I have recently configured a Postfix mail server to use SpamAssassin as a before-content filter using SpamPD as described on the SpamAssassin Wiki. I have been quite impressed with how well it is working, with one exception. A few email messages have been getting rejected with the following error message:
warning: proxy 127.0.0.1:10025 rejected "MAIL FROM:<example@example.com> SIZE=3325 AUTH=<> BODY=7BIT": "555 5.5.4 Unsupported option: AUTH=<>"
After a bit of investigation I found that the problem is due to a few mail servers that include the AUTH parameter in the MAIL FROM command, even when not authenticated. This server is configured to allow authentication only over TLS/SSL. The AUTH parameter is passed through SpamPD to the receiving instance of Postfix, which rejects the MAIL FROM command because the connection from SpamPD is not using TLS/SSL. To solve the problem, add "-o smtpd_tls_auth_only=no" to the receiving Postfix entry in master.cf from the example. Because the option is set with -o on this one entry, it overrides the setting only for the 127.0.0.1:10026 listener; every other smtpd service keeps the value from main.cf. The entry becomes:
127.0.0.1:10026 inet n - n - - smtpd
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o receive_override_options=no_unknown_recipient_checks
    -o smtpd_tls_auth_only=no
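One way to confirm that the relaxed setting stays confined to the loopback re-injection listener is to audit master.cf for any non-loopback inet service carrying the same override. This is an added example, not part of the original post; the sample file, the function names, and the misconfigured 587 entry are constructed for illustration, and only the plain "-o name=value" form is parsed.

```python
import ipaddress

# Constructed master.cf sample: public listener, the loopback re-injection
# listener from this page, and a hypothetical mistake on a public port.
SAMPLE_MASTER_CF = """\
smtp      inet  n  -  n  -  -  smtpd
    -o smtpd_proxy_filter=127.0.0.1:10025
127.0.0.1:10026 inet n - n - - smtpd
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_tls_auth_only=no
587       inet  n  -  n  -  -  smtpd
    -o smtpd_tls_auth_only=no
"""

def parse_master_cf(text):
    """Join continuation lines (leading whitespace) and collect -o overrides."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        if line[0].isspace() and entries:
            entries[-1] += " " + line.strip()  # continuation of previous entry
        else:
            entries.append(line.strip())
    services = []
    for fields in (e.split() for e in entries):
        if len(fields) < 8:
            continue  # not a complete service definition
        args, opts = fields[8:], {}
        for i, tok in enumerate(args[:-1]):
            if tok == "-o" and "=" in args[i + 1]:
                name, value = args[i + 1].split("=", 1)
                opts[name] = value
        services.append({"service": fields[0], "type": fields[1], "options": opts})
    return services

def is_loopback_only(service):
    """True only when the service field names an explicit loopback address."""
    host, sep, _port = service.rpartition(":")
    if not sep:
        return False  # no host part: listens on inet_interfaces
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False  # hostname; not resolved here, so treated as exposed

def exposed_plaintext_auth(text):
    """Inet services with smtpd_tls_auth_only=no that are not loopback-bound."""
    return [s["service"] for s in parse_master_cf(text)
            if s["type"] == "inet" and not is_loopback_only(s["service"])
            and s["options"].get("smtpd_tls_auth_only") == "no"]
```

Calling exposed_plaintext_auth() on the contents of the real master.cf should return an empty list when the override exists only on the 127.0.0.1:10026 entry.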