[SOLVED] Problem with Regex Filtering

itechniker

Member
Jan 6, 2022
Dear Proxmox experts,

I have a rule active (for quarantining mails) with a bunch of match fields, but two specific match fields are not working: the test button says my regex is okay and working, but the mail isn't filtered out by the rule with these match fields:

match field/s:
Return-Path: .*@[^.]+\.[^.]+\.(si|su)$
From: same as above

Part of Mail-Header (anonymized my data):

Received: from mail.vikliss.azerbaijan.su (mail.vikliss.azerbaijan.su [217.79.191.84])
by xxx (Proxmox) with ESMTP id BA6B5A0E84
for <xxx>; Fri, 15 Sep 2023 04:49:59 +0200 (CEST)
Received: from vikliss.azerbaijan.su (unknown [95.47.161.31])
by mail.vikliss.azerbaijan.su (Postfix) with ESMTPA id CA6C981A31FF;
Fri, 15 Sep 2023 03:12:25 +0300 (EEST)
Message-ID: <06467636F32744242Q41765360J27813521Q@idoztensw>
From: Orgasmus-Garantie <oztensw@vikliss.azerbaijan.su>
To: <info@ambroso.at>
Subject: Dieser Trick garantiert einen Orgasmus
Date: Fri, 15 Sep 2023 03:12:23 +0300
X-SPAM-LEVEL: Spam detection results: 2
BAYES_00 -0.5 Spamwahrscheinlichkeit nach Bayes-Test: 0-1%
DMARC_MISSING 0.1 Missing DMARC policy
HTML_IMAGE_ONLY_08 1.651 =?UTF-8?Q?Au=C3=9Fer=20?=Bildern nur 400-800 Zeichen Text
HTML_IMAGE_RATIO_02 0.5 =?UTF-8?Q?Verh=C3=A4ltnis=20?= =?UTF-8?Q?Bilderfl=C3=A4che=20?=zu Text ist klein
HTML_MESSAGE 0.001 Nachricht =?UTF-8?Q?enth=C3=A4lt=20?=HTML
HTML_SHORT_LINK_IMG_1 1 HTML is very short with a linked image
KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
SPF_PASS -0.001 SPF: Senderechner entspricht SPF-Datensatz
T_TVD_MIME_EPI 0.01 -
URIBL_DBL_BLOCKED_OPENDNS 0.001 ADMINISTRATOR NOTICE: The query to dbl.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/ [at.bellax.ink]
Return-Path: oztensw@vikliss.azerbaijan.su
 
What's the output of `pmgversion -v`?
Anything in the logs when receiving such a mail?
 
> What's the output of `pmgversion -v`?
> Anything in the logs when receiving such a mail?
Can you please tell me which logs I should check?

proxmox-mailgateway: 7.3-2 (API: 7.3-8/d5acb693, running kernel: 5.15.116-1-pve)
pmg-api: 7.3-8
pmg-gui: 3.3-2
pve-kernel-5.15: 7.4-6
pve-kernel-5.13: 7.1-9
pve-kernel-5.15.116-1-pve: 5.15.116-1
pve-kernel-5.15.108-1-pve: 5.15.108-2
pve-kernel-5.15.107-2-pve: 5.15.107-2
pve-kernel-5.15.104-1-pve: 5.15.104-2
pve-kernel-5.15.102-1-pve: 5.15.102-1
pve-kernel-5.13.19-6-pve: 5.13.19-15
pve-kernel-5.13.19-1-pve: 5.13.19-3
clamav-daemon: 0.103.10+dfsg-0+deb11u1
ifupdown2: 3.1.0-1+pmx4
libarchive-perl: 3.4.0-1
libjs-extjs: 7.0.0-1
libjs-framework7: 4.4.7-1
libproxmox-acme-perl: 1.4.4
libproxmox-acme-plugins: 1.4.4
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.4-2
libpve-http-server-perl: 4.2-3
libxdgmime-perl: 1.0-1
lvm2: 2.03.11-2.1
pmg-docs: 7.3-3
pmg-i18n: 2.12-1
pmg-log-tracker: 2.3.2-1
postgresql-13: 13.11-0+deb11u1
proxmox-mini-journalreader: 1.3-1
proxmox-offline-mirror-helper: 0.5.2
proxmox-spamassassin: 4.0.0-2
proxmox-widget-toolkit: 3.7.3
pve-firmware: 3.6-5
pve-xtermjs: 4.16.0-2
zfsutils-linux: 2.1.11-pve1
 
