Setup Email Server From Scratch On FreeBSD #2 - 11 SpamAssassin

10 Blocking Spam With Postfix <- Intro -> 12 Amavis Clam AntiVirus

We believe in data independence, and support others who want data independence.
This tutorial is complete 2025-08-14 except there is no page for setting up postscreen.
This is version 2 and everthing works.

###################################################
# Blocking Spam With Postfix PCRE and SpamAssasin #
###################################################

Discard or Reject mails by matching regular expressions in message header or body

nano /usr/local/etc/postfix/main.cf
--- add to end of file ---

Discard silently messages matching regular expression use DISCARD
Reject messages matching regular expression use REJECT

Spamhaus does client testing and if you discard the server will report delivered, and this may not be what is desired with doing a configuration check with Spamhaus. For production a production server, in some cases discard may be preferred, as the client doesn't know the email has been discarded. Giving clients too much information just tells spammers how to improve thier mail bot.

Filter emails with empty From: and To: and 'free morgage quote' and 'repair your credit' .. pcre is case insensitive by default.

nano /usr/local/etc/postfix/header_checks

postmap /usr/local/etc/postfix/header_checks

Filter emails with matching body

nano /usr/local/etc/postfix/body_checks

postmap /usr/local/etc/postfix/body_checks

Setup NO-REPLY addresses if needed, you can add domain in the regular expression

nano /usr/local/etc/postfix/noreply_recipients

postmap /usr/local/etc/postfix/noreply_recipients
service postfix restart

SpamAssassin

pkg install spamassassin spamass-milter

nano rc.conf

mkdir -p /var/spool/postfix/spamass
chown spamd:wheel /var/spool/postfix/spamass
chmod 770 /var/spool/postfix/spamass
pw groupmod spamd -m postfix

sa-update
service sa-spamd start
service spamass-milter start

Change this later and run Spamassassin from Amavis virus filter, otherwise Spamassasin will be run twice.

nano /usr/local/etc/postfix/main.cf
--- change this line ---

Configure blacklists and whitelists

nano /usr/local/etc/postfix/main.cf
--- edit smtpd_recipient_restrictions ---

service postfix restart

Spamhaus DQS - didn't work for me so we'll skip that.

At this point I got bounce mails from my first mail server saying the domain okbsd.com was on a blacklist. Even though it was brand new.

https://check.spamhaus.org/
https://www.spamsources.fabel.dk/delist
https://www.mail-tester.com
https://mxtoolbox.com

I created a postmaster@okbsd.com email address, not an alias, to submit a ticket. Checked my email credibility which was saying no reverse DNS. In OVH Cloud control customers can set a reverse DNS easily if you have the forward pointer set, so I set mine for both ipv4 and ipv6 to mx.okbsd.com which has to match what is is the smtp_banner which should be myhostname variable. My first hostname in /etc/hosts is okbsd.com but the value in the banner comes from myhostname set in /usr/local/etc/postfix/main.cf which is mx.okbsd.com. After this I submitted a request to remove my domain from spamhaus RBL and used the postmaster@okbsd.com email address, they send a confirmation mail, and I replied and the ticket was submitted. There were many DNS messages in the logs. The main issues were probably due to non-matching RDNS pointer and it being a brand new domain.

nano /usr/local/etc/postfix/rbl_override

postmap /usr/local/etc/postfix/rbl_override
service postfix restart

You may see DNSSEC failures related to spamhaus in the logs. So turned off DNSSEC in your nameserver and possibly white listed spamhaus in /usr/local/etc/postfix/rbl_override. Some troubleshooting will be needed since you want DNSSEC enabled for opendkim keys.

grep URIBL /var/log/maillog

URIBL_BLOCKED hit, (This means DNSBL blocked you due to too many queries.>

After a few DNS queries to spamhaus they will be blocked and a local cache will solve the problem. The full resolution of this to install a full recursive caching resolver that suppports DNSSEC, eg. setup bind nameserver, covered previously.

