Just my 2d worth ...
Add in amavis-milter - then you can do before-acceptance scanning. Almost all the howtos out there configure dual Postfix instances so it goes: accept mail and queue it, scan it, requeue it and deliver to mailbox. The problem is, you are now too late to reject it because it then becomes: accept mail and queue it, scan and reject it - now what? If you "bounce" it then you are now part of the problem as you'll generate huge amounts of backscatter. If you don't bounce it, do you bother telling the user - if so, then that's no more useful than just delivering the message and tagging it as spam. Or do you silently discard it, which is just so wrong in so many ways - which seems to be why all the big outfits do it.
With pre-queue scanning, it needs a bit more resource at message receipt time, but you have the option to reject the message outright. Any properly configured mail server will then notify the sender of any falsely tagged mail that their message has not been delivered, while spam software will just move on to the next.
Greylisting - most definitely, it gets rid of almost all my spam. There's a few niggles, but mostly it "just works" and you don't notice it.
I'd also suggest adding "Postfix Admin" - a nice web frontend for managing domains, mailboxes, etc.
And Policyd (aka Cluebringer) which provides a nice policy daemon (though fiddly to set up) that will handle quotas (message count/size), greylisting, and some other stuff.
And of course - go over to sslmate and get yourself a real certificate. It's not expensive, but the real benefit is that they provide config snippets for the common software, and it can manage renewals etc.
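The difference between the after-queue layout and the pre-queue (milter) scanning described in the post above, as a Postfix `main.cf` fragment. This is an added example, not part of the original post; the transport name, port and milter socket path are assumptions to be replaced with the values from your own amavis and amavis-milter installation.

```ini
# /etc/postfix/main.cf
# (main.cf has no trailing comments: every comment sits on its own line.)

# --- After-queue scanning: the layout most howtos use -----------------
# Postfix answers "250 queued" first and only then passes the message to
# amavis. When the verdict arrives the SMTP session is already closed, so
# the remaining choices are bounce (backscatter), tag, or silent discard.
# Assumed transport name and port; left commented out here.
#content_filter = smtp-amavis:[127.0.0.1]:10024

# --- Before-queue scanning through a milter ---------------------------
# smtpd passes the message to the milter while the sending server is
# still connected. A bad verdict becomes a 5xx reply at end of DATA, so
# nothing is queued and no bounce is ever generated locally.
# Assumed socket path for amavis-milter.
smtpd_milters = unix:/run/amavis/amavis-milter.sock

# Mail submitted locally (sendmail command, cron output) is not passed
# through the milter.
non_smtpd_milters =

# If the milter is down or times out, answer 4xx so legitimate senders
# retry later. "accept" here would let unscanned mail through.
milter_default_action = tempfail

# Scanning happens inside the SMTP session, so bound how long the
# client is kept waiting for the verdict on the message content.
milter_content_timeout = 300s
```

Apply with `postfix check && postfix reload`. Whether a spam or virus verdict is returned to the client as a reject is decided on the amavis side (`$final_spam_destiny` and `$final_virus_destiny` in amavisd.conf).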