Does anyone here know how to get SpamAssassin to only look at the last hop instead of looking at every MTA that a message has gone through?

Failing that, do you know how to configure it to not punish Tor users?

I can find lots of guides on configuring rules, but nothing that answers these specific questions.

Discussion

I use Rspamd, but if I understood you correctly, the issue is with SpamAssassin filtering MUA connections. The best option is to disable RBLs for 465 and 587 altogether. If that's not possible, you can consider making a whitelist of Tor exits.

The issue was Sender -> Tor -> Gmail -> Destination was being treated as if the mail came from Tor instead of from Gmail because Google leaks the Sender's IP address and SpamAssassin apparently uses all the Received From headers by default.

It looks like by using notfirsthop and trusted_networks it can be configured to only use the Received From headers added by the Destination MTA.

This way there's no need to try to manually create and curate a list of all Tor exit nodes.
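
A simplified model of the relay selection discussed in the thread above, added here as an example (not code from the thread or from SpamAssassin itself): it shows which relay IPs a DNSBL lookup would cover by default, with the notfirsthop suffix, and with the related lastexternal suffix that checks only the last hop. The message, hostnames, addresses and the trusted_networks value are constructed placeholders.

```python
import email
import ipaddress
import re

# Constructed message: Sender -> Tor exit -> webmail provider -> destination MX.
# All hosts and addresses are documentation placeholders.
RAW = """\
Received: from out.webmail.example (out.webmail.example [198.51.100.25])
\tby mx.destination.example with ESMTPS; Mon, 1 Jan 2024 00:00:02 +0000
Received: from client (unknown [203.0.113.77])
\tby out.webmail.example with ESMTPSA; Mon, 1 Jan 2024 00:00:01 +0000
From: sender@webmail.example
To: user@destination.example
Subject: constructed sample

body
"""

# Assumed trusted_networks: only the destination's own MX.
TRUSTED = [ipaddress.ip_network("192.0.2.10/32")]

def relay_ips(raw):
    """Connecting IP from each Received header, newest hop first."""
    msg = email.message_from_string(raw)
    found = (re.search(r"\[([0-9a-fA-F.:]+)\]", h)
             for h in msg.get_all("Received", []))
    return [ipaddress.ip_address(m.group(1)) for m in found if m]

def untrusted(ips, trusted):
    """Skip the leading run of trusted relays; every hop after it is untrusted."""
    for i, ip in enumerate(ips):
        if not any(ip in net for net in trusted):
            return ips[i:]
    return []

def ips_to_check(raw, trusted, mode="all"):
    """Relay IPs a DNSBL rule would look up, as strings, for the given mode."""
    hops = [str(ip) for ip in untrusted(relay_ips(raw), trusted)]
    if mode == "lastexternal":
        return hops[:1]        # only the relay that handed the mail to us
    if mode == "notfirsthop" and len(hops) > 1:
        return hops[:-1]       # drop the originating (oldest) hop
    return hops                # "all", or a single hop that cannot be dropped
```

If the provider's range were also listed as trusted, the client address would become the only untrusted hop and would still be looked up, so trusted_networks should cover only relays that are actually under the site's control.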