blacklisted email addresses showing up in quarantine

AvdN · New Member · Dec 19, 2022
Some users have quite a few emails every day from .shop TLD email addresses that rightfully ended up in the quarantine as spam. The sheer number of the emails makes looking for potential non-spam emails that inadvertently end up in the quarantine difficult, so we added an entry "*.shop" to the blacklist for them.

I did expect emails from such domains to not arrive in the quarantine anymore, but it seems that that entry only forces all email from TLD .shop to go in the quarantine independent of spam score.
Assuming this is how the blacklist is supposed to operate, how can I, per user, make '*.shop' matching senders get discarded instead of added to the quarantine?
(If that is not possible, can I instead programmatically clean up matching entries from the quarantine before the nightly email is sent out?).

To be clear: some other users need to be able to get emails from .shop email addresses.

Before PMG I had (manually, on request) set up procmailrc rules for a few users that forward emails matching some pattern to /dev/null. So they were used to never seeing these emails, and now they have to deal with them in the quarantine. I had hoped the PMG blacklist would do away with maintaining those procmailrc files for them.
 
I did expect emails from such domains to not arrive in the quarantine anymore, but it seems that that entry only forces all email from TLD .shop to go in the quarantine independent of spam score.
Assuming this is how the blacklist is supposed to operate, how can I, per user, make '*.shop' matching senders get discarded instead of added to the quarantine?
What happens if a mail matches a particular Who/What object depends entirely on your ruleset (the default ruleset happens to have a rule where things matching the Blacklist Who object are blocked, but maybe you changed that?).

share the logs of such a mail and a (redacted) version of your rulesystem (e.g. through `pmgdb dump`)

Assuming this is how the blacklist is supposed to operate, how can I, per user, make '*.shop' matching senders get discarded instead of added to the quarantine?
I'd create 2 rules:
* put those users that want to get .shop mails in a 'To' Object, add a rule which accepts mail 'From' *.shop and 'To' Them
* create one rule without 'To' Object at a lower priority with 'From' *.shop and block as action

I hope this helps!
 
What happens if a mail matches a particular Who/What object depends entirely on your ruleset (the default ruleset happens to have a rule where things matching the Blacklist Who object are blocked, but maybe you changed that?).
I don't think I changed anything there. Does block mean not going to the quarantine, or does it mean it goes directly to the quarantine?


share the logs of such a mail and a (redacted) version of your rulesystem (e.g. through `pmgdb dump`)
An email for which the sender address is in the blacklist and that arrives in the quarantine has this in the mail.log:

Jan 29 22:34:27 pmg postfix/qmgr[819]: 3168C1809E8: from=<somename@xzy.com>, size=94407, nrcpt=1 (queue active)
Jan 29 22:34:27 pmg postfix/smtpd[407529]: disconnect from unknown[10.0.2.2] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jan 29 22:34:27 pmg pmg-smtp-filter[404700]: 2023/01/29-22:34:27 CONNECT TCP Peer: "[127.0.0.1]:44432" Local: "[127.0.0.1]:10024"
Jan 29 22:34:27 pmg pmg-smtp-filter[404700]: 1810F963D6E6633D4B0: new mail message-id=<c1ae8b33-4bab-4202-9430-ff3b0127584c@az.westeurope.unknown.xyz.com>#012
Jan 29 22:34:42 pmg pmg-smtp-filter[404700]: 1810F963D6E6633D4B0: SA score=6/5 time=15.078 bayes=undefined autolearn=no autolearn_force=no hits=AWL(-0.223),DKIM_INVALID(0.1),DKIM_SIGNED(0.1),HTML_FONT_LOW_CONTRAST(0.001),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),KAM_HUGEIMGSRC(0.2),KAM_MAILBOX2(6.25),KAM_SHORT(0.001),SPF_PASS(-0.001),T_SPF_HELO_TEMPERROR(0.01)
Jan 29 22:34:42 pmg pmg-smtp-filter[404700]: 1810F963D6E6633D4B0: moved mail for <avdn@myxyz.com> to spam quarantine - 18115063D6E67264D3B (rule: Quarantine/Mark Spam (Level 3))

I attached the dump output, the only thing I remember changing is X-SPAM status to Y-SPAM-status

I'd create 2 rules:
* put those users that want to get .shop mails in a 'To' Object, add a rule which accepts mail 'From' *.shop and 'To' Them
* create one rule without 'To' Object at a lower priority with 'From' *.shop and block as action

I hope this helps!
But that would mean I have to manage this for the users (or create some web interface for them), which is what I hoped to circumvent with the blacklists. And that would not be necessary if blacklisted email addresses (or domains) would not get into the quarantine in the first place.
 

Attachments: pgm_dump.txt (3.6 KB)
I don't think I changed anything there. Does block mean not going to the quarantine, or does it mean it goes directly to the quarantine?
Block means the mail is discarded or rejected (depending on the settings of before queue filtering and send ndr on block):
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_mail_proxy_configuration (section 4.7.5)

But that would mean I have to manage this for the users (or create some web interface for them), which is what I hoped to circumvent with the blacklists. And that would not be necessary if blacklisted email addresses (or domains) would not get into the quarantine in the first place.
Check the reference documentation on the different blocklists and their functions:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_whitelist_overview

Usually, adding a sender to the user whitelist simply skips the spam analysis, and adding a sender to the user blacklist sets the mail's score to 100 (which you then need to block in your rule system).

I hope this explains it!
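A way to confirm the behaviour described in this answer from the mail.log lines quoted earlier in the thread: group the pmg-smtp-filter lines per filter queue ID, read the SA score and the rule that fired, and list every mail whose score reached the blacklist value of 100 but was still moved to the quarantine, since each such mail means no Block rule matched it. This is an added example, not Proxmox code; the log lines, queue IDs and hit names in SAMPLE_LOG are constructed to mimic the format shown above.

```python
import re
from typing import Dict, List

# Constructed sample lines in the pmg-smtp-filter format quoted in the thread.
# Queue IDs, message IDs and hit names are made up for this example.
SAMPLE_LOG = """\
Jan 29 22:34:27 pmg pmg-smtp-filter[404700]: 1810F963D6E6633D4B0: new mail message-id=<c1ae8b33-4bab@mail.example.shop>#012
Jan 29 22:34:42 pmg pmg-smtp-filter[404700]: 1810F963D6E6633D4B0: SA score=6/5 time=15.078 bayes=undefined autolearn=no autolearn_force=no hits=KAM_MAILBOX2(6.25),SPF_PASS(-0.001)
Jan 29 22:34:42 pmg pmg-smtp-filter[404700]: 1810F963D6E6633D4B0: moved mail for <avdn@myxyz.com> to spam quarantine - 18115063D6E67264D3B (rule: Quarantine/Mark Spam (Level 3))
Jan 29 22:40:01 pmg pmg-smtp-filter[404700]: 18120000000000000A1: new mail message-id=<promo-77@offers.example.shop>#012
Jan 29 22:40:02 pmg pmg-smtp-filter[404700]: 18120000000000000A1: SA score=100/5 time=0.412 bayes=undefined autolearn=no autolearn_force=no hits=EXAMPLE_HIT(100)
Jan 29 22:40:02 pmg pmg-smtp-filter[404700]: 18120000000000000A1: moved mail for <avdn@myxyz.com> to spam quarantine - 18120000000000000B2 (rule: Quarantine/Mark Spam (Level 3))
"""

LINE_RE = re.compile(r"pmg-smtp-filter\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$")
MSGID_RE = re.compile(r"^new mail message-id=<(?P<msgid>[^>]+)>")
SCORE_RE = re.compile(r"^SA score=(?P<score>-?\d+(?:\.\d+)?)/(?P<req>\d+)")
QUAR_RE = re.compile(r"^moved mail for <(?P<rcpt>[^>]+)> to spam quarantine - \S+ \(rule: (?P<rule>.*)\)$")


def parse_filter_log(text: str) -> Dict[str, dict]:
    """Group the per-message pmg-smtp-filter lines by filter queue ID."""
    msgs: Dict[str, dict] = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # postfix lines and other noise are not needed here
        rec = msgs.setdefault(m["qid"], {})
        rest = m["rest"]
        if (x := MSGID_RE.match(rest)):
            rec["msgid"] = x["msgid"]
        elif (x := SCORE_RE.match(rest)):
            rec["score"] = float(x["score"])
            rec["required"] = float(x["req"])
        elif (x := QUAR_RE.match(rest)):
            rec["rcpt"] = x["rcpt"]
            rec["rule"] = x["rule"]
    return msgs


def blacklisted_but_quarantined(msgs: Dict[str, dict], blacklist_score: float = 100.0) -> List[str]:
    """Queue IDs whose score reached the user-blacklist value yet were still
    quarantined: each one shows that no higher-priority Block rule matched."""
    return sorted(qid for qid, r in msgs.items()
                  if r.get("score", 0) >= blacklist_score and "rule" in r)


if __name__ == "__main__":
    for qid in blacklisted_but_quarantined(parse_filter_log(SAMPLE_LOG)):
        print(f"{qid}: blacklisted sender landed in quarantine instead of being blocked")
```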
 
