accept for domain "example.com" virtual <users> relay via relay.example.com
PS. maybe that's one of the vulnerabilities mentioned in the report (1). Anyway it's an argument for me to run Qmail/qpsmtpd instead.
I just wish we had something that wasn't written in C.