A major problem with the default postfix install is that any user can send email as any user (even if it’s not your domain!)
The solution is very simple.
Edit /etc/main.cf and add
smtpd_delay_reject = yes
smtpd_helo_required = yessmtpd_sender_restrictions=check_sender_access,hash:/etc/postfix/domains,
reject_unauth_destination,reject_sender_login_mismatch
Make sure you don’t add ‘permit_mynetworks’ here, or local users (or webmail users) will be able to forge their email.
In /etc/postfix/domains, add
your.domain OK
other.domain OK
and run
postmap /etc/postfix/domains
postfix reload
You might also want to try to help stop spam (along with spamassassin) with blacklists and stopping bad senders.
In /etc/postfix/main.cf
smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination,
reject_invalid_hostname,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_rbl_client list.dsbl.org,reject_rbl_client sbl.spamhaus.org,reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,permit
I have mixed feelings about blacklists; my website has shown up on them from time to time after all. Still, if you’re willing to get a few false positives then this should help stop quite a bit of spam.