Checking authorization from local nodes

[GlooM]

Greetings!

On one of our third-party services, the script that sends out reports to users broke down. As a result, spam was sent to users mailboxes. When I blocked the mailbox used for sending reports, spam did not stop being sent until the mailing script itself was disabled. The script was able to send mail via blocked account.

The log contains information about authorization refusal.

May 29 06:25:38 mail saslauthd[15664]: auth_zimbra: mailbox@domain.com auth failed: authentication failed for [mailbox@domain.com]
May 29 06:25:38 mail saslauthd[15664]: do_auth : auth failure: [user=mailbox@domain.com] [service=smtp] [realm=domain.com] [mech=zimbra] [reason=Unknown]
May 29 06:25:38 mail postfix/smtpd[26184]: warning: unknown[xxx.xxx.xxx.xx1]: SASL login authentication failed: authentication failure

But the sending occurred

As I understand it, the mail has been sent because the sender node belongs to the internal LAN address (MYNETWORKS RULE)

May 29 06:25:37 mail postfix/postscreen[17173]: CONNECT from [xxx.xxx.xxx.xx1]:63627 to [xxx.xxx.xxx.xx2]:25
May 29 06:25:37 mail postfix/postscreen[17173]: WHITELISTED [xxx.xxx.xxx.xx1]:63627

It turns out that any unauthorized node can send spam if it is connected from "MYNETWORK" subnet?
How can I prevent sending from unauthorized users?

smtpd_sender_restrictions = check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreig

As I understand it rule "permit_mynetworks" will be processed earlier than the rule "permit_sasl_authenticated". How to change the processing order? Will it be enough to just edit it manually /opt/zimbra/common/conf ?