As part of my nerdy home system, I have a Fedora Linux server, which is my file server, my web server and my mail server. For almost 20 years, my incoming mail was scrubbed by a spam filtering service operated by my friend in Switzerland, but he is now retiring, so I need to do this for myself now. I figure the tool of choice is spamassassin, but where do I find a reasonably simple how-to guide? I assume I cannot just

dnf install spamassassin
    systemctl enable spamassassin.service
    systemctl start spamassassin.service

But what more do I need to do?

I was running Ubuntu 23.04, with postfix, with spamassassin installed as a service with systemctl. At the weekend I upgraded the distro to 24.04 and have now discovered that postfix is no longer able to call spamassassin. Originally I followed this installation guide: https://www.linuxbabe.com/mail-server/block-email-spam-check-header-body-with-postfix-spamassassin It configures /etc/postfix/main.cf with this milter: smtpd_milters = local:spamass/spamass.sock I now get these errors at various times:

mail:/w/serverless# cat /var/log/mail.log.1 | grep spam

Jul  6 15:33:49 mail spamass-milter: spamass-milter 0.4.0 starting
Jul  6 15:34:40 mail spamass-milter: Could not retrieve sendmail macro "b"!.  Please add it to confMILTER_MACROS_ENVRCPT for better spamassassin results
2024-07-06T16:10:54.054537+02:00 mail spamass-milter: spamass-milter 0.4.0 starting
2024-07-06T20:45:21.391844+02:00 mail spamass-milter: Could not retrieve sendmail macro "b"!.  Please add it to confMILTER_MACROS_ENVRCPT for better spamassassin results
2024-07-06T20:45:23.465636+02:00 mail spamass-milter: Could not extract score from 

2024-07-06T23:20:55.566449+02:00 mail spamc: connect to spamd on ::1 failed, retrying (#1 of 3): Connection refused
2024-07-06T23:20:55.566535+02:00 mail spamc: connect to spamd on 127.0.0.1 failed, retrying (#1 of 3): Connection refused
2024-07-06T23:20:56.566720+02:00 mail spamc: connect to spamd on ::1 failed, retrying (#2 of 3): Connection refused
2024-07-06T23:20:56.566814+02:00 mail spamc: connect to spamd on 127.0.0.1 failed, retrying (#2 of 3): Connection refused
2024-07-06T23:20:57.567154+02:00 mail spamc: connect to spamd on ::1 failed, retrying (#3 of 3): Connection refused
2024-07-06T23:20:57.567279+02:00 mail spamc: connect to spamd on 127.0.0.1 failed, retrying (#3 of 3): Connection refused
2024-07-06T23:20:57.567368+02:00 mail spamc: connection attempt to spamd aborted after 3 retries

How can I fix this, and make postfix connect to spamassassin, when it is not running as a service?

