I stole this from Here.
Also see this.
I think it's well worth configuring Postfix with these options (tuned to your exact needs, of course) to block SPAM.
Blocking spammers with Postfix alone
The battle between email admins and spammers is an ongoing arms race. The spammers are at a disadvantage because by and large, they have to rely on exploiting vulnerable systems to send their mail. With the ever growing size of botnets, they have a pretty large pool of exploited systems to send from, but Postfix can be configured to weed out most of that.
I’ve used the following configuration for many systems that were being plagued by spam problems. In many cases, SpamAssassin was doing the job, but it was having to process so much junk that it was putting an amazing amount of load on the server. After adding this to the Postfix configuration, Postfix was able to reject mail before it came into the queue, thereby reducing the amount of mail that made it through to SpamAssassin.
Add to /etc/postfix/main.cf
smtpd_delay_reject = yes
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_helo_restrictions =
permit_mynetworks,
reject_non_fqdn_helo_hostname,
reject_invalid_helo_hostname,
#reject_unknown_helo_hostname,
permit
smtpd_sender_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
permit
smtpd_client_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_pipelining,
reject_rbl_client bl.spamcop.net,
reject_rbl_client zen.spamhaus.org,
permit
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
check_recipient_access hash:/etc/postfix/denied_recipients,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
reject_unauth_destination,
permit
