Recipe 21.9. Setting Up SpamAssassin on Postfix with Amavisd-new

21.9.1 Problem

You know that UBE checks at the SMTP level, while useful and efficient, are limited, and you want something smart enough to shoot down spam without requiring a lot of monitoring and tweaking. It needs to integrate into your existing Postfix/Amavisd-new/Clam AV setup.

21.9.2 Solution

SpamAssassin is just what you want. Because this is going onto a system running Amavisd-new, which acts as an SMTP proxy, you install SpamAssassin, then configure it in /etc/amavis/amavisd.conf. You won't use /etc/SpamAssassin/local.cf.

To get started, install SpamAssassin, then edit /etc/amavis/amavisd.conf. In Section 1, comment out:

@bypass_spam_checks_acl  = qw( . );

Section IV tells Amavisd-new what to do with messages marked as spam. This setting delivers them to the recipients:

$final_spam_destiny = D_PASS; # (defaults to D_REJECT)

This setting drops them at the server, with no notice to the sender:

$final_spam_destiny = D_DISCARD; # (defaults to D_REJECT)

Section VII configures SpamAssassin:

$sa_tag_level_deflt  = -999; # add spam info headers if at, or above that level

$sa_tag2_level_deflt = 5.0; # add 'spam detected' headers at that level

$sa_kill_level_deflt = -999; # triggers spam evasive actions

# string to prepend to Subject header field when message exceeds tag2 level

$sa_spam_subject_tag = '***SPAM*** ';

And finally, the "amavis" user must own SpamAssassin files:

# chown -R amavis:amavis /usr/share/spamassassin

21.9.3 Discussion

The question of whether to drop spam at the server or pass it on to users is up to you. If you allow delivery, users can easily set up filters in their mail clients to route the spam to wherever they want to put it, filtering on the "***SPAM***" subject line.

A third option is to reject the spam, and also send a 5xx nondelivery message:

$final_spam_destiny = D_REJECT

This is the correct behavior for an MTA, but I don't see any point in wasting bandwidth on SMTP messages to fake addresses just to adhere to protocol.

The fourth, and absolute worst, option is to bounce the spam. Since the vast majority of spammers use fake return addresses, and any tiny fraction who use honest return addresses won't care, all this does is waste bandwidth and clog the Internet uselessly.

Postfix accepts mail on port 25, then forwards it to 127.0.0.1:10024 where Amavisd-new is listening. Amavisd-new puts SpamAssassin and Clam AV through their paces, then hands the mail back to the Postfix instance running on 127.0.0.1:10025. The second Postfix instance reinjects mail into the queue without any further interference.

If you miss your Postfix whitelists, which were overridden when Amavisd-new was installed (see Recipe Recipe 21.8), you can reimplement them in /etc/amavis/amavisd.conf (Section V: Per-recipient and per-sender handling, whitelisting). However, I suggest giving SpamAssassin and Clam AV a good test drive before adding more controls. Most likely they will do the best job, with the lowest error rate.

21.9.4 See Also

• The SpamAssassin Wiki (http://wiki.apache.org/spamassassin/FrontPage), for howtos and help

• Local Amavisd-new documentation (/usr/share/doc/amavisd-new, amavisd-new(8), and /usr/share/doc/amavisd-new/README.postfix)