Understanding SpamAssassin Integration with Postfix
Email spam drains business productivity and clogs mail servers. SpamAssassin offers content-based filtering that works directly with Postfix to catch unwanted messages before they reach users.
This guide shows you how to set up Postfix spam protection with SpamAssassin. You'll create a solid defense without blocking legitimate mail.
We'll use Amavis as the interface layer between Postfix and SpamAssassin. This setup gives you precise control over spam scoring while keeping mail delivery reliable for your users.
Hostperl VPS hosting provides the resources you need to run effective mail filtering without performance bottlenecks.
Prerequisites and Server Requirements
Start with a clean Ubuntu 22.04 or 24.04 VPS with at least 2GB RAM. SpamAssassin needs memory for rule processing and message analysis.
Your Postfix server should already handle inbound mail correctly. Test basic mail delivery before adding spam filtering layers.
Update your system packages:
sudo apt update
sudo apt upgrade -y
Install required packages for the complete setup:
sudo apt install postfix amavisd-new spamassassin clamav-daemon libnet-dns-perl libmail-spf-perl pyzor razor -y
Install and Configure SpamAssassin
Enable the SpamAssassin daemon and configure basic settings. Edit the main configuration:
sudo nano /etc/default/spamassassin
Set these essential options:
ENABLED=1
OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
PIDFILE="/var/run/spamd.pid"
CRON=1
The --max-children 5 setting limits concurrent SpamAssassin processes. Adjust based on your VPS memory capacity.
Configure SpamAssassin's main settings:
sudo nano /etc/spamassassin/local.cf
Add these core configuration options:
# Required score to mark as spam
required_score 5.0
# Rewrite subject line for spam
rewrite_header Subject [***SPAM***]
# Network tests
skip_rbl_checks 0
use_razor2 1
use_pyzor 1
use_dcc 1
use_auto_whitelist 1
# Bayes learning
use_bayes 1
bayes_auto_learn 1
bayes_auto_learn_threshold_nonspam 0.1
bayes_auto_learn_threshold_spam 12.0
Configure Amavis for Mail Processing
Amavis acts as the bridge between Postfix and SpamAssassin. Configure the main Amavis settings:
sudo nano /etc/amavis/conf.d/15-content_filter_mode
Uncomment these lines to enable spam and virus filtering:
@bypass_virus_checks_maps = (
\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
@bypass_spam_checks_maps = (
\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
Configure Amavis to integrate with your setup:
sudo nano /etc/amavis/conf.d/50-user
Add these essential settings:
use strict;
# Set spam tag and kill levels
$sa_tag_level_deflt = 2.0;
$sa_tag2_level_deflt = 6.2;
$sa_kill_level_deflt = 6.9;
# Quarantine settings
$spam_quarantine_to = "spam-quarantine";
$virus_quarantine_to = "virus-quarantine";
# Final spam destiny
$final_spam_destiny = D_PASS;
$final_virus_destiny = D_DISCARD;
# Add spam info headers
$sa_spam_subject_tag = '[SPAM] ';
1; # ensure configuration ends with this line
Integrate Postfix with Amavis Content Filter
Configure Postfix to send mail through the Amavis content filter. Edit the main Postfix configuration:
sudo nano /etc/postfix/main.cf
Add the content filter directive:
content_filter = amavis:[127.0.0.1]:10024
Configure Postfix master process settings:
sudo nano /etc/postfix/master.cf
Add these service definitions at the end:
amavis unix - - - - 2 smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
127.0.0.1:10025 inet n - - - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
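The listener on port 10025 accepts mail without further filtering, so it is worth checking that it stays loopback-only and clears content_filter. The audit below is an added example, not part of the original guide: parse_services and audit_reinjection are hypothetical helper names, the sample master.cf is constructed with two deliberate mistakes, and listener addresses are assumed to be IPv4 literals or a bare port.

```python
import ipaddress

# Constructed sample: the re-injection listener from this guide with two
# deliberate mistakes (bound to all interfaces, content_filter override missing).
BAD_MASTER_CF = """\
amavis unix - - - - 2 smtp
  -o smtp_send_xforward_command=yes
10025 inet n - - - - smtpd
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
"""

def parse_services(text):
    """Join continuation lines (leading whitespace) into master.cf entries."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and services:
            services[-1]["args"] += raw.split()
        else:
            f = raw.split()
            services.append({"name": f[0], "type": f[1], "command": f[7], "args": f[8:]})
    for s in services:
        # "-o name=value" overrides a main.cf parameter for this service only
        s["opts"] = dict(a.split("=", 1) for a in s["args"] if "=" in a)
    return services

def audit_reinjection(text, port="10025"):
    """Return findings for the smtpd listener that takes mail back from Amavis."""
    svc = next((s for s in parse_services(text) if s["type"] == "inet"
                and s["command"] == "smtpd" and s["name"].split(":")[-1] == port), None)
    if svc is None:
        return [f"no smtpd listener on port {port}"]
    findings, opts = [], svc["opts"]
    host = svc["name"].rpartition(":")[0]  # assumption: IPv4 literal or bare port
    if not host or not ipaddress.ip_address(host).is_loopback:
        findings.append("listener is not bound to a loopback address")
    if opts.get("content_filter") != "":
        findings.append("content_filter is not cleared: filtered mail loops back to Amavis")
    nets = [n for n in opts.get("mynetworks", "").split(",") if n]
    if not nets or not all(ipaddress.ip_network(n, strict=False).is_loopback for n in nets):
        findings.append("mynetworks is not limited to loopback")
    for p in ("smtpd_client_restrictions", "smtpd_recipient_restrictions"):
        if opts.get(p, "").split(",")[-1] != "reject":
            findings.append(f"{p} does not end in reject")
    return findings
```

Run audit_reinjection on the contents of /etc/postfix/master.cf; an empty list means the listener matches the hardening shown in this section.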
Set Up ClamAV Virus Scanner
ClamAV provides virus scanning alongside spam filtering. Configure the daemon settings:
sudo nano /etc/clamav/clamd.conf
Ensure these key settings are configured:
LocalSocket /var/run/clamav/clamd.ctl
User clamav
ScanMail yes
ScanArchive yes
ArchiveBlockEncrypted no
Add the clamav user to the amavis group and the amavis user to the clamav group, so each service can read the other's files:
sudo adduser clamav amavis
sudo adduser amavis clamav
Update virus definitions and start the service:
sudo freshclam
sudo systemctl enable clamav-daemon
sudo systemctl start clamav-daemon
Configure Real-Time Blacklist Checks
Network-based spam checks improve filtering accuracy. Configure DNS blacklist settings in SpamAssassin:
sudo nano /etc/spamassassin/local.cf
Add effective RBL configurations:
# DNS blacklists
header RCVD_IN_DNSWL_NONE eval:check_rbl('dnswl-none', 'list.dnswl.org.')
describe RCVD_IN_DNSWL_NONE Sender listed at http://www.dnswl.org/, no trust
score RCVD_IN_DNSWL_NONE -0.1
header RCVD_IN_DNSWL_LOW eval:check_rbl_sub('dnswl-none', '^127\.0\.[0-9]+\.[2-3]$')
describe RCVD_IN_DNSWL_LOW Sender listed at http://www.dnswl.org/, low trust
score RCVD_IN_DNSWL_LOW -0.7
header URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK')
describe URIBL_BLACK Contains an URL listed in the URIBL blacklist
score URIBL_BLACK 1.75
Initialize Razor and Pyzor for collaborative filtering:
sudo -u amavis razor-admin -create
sudo -u amavis razor-admin -register
sudo -u amavis pyzor discover
Start and Test Your Spam Protection Setup
Enable and start all required services in the correct order:
sudo systemctl enable spamassassin
sudo systemctl start spamassassin
sudo systemctl enable amavis
sudo systemctl start amavis
sudo systemctl restart postfix
Test the mail filtering setup. Send a test email with spam-like content:
echo "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X" | mail -s "Test Subject" your-email@yourdomain.com
This GTUBE test should trigger SpamAssassin and add spam headers to the message.
Check mail logs for proper processing:
sudo tail -f /var/log/mail.log
Look for entries showing Amavis processing and SpamAssassin scoring.
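To go beyond eyeballing the log, the added example below (not part of the original guide) summarises Amavis verdicts and flags messages that were never scored or never reached Amavis at all. The log lines are constructed and modelled on amavisd-new and Postfix syslog output; review is a hypothetical helper name, and the exact field layout on your system is an assumption to verify against your own mail.log.

```python
import re
from collections import Counter

# Constructed log lines modelled on amavisd-new and Postfix syslog output;
# hosts, addresses and queue IDs are made up for this example.
SAMPLE_LOG = """\
Mar  3 10:15:41 mail postfix/cleanup[2101]: 4A1B2C3D4E: message-id=<a1@example.net>
Mar  3 10:15:42 mail amavis[2211]: (02211-01) Passed CLEAN {RelayedInbound}, [198.51.100.7]:41234 <alice@example.net> -> <bob@example.org>, Queue-ID: 4A1B2C3D4E, mail_id: Xy12, Hits: -0.7, size: 2310, queued_as: 9F8E7D6C5B, 812 ms
Mar  3 10:15:42 mail postfix/cleanup[2101]: 9F8E7D6C5B: message-id=<a1@example.net>
Mar  3 10:16:05 mail postfix/cleanup[2101]: 5B2C3D4E5F: message-id=<b2@example.com>
Mar  3 10:16:07 mail amavis[2212]: (02212-01) Passed SPAM {RelayedTaggedInbound,Quarantined}, [203.0.113.9]:50211 <x@example.com> -> <bob@example.org>, Queue-ID: 5B2C3D4E5F, mail_id: Zq34, Hits: 1004.2, size: 901, queued_as: 0A1B2C3D4F, 1530 ms
Mar  3 10:16:07 mail postfix/cleanup[2101]: 0A1B2C3D4F: message-id=<b2@example.com>
Mar  3 10:17:30 mail postfix/cleanup[2101]: 6C3D4E5F60: message-id=<c3@example.net>
Mar  3 10:18:02 mail postfix/cleanup[2101]: 7D4E5F6071: message-id=<d4@example.net>
Mar  3 10:18:02 mail amavis[2211]: (02211-02) Passed CLEAN {RelayedInbound}, [198.51.100.7]:41300 <alice@example.net> -> <carol@example.org>, Queue-ID: 7D4E5F6071, mail_id: Ab56, Hits: -, size: 1200, queued_as: 8E5F607182, 95 ms
Mar  3 10:18:02 mail postfix/cleanup[2101]: 8E5F607182: message-id=<d4@example.net>
"""

AMAVIS = re.compile(r"amavis\[\d+\]: \(\S+\) (Passed|Blocked) (\S+) .*?Queue-ID: (\w+),"
                    r".*?Hits: (\S+?),(?:.*?queued_as: (\w+))?")
CLEANUP = re.compile(r"postfix/cleanup\[\d+\]: (\w+): message-id=")

def review(log):
    """Return (verdict counts, findings) for a chunk of mail.log text."""
    verdicts, findings = Counter(), []
    seen, filtered = [], set()
    for line in log.splitlines():
        if m := CLEANUP.search(line):
            seen.append(m.group(1))              # every queue ID Postfix created
        elif m := AMAVIS.search(line):
            action, category, qid, hits, requeued = m.groups()
            verdicts[f"{action} {category}"] += 1
            # the original queue ID and the re-injected one both count as filtered
            filtered.update(q for q in (qid, requeued) if q)
            if hits == "-":                      # no SpamAssassin score recorded
                findings.append((qid, "not scored (spam checks bypassed)"))
    # queue IDs Amavis never mentions did not go through content_filter
    findings += [(q, "never passed through Amavis") for q in seen if q not in filtered]
    return verdicts, findings
```

Messages still in flight at the end of the log window show up as "never passed through Amavis", so re-check those queue IDs before treating them as a bypass.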
Train Bayes Filter for Better Accuracy
Bayes learning improves spam detection over time. Create directories for training:
sudo mkdir -p /var/lib/amavis/.spamassassin
sudo chown amavis:amavis /var/lib/amavis/.spamassassin
Train the filter with existing ham and spam samples:
# Train with ham (legitimate emails)
sudo -u amavis sa-learn --ham /path/to/ham/emails/
# Train with spam samples
sudo -u amavis sa-learn --spam /path/to/spam/emails/
Set up automatic Bayes database cleanup:
sudo crontab -u amavis -e
Add this cron entry:
0 2 * * * /usr/bin/sa-learn --sync --username=amavis
Monitor and Optimize Performance
Monitor SpamAssassin performance and adjust settings based on load. Check current statistics:
sudo -u amavis sa-learn --dump magic
This shows Bayes database statistics including learned messages and accuracy.
Monitor system resource usage during peak mail processing:
top -u amavis
ps aux | grep spamassassin
Adjust SpamAssassin max children based on CPU and memory usage patterns.
For detailed mail processing insights, check our guide on monitoring Postfix mail server performance.
Troubleshooting Common Issues
Here's how to fix typical problems during spam filter deployment.
If messages bypass SpamAssassin entirely, verify the content filter setting:
sudo postconf | grep content_filter
sudo ss -tlnp | grep 10024
For high false positive rates, raise the required spam score temporarily:
sudo nano /etc/spamassassin/local.cf
# Change to: required_score 7.0
When Bayes learning seems ineffective, rebuild the database:
sudo -u amavis sa-learn --clear
# Re-train with clean ham and spam samples
Memory issues often occur with insufficient VPS resources. Our VPS hosting pricing guide explains resource allocation for mail servers.
Ready to deploy professional email hosting with spam protection? Hostperl VPS hosting provides the performance and reliability your mail server needs. Our New Zealand-based support team helps with mail server deployments and ongoing maintenance.
Frequently Asked Questions
How much RAM does SpamAssassin require?
Plan for 50-100MB per SpamAssassin child process. A typical setup with 5 children needs 250-500MB plus overhead for rules and Bayes data.
Can I whitelist specific senders or domains?
Yes, add whitelist entries to /etc/spamassassin/local.cf using whitelist_from or whitelist_from_rcvd directives for trusted senders.
Should I quarantine or delete detected spam?
Start with quarantine (D_PASS) to review false positives. Switch to D_DISCARD only after confirming accuracy with your mail patterns.
How often should I update SpamAssassin rules?
Enable automatic rule updates via cron. Daily updates work well for most installations without overwhelming the system.
What spam score threshold works best?
Begin with 5.0 and adjust based on false positives. Conservative environments use 7.0, while aggressive filtering may use 3.0-4.0.

