Postfix antispam with Spamassassin

Bots and other malicious actors send a lot of spam via email. They try to exploit vulnerabilities on servers (e.g., your VPS) to send spam from an infected mail server. Therefore, it is important to use anti-spam software on your mail server in addition to good overall VPS security.

In this tutorial, we show how to use SpamAssassin as spam protection for a mail server with Postfix and Dovecot.

SpamAssassin in short

SpamAssassin scans mail for elements that it recognizes as possible spam characteristics, such as:

• A small amount of text relative to the number of images in an email
• An email subject consisting of uppercase letters
• An invalid or absent DKIM record (more and more parties automatically block email as spam if it doesn't have DKIM; see also this guide)
• etc.

When SpamAssassin sees such characteristics, it assigns a score for that characteristic. The score is higher when the specific characteristic often appears in spam. SpamAssassin adds up all the scores, and if it reaches a pre-set value, the email is blocked as spam.

Installing and configuring SpamAssassin

Step 1

Connect to your VPS via SSH or the VPS console in the TransIP control panel.

Step 2

Install SpamAssassin with:

Ubuntu & Debian:

apt -y install spamassassin

CentOS Stream, AlmaLinux & Rocky Linux:

dnf -y install spamassassin

Step 3

Then open the master configuration of Postfix:

nano /etc/postfix/master.cf

Step 4

Expand the smtp line at the top of the file so that it looks like this:

smtp      inet  n       -       n       -       -       smtpd -o content_filter=spamassassin

Then scroll all the way to the bottom of the file and add the following code:

spamassassin unix - n n - - pipe flags=R user=spamd argv=/usr/bin/spamc -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Save the changes and close the file (ctrl + x > y > enter).

Step 5

By default, SpamAssassin is set to block email with a score of 5 (see 'SpamAssassin in brief'). This is quite strict and can lead to false positives. We see this, for example, more often when older email software is used to send emails. Old software often contains errors in the formatting of the emails, which can cause them to be marked as spam.

We therefore recommend using a value between 7 and 10 instead of 5. You can adjust this in the following file:

nano /etc/mail/spamassassin/local.cf

Adjust the value of required_hits to the desired value, for example:

required_hits 8

Spam messages get the addition [SPAM] behind the subject. You are free to adjust this by modifying the block rewrite_header Subject [SPAM].

Save the changes and close the file (ctrl + x > y > enter).

Step 6

Then add a user for SpamAssassin so that Postfix can communicate with SpamAssassin:

groupadd spamd
    useradd -g spamd -s /bin/false -d /var/log/spamassassin spamd
    chown spamd:spamd /var/log/spamassassin

Step 7

Restart SpamAssassin, update the spam rules, and restart Postfix:

systemctl enable spamassassin
    systemctl start spamassassin

Step 8 - optional

You can automatically update the spam rules via a cron job, for example by opening crontab (with sudo or as root):

crontab -e

Add the following line at the bottom of the file. This updates the spam rules every Sunday at 0:00:

0 0 * * 0 sa-update && systemctl restart spamassassin

Save the changes and finally close crontab with :wq!

This brings us to the end of this tutorial. However, there are additional checks you can perform to see if mail is spam: blacklist checking. We explain how to enable blacklist checking in this tutorial.

If you have any questions based on this guide, do not hesitate to contact our support department. You can reach them via the 'Contact us' button at the bottom of this page.