Monitoring is one of the most important things.
Disable root login, and also disable login for any other user who receives emails. Actually, disable password login altogether. Most important: don't enable services (like FTP) which reveal passwords.
Use tools like fail2ban to keep your log files clean.
Make sure you are aware of backscatter mail and how to configure a mail server to reject undeliverable messages as soon as possible.
These days, using policy services is inescapable, in particular postfwd or postgrey or …
In case your web application needs a decent MTA, choose a slim one.
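To show what a policy service like postgrey actually does behind the `check_policy_service` setting, here is an added example, not code from the post above and not postgrey's or postfwd's own code: a minimal greylisting policy daemon speaking the Postfix SMTP access policy protocol (name=value lines ending in an empty line; reply `action=...` plus an empty line). The listening port 10023, the 300-second delay, the /24 grouping of client addresses and the in-memory state are all assumptions made here for illustration.

```python
"""Minimal Postfix SMTP access policy daemon that implements greylisting.

Added example; not the original post's material and not postgrey/postfwd code.
Wire it into Postfix with (port is an assumption):
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
        reject_unauth_destination, check_policy_service inet:127.0.0.1:10023
Greylisting only makes sense after reject_unauth_destination, so unknown
destinations are rejected before any deferral is issued.
"""
import socketserver
import time

GREYLIST_DELAY = 300  # assumption: seconds a new triplet is deferred

# Constructed sample request in the format Postfix sends (not a captured one).
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "client_address=203.0.113.45\n"
    "client_name=mail.example.net\n"
    "sender=alice@example.net\n"
    "recipient=bob@example.org\n"
    "sasl_username=\n"
    "\n"
)


def parse_policy_request(raw: str) -> dict:
    """Parse one policy request: name=value lines terminated by an empty line."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":          # empty line ends the request
            break
        name, sep, value = line.partition("=")
        if sep:                 # ignore malformed lines without '='
            attrs[name] = value
    return attrs


def format_policy_response(action: str) -> str:
    """Postfix expects 'action=<verb>' followed by an empty line."""
    return f"action={action}\n\n"


class GreylistPolicy:
    """Defer first contact from an unknown (client /24, sender, recipient) triplet."""

    def __init__(self, delay: int = GREYLIST_DELAY, clock=time.time):
        self.delay = delay
        self.clock = clock          # injectable for testing
        self.first_seen = {}        # assumption: in-memory; a real daemon persists this

    @staticmethod
    def client_key(address: str) -> str:
        # Assumption: group IPv4 clients by /24 since mail farms retry from siblings.
        parts = address.split(".")
        return ".".join(parts[:3]) if len(parts) == 4 else address

    def decide(self, attrs: dict) -> str:
        if attrs.get("request") != "smtpd_access_policy":
            return "DUNNO"
        if attrs.get("protocol_state") != "RCPT":
            return "DUNNO"      # only decide once the recipient is known
        if attrs.get("sasl_username"):
            return "DUNNO"      # authenticated submission is never greylisted
        triplet = (
            self.client_key(attrs.get("client_address", "")),
            attrs.get("sender", "").lower(),
            attrs.get("recipient", "").lower(),
        )
        now = self.clock()
        seen = self.first_seen.setdefault(triplet, now)
        if now - seen < self.delay:
            # DEFER_IF_PERMIT: Postfix defers only if no later restriction rejects.
            return "DEFER_IF_PERMIT Greylisted, please try again later"
        return "DUNNO"          # known triplet: let the remaining restrictions decide


def handle_request(policy: GreylistPolicy, raw: str) -> str:
    """Full round trip: raw request text in, wire-format response out."""
    return format_policy_response(policy.decide(parse_policy_request(raw)))


class PolicyHandler(socketserver.StreamRequestHandler):
    """One connection; Postfix may send several requests per connection."""

    policy = GreylistPolicy()

    def handle(self):
        while True:
            lines = []
            while True:
                line = self.rfile.readline()
                if not line:            # peer closed the connection
                    return
                if line in (b"\n", b"\r\n"):
                    break
                lines.append(line.decode("utf-8", "replace").rstrip("\r\n"))
            raw = "\n".join(lines) + "\n\n"
            self.wfile.write(handle_request(self.policy, raw).encode())
            self.wfile.flush()


if __name__ == "__main__":
    # Assumption: listen on localhost:10023 like a Debian postgrey install.
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10023), PolicyHandler) as srv:
        srv.serve_forever()
```

The decision is returned as `DEFER_IF_PERMIT` rather than `DEFER` so that a later restriction in `smtpd_recipient_restrictions` can still reject outright, which keeps bogus recipients from being queued and later bouncing as backscatter.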