[TUTORIAL] Advancing Proxmox Mail Gateway (especially Spam and Virus Detection)
- Thread starter heutger
- Start date
Thanks for the info, but im getting an issue after running
Code:
echo "test" | spamassassin -D pyzor 2>&1 | lessi got this error
Code:
Jan 5 21:36:43.516 [2744] warn: config: created user preferences file: /root/.spamassassin/user_prefs
Jan 5 21:36:43.537 [2744] dbg: pyzor: network tests on, attempting Pyzor
Jan 5 21:36:48.746 [2744] info: config: country_db_path "/usr/share/GeoIP/GeoLite2-Country.mmdb" is not accessible
Jan 5 21:36:48.746 [2744] info: config: SpamAssassin failed to parse line, "/usr/share/GeoIP/GeoLite2-Country.mmdb" is not valid for "country_db_path", skipping: country_db_path /usr/share/GeoIP/GeoLite2-Country.mmdbwhats odd is that i checked /usr/share and did not see GeoIP folder
Thank you
Any easy way to remove all rules created by custom channels ?
Getting too many false-positives from schaal-it.
First step - remove sa-update from cron.hourly, what other steps are required ?
Found the answer.
/var/lib/spamassassin/3.004002 - includes custom ruleset.
Getting too many false-positives from schaal-it.
First step - remove sa-update from cron.hourly, what other steps are required ?
Found the answer.
/var/lib/spamassassin/3.004002 - includes custom ruleset.
Last edited:
I am on PMG 6.2-5, and do not use the Filter, so I am removing the line for restarting Spamassassin - but my question is, are these rules in the current directory also used by 6.2-5 in it's Spam Assassin @heutger
Why shouldn't the rules do it with 6.2.5? See not reason for your question... You can safely skip the SA restart line (like you already did!), as it's not required by PMG default install, only when you use the additional miltered setup....
@heutger and @Stoiko Ivanov :
And I really wonder, why the tweaks use systemctl restart pmg-smtp-filter and not systemctl reload pmg-smtp-filter?
Shouldn't the systemctl reload pmg-smtp-filter just do the same, to apply SA-Ruleset changes on the fly, without interrupting the whole pmg-filter-service process (and creating new PID) when executing systemctl restart pmg-smtp-filter?
Last edited:
The reason I ask this question is because, when I do
spamassassin -D --lint 2>&1 | grep -i --color KAM.cf - I can see that it is loading KAM.cf as shown in dbg: config: using "/usr/share/spamassassin-extra/KAM.cf" for included filebut when I do
spamassassin -D --lint 2>&1 | grep -i --color nonKAMrules.cf I get no output. I do not have a separate MILTER based spamassassin setup, and am using only the one with PMG only. I had also added some more custom Rules that I need like the bogus-virus-warnings.cf and even they are not getting loaded - hence the question.I believe I should edit
/etc/mail/spamassassin/local.cf as instead of including the extra's directory - it only includes the KAM.cf thereHi, Were you able to get get the Header working - I would like to see the Relay Country in all my emails.
@ittk @thebiggeek I recently always did restart on service changes, but maybe @Stoiko Ivanov could answer, when reload is enough and when restart is really required. I believe, that config changes should be performed by a restart, maybe just value changes a reload will be enough but enabling additional modules a restart would be better, I'm unsure. As I also recompile the rules before I perform my restart, I believe, a restart is much more safe, but again, I didn't found anything about the difference on reload or restart, I just found, that in some postings about amavis, which is somehow a similar wrapper as pmg-smtp-filter to spamassassin, just performing a reload has been told to be enough.
About adding X-SPAM_Relay-Country I'm unsure if the reason why this header is not been added is also because of pmg-smtp-filter wrapping SpamAssassin as pmg-smtp-filter is also performing own spam score headers than e.g. my miltered SpamAssassin, so maybe they suppress adding the header. Again @Stoiko Ivanov may help here.
About adding X-SPAM_Relay-Country I'm unsure if the reason why this header is not been added is also because of pmg-smtp-filter wrapping SpamAssassin as pmg-smtp-filter is also performing own spam score headers than e.g. my miltered SpamAssassin, so maybe they suppress adding the header. Again @Stoiko Ivanov may help here.
@heutger @Stoiko Ivanov
PMG currently use restart for the daily sa-update routine. In one of the Apache RuleUpdates Docs you have mentioned restart on one side , and reload on other SA 3.4.x SA-update document. Very strange divergence... So what is actually the best way without the lowest impact for long-term running systems?
PMG currently use restart for the daily sa-update routine. In one of the Apache RuleUpdates Docs you have mentioned restart on one side , and reload on other SA 3.4.x SA-update document. Very strange divergence... So what is actually the best way without the lowest impact for long-term running systems?
