[TUTORIAL] Advancing Proxmox Mail Gateway (especially Spam and Virus Detection)

[heutger]

Gotcha did not know so far its been great i would hope one day to incorporate the free Bitdefender Antivirus.

I believe you could forget about free antivirus options. Free antivirus beside clamav is usually for private/personal use only and usually includes software to be used on personal desktop computers and not on servers or to be invoked by CLI or API calls. However, licenses for "appliance" usage is often different, so there may be attractive options. Recent versions of PMG already e.g. included Avira, which I believe is one of the best options, but with open-sourcing PMG, Avira is not included any more. Maybe in future subscriptions it will get an option again (hopefully). Beside Avira I would like to see Sophos, however Sophos is already used for endpoint protection, so it would make sense to use another vendor. Avast had bad publicity in the past, I would not prefer to use that, however, it's the only alternative available currently, also needs to be licensed.

 

[heutger]

Forgot to ask has to be IMAP right?

Yes, the script requires IMAP. However, I will test and provide scripts for POP3 as well, this mailboxes then need only to be ham and spam mailboxes, so they then get emptied by the script.

 

[killmasta93]

Yes, the script requires IMAP. However, I will test and provide scripts for POP3 as well, this mailboxes then need only to be ham and spam mailboxes, so they then get emptied by the script.

Thanks for the reply, let me know how it goes with the POP3 if you need any help me let me know as i have many users use POP3 rather then IMAP

 

[karnz]

After set all things up and running more than a week, Bayes still not working for all messages.

pmg-smtp-filter[166654]: 419DC5B86853B5F533: SA score=3/5 time=1.438 bayes=undefined autolearn=no autolearn_force=no hits=AWL,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FORGED_HOTMAIL_RCVD2,FREEMAIL_FROM,HTML_MESSAGE,MIME_HTML_MOSTLY,PYZOR_CHECK,RCVD_IN_DNSWL_NONE,SPF_HELO_PASS,SPF_PASS

No any error in the log. Where I should look for this?

 

[heutger]

Try to run sa-learn --dump magic and look for the rows nspam and nham. If any of the counts did not reach 200, bayes will not start to tag. From my experience, ham will reach 200 very easy, but spam will take months to get the amount of 200 via autolearn (as autolearn is always very conservative, as it's an automatism), so to reach the 200 spam mails limit, you should train spam by yourself via sa-learn --spam FILENAME

 

[IEM]

/etc/cron.daily/spamass-milter (AWL, Bayes etc. from SpamAssassin as been run by pmg-smtp-filter needs to be synced with SpamAssassin been run by spamass-milter, especially as manual sa-learn calls will be performed against SpamAassassin as been run by pmg-smtp-filter, it's required to run a daily job to copy the files from /root/.spamassassin to /var/lib/spamass-milter/.spamassasin):

#!/bin/sh
cp -R /root/.spamassassin/* /var/lib/spamass-milter/.spamassassin/.

i wonder, why couldn't you just use `/root/.spamassassin` as the input for spamass-milter directly?

 

[heutger]

i wonder, why couldn't you just use `/root/.spamassassin` as the input for spamass-milter directly?

Maybe you can assist, but I’m afraid and believe, that using the same folder would result in damaging the awl and bayes data as all mails will pass them twice, once via milter and second via pmg-smtp-filter. So I decide to have timed syncs.

 

[karnz]

Hi Heutger,
Thanks for your advice. Now Bayes has score for each message but some are zero. Not sure it's correct. Will see the incoming SPAM result next few days.

pmg-smtp-filter[68921]: 41FBA5B969D6659332: SA score=0/5 time=3.020 bayes=8.12057532328936e-10
pmg-smtp-filter[69515]: 41F675B969CF26DAA5: SA score=0/5 time=4.686 bayes=0 autolearn=no autolearn_force=no

Another question,
Have you ever install BitDefender with PMG?
I ever used it with Amavis but PMG didn't use it.

 

[heutger]

Hi,

looks fine. No, I didn't. About antivirus clamav with the adjustments I made looks fine and is working well. Otherwise I would welcome Avira as it's very reliable (and already was integrated with PMG in earlier days). Sophos I would also welcome, however, as we already use it as endpoint and firewall protection, I would welcome something different.

Regards,
Christian

 

[tom]

..Otherwise I would welcome Avira as it's very reliable (and already was integrated with PMG in earlier days).

Avira does not sell any license for aGPL based linux mail gateways, their license requirements are incompatible.

I recommend to use avast as a second scanner, see:
https://forum.proxmox.com/threads/enabling-avast-core-security-need-syntax.45872/

 

[heutger]

Avira does not sell any license for aGPL based linux mail gateways, their license requirements are incompatible.

