TransWikia.com

Postfix as incoming and outgoing relay

Server Fault Asked by meilon on December 9, 2021

I’d like to replace a piece of legacy Windows email gateway software with a postfix 3.5 container and I can’t seem to pull off both features at the same time:

  • It should accept incoming mails (@ourdomain.com) from any IP if the address is in the relay_recipient_maps and forward it to the exchange server.
  • It should accept outgoing mails (ex. @anydomain.net) only from specific IP addresses with any [email protected] and relay those through the exchange as well.

Here’s the configuration I’m currently using:

# differences from postconf -d
compatibility_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
header_size_limit = 4096000
inet_protocols = ipv4
local_transport = error:local mail delivery is disabled
manpage_directory = /usr/share/man
message_size_limit = 50000000
mydestination =
mydomain = ourdomain.com
myhostname = smtp-demo.ourdomain.com
mynetworks = /etc/postfix/mynetworks
myorigin = ourdomain.com
parent_domain_matches_subdomains = debug_peer_list smtpd_access_maps
process_id = 137
readme_directory = /usr/share/doc/postfix/readme
relay_domains = ourdomain.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
relayhost = exchange.ourdomain.com
smtp_tls_security_level = may
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,reject_invalid_helo_hostname,permit
smtpd_recipient_restrictions = permit_auth_destination,reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_sender_access hash:/etc/postfix/allowed_senders, reject
smtpd_relay_restrictions = permit_mynetworks,reject_unauth_destination
smtpd_sender_restrictions = permit_mynetworks


# /etc/postfix/mynetworks
10.176.204.50
10.176.201.100
...

# /etc/postfix/relay_recipients
[email protected] OK
[email protected] OK
...

# /etc/postfix/allowed_senders
ourdomain.com OK

Every time I change something in smtpd_recipient_restrictions or smtpd_relay_restrictions I get one of the two objectives to work, but then I break the other one. With the current config I get no error after RCPT TO an external address from a client not in the mynetworks file. Container networking is set up correctly, the correct IP of the clients I’m testing with is shown in the logs, so mynetworks should work.

What am I doing wrong?

One Answer

If you can't come up with settings that can fulfill both requirements, you can refer to Managing multiple Postfix instances on a single host. You could configure submission with different settings through master.cf, e.g.

submission  inet n       -       y       -       -       smtpd
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_relay_restrictions=permit_mynetworks,reject
  -o smtpd_recipient_restrictions=reject_unknown_recipient_domain,permit_mynetworks,reject

This will open submission port 587 for the outbound relay.

If you must use port 25 for both, you can also bind the instances to different IP addresses.

Answered by Esa Jokinen on December 9, 2021
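
A simplified model of how Postfix walks the restriction lists at RCPT TO when the two roles are split across listeners as the answer suggests. This is an added illustration, not code from the question or the answer. The port 25 policy, the recipient address alice@ourdomain.com and the test client 203.0.113.7 are assumptions; only the 587 overrides and the two mynetworks addresses come from the page.

```python
# Simplified model of Postfix smtpd access checks at RCPT TO (added example).
# Sample data is constructed; the port-25 policy is an assumption.
import ipaddress

MYNETWORKS = [ipaddress.ip_network(n) for n in ("10.176.204.50", "10.176.201.100")]
RELAY_DOMAINS = {"ourdomain.com"}
RELAY_RECIPIENTS = {"alice@ourdomain.com"}  # stand-in for relay_recipient_maps

# Per listener: ordered restriction lists, evaluated client -> relay -> recipient.
SERVICES = {
    25: {"client": [], "relay": ["reject_unauth_destination"], "recipient": []},  # assumed
    587: {  # the -o overrides from the answer's master.cf entry
        "client": ["permit_mynetworks", "reject"],
        "relay": ["permit_mynetworks", "reject"],
        "recipient": ["reject_unknown_recipient_domain", "permit_mynetworks", "reject"],
    },
}

def check(name, client_ip, rcpt):
    """Return 'permit', 'reject' or None (no decision, try the next restriction)."""
    domain = rcpt.rpartition("@")[2]
    in_mynetworks = any(ipaddress.ip_address(client_ip) in n for n in MYNETWORKS)
    if name == "permit_mynetworks":
        return "permit" if in_mynetworks else None
    if name == "reject_unauth_destination":
        return None if domain in RELAY_DOMAINS else "reject"
    if name == "reject":
        return "reject"
    return None  # reject_unknown_recipient_domain needs DNS; not modelled here

def rcpt_decision(port, client_ip, rcpt):
    """Final verdict for one RCPT TO on the given listener."""
    for stage in ("client", "relay", "recipient"):
        for name in SERVICES[port][stage]:
            verdict = check(name, client_ip, rcpt)
            if verdict == "reject":
                return "reject"      # a reject in any list is final
            if verdict == "permit":
                break                # permit ends this list only; later lists still run
    # Implicit reject_unlisted_recipient: relay_domains addresses must be listed.
    if rcpt.rpartition("@")[2] in RELAY_DOMAINS and rcpt not in RELAY_RECIPIENTS:
        return "reject"
    return "permit"
```

Running the same matrix of client, port and recipient against the real container (one probe per row) is a quick regression check that a later restriction change has not opened the relay.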
