I'd also recommend turning of hostname lookups and identd lookups in tcpserver's command line.
I have my clients use port 587 whenever possible, because I use RBLs on
port 25 that block some dynamic address ranges.
Is there a better practice for this?
You may want to look at the REQUIREAUTH patch (I had to modify it slightly to make it work with newer smtpauth versions) as well, making sure that only smtp authentication can be used on port 587. While spammers don't submit mail to 587 to date, who knows when that may start. Plus, it lets me ensure that nobody is using the pop-before-smtp on port 587. When we have them on the phone and are changing settings, might as well check 'enable authentication'
Some discussion is here about using SSL instead ('requires a secure connection'), but that's up to you. Some versions of outlook confuse users with 'use secure password authentication SPA' which works with exchange servers... Every time I told soemone to turn on SSL, SPA was turned on and it didn't authenticate properly.