How To Ensure That My Server Isn't Bulk / Spam Sender
I have a few clients which use the email server for regular emailing needs.
My question is, how do I ensure that a client or anybody isn't using this machine to send spam, to send bulk emails, etc.?
I have logwatch send me email daily which mentions
xx messages checked and passed by amavisd
xx send via smtp Postfix
Is that it? Am I 100 percent safe, or may there still be some loophole?
2 Replies
Postfix will, to the best of my knowledge, send anything it's told to send. The best you can do is to ensure that it's not set to act as a mail relay for other servers, and that it is set to allow only authenticated users to send emails.
Although I personally haven't tried it, I think there should be a way to use SpamAssassin to filter outgoing emails. Trouble is, it may filter out a few legit emails here and there. Spam filtering can never be perfect.
1. Use postfwd[1] to rate-limit the number of emails an account can send per day/hour/whatever. When spammers take over an account to send spam, they typically send a huge volume of spam in a short amount of time, which is hugely damaging to your reputation. Rate-limiting is an effective way to minimize the damage. The following postfwd rules should limit each SASL user to 50 messages per hour and 100 messages per day:
id=R001; sasl_username=~/./; action=rate(sasl_username/100/86400/REJECT only 100 messages per day for $sasl_username)
id=R002; sasl_username=~/./; action=rate(sasl_username/50/3600/REJECT only 50 messages per hour for $sasl_username)
2. Monitor the major blacklists for your IP address (you can do this yourself or use a free service such as mxtoolbox[2]), so you'll get alerted if your server is ever blacklisted. Then you'll know to look for a compromised account and apply for removal from blacklists. Policies vary between blacklist operators, but for the most part they're willing to de-blacklist you if you say you had a compromised account which you've taken care of. (I've administered email systems used by hundreds of users and this has happened to me a few times.)
Hope this helps.
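As an added example (not code from either reply), the following Python script applies the same per-hour and per-day thresholds that the postfwd rules above enforce, but retrospectively over Postfix smtpd log lines, so an account whose sending volume spikes can be spotted from the mail log even on a server that does not run postfwd. The log lines, host names and user names are constructed samples.

```python
import re
from collections import Counter

# Constructed sample of Postfix smtpd log lines (not from the original post).
# Authenticated submissions log a sasl_username= field on the client= line.
SAMPLE_LOG = """\
Mar  3 10:01:12 mx postfix/smtpd[2211]: 1A2B3C4D5E: client=host1[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Mar  3 10:02:40 mx postfix/smtpd[2211]: 6F7A8B9C0D: client=host2[192.0.2.11], sasl_method=LOGIN, sasl_username=bob@example.com
Mar  3 10:03:05 mx postfix/smtpd[2211]: 1E2F3A4B5C: client=host1[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Mar  3 10:03:06 mx postfix/smtpd[2211]: 6D7E8F9A0B: client=host1[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Mar  3 10:03:07 mx postfix/smtpd[2211]: 1C2D3E4F5A: client=host1[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Mar  3 10:05:00 mx postfix/smtpd[2211]: 6B7C8D9E0F: client=host3[192.0.2.12]
Mar  3 11:15:00 mx postfix/smtpd[2211]: 1A2B3C4D5F: client=host2[192.0.2.11], sasl_method=LOGIN, sasl_username=bob@example.com
Mar  3 11:16:00 mx postfix/smtpd[2211]: 6F7A8B9C0E: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=carol@example.com
"""

# Day and hour are captured separately so counts can be bucketed per hour or per day.
LINE_RE = re.compile(
    r"^(?P<day>[A-Z][a-z]{2}\s+\d{1,2}) (?P<hour>\d\d):\d\d:\d\d \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>\w+): client=(?P<client>[^,\s]+), sasl_method=\S+, sasl_username=(?P<user>\S+)$"
)

def parse_submissions(log_text):
    """Yield (day, hour, user, client) for each authenticated submission line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # unauthenticated or unrelated lines are ignored
            yield m.group("day"), m.group("hour"), m.group("user"), m.group("client")

def count_per_user(log_text, per_hour=True):
    """Count submissions per SASL user, bucketed per hour (default) or per day."""
    counts = Counter()
    for day, hour, user, _client in parse_submissions(log_text):
        bucket = f"{day} {hour}:00" if per_hour else day
        counts[(user, bucket)] += 1
    return counts

def flag_over_limit(log_text, per_hour_limit=50, per_day_limit=100):
    """Return {user: [(bucket, count, limit), ...]} for buckets exceeding either limit."""
    flagged = {}
    for per_hour, limit in ((True, per_hour_limit), (False, per_day_limit)):
        for (user, bucket), n in count_per_user(log_text, per_hour).items():
            if n > limit:
                flagged.setdefault(user, []).append((bucket, n, limit))
    return flagged

if __name__ == "__main__":
    for user, hits in flag_over_limit(SAMPLE_LOG, per_hour_limit=3, per_day_limit=5).items():
        print(user, hits)
```

Run it against /var/log/mail.log with the 50/100 defaults to match the postfwd rules; the tiny limits in the demo only exist to make the sample data trip the check.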