[SOLVED] Reject messages

felix_84

Hello to all. Is it possible to reject some mail domains and addresses at SMTP level without editing the Postfix configs (smtpd_sender_restrictions)? Can before queue filtering help?
 
with before queue filtering this should work through the default blacklist rule (pmg-smtp-filter would reject the mail, and it would not get queued on PMG)

I hope this helps!
 
Thank you for the reply! But in Tracking Center it still shows blocked instead of rejected. Is this correct?
 
check the complete log - if pmg-smtp-filter replied with a 5xx code then the sending server sees this as a rejected message...
 

Sep 8 12:12:26 mailgw pmg-smtp-filter[4601]: 826885F574AF9A0274: block mail to <user@domain.com> (rule: Drop Blacklist)
Sep 8 12:12:26 mailgw pmg-smtp-filter[4601]: 826885F574AF9A0274: processing time: 0.879 seconds (0.792, 0.053, 0)
Sep 8 12:12:26 mailgw postfix/lmtp[4817]: 9152C82687: to=<user@domain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.3, delays=0.34/0.02/0/0.93, dsn=2.7.0, status=sent (250 2.7.0 BLOCKED (826885F574AF9A0274))

Sender address is in the 'Who Objects-Blacklist' and option Before Queue Filtering is set to YES.

proxmox-mailgateway: 6.2-1 (API: 6.2-3/dd58a339, running kernel: 5.4.30-1-pve)
pmg-api: 6.2-3
pmg-gui: 2.2-1
pve-kernel-5.4: 6.1-9
pve-kernel-helper: 6.1-9
pve-kernel-5.3: 6.1-6
pve-kernel-5.0: 6.0-11
pve-kernel-5.4.30-1-pve: 5.4.30-1
pve-kernel-5.3.18-3-pve: 5.3.18-3
pve-kernel-5.3.18-1-pve: 5.3.18-1
pve-kernel-5.3.13-1-pve: 5.3.13-1
pve-kernel-5.3.10-1-pve: 5.3.10-1
pve-kernel-5.0.21-5-pve: 5.0.21-10
pve-kernel-5.0.21-2-pve: 5.0.21-7
pve-kernel-5.0.21-1-pve: 5.0.21-1
clamav-daemon: 0.102.4+dfsg-0+deb10u1
libarchive-perl: 3.3.3-1
libjs-extjs: 6.0.1-10
libjs-framework7: 4.4.7-1
libpve-apiclient-perl: 3.0-3
libpve-common-perl: 6.0-19
libpve-http-server-perl: 3.0-5
libxdgmime-perl: 0.01-5
lvm2: 2.03.02-3
pmg-docs: 6.2-1
pmg-log-tracker: 2.1.4-1
postgresql-11: 11.7-0+deb10u1
proxmox-mini-journalreader: 1.1-1
proxmox-spamassassin: 3.4.4-2
proxmox-widget-toolkit: 2.1-6
pve-firmware: 3.0-7
pve-xtermjs: 4.3.0-1
zfsutils-linux: 0.8.3-pve1
 
Sep 8 12:12:26 mailgw postfix/lmtp[4817]: 9152C82687: to=<user@domain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.3,
This logline looks like it's from a system not configured for before queue filtering
are the configuration templates for postfix (especially master.cf.in) without modifications?
 

The only modification I made is header checks in /etc/pmg/templates/main.cf.in
header_checks = regexp:/etc/postfix/header_checks
 
please post your rendered '/etc/postfix/master.cf' (and your '/etc/postfix/main.cf')
 


# auto-generated by proxmox

smtp_generic_maps = hash:/etc/postfix/generic
compatibility_level = 2
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix

# appending .domain is the MUA's job.
append_dot_mydomain = yes

smtpd_banner = $myhostname ESMTP Proxmox Mail Gateway
biff = no


delay_warning_time = 4h


best_mx_transport = local
message_size_limit = 36700160
mailbox_size_limit = 73400320

mydomain = domain
myhostname = mailgw
smtp_helo_name = mail.server.com

parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = localhost, $myhostname
mynetworks = 127.0.0.0/8 [::1]/128 172.16.10.0/24 192.168.0.0/16

relay_domains = hash:/etc/pmg/domains

transport_maps = hash:/etc/pmg/transport



relay_transport = smtp:[mail.server.com]:25





content_filter=scan:127.0.0.1:10024

mail_name = Proxmox


smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_non_fqdn_helo_hostname reject_invalid_helo_hostname reject_rhsbl_helo dbl.spamhaus.org reject_rhsbl_helo dbl.abuse.ro


postscreen_access_list =
    permit_mynetworks,
    cidr:/etc/postfix/postscreen_access


postscreen_dnsbl_sites = zen.spamhaus.org*2,bl.spamcop.net*2,psbl.surriel.com,spamrbl.imp.ch,noptr.spamrats.com,escalations.dnsbl.sorbs.net,bl.score.scenderscore.com,bl.spameatingmonkey.net,dnsbl-1.uceprotect.net
postscreen_dnsbl_threshold = 2


postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce

smtpd_sender_restrictions =
    permit_mynetworks
    reject_non_fqdn_sender
    check_client_access cidr:/etc/postfix/clientaccess
    check_sender_access regexp:/etc/postfix/senderaccess
    check_recipient_access regexp:/etc/postfix/rcptaccess reject_unknown_client_hostname reject_unknown_sender_domain
    reject_rhsbl_client dbl.spamhaus.org
    reject_rhsbl_reverse_client dbl.spamhaus.org
    reject_rhsbl_sender dbl.spamhaus.org
    reject_rhsbl_client dbl.abuse.ro
    reject_rhsbl_reverse_client dbl.abuse.ro
    reject_rhsbl_sender dbl.abuse.ro

smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    reject_non_fqdn_recipient
    check_recipient_access regexp:/etc/postfix/rcptaccess check_sender_access regexp:/etc/postfix/senderaccess check_client_access cidr:/etc/postfix/clientaccess check_policy_service inet:127.0.0.1:10022 reject_unknown_recipient_domain reject_unverified_recipient

smtpd_data_restrictions = reject_unauth_pipelining


unverified_recipient_reject_code = 550


smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 50
smtpd_client_message_rate_limit = 30


smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/pmg/tls_policy
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/pmg/pmg-tls.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_ciphers = medium
tls_medium_cipherlist = AES256+EECDH:AES128+EECDH:AES256+EDH:AES128+EDH
tls_preempt_cipherlist = yes

smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1


smtpd_tls_received_header = yes



smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache


unverified_recipient_reject_reason = Recipient address lookup failed



default_destination_concurrency_limit = 40
lmtp_destination_concurrency_limit = 20
relay_destination_concurrency_limit = 20
smtp_destination_concurrency_limit = 20
virtual_destination_concurrency_limit = 20

recipient_delimiter = +
smtp_host_lookup = native
address_verify_sender =
header_checks = regexp:/etc/postfix/header_checks
smtpd_discard_ehlo_keywords = chunking, silent_discard
#sender_bcc_maps = regexp:/etc/postfix/mailmap_bcc
#recipient_bcc_maps = regexp:/etc/postfix/mailmap_bcc
 
content_filter=scan:127.0.0.1:10024
this might explain why the scanning happens as after-queue filtering ....
please try to reset the config templates (meaning use the shipped ones) and then add the modifications you need one by one...
 
Now the logs look like this
Code:
Sep 12 09:48:06 mailgw postfix/smtpd[13604]: proxy-reject: END-OF-MESSAGE: 554 5.7.1 Rejected for policy reasons (82B945F5C6F25251C5); from=<user@google.com> to=<user@domain.com> proto=ESMTP helo=<mail-wm1-f46.google.com>
Thanks again for your help!
 
and I guess some notification is needed in such cases.
this was implemented (afair with 6.2) - the configuration templates in /etc/pmg/templates are monitored with ucf(1) - and you should get asked upon upgrade.

Glad you managed to find the issue!
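
The two outcomes discussed in this thread can be told apart mechanically. The following Python sketch is an added example, not part of the thread and not PMG code: it classifies the log lines posted above as after-queue (`250 ... BLOCKED` via `postfix/lmtp`) or before-queue (`proxy-reject` with a 5xx), and reads the `content_filter` value from main.cf text. The function names and regular expressions are assumptions built only from the lines shown here.

```python
import re

# Log lines copied from this thread.
SAMPLE_LOG = """\
Sep 8 12:12:26 mailgw pmg-smtp-filter[4601]: 826885F574AF9A0274: block mail to <user@domain.com> (rule: Drop Blacklist)
Sep 8 12:12:26 mailgw postfix/lmtp[4817]: 9152C82687: to=<user@domain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.3, delays=0.34/0.02/0/0.93, dsn=2.7.0, status=sent (250 2.7.0 BLOCKED (826885F574AF9A0274))
Sep 12 09:48:06 mailgw postfix/smtpd[13604]: proxy-reject: END-OF-MESSAGE: 554 5.7.1 Rejected for policy reasons (82B945F5C6F25251C5); from=<user@google.com> to=<user@domain.com> proto=ESMTP helo=<mail-wm1-f46.google.com>
"""

# After-queue: the mail was already queued, then handed to the filter on
# 127.0.0.1:10024 over lmtp; the filter answers 250 ... BLOCKED.
AFTER_QUEUE = re.compile(
    r"postfix/lmtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>.*"
    r"relay=127\.0\.0\.1\[127\.0\.0\.1\]:10024.*"
    r"\((?P<code>2\d\d) [\d.]+ BLOCKED \((?P<fid>[0-9A-F]+)\)\)"
)
# Before-queue: smtpd relays the filter's 5xx to the sender during the SMTP session.
BEFORE_QUEUE = re.compile(
    r"postfix/smtpd\[\d+\]: proxy-reject: END-OF-MESSAGE: (?P<code>5\d\d) [\d.]+ "
    r".*?\((?P<fid>[0-9A-F]+)\); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def classify(line):
    """Return (mode, smtp_code, filter_id) for a delivery-outcome line, else None."""
    for mode, pattern in (("after-queue", AFTER_QUEUE), ("before-queue", BEFORE_QUEUE)):
        m = pattern.search(line)
        if m:
            return (mode, int(m["code"]), m["fid"])
    return None

def sender_saw_rejection(line):
    """True only when the line records a 5xx reply to the sending server."""
    hit = classify(line)
    return hit is not None and 500 <= hit[1] <= 599

def content_filter_setting(main_cf_text):
    """Return the last content_filter value in main.cf text, or None if unset."""
    value = None
    for raw in main_cf_text.splitlines():
        if raw[:1] in ("#", " ", "\t") or "=" not in raw:
            continue  # skip comments, continuation lines and non-assignments
        key, val = raw.split("=", 1)
        if key.strip() == "content_filter":
            value = val.strip() or None
    return value

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(classify(line), sender_saw_rejection(line))
```
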