You could create an "ipset" [1] based on your blacklist. Then you'd use a single "iptables" [2] rule to block all traffic from ipset "MyBlacklist" to port 25 (or multiple ports or any port). This way, attacker traffic can't reach the Postfix port, without annoying Postfix with it at all. You can decide whether you want to actively REJECT the TCP connections from blacklisted hosts or whether you want your system to silently discard their traffic as if your host were offline (DROP).
If your blacklist changes from time to time, you could update your ipset using a shell script / cron job.

Example help pages:
[1]: https://wiki.archlinux.org/title/Ipset
[2]: https://wiki.archlinux.org/title/Iptables
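
A sketch of the update script suggested above, as an added example that is not part of the original post. It assumes a blacklist file at the hypothetical path `/etc/postfix/blacklist.txt` with one IPv4 address or CIDR per line, validates each entry before handing it to `ipset restore`, and swaps the refreshed set in atomically; run it as root with the argument `apply`, for example from cron.

```shell
#!/bin/sh
# Added example. Assumed: file path, file format (one IPv4 address or CIDR
# per line, '#' comments allowed), port 25 and the DROP target.
SET=MyBlacklist
TMP="${SET}-new"
LIST=${LIST:-/etc/postfix/blacklist.txt}   # hypothetical path

# Succeed only for a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_entry() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    addr=${1%%/*}; old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Read a blacklist on stdin and print "add" lines in ipset restore format for
# the set named in $1. Invalid lines are reported on stderr and skipped, so
# nothing unexpected from the file reaches ipset.
gen_adds() {
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
        [ -n "$entry" ] || continue
        if valid_entry "$entry"; then
            printf 'add %s %s\n' "$1" "$entry"
        else
            printf 'skipped invalid entry: %s\n' "$entry" >&2
        fi
    done
}

# Constructed sample input (documentation address ranges), for a dry run.
sample_blacklist() {
    printf '%s\n' '# constructed sample' '192.0.2.15' \
        '198.51.100.0/24   # spam source' '203.0.113.999' 'example.invalid'
}

apply() {
    ipset create "$SET" hash:net -exist
    ipset create "$TMP" hash:net -exist
    ipset flush "$TMP"
    gen_adds "$TMP" < "$LIST" | ipset restore -exist || return 1
    ipset swap "$TMP" "$SET"   # atomic: the rule never sees a half-filled set
    ipset destroy "$TMP"
    rule="INPUT -p tcp --dport 25 -m set --match-set $SET src -j DROP"
    # -C checks whether the rule exists, so repeated runs do not duplicate it.
    iptables -C $rule 2>/dev/null || iptables -I $rule
}

case "${1:-}" in apply) apply ;; esac
```

Running `sample_blacklist | gen_adds MyBlacklist-new` prints the restore lines without touching the firewall, which is a convenient way to check a new list before the cron job applies it.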