There are 7 issues you need to check on spam filtering with a great and easy to use Postfix-SpamAssassin-ClamAV setup like PMG:
1. Check, that your mail path is only going through PMG. So take sure, backup MX don't exist or are also protected by their own PMG or a similar anti spam solution. As well take sure, that your destination mail server is only available via PMG, some spammers try to access mail servers directly and ignore any MX records, e.g. if the server hosting your domain has an active and available SMTP server on port 25, some spammers may try to send their mails directly.
2. Find a good set of Pre-Greet reject settings, e.g. check sender addresses, you may check sender clients, however my explanations soften the setting from PMG a bit as if activating usually FCrDNS checks are performed, that may result in some trouble with lame administrators so my explanations only check for reverse DNS. You will also find some additional Pre-Greet optimizations in my thread.
3. Find a good set of RBL, be aware, some are not for commercial usage, some have limits, some are paid ones. You should also find your optional set, e.g. Proxmox recommends to use Barracuda Central as blacklist, which I would never do, as Barracuda lists IP addresses once any Barracuda Appliance Administrator claims a mail as spam. You may use postfix warn_if_reject setting to find your optimal set, you may also use mine on your own risk, be aware, that two lists are just xxxx, as they are paid and I won't provide their hostname, you need to purchase at invaluement and will get the list names. For all list based setups ensure, you run your own DNS server and don't use e.g. Google or any public DNS server because of rate limit.
4. You may optimize your SpamAssassin settings by adding additional rules, lists, services like DCC and Pyzor, again ensure not to violate any license (e.g. DCC), commercial usage etc.
5. You should train the Bayes Database of SpamAssassin by learning ham and spam. You could also use autolearn, but to learn 200 spams and hams automatically it takes a really really long time. My commercial test setup is running now for 1+ year and didn't learn 200 spams yet (129 is the current value). Don't learn any spam or ham databases you can download online as that's "their" spam not "your" spam, so you would make the Bayes Database useless. However, AWL will run beside Bayes Database and already work from the scratch and will get better from time to time. You may also play around with the new fuzzy alternative to AWL, but I have no experience with that.
6. Choose a good antivirus solution. Honestly, ClamAV is not working well, also additional signatures like in my thread are not such useful, I stopped it completely and switched to Avast as it has the best possible integration. Maybe I will have a few on Dr.Web in future, as it seems to be the most affordable solution.
7. There are a few more screws you can adjust, e.g. setup a milter-reject as spammers seem to see a rejecting system as not valuable for their efforts, there are simpler victims, so once you reject very much, you will also see a total decrease of spammers trying to get through your filter.
What's missing:
a. SPF may have been a good idea, but it's broken by design. PMG also doesn't allow you to chose, which option you want to run (if the sender is running a hard fail policy, also PMG will do a hard fail mean while e.g. Plesk allows to adjust). As there are many lame administrators, but also as SPF is not widely adopted, you may always get in trouble with some legit mails, which will get rejected. So let SpamAssassin score on SPF, but don't use PMG SPF setting.
b. Same for Greylisting. The golden ages of Greylisting are long time ago, currently you will only suffer your users because of delayed mails. There is a really intelligent Greylisting setup, which is used by rspamd and hopefully Proxmox will adopt it as well. So delaying some mails may help, if such mails could be spam, but you're unsure, if they are or not. Then delaying such mail would be a great option, as on second try, this mails will already be blacklisted and then be rejected. Proxmox sadly just adopted a Greylisting passthrough once a mail server has a valid SPF record. As mentioned above, I don't recommend to use SPF, also usually worst senders have SPF as well as DKIM rolled out meanwhile legit senders don't have.
