I run a small mail server for a group of friends, yesterday one of them forwarded me a message which they’d sent through my server using authenticated SMTP. The problem was that the message had been marked as spam, and quite rightly they were asking why the mail server didn’t automatically trust them to not spam since they’d had to authenticate to send the message.
That made sense to me so I went digging. It turns out that by default Postfix doesn’t include any details in the message headers to show that a it came from an authenticated source. This of course means that SpamAssassin can’t treat the message any differently. This seemed silly so I went digging to see what could be done about it.
There’s a lot of (mis)information out there about this but in the end I found a great site which listed all of the common complaints people have about this sort of thing and what you can do to fix it.
With modern versions of Postfix (at least 2.3.0) and SpamAssassin (at least 3.1.4) it turns out that fixing this is pretty simple.
In your “main.cf” add this line and restart Postfix:
smtpd_sasl_authenticated_header = yes
This change adds a new “Authenticated sender:” section to the “Received:” header of the message, eg:
Received: from overkill.spack.org (gotham.spack.org [111.222.333.444]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (Client did not present a certificate) (Authenticated sender: adam) by ronin.spack.org (Postfix) with ESMTP id 046699C10F; Wed, 20 Feb 2008 19:07:09 -0500 (EST)
Once this new section is present in your mail headers SpamAssassin can tell when a message has been authenticated by a local user and adjust their spam score accordingly. It does this by using the ALL_TRUSTED rule:
X-Spam-Status: No, score=-0.668 tagged_above=-10 required=6.31 tests=[ALL_TRUSTED=-1.44, AWL=0.772]
If for some reason it’s adjustment isn’t enough, I assume you can go digging in the SpamAssassin rules and tweak it further, but I haven’t looked into it yet since this simple change did the trick for me.