Nothing special:

Sep 15 04:49:59 antispam postfix/postscreen[35477]: CONNECT from [217.79.191.84]:46231 to [xxx]:25
Sep 15 04:49:59 antispam postfix/postscreen[35477]: PASS OLD [217.79.191.84]:46231
Sep 15 04:49:59 antispam postfix/smtpd[35498]: connect from mail.vikliss.azerbaijan.su[217.79.191.84]
Sep 15 04:49:59 antispam pmgpolicy[34964]: SPF says pass
Sep 15 04:49:59 antispam postfix/smtpd[35498]: BA6B5A0E84: client=mail.vikliss.azerbaijan.su[217.79.191.84]
Sep 15 04:49:59 antispam postfix/cleanup[35549]: BA6B5A0E84: message-id=<06467636F32744242Q41765360J27813521Q@idoztensw>
Sep 15 04:49:59 antispam postfix/qmgr[19165]: BA6B5A0E84: from=<oztensw@vikliss.azerbaijan.su>, size=236425, nrcpt=1 (queue active)
Sep 15 04:49:59 antispam postfix/smtpd[35498]: disconnect from mail.vikliss.azerbaijan.su[217.79.191.84] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Sep 15 04:49:59 antispam pmg-smtp-filter[35370]: 2023/09/15-04:49:59 CONNECT TCP Peer: "[127.0.0.1]:56578" Local: "[127.0.0.1]:10024"
Sep 15 04:49:59 antispam pmg-smtp-filter[35370]: 1019366503C657E08F6: new mail message-id=<06467636F32744242Q41765360J27813521Q@idoztensw>
Sep 15 04:50:00 antispam pmg-smtp-filter[35370]: 1019366503C657E08F6: SA score=2/5 time=0.785 bayes=0.00 autolearn=no autolearn_force=no hits=BAYES_00(-0.5),DMARC_MISSING(0.1),HTML_IMAGE_ONLY_08(1.651),HTML_IMAGE_RATIO_02(0.5),HTML_MESSAGE(0.001),HTML_SHORT_LINK_IMG_1(1),KAM_DMARC_STATUS(0.01),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),T_TVD_MIME_EPI(0.01),URIBL_DBL_BLOCKED_OPENDNS(0.001)
Sep 15 04:50:00 antispam postfix/smtpd[35555]: connect from localhost.localdomain[127.0.0.1]
Sep 15 04:50:00 antispam postfix/smtpd[35555]: D1219A0E85: client=localhost.localdomain[127.0.0.1], orig_client=mail.vikliss.azerbaijan.su[217.79.191.84]
Sep 15 04:50:00 antispam postfix/cleanup[35549]: D1219A0E85: message-id=<06467636F32744242Q41765360J27813521Q@idoztensw>
Sep 15 04:50:00 antispam postfix/qmgr[19165]: D1219A0E85: from=<oztensw@vikliss.azerbaijan.su>, size=237611, nrcpt=1 (queue active)
Sep 15 04:50:00 antispam postfix/smtpd[35555]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Sep 15 04:50:00 antispam pmg-smtp-filter[35370]: 1019366503C657E08F6: accept mail to <xxx> (D1219A0E85) (rule: default-accept)
Sep 15 04:50:00 antispam pmg-smtp-filter[35370]: 1019366503C657E08F6: processing time: 0.991 seconds (0.785, 0.084, 0)
Sep 15 04:50:00 antispam postfix/lmtp[35550]: BA6B5A0E84: to=<xxx>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.2, delays=0.17/0/0.04/1, dsn=2.5.0, status=sent (250 2.5.0 OK (1019366503C657E08F6))
Sep 15 04:50:00 antispam postfix/qmgr[19165]: BA6B5A0E84: removed
Sep 15 04:50:01 antispam postfix/smtp[35556]: D1219A0E85: to=<xxx>, relay=xxx:25, delay=0.37, delays=0.06/0/0.05/0.26, dsn=2.6.0, status=sent (250 2.6.0 <06467636F32744242Q41765360J27813521Q@idoztensw> [InternalId=70858370449417, Hostname=xxx] 238879 bytes in 0.130, 1790,860 KB/sec Queued mail for delivery)
Sep 15 04:50:01 antispam postfix/qmgr[19165]: D1219A0E85: removed
 
Solution:

The regex for the From match fields should not end with (su|si)$, because the last character in the From field is a closing angle bracket (>).