Bots and other malicious actors send a lot of spam via email. They try to exploit vulnerabilities on servers (e.g., your VPS) to send spam from an infected mail server. Therefore, it is important to use anti-spam software on your mail server in addition to good overall VPS security.
In this tutorial, we show how to use SpamAssassin as spam protection for a mail server with Postfix and Dovecot.
- For the steps in this guide, you need a VPS running Ubuntu, Debian, CentOS Stream, AlmaLinux, or Rocky Linux with Postfix and Dovecot installed. A separate guide explains how to install and configure Postfix and Dovecot; we assume you have completed it.
- Execute the commands in this guide with sudo, or as the root user.
SpamAssassin in short
SpamAssassin scans mail for elements that it recognizes as possible spam characteristics, such as:
- A small amount of text relative to the number of images in an email
- An email subject consisting of uppercase letters
- An invalid or absent DKIM record (more and more parties automatically block email as spam if it doesn't have DKIM; see also this guide)
- etc.
When SpamAssassin sees such characteristics, it assigns a score for that characteristic. The score is higher when the specific characteristic often appears in spam. SpamAssassin adds up all the scores, and if it reaches a pre-set value, the email is blocked as spam.
Installing and configuring SpamAssassin
Step 1
Connect to your VPS via SSH or the VPS console in the TransIP control panel.
Step 2
Install SpamAssassin with:
Ubuntu & Debian:
apt -y install spamassassin
CentOS Stream, AlmaLinux & Rocky Linux:
dnf -y install spamassassin
Step 3
Then open the master configuration of Postfix:
nano /etc/postfix/master.cf
Step 4
Expand the smtp line at the top of the file so that it looks like this:
smtp inet n - n - - smtpd -o content_filter=spamassassin
Then scroll all the way to the bottom of the file and add the following code:
spamassassin unix - n n - - pipe flags=R user=spamd argv=/usr/bin/spamc -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
Save the changes and close the file (ctrl + x > y > enter).
Step 5
By default, SpamAssassin is set to block email with a score of 5 (see 'SpamAssassin in short'). This is quite strict and can lead to false positives. We see this most often when older email software is used to send emails. Old software often makes formatting errors in the emails it sends, which can cause them to be marked as spam.
We therefore recommend using a value between 7 and 10 instead of 5. You can adjust this in the following file:
nano /etc/mail/spamassassin/local.cf
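Adjust the value of required_hits to the desired value (current SpamAssassin releases call this option required_score and still accept required_hits as an alias), for example: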
required_hits 8
Spam messages get the addition [SPAM] behind the subject. You are free to adjust this by modifying the line rewrite_header Subject [SPAM].
Save the changes and close the file (ctrl + x > y > enter).
Individual SpamAssassin rules can be found in the files in /usr/share/spamassassin. The content of these files is outside the scope of this guide.
Step 6
Then add a user for SpamAssassin so that Postfix can communicate with SpamAssassin:
groupadd spamd
useradd -g spamd -s /bin/false -d /var/log/spamassassin spamd
mkdir -p /var/log/spamassassin
chown spamd:spamd /var/log/spamassassin
Step 7
Enable SpamAssassin at boot, update the spam rules, and restart SpamAssassin and Postfix:
systemctl enable spamassassin
sa-update
systemctl restart spamassassin
systemctl restart postfix
Step 8 - optional
You can automatically update the spam rules via a cron job, for example by opening crontab (with sudo or as root):
crontab -e
Add the following line at the bottom of the file. This updates the spam rules every Sunday at 0:00:
0 0 * * 0 sa-update && systemctl restart spamassassin
Save the changes and finally close crontab with :wq!
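To judge the threshold chosen in step 5 against mail that has already passed through the filter, the following added example (not part of the original guide) reads the X-Spam-Status header that SpamAssassin adds to scanned mail and shows which messages are flagged at 5 versus 8. The sample messages are constructed, and the function names parse_status, flagged and released are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample messages for illustration, not taken from a real mailbox.
SAMPLES = [
    "Subject: Invoice March\n"
    "X-Spam-Status: No, score=1.2 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,\n"
    "\tHTML_MESSAGE autolearn=ham autolearn_force=no version=3.4.6\n\nbody\n",
    "Subject: NEWSLETTER\n"
    "X-Spam-Status: Yes, score=6.4 required=5.0 tests=HTML_IMAGE_ONLY_08,\n"
    "\tMIME_HTML_ONLY,SUBJ_ALL_CAPS autolearn=no autolearn_force=no\n"
    "\tversion=3.4.6\n\nbody\n",
    "Subject: WIN NOW\n"
    "X-Spam-Status: Yes, score=14.9 required=5.0 tests=BAYES_99,DKIM_INVALID,\n"
    "\tSUBJ_ALL_CAPS,URIBL_BLACK autolearn=spam autolearn_force=no\n"
    "\tversion=3.4.6\n\nbody\n",
    "Subject: Not scanned\n\nbody\n",  # no X-Spam-Status header
]

def parse_status(raw):
    """Return (subject, score, rule_names), or None if the mail was not scanned."""
    msg = message_from_string(raw)
    status = msg.get("X-Spam-Status")
    if status is None:
        return None
    # Long headers are folded over several lines; join them and close the
    # gaps the folding leaves inside the comma-separated rule list.
    status = re.sub(r",\s+", ",", " ".join(status.split()))
    # Very old SpamAssassin releases wrote hits= instead of score=.
    score = re.search(r"\b(?:score|hits)=(-?\d+(?:\.\d+)?)", status)
    tests = re.search(r"\btests=(\S*)", status)
    if score is None:
        return None
    names = tests.group(1).split(",") if tests else []
    rules = [r for r in names if r and r != "none"]
    return msg.get("Subject", ""), float(score.group(1)), rules

def flagged(raw_messages, threshold):
    """Subjects of the mails whose total score reaches the threshold."""
    parsed = filter(None, map(parse_status, raw_messages))
    return [subject for subject, score, _ in parsed if score >= threshold]

def released(raw_messages, old, new):
    """Mails that count as spam at `old` but not at `new`, with the rules they hit."""
    parsed = filter(None, map(parse_status, raw_messages))
    return {subj: rules for subj, score, rules in parsed if old <= score < new}

if __name__ == "__main__":
    for limit in (5, 8):
        print(f"required_hits {limit}: {flagged(SAMPLES, limit)}")
    print("released when raising 5 -> 8:", released(SAMPLES, 5, 8))
```

The rule names listed for each released message show which characteristics pushed it over the old threshold, which helps decide whether it was a false positive.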
This brings us to the end of this tutorial. However, there is an additional check you can perform to see if mail is spam: blacklist checking. We explain how to enable blacklist checking in a separate tutorial.