--- a/ucs-4.1-0/mail/univention-mail-postfix/share/listfilter.py
+++ a/ucs-4.1-0/mail/univention-mail-postfix/share/listfilter.py
@@ -50,8 +50,6 @@ def listfilter(attr):
 sender = attr.get("sender", None)
 recipient = attr.get("recipient", None)
- action = "DUNNO default"
- allowed = {}
 if not options.ldap_base:
 return "443 LDAP base not set."
@@ -59,8 +57,6 @@ def listfilter(attr):
 # We will never get here, because an empty recipient will have been rejected
 # earlier by Postfix with '554 5.5.1 Error: no valid recipients'.
 return "REJECT Access denied for empty recipient."
- elif not sender:
- return "REJECT Access denied for empty sender."
 else:
 # reuse secret file of univention-mail-cyrus
 ldap = univention.uldap.getMachineConnection(ldap_master=False, secret_file="/etc/listfilter.secret")
@@ -72,17 +68,6 @@ def listfilter(attr):
 # try the ldap stuff, if that fails send email anyway
 try:
- # get dn and groups of sender
- filter = '(&(|(mailPrimaryAddress=%s)(mailAlternativeAddress=%s)(mail=%s))(objectclass=posixAccount))' % (sender, sender, sender)
- userResult = ldap.search(base=options.ldap_base, filter=filter, attr=["dn"])
- if userResult:
- userDn = userResult[0][0]
- filter = '(uniqueMember=%s)' % userDn
- groupResult = ldap.search(base=options.ldap_base, filter=filter, attr=["dn"])
- if groupResult:
- for i in groupResult:
- userGroups.append(i[0])
-
 # get recipient restriction
 ldapAttr = ["univentionAllowedEmailGroups", "univentionAllowedEmailUsers"]
 filter = '(&(mailPrimaryAddress=%s)(|(objectclass=univentionMailList)(objectclass=posixGroup)))' % recipient
@@ -95,6 +80,22 @@ def listfilter(attr):
 for u in result[0][1].get("univentionAllowedEmailUsers", []):
 allowedUserDns.append(u)
+ # check if there are restrictions, check sender first
+ if allowedUserDns or allowedGroupDns:
+ if not sender:
+ return "REJECT Access denied for empty sender to restricted list %s" % (recipient, )
+
+ # get dn and groups of sender
+ filter = '(&(|(mailPrimaryAddress=%s)(mailAlternativeAddress=%s)(mail=%s))(objectclass=posixAccount))' % (sender, sender, sender)
+ userResult = ldap.search(base=options.ldap_base, filter=filter, attr=["dn"])
+ if userResult:
+ userDn = userResult[0][0]
+ filter = '(uniqueMember=%s)' % userDn
+ groupResult = ldap.search(base=options.ldap_base, filter=filter, attr=["dn"])
+ if groupResult:
+ for i in groupResult:
+ userGroups.append(i[0])
+
 # check if there are restrictions
 if allowedUserDns or allowedGroupDns:
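Review bot: The sender address is interpolated into the LDAP search filter with `%` and no escaping, so an envelope sender containing filter metacharacters can alter the meaning of the user lookup; the `(uniqueMember=%s)` filter built from `userDn` and the recipient filter at the end of the previous hunk have the same shape. Because the commit moves this lookup into the restricted-list path, it is now the check that decides whether a restricted list accepts a message, so build the filters with python-ldap's `ldap.filter.filter_format` (the `ldap` module name is shadowed by the local connection object in this function, so import it at file top as `from ldap.filter import filter_format`): `filter = filter_format('(&(|(mailPrimaryAddress=%s)(mailAlternativeAddress=%s)(mail=%s))(objectclass=posixAccount))', (sender, sender, sender))` and `filter = filter_format('(uniqueMember=%s)', (userDn,))`. Separately, the new block and the existing block directly below it both test `if allowedUserDns or allowedGroupDns:`; folding the sender lookup into the existing branch would avoid evaluating the same condition twice and keep the restriction logic in one place. listfilter's body starts and ends outside this hunk, so where `userGroups` is initialised cannot be confirmed here.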