All incoming mail being blocked suddenly

bwatsonfc

New Member
Jul 25, 2024
Hello, we are using PMG to filter incoming email to a domain for our Fax2Email server we host for our customers. We have a Who Object for the Global Blacklist that essentially blocks everything, regex for ".*", with a priority (50) lower than the Whitelist (55). In the Whitelist we add emails and/or domains for our customers that are authorized to send faxes. For 10 days now this has been working flawlessly: the email comes into PMG; if it is from a domain/email on the whitelist, it gets passed to the fax server, which then sends the email and its attachments out as a fax. If it does not match anything on the whitelist, it gets blocked and does not get sent to the fax server. This prevents unknown users from sending spam faxes through our fax server.

Suddenly between 8:16 AM and 8:29 AM today, everything started being blocked due to the blacklist regardless of whether or not they are on the whitelist. I understand there is a difference between envelope-from and mail-from, and that the Global Whitelist/Who Object is going to key off the envelope-from, but it has been working for ten days now without issue. As a test, I bumped the priority of the Whitelist to 95, so only the virus checks are above it, and rebooted PMG, but items are still blocked via the blacklist. I then added a What Object for from=myemail and sent a test and it was accepted due to that rule, but from what I can tell, my envelope-from and my mail-from are both signaling "myemail".

Here is an example from the tracking center of an accepted email before the problem started earlier today. customer.domain is listed as a Domain Who Object under the Whitelist.

2024-10-18T07:04:08.381192-05:00 hylafaxmailgateway postfix/smtpd[408000]: connect from mail-bn8nam11on2119.outbound.protection.outlook.com[40.107.236.119]
2024-10-18T07:04:08.580069-05:00 hylafaxmailgateway postfix/smtpd[408000]: Anonymous TLS connection established from mail-bn8nam11on2119.outbound.protection.outlook.com[40.107.236.119]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
2024-10-18T07:04:09.222395-05:00 hylafaxmailgateway postfix/smtpd[408000]: 3645C20051A: client=mail-bn8nam11on2119.outbound.protection.outlook.com[40.107.236.119]
2024-10-18T07:04:09.651314-05:00 hylafaxmailgateway postfix/smtpd[408000]: 9EF0D2008D6: client=mail-bn8nam11on2119.outbound.protection.outlook.com[40.107.236.119]
2024-10-18T07:04:09.720093-05:00 hylafaxmailgateway postfix/cleanup[408005]: 9EF0D2008D6: message-id=<SA3PR12MB876126ECD036009B93BB39A59C402@SA3PR12MB8761.namprd12.prod.outlook.com>
2024-10-18T07:04:09.759983-05:00 hylafaxmailgateway postfix/qmgr[833]: 9EF0D2008D6: from=<customeremail@customer.domain>, size=18408, nrcpt=1 (queue active)
2024-10-18T07:04:09.808395-05:00 hylafaxmailgateway pmg-smtp-filter[403746]: 2008DA67124EB9C3C13: new mail message-id=<SA3PR12MB876126ECD036009B93BB39A59C402@SA3PR12MB8761.namprd12.prod.outlook.com>#012
2024-10-18T07:04:09.840198-05:00 hylafaxmailgateway postfix/smtpd[408000]: disconnect from mail-bn8nam11on2119.outbound.protection.outlook.com[40.107.236.119] ehlo=2 starttls=1 mail=2 rcpt=2 bdat=2 quit=1 commands=10
2024-10-18T07:04:10.439442-05:00 hylafaxmailgateway pmg-smtp-filter[403746]: 2008DA67124EB9C3C13: SA score=0/5 time=0.599 bayes=undefined autolearn=disabled hits=ARC_SIGNED(0.001),ARC_VALID(0.001),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DMARC_MISSING(0.1),HK_RANDOM_ENVFROM(0.001),HK_RANDOM_FROM(1),HTML_MESSAGE(0.001),RCVD_IN_MSPIKE_H2(-1.249),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),UPPERCASE_50_75(0.791)
2024-10-18T07:04:10.441934-05:00 hylafaxmailgateway postfix/smtpd[408017]: connect from localhost.localdomain[127.0.0.1]
2024-10-18T07:04:10.442817-05:00 hylafaxmailgateway postfix/smtpd[408017]: 6C16720051A: client=localhost.localdomain[127.0.0.1], orig_client=mail-bn8nam11on2119.outbound.protection.outlook.com[40.107.236.119]
2024-10-18T07:04:10.444538-05:00 hylafaxmailgateway postfix/cleanup[408005]: 6C16720051A: message-id=<SA3PR12MB876126ECD036009B93BB39A59C402@SA3PR12MB8761.namprd12.prod.outlook.com>
2024-10-18T07:04:10.487509-05:00 hylafaxmailgateway postfix/qmgr[833]: 6C16720051A: from=<customeremail@customer.domain>, size=19479, nrcpt=1 (queue active)
2024-10-18T07:04:10.487567-05:00 hylafaxmailgateway postfix/smtpd[408017]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
2024-10-18T07:04:10.487613-05:00 hylafaxmailgateway pmg-smtp-filter[403746]: 2008DA67124EB9C3C13: accept mail to <5555555555@fax.ourdomain.com> (6C16720051A) (rule: Whitelist)
2024-10-18T07:04:10.490552-05:00 hylafaxmailgateway pmg-smtp-filter[403746]: 2008DA67124EB9C3C13: processing time: 0.685 seconds (0.599, 0.029, 0)
2024-10-18T07:04:10.490977-05:00 hylafaxmailgateway postfix/lmtp[408006]: 9EF0D2008D6: to=<5555555555@fax.ourdomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.91, delays=0.17/0/0.04/0.69, dsn=2.5.0, status=sent (250 2.5.0 OK (2008DA67124EB9C3C13))
2024-10-18T07:04:10.491128-05:00 hylafaxmailgateway postfix/qmgr[833]: 9EF0D2008D6: removed
2024-10-18T07:04:10.520819-05:00 hylafaxmailgateway postfix/smtp[408019]: Untrusted TLS connection established to 10.226.40.94[10.226.40.94]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)
2024-10-18T07:04:10.565734-05:00 hylafaxmailgateway postfix/smtp[408019]: 6C16720051A: to=<5555555555@fax.ourdomain.com>, relay=10.226.40.94[10.226.40.94]:25, delay=0.12, delays=0.04/0/0.07/0, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 8936C80E23BE)
2024-10-18T07:04:10.565857-05:00 hylafaxmailgateway postfix/qmgr[833]: 6C16720051A: removed

Less than an hour later, that same sender attempted to send another fax to a different destination number and it was blocked.

2024-10-18T07:57:42.302175-05:00 hylafaxmailgateway postfix/smtpd[408748]: connect from mail-dm3nam02on2138.outbound.protection.outlook.com[40.107.95.138]
2024-10-18T07:57:42.477728-05:00 hylafaxmailgateway postfix/smtpd[408748]: Anonymous TLS connection established from mail-dm3nam02on2138.outbound.protection.outlook.com[40.107.95.138]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
2024-10-18T07:57:42.636795-05:00 hylafaxmailgateway postfix/smtpd[408748]: 9B70F200034: client=mail-dm3nam02on2138.outbound.protection.outlook.com[40.107.95.138]
2024-10-18T07:57:42.721111-05:00 hylafaxmailgateway postfix/cleanup[408751]: 9B70F200034: message-id=<SA3PR12MB8761179D36C430C095B416299C402@SA3PR12MB8761.namprd12.prod.outlook.com>
2024-10-18T07:57:42.724638-05:00 hylafaxmailgateway postfix/qmgr[833]: 9B70F200034: from=<customeremail@customer.domain>, size=20151, nrcpt=1 (queue active)
2024-10-18T07:57:42.790173-05:00 hylafaxmailgateway postfix/smtpd[408748]: disconnect from mail-dm3nam02on2138.outbound.protection.outlook.com[40.107.95.138] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=1 quit=1 commands=7
2024-10-18T07:57:42.810762-05:00 hylafaxmailgateway pmg-smtp-filter[403746]: 20087367125B46C400C: new mail message-id=<SA3PR12MB8761179D36C430C095B416299C402@SA3PR12MB8761.namprd12.prod.outlook.com>#012
2024-10-18T07:57:43.514086-05:00 hylafaxmailgateway pmg-smtp-filter[403746]: 20087367125B46C400C: SA score=0/5 time=0.667 bayes=undefined autolearn=disabled hits=ARC_SIGNED(0.001),ARC_VALID(0.001),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DMARC_MISSING(0.1),HK_RANDOM_ENVFROM(0.001),HK_RANDOM_FROM(1),HTML_MESSAGE(0.001),RCVD_IN_MSPIKE_H2(-1.249),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),UPPERCASE_50_75(0.791)
2024-10-18T07:57:43.516479-05:00 hylafaxmailgateway pmg-smtp-filter[403746]: 20087367125B46C400C: block mail to <5555555555@fax.ourdomain.com> (rule: Blacklist)
2024-10-18T07:57:43.519596-05:00 hylafaxmailgateway pmg-smtp-filter[403746]: 20087367125B46C400C: processing time: 0.713 seconds (0.667, 0.033, 0)
2024-10-18T07:57:43.519949-05:00 hylafaxmailgateway postfix/lmtp[408752]: 9B70F200034: to=<5555555555@fax.ourdomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.95, delays=0.16/0.04/0.04/0.72, dsn=2.7.0, status=sent (250 2.7.0 BLOCKED (20087367125B46C400C))
2024-10-18T07:57:43.520087-05:00 hylafaxmailgateway postfix/qmgr[833]: 9B70F200034: removed

I have opened a support ticket but am posting here as well. I am assuming that what shows up in the tracking center under the From column is the envelope-from, and once an item is expanded, from=<customeremail@customer.domain> is the mail-from. In this instance, both show the exact same thing. Is that not the case? Is there a way in the tracking center to see what is being sent in the envelope-from that the Who Object Whitelist is matching against?
 
It appears that while editing the Whitelist someone changed the "Any matches" dropdown to "All Match", which I did not realize at first because on the Mail Filter screen for the Whitelist it showed:

Action Accept
From > Any Matches > Whitelist

In the whitelist itself, the drop-down got changed by a user who thought that was for the search filter.
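To illustrate why that single dropdown change flipped every whitelisted sender to "block (rule: Blacklist)", here is an added simplified model of the rule evaluation described in this thread. It is not Proxmox Mail Gateway code: rule names, priorities and the two whitelist entries are constructed from the post, the "any"/"all" semantics are a plain re-implementation, and the default of accepting when no rule matches is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed model: the highest-priority rule whose Who group matches the
# envelope sender decides the action. Not PMG's own implementation.

@dataclass
class WhoGroup:
    name: str
    patterns: list          # regexes applied to the envelope-from address
    mode: str = "any"       # "any" (default) or "all": the dropdown in question

    def matches(self, envelope_from: str) -> bool:
        hits = [re.fullmatch(p, envelope_from) is not None for p in self.patterns]
        return all(hits) if self.mode == "all" else any(hits)

@dataclass
class Rule:
    name: str
    priority: int
    action: str             # "accept" or "block"
    who: WhoGroup

def evaluate(rules, envelope_from):
    # Highest priority first; the first matching rule's final action wins.
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if rule.who.matches(envelope_from):
            return f"{rule.action} (rule: {rule.name})"
    return "accept (no rule matched)"   # assumed default, see lead-in

def unreachable_all_groups(rules):
    """Config check: a Who group in 'all' mode with several entries can only
    match a sender that satisfies every entry at once, so with non-overlapping
    entries it never matches and the lower-priority .* blacklist catches all."""
    return [r.name for r in rules if r.who.mode == "all" and len(r.who.patterns) > 1]

def build_rules(whitelist_mode):
    # Constructed policy mirroring the thread: blacklist everything at 50,
    # whitelist one customer domain plus one extra address at 55.
    whitelist = WhoGroup("Whitelist",
                         [r"[^@]+@customer\.domain", r"other@partner\.example"],
                         whitelist_mode)
    blacklist = WhoGroup("Global Blacklist", [r".*"])
    return [Rule("Blacklist", 50, "block", blacklist),
            Rule("Whitelist", 55, "accept", whitelist)]

SENDER = "customeremail@customer.domain"   # constructed, from the log excerpt

if __name__ == "__main__":
    print(evaluate(build_rules("any"), SENDER))        # accept (rule: Whitelist)
    print(evaluate(build_rules("all"), SENDER))        # block (rule: Blacklist)
    print(unreachable_all_groups(build_rules("all")))  # ['Whitelist']
```

Running `unreachable_all_groups` against an exported rule set is the kind of check that would have flagged the misconfiguration before the tracking center started filling with Blacklist hits.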