A major problem with the default Postfix install is that any user can send email as any user (even if it’s not your domain!).
The solution is very simple.
Edit /etc/postfix/main.cf and add
smtpd_delay_reject = yes
smtpd_helo_required = yes
Make sure you don’t add ‘permit_mynetworks’ here, or clients on your local networks (including webmail users) will be able to forge the sender address on their email.
In /etc/postfix/domains, add
You might also want to help cut down on spam (alongside SpamAssassin) with DNS blacklists and by rejecting malformed or unknown senders and recipients:
    reject_invalid_hostname,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    permit
I have mixed feelings about blacklists; my website has shown up on them from time to time after all. Still, if you’re willing to get a few false positives then this should help stop quite a bit of spam.
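To make the ordering point concrete, here is an added example (mine, not code from the original post and not Postfix source) that models how Postfix walks an smtpd_*_restrictions list: restrictions are tried left to right, the first one that answers OK or REJECT decides, DUNNO falls through, and the trailing permit accepts whatever is left. It assumes the sender check is done with Postfix's reject_sender_login_mismatch against an smtpd_sender_login_maps table (the post does not say which restriction it uses for this), and all networks, addresses and the "blocklist" are constructed sample data. It covers both the permit_mynetworks warning and the recipient/RBL list above.

```python
# Toy model of a Postfix smtpd_*_restrictions walk (constructed example, not Postfix
# code). Each restriction returns "OK", "REJECT" or "DUNNO"; the first non-DUNNO
# answer wins. Sample networks, login map and blocklist are made up.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

MY_NETWORKS = {"127.0.0.1", "192.0.2.10"}            # plays the role of $mynetworks
# plays the role of smtpd_sender_login_maps: envelope sender -> SASL logins that own it
SENDER_LOGIN_MAP = {"alice@example.com": {"alice"}, "bob@example.com": {"bob"}}
BLOCKLISTED_CLIENTS = {"203.0.113.7"}                # stands in for a DNSBL "listed" answer


@dataclass
class Session:
    client_ip: str
    sender: str                      # envelope MAIL FROM
    recipient: str                   # envelope RCPT TO
    sasl_user: Optional[str] = None  # None = not authenticated


Restriction = Callable[[Session], str]


def permit_mynetworks(s: Session) -> str:
    return "OK" if s.client_ip in MY_NETWORKS else "DUNNO"


def reject_sender_login_mismatch(s: Session) -> str:
    # Modelled on Postfix's restriction of the same name: reject when the sender
    # address has an owner in the map and the client is not logged in as that owner,
    # or when the client is logged in but the address has no owner entry for it.
    owners = SENDER_LOGIN_MAP.get(s.sender.lower())
    if owners is not None and s.sasl_user not in owners:
        return "REJECT"
    if s.sasl_user is not None and owners is None:
        return "REJECT"
    return "DUNNO"


def reject_non_fqdn_recipient(s: Session) -> str:
    # a recipient domain without a dot (e.g. "localhost") is not fully qualified
    domain = s.recipient.rpartition("@")[2]
    return "DUNNO" if "." in domain else "REJECT"


def reject_rbl_client(s: Session) -> str:
    # real Postfix does a DNS lookup of the reversed client IP under the list's zone;
    # here a set stands in for a "listed" answer
    return "REJECT" if s.client_ip in BLOCKLISTED_CLIENTS else "DUNNO"


def permit(s: Session) -> str:
    return "OK"


def decide(restrictions: List[Restriction], s: Session) -> Tuple[str, str]:
    """Walk the list; return (verdict, name of the restriction that decided)."""
    for r in restrictions:
        verdict = r(s)
        if verdict != "DUNNO":
            return verdict, r.__name__
    return "OK", "end-of-list"   # Postfix permits when a list is exhausted


# The ordering the post warns against: permit_mynetworks before the sender check.
PERMISSIVE_ORDER = [permit_mynetworks, reject_sender_login_mismatch,
                    reject_non_fqdn_recipient, reject_rbl_client, permit]
# Sender check first, then the recipient / blacklist checks, then permit.
STRICT_ORDER = [reject_sender_login_mismatch, reject_non_fqdn_recipient,
                reject_rbl_client, permit]

# Constructed sessions.
FORGED = Session("192.0.2.10", "alice@example.com", "carol@example.net", sasl_user="bob")
LEGIT = Session("192.0.2.10", "alice@example.com", "carol@example.net", sasl_user="alice")
LISTED = Session("203.0.113.7", "spam@example.org", "carol@example.com")
BAD_RCPT = Session("198.51.100.4", "joe@example.org", "root@localhost")

if __name__ == "__main__":
    for name, sess in [("forged", FORGED), ("legit", LEGIT),
                       ("listed", LISTED), ("bad rcpt", BAD_RCPT)]:
        print(f"{name:9} permissive={decide(PERMISSIVE_ORDER, sess)}"
              f"  strict={decide(STRICT_ORDER, sess)}")
```

Running it shows the webmail user logged in as bob claiming alice's address getting through under the permissive order (permit_mynetworks decides before the sender check ever runs) and being rejected under the strict order, while alice's own mail, the blocklisted client and the non-FQDN recipient are all decided by the restriction you would expect.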