Good set of postfix rules and a very mild tweaking of Spamassassin and I have nearly no spam reach my inbox.
smtpd_client_restrictions = permit_mynetworks,
reject_unknown_client_hostname,
reject_unauth_pipelining,
check_client_access pcre:/etc/postfix/reject-domains,
permit
smtpd_helo_restrictions = permit_mynetworks,
check_helo_access pcre:/etc/postfix/nomail-domains,
check_helo_access mysql:/etc/postfix/reject-helo-mydomains.cf,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
permit
smtpd_sender_restrictions = permit_mynetworks,
check_sender_access pcre:/etc/postfix/nomail-domains,
check_sender_access mysql:/etc/postfix/reject-sender-mydomains.cf,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
permit
smtpd_recipient_restrictions = permit_mynetworks,
reject_unauth_destination,
check_recipient_access pcre:/etc/postfix/reject-users,
reject_non_fqdn_recipient,
permit
smtpd_data_restrictions = permit_mynetworks,
reject_multi_recipient_bounce,
permit
The reject-sender-mydomains and reject-helo-mydomains boot mail claiming to come from my users.
reject-domains boots mail from generic hostnames, e.g.: /[0-9]+\-+[0-9]+\-+[0-9]+\-+[0-9]+/ REJECT 554 Dynamic or Generic Hostname /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.[0-9a-z]+/ REJECT 554 Dynamic or Generic Hostname
and others as patterns emerge, should probably run through them again
nomail-domains contains a list of domains that I own that I know shouldn't be claiming to send mail. I doubt it's necessary, honestly.
reject-users just makes it deny that my wheel user exists.
The only custom rules I've added to Spamassassin was to catch hijacked accounts. Black/no subject, multiple recipients, containing a link.
Maybe one piece of spam makes it through a week, if that.