Metreon deathwatch

I love the comments at the bottom -- apparently Fourth and Mission is a terrifying place where civilized people should never go without armed guards.

"They mostly come at night. Mostly."

Previously.


spamassassin

Dear Lazyweb,

How the hell do I get SpamAssassin to work properly with Postfix? I've been through this several times before, but as far as I can tell, it's never worked right. Here is what I want:

  • Postfix feeds all locally-delivered mail through SpamAssassin;
  • Each recipient user on the system can have a .spamassassin/user_prefs file that uses directives like "required_score" and "blacklist_from" and "score". (Note that I said that I want this to be per user, not global. His blacklist is not her blacklist.)

Sounds simple, right? Sounds like the setup everyone in the world must have, right?

I can't get it to ever read the user_prefs files. And my mail log is full of errors about not being able to write lock files in ~user/.spamassassin/.


What I've tried:

  • /etc/postfix/main.cf:
    mailbox_command = /opt/local/bin/procmail

    (I see a lot of pages saying to use master.cf for this instead, but as far as I can tell, that would preclude a per-user user_prefs file ever getting consulted. Also the various FAQs on that approach make it sound flaky as all hell.)

  • /etc/procmailrc:

      DROPPRIVS=yes
      :0fw
      | /opt/local/bin/spamc -x -s 1000000

    (I tried it with and without DROPPRIVS.)

  • spamd: I have tried launching it as either
    /opt/local/bin/spamd
    or
    /opt/local/bin/spamd --user-config --username=postfix --groupname=mail

  • /Users/XX/.spamassassin/*: Owned by XX; I have also tried putting them in group "mail" and making them group-writable. Didn't help.

Here's the kind of crap that is getting logged:

    spamd: connection from localhost [127.0.0.1] at port 61095\n
    spamd: processing message <20090304090252.D91F4301D6@neptune.pollstar.com> for caroline:27\n
    locker: safe_lock: cannot create tmp lockfile /Users/caroline/.spamassassin/auto-whitelist.lock.cerebellum.dnalounge.com.8462 for /Users/caroline/.spamassassin/auto-whitelist.lock: Permission denied\n
    auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create tmp lockfile /Users/caroline/.spamassassin/auto-whitelist.lock.cerebellum.dnalounge.com.8462 for /Users/caroline/.spamassassin/auto-whitelist.lock: Permission denied\n
    bayes: locker: safe_lock: cannot create tmp lockfile /Users/caroline/.spamassassin/bayes.lock.cerebellum.dnalounge.com.8462 for /Users/caroline/.spamassassin/bayes.lock: Permission denied\n
    spamd: clean message (0.0/5.0) for caroline:27 in 4.2 seconds, 24916 bytes.\n
    spamd: result: . 0 - HTML_MESSAGE scantime=4.2, size=24916, user=caroline, uid=27, required_score=5.0, rhost=localhost, raddr=127.0.0.1, rport=61095, mid=<20090304090252.D91F4301D6@neptune.pollstar.com>, autolearn=failed\n

(I'm especially impressed at the spurious \n on each line. Kwality.)

I have no idea how to tell what's running as who at the various stages of this pipeline.


Update: I think there were at least two missing pieces: spamd needed to be launched with -H, and procmailrc needed to both DROPPRIVS and run spamc with -u $LOGNAME. So my final, working config is:

  • /etc/postfix/main.cf:
    mailbox_command = /opt/local/bin/procmail
  • /etc/procmailrc:
    DROPPRIVS=yes
    :0fw
    | /opt/local/bin/spamc -u $LOGNAME -x -s 100000000

  • /opt/local/bin/spamd -H -s local7

  • /etc/syslog.conf:
    local7.*     /var/log/spamd.log

  • /Users/XX/.spamassassin/*: Owned by XX

  • /opt/local/etc/mail/spamassassin/local.cf:
    bayes_path /var/spool/spamassassin/bayes
    bayes_file_mode 0666

  • chown -R postfix:mail /var/spool/spamassassin
    chmod -R a+rw /var/spool/spamassassin

    (not sure if this is really necessary)
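The question the post raises, which uid spamd was running as for each recipient, can be read out of the log lines it quotes. The script below is an added example, not part of the original post: it assumes the spamd line format shown above, that the uid= field is the uid spamd was running as while scanning, and that one message's lines are contiguous in the log. The function names and the sample log are constructed.

```shell
#!/bin/sh
# Added example: per-message summary of who spamd ran as and how many
# distinct lock files it failed to create.

# Constructed sample modelled on the log excerpt in the post, including the
# literal "\n" line endings and the doubled auto-whitelist error.
sample_log() {
cat <<'EOF'
spamd: processing message <a@example.invalid> for caroline:27\n
locker: safe_lock: cannot create tmp lockfile /Users/caroline/.spamassassin/auto-whitelist.lock.host.example.8462 for /Users/caroline/.spamassassin/auto-whitelist.lock: Permission denied\n
auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create tmp lockfile /Users/caroline/.spamassassin/auto-whitelist.lock.host.example.8462 for /Users/caroline/.spamassassin/auto-whitelist.lock: Permission denied\n
bayes: locker: safe_lock: cannot create tmp lockfile /Users/caroline/.spamassassin/bayes.lock.host.example.8462 for /Users/caroline/.spamassassin/bayes.lock: Permission denied\n
spamd: result: . 0 - HTML_MESSAGE scantime=4.2, size=24916, user=caroline, uid=27, required_score=5.0, rhost=localhost, autolearn=failed\n
spamd: processing message <b@example.invalid> for bob:501\n
spamd: result: . 0 - scantime=1.0, size=100, user=bob, uid=501, required_score=3.0, rhost=localhost, autolearn=no\n
EOF
}

# Reads a spamd log on stdin and prints one line per scanned message:
#   user  uid  required_score  distinct_lock_failures
spamd_identity_report() {
  awk '
    { sub(/\\n$/, "") }                  # strip the literal "\n" spamd logged
    /cannot create tmp lockfile/ && match($0, / for [^ ]+: Permission denied$/) {
      # target lock path sits between " for " (5 chars) and ": Permission denied" (19 chars)
      path = substr($0, RSTART + 5, RLENGTH - 5 - 19)
      if (!(path in seen)) { seen[path] = 1; fails++ }   # same failure is logged twice
      next
    }
    /spamd: result:/ {
      user = uid = score = "?"
      n = split($0, kv, /, */)
      for (i = 1; i <= n; i++) {
        if (kv[i] ~ /^user=/)           user  = substr(kv[i], 6)
        if (kv[i] ~ /^uid=/)            uid   = substr(kv[i], 5)
        if (kv[i] ~ /^required_score=/) score = substr(kv[i], 16)
      }
      print user, uid, score, fails + 0
      fails = 0; split("", seen)         # reset counters for the next message
    }
  '
}

sample_log | spamd_identity_report
```

Compare the uid column with the output of id -u for that user: a different uid alongside lock failures means spamd was not running as the recipient when it tried to write under that home directory. A required_score still at the default for a user whose user_prefs sets another value is the matching sign that the per-user file was not read.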
