At first thought, it seems that HestiaCP security on Debian 11 hosts can be improved by having spamd run as an unprivileged user (e.g. debian-spamd). For this we would need to have spamd bind to a higher port (e.g. tcp/1783) by changing /etc/default/spamassassin accordingly, e.g. OPTIONS="-u debian-spamd -p 1783 --create-prefs --max-children 5 --helper-home-dir"
I will also have to check if there are differences with previously supported Debian releases (9 and 10) and how SA is configured under Ubuntu.
As with everything else, improvements are always welcome and needed. The main problem is time. There is not enough time to improve everything at once. So we always need to make compromises and prioritize what we need to do first.
There are some improvements that get higher priority than others. That does not mean that your proposal is not good. It might be that it gets lower priority because of other more important things.
Let me bring an example. We all know the IPv4 shortage is real and will get even worse in the future. Maybe some hosts will stop offering IPv4 VPS or charge a much higher price (like Hetzner, who raised some IPv4 prices at the start of 2022, and I’m sure they’re not the only ones). So, it makes more sense to give priority to IPv6 implementation than to improving the mail subsystem.
TLDR: Every suggestion is welcome. Just don’t be disappointed if it doesn’t get any immediate attention or priority. But feel free to work on it. So when the time is right we will be many steps ahead.
Another option would be to use Dovecot system-wide sieve filters to move X-Spam-Status: Yes mails to the Junk/Spam folder (instead of changing the Subject to *** SPAM ***). The only downside of this approach would be that users using POP3 instead of IMAP wouldn’t get those mails dumped in Junk.
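A sketch of the system-wide filter described in the post above, as an added example that is not part of the original thread or of HestiaCP's own configuration. It assumes the script is loaded through Pigeonhole's sieve_before setting and that the spam folder is named "Junk".

```sieve
# Added example: system-wide script, run before any per-user script.
# Assumption: the spam folder is named "Junk"; adjust to the mailbox layout.
require ["fileinto", "mailbox"];

# SpamAssassin writes "X-Spam-Status: Yes, score=..." on spam and
# "X-Spam-Status: No, score=... tests=..." on ham.
# Match the start of the value only. A plain :contains "Yes" uses the
# default case-insensitive comparator (i;ascii-casemap) and would also
# match ham headers that list tests such as BAYES_00.
if header :matches "X-Spam-Status" "Yes*" {
    # :create makes the folder on first delivery if it does not exist yet.
    fileinto :create "Junk";
}
```

Sieve runs at final delivery, so it only changes where a message is stored; POP3 clients that read INBOX alone will not see mail filed this way, as the post notes.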
I don’t see a big problem with rejecting mails with a super-high spam score (>10) as long as you do it properly during SMTP-time (and not with a DSN after accepting it). Score >10 is either unquestionably spam or a misconfigured mailserver (e.g. SPF).
I made a git repo of configs, scripts and an installer for spam/ham learning by the user moving email to/from the junk folder. The installer isn’t perfect. It needs a few manual changes afterwards. But most of the work is done; if someone wants to check it out and make some improvements, go ahead. It’s a good starting ground.