Check Email Headers and Body with SpamAssassin
The following files has rules for things like

* MISSING_HEADERS
* MISSING_DATE
* MISSING_FROM

Default spamassassin files are in /var/db/spamassassin/4.000001/updates_spamassassin_org

nano /var/db/spamassassin/4.000001/updates_spamassassin_org/20_head_tests.cf

SpamAssassin's Builtin Whitelist

There are several files under /var/db/spamassassin/4.000001/updates_spamassassin_org/ which contain builtin whitelists among other things.

cat /var/db/spamassassin/4.000001/updates_spamassassin_org/60_whitelist_spf.cf

Edit Local Scoring Rules - whitelist your own domains.

nano /usr/local/etc/mail/spamassassin/local.cf
--- add these to the bottom of the file ---

Check the rules syntax and restart sa-spamd

spamassassin --lint
service spamass-milter restart
service sa-spamd restart

Schedule update of spamassassin rules using cron at 1 am daily

crontab -e
--- add to your crontab ---

Moving spam to the junk folder.

We previously added sieve using dovecot-pigeonhole from ports.

nano /usr/local/etc/dovecot/conf.d/15-lda.conf

nano /usr/local/etc/dovecot/conf.d/20-lmtp.conf

nano /usr/local/etc/dovecot/conf.d/10-mail.conf

nano /usr/local/etc/dovecot/conf.d/90-plugin.conf
--- change sieve_before and enable by removeing hash ---

mkdir /usr/local/etc/dovecot/sieve

nano /usr/local/etc/dovecot/sieve/before-global.sieve

sievec /usr/local/etc/dovecot/sieve/before-global.sieve
service dovecot restart

Reject emails with spamassassin scores > 8 using '-r 8' flags.
Set max-size ' -- --max-size=5120000'

nano /etc/rc.conf

service spamass-milter restart

Configure Individual User Preferences

nano /usr/local/etc/mail/spamassassin/local.cf

service sa-spamd restart
service spamass-milter restart

Send and email to jack@coragarden.com to create the custom user rules directory

cd /var/vmail/coragarden.com/jack/spamassassin/

Add custom rules to user_prefs, besides these you can add many other custom rules as required

nano /var/vmail/coragarden.com/jack/spamassassin/user_prefs
-- these rules increase spam score for unsubscibe emails if you never subscribe with this email
body SUBSCRIPTION_SPAM /(unsubscribe|u n s u b s c r i b e|Un-subscribe)/i
describe SUBSCRIPTION_SPAM I didn't subscribe to your spam.
score SUBSCRIPTION_SPAM 3.0

header LIST_UNSUBSCRIBE ALL =~ /List-Unsubscribe/i
describe LIST_UNSUBSCRIBE I didn't join your mailing list.
score LIST_UNSUBSCRIBE 2.0
whitelist_from *@okbsd.com
whitelist_from myfriend@gmail.com
blacklist_from *
options {
// All file and path names are relative to the chroot directory,
// if any, and should be fully qualified.
directory "/usr/local/etc/namedb/working";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";

// DNSSEC
dnssec-validation auto;

// RECURSION
recursion yes;
allow-recursion {
127.0.0.1;
::1;
// okbsd external
147.135.37.135;
2604:2dc0:200:187::1;
// okdeb slave
15.204.113.148;
2604:2dc0:202:300::3645;
// my trusted home network(s)
trusted_net/cidr;
};

allow-query { any; };

// ...

listen-on {
127.0.0.1;
147.135.37.135;
};
listen-on-v6 {
::1;
2604:2dc0:200:187::1;
};

// if this is master, define slaves here
//allow-notify { 15.204.113.148; };
//allow-transfer { localhost; 15.204.113.148; };
//notify yes;
};
dns_server 127.0.0.1
nameserver 127.0.0.1
options edns0 trust-ad
search .
/^Received:/ IGNORE
/To:.*<>/ REJECT REJECT "5.7.1 Rejected, invalid To: header."
/From:.*<>/ REJECT REJECT "5.7.1 Rejected, invalid From: header."
/free mortgage quote/ REJECT
/repair your credit/ REJECT
/^To:.*badrecipientd.*/ DISCARD
header_checks = regexp:/usr/local/etc/postfix/header_checks
/^User-Agent.*Roundcube Webmail/ IGNORE
smtp_header_checks = pcre:/usr/local/etc/postfix/smtp_header_checks
header_checks = regexp:/usr/local/etc/postfix/header_checks
body_checks = pcre:/usr/local/etc/postfix/body_checks