It may be I'm thinking about this the wrong way but here's how we're set up:

{Internet}->{firewall}->{inbound-mail}->{zimbra-server}

The inbound mail server and the Zimbra server are in the same network / subnet. Not all e-mail goes to Zimbra, just e-mails for a particular domain. The inbound server handles RBL, antivirus, SpamAssassin work etc. The Zimbra server is running version 7.2.1.

I'm increasingly having problems with Zimbra backscattering. Postfix / Zimbra is configured to reject with a 550 e-mails for non-existent domains. I temporarily punched a hole through our firewall to the Zimbra server to confirm that it is configured correctly to reject with a 550, and also tested from other subnets.

The problem is that it's accepting carte blanche all e-mails that it gets from its own subnet and then, when discovering they're for a non-existent account, sends out an Undelivered Mail message. I need to stop this from happening or I'm going to end up with problems. The amount of backscatter isn't too bad at the moment but is increasing. The subnet for the Zimbra server is not in the list of subnets in zimbraMtaMyNetworks.

My thoughts are I either:
1) need to be able to persuade Zimbra not to relay for the local subnet, just what I have explicitly configured in zimbraMtaMyNetworks
and/or
2) Stop it sending bounce e-mails for non-existent users regardless of source.

Can anyone help me, or offer an alternative fix? (No it's not possible to move the inbound e-mail server into a different subnet.)