I have seen a few posts about this around the Virtualmin forums but none with solutions to the problem at hand: scanning outbound e-mail for spam.
Virtualmin already supports scanning inbound e-mail for spam and viruses through the combination of Postfix, SpamAssassin, and ClamAV. This is great if you host e-mail for your Web hosting customers, but what if those customers also send e-mail from their Websites to recipients external to your Virtualmin system?
We host over 180+ WordPress Websites for our customers, and often find ourselves dealing with spammers who submit a contact form on one of those sites that contains spam. If the customer hosts their e-mail with us through Virtualmin at their domain, then the contact form submission is not delivered to them because SpamAssassin blocks the inbound spam before it can reach their local mailbox. But if the customer has their contact form submissions sent to an external e-mail address, like something at Gmail or Office365, then the e-mail is sent without being checked for spam and our Virtualmin mail server is put on a blacklist because we've effectively allowed our server to send outbound spam.
Is it already possible to set up outbound spam scanning similar to what's currently used for inbound scanning? In other words, if someone sends an e-mail from an account hosted by Virtualmin, or a contact form on a Website hosted by Virtualmin, and that e-mail is sent through the Postfix mail server, how can it be checked for spam before it is actually sent on to the recipient's external e-mail address? Can we use SpamAssassin to check outbound mail in the same way that inbound mail is checked for spam?
Note: I am aware Virtualmin already includes a feature to rate-limit outgoing e-mail. While useful, this does not solve our problem because it does not check the content of e-mails, but rather just the number of e-mails being sent per a specified time interval. If even one spammy e-mail is sent per hour, that is one e-mail too many, and rate limiting will do nothing to stop that. I am also aware that SMTP authentication can stop a large amount of spam by restricting the sending of e-mail to only authenticated users, but again this does not stop cases where a WordPress Website, correctly authenticated to send from an e-mail address set up in Virtualmin, sends out a spammy contact form submission through Postfix to an external e-mail address.
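One shape the outbound check asked about above can take, as an added example that is not part of the original post or of Virtualmin: a script that Postfix runs as a pipe(8) content filter, scores the message with `spamc -c`, and only hands clean mail back for delivery. The argument order, the reinjection listener on port 10026 and the reject threshold are assumptions.

```python
# Added example: outbound spam gate for a Postfix pipe(8) content filter.
import re
import smtplib
import subprocess
import sys

EX_UNAVAILABLE, EX_TEMPFAIL = 69, 75  # sysexits.h codes that pipe(8) acts on
REINJECT = ("127.0.0.1", 10026)  # assumed: smtpd listener with no content_filter
REJECT_AT = 5.0                  # assumed policy threshold, not a value from the post

def parse_check(output):
    """Return (score, threshold) from `spamc -c` output, or None if the scan failed."""
    m = re.fullmatch(r"\s*(-?\d+(?:\.\d+)?)/(-?\d+(?:\.\d+)?)\s*", output)
    score, threshold = (float(g) for g in m.groups()) if m else (0.0, 0.0)
    # spamc prints 0/0 when it could not get a result from spamd: not a verdict
    return None if score == threshold == 0 else (score, threshold)

def verdict(output, reject_at=REJECT_AT):
    """Map scanner output to 'send', 'reject' or 'defer' (scan errors never send)."""
    parsed = parse_check(output)
    if parsed is None:
        return "defer"
    return "reject" if parsed[0] >= reject_at else "send"

def scan(message):
    """Run the raw message through spamc in check-only mode; '' if spamc is missing."""
    try:
        proc = subprocess.run(["spamc", "-c"], input=message, stdout=subprocess.PIPE)
        return proc.stdout.decode("ascii", "replace")
    except OSError:
        return ""

def main(argv):
    sender, recipients = argv[1], argv[2:]  # assumed argv: sender rcpt [rcpt ...]
    message = sys.stdin.buffer.read()
    action = verdict(scan(message))
    if action == "defer":
        return EX_TEMPFAIL       # Postfix keeps the mail queued and retries
    if action == "reject":
        print("outbound message scored as spam")
        return EX_UNAVAILABLE    # Postfix returns the mail to the local sender
    try:
        with smtplib.SMTP(*REINJECT) as smtp:
            smtp.sendmail(sender, recipients, message)
    except OSError:              # covers smtplib errors too; retry later
        return EX_TEMPFAIL
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```
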