Comment: converted to 1.6 markup

...

If you simply use 'whitelist_from', this is quite trivial for spammers to exploit, as it simply examines the From:, Return-Path, and related headers of the mail. All a spammer needs to do is forge your address in the From: line, and they've whitelisted themselves. Because this mistake is quite common, it is frequently used in spam.

(NEW) I think use of 'trusted_networks' is the easiest and best - in the form of trusted_networks ip.add.re.ss[/mask] ... (default: none) as documented [http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Conf.html#item_trusted_networks_ip_2eadd_2ere_2ess_5b_2fmask_5d__ here], e.g. trusted_networks 66.111.4.0/24

One way is to use 'whitelist_from_rcvd', which requires that a hostname appear in the headers as well. This is the generally recommended method.

Note: for whitelist_from_rcvd to work, you must have your trusted networks set properly. See TrustPath for more details. That said, trusted_networks is NOT a whitelist mechanism in itself.
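The difference between the two checks, as a simplified model added here for illustration (it is not SpamAssassin's code and not part of the original page). The hosts, addresses, trusted network and the single Received: shape it parses are constructed assumptions.

```python
import email
import ipaddress
import re
from email.utils import parseaddr
from fnmatch import fnmatch

# All hosts, addresses and networks below are constructed sample values.
TRUSTED = [ipaddress.ip_network("192.0.2.0/24")]  # plays the role of trusted_networks
PATTERN, RDNS_DOMAIN = "*@example.com", "example.com"

# Simplified Received: shape "from HELO (rdns [ip]) by host"; real headers vary more.
RCVD = re.compile(r"from\s+\S+\s+\((\S+)\s+\[([0-9.]+)\]\)\s+by\s+\S+")

def from_matches(msg):
    """whitelist_from-style check: looks only at the sender-supplied From: header."""
    return fnmatch(parseaddr(msg["From"])[1].lower(), PATTERN)

def handoff_rdns(msg):
    """Walk Received: newest-first while each relay is inside TRUSTED. Return the
    rDNS of the first relay outside it, or of the last trusted relay if none is.
    Headers below the first outside relay were not written by a trusted host."""
    rdns = None
    for line in msg.get_all("Received", []):
        m = RCVD.search(" ".join(line.split()))
        if not m:
            return None
        rdns = m.group(1).lower()
        if not any(ipaddress.ip_address(m.group(2)) in net for net in TRUSTED):
            return rdns
    return rdns

def from_rcvd_matches(msg):
    """whitelist_from_rcvd-style check: From: pattern AND rDNS recorded by a trusted host."""
    rdns = handoff_rdns(msg)
    ok = rdns is not None and (rdns == RDNS_DOMAIN or rdns.endswith("." + RDNS_DOMAIN))
    return from_matches(msg) and ok

LOCAL = email.message_from_string(
    "Received: from ws1 (ws1.example.com [192.0.2.10]) by mx.example.com; Mon, 1 Jan 2024 10:00:00 +0000\n"
    "From: Alice <alice@example.com>\nSubject: report\n\nhi\n")
FORGED = email.message_from_string(
    "Received: from ws1 (host9.isp.invalid [203.0.113.50]) by mx.example.com; Mon, 1 Jan 2024 10:05:00 +0000\n"
    "Received: from ws1 (ws1.example.com [192.0.2.10]) by mx.example.com; Mon, 1 Jan 2024 10:04:00 +0000\n"
    "From: Alice <alice@example.com>\nSubject: offer\n\nhi\n")

if __name__ == "__main__":
    for name, m in (("local", LOCAL), ("forged", FORGED)):
        print(name, "From-only:", from_matches(m), "From+rcvd:", from_rcvd_matches(m))
```

The forged message passes the From-only check but fails the Received-based one, because the only header the trusted host wrote records a relay outside the trusted network.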

Or, for defense in depth, another way is to examine the Received: headers of locally-originating mail, identify a pattern that will work, then create a local rule for this.

Note: this example is not particularly good, as it is effectively implementing whitelist_from_rcvd the hard way. The only advantage to the rule-based method is if you must check IPs due to lack of RDNS names. If RDNS hostnames exist, and the trust path is configured correctly, whitelist_from_rcvd will offer strong security against forgery. It will only honor Received: headers inserted by trusted hosts, so you don't need to go to all this work.

For example, if every local mail passes through your mailserver with a Received line like this:

...