postfwd not rate limiting sasl users

Postfix restriction classes can return three answers: OK, REJECT or DUNNO. Usually they have (OK, DUNNO) or (REJECT, DUNNO), because of the way that Postfix functions. DENY and OK mean the rest of the checks are ignored; DUNNO means go on to the next check.

So, in your case, permit_mynetworks or permit_sasl_authenticated are returning OK, so it does not check further under smtpd_recipient_restrictions, though you could place it in another restriction class which will then first have to return OK, for the mail to be forwarded.


You should not use "smtpd_recipient_restrictions" for an "action=rcpt(...)" as it needs to know the recipient_count attribute. From the man page:

 rcpt (<item>/<max>/<time>/<action>) 
   this command works similar to the rate() command with the difference,
   that the rate counter is increased by the request's recipient_count
   attribute. to do this reliably you should call postfwd from 
   smtpd_data_restrictions or smtpd_end_of_data_restrictions. if you want
   to be sure, you could check it within the ruleset:
      # recipient count limit 3 per hour per client
      id=RCPT01 ;  protocol_state==END-OF-MESSAGE ;  client_address!=10.1.1.1
         action=rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour)

So, if you use "check_policy_service inet:127.0.0.1:10045" in smtpd_data_restrictions instead, it will work. Hope so.
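The following is an added example, not code from either answer or from Postfix/postfwd: a simplified Python model of how restriction lists are evaluated, showing why a policy check placed after permit_sasl_authenticated is never consulted for authenticated users, and why a recipient-count limit only sees a non-zero recipient_count at the DATA stage. The class and function names, the address 192.0.2.10 and the user "alice" are constructed for illustration, and the limiter is a stand-in for a postfwd rcpt() rule, not its real implementation.

```python
# Simplified model of Postfix restriction-list evaluation; all names and sample values are constructed.
import time

OK, REJECT, DUNNO = "OK", "REJECT", "DUNNO"

class RcptLimiter:
    """Stand-in for a postfwd rcpt(client_address/max/time/action) rule."""
    def __init__(self, max_rcpts, window):
        self.max_rcpts, self.window = max_rcpts, window
        self.seen = {}   # client_address -> (window start, recipients counted)
        self.calls = 0   # how often the policy service was consulted

    def check(self, req, now=None):
        self.calls += 1
        now = time.time() if now is None else now
        start, count = self.seen.get(req["client_address"], (now, 0))
        if now - start >= self.window:      # window expired: start counting again
            start, count = now, 0
        count += req["recipient_count"]     # 0 at RCPT stage, real count at DATA
        self.seen[req["client_address"]] = (start, count)
        return REJECT if count > self.max_rcpts else DUNNO

def permit_sasl_authenticated(req):
    return OK if req.get("sasl_username") else DUNNO

def evaluate(restrictions, req):
    """First OK or REJECT ends this list; DUNNO moves on to the next check."""
    for check in restrictions:
        result = check(req)
        if result != DUNNO:
            return result
    return DUNNO

def run_session(recipient_list, data_list, user, client, n_rcpts):
    """One message: recipient list runs per RCPT TO, data list once at DATA."""
    base = {"sasl_username": user, "client_address": client}
    for _ in range(n_rcpts):
        req = dict(base, protocol_state="RCPT", recipient_count=0)
        if evaluate(recipient_list, req) == REJECT:
            return REJECT
    req = dict(base, protocol_state="DATA", recipient_count=n_rcpts)
    return REJECT if evaluate(data_list, req) == REJECT else OK

def demo():
    a = RcptLimiter(3, 3600)  # policy check after permit_sasl_authenticated
    r1 = run_session([permit_sasl_authenticated, a.check], [], "alice", "192.0.2.10", 5)
    b = RcptLimiter(3, 3600)  # policy check moved to the data-stage list
    r2 = run_session([permit_sasl_authenticated], [b.check], "alice", "192.0.2.10", 5)
    return (r1, a.calls), (r2, b.calls)
```

In the first layout the limiter is never called and five recipients pass; in the second it is called once at DATA with recipient_count=5 and rejects.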