...
If you simply use 'whitelist_from', this is quite trivial for spammers to exploit, as it simply examines the From:, Return-Path, and related headers of the mail. All a spammer needs to do is forge your address in the From: line, and they've whitelisted themselves. Because this mistake is quite common, it is frequently used in spam.
One way is to use 'whitelist_from_rcvd', which requires a hostname appear in the headers as well. This is the generally recommended method.
Note: for either of the below whitelist_from_rcvd to work, you must have your trusted networks set properly. See TrustPath for more details. That said, trusted_networks is NOT a whitelist mechanism in itself.One
Another way is to use 'whitelist_from_rcvd', which requires a hostname appear in the headers as well.Or, for defense in depth, another way is to examine the Received: headers of locally-originating mail, identify a pattern than will work, then create a local rule for this.
Note: this example is not particularly good, as it is effectively implementing whitelist_from_rcvd the hard way. The only advantage to the rule-based method is if you must check IPs due to lack of RDNS names. If RDNS hostnames exist, and the trust path is configured correctly, whitelist_from_rcvd will offer strong security against forgery. It will only honor received: headers inserted by trusted hosts, so you don't need to go to all this work.
For example, if every local mail passes through your mailserver with a Received line like this:
...