[TUTORIAL] Advancing Proxmox Mail Gateway (especially Spam and Virus Detection)

I think I should look into your rSPAMD implementation, about FCrDNS - I am still skeptical on my approach of this whole thing, though right now my bigger challenge is Bayes giving wrong points - I opened a thread here to discuss it.

rspamd is most based on fuzzy technique, which is much more mystery than AWL and Bayes together. ;-) That one didn't work for me at all. FCrDNS is also not working for me and is the same thing like @ittk posted above. You can be the preacher, which try to shame all the ones, which don't configure their SPF or DKIM well (or FCrDNS) or you may be required to get each potential clean mail as your business is based on, so you may be careful with such settings. On Bayes I recently only had one bad experience as I trained Bayes with foreign spam (there are places where you can download spam to load your filters). Also I would be careful with bait mailboxes just for training Bayes, as it would result in dilute your scores because you just learned "stupid spam". Best would be learning spam, which frustrates the users, e.g. spam, which they forward to you or place in an extra spam mailbox as they are such annoyed by that mails, that they do the job to report them to you. This are the best ones to learn as spam.
 
@heutger
Thank you very much for this nice guide. I've been trying a few things. I would be glad if you could help me with a few questions.

Question 1:
pmg.mail.dnsbl_sites =
zen.spamhaus.org * 2, bl.spamcop.net * 2, psbl.surriel.com * 2, spamrbl.imp.ch * 2, noptr.spamrats.com * 2, escalations.dnsbl.sorbs.net * 2, bl.score.senderscore.com * 2, bl.spameatingmonkey.net * 2, rbl.realtimeblacklist.com * 2, dnsbl.dronebl.org * 2, ix.dnsbl.manitu.net, b.barracudacentral.org, truncate. gbudb.net, bl.blocklist.de,

What does * 2 mean here? If dnsbl.dronebl.org * is in 2 blacklist, does it add 2 spam points?

Question 2:
Sample:
From: =?utf-8?Q?=C3=jack@mydomain.com= <marrie@otherdomain.com>
To: <info@mydomain.com>
How can I block an e-mail coming in this way?

The mail on Outlook or webmail seems to come from jack@mydomain.com. However, looking at the details, the original sender is marrie@otherdomain.com
I'll be glad, if you help me. Thank you.
 
@heutger
Thank you very much for this nice guide. I've been trying a few things. I would be glad if you could help me with a few questions.

Question 1:
pmg.mail.dnsbl_sites =
zen.spamhaus.org * 2, bl.spamcop.net * 2, psbl.surriel.com * 2, spamrbl.imp.ch * 2, noptr.spamrats.com * 2, escalations.dnsbl.sorbs.net * 2, bl.score.senderscore.com * 2, bl.spameatingmonkey.net * 2, rbl.realtimeblacklist.com * 2, dnsbl.dronebl.org * 2, ix.dnsbl.manitu.net, b.barracudacentral.org, truncate. gbudb.net, bl.blocklist.de,

What does * 2 mean here? If dnsbl.dronebl.org * is in 2 blacklist, does it add 2 spam points?

Question 2:
Sample:
From: =?utf-8?Q?=C3=jack@mydomain.com= <marrie@otherdomain.com>
To: <info@mydomain.com>
How can I block an e-mail coming in this way?

The mail on Outlook or webmail seems to come from jack@mydomain.com. However, looking at the details, the original sender is marrie@otherdomain.com
I'll be glad, if you help me. Thank you.

Hi, yes *2 means a score factor of two. In combination with the dnsbl threshold setting it can easier reach the necessary amount of points (at my setup 2) or in other words, a factor 2 list directly blocks the mail meanwhile a factor 1 list requires additional one to block. However, in later stages you can read, that I adjusted also all *2 to *1 as (for sure very rare) false positives may occur also on the *2 lists.

For your second question please check the forum, there are many instructions for such "double sender" or "fake sender" settings. I honestly had no problems with, so I also did not implement any solution therefor.
 
  • Like
Reactions: H.c.K
I believe you could forget about free antivirus options. Free antivirus beside clamav is usually for private/personal use only and usually includes software to be used on personal desktop computers and not on servers or to be invoked by CLI or API calls. However, licenses for "appliance" usage is often different, so there may be attractive options. Recent versions of PMG already e.g. included Avira, which I believe is one of the best options, but with open-sourcing PMG, Avira is not included any more. Maybe in future subscriptions it will get an option again (hopefully). Beside Avira I would like to see Sophos, however Sophos is already used for endpoint protection, so it would make sense to use another vendor. Avast had bad publicity in the past, I would not prefer to use that, however, it's the only alternative available currently, also needs to be licensed.
Hello @heutger ,
I currenly install eset on my system , I also consider sophos as well , have you tried sohpos ?
Beside all I would like to take out clamav because of eating to much memory (4g I am on 75%)
When I close clamav --- 30%....
 
Hello @heutger ,
I currenly install eset on my system , I also consider sophos as well , have you tried sohpos ?
Beside all I would like to take out clamav because of eating to much memory (4g I am on 75%)
When I close clamav --- 30%....

Hi, I'm currently very rare of time. So just quick: I considered eset (seems to be not official supported any more) and considered sophos (the only useful option requires api integration which is not provided by pmg), so I finally ended up with avast, which is already supported by pmg and somehow useful and fast enough. The only considerable option, which came along my way was dr.web but honestly I have no glue, how good it really is as there are no statistics, reports etc. and only to be really cheap shouldn't be the final decision for a solution. So although avast always, again and again has worse reputation because of how they work, they have somehow a well recognized antivirus solution, so I would stay with.
 