I've spent hours on websites, checked config files etc. But can't find the problem. Debian server, with Spamassassin and Postfix. Spamassassin is enabled (checked it on command line). In the mail.log, some lines are relay=spamassassin, and it is writing logs when restarting service. Here are my Postfix and Spamassassin config files. Please can you check if all is OK and give me a way to find the problem? Postfix (main.cf): # # Postfix master process configuration file. For details on the format # of the file, see the master(5) manual page (command: "man 5 master" or # on-line: http://www.postfix.org/master.5.html) . # # Do not forget to execute "postfix reload" after editing this file. # # ========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # ========================================================================== smtp inet n - y - - smtpd -o smtpd_sasl_auth_enable=yes -o content_filter=spamassassin #smtp inet n - - - 1 postscreen #smtpd pass - - - - - smtpd #dnsblog unix - - - - 0 dnsblog #tlsproxy unix - - - - 0 tlsproxy #submission inet n - - - - smtpd # -o syslog_name=postfix/submission # -o smtpd_tls_security_level=encrypt # -o smtpd_sasl_auth_enable=yes # -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions= # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING #smtps inet n - - - - smtpd # -o syslog_name=postfix/smtps # -o smtpd_tls_wrappermode=yes # -o smtpd_sasl_auth_enable=yes # -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions= # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING #628 inet n - - - - qmqpd pickup unix n - - 60 1 pickup cleanup unix n - - - 0 cleanup qmgr unix n - n 300 1 qmgr #qmgr unix n - n 300 1 oqmgr tlsmgr unix - - - 1000? 1 tlsmgr rewrite unix - - - - - trivial-rewrite bounce unix - - - - 0 bounce defer unix - - - - 0 bounce trace unix - - - - 0 bounce verify unix - - - - 1 verify flush unix n - - 1000? 0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - - - - smtp relay unix - - - - - smtp # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 showq unix n - - - - showq error unix - - - - - error retry unix - - - - - error discard unix - - - - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - - - - lmtp anvil unix - - - - 1 anvil scache unix - - - - 1 scache # # ==================================================================== # Interfaces to non-Postfix software. Be sure to examine the manual # pages of the non-Postfix software to find out what options it wants. # # Many of the following services use the Postfix pipe(8) delivery # agent. See the pipe(8) man page for information about ${recipient} # and other message envelope options. # ==================================================================== # # maildrop. See the Postfix MAILDROP_README file for details. # Also specify in main.cf: maildrop_destination_recipient_limit=1 # maildrop unix - n n - - pipe flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} # # ==================================================================== # # Recent Cyrus versions can use the existing "lmtp" master.cf entry. # # Specify in cyrus.conf: # lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 # # Specify in main.cf one or more of the following: # mailbox_transport = lmtp:inet:localhost # virtual_transport = lmtp:inet:localhost # # ==================================================================== # # Cyrus 2.1.5 (Amos Gouaux) # Also specify in main.cf: cyrus_destination_recipient_limit=1 # #cyrus unix - n n - - pipe # user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} # # ==================================================================== # Old example of delivery via Cyrus. # #old-cyrus unix - n n - - pipe # flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} # # ==================================================================== # # See the Postfix UUCP_README file for configuration details. # uucp unix - n n - - pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) # # Other external delivery methods. # ifmail unix - n n - - pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) bsmtp unix - n n - - pipe flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient scalemail-backend unix - n n - 2 pipe flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} mailman unix - n n - - pipe flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user} submission inet n - y - - smtpd -o smtpd_sasl_auth_enable=yes -o content_filter=spamassassin #========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) #========================================================================== slow unix - - n - 5 smtp -o syslog_name=postfix-slow -o smtp_destination_concurrency_limit=3 -o slow_destination_rate_delay=1 spamassassin unix - n n - - pipe user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient} And Spamassassin (local.cf) # This is the right place to customize your installation of SpamAssassin. # # See 'perldoc Mail::SpamAssassin::Conf' for details of what can be # tweaked. # # Only a small subset of options are listed below # ########################################################################### # Add *****SPAM***** to the Subject header of spam e-mails # rewrite_header Subject *****SPAM***** # Save spam messages as a message/rfc822 MIME attachment instead of # modifying the original message (0: off, 2: use text/plain instead) # report_safe 0 # Set which networks or hosts are considered 'trusted' by your mail # server (i.e. not spammers) # # trusted_networks 212.17.35. # Set file-locking method (flock is not safe over NFS, but is faster) # # lock_method flock # Set the threshold at which a message is considered spam (default: 5.0) # required_score 5.0 # Use Bayesian classifier (default: 1) # use_bayes 1 # Bayesian classifier auto-learning (default: 1) # bayes_auto_learn 1 clear_headers always_add_headers 1 add_header all Score _SCORE_ add_header spam Flag _YESNOCAPS_ add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_ add_header all Level _STARS(*)_ add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on _HOSTNAME_ # Set headers which may provide inappropriate cues to the Bayesian # classifier # # bayes_ignore_header X-Bogosity # bayes_ignore_header X-Spam-Flag # bayes_ignore_header X-Spam-Status # Whether to decode non- UTF-8 and non-ASCII textual parts and recode # them to UTF-8 before the text is given over to rules processing. # # normalize_charset 1 # Some shortcircuiting, if the plugin is enabled # ifplugin Mail::SpamAssassin::Plugin::Shortcircuit # # default: strongly-whitelisted mails are *really* whitelisted now, if the # shortcircuiting plugin is active, causing early exit to save CPU load. # Uncomment to turn this on # # shortcircuit USER_IN_WHITELIST on # shortcircuit USER_IN_DEF_WHITELIST on # shortcircuit USER_IN_ALL_SPAM_TO on # shortcircuit SUBJECT_IN_WHITELIST on # the opposite; blacklisted mails can also save CPU # # shortcircuit USER_IN_BLACKLIST on # shortcircuit USER_IN_BLACKLIST_TO on # shortcircuit SUBJECT_IN_BLACKLIST on # if you have taken the time to correctly specify your "trusted_networks", # this is another good way to save CPU # # shortcircuit ALL_TRUSTED on # and a well-trained bayes DB can save running rules, too # # shortcircuit BAYES_99 spam # shortcircuit BAYES_00 ham endif # Mail::SpamAssassin::Plugin::Shortcircuit blacklist_from *myeasygrowin.com blacklist_from *chartmedias.eu blacklist_from *petch.fr blacklist_from *hellopro.fr blacklist_from commerce@emailing.hellopro.fr use_pyzor 0 use_dcc 1 # When using dccifd, socket will be search from dcc_home dcc_home /var/dcc dcc_timeout 8 # If not using dccifd, dccproc is used dcc_path /usr/local/bin/dccproc

