Hello,

This might sound stupid but I don't see how to do it otherwise. So in our company we're running postscreen + postwhite (thanks to Jesse for all the support provided). Everything is running smoothly and, as expected, we're still getting spam, but around 3 to 4 per day. Of these 3 to 4 spam mails, 2 are coming from [email protected]. Since it is a company mail, we don't really need any incoming .ua mails, since we are only providing services to our country.

On the mail settings I added a mail filter deleting all incoming mail from .ua addresses, which created a custom rule for me.

Code:
if header :regex ["from"] [".*\.ua$"] {
    discard;
    stop;
}

This rule has been added to all mail clients which are receiving spam (their mail addresses are published on the company website).

Now the problem comes when this same mail address (let's call it [email protected]) which has this rule enabled is receiving mail from this [email protected]. This is because this address also receives redirected mail from, for example, [email protected]. So what happens is, [email protected] sends mail to [email protected] -> gets deleted. And if [email protected] sends mail to [email protected] which is forwarded to [email protected] -> is received.

So I need to create the same rule for [email protected], but how can I achieve this?
Currently, you filter the from header. Take a look into the email headers of a forwarded email from that address and find out in which other header field you can see the address of the spammer in that case and then create a filter rule for that field too.
Hi Till. Thanks for the fast reply, here is the header.

Code:
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from localhost (localhost [127.0.0.1])
    by mail.company.com (Postfix) with ESMTP id 903FC414BC
    for <[email protected]>; Mon, 23 Apr 2018 04:28:11 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at mail.company.com
X-Spam-Flag: NO
X-Spam-Score: 1.195
X-Spam-Level: *
X-Spam-Status: No, score=1.195 tagged_above=1 required=4.5
    tests=[HTML_IMAGE_ONLY_04=0.342, HTML_MESSAGE=0.001,
    HTML_SHORT_LINK_IMG_1=0.139, MPART_ALT_DIFF=0.724, SPF_PASS=-0.001,
    T_RP_MATCHES_RCVD=-0.01] autolearn=no autolearn_force=no
Received: from mail.company.com ([127.0.0.1])
    by localhost (mail.company.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id DUqgXz0WQfpQ for <[email protected]>;
    Mon, 23 Apr 2018 04:28:10 +0200 (CEST)
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=89.163.130.219;
    helo=mail.willianna.co.ua; [email protected]; receiver=<UNKNOWN>
Received: from mail.willianna.co.ua (mail.willianna.co.ua [89.163.130.219])
    by mail.company.com (Postfix) with ESMTP id 46158414B3
    for <[email protected]>; Mon, 23 Apr 2018 04:28:09 +0200 (CEST)
Received: from willianna.co.ua (mail.willianna.co.ua [89.163.130.219])
    by mail.willianna.co.ua (Postfix) with ESMTPA id D17363D4C42;
    Mon, 23 Apr 2018 04:00:00 +0300 (EEST)
Message-ID: <[email protected]>
From: "Best pills" <[email protected]>
To: <[email protected]>
Subject: Best pills! Delivery to door
Date: Mon, 23 Apr 2018 04:00:01 +0300
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative";
    boundary="----=_NextPart_000_000F_01D3DAB7.8CDDE8E0"
Precedence: bulk
List-Id: b63112473v12348300
X-Complaints-To: [email protected]
List-Unsubscribe: <http://willianna.co.ua/ru/unsubscribe/do?hash=xxxxxxxxxxxxx>
X-Antivirus: Avast (VPS 180422-4, 22/04/2018), Inbound message
X-Antivirus-Status: Clean

This is a multi-part message in MIME format.
As you can see, the incoming mail is from .co.ua, which was blocked by the rule posted above. I don't understand how I am still receiving mails from this provider. Did the rule stop working? Is there anything missing? The worst of this spam is that it wasn't considered spam by the server: X-Spam-Status: No, score=1.195 tagged_above=1 required=4.5
After searching a little further I found out that I could add global filters, which I hadn't added, so following this link https://www.howtoforge.com/tutorial/how-to-block-email-from-certain-tld-in-ispconfig/ I added the rule to block incoming mail from .co.ua. I'll keep this thread active for a few days to check how it's working.
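
Added example, not part of the thread or any poster's code: a Python sketch showing that a pattern anchored with `\.ua$` cannot match a `From` value that carries a display name and a closing `>`, while comparing only the address domain (what Sieve's `address :domain` test does) catches it. The sample message, its addresses and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample modelled on the header shape shown in the thread;
# the addresses are placeholders, not values from the original post.
SAMPLE = '''Return-Path: <bounce@mail.example.co.ua>
From: "Best pills" <promo@example.co.ua>
To: <info@company.example>
Subject: Best pills! Delivery to door

body
'''

NAIVE = re.compile(r".*\.ua$")  # the pattern used in the thread's rule


def naive_from_match(raw):
    """Apply the thread's regex to the whole From value, as a header test does."""
    value = message_from_string(raw).get("From", "")
    return bool(NAIVE.search(value.strip()))


def sender_domains(raw, fields=("From", "Sender", "Return-Path")):
    """Return the lower-cased domain of every address in the sender-side fields."""
    msg = message_from_string(raw)
    pairs = getaddresses([v for f in fields for v in msg.get_all(f, [])])
    return {addr.rsplit("@", 1)[1].lower().rstrip(".")
            for _name, addr in pairs if "@" in addr}


def blocked_by_tld(raw, tld="ua"):
    """True if any sender-side address sits under the given TLD.

    Only the domain part is compared, so display names, angle brackets
    and look-alike labels such as ua.example.com do not affect the result.
    """
    suffix = "." + tld.lower()
    return any(d.endswith(suffix) for d in sender_domains(raw))
```

These header addresses are chosen by the sender, so a TLD rule like this reduces nuisance mail but does not authenticate who sent it.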