@heutger WOW, this is a lot to take in, thank you for this.

Could we maybe start a new thread, and reference maybe the PMG version, since some of these things may have been adapted into PMG, helping to reduce the doubling of some of the settings or features?

Thanks!
 
@heutger WOW, this is a lot to take in, thank you for this.

Could we maybe start a new thread, and reference maybe the PMG version, since some of these things may have been adapted into PMG, helping to reduce the doubling of some of the settings or features?

Thanks!

Thanks. I currently need to prioritize my team and wasn't still yet able to provide a new guide. I will provide any time soon, provide a repository therefore and easier access to discussion via Github. I already set up the project there, but wasn't able to do the job yet. I won't believe anything new until end of the year. Sorry for that.
 
Thanks. I currently need to prioritize my team and wasn't still yet able to provide a new guide. I will provide any time soon, provide a repository therefore and easier access to discussion via Github. I already set up the project there, but wasn't able to do the job yet. I won't believe anything new until end of the year. Sorry for that.
Thank you! and please don't apologize, you have taken time to share your discoveries and to help others!
 
  • Like
Reactions: killmasta93
has anyone else been getting this constant email alert?

Code:
/etc/cron.hourly/sa-update:
Possible unintended interpolation of @jpberlin in string at /tmp/.spamassassin26289oGlWIrtmp/70_HS_header.cf, rule HS_HEADER_1477, line 1.
rules: failed to compile Mail::SpamAssassin::Plugin::Check::_head_tests_0_5, skipping:
    (Global symbol "@jpberlin" requires explicit package name (did you forget to declare "my @jpberlin"?) at /tmp/.spamassassin26289oGlWIrtmp/70_HS_header.cf, rule HS_HEADER_1477, line 1.)
channel: lint check of update failed, channel failed
 
has anyone else been getting this constant email alert?
just checked and did not have the message when running sa-update - then again the '/etc/cron.hourly/sa-update' file is not provided by PMG and not present on a plain PMG installation - maybe check what it does and where sa-update goes wrong...
 
Thanks for the reply, it seems that it got resolved on its own i reran it and it seems to work
just checked and did not have the message when running sa-update - then again the '/etc/cron.hourly/sa-update' file is not provided by PMG and not present on a plain PMG installation - maybe check what it does and where sa-update goes wrong...
 
And one more update:

You can decide, if you like to adopt my adjustments or not, but for me it's annoying to see always the same records in tracking center (if checking for quality of e.g. milter-reject) as well as giving any system performance to bad guys. After seeing .icu top level domain seems to have no legit customers, just sending spam over and over, I decided to reject .icu already on connection level (already considered to fail2ban them also, but they seem to use spam server farms, so I would need to reject whole networks, which I currently don't want to do). Googling for .icu spam, there are many records, also on this forum.

So here is what to do:
Code:
vi /etc/postfix/reject_tld
postmap /etc/postfix/reject_tld
vi /etc/pmg/templates/main.cf.in
pmgconfig sync --restart 1

/etc/postfix/reject_tld:
Code:
/\.icu$/ REJECT We reject all .icu domains
I noticed you wrote vi /etc/pmg/templates/main.cf.in , but forgot the line you ad in that file to be active
 
Add GeoIP data to improve bayes filter as well as adding rules to add scores for countries been passed by mails (may or may not work for you)
Hi @heutger

Now maxmind have another policy. You need to create a freea account, then genetare a key(also free) . Then you cand generate a config file(/etc/GeoIP.conf) for their new update tool geoipupdate, who is present in debian:

Code:
apt install geoipupdate

Then using this config file, you can update the data-base from maxmind:

Code:
/usr/bin/geoipupdate -d /usr/share/GeoIP

... and we are back to bussiness again :)

Good luck / Bafta !
 
This guide is a bit old, and even if sometimes you guys have updated it, it's really hard for noobies (of PMG) to understand it all.
I need to install 2 servers because Inumbo is closing, and I really don't know what are the best settings for PMG.

Maybe somebody can create a summary, which would be of great help to newbies. =D
 
This guide is a bit old, and even if sometimes you guys have updated it, it's really hard for noobies (of PMG) to understand it all.
I need to install 2 servers because Inumbo is closing, and I really don't know what are the best settings for PMG.

Maybe somebody can create a summary, which would be of great help to newbies. =D
I'd suggest to start with the recommendations in the wiki-page:

https://pmg.proxmox.com/wiki/index.php/Getting_started_with_Proxmox_Mail_Gateway

This should get you started with a solid base
 
It looks like heutger is Offline since May 2021.
I hope he is OK, but I am planning to rewrite all 15 pages in one new post, because a lot changed.
Some configurations are EOL and in PMG 7 some features are by default available.
Thanks for the effort ! - very much appreciated :)

We do have a (very basic, but quite effective) getting started page in the wiki - maybe it could also offer some input:
https://pmg.proxmox.com/wiki/index.php/Getting_started_with_Proxmox_Mail_Gateway
I also wanted to point out that such an extensive post is better suited in the docu/wiki or at least some github markdown file rather then being split into multiple posts in the forum. I am sure that the Proxmox Team will pin the post advertising the added improvement suggestions if done right and clean.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!