[TUTORIAL] Advancing Proxmox Mail Gateway (especially Spam and Virus Detection)

True, true, but probably Dr.Web is better than ClamAV? BTW, if you need a demo of GDATA for testing, let me know.
 
Everything is better than ClamAV ;-) I googled around the whole GDATA page and didn't find any mention of a command line scanner; I only found how to install the Linux agent, but that's nothing that can be called to scan mails for viruses.
 
Yeah, same here. I'm talking to the GDATA support team to maybe see how to call the scanner; I'll post back if they can help.
 
Code:
cd dcc-*
./configure
make
make install
vi /lib/systemd/system/dcc.service
vi /var/dcc/dcc_conf
systemctl enable dcc
systemctl start dcc


Hello heutger,

I am following your guide but can't install dcc.
I start dcc with the command systemctl start dcc but get the error: "Failed to start dcc.service: Unit dcc.service not found"
Please help me fix this.

Thanks
 

Hi,

did you create the dcc.service file as written in the tutorial? What does

Code:
cat /lib/systemd/system/dcc.service

show?

Did you also perform

Code:
wget http://www.dcc-servers.net/dcc/source/dcc.tar.Z
tar xzvf dcc.tar.Z
cd dcc-*
./configure
make
make install

to install DCC?

Regards,
Christian
 
I have installed pyzor with "apt-get install pyzor" and added this to my /etc/mail/spamassassin/custom.cf:

Code:
loadplugin Mail::SpamAssassin::Plugin::Pyzor
use_pyzor 1

Testing with 'echo "test" | spamassassin -D pyzor 2>&1' only shows me "dbg: pyzor: network tests on, attempting Pyzor" but nothing else, like executing pyzor etc.

Is this the case on your end too? Or did I miss something?
 
So that's my output:

Code:
May 17 11:47:43.992 [28281] dbg: pyzor: network tests on, attempting Pyzor
May 17 11:47:53.832 [28281] dbg: pyzor: pyzor is available: /usr/bin/pyzor
May 17 11:47:53.833 [28281] dbg: pyzor: opening pipe: /usr/bin/pyzor check < /tmp/.spamassassin28281HJyNYktmp
May 17 11:47:53.838 [28300] info: util: setuid: ruid=0 euid=0 rgid=0 0 egid=0 0
May 17 11:47:53.930 [28281] dbg: pyzor: [28300] finished: exit 1
May 17 11:47:53.930 [28281] dbg: pyzor: got response: public.pyzor.org:24441 (200, 'OK') 15409334 141497
May 17 11:47:53.930 [28281] dbg: pyzor: listed: COUNT=15409334/5 WHITELIST=141497
May 17 11:47:53.939 [28281] info: rules: meta test KAM_WARRANTY has dependency 'CBJ_GiveMeABreak' with a zero score
May 17 11:47:53.940 [28281] info: rules: meta test KAM_VOICEMAIL has dependency 'KAM_RAPTOR' with a zero score
May 17 11:47:53.945 [28281] info: rules: meta test KAM_PHISHY_DOLLARS has dependency 'KAM_RAPTOR' with a zero score
May 17 11:47:53.951 [28281] info: rules: meta test KAM_PAYPAL2 has dependency 'KAM_RAPTOR' with a zero score
May 17 11:47:53.955 [28281] info: rules: meta test KAM_AUTO has dependency 'CBJ_GiveMeABreak' with a zero score
May 17 11:47:53.959 [28281] info: rules: meta test KAM_INSURE has dependency 'CBJ_GiveMeABreak' with a zero score
May 17 11:47:53.963 [28281] info: rules: meta test KAM_REALLY_FAKE_DELIVER has dependency 'KAM_RPTR_PASSED' with a zero score
May 17 11:47:53.966 [28281] info: rules: meta test KAM_AMAZON has dependency 'KAM_RAPTOR' with a zero score
May 17 11:47:53.967 [28281] info: rules: meta test KAM_EVICTION has dependency 'KAM_RAPTOR' with a zero score
May 17 11:47:53.970 [28281] info: rules: meta test JMQ_CONGRAT has dependency 'KAM_RAPTOR' with a zero score
May 17 11:47:53.972 [28281] info: rules: meta test KAM_FORGED_ATTACHED has dependency 'KAM_RAPTOR' with a zero score
May 17 11:47:53.978 [28281] info: rules: meta test KAM_FAKE_DELIVER has dependency 'KAM_RAPTOR' with a zero score
May 17 11:47:53.987 [28281] info: rules: meta test KAM_WARRANTY3 has dependency 'CBJ_GiveMeABreak' with a zero score
May 17 11:47:53.994 [28281] info: rules: meta test KAM_BBB has dependency 'KAM_RAPTOR' with a zero score
May 17 11:47:53.998 [28281] info: rules: meta test KAM_INSURE2 has dependency 'CBJ_GiveMeABreak' with a zero score
May 17 11:47:53.999 [28281] info: rules: meta test KAM_BADPDF2 has dependency 'KAM_RPTR_SUSPECT' with a zero score
May 17 11:47:54.003 [28281] info: rules: meta test KAM_NOTIFY2 has dependency 'KAM_IFRAME' with a zero score
May 17 11:47:54.006 [28281] info: rules: meta test KAM_CARD has dependency 'KAM_RPTR_SUSPECT' with a zero score
May 17 11:47:54.007 [28281] info: rules: meta test KAM_JURY has dependency 'KAM_RAPTOR' with a zero score
Received: from localhost by xxxx
    with SpamAssassin (version 3.4.2);
    Fri, 17 May 2019 11:47:54 +0200
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on xxxx
X-Spam-Flag: YES
X-Spam-Level: **********
X-Spam-Status: Yes, score=10.9 required=5.0 tests=EMPTY_MESSAGE,FSL_BULK_SIG,
    MISSING_DATE,MISSING_FROM,MISSING_HEADERS,MISSING_MID,MISSING_SUBJECT,
    NO_HEADERS_MESSAGE,NO_RECEIVED,NO_RELAYS,PYZOR_CHECK autolearn=no
    autolearn_force=no version=3.4.2
X-Spam-Relay-Country:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_5CDE834A.7F91156D"

This is a multi-part message in MIME format.

------------=_5CDE834A.7F91156D
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system "xxxx",
has identified this incoming email as possible spam.  The original
message has been attached to this so you can view it or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview: 

Content analysis details:   (10.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
 1.2 MISSING_HEADERS        Missing To: header
 2.0 PYZOR_CHECK            Listed in Pyzor
                            (https://pyzor.readthedocs.io/en/latest/)
-0.0 NO_RECEIVED            Informational: message has no Received headers
 1.0 FSL_BULK_SIG           Bulk signature with no Unsubscribe
 2.3 EMPTY_MESSAGE          Message appears to have no textual parts and no
                            Subject: text
 0.1 MISSING_MID            Missing Message-Id: header
 1.8 MISSING_SUBJECT        Missing Subject: header
 1.4 MISSING_DATE           Missing Date: header
 1.0 MISSING_FROM           Missing From: header
 0.0 NO_HEADERS_MESSAGE     Message appears to be missing most RFC-822
                            headers



------------=_5CDE834A.7F91156D
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

test

------------=_5CDE834A.7F91156D--

So you can see, the network is connected and pyzor checks are performed; you also see Pyzor occurring in the checks, so you should also check, e.g. with the Tracking Center, whether PYZOR_CHECK is shown there (with scores). If so, everything works fine; otherwise you should get different responses. Please also wait a moment for pyzor to do its job. In addition, the KAM rules have some bugs; however, they don't break the system, so hopefully the next update of the KAM rules will correct the bugs.

Sorry for the late response, I'm currently busy with an ISO 27001 training course.
 
/etc/clamav-unofficial-sigs/user.conf (enabling additional signatures, xxx needs to be replaced by your license keys):

Hello Heutger,

I don't understand this: xxx needs to be replaced by your license keys. If I want to use ClamAV-unofficial, I must buy a license, right?

How do I find my license?

Best Regards,
 

Not for ClamAV-unofficial itself but for some of the signatures it uses:

Malware Patrol => https://www.malwarepatrol.net (you need to sign up for e.g. free service, if you're eligible to do so)
SecuriteInfo => https://www.securiteinfo.com/servic...on-rate-of-zero-day-malwares-for-clamav.shtml (same as above)
 
Howdy, here comes an update again. ;-)

1. I changed all my DNS RBLs to factor 1 only instead of 2. In another thread I got informed about some trouble with my recommended blacklists (blocklists) and therefore checked back about false positives and how often just one recent score-2 blacklist blocked a mail. After some time of investigation I found a total of 2 false positives on the commercial test setup and 1 false positive on the private setup, but only a really rare count of mails which had been blocked just by a score-2 blacklist. So I decided to change to a more reliable and robust setup for somehow everyone. I won't update my posts above, not to confuse readers but mostly to keep the ability for everyone to reject my decision and still use a score 2 (kick) and score 1 (hit) setup. So my setup is now:

Code:
postscreen_dnsbl_sites = zen.spamhaus.org*1,bl.spamcop.net*1,psbl.surriel.com*1,spamrbl.imp.ch*1,noptr.spamrats.com*1,escalations.dnsbl.sorbs.net*1,bl.score.senderscore.com*1,bl.spameatingmonkey.net*1,rbl.realtimeblacklist.com*1,dnsbl.dronebl.org*1,ix.dnsbl.manitu.net,b.barracudacentral.org,truncate.gbudb.net,bl.blocklist.de,sip.xxxx,sip24.xxxx
postscreen_dnsbl_threshold = 2

So I left *1 (unsure how long this will be kept) also to still be able to see the recent score-2 lists; for sure, it's still required to reach a score of 2 to be blocked by RBL, otherwise the adjustment won't make sense. The percentage of additional spam is really low (I just encountered about 1-2 mails a week on my private setup, where I recently had none).

2. I'm unsure why ^^ but I had chosen to set up SPF. OK, honestly, I started some optimizations because of reading an article about STS being enabled at Google Mail now as default (and also enforced), so I decided to set up STS, and as I was on that way and checking my systems with Mozilla Observatory (mostly website optimization; I will post a WordPress article about that on my website soon, as it's a hard job, also with WordPress, and you need to consider many points, also if you want to go for A+ and 100%+) as well as Qualys SSL Labs and Hardenize, I was also always faced with SPF, so I decided to set that ... up. Honestly, I also found an article on Heinlein Support, which I have mentioned some times here as they also had some posts and presentations confirming that blocking mails without further notice is illegal in Germany, saying that SPF is bull... and broken by design, which I can confirm, as it's not that easy to set up SPF if you're not only using your own infrastructure. However, I found a way to get the SPF record of Quality Hosting, which I use for my Hosted Exchange (with Antispameurope/Hornet Security), and to get the IP address blocks from Cyren/Expurgate/Eleven/Spamfence, which I use on my mail flow. I strongly recommend to set ~all at the end (softfail); you can read the blog post of Heinlein why (forwarding mails, posting on mailing lists etc. are all good reasons), as hard blocking SPF makes no sense at all (so that was also the reason to disable SPF on my setup). I also strongly recommend to use an SPF checker like MX Toolbox or DMARC Analyzer to check the validity of the record, and if you use many e-mail service providers the record may get too long or too nested and will be rejected by receiving mail servers.
I also only found the SPF records of Quality Hosting by checking the SPF record for their own mails; they do not provide an SPF record publicly. Cyren provided their IP ranges to me, which I need to handle carefully in case they change them anytime without prior notice (as they are also not officially posted). I had first chosen their own SPF record, but it was too long and too nested, so I was required to adjust. So if you're running the same setup as my private setup (Quality Hosting with antispam from Hornet Security as Hosted Exchange as the endpoint, Spamfence in between, and your own servers also allowed to send mails), your record should look like this:

Code:
@                        IN TXT     "v=spf1 a mx ip4:194.37.255.0/24 ip4:91.198.224.0/24 include:hostedoffice.ag ~all"

I won't set up DMARC, as I'm unable to use DKIM with Hosted Exchange, and for the rare direct mails (finally all administrative mails to myself) it doesn't make sense. However, I still also don't see DMARC as a panacea as promoted e.g. by MX Toolbox, as I saw more DMARC-compliant spam than non-spam on my systems. I also won't set up or support DANE, which also came up with my adjustments, as it's based on DNSSEC, and DNSSEC has many problems and is also broken by design. I believe DoH will make DNSSEC obsolete and MTA-STS will also make DANE obsolete (hopefully, if improved; it's not yet as good as I would like it to be, not yet well designed, however, unlike with DANE, many big mail providers have been involved in the design process of MTA-STS).

3. I set up MTA-STS. It primarily needs to be done on systems other than PMG. For sure, PMG should support TLS via STARTTLS and should be set up with a good set of protocols and ciphers, so I tried to optimize the defaults (as PMG doesn't change them); I will post later on this as I'm not yet finished finding the optimal configuration. To set up MTA-STS, first it's required to set up a website mta-sts.yourdomain.yourextension like mta-sts.heutger.net. It's then required to create a file containing control information on how MTA-STS should be performed (which mail servers are allowed, how long the record should be valid, whether MTA-STS should be enforced or is just in testing mode, and which version you're running). Finally it's required to set up a DNS record to tell mail servers that MTA-STS is available on your setup and where to report problems. MTA-STS will then tell anyone who supports MTA-STS (the add-on for postfix is not yet final, so I currently did not install it to run MTA-STS against other servers myself) to use STARTTLS mandatorily instead of optionally. The drawback of the current definition is that you require an SSL/TLS certificate for each domain you'd like to run MTA-STS with. I don't support Let's Encrypt for different reasons; however, I use a wildcard certificate instead and only use one of my domain names as mail domain.

Steps I performed to set up MTA-STS (after setting up the website mta-sts.heutger.net) on my Plesk machine:

Code:
cd /var/www/vhosts/heutger.net/mta-sts.heutger.net
rm -Rf css favicon.ico img index.html test
mkdir .well-known
vi .well-known/mta-sts.txt
chown -R heutger:psacln .well-known

with the content of mta-sts.txt:

Code:
version: STSv1
mode: enforce
mx: *.heutger.net
max_age: 2419200

and the DNS records:

Code:
_mta-sts                 IN TXT     "v=STSv1; id=WB2VQK7b784TzXPR;"
_smtp._tls               IN TXT     "v=TLSRPTv1; rua=mailto:xxxx@xxxx"

For the ID I use a randomized value, so no attacker can guess the next value; I just used a password generator for that.

4. I found in these forums users with space issues on their PMG setup. While apt-get autoremove --purge, as well as apt-get autoclean when getting really low on space, may help to free up some space, the worst issue is that PMG provides its own kernels (based on their PVE product) and they are not cleaned up automatically or by any of the commands before. However, I got recommended by PMG staff that there is a great tool to perform the cleanup; although unofficial, it performs well. So I downloaded that one, installed it, performed it once and now perform it after each kernel update (which requires a reboot, so I can do both manually once a kernel update is available. Meanwhile I use automatic updates with reporting; I don't want the machine to reboot itself, I try to keep control as much as possible. I would also not recommend automatic updates on e.g. commercial installations, but for my private installation I'm fine with it. Same as Let's Encrypt: for private installations it would be great, but for commercial ones I would recommend stronger validation and a more reliable CA).

Steps performed:

Code:
cd /tmp
wget https://github.com/jordanhillis/pvekclean/archive/master.zip
unzip master.zip
cd pvekclean-master
chmod +x pvekclean.sh
./pvekclean.sh
pvekclean

Errata: include:antispameurope.com is not required at QualityHosting
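To check the claim in point 1 that a client must now be listed by two lists before postscreen rejects it, here is an added example (not from the post) that parses the `postscreen_dnsbl_sites` value above, where each entry may carry `=filter` and `*weight` (weight 1 when absent), and sums the weights of the lists that answered for a client against `postscreen_dnsbl_threshold`. The set of lists that "hit" is a constructed input, not a live DNS query, and `OLD_STYLE_SITES` is a constructed stand-in for the earlier score-2/score-1 style.

```python
"""Work out how Postfix postscreen turns DNSBL answers into a verdict.

Added example, not code from the forum post: it parses the
postscreen_dnsbl_sites value quoted in the post (an entry may carry an
optional "=filter" and an optional "*weight"; the weight defaults to 1)
and sums the weights of the lists that answered for a client. postscreen
rejects the client once that sum reaches postscreen_dnsbl_threshold.
Which lists "hit" is a constructed input here, not a live DNS query.
"""
import re
from typing import Dict, Iterable

# Copied from the post; sip.xxxx and sip24.xxxx are the author's masked
# private lists.
POSTSCREEN_DNSBL_SITES = (
    "zen.spamhaus.org*1,bl.spamcop.net*1,psbl.surriel.com*1,spamrbl.imp.ch*1,"
    "noptr.spamrats.com*1,escalations.dnsbl.sorbs.net*1,"
    "bl.score.senderscore.com*1,bl.spameatingmonkey.net*1,"
    "rbl.realtimeblacklist.com*1,dnsbl.dronebl.org*1,ix.dnsbl.manitu.net,"
    "b.barracudacentral.org,truncate.gbudb.net,bl.blocklist.de,sip.xxxx,sip24.xxxx"
)
POSTSCREEN_DNSBL_THRESHOLD = 2

# Constructed "before" setting in the score-2 (kick) / score-1 (hit) style
# the post moved away from, used only for the comparison below.
OLD_STYLE_SITES = "zen.spamhaus.org*2,bl.spamcop.net*1"

# site[=filter][*weight]; the filter (e.g. 127.0.0.[2..11]) is not evaluated here.
_ENTRY = re.compile(
    r"^(?P<site>[^=*\s]+)(?:=(?P<filter>[^*\s]+))?(?:\*(?P<weight>-?\d+))?$"
)


def parse_dnsbl_sites(value: str) -> Dict[str, int]:
    """Map each DNSBL domain to its weight; a missing *weight means 1."""
    weights: Dict[str, int] = {}
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        match = _ENTRY.match(entry)
        if match is None:
            raise ValueError(f"unparsable postscreen_dnsbl_sites entry: {entry!r}")
        weights[match.group("site")] = int(match.group("weight") or 1)
    return weights


def dnsbl_score(weights: Dict[str, int], hits: Iterable[str]) -> int:
    """Sum the weights of the lists that listed the client (each list once).

    A list that is not configured contributes 0; a negative weight (a
    whitelist entry) lowers the score.
    """
    return sum(weights.get(site, 0) for site in set(hits))


def postscreen_verdict(
    weights: Dict[str, int],
    hits: Iterable[str],
    threshold: int = POSTSCREEN_DNSBL_THRESHOLD,
) -> str:
    """'reject' when the combined score reaches the threshold, else 'pass'."""
    return "reject" if dnsbl_score(weights, hits) >= threshold else "pass"


if __name__ == "__main__":
    new = parse_dnsbl_sites(POSTSCREEN_DNSBL_SITES)
    old = parse_dnsbl_sites(OLD_STYLE_SITES)
    # A client listed only on zen.spamhaus.org is blocked under the old
    # weighting, but needs a second list to agree under the new one.
    for hits in (["zen.spamhaus.org"], ["zen.spamhaus.org", "bl.spamcop.net"]):
        print(hits, "old:", postscreen_verdict(old, hits),
              "new:", postscreen_verdict(new, hits))
```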
 
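Point 2 warns that a record may get "too long or too nested"; the added example below (not from the post) lints the SPF record shown above against the two limits behind that warning, without any DNS query: RFC 7208 allows at most 10 DNS-querying terms (a, mx, include, ptr, exists, redirect=) per evaluation, and one TXT character-string holds at most 255 bytes. Lookups inside an include'd domain count against the same limit of 10 but cannot be seen offline, so only direct lookups are reported. The records other than `AUTHOR_RECORD` are constructed inputs.

```python
"""Lint an SPF TXT record for the limits the post warns about.

Added example, not from the forum post. RFC 7208 section 4.6.4 limits the
DNS-querying terms to 10 per evaluation, and a single TXT
<character-string> holds at most 255 bytes. This check is offline, so it
counts only the record's own lookups; nested includes add to the same
limit but are not followed here.
"""
import ipaddress
import re
from typing import Dict, List, Optional

MAX_DNS_LOOKUPS = 10   # RFC 7208 section 4.6.4
MAX_TXT_STRING = 255   # one <character-string> in a TXT RR
LOOKUP_MECHANISMS = {"a", "mx", "include", "ptr", "exists"}

# The record from the post.
AUTHOR_RECORD = (
    "v=spf1 a mx ip4:194.37.255.0/24 ip4:91.198.224.0/24 "
    "include:hostedoffice.ag ~all"
)

# [qualifier]name[:arg | /cidr | =value]
_TERM = re.compile(
    r"^(?P<q>[+\-~?])?(?P<name>[a-z0-9]+)(?:(?P<sep>[:/=])(?P<arg>\S+))?$", re.I
)


def lint_spf(record: str) -> Dict[str, object]:
    """Return direct lookup count, the 'all' qualifier and a list of issues."""
    issues: List[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "lookups": 0, "all_qualifier": None,
                "issues": ["record must start with v=spf1"]}
    size = len(record.encode())
    if size > MAX_TXT_STRING:
        issues.append(f"{size} bytes: must be split into several TXT strings")
    lookups = 0
    has_redirect = False
    all_qualifier: Optional[str] = None
    for term in terms[1:]:
        m = _TERM.match(term)
        if m is None:
            issues.append(f"unparsable term {term!r}")
            continue
        name, sep, arg = m.group("name").lower(), m.group("sep"), m.group("arg")
        if sep == "=":                      # modifier, not a mechanism
            if name == "redirect":
                has_redirect = True
                lookups += 1
            elif name != "exp":
                issues.append(f"unknown modifier {term!r}")
            continue
        if all_qualifier is not None:       # mechanisms after 'all' are dead
            issues.append(f"{term!r} comes after 'all' and is never evaluated")
            continue
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        elif name in ("ip4", "ip6"):
            try:
                ipaddress.ip_network(arg or "", strict=False)
            except ValueError:
                issues.append(f"bad network in {term!r}")
        elif name == "all":
            all_qualifier = m.group("q") or "+"
            if all_qualifier == "+":
                issues.append("'+all' lets every host pass; use ~all or -all")
        else:
            issues.append(f"unknown mechanism {term!r}")
    if lookups > MAX_DNS_LOOKUPS:
        issues.append(f"{lookups} DNS lookups exceed {MAX_DNS_LOOKUPS}: permerror")
    if all_qualifier is None:
        issues.append("no 'all' term: unmatched senders get 'neutral'")
    elif has_redirect:
        issues.append("redirect= is ignored because 'all' is present")
    return {"valid": not issues, "lookups": lookups,
            "all_qualifier": all_qualifier, "issues": issues}


if __name__ == "__main__":
    for key, value in lint_spf(AUTHOR_RECORD).items():
        print(f"{key}: {value}")
```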
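For point 3, here is an added example (not from the post) that reads the mta-sts.txt body and the `_mta-sts` TXT record quoted above, validates them against RFC 8461 (version STSv1; mode enforce, testing or none; max_age at most 31557600 seconds; at least one mx line unless mode is none; an id of 1 to 32 alphanumeric characters, which only has to change whenever the policy changes so that senders refetch it), implements the `*.domain` mx pattern, which matches exactly one leftmost label, and shows what a sending MTA does in each mode. The MX host names passed in are constructed inputs.

```python
"""Parse and apply an MTA-STS policy like the one in the post.

Added example, not from the forum post. It validates the policy body and
the _mta-sts TXT record against RFC 8461 and applies the mx patterns the
way a sending MTA does: "*.heutger.net" covers "mail.heutger.net" but
neither "heutger.net" nor "a.b.heutger.net".
"""
import re
from dataclasses import dataclass
from typing import Dict, List

MAX_AGE_LIMIT = 31557600  # RFC 8461 section 3.2

# Both copied from the post.
POLICY_TEXT = """\
version: STSv1
mode: enforce
mx: *.heutger.net
max_age: 2419200
"""
STS_TXT = "v=STSv1; id=WB2VQK7b784TzXPR;"


@dataclass
class StsPolicy:
    mode: str
    mx: List[str]
    max_age: int


def parse_policy(text: str) -> StsPolicy:
    """Parse the key: value body served at /.well-known/mta-sts.txt."""
    fields: Dict[str, str] = {}
    mx: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"policy line without ':' {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value.lower())
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"bad mode {mode!r}")
    max_age = fields.get("max_age", "")
    if not max_age.isdigit() or int(max_age) > MAX_AGE_LIMIT:
        raise ValueError(f"max_age must be 0..{MAX_AGE_LIMIT} seconds")
    if mode != "none" and not mx:
        raise ValueError("at least one mx line is required")
    return StsPolicy(mode, mx, int(max_age))


def parse_sts_txt(record: str) -> Dict[str, str]:
    """Parse the _mta-sts TXT record; senders refetch the policy when id changes."""
    pairs: Dict[str, str] = {}
    for part in record.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            pairs[key.strip()] = value.strip()
    if pairs.get("v") != "STSv1":
        raise ValueError("TXT record must start with v=STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", pairs.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return pairs


def mx_matches(pattern: str, host: str) -> bool:
    """A leading '*.' stands for exactly one label, nothing more or less."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return host == pattern


def delivery_decision(policy: StsPolicy, mx_host: str, tls_ok: bool) -> str:
    """What a sending MTA honouring the policy does for one MX host."""
    compliant = tls_ok and any(mx_matches(p, mx_host) for p in policy.mx)
    if compliant or policy.mode == "none":
        return "deliver"
    if policy.mode == "testing":
        return "deliver-and-report"  # the failure only shows up in the TLSRPT report
    return "defer"                   # enforce: no fallback to cleartext or a foreign MX


if __name__ == "__main__":
    policy = parse_policy(POLICY_TEXT)
    print(parse_sts_txt(STS_TXT), policy)
    for host, tls in (("mx1.heutger.net", True), ("mx1.heutger.net", False)):
        print(host, tls, "->", delivery_decision(policy, host, tls))
```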
Here comes something new!

As mentioned in my last post, I'm trying to optimize the PMG postfix TLS setup. The default setup (untouched by PMG) is somehow really weak, with weak protocols and ciphers. This setup may be fine for commercial setups, as even Qualys SSL Labs, Mozilla Observatory or Hardenize themselves don't achieve their own best scores because of compatibility with older browsers, systems etc., but for a "restricted" setup like a private one I could play around with some optimizations. So be warned: while I also tested out all my setups above on my commercial test setup (the only difference between my commercial test and private setup is still not using FCrDNS (reject_unknown_reverse_client_hostname instead of reject_unknown_client_hostname) and a milter-reject of 10 instead of 5, as Bayes hasn't been learned yet), and I always recommend to consider whether all my adjustments fit your exact situation before performing them (my setup is optimized for "my" spam occurrence, German-speaking countries, "my" considerations of a good balance between accepting spam vs. accepting false positives, as well as how to handle spam, like tagging only on spam and rejecting high-level spam), the settings below need to be tested on your setup from looser to stricter so as not to reject valid mails or move from encryption to plain text; every encryption is better than no encryption (however, coming back to my "wishlist" for PGP and S/MIME integration with PMG, content encryption is still better than transport encryption). If you are already on the warning path: all these adjustments are unsupported by Proxmox and you need to know what you do. I could provide some help here, or as a paid service in rare situations (it's not my primary job and I currently won't consider doing so; help with providing a repository with all my adjustments is also welcome), but you're at your own risk performing any of my adjustments provided here, which involve shell work and are not performed via the PMG GUI.

My current setup looks like this (to be added in /etc/pmg/templates/main.cf.in directly after smtpd_tls_key_file = $smtpd_tls_cert_file, still in the [% IF pmg.mail.tls %] section, before [% IF pmg.mail.tlslog %]):

Code:
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_ciphers = medium
tls_medium_cipherlist = AES256+EECDH:ECDHE-RSA-CHACHA20-POLY1305:AES128+EECDH:AES256+EDH:DHE-RSA-CHACHA20-POLY1305:AES128+EDH
tls_preempt_cipherlist = yes

Now the reasons why I had chosen these settings (based on the Cipherlist website), while my web server settings are much stricter (to reach A+ and 100%+ score; there will be an extra article on my blog about that):

Rows with and without "mandatory" are doubled because one setting is for mandatory TLS (not recommended, use MTA-STS for that) and the other is for optional TLS (recommended and default, if TLS is enabled). I disallow SSLv2 and SSLv3 as they are outdated, weak and there exist threat vectors for misuse. I allow everything else (which currently is TLSv1, TLSv1.1, TLSv1.2 and, if provided (currently not) by the postfix package, TLSv1.3). TLSv1.2 is the current secure option, TLSv1.3 is the future option; TLSv1.1 I never saw used on connections, but as I allow TLSv1, it makes sense to allow both. TLSv1 is weak, but I still saw servers connecting with TLSv1, and that's the strange and disappointing behavior of SMTP with STARTTLS: if a protocol is not supported, the connection gets aborted and the sending server connects again and sends the mail in plain text(!). So the decision is not whether to disable a weak protocol, but whether to still allow a weak protocol or fall back to plain; so weak encryption is better than no encryption. All modern servers use TLSv1.2 and don't fall back to TLSv1.1 or TLSv1 either, so it's a good compromise. To name some of the TLSv1 candidates: Deutsche Post, Fujicolor and some more "unknown" companies. For the ciphers I'd chosen not to support GCM only, as there are still some candidates not providing reliable (perfect) forward secrecy ciphers; typical candidates are Amazon (SES), Microsoft (Office 365), for sure all the TLSv1 candidates, and some more.

What I'm currently testing is whether I could remove the 128-bit encryption options, i.e. whether all sending servers support a minimum of 256 bit (would be fine, but on the website side with a 100% A+ grade it "cost" me some clients as I wasn't able to offer them something else; a few would have been satisfied with the chacha20-poly1305 cipher, but my Plesk setup's nginx server is built against an older OpenSSL version which doesn't provide that cipher), and after that, whether I could provide a 4096-bit key (also on my 100% A+ journey I recognized that an ECDSA 384-bit or 4096-bit RSA key is required to get 100%, but ECDSA support is less widespread, e.g. on mail servers, and would require adjustments on server configurations beyond e.g. what Plesk provides) also with my mail server and all the rest of my infrastructure, so that I need to maintain only one wildcard with 4096-bit RSA instead of two (one with 2048 bit and one with 4096 bit). I also switched the CA for that, as I wanted to be as close as possible to a 4096-bit RSA chain signed with SHA-384; however, the maximum I was able to get was a 4096-bit root and a SHA-384 chain with my leaf certificate being 4096-bit RSA but signed only with SHA-256.

I will keep you posted here on my final setup. Again, it's my setup; to be most interoperable, I recommend to stay with TLSv1 and up and use my recommended cipher suite as a minimum, or maybe stay with the one provided by default, but enforce a server-side order with my last option above, as by default it's disabled, so the client chooses the cipher instead of the server, which (usually) starts with the strongest cipher down to the weakest and enforces this order.

Update 1 (5.6.19): I recognized that while my Plesk installation is not able to handle chacha20-poly1305, Postfix/OpenSSL on my PMG installation is able to handle it. So I added it to my cipher list after AES256 (after each ECDHE and DHE occurrence): as it's 200% faster than AES on platforms without hardware acceleration but 50% slower on accelerated ones, and assuming AES acceleration is already widespread, I ordered it after AES; as it's also a 256-bit cipher, I ordered it after AES256 and before AES128.

Update 2 (7.6.19): I now also started to play around with my commercial test installation as mentioned above, which needs to be more open, but the current default set is really terrible, including weak ciphers as well as anonymous ciphers, so I decided I will try my ciphers there as well. I already found two occurrences where I had to adjust my ciphers. One is Hubspot; they seem not to like PFS, so I was required to add :AES256-GCM-SHA384:AES128-GCM-SHA256 to the end on my commercial test.

Update 3 (9.6.19): I will stay with the cipher suite above for my private setup and now test the 4096-bit RSA key. 128 bit as well as chacha20 occurred in my commercial test setup, so I could expect it anytime on my private setup too, and if I support TLS v1 as well as TLS v1.1 and weaker PFS cipher suites, I could also support 128 bit. I will continue testing now whether a longer RSA key will encounter any problems (I still use a 2048-bit DH, as the chain is still not completely 4096 bit and I'm afraid a longer DH may break some more connections) and will then focus on fine-tuning my commercial test setup. I recently saw one client requiring very weak ciphers; will see if I would support that.

Update 4 (17.6.19): I now added some more ciphers on the commercial test setup, as some more noobs are using really outdated cipher suites on their servers, so they are :AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA

Update 5 (1.7.19): For now I'm done. My private setup stayed as above, while my commercial setup has been finalized as well with the adjustment as written above in Update 4, so the final, less tight setup on commercial is now:

Code:
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_ciphers = medium
tls_medium_cipherlist = AES256+EECDH:ECDHE-RSA-CHACHA20-POLY1305:AES128+EECDH:AES256+EDH:DHE-RSA-CHACHA20-POLY1305:AES128+EDH:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
tls_preempt_cipherlist = yes

I will recheck that from time to time, as e.g. Hubspot seem to have reacted to my complaint about their bad setup. As the ciphers are sorted now, it's much easier to check from left to right (from good to bad) how the support is going, and if any of the less secure ciphers aren't used anymore I would be able to remove them completely. For sure, I will then update this post, or hopefully will then be ready to run my GitHub repository of changes.
 
Hello Heutger,

I have done all of the configs in this thread; the Proxmox server filters spam mail better, but there are still many spam emails belonging to Google, Amazon or other domains that Proxmox cannot filter. Some mail is actually spam, but Proxmox still allows it to be sent to the mail server. I am so confused; some mail is checked by DCC and Pyzor but some mail is not. BTW my Bayes gives a score to all mail.
 

Hi,

so if DCC and Pyzor are working fine, you can only still learn such mails as spam to Bayes, so that the score (Bayes spam probability) gets higher. Additionally you may consider rating (spam level points) DCC, Pyzor and Bayes scores higher if they are valid (so your spam level for marking, quarantine or rejecting gets reached faster). That's somehow all you can do with Google, Amazon etc. spam, as you can't filter such domains without too many false positives, so only content weapons can be used (SpamAssassin scores). However, most of these mails are DKIM-signed and SPF-valid, so you will get a subtraction for this valid behavior and may score other ratings higher, like DCC, Pyzor or Bayes score. You may report spam to the service providers; hopefully they will change their setup similar to United Internet to also scan outgoing mails and decide how to send out based on spam score: reject high-level spam, use less reliable servers for possible spam and highly reliable servers for non-spam. That's the biggest problem with spam from the big providers, but with a well-learned Bayes database you may be able to reject much spam based on content.

Regards,
Christian
 
Hello Heutger,

Thanks for your reply

I really thank you for writing this article. It greatly helps Proxmox's spam filtering capabilities.

I hope you will continue to write new things about Proxmox.

Besides, can you show me where to configure the scores for pyzor and dcc?

Regards,

Thinh
 

You're welcome.

You need to adjust the scores in /usr/share/spamassassin/50_scores.cf in these sections:

Code:
# DCC
ifplugin Mail::SpamAssassin::Plugin::DCC
score DCC_CHECK        0  1.1   0  1.1
score DCC_REPUT_00_12  0 -0.8   0 -0.4
score DCC_REPUT_13_19  0 -0.1   0 -0.1
score DCC_REPUT_70_89  0  0.1   0  0.1
score DCC_REPUT_90_94  0  0.4   0  0.6
score DCC_REPUT_95_98  0  0.7   0  1.0
score DCC_REPUT_99_100 0  1.2   0  1.4
endif # Mail::SpamAssassin::Plugin::DCC

# Pyzor
ifplugin Mail::SpamAssassin::Plugin::Pyzor
# <gen:mutable>
score PYZOR_CHECK 0 1.985 0 1.392 # n=0 n=2
# </gen:mutable>
endif # Mail::SpamAssassin::Plugin::Pyzor
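The four numbers on each score line above are not one score: SpamAssassin keeps four score sets and picks one column depending on whether Bayes and network tests are enabled. The added example below (not from the post or from SpamAssassin) parses the fragment above, honours the ifplugin/endif guards, and resolves the score that actually applies; it also accepts the single-value form, which sets all four columns at once.

```python
"""Resolve which SpamAssassin score column actually applies.

Added example, not part of the forum post. A "score" line carries one
value or four; with four, SpamAssassin selects a column by how it runs:

    column 0: Bayes off, network tests off
    column 1: Bayes off, network tests on
    column 2: Bayes on,  network tests off
    column 3: Bayes on,  network tests on

ifplugin/endif blocks only take effect when the named plugin is loaded,
which is why a missing loadplugin line leaves DCC and Pyzor without any
score at all. A later "score" line for the same rule overrides an earlier
one, and a single value applies to all four columns.
"""
from typing import Dict, Iterable, List, Set

# Fragment of 50_scores.cf quoted in the post.
SCORES_CF = """\
# DCC
ifplugin Mail::SpamAssassin::Plugin::DCC
score DCC_CHECK        0  1.1   0  1.1
score DCC_REPUT_00_12  0 -0.8   0 -0.4
score DCC_REPUT_13_19  0 -0.1   0 -0.1
score DCC_REPUT_70_89  0  0.1   0  0.1
score DCC_REPUT_90_94  0  0.4   0  0.6
score DCC_REPUT_95_98  0  0.7   0  1.0
score DCC_REPUT_99_100 0  1.2   0  1.4
endif # Mail::SpamAssassin::Plugin::DCC

# Pyzor
ifplugin Mail::SpamAssassin::Plugin::Pyzor
# <gen:mutable>
score PYZOR_CHECK 0 1.985 0 1.392 # n=0 n=2
# </gen:mutable>
endif # Mail::SpamAssassin::Plugin::Pyzor
"""

ALL_PLUGINS = {"Mail::SpamAssassin::Plugin::DCC", "Mail::SpamAssassin::Plugin::Pyzor"}


def parse_scores(text: str, loaded_plugins: Set[str]) -> Dict[str, List[float]]:
    """Return rule -> four score columns, honouring ifplugin/endif guards."""
    scores: Dict[str, List[float]] = {}
    active = [True]  # stack of enclosing ifplugin conditions
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        words = line.split()
        if words[0] == "ifplugin":
            active.append(active[-1] and words[1] in loaded_plugins)
        elif words[0] == "endif":
            if len(active) > 1:
                active.pop()
        elif words[0] == "score" and active[-1]:
            values = [float(v) for v in words[2:]]
            if len(values) == 1:
                values = values * 4  # one value covers all four score sets
            elif len(values) != 4:
                raise ValueError(f"score line needs 1 or 4 values: {raw!r}")
            scores[words[1]] = values
    return scores


def column(bayes: bool, net: bool) -> int:
    """Index of the score set SpamAssassin uses for this configuration."""
    return (2 if bayes else 0) + (1 if net else 0)


def effective_score(scores: Dict[str, List[float]], rule: str,
                    bayes: bool, net: bool) -> float:
    """Score a hit on `rule` contributes; unknown rules contribute 0."""
    return scores.get(rule, [0.0] * 4)[column(bayes, net)]


def total(scores: Dict[str, List[float]], hits: Iterable[str],
          bayes: bool, net: bool) -> float:
    """Sum of the effective scores for the rules that fired."""
    return round(sum(effective_score(scores, r, bayes, net) for r in hits), 3)


if __name__ == "__main__":
    table = parse_scores(SCORES_CF, ALL_PLUGINS)
    for bayes in (False, True):
        for net in (False, True):
            print(f"bayes={bayes!s:5} net={net!s:5} -> "
                  f"{total(table, ['DCC_CHECK', 'PYZOR_CHECK'], bayes, net)}")
```

With network tests off the DCC and Pyzor columns are 0, so a mail that both services flag still gains nothing from them; with both on, the two hits add 2.492 points under the fragment above.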
 
Hi heutger

I must have missed something; I'm not 100% sure how to create the dcc.service.

I can see you've edited the file, but what is being placed into the file?

I'm finding the notes a little difficult to follow.

Any assistance is greatly appreciated.

Cheers
G
 

Hi,

see the second post. The first post always shows the steps performed and, if required, then the content of the files. Just search on page 1 for dcc.service. I'm still looking for help on how to maintain my changes. So if you can provide assistance, you're welcome.

Regards,
Christian
 
Thanks, I did, but did not understand :(

/lib/systemd/system/dcc.service (lets dcc run as daemon):
Code:
[Unit]
Description=DCC (Distributed Checksum Clearinghouses) interface daemon
After=remote-fs.target systemd-journald-dev-log.socket

[Service]
Type=forking
PermissionsStartOnly=true
RuntimeDirectory=dcc
ExecStart=/var/dcc/libexec/dccifd
User=root
Group=root
Nice=1

#DCC writes pid file with "-" at the beginning which confuses systemd
#PIDFile=/run/dcc/dccifd.pid

[Install]
WantedBy=multi-user.target
 
