All other things being equal, I’d second what Xiphon said and recommend an external service such as MessageLabs these days.
There are a number of advantages (and a couple of disadvantages) to doing this. Not least of which is, you palm off the admin headache to someone else.
On the email servers I see these days, I’d say that maybe 80% of all email is spam and malware, perhaps higher than that even. Each mail has to be routed, analysed, processed, categorised, etc., which uses system resources. By doing spam handling locally, you’ll need a server four or five times more powerful just to deal with crap you’re going to throw away.
You’ve got the benefit of pooled heuristics (so your filters can learn from other people’s spam as well as your own). This can be a double-edged sword though; for instance, I’ve worked for a financial company where legitimate emails look a lot like ‘make money fast’ type spam.