If you want to configure Warden to reject and not forward mail classified as spam or spammy you can use the instructions below.
1. Run the command below to add the entry to header_checks. This entry will tell postfix to check if the mail was previously flagged as spam and if so add an additional X-Already-Spam header:
warden --task=mailserver:checks --oper=header_add --pattern='/^X-Spam-Flag:\s+YES/' --action=PREPEND --text='X-Already-Spam: YES' --reload=yes
Important: A bug exists in the Postfix RPM packages provided by Plesk (Centos/AlmaLinux/CloudLinux 7 and 8) where it will revert any changes to the file /etc/postfix/header_checks every time the Plesk Postfix RPM packages are updated. Admins will have to re-run the command above after Plesk updates Postfix until the bug ID PPPM-14712 is fixed. Our recommendation is that (Centos/AlmaLinux/CloudLinux 7 and 8) users add the command above as a nightly cron so that you won't have to worry about Postfix Plesk updates to removing the entry.
2. Reset the server wide policy to enable the spam kill level if it is not already enabled:
warden --task=contentfilter:policy --default=yes
3. Add a header rule to check if the message was already classified as spam:
warden --task=antispam:rules --oper=rule_add --name='__IS_ALREADY_SPAM' --description='Mail is already classified as spam' --type=header --value='X-Already-Spam =~ /YES/i'
4. Add a header rule to check if the message is a redirect (Plesk applies Sender Rewriting Scheme (SRS) to redirects):
warden --task=antispam:rules --oper=rule_add --name='__IS_REDIRECT' --description='Mail is a redirect' --type=header --value='Return-Path =~ /^<SRS0=/i'
5. Add a meta rule to check if both rules from above match then apply a higher score so that the message is rejected:
warden --task=antispam:rules --oper=rule_add --name='REDIRECT_SPAM' --description='Mail is redirect spam' --type=meta --value='(__IS_REDIRECT && __IS_ALREADY_SPAM)' --score=20
6. Enable the shortcircuit plugin:
warden --task=antispam:plugins --Shortcircuit=1
7. Shortcircuit the REDIRECT_SPAM rule we added so that we do not process any other rules once it is matched. This will save on CPU usage and should disable autolearning for the redirects.:
warden --task=antispam:plugin:shortcircuit --shortcircuit='REDIRECT_SPAM spam' --reload=yes
Now any incoming mail that is classified as spam or spammy will trigger the REDIRECT_SPAM rule and for their forwards so they will be rejected and not leave the server.