I recommend to use avast as a second scanner, see:
https://forum.proxmox.com/threads/enabling-avast-core-security-need-syntax.45872/

Sad to hear, but it's an explanation, why Avira is not included any more. Avast I really disalike, they have no good reputation (see the CCleaner disaster)

 

[tom]

Sad to hear, but it's an explanation, why Avira is not included any more. Avast I really disalike, they have no good reputation (see the CCleaner disaster)

based on our tests, avast is fast and reliable and quite affordable too.

 

[Davide Bozzelli]

Sad to hear, but it's an explanation, why Avira is not included any more. Avast I really disalike, they have no good reputation (see the CCleaner disaster)

The event you are referring to seems not to be correlated directly to Avast.
From what i've seen on desktop pc avast is on par with other av (kaspersky, trend micro etc etc) and in some cases its features is superior.

 

[DerDanilo]

Would you mint pushing your improvements into a git repo, adding a readme file that explains what to do, but references config files and scripts rather than containing them inline?
I am willing to assist cleaning it up and even publishing it in my github repos, mentioning that it originated from this forum post.

What do you think?

 

[karnz]

I updated to the latest PMG 5.1 last night then got Cron e-mail below.
Not sure it comes from PMG directly or this added script. Anyway SA version showing on GUI is updated version already about six hours ago and no new fresh update.

/etc/cron.hourly/sa-update:
channel: could not find working mirror, channel failed
channel: could not find working mirror, channel failed
channel: could not find working mirror, channel failed

 

[heutger]

The event you are referring to seems not to be correlated directly to Avast.
From what i've seen on desktop pc avast is on par with other av (kaspersky, trend micro etc etc) and in some cases its features is superior.

Hmm, Kaspersky also has it's own bad news and Trend Micro as well in the past, so Avast then is in same environment. However, I prefer solutions like Avira, however, if it's not available, I will stay with ClamAV and the additional signatures.

 

[heutger]

Would you mint pushing your improvements into a git repo, adding a readme file that explains what to do, but references config files and scripts rather than containing them inline?
I am willing to assist cleaning it up and even publishing it in my github repos, mentioning that it originated from this forum post.

What do you think?

You're welcome to do that.

 

[heutger]

I updated to the latest PMG 5.1 last night then got Cron e-mail below.
Not sure it comes from PMG directly or this added script. Anyway SA version showing on GUI is updated version already about six hours ago and no new fresh update.

It comes from my sa-update script and I also have the same behavior currently.

Update: Configuration above updated. Two of the lists had issues not signing with SHA-2 (256 or 512 bit) as required from SpamAssassin 3.4.2 which has been updated by PMG 5.1, they solved issues now. sought.rules.yerp.org seems to be gone, I will remove it now.

 

[heutger]

Updates, I won't change in the configuration above to not confuse readers:

Adjust milter reject on private installation to 5, so no spam tagging any more, all mails reaching score 5 will directly be rejected. Works well for months now (thanks to bayes). My commercial test installation I'm still working on and therefor stay at 10.

Additional I need to disable SPF on my private installation as well after increasing false-positives. My conclusion for now: SPF isn't really working. Sad, but true.

 

[heutger]

Here comes something new:

Adding email blocklist (EBL on msbl.org) introduced by SpamAssassin 3.4.2. Steps performed:

vi /etc/mail/spamassassin/v342.pre
vi /etc/mail/spamassassin/custom.cf

/etc/mail/spamassassin/v342.pre (uncommenting HashBL):

# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
# This file was installed during the installation of SpamAssassin 3.4.1,
# and contains plugin loading commands for the new plugins added in that
# release.  It will not be overwritten during future SpamAssassin installs,
# so you can modify it to enable some disabled-by-default plugins below,
# if you so wish.
#
# There are now multiple files read to enable plugins in the
# /etc/mail/spamassassin directory; previously only one, "init.pre" was
# read.  Now both "init.pre", "v310.pre", and any other files ending in
# ".pre" will be read.  As future releases are made, new plugins will be
# added to new files, named according to the release they're added in.
###########################################################################

# HashBL - Use EBL email blocklist
loadplugin Mail::SpamAssassin::Plugin::HashBL

# ResourceLimits - assure your spamd child processes
# do not exceed specified CPU or memory limit
# loadplugin Mail::SpamAssassin::Plugin::ResourceLimits


# FromNameSpoof - help stop spam that tries to spoof other domains using
# the from name
# loadplugin Mail::SpamAssassin::Plugin::FromNameSpoof

# Phishing - finds uris used in phishing campaigns detected by
# OpenPhish or PhishTank feeds.
# loadplugin Mail::SpamAssassin::Plugin::Phishing

# allow URI rules to look at DKIM headers if they exist
parse_dkim_uris 1

Adding the following the lines to the bottom of /etc/mail/spamassassin/custom.cf:

ifplugin Mail::SpamAssassin::Plugin::HashBL
header HASHBL_EMAIL eval:check_hashbl_emails('ebl.msbl.org')
describe HASHBL_EMAIL Message contains email address found on EBL
score HASHBL_EMAIL 1.0
endif