[TUTORIAL] Advancing Proxmox Mail Gateway (especially Spam and Virus Detection)

Discussion in 'Mail Gateway: Installation and configuration' started by heutger, May 29, 2018.

  1. heutger

    heutger Active Member

    Joined:
    Apr 25, 2018
    Messages:
    570
    Likes Received:
    142
    I believe you could forget about free antivirus options. Free antivirus besides ClamAV is usually for private/personal use only and usually includes software to be used on personal desktop computers and not on servers or to be invoked by CLI or API calls. However, licenses for "appliance" usage are often different, so there may be attractive options. Recent versions of PMG already e.g. included Avira, which I believe is one of the best options, but with open-sourcing PMG, Avira is not included any more. Maybe in future subscriptions it will get an option again (hopefully). Besides Avira I would like to see Sophos, however Sophos is already used for endpoint protection, so it would make sense to use another vendor. Avast had bad publicity in the past, I would not prefer to use that, however, it's the only alternative available currently, and it also needs to be licensed.
     
    killmasta93 likes this.
  2. heutger

    heutger Active Member

    Yes, the script requires IMAP. However, I will test and provide scripts for POP3 as well; these mailboxes then need to be only ham and spam mailboxes, so they then get emptied by the script.
     
    killmasta93 likes this.
  3. killmasta93

    killmasta93 Member

    Joined:
    Aug 13, 2017
    Messages:
    415
    Likes Received:
    15
    Thanks for the reply, let me know how it goes with the POP3. If you need any help, let me know, as I have many users who use POP3 rather than IMAP.
     
  4. karnz

    karnz Member

    Joined:
    Nov 23, 2015
    Messages:
    34
    Likes Received:
    0
    After setting everything up and running it for more than a week, Bayes is still not working for all messages.

    There is no error in the log. Where should I look for this?
     
  5. heutger

    heutger Active Member

    Try to run `sa-learn --dump magic` and look for the rows nspam and nham. If any of the counts has not reached 200, Bayes will not start to tag. From my experience, ham will reach 200 very easily, but spam will take months to reach 200 via autolearn (as autolearn is always very conservative, as it's an automatism), so to reach the 200 spam mails limit, you should train spam yourself via `sa-learn --spam FILENAME`.
     
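The check described in the post above, as an added example that is not part of the original thread: a shell function that reads `sa-learn --dump magic` output on stdin and reports whether nspam and nham have both reached 200. The function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether Bayes has enough
# trained messages to start scoring, using the 200-message minimum
# mentioned in the post for both the nspam and nham counters.
MIN=200

# Reads `sa-learn --dump magic` output on stdin.
# Prints "nspam=<n> nham=<n> <status>"; returns 0 only when both reach MIN,
# 1 when training is still needed, 2 when the rows are missing.
bayes_status() {
    awk -v min="$MIN" '
        # Rows look like: 0.000  0  <count>  0  non-token data: nspam
        $NF == "nspam" { nspam = $3 + 0; seen_spam = 1 }
        $NF == "nham"  { nham  = $3 + 0; seen_ham  = 1 }
        END {
            if (!seen_spam || !seen_ham) {
                print "error: nspam/nham rows not found"
                exit 2
            }
            status = "ready"
            if (nspam < min && nham < min) status = "need-spam-and-ham"
            else if (nspam < min)          status = "need-spam"
            else if (nham < min)           status = "need-ham"
            printf "nspam=%d nham=%d %s\n", nspam, nham, status
            exit (status == "ready" ? 0 : 1)
        }'
}

# Constructed sample of the dump output (values invented for the demo).
sample_dump() {
    cat <<'EOF'
0.000          0          3          0  non-token data: bayes db version
0.000          0         37          0  non-token data: nspam
0.000          0       1412          0  non-token data: nham
0.000          0     118230          0  non-token data: ntokens
EOF
}

# Demo on the constructed sample; on a real system run:
#   sa-learn --dump magic | bayes_status
sample_dump | bayes_status || true
```

A status of `need-spam` matches the situation described in the post, where ham has passed the minimum through autolearn but spam still has to be trained manually with `sa-learn --spam`.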
  6. IEM

    IEM Member

    Joined:
    Sep 4, 2018
    Messages:
    35
    Likes Received:
    4
    I wonder, why couldn't you just use `/root/.spamassassin` as the input for spamass-milter directly?
     
  7. heutger

    heutger Active Member

    Maybe you can assist, but I'm afraid, and believe, that using the same folder would result in damaging the AWL and Bayes data, as all mails will pass them twice, once via the milter and a second time via pmg-smtp-filter. So I decided to have timed syncs.
     
  8. karnz

    karnz Member

    Hi Heutger,
    Thanks for your advice. Now Bayes has a score for each message, but some are zero. Not sure it's correct. Will see the incoming SPAM result over the next few days.

    Another question:
    Have you ever installed BitDefender with PMG?
    I once used it with Amavis, but PMG didn't use it.
     
  9. heutger

    heutger Active Member

    Hi,

    Looks fine. No, I didn't. As for antivirus, ClamAV with the adjustments I made looks fine and is working well. Otherwise I would welcome Avira as it's very reliable (and already was integrated with PMG in earlier days). Sophos I would also welcome, however, as we already use it as endpoint and firewall protection, I would welcome something different.

    Regards,
    Christian
     
  10. tom

    tom Proxmox Staff Member
    Staff Member

    Joined:
    Aug 29, 2006
    Messages:
    13,469
    Likes Received:
    395
  11. heutger

    heutger Active Member

    Sad to hear, but it's an explanation of why Avira is not included any more. Avast I really dislike, they have no good reputation (see the CCleaner disaster).
     
  12. tom

    tom Proxmox Staff Member
    Staff Member

    Based on our tests, Avast is fast and reliable and quite affordable too.
     
  13. Davide Bozzelli

    Joined:
    Feb 6, 2018
    Messages:
    76
    Likes Received:
    4
    The event you are referring to seems not to be correlated directly to Avast.
    From what I've seen on desktop PCs, Avast is on par with other AV (Kaspersky, Trend Micro, etc.) and in some cases its features are superior.
     
  14. DerDanilo

    DerDanilo Member
    Proxmox Subscriber

    Joined:
    Jan 21, 2017
    Messages:
    255
    Likes Received:
    23
    Would you mind pushing your improvements into a git repo, adding a readme file that explains what to do, but references config files and scripts rather than containing them inline?
    I am willing to assist in cleaning it up and even publishing it in my GitHub repos, mentioning that it originated from this forum post.

    What do you think?
     
  15. karnz

    karnz Member

    I updated to the latest PMG 5.1 last night and then got the Cron e-mail below.
    Not sure whether it comes from PMG directly or from this added script. Anyway, the SA version showing in the GUI is already the updated version from about six hours ago, and there is no new fresh update.

     
  16. heutger

    heutger Active Member

    Hmm, Kaspersky also has its own bad news, and Trend Micro as well in the past, so Avast is then in the same environment. However, I prefer solutions like Avira; if it's not available, I will stay with ClamAV and the additional signatures.
     
  17. heutger

    heutger Active Member

    You're welcome to do that.
     
    #37 heutger, Oct 10, 2018
    Last edited: Oct 23, 2018
  18. heutger

    heutger Active Member

    It comes from my sa-update script, and I also have the same behavior currently.

    Update: Configuration above updated. Two of the lists had issues not signing with SHA-2 (256 or 512 bit) as required by SpamAssassin 3.4.2, which has been updated by PMG 5.1; they have solved the issues now. sought.rules.yerp.org seems to be gone, I will remove it now.
     
    #38 heutger, Oct 10, 2018
    Last edited: Oct 23, 2018
    bhueske and karnz like this.
  19. heutger

    heutger Active Member

    Updates, which I won't change in the configuration above so as not to confuse readers:

    Adjust milter reject on private installation to 5, so no spam tagging any more; all mails reaching score 5 will directly be rejected. Works well for months now (thanks to Bayes). My commercial test installation I'm still working on, and therefore I stay at 10 there.

    Additionally, I need to disable SPF on my private installation as well after increasing false-positives. My conclusion for now: SPF isn't really working. Sad, but true.
     
    #39 heutger, Oct 23, 2018
    Last edited: Oct 24, 2018
  20. heutger

    heutger Active Member

    Here comes something new:

    Adding email blocklist (EBL on msbl.org) introduced by SpamAssassin 3.4.2. Steps performed:

    Code:
    vi /etc/mail/spamassassin/v342.pre
    vi /etc/mail/spamassassin/custom.cf

    /etc/mail/spamassassin/v342.pre (uncommenting HashBL):
    Code:
    # This is the right place to customize your installation of SpamAssassin.
    #
    # See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
    # tweaked.
    #
    # This file was installed during the installation of SpamAssassin 3.4.1,
    # and contains plugin loading commands for the new plugins added in that
    # release.  It will not be overwritten during future SpamAssassin installs,
    # so you can modify it to enable some disabled-by-default plugins below,
    # if you so wish.
    #
    # There are now multiple files read to enable plugins in the
    # /etc/mail/spamassassin directory; previously only one, "init.pre" was
    # read.  Now both "init.pre", "v310.pre", and any other files ending in
    # ".pre" will be read.  As future releases are made, new plugins will be
    # added to new files, named according to the release they're added in.
    ###########################################################################
    
    # HashBL - Use EBL email blocklist
    loadplugin Mail::SpamAssassin::Plugin::HashBL
    
    # ResourceLimits - assure your spamd child processes
    # do not exceed specified CPU or memory limit
    # loadplugin Mail::SpamAssassin::Plugin::ResourceLimits
    
    
    # FromNameSpoof - help stop spam that tries to spoof other domains using
    # the from name
    # loadplugin Mail::SpamAssassin::Plugin::FromNameSpoof
    
    # Phishing - finds uris used in phishing campaigns detected by
    # OpenPhish or PhishTank feeds.
    # loadplugin Mail::SpamAssassin::Plugin::Phishing
    
    # allow URI rules to look at DKIM headers if they exist
    parse_dkim_uris 1

    Adding the following lines to the bottom of /etc/mail/spamassassin/custom.cf:
    Code:
    
    ifplugin Mail::SpamAssassin::Plugin::HashBL
    header HASHBL_EMAIL eval:check_hashbl_emails('ebl.msbl.org')
    describe HASHBL_EMAIL Message contains email address found on EBL
    score HASHBL_EMAIL 1.0
    endif
     
    #40 heutger, Oct 24, 2018
    Last edited: Nov 12, 2018