Rules not being applied?

killmasta93

Renowned Member
Aug 13, 2017
Hi,
I was wondering if someone could shed some light on the issue I'm having.
Currently I created rules so that external emails cannot send fake email to my domain,
e.g. synchronization@mydomain.com to cartera@mydomain.com

synchronization@mydomain.com being the fake email.

I created a rule to quarantine emails that are from @mydomain.com.


This is the log snippet for the email:

Code:
Dec 9 13:16:53 mail postfix/smtpd[32053]: connect from cloudgate.m1net.com.sg[203.211.152.60]
Dec 9 13:16:54 mail postfix/smtpd[32053]: Anonymous TLS connection established from cloudgate.m1net.com.sg[203.211.152.60]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec 9 13:16:56 mail postfix/smtpd[32053]: 0BEBC3C138A: client=cloudgate.m1net.com.sg[203.211.152.60]
Dec 9 13:16:56 mail postfix/cleanup[32055]: 0BEBC3C138A: message-id=<3CU6NHBA-HKCY-0HLD-DBA7-XFKWL2AY07RO@[Company]>
Dec 9 13:16:56 mail postfix/cleanup[32055]: 0BEBC3C138A: info: header From: "synchronization@mydomain.com" <synchronization@mydomain.com> from cloudgate.m1net.com.sg[203.211.152.60]; from=<synchronization@mydomain.com> to=<cartera@mydomain.com> proto=ESMTP helo=<cloudgate.m1net.com.sg>
Dec 9 13:16:56 mail postfix/cleanup[32055]: 0BEBC3C138A: info: header To: cartera <cartera@mydomain.com> from cloudgate.m1net.com.sg[203.211.152.60]; from=<synchronization@mydomain.com> to=<cartera@mydomain.com> proto=ESMTP helo=<cloudgate.m1net.com.sg>
Dec 9 13:16:56 mail postfix/cleanup[32055]: 0BEBC3C138A: info: header Subject: =?utf-8?Q?cartera_=E2=80=94_email_service_report?= from cloudgate.m1net.com.sg[203.211.152.60]; from=<synchronization@mydomain.com> to=<cartera@mydomain.com> proto=ESMTP helo=<cloudgate.m1net.com.sg>
Dec 9 13:16:57 mail postfix/qmgr[3871]: 0BEBC3C138A: from=<synchronization@mydomain.com>, size=19456, nrcpt=1 (queue active)
Dec 9 13:16:57 mail pmg-smtp-filter[31674]: 3C148E61B2481949054: new mail message-id=<3CU6NHBA-HKCY-0HLD-DBA7-XFKWL2AY07RO@[Company]>#012
Dec 9 13:16:59 mail pmg-smtp-filter[31674]: 3C148E61B2481949054: SA score=5/5 time=2.589 bayes=0.49 autolearn=no autolearn_force=no hits=AWL(0.001),BAYES_50(0.8),DCC_CHECK(1.1),DCC_REPUT_00_12(-0.4),FSL_BULK_SIG(1.757),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),MIME_HTML_ONLY(0.1),SPF_HELO_PASS(-0.001),SPF_NEUTRAL(0.779),UNICODE_OBFU_ZW(1),URIBL_BLOCKED(0.001)
Dec 9 13:16:59 mail postfix/smtpd[32068]: connect from localhost.localdomain[127.0.0.1]
Dec 9 13:16:59 mail postfix/smtpd[32068]: E90AD3C14AD: client=localhost.localdomain[127.0.0.1], orig_client=cloudgate.m1net.com.sg[203.211.152.60]
Dec 9 13:16:59 mail postfix/cleanup[32055]: E90AD3C14AD: message-id=<3CU6NHBA-HKCY-0HLD-DBA7-XFKWL2AY07RO@[Company]>
Dec 9 13:17:00 mail postfix/qmgr[3871]: E90AD3C14AD: from=<synchronization@mydomain.com>, size=19663, nrcpt=1 (queue active)
Dec 9 13:17:00 mail postfix/smtpd[32068]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Dec 9 13:17:00 mail pmg-smtp-filter[31674]: 3C148E61B2481949054: accept mail to <cartera@mydomain.com> (E90AD3C14AD) (rule: Whitelist)
Dec 9 13:17:00 mail pmg-smtp-filter[31674]: 3C148E61B2481949054: processing time: 2.713 seconds (2.589, 0.047, 0)
Dec 9 13:17:00 mail postfix/lmtp[32056]: 0BEBC3C138A: to=<cartera@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.7, delays=1.9/0/0/2.7, dsn=2.5.0, status=sent (250 2.5.0 OK (3C148E61B2481949054))
Dec 9 13:17:00 mail postfix/qmgr[3871]: 0BEBC3C138A: removed
Dec 9 13:17:00 mail postfix/smtp[31898]: E90AD3C14AD: to=<cartera@mydomain.com>, relay=192.168.3.170[192.168.3.170]:27, delay=0.12, delays=0.06/0/0.05/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 115CD3829632)
Dec 9 13:17:00 mail postfix/qmgr[3871]: E90AD3C14AD: removed
Dec 9 13:17:02 mail postfix/smtpd[32053]: disconnect from cloudgate.m1net.com.sg[203.211.152.60] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
 
I assume your fake mail is a who object. A who object only looks at the Return-Path header. Double check your spam mail's Return-Path.
Another option is to use a what object with Match Field on the From header.

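As an added example (not part of this thread and not PMG's own code), here are the two checks the reply above describes, applied in Python to a constructed copy of the headers the original poster pastes further down: the who-object style comparison on the Return-Path domain, and the "Match Field" style comparison on the From header. It also reads the Received-SPF line. "neutral ... Default neutral result due to no mechanism matches" means the domain's SPF record was evaluated to its end without any mechanism matching the sending client and without a `-all` terminator, so SPF by itself does not reject this message; the script therefore flags on the combination "claims @mydomain.com but arrived from a client IP outside the internal networks". PROTECTED_DOMAIN, INTERNAL_NETS, the function names and the second (legitimate external) sample are assumptions for the example.

```python
"""Spoofed-internal-sender check over the headers posted in this thread.

Added example, not PMG code. The first sample is built from the
Return-Path / Received-SPF / From lines shown in the thread; the second
sample, the protected domain and the internal networks are assumptions.
"""
import ipaddress
import re
from email import policy
from email.parser import BytesParser

PROTECTED_DOMAIN = "mydomain.com"
# Assumption: legitimate internal mail only ever originates from these networks.
INTERNAL_NETS = [ipaddress.ip_network("192.168.3.0/24"),
                 ipaddress.ip_network("127.0.0.0/8")]

# Constructed from the headers in the thread (body and most Received lines dropped).
SPOOFED = b"""Return-Path: <synchronization@mydomain.com>
Received-SPF: neutral (mydomain.com: Default neutral result due to no mechanism matches) receiver=mail.mydomain.com; identity=mailfrom; envelope-from="synchronization@mydomain.com"; helo=cloudgate.m1net.com.sg; client-ip=203.211.152.60
From: "synchronization@mydomain.com" <synchronization@mydomain.com>
To: cartera <cartera@mydomain.com>
Subject: cartera email service report

(body omitted)
"""

# Assumed second sample: ordinary external mail that must not be flagged.
LEGIT_EXTERNAL = b"""Return-Path: <alice@example.org>
Received-SPF: pass (example.org: sender matches) receiver=mail.mydomain.com; identity=mailfrom; envelope-from="alice@example.org"; helo=mx.example.org; client-ip=198.51.100.10
From: Alice <alice@example.org>
To: cartera <cartera@mydomain.com>
Subject: hello

(body omitted)
"""


def addr_domain(value):
    """Domain part of the first address in a header value, lowercased ('' if none)."""
    text = str(value or "")
    m = re.search(r"<([^>]+)>", text)
    addr = m.group(1) if m else text.strip()
    return addr.rpartition("@")[2].lower()


def analyse(raw):
    """Return the facts a rule would decide on, plus the spoof verdict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    # Envelope sender as recorded in Return-Path: what a who object compares.
    rp_domain = addr_domain(msg.get("Return-Path"))
    # Header From: what a what object with "Match Field" on From compares.
    from_domain = addr_domain(msg.get("From"))
    spf = str(msg.get("Received-SPF") or "")
    spf_result = spf.split(" ", 1)[0].lower() if spf else "none"
    m = re.search(r"client-ip=([0-9a-fA-F.:]+)", spf)
    client_ip = ipaddress.ip_address(m.group(1)) if m else None
    internal = client_ip is not None and any(client_ip in net for net in INTERNAL_NETS)
    claims_internal = PROTECTED_DOMAIN in (rp_domain, from_domain)
    return {
        "return_path_domain": rp_domain,
        "from_domain": from_domain,
        "who_object_matches": rp_domain == PROTECTED_DOMAIN,
        "from_field_matches": from_domain == PROTECTED_DOMAIN,
        "spf": spf_result,
        "client_ip": str(client_ip) if client_ip else None,
        # Flag: claims the protected domain but did not arrive from an internal client.
        "spoofed_internal": claims_internal and not internal,
    }


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit external", LEGIT_EXTERNAL)):
        r = analyse(raw)
        verdict = "QUARANTINE" if r["spoofed_internal"] else "accept"
        print(f"{name:15} rp={r['return_path_domain']} from={r['from_domain']} "
              f"spf={r['spf']} client={r['client_ip']} -> {verdict}")
```

For the message in this thread both comparisons match @mydomain.com, so the who object on the domain should have matched too; the remaining variable is the rule itself, which is why the reply asks to double check the object. A separate, more durable fix for this class of mail is an SPF record that ends in `-all`, so that a message from a non-listed client evaluates to fail rather than neutral.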
 
Thanks for the reply. The rule was to block any @mydomain.com because internal email does not pass through PMG.
The fake email is @mydomain.com.
 
Still a who object, no matter whether it is an email or a domain, refers to the spam mail's Return-Path header. Does your fake mail object match it?
 
On the return path I get this.
The who object is @mydomain.com.


Code:
Return-Path: <synchronization@mydomain.com>
Received: from mail.mydomain.com (LHLO mail.mydomain.com)
 (192.168.3.170) by mail.mydomain.com with LMTP; Thu, 9 Dec 2021
 13:17:00 -0500 (COT)
Received: from mail.mydomain.com (unknown [192.168.3.169])
    by mail.mydomain.com (Postfix) with ESMTPS id 115CD3829632
    for <cartera@mydomain.com>; Thu,  9 Dec 2021 13:17:00 -0500 (-05)
Received: from mail.mydomain.com (localhost.localdomain [127.0.0.1])
    by mail.mydomain.com (Proxmox) with ESMTP id E90AD3C14AD
    for <cartera@mydomain.com>; Thu,  9 Dec 2021 13:16:59 -0500 (-05)
Received-SPF: neutral (mydomain.com: Default neutral result due to no mechanism matches) receiver=mail.mydomain.com; identity=mailfrom; envelope-from="synchronization@mydomain.com"; helo=cloudgate.m1net.com.sg; client-ip=203.211.152.60
Received: from cloudgate.m1net.com.sg (cloudgate.m1net.com.sg [203.211.152.60])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mail.mydomain.com (Proxmox) with ESMTPS id 0BEBC3C138A
    for <cartera@mydomain.com>; Thu,  9 Dec 2021 13:16:55 -0500 (-05)
 
Thanks for the reply. Correct, they both have the same domain, but synchronization@mydomain.com is not an email we have; it was a fake email that was sent from cloudgate.m1net.com.sg. What I did was a reboot, and now I saw that it was getting blocked; it seems that the rules were getting blocked.