[TUTORIAL] Advancing Proxmox Mail Gateway (especially Spam and Virus Detection)

heutger

Well-Known Member
Apr 25, 2018
821
216
48
Fulda, Hessen, Germany
www.heutger.net
Gotcha, did not know. So far it's been great; I would hope one day to incorporate the free Bitdefender Antivirus.
I believe you could forget about free antivirus options. Free antivirus besides ClamAV is usually for private/personal use only and usually includes software to be used on personal desktop computers and not on servers or to be invoked by CLI or API calls. However, licenses for "appliance" usage are often different, so there may be attractive options. Recent versions of PMG already e.g. included Avira, which I believe is one of the best options, but with open-sourcing PMG, Avira is not included any more. Maybe in future subscriptions it will become an option again (hopefully). Besides Avira I would like to see Sophos; however, Sophos is already used for endpoint protection, so it would make sense to use another vendor. Avast had bad publicity in the past, so I would prefer not to use it; however, it's the only alternative available currently, and it also needs to be licensed.
 

killmasta93

Active Member
Aug 13, 2017
694
36
33
26
Yes, the script requires IMAP. However, I will test and provide scripts for POP3 as well; these mailboxes then need only to be ham and spam mailboxes, so they then get emptied by the script.
Thanks for the reply. Let me know how it goes with POP3; if you need any help, let me know, as I have many users who use POP3 rather than IMAP.
 

karnz

Active Member
Nov 23, 2015
51
2
28
After setting everything up and running for more than a week, Bayes is still not working for all messages.

pmg-smtp-filter[166654]: 419DC5B86853B5F533: SA score=3/5 time=1.438 bayes=undefined autolearn=no autolearn_force=no hits=AWL,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FORGED_HOTMAIL_RCVD2,FREEMAIL_FROM,HTML_MESSAGE,MIME_HTML_MOSTLY,PYZOR_CHECK,RCVD_IN_DNSWL_NONE,SPF_HELO_PASS,SPF_PASS
There isn't any error in the log. Where should I look for this?
 

heutger

Try to run sa-learn --dump magic and look for the rows nspam and nham. If any of the counts has not reached 200, Bayes will not start to tag. From my experience, ham will reach 200 very easily, but spam will take months to reach 200 via autolearn (as autolearn is always very conservative, as it's an automatism), so to reach the 200 spam mails limit, you should train spam yourself via sa-learn --spam FILENAME
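
As an added example (not part of the original post, and not Proxmox or SpamAssassin code), the check described above can be scripted. The function names and both samples are constructed for illustration; 200 is the threshold named in the post.

```shell
#!/bin/sh
# Added example: check the Bayes learning counters against the 200-message minimum.
BAYES_MIN=200   # threshold named in the post; SpamAssassin's default minimum

# Constructed sample of `sa-learn --dump magic` output (counts are made up).
sample_dump() {
cat <<'EOF'
0.000          0          3          0  non-token data: bayes db version
0.000          0         57          0  non-token data: nspam
0.000          0       1843          0  non-token data: nham
0.000          0     152310          0  non-token data: ntokens
EOF
}

# Constructed log sample, modelled on the pmg-smtp-filter lines quoted in this thread.
sample_log() {
cat <<'EOF'
pmg-smtp-filter[166654]: 419DC5B86853B5F533: SA score=3/5 time=1.438 bayes=undefined autolearn=no
pmg-smtp-filter[69515]: 41F675B969CF26DAA5: SA score=0/5 time=4.686 bayes=0 autolearn=no
EOF
}

# Print one counter (nspam or nham) from dump text on stdin; the value is column 3.
magic_count() {
    awk -v key="$1" '$5 == "non-token" && NF == 7 && $7 == key { print $3; hit = 1 }
                     END { if (!hit) print "missing" }'
}

# Report whether both counters reached the minimum. Exit 0 ready, 1 not ready, 2 unreadable.
bayes_status() {
    dump=$(cat)
    nspam=$(printf '%s\n' "$dump" | magic_count nspam)
    nham=$(printf '%s\n' "$dump" | magic_count nham)
    case "$nspam$nham" in
        *[!0-9]*) echo "unknown: nspam/nham not found in input"; return 2 ;;
    esac
    if [ "$nspam" -ge "$BAYES_MIN" ] && [ "$nham" -ge "$BAYES_MIN" ]; then
        echo "ready nspam=$nspam nham=$nham"
    else
        echo "not-ready nspam=$nspam nham=$nham need=$BAYES_MIN"
        return 1
    fi
}

# Count filter log lines (stdin) that carry no Bayes result at all.
count_bayes_undefined() {
    awk '/pmg-smtp-filter/ && / bayes=undefined( |$)/ { n++ } END { print n + 0 }'
}

sample_dump | bayes_status || true
sample_log | count_bayes_undefined
# On a live system: sa-learn --dump magic | bayes_status
```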
 
Sep 4, 2018
56
6
8
44
Austria
/etc/cron.daily/spamass-milter (AWL, Bayes etc. from SpamAssassin as run by pmg-smtp-filter need to be synced with SpamAssassin as run by spamass-milter; especially as manual sa-learn calls will be performed against SpamAssassin as run by pmg-smtp-filter, it's required to run a daily job to copy the files from /root/.spamassassin to /var/lib/spamass-milter/.spamassassin):
Code:
#!/bin/sh
cp -R /root/.spamassassin/* /var/lib/spamass-milter/.spamassassin/.

I wonder, why couldn't you just use `/root/.spamassassin` as the input for spamass-milter directly?
 

heutger

I wonder, why couldn't you just use `/root/.spamassassin` as the input for spamass-milter directly?
Maybe you can assist, but I'm afraid, and believe, that using the same folder would result in damaging the AWL and Bayes data, as all mails will pass them twice, once via milter and a second time via pmg-smtp-filter. So I decided to have timed syncs.
 

karnz

Hi Heutger,
Thanks for your advice. Now Bayes has a score for each message, but some are zero. Not sure it's correct. Will see the incoming SPAM result over the next few days.

pmg-smtp-filter[68921]: 41FBA5B969D6659332: SA score=0/5 time=3.020 bayes=8.12057532328936e-10
pmg-smtp-filter[69515]: 41F675B969CF26DAA5: SA score=0/5 time=4.686 bayes=0 autolearn=no autolearn_force=no
Another question:
Have you ever installed BitDefender with PMG?
I have used it with Amavis before, but PMG didn't use it.
 

heutger

Hi,

Looks fine. No, I didn't. About antivirus: ClamAV with the adjustments I made looks fine and is working well. Otherwise I would welcome Avira, as it's very reliable (and was already integrated with PMG in earlier days). Sophos I would also welcome; however, as we already use it as endpoint and firewall protection, I would welcome something different.

Regards,
Christian
 

tom

Proxmox Staff Member
Staff member
Aug 29, 2006
14,490
583
133

Sad to hear, but it's an explanation why Avira is not included any more. Avast I really dislike, they have no good reputation (see the CCleaner disaster)
Based on our tests, Avast is fast and reliable and quite affordable too.
 
Feb 6, 2018
80
6
13
47
Sad to hear, but it's an explanation why Avira is not included any more. Avast I really dislike, they have no good reputation (see the CCleaner disaster)
The event you are referring to seems not to be correlated directly to Avast.
From what I've seen on desktop PCs, Avast is on par with other AV (Kaspersky, Trend Micro, etc.) and in some cases its features are superior.
 
Jan 21, 2017
320
44
33
Berlin
Would you mind pushing your improvements into a git repo, adding a readme file that explains what to do, but references config files and scripts rather than containing them inline?
I am willing to assist cleaning it up and even publishing it in my GitHub repos, mentioning that it originated from this forum post.

What do you think?
 

karnz

I updated to the latest PMG 5.1 last night and then got the cron e-mail below.
Not sure whether it comes from PMG directly or from this added script. Anyway, the SA version showing in the GUI is the updated version already, from about six hours ago, and there is no new fresh update.

/etc/cron.hourly/sa-update:
channel: could not find working mirror, channel failed
channel: could not find working mirror, channel failed
channel: could not find working mirror, channel failed
 

heutger

The event you are referring to seems not to be correlated directly to Avast.
From what I've seen on desktop PCs, Avast is on par with other AV (Kaspersky, Trend Micro, etc.) and in some cases its features are superior.
Hmm, Kaspersky also has its own bad news, and Trend Micro as well in the past, so Avast then is in the same environment. However, I prefer solutions like Avira; if it's not available, I will stay with ClamAV and the additional signatures.
 

heutger

Would you mind pushing your improvements into a git repo, adding a readme file that explains what to do, but references config files and scripts rather than containing them inline?
I am willing to assist cleaning it up and even publishing it in my GitHub repos, mentioning that it originated from this forum post.

What do you think?
You're welcome to do that.
 

heutger

I updated to the latest PMG 5.1 last night and then got the cron e-mail below.
Not sure whether it comes from PMG directly or from this added script. Anyway, the SA version showing in the GUI is the updated version already, from about six hours ago, and there is no new fresh update.
It comes from my sa-update script and I also have the same behavior currently.

Update: Configuration above updated. Two of the lists had issues not signing with SHA-2 (256 or 512 bit) as required by SpamAssassin 3.4.2, which has been updated by PMG 5.1; they have solved the issues now. sought.rules.yerp.org seems to be gone, I will remove it now.
 

heutger

Updates, which I won't change in the configuration above so as not to confuse readers:

Adjust milter reject on private installation to 5, so no spam tagging any more; all mails reaching score 5 will directly be rejected. Works well for months now (thanks to Bayes). My commercial test installation I'm still working on and therefore stay at 10.

Additionally, I need to disable SPF on my private installation as well after increasing false positives. My conclusion for now: SPF isn't really working. Sad, but true.
 

heutger

Here comes something new:

Adding email blocklist (EBL on msbl.org) introduced by SpamAssassin 3.4.2. Steps performed:

Code:
vi /etc/mail/spamassassin/v342.pre
vi /etc/mail/spamassassin/custom.cf

/etc/mail/spamassassin/v342.pre (uncommenting HashBL):
Code:
# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
# This file was installed during the installation of SpamAssassin 3.4.1,
# and contains plugin loading commands for the new plugins added in that
# release.  It will not be overwritten during future SpamAssassin installs,
# so you can modify it to enable some disabled-by-default plugins below,
# if you so wish.
#
# There are now multiple files read to enable plugins in the
# /etc/mail/spamassassin directory; previously only one, "init.pre" was
# read.  Now both "init.pre", "v310.pre", and any other files ending in
# ".pre" will be read.  As future releases are made, new plugins will be
# added to new files, named according to the release they're added in.
###########################################################################

# HashBL - Use EBL email blocklist
loadplugin Mail::SpamAssassin::Plugin::HashBL

# ResourceLimits - assure your spamd child processes
# do not exceed specified CPU or memory limit
# loadplugin Mail::SpamAssassin::Plugin::ResourceLimits


# FromNameSpoof - help stop spam that tries to spoof other domains using
# the from name
# loadplugin Mail::SpamAssassin::Plugin::FromNameSpoof

# Phishing - finds uris used in phishing campaigns detected by
# OpenPhish or PhishTank feeds.
# loadplugin Mail::SpamAssassin::Plugin::Phishing

# allow URI rules to look at DKIM headers if they exist
parse_dkim_uris 1

Adding the following lines to the bottom of /etc/mail/spamassassin/custom.cf:
Code:
ifplugin Mail::SpamAssassin::Plugin::HashBL
header HASHBL_EMAIL eval:check_hashbl_emails('ebl.msbl.org')
describe HASHBL_EMAIL Message contains email address found on EBL
score HASHBL_EMAIL 1.0
endif
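
An added example, not part of the original post: a small check that the `loadplugin` line is really uncommented, since a rule wrapped in `ifplugin` is skipped when its plugin is not loaded. The function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm HashBL is loaded, because an ifplugin block is
# skipped when the plugin's loadplugin line is still commented out.
PLUGIN='Mail::SpamAssassin::Plugin::HashBL'

# True if FILE has an active (uncommented) loadplugin line for HashBL.
plugin_loaded() {
    grep -Eq "^[[:space:]]*loadplugin[[:space:]]+${PLUGIN}([[:space:]]|\$)" "$1"
}

# True if FILE has an active header rule that calls check_hashbl_emails().
rule_defined() {
    grep -Eq '^[[:space:]]*header[[:space:]]+[A-Za-z0-9_]+[[:space:]]+eval:check_hashbl_emails\(' "$1"
}

# Usage: hashbl_check PRE_FILE CF_FILE; prints one status word.
hashbl_check() {
    if plugin_loaded "$1"; then
        if rule_defined "$2"; then echo "active"; else echo "plugin-only"; fi
    elif rule_defined "$2"; then
        echo "rule-skipped"
    else
        echo "absent"
    fi
}

# Write constructed sample files into DIR (hypothetical names, not the live paths).
make_samples() {
    printf '%s\n' "# loadplugin $PLUGIN" > "$1/commented.pre"
    printf '%s\n' "loadplugin $PLUGIN" > "$1/enabled.pre"
    cat > "$1/custom.cf" <<'EOF'
ifplugin Mail::SpamAssassin::Plugin::HashBL
header HASHBL_EMAIL eval:check_hashbl_emails('ebl.msbl.org')
describe HASHBL_EMAIL Message contains email address found on EBL
score HASHBL_EMAIL 1.0
endif
EOF
}

d=$(mktemp -d)
make_samples "$d"
hashbl_check "$d/commented.pre" "$d/custom.cf"   # rule-skipped
hashbl_check "$d/enabled.pre" "$d/custom.cf"     # active
rm -rf "$d"
```

On a live system, point `hashbl_check` at /etc/mail/spamassassin/v342.pre and /etc/mail/spamassassin/custom.cf.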
 