So far it works great and log files show proper reject_warning.
controlled_envelope_senders and controlled_envelope_senders_static contain email-to-login and @workdomain.tld-to-login tables.
Some of my ~40K users are using this SMTP server to "send as" a private email address that does not end with @workdomain.tld (like for example hotmail or gmail addresses).
Is there a way to allow any user to send as any email address that does not end in @workdomain.tld without explicitly listing every other domain.tld? If not I'll have to contact everyone of them and educate them about the new restriction. No big deal but still a delicate task.