[TUTORIAL] Advancing Proxmox Mail Gateway (especially Spam and Virus Detection)

Quick question: has anyone else seen this error before? Not sure if it's the modification I did on Proxmox or Proxmox itself. I have only one email that does not come in, for which I'm getting this error, but I checked the client email and they do have DMARC.
Code:
5.7.1 rejected by DMARC policy

Code:
Sep 16 14:04:03 mail postfix/cleanup[4617]: 40BCF3C156A: milter-reject: END-OF-MESSAGE from mail-eopbgr820051.outbound.protection.outlook.com[40.107.82.51]: 5.7.1 rejected by DMARC policy for clientemail.com; from=<user@clientemail.com> to=<myemail@mydomain.com> proto=ESMTP helo=<NAM01-SN1-obe.outbound.protection.outlook.com>
 

Unsure in which direction, but as DMARC is not implemented in PMG yet, I believe, it's not coming from PMG.
 
Thanks for the quick reply, but it's odd because this is the error that PMG is giving me:
Code:
Sep 16 14:04:03 mail postfix/cleanup[4617]: 40BCF3C156A: milter-reject: END-OF-MESSAGE from mail-eopbgr820051.outbound.protection.outlook.com[40.107.82.51]: 5.7.1 rejected by DMARC policy for clientemail.com; from=<user@clientemail.com> to=<myemail@mydomain.com> proto=ESMTP helo=<NAM01-SN1-obe.outbound.protection.outlook.com>
 
milter-reject screams for an individual adjustment, as PMG doesn't use milter by default. I use milter with spamass-milter and I saw some DKIM tutorials here also using milter. DKIM and DMARC are close together, so it looks like you raised a DMARC reject based on DMARC policy for the first time. (As DMARC is not as widespread as it's promoted, DKIM has big problems with lack of controlled key sizes, algorithms etc., and OpenDMARC also seems to have an unpatched vulnerability; all in all, DMARC isn't worth what it gets promoted for.)
 
Thanks for the reply. So how would I temporarily disable this? First time this is happening. I did put DKIM to go outbound, but not sure why it's affecting the inbound?

Thank you
 
Just to be sure - check for a running process matching dmarc (e.g. opendmarc is a popular milter for DMARC): ps auxwf | grep -i dmarc
 

How do you prevent DKIM from being invoked for inbound? As I remember from my rspamd tests, you need a special version of Postfix to be able to control when the milter is called; otherwise, once integrated, it's called inbound as well as outbound, although you see your benefits outbound only.
 
Thanks for the reply, finally figured it out after lots of reading, so this is what happened. So if anyone else has this issue: ONLY if they have OpenDMARC on PMG (which does not come by default; I installed it with OpenDKIM to send outbound emails through PMG).

The client had a DMARC record (it's a government domain, I know, so sad):
Code:
dig +short txt _dmarc.dian.gov.co
"v=DMARC1; p=reject;  rua=mailto:seguridadinfo@dian.gov.co"

So they had p=reject, meaning that if someone tries to send email which does not come from their IP, and if someone else has DMARC, it will reject it. Here is the worst part, their MX record:

Code:
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;dian.gov.co.            IN    MX

;; ANSWER SECTION:
dian.gov.co.        71312    IN    MX    10 mailgw.dian.gov.co.

;; ADDITIONAL SECTION:
mailgw.dian.gov.co.    71312    IN    A    190.144.206.25

And this is the best part: they have their email sending through Exchange:
Code:
: disconnect from mail-eopbgr690079.outbound.protection.outlook.com[40.107.69.79] ehlo=2 starttls=1 mail=1 rcpt=1 data=0/1 quit=1 commands=6/7

I told them something is wrong and they said that this has never happened to them. The only way I fixed this is in
nano /etc/opendmarc.conf
removed
RejectFailures true

and reboot.

Hope this helps someone else
 
And that they never got this problem shows again that DMARC is nicely promoted but somehow not used at all. They also seem to have an SPF record (so don't follow your worst or best part; they would have to add their Office 365 usage into the SPF policy and need to enable DMARC there, if that hasn't been done already), but forgot about it. That's not the exception, it's the rule. On my commercial installation SPF is therefore still off (I just play around with it on my private installation), because looking at the tracking center for spf_fail I still see which mail would have been rejected, and it's terrible. Besides forgetting to adjust SPF records, problems also arise with forums (like this), mailing lists (like the Proxmox developer list) etc.; they usually show up in the DMARC reports I activated.
 
Very correct. So sad people don't use the correct settings, which means people who want to use it cannot. So far this is the first case I have ever seen; usually people may have the wrong DMARC but they have p=none, which has no effect, but the p=reject really killed it for them, and having the wrong MX record too.
 
They often don't make wrong settings, they just forget about what they set and don't update it. The reason for that is that it usually never occurs that these mistakes cause any problems, because the technique has so many obstacles that it isn't adopted widely. SPF fails on any forwarding, mailing list or group mailing system (e.g. Google Groups!), DKIM the same, and finally because of both DMARC also fails. SRS is not widely adopted, and instead of solving such problems with DKIM or latest DMARC, the same problems arise again and they try to solve them with another new technology called ARC.

p=none, however, is somehow completely useless DMARC (also recognized by many rating sites, which test your settings and rate their success as "disabled" DMARC); as you don't enforce anything, it makes no sense at all. It's like ending an SPF record with an allowance that everyone else can also send, which makes no sense at all. The minimum for both should be to flag as softfail or get the mails quarantined with p=quarantine.
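To make the two cases above concrete (the p=reject that bounced the client's Outlook-sent mail, and why p=none would have changed nothing), here is an added, receiver-side DMARC evaluation written for this thread; it is not OpenDMARC's or PMG's code. The DMARC record and the connecting IP are the ones quoted in the thread; the SPF record is a constructed sample that lists only their own MX host, and the SPF/alignment logic is deliberately minimal (no include/a/mx mechanisms, no Public Suffix List).

```python
import ipaddress

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_tags(record):
    """Parse a 'k=v; k=v' tag list (a DMARC TXT record) into a dict."""
    tags = {}
    for part in record.strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_result(spf_record, client_ip):
    """Minimal SPF evaluator: ip4/ip6 mechanisms and 'all' only (no include/a/mx)."""
    ip = ipaddress.ip_address(client_ip)
    for mech in spf_record.split()[1:]:            # skip the 'v=spf1' version tag
        qualifier = "+"
        if mech[0] in "+-~?":
            qualifier, mech = mech[0], mech[1:]
        if mech.startswith(("ip4:", "ip6:")) and ip in ipaddress.ip_network(mech[4:], strict=False):
            return RESULT_BY_QUALIFIER[qualifier]
        if mech == "all":
            return RESULT_BY_QUALIFIER[qualifier]
    return "neutral"                                # nothing matched and no 'all' mechanism

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match; relaxed ('r') is
    approximated here as a parent/subdomain relationship (no Public Suffix List)."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else (a == b or a.endswith("." + b) or b.endswith("." + a))

def dmarc_disposition(dmarc_record, from_domain, spf, spf_domain, dkim, dkim_domain):
    """DMARC passes if SPF or DKIM passes AND is aligned with the From: domain;
    otherwise the sender's published p= policy (none/quarantine/reject) applies."""
    tags = parse_tags(dmarc_record)
    spf_ok = spf == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")

def evaluate_inbound(dmarc_record, spf_record, client_ip, from_domain, dkim="none", dkim_domain=""):
    """One inbound message as the receiving MTA sees it: SPF on the connecting IP,
    then DMARC. Assumes the envelope MAIL FROM domain equals the From: domain."""
    spf = spf_result(spf_record, client_ip)
    return spf, dmarc_disposition(dmarc_record, from_domain, spf, from_domain, dkim, dkim_domain)

# Sample inputs: DMARC record and connecting IP as quoted in the thread; SPF is constructed.
DMARC_DIAN = '"v=DMARC1; p=reject;  rua=mailto:seguridadinfo@dian.gov.co"'
SPF_SAMPLE = "v=spf1 ip4:190.144.206.25 -all"      # constructed: only their own MX host
OUTLOOK_IP = "40.107.82.51"                        # from the milter-reject log line above

if __name__ == "__main__":
    print(evaluate_inbound(DMARC_DIAN, SPF_SAMPLE, OUTLOOK_IP, "dian.gov.co"))  # ('fail', 'reject')
```

Adding the Outlook ranges to SPF, or DKIM-signing at Office 365 with an aligned d= domain, would turn the last call into a pass without touching the receiver.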
 
Not sure if anyone else has had this issue before on PMG version 5.2.1 with clamav-unofficial-sigs.
These were the steps I took:
Code:
cd /tmp
wget https://github.com/extremeshok/clamav-unofficial-sigs/archive/master.zip
unzip master.zip
cp -r clamav-unofficial-sigs-master/clamav-unofficial-sigs.sh /usr/local/sbin/
chmod 755 /usr/local/sbin/clamav-unofficial-sigs.sh
mkdir /etc/clamav-unofficial-sigs
cp clamav-unofficial-sigs-master/config/* /etc/clamav-unofficial-sigs/
mkdir /var/log/clamav-unofficial-sigs
cd /etc/clamav-unofficial-sigs
cat /etc/*release*
mv os.debian9.conf os.conf

but I'm getting an email alert with this error:
Code:
/usr/local/sbin/clamav-unofficial-sigs.sh: line 2828: /var/lib/clamav-unofficial-sigs/test/malwarepatrol.db: No such file or directory
LibClamAV Error: cl_load(): No such file or directory: /var/lib/clamav-unofficial-sigs/test/malwarepatrol.db
ERROR: Can't get file status
/usr/local/sbin/clamav-unofficial-sigs.sh: line 2835: /var/lib/clamav-unofficial-sigs/test/malwarepatrol.db-tmp: No such file or directory
mv: cannot stat '/var/lib/clamav-unofficial-sigs/test/malwarepatrol.db-tmp': No such file or directory

The only error when running the commands above is the last part, the mv os.debian9,
and in the tutorial it says

Code:
cp clamav-unofficial-sigs-master/clamav-unofficial-sigs.sh /usr/local/sbin/
but it seems that it needed a cp -r; not sure what could be the issue.

Thank you again
 
Hi guys... does this work on PMG 6.0 too?

I updated our Cluster yesterday. It works like a charm with the help of the update documentation. First Master and then Slave.

About DMARC:
We also do not check DMARC on our mail server. But I configured this for our domains to get reports about SPF/DKIM failures.

But we check and apply hard SPF rejects, because the sender configured it that way. Currently I have only had 2 cases where a hard reject resulted in a wrong reject. But this was human mistake and was fixed within minutes after mailing the postmaster.
Most admins configure the ~all catch-all, which only results in a bad spam rating.
We inform our clients about that, so they can decide to use another mail provider. Most major mailing lists are listed in whitelists and do anything against spam ratings. So this isn't a problem in combination with some major DNSBLs.

Didn't test it yet. As I would like to improve the documentation as well as clean up my system instead of upgrading, I will test in the next days.

When you need help/time, I can invest some time. Probably @DerDanilo can help us with Ansible. I just started to understand this deployment way, because it looks powerful. So we can give something more than money to improve Proxmox Mail Gateway and hopefully get a Mail Archive some day. ^^
 
Hi,

I'm sorry, but I don't support ClamAV any more, as it does not work well and the sigs also provided more false positives than useful results. I switched to Avast. New documentation will remove any ClamAV adjustments, new installations as well. I believe the topic is because the ClamAV Unofficial Sigs package has been updated and may have been restructured. On the link above (without /archive/master.zip) you will also find the exact steps to follow to set the signatures up.

Regards,
Christian
 
Thanks for the feedback. We currently see some feature updates promoted for PMG. So once PMG 6.1 is released, my plan is to rebuild the tutorial to fit the newest version and features. I will for sure remove ClamAV support; maybe I can also remove spamass-milter, as maybe prequeue will come as well.
 
Do you have an update to this that lets us use the GeoLite2 libraries from MaxMind? Since GeoLite 1 ("Legacy") is no longer supported nor provided to non-paying customers, we have to migrate to GeoIP2 support...
 