I have no idea how to get information from journalctl, as I don’t have to, but I understand gleaning information from it takes a bit of learning.
Virtualmin is a very complex software with a steep learning curve which handles even more complex software. As you are finding out. It isn’t an out of the box substitute for experience. Your posts show a high expectation for that “out of the box” solution. It sets up a very complete “out of the box” environment you probably could not. I know I could not.
It is very easy to mess up configuration while thinking you are not messing it up which makes any issues even harder to fix and figure out.
What does “none have been filtered” mean to you?
Out of the box you have SpamAssassin working. X-Spam-Status: indicates that.
I have 400 or so (*.offending.domain and *@.offending.domain) in denied addresses form.
I have 30 custom header rules and 70-80 with increased or lowered values that are already used by SpamAssassin. Decisions made by watching what was triggered in headers. Read up on SpamAssassin if you want it to work for you.
If you have [recidive] enabled (not a default) with low threshold and long ban time it will funnel repeat offenders from all active filters to that jail and ban all ports. I have no tolerance for repeat offenders so I have all jails set to 2 matches. Make sure you fill in IP addresses to never ban!
If I see IPs from the same block showing up I put a permanent drop rule in firewalld for that block.
None of this is out of the box and shouldn’t be.
You have only posted one email header showing only a couple of tests that had low scores so not spam. Is that characteristic of your spam?
A lot of senders know how to set up their system to not trip filters so they have to be caught by specific words or combos in custom header rules carefully made to not block legit mail.
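An added example, not the poster's code or configuration, illustrating the repeat-offender and same-block points in the post above: it reads `Ban` lines in the fail2ban.log format, counts repeat bans per IP across jails while honouring a never-ban list, and groups banned IPv4 addresses by /24 as candidates for a permanent block rule. The log lines are constructed, and the never-ban network, the /24 grouping and the function names are assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in fail2ban.log format (documentation address ranges only).
SAMPLE_LOG = """\
2024-05-01 08:00:01,100 fail2ban.actions [812]: NOTICE [postfix-sasl] Ban 203.0.113.10
2024-05-01 08:05:12,200 fail2ban.actions [812]: NOTICE [dovecot] Ban 203.0.113.10
2024-05-01 08:07:30,300 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.77
2024-05-01 08:09:44,400 fail2ban.actions [812]: NOTICE [sshd] Ban 198.51.100.4
2024-05-01 08:10:02,500 fail2ban.actions [812]: NOTICE [recidive] Ban 203.0.113.10
2024-05-01 08:11:15,600 fail2ban.actions [812]: NOTICE [sshd] Unban 198.51.100.4
2024-05-01 08:12:40,700 fail2ban.actions [812]: NOTICE [postfix-sasl] Ban 192.0.2.25
2024-05-01 08:13:05,800 fail2ban.actions [812]: NOTICE [dovecot] Ban 192.0.2.25
"""

BAN_RE = re.compile(r"NOTICE\s+\[([^\]\n]+)\]\s+Ban\s+(\S+)")  # "Unban" does not match
NEVER_BAN = [ipaddress.ip_network("192.0.2.0/24")]  # assumed never-ban list
THRESHOLD = 2  # the "2 matches" setting mentioned in the post

def bans(log_text):
    """Yield (jail, ip) for every Ban line with a parseable address."""
    for jail, host in BAN_RE.findall(log_text):
        try:
            yield jail, ipaddress.ip_address(host)
        except ValueError:
            continue  # skip anything that is not an IP address

def repeat_offenders(log_text, threshold=THRESHOLD, never_ban=NEVER_BAN):
    """Return {ip: count} for IPs banned >= threshold times by non-recidive jails."""
    counts = Counter()
    for jail, ip in bans(log_text):
        if jail == "recidive" or any(ip in net for net in never_ban):
            continue  # recidive's own bans and never-ban addresses are not counted
        counts[str(ip)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def noisy_blocks(log_text, min_hosts=2, prefix=24):
    """Return {network: hosts} for IPv4 blocks with >= min_hosts distinct banned IPs."""
    blocks = defaultdict(set)
    for _jail, ip in bans(log_text):
        if ip.version == 4:
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            blocks[str(net)].add(str(ip))
    return {n: sorted(h) for n, h in blocks.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    print(repeat_offenders(SAMPLE_LOG))
    print(noisy_blocks(SAMPLE_LOG))
```

Review any suggested block against the never-ban list before turning it into a permanent drop rule, since a /24 can contain legitimate senders.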