I've made a bunch of custom rules in my SpamAssassin setup. When I start the service (systemctl start spamassassin), those rules are properly evaluated on my test spam e-mail:

[antek@mailgate ~]$ cat /tmp/spam.txt | spamc -R -l
23.4/5.0
Spam detection software, running on the system "mailgate.anadoxin.org",
has identified this incoming email as possible spam.  The original
message has been attached to this so you can view it or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  jeśli wiadomość nie wyświetliła się poprawnie, kliknij
tutaj by przejść do oferty. astra jesienne ceny opla od 89 900 zł lub
760 zł netto/mies. f gg 9086 sprawdź opel niniejszy materiał ni [...]

Content analysis details:   (23.4 points, 5.0 required)

pts rule name              description
---- ---------------------- --------------------------------------------------
-5.0 RCVD_IN_DNSWL_HI       RBL: Sender listed at https://www.dnswl.org/ , high
                            trust
                            [91.185.184.51 listed in list.dnswl.org]
 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                            See
                            http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block 
                            for more information.
                            [URI: xya.pl]
                            [URI: doubleclick.net]
                            [URI: dobrebazy.pl]
                            [URI: brightsender.pl]
                            [URI: ddtracker.pl]
                            [URI: lrmailr.pl]
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
domain
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
-0.5 BAYES_05               BODY: Bayes spam probability is 1 to 5%
                            [score: 0.0121]
 2.5 GENERIC_MAILING        mailing@ in From: email address
 20 NIP_SPAM_1             BODY: No description available.
 0.5 NUMER_NIP              BODY: No description available.
 1.0 KLIKNIJ_TUTAJ          BODY: No description available.
 1.0 OFERT                  BODY: Ofert
 0.2 BAD_WORDS_2            BODY: No description available.
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area
 0.3 CEN_IN_BODY            RAW: cen
-0.3 CENTER_IN_BODY         RAW: No description available.
 0.5 UNSUBSCRIBE            RAW: Unsubscribe in body
 0.5 NO_TO_NAME             No Real Name in To: header
 0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors
                            in HTML
 0.9 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/) 
 1.9 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]

... but when I use "spamc" to evaluate the e-mail again right after the first try, my custom rules are not there anymore, and the e-mail is not evaluated as spam:

-2.8/5.0
Spam detection software, running on the system "mailgate.anadoxin.org",
has NOT identified this incoming email as spam.  The original
message has been attached to this so you can view it or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  jeśli wiadomość nie wyświetliła się poprawnie, kliknij
tutaj by przejść do oferty. astra jesienne ceny opla od 89 900 zł lub
760 zł netto/mies. f gg 9086 sprawdź opel niniejszy materiał ni [...]