I have also started noticing a bug - whatever additional rules I add to the file
I have also started publishing some of my own Custom Rules in case someone needs - these rules are from spams messages that I have seen that pass by and are hard to detect. Typically sent by new senders from Yahoo / Gmail and hence they dont' fail anything - other than the content. The Rules are available here on my GitHub - Thanks to the script by @heutger I have been able to setup a Daily update of these to the server - now only to figure out why the Include Statements from my local.cf are getting removed
/etc/mail/spamassassin/local.cf keep getting removed, the only rule line that survives this is the KAM.CF but others get removed, not sure how to handle this, maybe @Stoiko Ivanov can give inputs? I am currently on 6.2-5I have also started publishing some of my own Custom Rules in case someone needs - these rules are from spams messages that I have seen that pass by and are hard to detect. Typically sent by new senders from Yahoo / Gmail and hence they dont' fail anything - other than the content. The Rules are available here on my GitHub - Thanks to the script by @heutger I have been able to setup a Daily update of these to the server - now only to figure out why the Include Statements from my local.cf are getting removed
Some updates @Stoiko Ivanov I added the links in
/usr/share/spamassassin-extras/ into the customs.cf instead of local.cf and now changes from there are also disappearing. This is only happening on the machine where I updated pve-kernel-5.4 (pve-kernel-5.44-2-pve) and not on the machine were update is pending (I have 2 machines setup in cluster)To find what could be causing this, I upgraded my second node in the cluster too and I am loosing any settings I make in the custom.cf or local.cf
you need to use PMG's templateing system to override the configuration files:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine
Upon reload the rule-database and configuration are loaded, however the SpamAssassin rules are not reloaded.
In those cases a restart should be carried out.
OTOH this should not affect mailprocessing - the pre-forked children, which at that moment inspect a mail with finish doing so before exiting.
I hope this explains it.
Thank you @heutger for your reference of Invaluement - I am right now testing these out. In the meantime, there were a few questions I had from your Advancing setup and thought will ask you here
1. I notice that you are not using Greylisting - in the pmgconfig dump you have shared, your
2. I notice you are not testing for SPF - I understand that a lot of people are not complaint, I would love to hear more about you on your setting of
3. For TLS - you are using both TLS LOG and TLS Header - Can you elaborate more on these settings and how this helps
4. For PMG Verify Receivers, I am unable to find documentation - Does this require me to map each individual email id on the PMG servers?
5. Can you help me understand the setting and it's impact for
1. I notice that you are not using Greylisting - in the pmgconfig dump you have shared, your
pmg.mail.greylist = 0 is shown - maybe it changed over time - I have personally found that greaylist keeps away a bit of Spam - but have also found many mail servers are not complaint - What is your opinion here?2. I notice you are not testing for SPF - I understand that a lot of people are not complaint, I would love to hear more about you on your setting of
pmg.mail.spf = 03. For TLS - you are using both TLS LOG and TLS Header - Can you elaborate more on these settings and how this helps
pmg.mail.tlsheader=1, pmg.mail.tlslog = 14. For PMG Verify Receivers, I am unable to find documentation - Does this require me to map each individual email id on the PMG servers?
mg.mail.verifyreceivers = 5505. Can you help me understand the setting and it's impact for
pmg.mail.rejectunknown = 0Thank you - I will read up about this - so just to get it correct - all changes to be made for anything are to be in templates, but changes to file
/etc/mail/spamassassin/custom.cf are ok?
You're welcome, best wishes to Rob. Maybe he should negotiate with Proxmox team to offer his list with a special discount as an option to their subscription packages (maybe I should signup as a reseller for Proxmox and built the packages myself).
1. I already mentioned to Proxmox team (maybe @Stoiko Ivanov will discuss on that again, as it recently had been declined, but maybe times changed) that Greylisting in the current times (maybe 10+ years before it was different) is useless as been (usually) implemented. It result in somehow any mail get delayed, which is no good behavior in current times (where everything needs to be fast or e.g. timeouts may occur on password resets etc.). To "disable" Greylisting based on SPF also does not make sense as SPF is also no good solution. If enabled also -all rules apply, which may get you in trouble as SPF is not well implemented. Forwarded or group mails (also Proxmox had that issue BTW) would result in a reject on -all, some configured SPF and forgot about it (because of its useless state) and finally most spam reaching my inbox is from Google Mail, Outlook.com or Yahoo Mail, which is well DKIM signed and with valid SPF records, so it's no indicator for spam or no-spam any more. But(!) there is only one setup, which really makes much sense in conjunction with Greylisting, which I saw on rspamd, but isn't adopted by Proxmox (yet?). If a mail has a particular spam score (maybe with post-queue filtering that did not make sense or was somehow impossible, with pre-queue filtering it's possible now), greylist that mail and just that mail. You may ask why? So you may have three states of a mail: mail is (somehow seriously sure) ham, let's pass that one, fast and without any hassle, mail is (somehow seriously sure) spam, let's reject that, fast and without any hassle, mail is unsure, maybe spam or not, greylist that one with the benefit, that the sender need to retry and the hope, if the sender retry and the mail is really spam, the sender is now already listed on necessary blacklists, so it get then rejected or it's still unsure and maybe (with a higher percentage of success) ham, then let it pass. I call that conditional greylisting and that's the only way, I believe greylisting has an existential reason today.
