[TUTORIAL] Advancing Proxmox Mail Gateway (especially Spam and Virus Detection)

Current pricing is something about US$150 (original pricing is in €) per server per year, with good discounts on multiple years and multiple servers. Core Security for Linux is enough and best fitting license. Via partners there are additional discounts possible. You can PM me for details.

From this post and your earlier post regarding detection rate and false positives with ClamAV and pricing with commercial vendors. Seems to me, it's pointless to have any AV running especially with the small setup that I currently have. It's more efficient and affordable to simply just rely on other methods (e.g. DMARC/DKIM) to protect one's self.

Regards
 
Depends on your setup. Cheapest price I found is $312 for 3 years and one server is about $9 per month, depending on your number of users (on my commercial installation it's 25 users) it's about 35 Cent not for handling with viruses, that's fine.

Looking for detection and false positives rate ClamAV is terrible for sure (but free or with additional signatures like Saint Security #15 with 76.5% dr and 0 fp) and for sure others are better (#1 BitDefender with 100% dr and 1 fp, #4 Kaspersky with 99.8% dr and 0 fp, #5 Avast with 99.7% pr and 0 fp, #10 ESET with 98.9% and 2 fp) but 35 Cent to protect my users is fine. Additionally, we use another Desktop Scanner, so combining two scanners would result in a good rate of detecting possible viruses.

DMARC/DKIM, I'm sorry, are similar to DNSSEC or DANE, they are dead. Every spammer knows about DKIM and DMARC, so what do they do: They use mail servers, which provide SPF and work well with SPF and they use mail servers which sign their messages with DKIM. I don't have the time to show the proof in detailed statistics, but I can tell you from my observations, that you will find about 90% legit mails not DKIM-signed from no SPF-enabled mail servers meanwhile you will find 90% spam mails DKIM-signed from SPF-enabled mail servers, so what's the sense of DMARC/DKIM then?
 
heutger said:
Depends on your setup. Cheapest price I found is $312 for 3 years and one server is about $9 per month, depending on your number of users (on my commercial installation it's 25 users) it's about 35 Cent not for handling with viruses, that's fine.

For my size of 12 users with no incoming revenue, that's still pricey unfortunately.

DMARC/DKIM in concert with IP reputation, spam list, etc. IIRC, somewhere along this thread, you had dropped RSpamd? AFAIK, doesn't RSpamd score based on DMARC/DKIM among other things? Additionally, aren't viruses, in the majority of cases, spread through e-mail attachments? Unless there is a known/unknown vulnerability in the e-mail client? I wasn't aware of third party signatures, I'll have a look into that.

Regards
 
DMARC/DKIM together with whatever does not help anything. Many spam like purchasing such lists, get such money out of my country because anyone is dead, penis enlargements etc. come from servers with good reputation, with SPF and DMARC/DKIM, e.g. from Microsoft Servers, Gmail Servers, Yahoo Servers etc. A local virus scanner also would help for sure, with a mail server antivirus you have a second bastion. rspamd scores may be based on that, maybe that's the reason, why rspamd detection was really worse against my optimized SpamAssassin setup here with PMG and that's why I skipped rspamd recently, as the scores were not acceptable.
 
I have followed through your guide and have most things working that I want. Because I didn't install everything there are some errors I am dealing with that I was hoping you could help with.

First one is:
Feb 14 11:37:03 mg1 pmg-smtp-filter[1375]: WARNING: rules: failed to run __KAM_SPF_NONE test, skipping:
(Can't locate object method "check_for_spf_none" via package "Mail::SpamAssassin::perMsgStatus" at (eval 2764) line 695, <GEN180> line 10108.
)
I don't want to use SPF or DKIM verification because I've already got them set up another way and yours also blocks internal emails because my exchange server is not set up on my SPF record (it's internal only so there's no need).

Second problem I'm having is that I want the subject line to show up in the logs, but any time I create /etc/pmg/templates/main.cf.in with a single line header_checks = regexp:/etc/postfix/header_checks and /etc/postfix/header_checks with the 3 lines in your post on the first page all emails incoming and outgoing get denied (I'm still not sure why)

Anyway, it's working well as it is but would like to get these two things figured out.

By the way, my spam detection is already a lot better so huge thanks for that.
 
To answer my first problem, I had to comment lines 4531-4538 (anything to do with __KAM_SPF_NONE) in /usr/share/spamassassin-extra/KAM.cf. Does this file get updated hourly by sa-update?
 
Many thanks for your feedback. SPF on mail server side is disabled in my setup as described above, just SpamAssassin (here it's a KAM rule) is checking for, but it only scores then SPF and DKIM a bit. If you don't want that scores, you need to adjust the scores therefor in your custom.cf. You also could disable the KAM rules in the KAM.cf, but that would be overwritten, once the KAM rules are updated. You could also disable the KAM rules at all, but I would not recommend as some of the KAM rules are fine. However, you should check with spamassassin --lint, why you have such error with the missing object, haven't seen that yet.

Please don't create a blank /etc/pmg/templates/main.cf.in with this setting, you need to copy as written before the original templates to /etc/pmg/templates and then adjust the main.cf.in by just adding the header checks line and the header checks file. You can't just add extra lines, you want to be added to main.cf on syncing by creating a fresh line and also you can't just create the one file you want to edit, you need to copy all the template files then to /etc/pmg/templates and edit them, if you want, or leave them, if you don't want to change. It's no picking rule, it's a one and all or nothing rule. Disadvantage is, that you need then to check from time to time, if the config files are still matching the original ones with just your changes or you missed any extras.
 
I didn't get much when I ran spamassassin --lint but it was enough to point me to the file I posted about above. The only errors I could find:

(over 100 lines similar to the one below complaining about a description missing)
Feb 14 14:48:43.542 [19129] dbg: config: warning: no description set for SCHAALIT_URI_376
...
Feb 14 14:48:45.997 [19129] warn: rules: failed to run __KAM_SPF_NONE test, skipping:
Feb 14 14:48:45.997 [19129] warn: (Can't locate object method "check_for_spf_none" via package "Mail: [...]:SpamAssassin::perMsgStatus" at (eval 2048) line 1139.
Feb 14 14:48:45.997 [19129] warn: )
...
Feb 14 14:48:46.531 [19129] warn: lint: 1 issues detected, please rerun with debug enabled for more information
 
SPF on mail server side is disabled in my setup as described above, just SpamAssassin (here it's a KAM rule) is checking for, but it only scores then SPF and DKIM a bit.

Hmm...It could have been because I was scrambling to get the server delivering mail again, but when I had the SPF/DKIM check in /etc/pmg/templates/init.pre.in uncommented it was denying emails from my exchange server. It may have been a combination of a few things but when I commented that out and removed the header checks mail started flowing again which is why I assume it was that.

Please don't create a blank /etc/pmg/templates/main.cf.in with this setting, you need to copy as written before the original templates to /etc/pmg/templates and then adjust the main.cf.in by just adding the header checks line and the header checks file.

What do you mean by that? I'm not interested in the other things you have in main.cf.in which is why I chose to only put in the header check. Is there something else in there that is required that I missed?
 
Hmm...It could have been because I was scrambling to get the server delivering mail again, but when I had the SPF/DKIM check in /etc/pmg/templates/init.pre.in uncommented it was denying emails from my exchange server. It may have been a combination of a few things but when I commented that out and removed the header checks mail started flowing again which is why I assume it was that.

So may be by changing that, the SpamAssassin error started to occur, because the object for SPF/DKIM check has been removed.

What do you mean by that? I'm not interested in the other things you have in main.cf.in which is why I chose to only put in the header check. Is there something else in there that is required that I missed?

The templating system works like this:

All files, which are customizable by PMG GUI settings are written from /var/lib/pmg/templates which contain normal text, which should be stored in the configuration files as well as template written variables, which are performed by the template system to be set based on the PMG GUI settings chosen. If the folder /etc/pmg/templates exists, instead of /var/lib/pmg/templates all(!) the files are taken from /etc/pmg/templates (@tom @dietmar @Stoiko Ivanov maybe it would be a great feature, if only some files are taken from there, so if I only want to adjust e.g. main.cf template file, only /etc/pmg/templates/main.cf.in is required and all other files can stay (also being autoupdated) in/by /var/lib/pmg/templates) and the configuration files are written by their content. So if you only place a main.cf.in there, all other PMG managed configuration files will result in being written as blank (e.g. if init.pre.in is missing, you will get a blank init.pre or an error at all if you try syncing), and if you place just one line in main.cf.in, the resulting main.cf will contain only this one line. Everything else is taken from Postfix defaults then.

So if you don't want my(!) main.cf.in but want to add this one line, copy the original main.cf.in from /var/lib/pmg/templates as well as the other templates to /etc/pmg/templates and just add the one line you want to add. Otherwise you will run into errors.
 
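The all-or-nothing template procedure from the post above, as an added example that is not code from the thread or from Proxmox: seed /etc/pmg/templates with every stock template, add the single header_checks line to the copied main.cf.in, then report templates that are missing from the override directory or that have drifted from stock. The function names are hypothetical, and the sketch assumes the stock templates are plain files directly inside /var/lib/pmg/templates.

```shell
#!/bin/sh
# Added example. Directory names are the ones given in the thread; override
# them through the environment to try this outside a PMG host.
STOCK_DIR="${STOCK_DIR:-/var/lib/pmg/templates}"
OVERRIDE_DIR="${OVERRIDE_DIR:-/etc/pmg/templates}"

# Copy every stock template the override directory lacks; a file that is
# already there (and may carry your edits) is never overwritten.
seed_overrides() {
    mkdir -p "$OVERRIDE_DIR" || return 1
    for src in "$STOCK_DIR"/*; do
        [ -f "$src" ] || continue
        dst="$OVERRIDE_DIR/$(basename "$src")"
        [ -e "$dst" ] || cp -p "$src" "$dst" || return 1
    done
}

# Append one setting to the copied main.cf.in unless it is already present.
# Refuses to create the file, which is the mistake described in the thread.
add_main_cf_line() {
    file="$OVERRIDE_DIR/main.cf.in"
    [ -s "$file" ] || { echo "no seeded $file, run seed_overrides" >&2; return 1; }
    grep -qxF -- "$1" "$file" && return 0
    [ -z "$(tail -c 1 "$file")" ] || echo >> "$file"   # ensure trailing newline
    printf '%s\n' "$1" >> "$file"
}

# List stock templates with no counterpart in the override directory.
missing_templates() {
    for src in "$STOCK_DIR"/*; do
        [ -f "$src" ] || continue
        name=$(basename "$src")
        [ -f "$OVERRIDE_DIR/$name" ] || printf '%s\n' "$name"
    done
}

# List overrides that differ from stock: your edits, plus any upstream
# template change not merged yet. Review each with diff -u.
changed_templates() {
    for src in "$STOCK_DIR"/*; do
        name=$(basename "$src")
        [ -f "$OVERRIDE_DIR/$name" ] || continue
        cmp -s "$src" "$OVERRIDE_DIR/$name" || printf '%s\n' "$name"
    done
}
```

On a gateway the order is seed_overrides, then add_main_cf_line 'header_checks = regexp:/etc/postfix/header_checks', then PMG's own config sync; rerunning missing_templates and changed_templates after package updates covers the periodic check the post asks for.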
Ok, I understand now. I thought these files appended to the config, not overwrite it. Seems odd to do it this way... Definitely explains why things were not working.
 
I guess my next question is, won't this render the GUI useless for making config changes? Is there already a way to sync these files or do we need to do it manually?
 
Ok, I understand now. I thought these files appended to the config, not overwrite it. Seems odd to do it this way... Definitely explains why things were not working.

I believe append is no good idea as some (also me) would be interested not just add new lines but also remove others or primary change others. However @tom @dietmar @Stoiko Ivanov also would be fine on updates to have a kind of diff system allowing to merge updates of the origin templates to the adjusted files (like Debian and/or CentOS and/or Gentoo updates do, if config changes on update).
 