How to make spamassasin reject mail based on score?

Question

I am running Linux with Postfix, Dovecot, Postgrey and spamassasin/spamd.

This is my main.cf

smtpd_recipient_restrictions = permit_sasl_authenticated,
                               permit_mynetworks,
                               reject_unauth_destination,
                               reject_invalid_hostname,
                               reject_unauth_pipelining,
                               reject_non_fqdn_sender,
                               reject_unknown_sender_domain,
                               reject_non_fqdn_recipient,
                               reject_unknown_recipient_domain,
                               check_policy_service inet:127.0.0.1:10030

I got spamassasin to add spam header to other emails that postfix didn't catch, but how to make it reject?

As an aside you could greatly reduce your spam by adding reject_rbl_client bl.spamcop.net and reject_rbl_client zen.spamhaus.org to your smtpd_recpient_restrictions line. — Aaron Tate, Jun 01 '10 at 03:49
Thanks I will try, will these lists cache or they will query it every time? — Van Nguyen, Jun 01 '10 at 04:45
Query for every request. If you want caching, take a look at http://www.policyd-weight.org — weeheavy, Dec 29 '10 at 09:47
spamass-milter has an option for this. See https://www.nesono.com/node/220 — David Grayson, Dec 19 '16 at 19:39

score 9 · Accepted Answer · answered Jan 23 '14 at 15:02

You can configure postfix to use Spamassasin/Amavis as a proxy-filter. This way you prevent bounces: The connection to the SMTP remote side will remain open until the spam checks are done and postfix will response either with a OK or REJECTED message. This way, the remote side is responsible for bounces.

# master.cf

# mail inbound
smtp      inet  n       -       -       -       -       smtpd
    -o smtpd_proxy_filter=127.0.0.1:10024
    -o smtpd_client_connection_count_limit=10
    -o smtpd_proxy_options=speed_adjust

# spamassasin/amavis is listening to port 10024 and sending it's
# checked mail to port 10025
amavis    unix  -       -       n       -       2       smtp
   -o smtp_data_done_timeout=1200
   -o smtp_send_xforward_command=yes
   -o disable_dns_lookups=yes

# SMTP return (from amavis/spamassasin)
localhost:10025 inet  n -       n       -      -        smtpd
   -o content_filter=
   -o local_recipient_maps=
   -o relay_recipient_maps=
   -o smtpd_restriction_classes=
   -o smtpd_client_restrictions=
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o smtpd_override_options=no_address_mappings
   -o mynetworks=127.0.0.0/8
   -o receive_override_options=no_unknown_recipient_checks

# main.cf

# for rejecting spam
header_checks = pcre:/etc/postfix/header_checks

# header_checks

/X-Spam-Level: \*{9,}/ REJECT Looks like spam to me.

If you are using Amavis to call spamassasin, you can let Amavis reject the mail for you - the reject threashold can be configured with $sa_kill_level_deflt. Add ,no_header_body_checks to the receive_override_options at the SMTP return entry when using Amavis.

Note that it might be simpler to use the newer milter interface of postfix. — Dominik Heidler, Dec 08 '15 at 11:39

score 1 · Answer 2 · answered May 31 '10 at 14:08

In general you don't want to reject anything. Most spam has forged headers, so people may get bouncebacks that don't belong to them, and you're just creating headaches for those people and their administrators (or basically creating spam yourself by flooding mailboxes with incorrect bounces).

Better thing to do is hold the spam or put it into a spam folder so users can still get access to the spam in case it actually isn't spam, and just set your mail client to delete that mail when it is aged far enough that you're fairly sure you won't need it.

Other than that, configure your mail server for first line defenses...you can set it to use SPF, make sure it's strict with RFC's, etc...if you want to go one step further, have it check with RBL's to reject mail that is in the blackhole lists. It's stronghanded, but it's up to you if you want to go with those lists as it may periodically block out servers that are incorrectly added, but on the other hand email isn't the reliable communications medium that people think it is. Email may or may not make it, and if something is life or death important, communicate over another medium to verify receipt...spammers ruin it for everyone.

I don't think postfix bounce rejected mails, it just doesn't get added in the queue. — Van Nguyen, May 31 '10 at 14:18
rejecting is not bouncing. http://www.dontbouncespam.org/#BVR — ElementalStorm, Jan 08 '16 at 15:32

score 0 · Answer 3 · answered May 17 '21 at 09:32

When using your spamfilter via the milter protocol, you can have additional header checks afer the milter filters: http://www.postfix.org/header_checks.5.html

milter_header_checks (default: empty)

These are applied to headers that are added with Milter applications. This feature is available in Postfix 2.7 and later.

score 0 · Answer 4 · answered May 31 '10 at 13:55

The best idea is to simply filter it based on the score. It will happen on occasion that an important e-mail gets snagged by SA, and you don't want to permanently lose that e-mail (plus end users will think it's just never getting delivered).

On my personal server, anything with a score above 3.5 get delivered to the user's Spam folder. That way it always gets delivered, and the user has access to it. There then a cronjob that deletes anything older than 3 weeks in that folder.

Deleting mails automatically (even when they're recognized as spam) is a really bad idea. It may even lead to legal consequences. — ckruse, Jan 19 '15 at 09:56

How to make spamassasin reject mail based on score?

4 Answers4

Linked