Block mails with local from-addresses from unauthenticated senders using courier-esmtpd

We run a small Courier mail server (courier-esmtpd). It is configured to accept mail from authenticated clients without recipient restrictions and mail from everywhere to local addresses: *(at)mydomain.tld. Now we get some spam mails where the from-address is set to something like info(at)mydomain.tld, with another local mail address as recipient. I'd like to block those mails. Yes, most of the time SpamAssassin marks them as spam, but I think the better way would be to directly reject mails with spoofed sender addresses.

Is it possible to configure courier-esmtpd to block mails sent by an unauthenticated client from an external IP address and a local from-address?

It is important that authenticated (legitimate) users are able to send mail using any from-address like user(at)mydomain.tld even from an external IP address (PC at home, etc.).

Edit: I tried to set the configuration option badfrom (at)mydomain.tld in file /etc/courier/bofh, but then all mails with corresponding return addresses are blocked, authenticated user or not...


The short answer is yes. The way to do it is to enable esmtpd-msa.

Courier supports a Mail Submission Agent (MSA) which is just like a Mail Transport Agent but is intended for non-local mail injection. MSA servers not only listen on a different port (587), but are capable of correcting minor errors in the SMTP data from the client's mailer. The other main benefit is that you can easily and simply disable relaying from external hosts on the MTA and enable authorisation on the MSA. This neatly gets around trying to authenticate from particular domains, which is almost impossible because the authentication request happens before the from domain is provided.

The biggest downside is that you have to change all your clients to send mail to port 587 instead of port 25.
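
The acceptance rule the question asks for, written out as a decision function. This is an added example, not part of the question or the answer, and it is not a Courier API or filter: the function names, the trusted network list and the sample sessions are constructed for illustration. It checks the envelope sender (the return address that `badfrom` matches on), and it assumes the null sender `<>` must stay accepted so that bounces are still delivered.

```python
import ipaddress

# Assumed site values, constructed for this example.
LOCAL_DOMAINS = {"mydomain.tld"}
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                ipaddress.ip_network("10.0.0.0/8")]


def sender_domain(mail_from):
    """Lower-cased domain of an envelope sender; None for the null sender <>."""
    addr = mail_from.strip().strip("<>").strip()
    if not addr:
        return None
    if "@" not in addr:
        return ""  # unqualified address: no domain to compare
    return addr.rsplit("@", 1)[1].rstrip(".").lower()


def decide(client_ip, authenticated, mail_from):
    """Return (accept, reason) for one SMTP session."""
    if authenticated:
        # Legitimate users may use any from-address from any IP.
        return True, "authenticated"
    domain = sender_domain(mail_from)
    if domain is None:
        return True, "null sender"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in TRUSTED_NETS):
        return True, "trusted network"
    if domain in LOCAL_DOMAINS:
        return False, "local sender without authentication"
    return True, "external sender"


# Constructed sessions: (client IP, authenticated?, envelope sender).
SAMPLE_SESSIONS = [
    ("203.0.113.7", False, "<info@mydomain.tld>"),   # spoofed local sender
    ("203.0.113.7", True, "<user@mydomain.tld>"),    # user at home, logged in
    ("198.51.100.9", False, "<alice@example.org>"),  # ordinary inbound mail
    ("198.51.100.9", False, "<>"),                   # bounce
    ("10.1.2.3", False, "<INFO@MyDomain.TLD>"),      # internal host
]


def rejected(sessions):
    """Sessions the rule would refuse."""
    return [s for s in sessions if not decide(*s)[0]]


if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(s, "->", decide(*s))
```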