[SOLVED] A mail filter is not honored

OlivierF

Hello,

I created a rule based on domains and referenced in a 'Who object'. But some emails are not caught by this rule.

This is the object I defined with a list of domains:
1608566178315.png

and I use it in this rule:
1608566192765.png

And this is a mail sample that wasn't caught by the rule (I anonymized the email and replaced my domain that is listed in the 'Who Object' with 'mydomain.fr'):

Code:
Delivered-To: martin.dupont@mydomain.fr
Return-Path:
Received: from SRV1.mydomain.loc (SRV1.mydomain.loc [x.x.x.x])
    by srv5.mydomain.loc (Proxmox) with ESMTP id D35D21605BD
    for <martin.dupont@mydomain.fr>; Sun, 20 Dec 2020 10:00:58 +0100 (CET)
From: Myapp@mydomain.fr
To: Martin DUPONT <martin.dupont@mydomain.fr>
Subject: [Projets] - Nouveau projet
Date: Sun, 20 Dec 2020 10:00:58 +0100
X-MailFwdBy: CN=Martin DUPONT/OU=XXX/O=MYCOMPANY
Auto-Submitted: auto-forwarded
Message-ID: <OFBBE1880E.6830DAF9-ONC1258644.003186ED@tech.mydomain.loc>
MIME-Version: 1.0
Content-type: text/html; charset=ISO-8859-1
Content-Disposition: inline
Content-transfer-encoding: quoted-printable

Most of the emails emitted with a sender in mydomain.fr are caught by this rule, and some of them are not.

Any idea? How to set a debug mode?

Regards.
 
The action in the screenshot of the rule is 'ACCEPT' - should the mail have been accepted?

In any case please post the complete log of the mail (anonymize only what you must, and only in a way that we still understand what's going on)
 
Hi @Stoiko Ivanov, what do you mean by a complete log? I posted all the headers, do you want the content also?

the mail.log - the part of the mail-delivery log for this message - what you get in the Message Tracking Center for that particular mail - there you'll see which rule triggered

The Return-path being empty probably indicates that this message had no envelope-sender (a.k.a. bounce-message) - that would explain the not matching of the who 'From' object - but the log would show that more clearly
 
Here is a new mail sample and trace log:

Code:
Delivered-To: my.recipient@mydomain.fr
Return-Path:
Received: from passv2.mydomain.local (clbcluster.mydomain.local [x.x.x.2])
    by srv5.mydomain.local (Proxmox) with ESMTP id 1FE07161E70
    for <my.recipient@mydomain.fr>; Mon, 21 Dec 2020 15:39:50 +0100 (CET)
From: my.sender@mydomain.fr
Date: Mon, 21 Dec 2020 15:39:48 +0100
Subject: =?ISO-8859-1?Q?Nicorosi_-_locaux?=
To: User X <my.recipient@mydomain.fr>
MIME-Version: 1.0
Message-ID: <OFC1257C05.00570A28-ONC1258645.00508CA3@tech.mydomain.com>
X-MailFwdBy: CN=User X/O=MYORG/C=FR
Auto-Submitted: auto-forwarded

Trace:
Code:
Dec 21 15:39:50 srv5 postfix/smtpd[24480]: connect from clbcluster.mydomain.local[x.x.x.2]
Dec 21 15:39:50 srv5 postfix/smtpd[24480]: 1DA18161E6F: client=clbcluster.mydomain.local[x.x.x.2]
Dec 21 15:39:50 srv5 postfix/smtpd[24480]: 1FE07161E70: client=clbcluster.mydomain.local[x.x.x.2]
Dec 21 15:39:50 srv5 postfix/cleanup[24485]: 1FE07161E70: message-id=<OFC1257C05.00570A28-ONC1258645.00508CA3@tech.mydomain.com>
Dec 21 15:39:50 srv5 postfix/qmgr[10179]: 1FE07161E70: from=<>, size=1409, nrcpt=1 (queue active)
Dec 21 15:39:50 srv5 postfix/smtpd[24480]: disconnect from clbcluster.mydomain.local[x.x.x.2] ehlo=1 mail=2 rcpt=2 data=2 quit=1 commands=8
Dec 21 15:39:50 srv5 pmg-smtp-filter[24567]: 161E725FE0B3B63C377: new mail message-id=<OFC1257C05.00570A28-ONC1258645.00508CA3@tech.mydomain.com>#012
Dec 21 15:40:17 srv5 pmg-smtp-filter[24567]: 161E725FE0B3B63C377: moved mail for <my.recipient@mydomain.fr> to spam quarantine - 161E775FE0B3D16EFBF (rule: Outgoing - Quarantine wrong senders)
Dec 21 15:40:17 srv5 pmg-smtp-filter[24567]: 161E725FE0B3B63C377: processing time: 27.479 seconds (0, 27.156, 0)
Dec 21 15:40:17 srv5 postfix/lmtp[24486]: 1FE07161E70: to=<my.recipient@mydomain.fr>, relay=127.0.0.1[127.0.0.1]:10023, delay=28, delays=0.01/0/0.11/27, dsn=2.5.0, status=sent (250 2.5.0 OK (161E725FE0B3B63C377))
Dec 21 15:40:17 srv5 postfix/qmgr[10179]: 1FE07161E70: removed

It's confusing because there's a 'From' field filled in the header and the trace displays a 'from=<>' in the 5th line!?
 
It's confusing because there's a 'From' field filled in the header and the trace displays a 'from=<>' in the 5th line!?
Yes - it took me quite a while as well to get used to the difference between Envelope-from (a.k.a. Return-Path, a.k.a. bounce-address) and the From header (a.k.a. RFC5322.From)

Both don't need to be equal (and there are many legitimate cases where they are not - e.g. mailing lists)

If you want to block on a From-header address you need to use a 'What Object' - Match Field - Field = 'From', value - a regular expression matching the addresses you want to block/accept

https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmg_mailfilter_what
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmg_mailfilter_regex

I hope this helps!
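
Added example (not part of the original thread and not Proxmox code): the envelope sender from the postfix/qmgr line and the From header of the second sample are checked separately, which shows why a sender-domain test on the envelope misses this mail while a regex on the From header would match it. The regex, the function names and the simplified domain check are assumptions for illustration; the sample data is reduced from the headers and trace posted above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Reduced from the headers and trace posted in this thread (already anonymized).
HEADERS = (
    "Return-Path:\n"
    "From: my.sender@mydomain.fr\n"
    "To: User X <my.recipient@mydomain.fr>\n"
)
QMGR_LINE = (
    "Dec 21 15:39:50 srv5 postfix/qmgr[10179]: 1FE07161E70: "
    "from=<>, size=1409, nrcpt=1 (queue active)"
)

DOMAINS = {"mydomain.fr"}  # placeholder domain used in the thread
# Candidate value for a 'Match Field' What object on the From header.
# Assumption: checked here with Python's re module, not with PMG itself.
FROM_REGEX = re.compile(r"@mydomain\.fr>?\s*$", re.IGNORECASE)


def envelope_sender(qmgr_line):
    """Envelope sender (MAIL FROM) logged by postfix/qmgr; '' is the null sender."""
    m = re.search(r"\bfrom=<([^>]*)>", qmgr_line)
    if m is None:
        raise ValueError("no from=<...> field in log line")
    return m.group(1)


def envelope_domain_matches(qmgr_line, domains=DOMAINS):
    """Simplified stand-in for a sender-domain check made on the envelope sender."""
    domain = envelope_sender(qmgr_line).rpartition("@")[2].lower()
    return domain in domains


def header_from_address(raw_headers):
    """Address part of the RFC5322 From header."""
    return parseaddr(message_from_string(raw_headers)["From"] or "")[1]


def from_header_matches(raw_headers, pattern=FROM_REGEX):
    """True when the From header value matches the candidate regex."""
    return bool(pattern.search(message_from_string(raw_headers)["From"] or ""))


if __name__ == "__main__":
    print("envelope sender :", repr(envelope_sender(QMGR_LINE)))
    print("envelope match  :", envelope_domain_matches(QMGR_LINE))
    print("header From     :", header_from_address(HEADERS))
    print("From regex match:", from_header_matches(HEADERS))
```

The pattern is anchored at the end of the value so that an address such as x@mydomain.fr.other.example does not match.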