Restrictions for postfix submission port


I would like to set up Postfix (on Ubuntu 14.04) to use the submission port, but I'm worried it may become an open relay. I would like to know what the best restrictions are for each of the restriction lists (which by default have the $mua_ variables, meaning basically no restrictions at all?)

Here is the default master.cf configuration in Ubuntu:

submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

And here is what postconf -Mx (will expand the $mua_ variables) says:

submission inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions= 
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

So, here I'm guessing that, as long as the user is a SASL authenticated user, he or she will be able to send emails using whichever account and to any destination, with no helo or client restrictions (I'm guessing this is because MUAs, like Outlook, and not servers will be connecting to this port, so you don't want to be too picky).

Some restrictions I think would be nice despite that fact would be:

  • reject_non_fqdn_sender and reject_unlisted_sender for smtpd_sender_restrictions
  • reject_non_fqdn_recipient for smtpd_recipient_restrictions

What are other desirable restrictions on these restriction lists?

Best Answer

It will never become an open relay if you are requiring authentication.

If you are worried your users do not use good passwords, you could restrict networks to specific IP ranges, either with Postfix, iptables, or external firewalls.

Another good thought would be to add fail2ban as a brute force protection mechanism.

As with any email system, you should always monitor for abuse; be sure to have a valid postmaster mailbox as well as abuse. Also, monitoring RBLs and being set up with feedback loops is good practice.
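
The check below is an added example, not part of the original question or answer: it parses `postconf -Mx` style output and reports whether the submission entry still requires TLS and SASL and relays only for authenticated clients. The function names, the `SAMPLE` text (constructed from the output quoted in the question) and the finding messages are assumptions of this example; only the simple `-o name=value` form is handled.

```python
import re

# Constructed sample: the submission entry as printed by `postconf -Mx` in the question.
SAMPLE = """\
submission inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
"""

# Relay-list entries that accept mail without a SASL login.
UNAUTHENTICATED = {
    "permit": "bare 'permit' relays for any client",
    "permit_mynetworks": "relays by client IP, without authentication",
}

def parse_overrides(text, service="submission"):
    """Collect the `-o name=value` overrides of one master.cf service."""
    opts, active = {}, False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():        # unindented line starts a new service entry
            active = line.split()[0] == service
        if active:                       # simple name=value form only, no {braces}
            opts.update(re.findall(r"-o\s+(\w+)=(\S*)", line))
    return opts

def audit(opts):
    """Return findings; an empty list means TLS and SASL are on and relay is auth-only."""
    findings = []
    if opts.get("smtpd_tls_security_level") != "encrypt":
        findings.append("TLS is not mandatory on this port")
    if opts.get("smtpd_sasl_auth_enable") != "yes":
        findings.append("SASL authentication is not enabled")
    relay = [r for r in re.split(r"[,\s]+", opts.get("smtpd_relay_restrictions", "")) if r]
    for r in relay:
        if r in UNAUTHENTICATED:
            findings.append(f"{r}: {UNAUTHENTICATED[r]}")
    if not relay or relay[-1] != "reject":
        findings.append("smtpd_relay_restrictions does not end in reject")
    return findings

if __name__ == "__main__":
    print(audit(parse_overrides(SAMPLE)) or "no findings")
```

Feeding it the real output of `postconf -Mx` after each master.cf change catches an override that was loosened by accident.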