Mostly spamassasin, more or less out of the box. Also postscreen (only the pregreet test) [1] to keep out the dumbest kind of spambots. Works really great and not worse than my gmail account. I don't agree that gmail is damn good at spam filtering, it's quite average.

[1] http://www.postfix.org/POSTSCREEN_README.html

Spamassassin almost cost me my career. A manager at a big company over a team doing my "dream job" emailed me, and Spamassassin threw it straight in to the bit bucket for whatever arbitrary reason it did. Fortunately a recruiter at said company was more persistent and managed to get through to me by phone. That job ended up catapulting me onto a career "hockey stick," and if it weren't for that, I'd likely still be languishing in some sad corner of IBM.

At work we used Ironports for years until Cisco, as usual,started making a mess. Nowadays we use Mailcleaner with a little bit of tweaking in a VM. It's a little worse than IronPort when Ironport was good, but so much better than what Cisco's systems were doing for us when we shut the old system down.

On a side note, I really don't understand why people say it's hard to run a mail server, it really isn't. It can be hard if you go full postfix+spamassasin on plain config files and configure everything without any help. Since 2005, we've been running:

Exchange 2003 Exchange 2010 Exchange 2016

Watchguard smtp Proxies and antispam External provider's antispam services Cisco Ironports (first a dual node cluster with some older machines, then Cisco came and forced us to upgrade to some C170 which were slow as hell)

We've run through countless updates on the exchange servers, we have mailboxes with more than 50Gb of content, about 1Tb of database sizes, the biggest problem we had, came when we had a two node DAG in Exchange 2010 and the RPC Client Access Server didn't correctly change when Outlook 2007 was open leaving some clients trying to connect to the server that was rebooting. We've also changed IP addresses a few times, but if you change your SPF records correctly, and pay for a good IP range you won't have any problems. Sure, you can't have your mail server on an IP range flagged as spam, but you also wouldn't buy a 100.000 dollar car and put 50 dollar wheels on it!

How do you get a “good IP range?”

In Spain at least, from a good ISP, and buying as a Business. Here you get two segments, mostly. Residential, which will leave you with banned SMTP and public IPs marked as spam everywhere. If you buy as a business, and from a trusted ISP, and tell them your use case, they will give you clean IPs. In our case, we're paying about a thousand euros a month for two optic fiber links with 100mbps up/download and two blocks of 8 public IPs, all of them completely clean.

The best nowadays seems to be rspamd (https://rspamd.com/).

Not OP, but I use both Spamassassin and DSPAM. It catches most spam but I do see a couple every week.

I've been using SpamArrest for 15+ years. SpamArrest filters out 99% of spam. I have to whitelist all domains or email addresses the first time I correspond. It gives legitimate users an opportunity to get through.

Worth every penny.

clamav with Google's safebrowsing filter enabled blocks a great deal of junk. It eats RAM, though.

Looking in my logs, it looks like that plus a hard block on zen.spamhaus.org would be enough to remove almost all spam, though I'm not sure what the false positive rate would be like on the latter.