How to make SpamAssassin reject mail based on score?

I am running Linux with Postfix, Dovecot, Postgrey and SpamAssassin/spamd.

This is my main.cf:

smtpd_recipient_restrictions = permit_sasl_authenticated,
                               permit_mynetworks,
                               reject_unauth_destination,
                               reject_invalid_hostname,
                               reject_unauth_pipelining,
                               reject_non_fqdn_sender,
                               reject_unknown_sender_domain,
                               reject_non_fqdn_recipient,
                               reject_unknown_recipient_domain,
                               check_policy_service inet:127.0.0.1:10030

I got SpamAssassin to add a spam header to other emails that Postfix didn't catch, but how do I make it reject?


Solution 1:

You can configure Postfix to use SpamAssassin/Amavis as a proxy filter. This way you prevent bounces: the connection to the remote SMTP side will remain open until the spam checks are done, and Postfix will respond with either an OK or a REJECTED message. This way, the remote side is responsible for bounces.

# master.cf

# mail inbound
smtp      inet  n       -       -       -       -       smtpd
    -o smtpd_proxy_filter=127.0.0.1:10024
    -o smtpd_client_connection_count_limit=10
    -o smtpd_proxy_options=speed_adjust

# SpamAssassin/Amavis is listening on port 10024 and sending its
# checked mail to port 10025
amavis    unix  -       -       n       -       2       smtp
   -o smtp_data_done_timeout=1200
   -o smtp_send_xforward_command=yes
   -o disable_dns_lookups=yes

# SMTP return (from Amavis/SpamAssassin)
localhost:10025 inet  n -       n       -      -        smtpd
   -o content_filter=
   -o local_recipient_maps=
   -o relay_recipient_maps=
   -o smtpd_restriction_classes=
   -o smtpd_client_restrictions=
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o smtpd_override_options=no_address_mappings
   -o mynetworks=127.0.0.0/8
   -o receive_override_options=no_unknown_recipient_checks

# main.cf

# for rejecting spam
header_checks = pcre:/etc/postfix/header_checks

# header_checks

/X-Spam-Level: \*{9,}/ REJECT Looks like spam to me.

If you are using Amavis to call SpamAssassin, you can let Amavis reject the mail for you - the reject threshold can be configured with $sa_kill_level_deflt. Add ,no_header_body_checks to the receive_override_options at the SMTP return entry when using Amavis.
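
An added example, not part of the answer above: a Python approximation of how the header_checks rule from Solution 1 is evaluated, run over constructed headers, including the case where the unanchored pattern matches the same text quoted inside another header. It assumes SpamAssassin's default X-Spam-Level format (one `*` per whole point of score) and pcre_table's default flags; `header_check`, `make_headers` and the anchored rule variant are hypothetical names introduced here.

```python
import re
from email.parser import HeaderParser
from email.policy import compat32

ACTION = "REJECT Looks like spam to me."
# Pattern exactly as in the answer's header_checks file.
ANSWER_RULE = (r"X-Spam-Level: \*{9,}", ACTION)
# Assumption: anchored variant added for this example, not from the answer.
ANCHORED_RULE = (r"^X-Spam-Level: \*{9,}", ACTION)

# pcre_table defaults: case-insensitive, "." matches newline, "^" only at start.
FLAGS = re.IGNORECASE | re.DOTALL


def header_check(raw_headers, rules):
    """Return the action of the first rule matching a header, else None.

    Each header (continuation lines included) is tested as one string of
    the form "Name: value", approximating Postfix header_checks.
    """
    msg = HeaderParser(policy=compat32).parsestr(raw_headers)
    for name, value in msg.items():
        logical = f"{name}: {value}"
        for pattern, action in rules:
            if re.search(pattern, logical, FLAGS):
                return action
    return None


def make_headers(stars, subject="hello", level_name="X-Spam-Level"):
    """Build constructed sample headers with the given number of stars."""
    return (
        "From: sender@example.org\n"
        "To: user@example.net\n"
        f"Subject: {subject}\n"
        f"{level_name}: {'*' * stars}\n\n"
    )


if __name__ == "__main__":
    for stars in (3, 8, 9, 14):
        print(stars, header_check(make_headers(stars), [ANSWER_RULE]))
    quoted = make_headers(1, subject="Fwd: X-Spam-Level: *********")
    print("unanchored:", header_check(quoted, [ANSWER_RULE]))
    print("anchored:  ", header_check(quoted, [ANCHORED_RULE]))
```

On a live system the real table can be queried directly with `postmap -q "X-Spam-Level: *********" pcre:/etc/postfix/header_checks`.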

Solution 2:

In general you don't want to reject anything. Most spam has forged headers, so people may get bouncebacks that don't belong to them, and you're just creating headaches for those people and their administrators (or basically creating spam yourself by flooding mailboxes with incorrect bounces).

A better thing to do is to hold the spam or put it into a spam folder so users can still get access to the spam in case it actually isn't spam, and just set your mail client to delete that mail when it is aged far enough that you're fairly sure you won't need it.

Other than that, configure your mail server for first-line defenses...you can set it to use SPF, make sure it's strict with RFCs, etc...if you want to go one step further, have it check with RBLs to reject mail that is in the blackhole lists. It's strong-handed, but it's up to you if you want to go with those lists as it may periodically block out servers that are incorrectly added, but on the other hand email isn't the reliable communications medium that people think it is. Email may or may not make it, and if something is life or death important, communicate over another medium to verify receipt...spammers ruin it for everyone.