This can be accomplished using the smtpd_recipient_restrictions parameter with the check_client_access restriction in main.cf.

The order the restrictions are in is important as, from the Postfix documentation, "Restrictions are applied in the order as specified and the first restriction that matches wins."

With that in mind check_client_access should be AFTER reject_unauth_destination, otherwise the IP you exclude would be able to relay mail through your server to arbitrary destinations.

Likewise check_client_access should be BEFORE reject_rbl_client so that it is evaluated first and not rejected if it is on an RBL.
An example with IP 1.2.3.4 using the inline lookup table syntax can be seen below.

In /etc/postfix/main.cf:

smtpd_recipient_restrictions =
[...]
reject_unauth_destination    
check_client_access inline:{1.2.3.4=OK}
reject_rbl_client zen.spamhaus.org
[...]