Tags
MailServer

📨 Postfix & SpamAss-Milter Integration Guide

Overview

A complete guide to integrating Postfix with SpamAss-Milter on Debian for effective spam filtering. It covers macro configuration, testing, troubleshooting, and best practices for maintaining clean, reliable mail logs.

1. Purpose and Context

spamass-milter connects Postfix with SpamAssassin to analyze incoming messages before delivery. By exporting the correct milter macros, Postfix provides SpamAssassin with valuable context — such as sender, recipient, authentication, and TLS details — which greatly improves spam detection accuracy.

2. Understanding the "Macro b" Warning

If you see the following log entry:

Could not retrieve sendmail macro "b"!.  Please add it to confMILTER_MACROS_ENVRCPT for better spamassassin results

➡️ This warning is normal and harmless when using Postfix.

The Sendmail-only macro b represents a message timestamp. Postfix does not implement this macro, and SpamAssassin does not need it for scoring. You can safely ignore this message.

3. Verifying Milter Setup

Confirm that Postfix recognizes and uses your configured milters:

postconf -n | grep milters

Expected output example:

milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:/spamass/spamass.sock, unix:/opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters

If any of these lines are missing, review your SpamAss-Milter and OpenDKIM installation paths.

4. Configuring Required Milter Macros

Each macro group provides specific context to SpamAssassin:

  • HELO macros: Information about the connecting host (IP and hostname).
  • MAIL macros: Envelope sender and connection data, including authentication and TLS.
  • RCPT macros: Recipient and routing information.
  • End-of-data macros: Final message metadata such as internal queue ID.

Add the following lines to /etc/postfix/main.cf:

milter_helo_macros = {client_addr} {client_name}
milter_mail_macros = i {mail_addr} {mail_host} {mail_mailer} {client_addr} {client_name} {auth_type} {auth_authen} {tls_version} {cipher} {cipher_bits} {auth_ssf}
milter_rcpt_macros = i {rcpt_addr} {rcpt_host} {rcpt_mailer} {mail_addr} {mail_host} {mail_mailer} {client_addr} {client_name} {auth_type} {auth_authen} {tls_version} {cipher} {cipher_bits} {auth_ssf}
milter_end_of_data_macros = i

Then reload Postfix and restart SpamAss-Milter:

systemctl reload postfix
systemctl restart spamass-milter

Verify your configuration:

postconf -n | grep -E '^milter_.*_macros'

5. Suppressing the Warning (Optional)

If you prefer cleaner logs, create an rsyslog filter to hide the harmless macro message:

cat >/etc/rsyslog.d/30-spamass-milter-squelch-b.conf <<'EOF'
if ($programname == 'spamass-milter' and
    $msg contains 'Could not retrieve sendmail macro "b"!') then { stop }
EOF
systemctl restart rsyslog

This prevents repetitive log entries without affecting spam filtering performance.

6. Testing Your Configuration

Use swaks to simulate mail delivery and verify that SpamAssassin is processing messages correctly.

Example command:

apt install -y swaks
swaks --to you@yourdomain.tld --from test@local --server 127.0.0.1 --ehlo testhost --tls --timeout 30
journalctl -u spamass-milter -n100 --no-pager

Expected log snippet:

spamass-milter[12345]: spamd: result: Y 6 - BAYES_99,DKIM_SIGNED,SPF_PASS ...

Example headers:

X-Spam-Checker-Version: SpamAssassin 4.0.0 (2024-xx-xx)
X-Spam-Level: ******
X-Spam-Status: Yes, score=6.5 required=5.0 tests=BAYES_99,SPF_PASS autolearn=no

If these headers appear, SpamAssassin is active and evaluating messages properly.

7. Key Points

  • The sendmail macro b warning is safe to ignore in Postfix.
  • Correct macro configuration provides full context to SpamAssassin.
  • Postfix uses a different macro system from Sendmail; this setup is optimized for it.
  • Cleaner logs can be achieved using an rsyslog filter if desired.

8. Summary

This configuration ensures that SpamAssassin receives complete message metadata from Postfix, leading to improved spam filtering accuracy, fewer false positives, and enhanced reliability. The missing b macro warning can safely be ignored or silenced for cleaner logs.

A properly tuned Postfix–SpamAss-Milter integration forms a stable and effective defense layer for any production mail environment.