It's just about impossible to completely avoid all spam, though there are settings that I have found work well and are minimally disruptive to legitimate email.
Here are the settings I typically use:
1. Use RBLs. I use the following RBL zones (Edit: updated 1/2/07): zen.spamhaus.org, bl.spamcop.net, list.dsbl.org
2. Deny RCPT Hacks - on
3. SPF fail check - on
4. Use Greylisting - optional - can cut down on a lot of spam, but will delay a good amount of email and spammers are also catching on and resending. Occasionally you run into a bad mail server that doesn't retry frequently enough, so sometimes you lose legitimate email. The delay can be annoying to end-users, so I usually leave it off, as getting spam is better than not getting email when you're running a business.
5. Verify recipient - ON
6. File Extension Filter. I filter exe, scr, bat, cmd and pif files.
7. Turn on virus protection if you have it.
8. I don't use the built-in Spam Protection having found it to not be very effective compared to DSPAM (see below), but it does catch some emails.
On my main mail server I have also been testing DSPAM. It's a bit tricky to set up, but once it's running it seems to do a good job with the spam that makes it past the firewall.