Content analysis details:   (-2.8 points, 5.0 required)

pts rule name              description
---- ---------------------- --------------------------------------------------
-5.0 RCVD_IN_DNSWL_HI       RBL: Sender listed at https://www.dnswl.org/ , high
                            trust
                            [91.185.184.51 listed in list.dnswl.org]
 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                            See
                            http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block 
                            for more information.
                            [URI: xya.pl]
                            [URI: doubleclick.net]
                            [URI: ddtracker.pl]
                            [URI: brightsender.pl]
                            [URI: dobrebazy.pl]
                            [URI: lrmailr.pl]
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
domain
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
-0.5 BAYES_05               BODY: Bayes spam probability is 1 to 5%
                           [score: 0.0121]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area
 0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors
                           in HTML
 0.9 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/) 
 1.9 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
[cf: 100]

This result is the same for any subsequent tests using "spamc". When I restart spamassassin service, I once again have the "this e-mail is spam" verdict, because my custom rules are evaluated, but again only for the first try. Any subsequent invocations omit my custom rules, and the e-mail is not spam anymore. When I run spamd in debug mode, it sees my custom config files, but does not load them, because they are "already loaded"; is this some bug in spamassassin?

Oct 18 07:51:51.935  dbg: prefork: ordered 1105768 to accept
Oct 18 07:51:51.938  dbg: spamd: select() on fd bit field 00000110, timeout 0.5, not locked
Oct 18 07:51:51.939  dbg: prefork: sysread(7) not ready, wait max 300.0 secs
Oct 18 07:51:51.941  dbg: spamd: accept() on fd 5
Oct 18 07:51:51.943  dbg: prefork: child 1105768: entering state 2
Oct 18 07:51:51.944  dbg: prefork: new lowest idle kid: 1105769
Oct 18 07:51:51.951  dbg: netset:  cached lookup on ::1, 2 networks, result: 1
Oct 18 07:51:51.952  info: spamd: connection from ::1 [::1]:44452 to port 783, fd 5
Oct 18 07:51:51.954  dbg: util: get_user_groups: uid is 1000
Oct 18 07:51:51.956  dbg: util: get_user_groups: added 10 (wheel) to group list which is now: 1000 10
Oct 18 07:51:51.959  info: spamd: setuid to antek succeeded
Oct 18 07:51:51.961  dbg: config: parsing file /home/antek/.spamassassin/user_prefs
Oct 18 07:51:51.963  dbg: config: fixed relative path: /home/antek/.spamassassin/custom.cf
Oct 18 07:51:51.964  dbg: config: using "/home/antek/.spamassassin/custom.cf" for included file
Oct 18 07:51:51.966  dbg: config: skipping already read file: /home/antek/.spamassassin/custom.cf
Oct 18 07:51:51.967  dbg: config: parsing file /home/antek/.spamassassin/user_prefs
Oct 18 07:51:51.968  dbg: config: fixed relative path: /home/antek/.spamassassin/playfire.cf
Oct 18 07:51:51.969  dbg: config: using "/home/antek/.spamassassin/playfire.cf" for included file
Oct 18 07:51:51.970  dbg: config: skipping already read file: /home/antek/.spamassassin/playfire.cf
Oct 18 07:51:51.971  dbg: config: parsing file /home/antek/.spamassassin/user_prefs
Oct 18 07:51:51.972  dbg: config: fixed relative path: /home/antek/.spamassassin/listonic.cf
Oct 18 07:51:51.973  dbg: config: using "/home/antek/.spamassassin/listonic.cf" for included file
Oct 18 07:51:51.974  dbg: config: skipping already read file: /home/antek/.spamassassin/listonic.cf
[... snip ...]

