Ok, you have a small postfix deployed, and you need a fast but effective protection from third people using your server as a rocket-delivering-spam.

The first thing to do, is to configure the variable mynetworks to allow only certain netblocks to use postfix to send email all over the world:
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 X.X.X.X/XX
Look out: the ips should be in CIDR notation, so you probably need to apt-get install ipcalc.

Using ipcalc is straight-forward. For example, think our servers are located on the netblock from 188.57.33.80 to 188.57.33.87:
$ ipcalc 188.57.33.80 - 188.57.33.87 deaggregate 188.57.33.80 - 188.57.33.87 188.57.33.80/29
Here it is.

Next level is to configure smtp login, if you don’t have a subnet for your clients.
aptitude install sasl2-bin libsasl2-modules libsasl2-2
Now enable daemon and configure it for being accessed by postfix, editing /etc/default/saslauthd:
START=yes OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

Now tell to postfix to use saslauth in /etc/postfix/sasl/smtpd.conf:
pwcheck_method: saslauthd mech_list: PLAIN LOGIN

And enable it in /etc/postfix/main.cf:
smtpd_sasl_auth_enable = yes broken_sasl_auth_clients = yes smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

In case of:

postfix/smtpd[638]: warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied

Hint: add postfix to sasl group:
$ adduser postfix sasl