Further, I recommend you use amavisd (as you already are for the $sa_dsn_cutoff_level settings, etc.) for whitelisting, since it is amavisd that is calling spamassassin.
There's plenty of info on/for amavisd and whitelisting.
That said, what works for some is NOT right for others/everyone, but after long having used proper Postfix anti-spam configuration, I have amavisd.conf set to
$sa_tag_level_deflt = -999; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 2.1; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 5.5; # triggers spam evasive actions (e.g. blocks mail)
$sa_dsn_cutoff_level = 7;
and have not once in the past several years had any word of false rejection(s) or any lost/mishandled incoming messages.
There have been other problems at the external emailer(s)' mailserver, and they have used - for example - a gmail account to complain to my mail users, only to have it turn out to be botched DNS or mailserver settings at their end (Symantec AV's mailserver... offering, completely mangling mail-headers before sending it out, as just one example. It may have been misconfigured).
But what matters far more than wrangling amavisd and/or spamassassin in regards to otherwise legitimate mail traffic, is proper configuration of postfix. Run, don't walk, to see Pterobyte's Front-Line defense tutorial at
http://osx.topicdesk.com/
If you use it, I recommend making a contribution (and I have no official affiliation with Pterobyte or that site).
Next stop I strongly recommend reading up at the Postfix site,
and
http://www.postfix-book.com/
Point being, handle spam vs. legitimate mail earlier via Postfix, rather than wasting server resources.
It's not hard to adjust Postfix (via custom rules) to accommodate for problems for some users (at their end), although one should not have to 😉
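
Added example, not part of the original post and not amavisd's own code: a small Python sketch that parses the four threshold lines quoted above and shows which actions a given SpamAssassin score would trigger. The action labels and the helper names are hypothetical, and it assumes every threshold is applied as "score >= level"; whether a DSN is actually sent below the cutoff still depends on the rest of amavisd.conf.

```python
import re

# Constructed sample: the four threshold lines from the post, in amavisd.conf syntax.
SAMPLE_CONF = """\
$sa_tag_level_deflt  = -999; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 2.1;  # add 'spam detected' headers at that level
$sa_kill_level_deflt = 5.5;  # triggers spam evasive actions (e.g. blocks mail)
$sa_dsn_cutoff_level = 7;
"""

# Matches simple numeric assignments such as "$sa_kill_level_deflt = 5.5;"
LINE_RE = re.compile(r"^\s*\$(sa_\w+)\s*=\s*(-?\d+(?:\.\d+)?)\s*;")

ORDER = ["sa_tag_level_deflt", "sa_tag2_level_deflt",
         "sa_kill_level_deflt", "sa_dsn_cutoff_level"]


def parse_levels(conf_text):
    """Return {variable_name: float} for numeric $sa_* assignments."""
    levels = {}
    for line in conf_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            levels[m.group(1)] = float(m.group(2))
    return levels


def check_order(levels):
    """Sanity check: tag <= tag2 <= kill <= dsn cutoff, all four present."""
    if any(name not in levels for name in ORDER):
        return False
    values = [levels[name] for name in ORDER]
    return values == sorted(values)


def actions_for(score, levels):
    """List the (hypothetically named) actions for one message score.
    Assumption: each threshold is compared as score >= level."""
    acts = []
    if score >= levels["sa_tag_level_deflt"]:
        acts.append("spam-info-headers")
    if score >= levels["sa_tag2_level_deflt"]:
        acts.append("spam-detected-headers")
    if score >= levels["sa_kill_level_deflt"]:
        acts.append("evasive-action")
        # At or above the cutoff, no delivery status notification is generated.
        cutoff = levels["sa_dsn_cutoff_level"]
        acts.append("no-dsn" if score >= cutoff else "dsn-not-suppressed")
    return acts


if __name__ == "__main__":
    lv = parse_levels(SAMPLE_CONF)
    for s in (0.4, 3.0, 6.2, 9.8):
        print(f"{s:>5}: {', '.join(actions_for(s, lv))}")
```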