2. As mentioned before and sorry for being such direct now, I believe in some of the current techniques are bullshit. This ones are: SPF, DKIM, DMARC (as result of SPF and DKIM), DANE, DNSSEC. The reasons are somehow the same (as mentioned in my posts) failed by design. And I really don't understand, why this failures are often done again and again, as e.g. SPF is killed by forwarding, mail groups, etc. DMARC has the same design failure and requires ARC to fix that. Why doing the same failure again and again? However, that's the reason, why I disabled SPF (on my commercial trial setup, on my private playground one it's sometimes enabled).
3. Just for debugging purposes. You may keep it off. I somehow used TLS log very often at the time of optimizing my TLS cipher suite setting.
4. Verify receivers needs to be supported by the destination server (and if exist the full path until the destination server). Then PMG will perform checks to such server(s), if the address get reported as unreachable or not, so you could safely reject a message for not existing recipients instead of having anyone in the flow sending NDR, which may result in getting your infrastructure recognized as backscatterer or more unserious and in Germany illegal any server in the path tries to report back and is unable to do so, finally resulting in suppressing the message without any response. Code 550 is hard, 450 would result in retries.
5. As documented unknown clients are rejected (should be enabled in my example configuration, isn't it?). However be careful with this setting and read my documentation on that. I changed the behavior on my commercial trial (not on my private playground) as the default setting provided by PMG (@Stoiko Ivanov maybe Proxmox should offer both options) is a FCrDNS check, so the client IP need to resolve to a hostname and vice versa this hostname need to resolve back to the same IP address. On particular clustered setups, that may fail so the check will result in unnecessary rejects. So I changed that in adjusting the template to reject_unknown_reverse_client_hostname which only perform the IP to hostname check but omit the consistency check back to the IP address, which result in less false-positives. As PMG offers sometimes options like 450 or 550 (however not on all settings, I therefor did manually some more), PMG should also offer the harder or softer option of reject_client_hostname with rejectunknown.
Hope, that helps! ;-)
TLDR: Thank you for your inputs - I am disabling SPF checks and also grey listing, will keep you updated on what happens next.
That was a long read, and I thank you for taking the time out to answer my queries. Reference Bundling Invaluement lists inside Proxmox maybe a good idea, but that will depend on these two parties. Am glad that we can integrate his solution - thanks to you making it simpler, and yes may all the power be to Rob. (About you bundling a solution - I did see a thread where there was a mention someone wanted you to consult them - I would love to speak about this - I remember when I started using Mail Scanner the first time around, there were a few people who launched services based on Mail Scanner)
1. Reference Greylist. you make a good point, and add that with SPF - yes a lot of emails get rejected. I am not sure about SPF. I have actually seen hosting companies and clients getting tighter about SPF - I understand it's not fully out there, but then the debate is - people will implement only if you start returning emails. For DKIM - That is still a far cry - not all servers support it - and I personally started testing PMG as an outbound relay for DKIM Signing before switching the Antispam capabilities to it. Let me see if I find a solution and or alternative to SPF. I like the way you are thinking of the Greylist and the absolute SPAM/HAM and am sure this is an area where there will be some stuff to be done.
2. I am not a big believer in DMARC / DKIM and DANE - I think these were just pushed down our throats (like. IPV6) and we are far far away to see proper implementations. DNS Servers by virtue of their design are old and aging and no one is really doing much on this front (I recently migrated our BIND Servers setup in 1995 to Power DNS - and thought I will find a good front end - but na.. I am still back to editing BIND files that have 2000+ Lines for historical reasons, and other deployments that have happened since 1995). So I get it - that it's just not laziness but the porting of essential services are a complex thought, add to that legacy systems (On Premise Exchange for example does not support DKIM/DMARC) - Old Zimbra and QMAIL / Postfix servers still have a problem doing this, and as you said - one looses this in mailing lists / groups / forwards.
3. I would love to know more about your TLS experience, and what you are doing here - maybe you could setup a thread on that, like you did for Advancing and for your Filtering lists.
4. I will let the Verify Receivers bit for now, I am anyway wary of this. I use INUMBO for some of our work and it needs to list each email id every time you create one. I love what INUMBO and HALON are doing, and they have priced it nicely too, but making sure you add the users at both the places, always result in a chaos. Ensuring full path is also a challenge, I would rather send NDR's.
5. Thanks got the Unknown client bit. I actually love that setting only on Direct Mail Servers and yes with Proxy's such as PMG delivering email and SPF not setup properly this may become a challenge.