With cloud-based spam scanning you make the anti-spam service the MX for your domain, and they do the scanning and forward mail on to your server(s). Sounds simple enough, but spammers don't play by the rules, and they're quite happy to ignore your MX record (particularly if it changes to one of a large well-known anti-spam service) or use old cached ones if it suits them.
So, when we changed our MX a lot of spam just kept coming to our server - the old MX for the domain, even days after the change (even as I write this, spammers are still trying to send mail to that host).
We had a machine (the old MX) that was sitting in our DMZ handling email for the whole organisation, which consisted of three separate mail domains (Domain A, Domain B and Domain C). Only Domain A was using cloud-based scanning. This machine ran Postfix, and we needed Postfix to have a rule something along the lines of "If mail is delivered to Domain A from any host other than our Anti-Spam service, or hosts on our network, reject it".
That sounded complicated, but it really wasn't; with the help of the postfix-user mailing list we got it done easily. See the examples below:
We added the following two lines in red to the Postfix main.cf file:
smtpd_recipient_restrictions =

The file /etc/postfix/cloudspamsubnets contained a list of subnets our spam scanning service uses to forward mail to us, in the format:

100.1.2 OK

You'll notice the subnet notation is a little odd. Apparently, 220.127.116.11/24 or 18.104.22.168/255.255.255.0 don't work.
Next, the file /etc/postfix/restrictourdomain was a simple list of our domain and any subdomains:
subdomain.domaina.com OK

Postfix will reject any subdomains of Domain A if it's responsible for those as well, so you need to list them with an OK to have them let through.
And apart from running postmap /etc/postfix/restrictourdomain and postmap /etc/postfix/cloudspamsubnets and restarting Postfix, that pretty much did the trick!
P.S. Thanks to Sahil Tandon for suggesting this bit of config.
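The lookup behaviour behind the odd subnet notation and the subdomain entries, as an added example that is not part of the original post or of Postfix: a small Python model of how indexed access(5) tables are searched, which you can use to reason about table entries before running postmap. The restriction order, the `domaina.com REJECT` entry, the `MYNETWORKS` prefix and the sample addresses are assumptions made for illustration, and the model assumes the default setting in which a parent domain entry also matches its subdomains.

```python
# Added example: models Postfix access(5) hash-table lookups, not Postfix itself.
# Table contents are constructed; "domaina.com REJECT" is an assumed entry.
CLOUD_SUBNETS = {"100.1.2": "OK"}                  # /etc/postfix/cloudspamsubnets
RESTRICT_DOMAIN = {"domaina.com": "REJECT",        # assumed parent-domain entry
                   "subdomain.domaina.com": "OK"}  # /etc/postfix/restrictourdomain
MYNETWORKS = ("10.0.0.",)                          # assumed internal prefix


def lookup_client(table, ip):
    """Try the full IPv4 address, then drop the last octet until a key matches."""
    octets = ip.split(".")
    while octets:
        action = table.get(".".join(octets))
        if action:
            return action
        octets.pop()
    return None  # a key such as "100.1.2.0/24" is never generated, so never hit


def lookup_recipient(table, rcpt):
    """Try user@domain, then the domain and each parent domain, then user@."""
    rcpt = rcpt.lower()
    user, _, domain = rcpt.rpartition("@")
    labels = domain.split(".")
    keys = [rcpt]
    keys += [".".join(labels[i:]) for i in range(len(labels))]
    keys.append(user + "@")
    for key in keys:
        if key in table:
            return table[key]  # most specific key wins
    return None


def decide(client_ip, rcpt):
    """Assumed order: our networks, then client table, then recipient table."""
    if client_ip.startswith(MYNETWORKS):
        return "permit"
    if lookup_client(CLOUD_SUBNETS, client_ip) == "OK":
        return "permit"
    if lookup_recipient(RESTRICT_DOMAIN, rcpt) == "REJECT":
        return "reject"
    return "permit"  # Domain B and Domain C fall through to normal handling


if __name__ == "__main__":
    for ip, rcpt in [("100.1.2.77", "bob@domaina.com"),
                     ("203.0.113.9", "bob@domaina.com"),
                     ("203.0.113.9", "bob@subdomain.domaina.com"),
                     ("203.0.113.9", "ann@domainb.com")]:
        print(ip, rcpt, decide(ip, rcpt))
```

Network/netmask patterns need the cidr: table type rather than an indexed table, which is why the truncated-octet form is used in the file above.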