Require SMTP AUTH for mail submission and turn on appropriate logging, so abuse can be traced.

Set ACIs in the directory appropriately for your environment.

Enable SSL for LDAP, IMAP, POP, and web mail to provide secure transmission.

Configure and support PGP/digital signatures if non-repudiation and sender validation are required.

Configure and support SMIME or encrypted messages if absolute privacy required.

Keep in mind that each layer of security at this level adds administrative and support overhead.