Thanks to all who helped me on this
In case anyone else is searching and wants to do the same thing.

How do I get mail sent with a single envelope-to of postmaster to bypass spam checks?

Answer

Set up two variables:
acl_m0 = 1 if the mail is rcpt to: postmaster@anything
acl_m1 = 1 if there is any other rcpt to:

In the rcpt acl find the part where postmaster is accepted and modify as follows

<snip>
  accept  local_parts = postmaster
          domains = +local_domains
          set acl_m0 = 1

  warn
          set acl_m1 = 1
<snip>

Then in the data acl

  # Always add X-Spam-Score and X-Spam-Report headers, using SA system-wide settings
  # (user "nobody"), no matter if over threshold or not.
  warn    message = X-Spam-Score: $spam_score ($spam_bar)
          log_message = Spam Score $spam_score P=$acl_m0 O=$acl_m1
          spam = nobody:true

  warn    message = X-Spam-Report: $spam_report
          spam = nobody:true

  # Add X-Spam-Flag if spam is over system-wide threshold
  warn    message = X-Spam-Flag: YES
          spam = nobody

  warn    message = X-new-Subject: [Suspected Spam] $h_Subject
          log_message = Spam detected
          spam = nobody

  # Accept the message if it is sent to postmaster ONLY
  # m0 = message to postmaster
  # m1 = message to other
  accept
          condition = $acl_m0
          condition = ${if ={$acl_m1}{1}{0}{1}}
          logwrite = Postmaster spam block exception

  # Reject spam messages with score over 10, using an extra condition.
  deny    message = This message is over the system wide anti-spam threshold.
          spam = nobody:true/defer_ok
          condition = ${if >{$spam_score_int}{100}{1}{0}}

  # finally accept all the rest
  accept
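
The decision the two flags produce, as a small Python model added here for illustration (not part of the original post and not Exim code). The domain example.org, the function names and the sample recipients are constructed; caseless matching of the local part, and acl_m1 being set for every non-postmaster RCPT that reaches the warn, are assumptions about the snipped parts of the configuration.

```python
LOCAL_DOMAINS = {"example.org"}  # constructed stand-in for +local_domains
REJECT_SCORE_INT = 100           # $spam_score_int is the spam score times 10


def rcpt_acl(recipients):
    """Return (acl_m0, acl_m1) after every RCPT TO has run through the rcpt ACL."""
    m0 = m1 = 0
    for rcpt in recipients:
        local_part, _, domain = rcpt.rpartition("@")
        # Assumption: local part and domain are compared caselessly.
        if local_part.lower() == "postmaster" and domain.lower() in LOCAL_DOMAINS:
            m0 = 1  # accept ... set acl_m0 = 1
        else:
            m1 = 1  # warn set acl_m1 = 1 (set even if a later statement denies)
    return m0, m1


def data_acl(recipients, spam_score_int):
    """Return the data ACL verdict for one message."""
    m0, m1 = rcpt_acl(recipients)
    # accept: condition = $acl_m0 and acl_m1 is not 1
    if m0 == 1 and m1 != 1:
        return "accept (postmaster exception)"
    # deny: condition = spam_score_int > 100
    if spam_score_int > REJECT_SCORE_INT:
        return "deny"
    return "accept"


# Constructed test messages: (recipients, spam_score_int)
CASES = [
    (["postmaster@example.org"], 250),                       # postmaster only
    (["postmaster@example.org", "alice@example.org"], 250),  # mixed recipients
    (["alice@example.org"], 250),                            # no postmaster
    (["postmaster@elsewhere.test"], 250),                    # not a local domain
    (["alice@example.org"], 100),                            # exactly at threshold
]

if __name__ == "__main__":
    for rcpts, score in CASES:
        print(f"{', '.join(rcpts):45} score_int={score:<4} -> {data_acl(rcpts, score)}")
```

Only the first case skips the score check; adding any second recipient to the envelope sets acl_m1 and the message is scored like any other.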