While I know there are plenty of documents on how to defeat spam with Postfix and various tools, I’m still quite amazed at how effective two options are. They are:
    smtpd_sender_restrictions =
        reject_unknown_sender_domain
And:
    smtpd_client_restrictions =
        check_client_access cidr:/etc/postfix/access_cidr,
        check_client_access hash:/etc/postfix/access,
        reject_rbl_client relays.ordb.org,
        reject_rbl_client sbl-xbl.spamhaus.org
Now the cidr: line isn’t necessary above, but it’s handy if you want to shut down a whole IP block. The above two configurations have dropped the spam abuse on one of the servers I manage from about 90 or so a day, down to about 25. I was considering adding spamcop.net to the above RBLs, however, they’ve been known to blacklist SourceForge’s servers on a regular basis.
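To show how the client restrictions above are evaluated in order, here is an added example (not part of the original post) that models the cidr: table lookup and the DNS name each reject_rbl_client check queries. The table contents and addresses are constructed samples using documentation ranges, the hash: table step is omitted, and no DNS queries are made.

```python
import ipaddress

# Constructed sample of /etc/postfix/access_cidr in cidr_table(5) format
# ("pattern  action"). Order matters: the first matching pattern wins.
ACCESS_CIDR = """\
# one trusted host inside a blocked range must be listed before the range
203.0.113.25      OK
203.0.113.0/24    REJECT whole block is abusive
198.51.100.0/24   REJECT
"""

# Zones exactly as they appear in the post's smtpd_client_restrictions.
RBL_ZONES = ["relays.ordb.org", "sbl-xbl.spamhaus.org"]

def parse_cidr_table(text):
    """Return [(network, action)] in file order, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        rules.append((ipaddress.ip_network(pattern, strict=False), action.strip()))
    return rules

def cidr_lookup(rules, client_ip):
    """First matching pattern wins; None means the table has no opinion."""
    addr = ipaddress.ip_address(client_ip)
    for network, action in rules:
        if addr.version == network.version and addr in network:
            return action
    return None

def rbl_query_name(client_ip, zone):
    """DNS name looked up for this client: reversed address + zone."""
    ptr = ipaddress.ip_address(client_ip).reverse_pointer
    return ptr.rsplit(".", 2)[0] + "." + zone  # drop in-addr.arpa / ip6.arpa

def evaluate(client_ip):
    """An OK or REJECT from the cidr table ends the list before any RBL lookup."""
    action = cidr_lookup(parse_cidr_table(ACCESS_CIDR), client_ip)
    if action is not None:
        return ("cidr", action)
    # check_client_access hash:/etc/postfix/access would be consulted here.
    return ("rbl", [rbl_query_name(client_ip, z) for z in RBL_ZONES])

if __name__ == "__main__":
    for ip in ("203.0.113.25", "203.0.113.7", "192.0.2.5"):
        print(ip, evaluate(ip))
```

Note that an OK result in the cidr: table ends smtpd_client_restrictions for that client, so the RBL checks listed after it are never reached.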