1. warn_if_reject
Change the meaning of the next restriction, so that it logs a warning
instead of rejecting a request (look for logfile records that contain
"reject_warning"). This is useful for testing new restrictions in a "live"
environment without risking unnecessary loss of mail.
2. Because the mail failed three of your many restrictions and was then
delivered.
3. Try to minimize restrictions. Find the restrictions that present the
least false-positives. Blocking entire countries will generate many
false-positives. Using client restrictions will usually generate 4xx errors
which may result in repeat traffic. Using recipient restrictions and placing
criteria that generate 5xx errors first will minimize repeat delivery
attempts. Restrictions such as reject_unknown_sender_domain are not
applicable to client restrictions because postfix hasn't yet received the
smtp mail from. Restrictions correspond to the smtp sequence:
connect: client restrictions
mail from: sender restrictions
rcpt to: recipient restrictions
http://www.postfix.org/postconf.5.html
Here's the configuration I have found effective:
smtpd_recipient_restrictions=permit_mynetworks reject_unauth_destination
    reject_unlisted_recipient reject_unknown_client reject_unknown_sender_domain
    reject_unverified_sender
I believe reject_unknown_client to cause the most false positives in my
configuration and reject_unlisted_recipient to cause the least.
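
An added example, not part of the original message: one way to judge which restriction produces the most false positives while it runs under warn_if_reject is to tally the "reject_warning" log records by rejection reason and by client. The log lines are constructed samples in the usual Postfix smtpd layout, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines (not real traffic); the fourth is a real reject, not a warning.
SAMPLE_LOG = """\
Jan 10 12:00:01 mx postfix/smtpd[2101]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 450 4.7.1 Client host rejected: cannot find your hostname, [192.0.2.10]; from=<a@example.com> to=<user@example.org> proto=ESMTP helo=<host1>
Jan 10 12:03:17 mx postfix/smtpd[2104]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.11]: 450 4.7.1 Client host rejected: cannot find your hostname, [192.0.2.11]; from=<b@example.com> to=<user@example.org> proto=ESMTP helo=<host2>
Jan 10 12:05:40 mx postfix/smtpd[2107]: NOQUEUE: reject_warning: RCPT from mail.example.net[198.51.100.7]: 450 4.1.8 <x@nodomain.invalid>: Sender address rejected: Domain not found; from=<x@nodomain.invalid> to=<user@example.org> proto=ESMTP helo=<mail.example.net>
Jan 10 12:06:02 mx postfix/smtpd[2107]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.7]: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown in local recipient table; from=<c@example.net> to=<nobody@example.org> proto=ESMTP helo=<mail.example.net>
Jan 10 12:09:55 mx postfix/smtpd[2111]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 450 4.7.1 Client host rejected: cannot find your hostname, [192.0.2.10]; from=<a@example.com> to=<user@example.org> proto=ESMTP helo=<host1>
"""

# Only records logged by a restriction prefixed with warn_if_reject match.
WARN_RE = re.compile(
    r"reject_warning: (?P<stage>\w+) from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) (?P<text>.*?); from=<"
)
# "<what> rejected: <why>", with the address-specific parts left out.
REASON_RE = re.compile(r"(?P<what>[A-Z][\w ]* rejected): (?P<why>[^;,:]+)")

def parse_warnings(log_text):
    """Return one dict per reject_warning record: client IP, reply code, reason."""
    hits = []
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if not m:
            continue
        r = REASON_RE.search(m["text"])
        reason = f"{r['what']}: {r['why'].strip()}" if r else m["text"]
        hits.append({"ip": m["ip"], "code": m["code"], "reason": reason})
    return hits

def summarize(hits):
    """Count warnings per (reason, 4xx/5xx) and collect distinct clients per reason."""
    counts = Counter((h["reason"], h["code"][0] + "xx") for h in hits)
    clients = {}
    for h in hits:
        clients.setdefault(h["reason"], set()).add(h["ip"])
    return counts, clients

if __name__ == "__main__":
    counts, clients = summarize(parse_warnings(SAMPLE_LOG))
    for (reason, klass), n in counts.most_common():
        print(f"{n:3d}  {klass}  {reason}  ({len(clients[reason])} distinct clients)")
```

Reasons that fire often, and from clients you recognise as legitimate, are the ones to reconsider before removing warn_if_reject.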