Adoption of SpamAssassin improvements?

heutger

Famous Member
Apr 25, 2018
893
259
108
Fulda, Hessen, Germany
www.heutger.net
I currently try a new approach of optimizing PMG but keep update-safe. That result in less adjustments, asking for the most important adjustments to be implemented to the core product (as feature requests in bugzilla) and negotiate the final result of additional adjustments. So therefore I have an open question for PMG development and improvement:

As the product is somehow based on SpamAssassin, which gets updated from time to time, do you also adopt/consider/check the new features/plugins being released with the update? I recently tried and activated them by myself like HashBL, FROMNAME, URI_PHISHING and many more, they were not enabled with the PMG/Debian update of SpamAssassin, also often the vxxx.pre.in files for SpamAssassin kept versions behind, so my question is, do you consider such issues, do you consider with delay on next PMG releases or how do you handle such features?
 
Last edited:
  • Like
Reactions: poetry
Let's see what proxmox staff will say. In my opinion it looks like they decided to keep the feature and new implementations low and instead focus on implementing core upgrades like kernel ect like you see in the https://pmg.proxmox.com/wiki/index.php/Roadmap#Roadmap

Adding new features always requires a lot of resources and will make your product more complex and harder to develop in the future if every enhancement is not implemented really well. You also need to take time to validate any core changes to the product or you will have a lot of issues this also takes a lot of time and effort to do well... I don't know how big the core proxmox mail gateway team is but it does not look very big. To me it looks like PVE is the main focus for proxmox and they focus their work there more than on mail gateway.

As every company you are limited by your resources how much it's available for some product and how skilled are your employees. If you want to make a real change to the product you should try to join the company and try to make the changes from inside it's much harder to do that from outside. I also don't know how many subscriptions does pmg have and if it's enough to cover the development of it to me it looks like they make it easy for people to use without subscription if you don't care about regular upgrades you can run with it they could also change this. With more subscription's you can get maybe enough to add some additional developer to the team that could focus on implementing new features. Good developers are hard to come by and will cost a lot.

I have the same thought as you trying to keep my configuration as simple as possible but this is just not possible in some cases if you want to offer good mail filtering services to the companies you are supporting. PMG requires a lot of modifications as default configuration will not be very effective for filtering I am guessing by reading the forums the team decided this route because a lot of inexperienced users use pmg and if they make it more aggressive by default it will be even harder to use for new people.

We used to have before 2 barracuda virtual machines was super easy to upgrade and worked well out of the box (primarily just 1 in use another in standby) for filtering all email incoming and outgoing now we have 3 server for incoming (main pmg, eset icap, quarantine proxy) for outgoing 4 (proxy, primary pmg , secondary pmg (dkim singing), standby) that are highly customized because pmg does not support authentication so it's much harder to upgrade. Also no filtering for outgoing... I was not the one to configure most of this but if I was and I understood the limitations of pmg at the time I would not select this product for our use case it's just does not make sense. It's not a multi tenant solution and will require a lot of customization to make it work well. If you are using it for one company only and have someone who is willing to work with it then you can use it no problem. GFI MailEssentials looks much better for multi tenant use we might even switch as they want to give us NFR license if we use it so we will see.

This was a bit off topic but just so you get an idea I think we are losing money by using pmg as it requires so much time and effort daily to keep the mail filtering at high level (even with manual adjustments still many phishing mails will go pass filtering) and to keep all the systems up to date with all the modifications we want but that is mostly a problem with us selecting a product that is not appropriate for our environment just because it looked like a "free" solution but if you look in more detail you will find the hidden costs like with everything. I had a hard time convincing my boss to cover even the basic community subscription because they want everything "free" without understanding true costs with every solution.
 
Last edited:
  • Like
Reactions: hoanv9 and itNGO
Thanks for your response. I recently authored the thread Advancing Proxmox Mail Gateway. It took many time to get there and I also monitored the forum and responded to many posts. However, my private situation changed since then and I step down from maintaining. In my company (which I'm out of primary business, I own it and do consulting and training, but that's enough for me) they plan to move from PMG to Sophos UTM filtering. Private I tried many options (which should be somehow cheap as it's only for private use and my HostedExchange provider offer already an anti spam solution, but for my needs it's not filtering as expected), so I decided to continue to use Proxmox Mail Gateway. But as last time I took many effort to adjust, which prevent me from upgrading for months, I now don't want to change too much any more. Low adjustments are fine, I know e.g. ESVA and similar solutions with too much and hard adjustments, so I prefer Proxmox approach, but sure, good options should be considered and SpamAssassin is improved for reason, so they also take time to release. It's not really high volume. Would be interested on your adjustments. I just now filed my most important ones as feature requests.
 
I was hoping to see some response from proxmox staff on this issue. We all try to do our best we can do with mail filtering with all limitations in place. Higher pace with implementation of new rulesets of SpamAssassin would be helpful to get better phishing and spam detection. About sharing my modifications when I have some time I will have to take a few hours (maybe more) and do a thread with an overview of all the small modifications and learnings I acquired using pmg I am almost at the end of implementing all the changes I have done now with mail quarantine. Depending on your requirements configuration with or without quarantine can be a lot different. My installation is mostly standard with a few templates. I have tried to use as much as possible of standard features that pmg offers. I have some custom scores for SpamAssassin (mostly just higher spam score for existing rules) that work well for my environment. Implementing virus scanning via ICAP with ESET is extremely good I haven't seen any virus going pass the mail filter since implementing this my clients and administrators also confirmed this. I just hope it does not break because it's an unofficial implementation and was really hoping for some official implementation. I just haven't had time to update my thread here https://forum.proxmox.com/threads/o...inux-integration-with-pmg.116858/#post-509574 to help with that. It's in my work queue when I finish some other very hard projects. I am quite satisfied with how things are working right now but we will see after the holidays when everyone is back in the office how many complains I get from clients.
 
Last edited:
This is all very interesting. I wish there were a way to connect alternative scanning methods easily in the GUI. Especially being able to connect an external scanner via ICAP would be valuable. There are many engines that support ICAP. I noticed that OPSWAT even has a MetaDefender ICAP server. I read through the documentation for IRMA, but it doesn't act as an ICAP server itself. It can only reach out to an ICAP server.

https://www.opswat.com/products/metadefender/icap

https://irma.readthedocs.io/_/downloads/en/latest/pdf/
 
As the product is somehow based on SpamAssassin, which gets updated from time to time, do you also adopt/consider/check the new features/plugins being released with the update?
Yes - we look through the release notes of spamassassin and consider new additions - sometimes we add them directly - sometimes we test them internally and decide that they probably cause more false positives then help - and sometimes we wait and see if someone in the community has good results by enabling them - usually one or another member of the community is quite eager in reporting that a new feature is available - which is great - but quite often the actual field tests don't seem to result in much better detection rates
(and we try not to enable more things in SpamAssassin if they don't help on average)


If you run into a feature you'd like to test - open a thread here and ask if someone has tried it - and/or enable it locally - gather some data about how it performs (e.g. quantitative numbers - especially for false positives, and sample spam that got detected due to that feature) - and add that information to the thread

I hope this helps!
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!