OS X Tiger Server: Improving SpamAssassin

Tiger Server comes with SpamAssassin (3.0.1), which can be enabled on Mail services via the “Scan email for junk mail” checkbox in ServerAdmin. SpamAssassin is actually called by AMaVis as a postfix filter when receiving/sending mail.

The default installation leaves something to be desired, however. He’s a few tips I’ve culled from different places on the net to get my server’s email filtering functioning much more accurately than the out of the box config.

Add Blacklists

In ServerAdmin, under the “Relay” tab, add a couple of blacklists under the “Use these junk mail rejection servers”. I realize some people have mixed feelings about blacklists. I personally don’t use the ORBs style lists, but use “sbl-xbl.spamhaus.org” and “bl.spamcop.net”. You could also have SpamAssassin use blacklists, but I find it easier to configure here.

Fix Bayesian Filtering and Train it

First, use bayesian filtering. Per the documentation, setup users named “junkmail” and “notjunkmail”, and check the “Update the Junk mail and virus database” checkbox in ServerAdmin. Use those addresses to redirect (not forward!) a corpus of good and bad mail. Overnight, Tiger server will run the script at /etc/mail/spamassassin/learn_junk_mail to feed these mailboxes to the bayes db. You should clear out these mailboxes periodically. You can also manually train SpamAssassin using sa-learn (see SA docs). You can also run the learn_junk_mail script as follows:

cd /etc/mail/spamassassin
sudo ./learn_junk_mail

There is one problem with this. Tiger server has two bayes db locations that are not configured properly. One at /var/amavis/.spamassassin and one at /var/clamav/.spamassassin. SpamAssassin reads from the former, learn_junk_mail posts to the later. To fix this, replace the later with a symlink to the former as follows (WARNING! this will wipe out the existing db built with learn_junk_mail)

sudo rm -rf /var/clamav/.spamassassin
sudo ln -s /var/amavis/.spamassassin /var/clamav/.spamassassin

Setup Razor

Next, setup Razor and enable remote tests. By default, Tiger’s SpamAssassin will only run local tests, and does not have an installation of Vipul’s Razor, which I’ve found to dramatically improve the result quality of SpamAssassin. So, download both the “razor-agents” and “razor-agents-sdk” from here, and follow the Installation Instructions, the default installation instructions work like a charm.

Edit SpamAssassin Config

Make a backup of, then open /etc/mail/spamassassin/local.cf in your favorite text editor. Note that SpamAssassin will respect the rules set in it’s config, but any rules that modify the output of the message will be ignored because AMaViS discards the modified message SA produces and acts based on it’s return result values (see below to configure AMaViS). These are the key entries I made:

use_razor2 1
razor_timeout 10
score RAZOR2_CF_RANGE_51_100 4.0

Edit AMaViS Config

Make a backup of, then open /etc/amavisd.conf in your favorite text editor. Here’s some entries to set as desired:

• $sa_local_tests_only = 1 [default is 0, this will enable SpamAssassin to run razor and any other tests you configured that require network access]
• $sa_tag_level_deflt = -999 [and messages that score over this number get X-Spam... headers added, regardless of the outcome of the SA tests. I like all mail tagged with headers, thus the low number]
• $sa_tag2_level_deflt = [number] [SA score at which to consider a message spam and tag it as such]
• $sa_kill_level_deflt = [number] [SA score at which to apply the final destination setting]
• $sa_spam_subject_tag = ‘[SPAM]‘ [Tag to append to subject of messages marked as spam]
• $final_spam_destiny = [D_DISCARD,D_BOUNCE,D_PASS] [What to do with a message that reaches the "kill" score]
• @local_domains_acl [make sure all possible local domains that will be handled by this server are listed here. spam headers will only be added to messages considered "local"]

Note that ServerAdmin only lets you configure a single “score” for Spam. It will write out this config file to have $sa_tag2_level_deflt = $sa_kill_level_deflt. You probably don’t want to do that. I have one level that will get marked as Spam (4.0) and a different level that will get completely rejected (6.0).

NOTES

Be careful what you change in ServerAdmin, or your mods may get written over.