While I know there are plenty of documents on how to defeat spam with Postfix and various tools, I’m still quite amazed at how effective two options are. They are:
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_client_restrictions =
    cidr:/etc/postfix/access_cidr,
    check_client_access hash:/etc/postfix/access,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client sbl-xbl.spamhaus.org
Now the cidr: line isn’t necessary above, but it’s handy if you want to shut down a whole IP block. The above two configurations have dropped the spam abuse on one of the servers I manage from about 90 or so a day, down to about 25. I was considering adding spamcop.net to the above RBLs, however, they’ve been known to blacklist SourceForge’s servers on a regular basis.
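Since the cidr: table is what lets you drop a whole IP block, rule order in it matters: Postfix applies the patterns top to bottom and stops at the first match. The script below is an added example, not part of the original post. It dry-runs a constructed access_cidr table (documentation address ranges only) and flags entries that an earlier, wider pattern makes unreachable. It assumes plain "pattern action" lines and ignores continuation lines, negated patterns and if/endif blocks.

```python
import ipaddress

# Constructed sample in cidr_table(5) "pattern action" form; the addresses
# are RFC 5737 / RFC 3849 documentation ranges, not real senders.
SAMPLE_ACCESS_CIDR = """\
# one known-good relay inside an otherwise blocked range
192.0.2.25/32      OK
192.0.2.0/24       REJECT block listed for spam
198.51.100.0/24    REJECT
2001:db8::/32      REJECT
"""

def parse_cidr_table(text):
    """Return [(network, action)] in file order, skipping blanks and comments."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 'pattern action'")
        # strict=True refuses 192.0.2.1/24 style typos (host bits set).
        rules.append((ipaddress.ip_network(fields[0], strict=True), fields[1]))
    return rules

def lookup(rules, client_ip):
    """First matching pattern wins; None means no match, so the next
    restriction in smtpd_client_restrictions gets to decide."""
    addr = ipaddress.ip_address(client_ip)
    for net, action in rules:
        if addr.version == net.version and addr in net:
            return action
    return None

def shadowed(rules):
    """Patterns that can never fire because an earlier, wider one covers them."""
    dead = []
    for i, (net, _) in enumerate(rules):
        if any(e.version == net.version and net.subnet_of(e) for e, _ in rules[:i]):
            dead.append(str(net))
    return dead

if __name__ == "__main__":
    rules = parse_cidr_table(SAMPLE_ACCESS_CIDR)
    for ip in ("192.0.2.25", "192.0.2.77", "203.0.113.9"):
        print(ip, "->", lookup(rules, ip))
    print("shadowed:", shadowed(rules))
```

On a live server, `postmap -q 192.0.2.77 cidr:/etc/postfix/access_cidr` asks Postfix itself the same question.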