What could be the problem here? For now it works when I change the source code:

1887 sub read_cf_file {
1888   my($self, $path) = @_;
1889   my $txt = '';
1890
1891   #if ($self->{cf_files_read}->{$path}++) {
1892   #dbg("config: skipping already read file: $path");
1893   #return $txt;
1894   #}

but I have an impression that this should be solved in some better way :)

While installing some software on my Debian 10.9 server, I received this error:

$ sudo apt-get install fail2ban

... [cut]

Running sa-compile (may take a long time)
command 're2c -i -b -o scanner1.c scanner1.re' failed: exit 0
dpkg: error processing package sa-compile (--configure):
 installed sa-compile package post-installation script subprocess returned error exit status 12
Setting up fail2ban (0.10.2-2.1)...

... [cut]

Errors were encountered while processing:
 sa-compile
E: Sub-process /usr/bin/dpkg returned an error code (1)

I have previously installed spamassassin (sa-compile's dependent). This confused me, so I tried to dpkg-reconfigure:

$ sudo dpkg-reconfigure sa-compile
/usr/sbin/dpkg-reconfigure: sa-compile is broken or not fully installed

Installing the package with --reinstall is a no-op. Using --fix-broken instead returns a familiar error:

$ sudo apt-get install --fix-broken sa-compile
Setting up sa-compile (3.4.2-1+deb10u3) ...
Running sa-compile (may take a long time)
command 're2c -i -b -o scanner1.c scanner1.re' failed: exit 0
dpkg: error processing package sa-compile (--configure):
 installed sa-compile package post-installation script subprocess returned error exit status 12
Errors were encountered while processing:
 sa-compile
E: Sub-process /usr/bin/dpkg returned an error code (1)

How do I go about fixing this?

When my Spam Assassin cron job runs, it gives Perl error messages which are then emailed to me by the cron daemon. How can I fix this error or warning? Cron job: /usr/share/spamassassin/sa-update.cron 2>&1 | tee -a /var/log/sa-update.log UTF-16 surrogate 0xd800 at /usr/local/share/perl5/Pod/Simple/BlackBox.pm line 67. UTF-16 surrogate 0xd800 at /usr/local/share/perl5/Pod/Simple/BlackBox.pm line 67. UTF-16 surrogate 0xd800 at /usr/local/share/perl5/Pod/Simple/BlackBox.pm line 67. I have the latest Perl from CentOS 6 Yum packages, 5.10.1. My Mail::SpamAssassin is up to date (3.004004).

Adding Spamassassin to my Postfix has had an unwarnted effect on my email headers. We use Postfix with all of the mail routed to a catchall account. Our virtual_alias_maps file looks something like: @mydomain.com catchall @mydomain2.com catchall @mydomain3.com catchall ... If a message is sent to two addresses in our domain, we'll get two messages delivered to the catchall, the first one with headers like: X-Original-To: a1@mydomain.com Delivered-To: a1@mydomain.com To: a1@mydomain.com, a2@mydomain.com and the second on with headers like: X-Original-To: a2@mydomain.com Delivered-To: a2@mydomain.com To: a1@mydomain.com, a2@mydomain.com This is exactly what we want. We can look at the X-Original-To or the Delivered-To to know who was the original recipient of the message. However, when we turn SpamAssassin on, the headers are modified so that both messages look like: X-Original-To: catchall@mydomain.com Delivered-To: catchall@mydomain.com To: a1@mydomain.com, a2@mydomain.com and there is absolutely nothing in the message that lets me know which one was for which recipient. Is there a way to stop SpamAssassin from modifying the headers? If not, is there another way to preserve the identity of the original recipient?

I am currently getting a ton of email from "myself" and have been having a ton of difficulty filtering it. I have postfix configured to check SPF and (presumably) reject if it fails, and SpamAssassin has the SPF filter installed. But nothing is working. I can connect to postfix over telnet and plaintext a message from "myself" to myself without authentication and it just arrives in my inbox like it's supposed to be there.

