[TUTORIAL] Advancing Proxmox Mail Gateway (especially Spam and Virus Detection)

killmasta93

Member
Aug 13, 2017
Quick question: has anyone else seen this error before? Not sure if it's the modification I did on Proxmox or Proxmox itself. I have only one email that does not come in, for which I'm getting this error, but I checked the client email and they do have DMARC.
Code:
5.7.1 rejected by DMARC policy
Code:
Sep 16 14:04:03 mail postfix/cleanup[4617]: 40BCF3C156A: milter-reject: END-OF-MESSAGE from mail-eopbgr820051.outbound.protection.outlook.com[40.107.82.51]: 5.7.1 rejected by DMARC policy for clientemail.com; from=<user@clientemail.com> to=<myemail@mydomain.com> proto=ESMTP helo=<NAM01-SN1-obe.outbound.protection.outlook.com>
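Added example, not code from the post or from PMG: a small Python triage script for Postfix milter-reject log lines in the format shown above. It pulls out the queue id, the connecting client, the domain whose DMARC policy caused the reject and the envelope addresses, then tallies rejects per policy domain and per client, which is the quickest way to see whether a single sender or a single policy domain is behind them. The first sample line is the one posted; the other two are constructed for illustration.

```python
"""Triage Postfix 'milter-reject' lines as logged by cleanup(8).

Added example, not part of the original post or of PMG. Parses the log
format shown in the thread and tallies rejections by the domain whose
DMARC policy triggered them and by the connecting client. Only the first
sample line is from the thread; the other two are constructed.
"""
import re
from collections import Counter

MILTER_REJECT = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/(?P<daemon>\w+)\[\d+\]: "
    r"(?P<queue_id>[0-9A-F]+): milter-reject: (?P<stage>\S+) from "
    r"(?P<client>[^\[\s]+)\[(?P<ip>[^\]]+)\]: (?P<code>\d\.\d\.\d) (?P<reason>[^;]*);"
    r" from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)>"
    r"(?: proto=(?P<proto>\S+))?(?: helo=<(?P<helo>[^>]*)>)?"
)
# The reason text OpenDMARC hands back for a policy reject names the domain.
DMARC_REASON = re.compile(r"rejected by DMARC policy for (?P<policy_domain>\S+)")


def parse_milter_reject(line):
    """Return a dict of fields for a milter-reject line, or None for any other line."""
    m = MILTER_REJECT.search(line)
    if not m:
        return None
    rec = m.groupdict()
    d = DMARC_REASON.search(rec["reason"])
    rec["policy_domain"] = d.group("policy_domain") if d else None
    return rec


def summarize(lines):
    """Count DMARC milter rejects per policy domain and per (client, ip)."""
    by_domain, by_client = Counter(), Counter()
    for line in lines:
        rec = parse_milter_reject(line)
        if rec is None or rec["policy_domain"] is None:
            continue  # not a milter reject, or a milter reject for some other reason
        by_domain[rec["policy_domain"]] += 1
        by_client[(rec["client"], rec["ip"])] += 1
    return by_domain, by_client


SAMPLE_LOG = [
    # Line from the thread, as posted.
    "Sep 16 14:04:03 mail postfix/cleanup[4617]: 40BCF3C156A: milter-reject: END-OF-MESSAGE "
    "from mail-eopbgr820051.outbound.protection.outlook.com[40.107.82.51]: 5.7.1 rejected by "
    "DMARC policy for clientemail.com; from=<user@clientemail.com> to=<myemail@mydomain.com> "
    "proto=ESMTP helo=<NAM01-SN1-obe.outbound.protection.outlook.com>",
    # Constructed: a second message from the same relay hitting the same policy.
    "Sep 16 14:10:41 mail postfix/cleanup[4617]: 7A0C13C1580: milter-reject: END-OF-MESSAGE "
    "from mail-eopbgr820051.outbound.protection.outlook.com[40.107.82.51]: 5.7.1 rejected by "
    "DMARC policy for clientemail.com; from=<other@clientemail.com> to=<myemail@mydomain.com> "
    "proto=ESMTP helo=<NAM01-SN1-obe.outbound.protection.outlook.com>",
    # Constructed: an smtpd DNSBL reject, which is not a milter reject and must be ignored.
    "Sep 16 14:12:02 mail postfix/smtpd[4702]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: "
    "554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using dnsbl.example.org; "
    "from=<x@example.net> to=<myemail@mydomain.com> proto=ESMTP helo=<example.net>",
]

if __name__ == "__main__":
    by_domain, by_client = summarize(SAMPLE_LOG)
    for domain, n in by_domain.most_common():
        print(f"{n:4d}  policy domain {domain}")
    for (client, ip), n in by_client.most_common():
        print(f"{n:4d}  client {client} [{ip}]")
```

Run it against `grep milter-reject /var/log/mail.log` output instead of SAMPLE_LOG to see the real distribution; a single policy domain with many hits from one Office 365 relay is the pattern this thread turned out to be about.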
 

heutger

Active Member
Apr 25, 2018
Fulda, Hessen, Germany
www.heutger.net
Unsure in which direction, but as DMARC is not implemented in PMG yet, I believe it's not coming from PMG.
 

killmasta93

Thanks for the quick reply, but it's odd, because this is the error that PMG is giving me:
Code:
Sep 16 14:04:03 mail postfix/cleanup[4617]: 40BCF3C156A: milter-reject: END-OF-MESSAGE from mail-eopbgr820051.outbound.protection.outlook.com[40.107.82.51]: 5.7.1 rejected by DMARC policy for clientemail.com; from=<user@clientemail.com> to=<myemail@mydomain.com> proto=ESMTP helo=<NAM01-SN1-obe.outbound.protection.outlook.com>
 

heutger

milter-reject screams for an individual adjustment, as PMG doesn't use milters by default. I use milter with spamass-milter, and I saw some DKIM tutorials here also using milter. DKIM and DMARC are close together, so it looks like you raised a DMARC reject based on a DMARC policy for the first time. (DMARC is not as widespread as it's promoted; DKIM has big problems with the lack of controlled key sizes, algorithms etc.; OpenDMARC also seems to have an unpatched vulnerability. All in all, DMARC isn't worth what it gets promoted for.)
 

killmasta93

Thanks for the reply. So how would I temporarily disable this? This is the first time this is happening. I did set up DKIM for outbound, but I'm not sure why it's affecting inbound?

Thank you
 

Stoiko Ivanov

Proxmox Staff Member
May 2, 2018
I did put the dkim to go outbound but not sure why its affecting in the inbound?
Just to be sure, check for a running process matching dmarc (e.g. opendmarc is a popular milter for DMARC): ps auxwf | grep -i dmarc
 

heutger

How do you prevent DKIM from being invoked for inbound? As I remember from my rspamd tests, you need a special version of Postfix to be able to control when the milter is called; otherwise, once integrated, it's called for inbound as well as outbound, although you see the benefits outbound only.
 

killmasta93

Thanks for the reply. I finally figured it out after lots of reading, so this is what happened, in case anyone else has this issue. It applies ONLY if they have OpenDMARC on PMG (which does not come by default; I installed it together with OpenDKIM to send outbound emails through PMG).

The client had a DMARC record (it's a government domain, I know, so sad):
Code:
dig +short txt _dmarc.dian.gov.co
"v=DMARC1; p=reject;  rua=mailto:seguridadinfo@dian.gov.co"
So they had p=reject, meaning that if someone tries to send email which does not come from their IP and the receiving side checks DMARC, it will be rejected. Here is the worst part, their MX record:

Code:
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;dian.gov.co.            IN    MX

;; ANSWER SECTION:
dian.gov.co.        71312    IN    MX    10 mailgw.dian.gov.co.

;; ADDITIONAL SECTION:
mailgw.dian.gov.co.    71312    IN    A    190.144.206.25
And this is the best part: they send their email through Exchange:
Code:
: disconnect from mail-eopbgr690079.outbound.protection.outlook.com[40.107.69.79] ehlo=2 starttls=1 mail=1 rcpt=1 data=0/1 quit=1 commands=6/7
I told them something is wrong and they said that this has never happened to them. The only way I fixed this was in
Code:
nano /etc/opendmarc.conf
where I removed
Code:
RejectFailures true
and rebooted.

Hope this helps someone else.
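Added example, not code from the post, from PMG or from OpenDMARC: a Python model of the decision a DMARC milter makes once SPF and DKIM have been evaluated, applied to the dian.gov.co record posted above. It parses the _dmarc TXT record, tests identifier alignment against the From: domain (relaxed vs strict), and maps the published policy together with OpenDMARC's RejectFailures switch to an SMTP disposition. The MX record plays no part in this; DMARC only consults SPF and DKIM. The SPF and DKIM inputs are constructed to match the symptoms in the thread (mail relayed through Office 365 whose SPF check does not authorize the relay and whose DKIM signature is for a non-aligned tenant domain); the onmicrosoft.com tenant name is a placeholder, not a captured value.

```python
"""DMARC evaluation (RFC 7489 section 6.6) for the case in this thread.

Added example; not code from the post, from PMG or from OpenDMARC.
The DMARC record is the one posted for dian.gov.co. The SPF/DKIM results
are constructed to reproduce the symptom; the tenant domain used for the
DKIM d= value is a placeholder.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthResult:
    result: str   # "pass", "fail", "none", "temperror", ...
    domain: str   # domain the result was obtained for (RFC5321.MailFrom or DKIM d=)


# Enough two-label public suffixes for this example; a real verifier uses the
# full Public Suffix List to find the organizational domain.
TWO_LABEL_SUFFIXES = {"gov.co", "com.co", "co.uk", "gov.uk", "com.au"}


def parse_dmarc(record: str) -> dict:
    """Parse a 'v=DMARC1; p=...' TXT record (dig quoting tolerated) into tags,
    filling in the RFC defaults for alignment modes and pct."""
    tags = {}
    for part in record.strip().strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % record)
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts any
    domain under the same organizational domain."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate_dmarc(record: str, from_domain: str, spf: AuthResult, dkim: AuthResult):
    """Return (dmarc_result, policy, details). DMARC passes if SPF or DKIM
    passed AND that identifier aligns with the From: domain."""
    tags = parse_dmarc(record)
    spf_aligned = spf.result == "pass" and aligned(from_domain, spf.domain, tags["aspf"])
    dkim_aligned = dkim.result == "pass" and aligned(from_domain, dkim.domain, tags["adkim"])
    result = "pass" if (spf_aligned or dkim_aligned) else "fail"
    return result, tags["p"], {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned}


def disposition(dmarc_result: str, policy: str, reject_failures: bool = True) -> str:
    """SMTP-level outcome. reject_failures mirrors OpenDMARC's RejectFailures
    option: with it off, a p=reject failure is still accepted and only gets an
    Authentication-Results header (the workaround chosen in the post)."""
    if dmarc_result == "pass" or policy == "none":
        return "accept"
    if policy == "quarantine":
        return "quarantine"
    return "reject" if reject_failures else "accept"


DIAN_RECORD = '"v=DMARC1; p=reject;  rua=mailto:seguridadinfo@dian.gov.co"'  # as posted


def thread_scenarios() -> dict:
    """The failing case from the thread and the ways out of it."""
    from_domain = "dian.gov.co"
    # Constructed: SPF evaluated for dian.gov.co does not list the Office 365
    # relay; DKIM is a tenant-default signature whose d= (placeholder) does not align.
    spf_fail = AuthResult("fail", "dian.gov.co")
    dkim_tenant = AuthResult("pass", "dian.onmicrosoft.com")
    # Constructed sender-side fixes: SPF updated to include the relay, or DKIM
    # signing enabled for the customer domain itself.
    spf_pass = AuthResult("pass", "dian.gov.co")
    dkim_own = AuthResult("pass", "dian.gov.co")

    broken = evaluate_dmarc(DIAN_RECORD, from_domain, spf_fail, dkim_tenant)
    spf_fixed = evaluate_dmarc(DIAN_RECORD, from_domain, spf_pass, dkim_tenant)
    dkim_fixed = evaluate_dmarc(DIAN_RECORD, from_domain, spf_fail, dkim_own)
    return {
        "as_seen": disposition(broken[0], broken[1]),                     # reject
        "receiver_workaround": disposition(broken[0], broken[1], False),  # accept
        "sender_fixes_spf": disposition(spf_fixed[0], spf_fixed[1]),      # accept
        "sender_fixes_dkim": disposition(dkim_fixed[0], dkim_fixed[1]),   # accept
    }
```

The receiver-side workaround (RejectFailures off) accepts everything that fails DMARC, including spoofed mail for domains whose owners deliberately published p=reject; the proper fix is on the sender side, either an SPF record that includes the relay or DKIM signing with an aligned d= domain, and either one alone is enough for DMARC to pass.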
 

heutger

And that they never got this problem shows again that DMARC is nicely promoted but somehow not used at all. They also seem to have an SPF record (so don't follow your "worst" or "best" part: they would have to add their Office 365 usage to the SPF policy and enable DMARC there, if that hasn't been done already), but forgot about it. That's not the exception, it's the rule. On my commercial installation SPF is therefore still off (I just play around with it on my private installation), because when I look at the tracking center for spf_fail I still see which mail would have been rejected, and it's terrible. Besides forgetting to adjust SPF records, problems also arise with forums (like this one), mailing lists (like the Proxmox developer list) etc.; they usually show up in the DMARC reports I activated.
 

killmasta93

Very correct. So sad that people don't use the correct settings, which means that people who want to use it cannot. So far this is the first case I have ever seen; usually people may have a wrong DMARC record, but with p=none, which has no effect. The p=reject really killed it for them, along with having the wrong MX record too.
 

heutger

They often don't make wrong settings, they just forget about what they set and don't update it. The reason is that it usually never happens that these mistakes cause any problems, because the technique has so many obstacles that it isn't widely adopted. SPF fails on any forwarding, mailing list or group mailing system (e.g. Google Groups!), DKIM the same, and finally, because of both, DMARC fails as well. SRS is not widely adopted, and instead of solving such problems with DKIM or lately DMARC, the same problems arise again and they try to solve them with another new technology called ARC.

p=none, however, is somehow completely useless DMARC (it is also recognized by many rating sites, which test your settings, as "disabled" DMARC), so as you don't enforce anything, it makes no sense at all. It's like ending an SPF record with an allowance that everyone else can also send; that makes no sense at all. The minimum for both should be to flag as softfail or to get the mails quarantined with p=quarantine.
 

killmasta93

Not sure if anyone else has had this issue before on PMG version 5.2.1 with clamav-unofficial-sigs.
These were the steps I took:
Code:
cd /tmp
wget https://github.com/extremeshok/clamav-unofficial-sigs/archive/master.zip
unzip master.zip
cp -r clamav-unofficial-sigs-master/clamav-unofficial-sigs.sh /usr/local/sbin/
chmod 755 /usr/local/sbin/clamav-unofficial-sigs.sh
mkdir /etc/clamav-unofficial-sigs
cp clamav-unofficial-sigs-master/config/* /etc/clamav-unofficial-sigs/
mkdir /var/log/clamav-unofficial-sigs
cd /etc/clamav-unofficial-sigs
cat /etc/*release*
mv os.debian9.conf os.conf
but I'm getting an email alert with this error:
Code:
/usr/local/sbin/clamav-unofficial-sigs.sh: line 2828: /var/lib/clamav-unofficial-sigs/test/malwarepatrol.db: No such file or directory
LibClamAV Error: cl_load(): No such file or directory: /var/lib/clamav-unofficial-sigs/test/malwarepatrol.db
ERROR: Can't get file status
/usr/local/sbin/clamav-unofficial-sigs.sh: line 2835: /var/lib/clamav-unofficial-sigs/test/malwarepatrol.db-tmp: No such file or directory
mv: cannot stat '/var/lib/clamav-unofficial-sigs/test/malwarepatrol.db-tmp': No such file or directory
The only error when running the commands above is the last part, the mv of os.debian9.conf.
And the tutorial says

Code:
cp clamav-unofficial-sigs-master/clamav-unofficial-sigs.sh /usr/local/sbin/
but it seems that it needed cp -r. Not sure what the issue could be.

Thank you again
 

swarnat

New Member
Hi guys... does this work on PMG 6.0 too?
I updated our cluster yesterday. It works like a charm with the help of the update documentation: first the master, then the slave.

About DMARC:
We also do not check DMARC on our mail server. But I configure it for our domains to get reports about SPF/DKIM failures.

But we do check and apply hard SPF rejects, because the sender configured it that way. So far I have only had 2 cases where a hard reject resulted in a wrong reject. But that was human error and was fixed within minutes after a mail to postmaster.
Most admins configure the ~all catch-all, which only results in a bad spam rating.
We inform our clients about that, so they can decide to use another mail provider. Most major mailing lists are listed in whitelists and do everything against bad spam ratings. So this isn't a problem in combination with some major DNSBLs.

Didn't test it yet. As I would like to improve the documentation as well as clean up my system instead of upgrading, I will test in the next days.
If you need help/time, I can invest some time. Probably @DerDanilo can help us with Ansible. I just started to understand this deployment method, because it looks powerful. So we can give something more than money to improve Proxmox Mail Gateway and hopefully get a mail archive some day. ^^
 
