Tanktalus,

This being postfix, you can set it up to authenticate against either MySQL or LDAP, and one good way to limit spam would be to authenticate the recipient address against a known database of users able to accept email.

If it doesn't exist in your authoritative database, throw it away. I'm saying this because the majority of spam I was seeing when I did email for a living (I was an email admin for a small telecom) were generated by dictionary attacks, and this is a simple, trouble free way to get rid of all that.

If this is a terminal email acceptor (as opposed to a forwarder), then you might want to grab one of the formulas for building a amavisd-spamassasin-clamav setup as well. Just be warned that this software trio is a power hungry, not suitable for old hardware if you're seeing large volumes of stuff. High volume receivers keep this trio on separate hardware from the original MX acceptor.