$ sudo -u spamd -H spamassassin -D --lint 2>&1 | grep SPF
May 24 10:12:04.282  dbg: diag: [...] module installed: Mail::SPF, version v2.008
May 24 10:12:04.289  dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC

relevant bits of master.cf

...
smtp      inet  n       -       n       -       -       smtpd -o content_filter=spamassassin
submission inet n       -       n       -       -       smtpd -o content_filter=spamassassin
smtps     inet  n       -       n       -       -       smtpd -o content_filter=spamassassin
policyd-spf unix - n n - - spawn user=nobody argv=/bin/python /usr/libexec/postfix/policyd-spf
spamassassin unix - n n - - pipe flags=R user=spamd argv=/usr/bin/spamc -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
...

Excerpt main.cf

smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    check_policy_service unix:private/policyd-spf,
    reject_unauth_destination,
    reject_rhsbl_reverse_client dbl.spamhaus.org,
    reject_rhsbl_helo dbl.spamhaus.org,
    reject_rhsbl_sender dbl.spamhaus.org,
    reject_rbl_client zen.spamhaus.org

and I have the SPF defined in the txt records in my DNS (I relay all mail through mailjet due to network restrictions): example.com. 20020 IN TXT "v=spf1 include:spf.mailjet.com ?all" **Edit:** Per suggestion, I have updated my DNS, though the exact behavior still exists: example.com. 86400 IN TXT "v=spf1 include:spf.mailjet.com -all" **Edit 2:** I added a DMARC record to enforce quarantine on 100% of violations, and it's still not working: _DMARC.example.com. 86400 IN TXT "v=DMARC1; p=quarantine; rua=mailto:postmaster@example.com; ruf=mailto:dmarc-failures@example.com; fo=1; pct=100" and I've checked SPF and DMARC with mxtoolbox, and everything looks good. but Postfix just passes the mail right on through, and SA tacks on SPF_NEUTRAL in the header. So......... how do I make this work? How can I prevent this garbage email from coming through? Edit: I don't care if SA or Postfix blocks it, I just don't want it in my inbox. I think I may have mixed up trying to integrate both blocking and that's why it's not working? Or did I misconfigure my DNS? **Edit 3:** According to Method 2 here: https://serverfault.com/questions/905591/receiving-spam-from-my-own-email-address-postfix this should be working? (This question is older and uses the perl module, whereas I'm using the newer python module, but I implemented it the same way.)

I'm running a mail server with postfix and spamassassin, and I appear to be getting a fair amount of junk mail through. I picked on one email at random to compare what the email headers say regarding spamassassin and what a command line test on the same mail produces. The results are not consistent: Here are the relevant mail headers:

X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on smtp.xxxxx.xxxx
X-Spam-Level: 
X-Spam-Status: No, score=-0.9 required=1.5 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HTML_IMAGE_RATIO_06,HTML_MESSAGE,MIME_HTML_ONLY,
	RCVD_IN_DNSWL_NONE,SPF_HELO_PASS,SPF_PASS,URIBL_GREY autolearn=no
	autolearn_force=no version=3.4.0

Here is me checking the same mail on the command line: (Mails are stored on the filesystem via Maildir)

spamassassin -d -t < 1556039170.M973634P30465.smtp.xxxxx.xxxx\,S\=41505\,W\=42059\:2\,S

Here's the result:

Content analysis details:   (2.1 points, 1.5 required)
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/ , no
                            trust
                            [83.138.173.9 listed in list.dnswl.org]
 1.1 URIBL_GREY             Contains an URL listed in the URIBL greylist
                            [URIs: pure360.com]
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 HTML_IMAGE_RATIO_06    BODY: HTML has a low ratio of text to image area
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
                            domain
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid

This email should have been blocked by Spamassassin with a score of 2.1. However the mail header shows a score of -0.9. I observed the same issue with several other mails. I don't understand this inconsistency? The only thing I noticed was a lag of maybe 3 seconds or so in the command line test before getting the result. Timeout issue maybe?