Linux : Postfix SpamAssassin Setup

This page last changed on Jan 07, 2007 by Kees de Kooter


After a lot of digging and experimenting integrating SpamAssassin and Postfix turned out to quite easy.

Create special user account

Create user account for running the filter. E.g. spamassassin.


First add the SA service to the postfix services file and add this content filter to the smtp service type.

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd -o content_filter=spamassassin:
<some lines omitted>
smtp      unix  -       -       n       -       -       smtp -o content_filter=spamassassin:
<some lines omitted>
spamassassin unix -       n       n       -       -       pipe user=spamassassin 
         argv=/usr/local/bin/ -f ${sender} -- ${recipient}

Next create a small shell script that pipes incoming mail through to the spamassassin daemon. The script should be executable by the spam user.

/usr/bin/spamassassin | /usr/sbin/sendmail.postfix -i "$@"
exit $?


Enable header checks in the postfix configuration file.

Finally these lines silently in the header_checks file destroy the incoming mail that is marked as spam by the SpamAssassin service configured in the previous paragraph.

/^X-Spam-Status: Yes/ DISCARD
/^X-Spam-Flag: YES/ DISCARD

I purposely put this on "DISCARD" so no action towards the sending party is taken. Before it was set to REJECT leading to "backscattering" behaviour. In that case postfix politely notifies the sender of the reason of rejection. However a lot of spam these days has a forged sender to postfix's mails bounced back. I decided to DISCARD them al together. After all why be polite to unpolite spammers?

A less agressive approach would be to let the header check put the message in the hold queue with the HOLD directive. That way possible legitimate mail can always be retrieved later on.

See also and


postfix reload