Blacklisting IP Address has zero effect - Mail Filters

captainproton

Member
Aug 18, 2021
I am using PMG 6.4-4 and have added a couple of IP Addresses to the Mail Filters Blacklist. There seems to be no effect and the offending IP Addresses can still connect in the usual way. They are eventually rejected because they appear in DNSBL lists.

I would have thought that finding an IP Address in the Blacklist would cause PMG to simply disconnect without doing any further tests.

Can someone enlighten me as to the purpose of Blacklists if they appear to be ignored.

The mail gateway is running as an LXC on Proxmox 7.0-8.

Here is the output of pmgdb dump:


Found RULE 30 (prio: 98, in, active): Blacklist
  FOUND FROM GROUP 48: Blacklist
    OBJECT 118: do-not-reply@giftbox.com.au
    OBJECT 80: nomail@fromthisdomain.com
    OBJECT 117: noreply@dollardays.com
    OBJECT 123: dollardays.com
    OBJECT 124: 77.247.110.150
    OBJECT 126: 77.247.110.0/24
    OBJECT 125: 78.128.113.0/24
  FOUND ACTION GROUP 64: Block
    OBJECT 110: block message
Found RULE 29 (prio: 96, out, inactive): Virus Alert
  FOUND WHAT GROUP 55: Virus
    OBJECT 101: active
  FOUND ACTION GROUP 64: Block
    OBJECT 110: block message
  FOUND ACTION GROUP 66: Notify Admin
    OBJECT 112: notify __ADMIN__
  FOUND ACTION GROUP 67: Notify Sender
    OBJECT 113: notify __SENDER__
Found RULE 28 (prio: 96, in, inactive): Block Viruses
  FOUND WHAT GROUP 55: Virus
    OBJECT 101: active
  FOUND ACTION GROUP 65: Quarantine
    OBJECT 111: Move to quarantine.
  FOUND ACTION GROUP 66: Notify Admin
    OBJECT 112: notify __ADMIN__
Found RULE 27 (prio: 93, in, active): Block Dangerous Files
  FOUND WHAT GROUP 54: Dangerous Content
    OBJECT 95: content-type=application/javascript
    OBJECT 96: content-type=application/x-executable
    OBJECT 94: content-type=application/x-java
    OBJECT 93: content-type=application/x-ms-dos-executable
    OBJECT 97: content-type=application/x-ms-dos-executable
    OBJECT 98: content-type=message/partial
    OBJECT 99: filename=.*\.(vbs|pif|lnk|shs|shb)
    OBJECT 100: filename=.*\.\{.+\}
  FOUND ACTION GROUP 61: Remove attachments
    OBJECT 107: remove matching attachments
Found RULE 31 (prio: 90, in, active): Modify Header
  FOUND ACTION GROUP 59: Modify Spam Level
    OBJECT 105: modify field: X-SPAM-LEVEL:__SPAM_INFO__
  FOUND ACTION GROUP 60: Modify Spam Subject
    OBJECT 106: modify field: subject:SPAM: __SUBJECT__
Found RULE 39 (prio: 89, in, inactive): Quarantine Office Files
  FOUND WHAT GROUP 53: Office Files
    OBJECT 88: content-type=application/msword
    OBJECT 86: content-type=application/vnd\.ms-excel
    OBJECT 87: content-type=application/vnd\.ms-powerpoint
    OBJECT 90: content-type=application/vnd\.oasis\.opendocument\..*
    OBJECT 89: content-type=application/vnd\.openxmlformats-officedocument\..*
    OBJECT 91: content-type=application/vnd\.stardivision\..*
    OBJECT 92: content-type=application/vnd\.sun\.xml\..*
  FOUND ACTION GROUP 69: Attachment Quarantine (remove matching)
    OBJECT 115: remove matching attachments
Found RULE 38 (prio: 87, in+out, inactive): Block Multimedia Files
  FOUND WHAT GROUP 52: Multimedia
    OBJECT 84: content-type=audio/.*
    OBJECT 85: content-type=video/.*
  FOUND ACTION GROUP 61: Remove attachments
    OBJECT 107: remove matching attachments
Found RULE 32 (prio: 85, in, active): Whitelist
  FOUND FROM GROUP 49: Whitelist
    OBJECT 81: mail@fromthisdomain.com
    OBJECT 121: luton.com.au
    OBJECT 119: propertytree.com
    OBJECT 120: propertytree.com.au
  FOUND ACTION GROUP 63: Accept
    OBJECT 109: accept message
Found RULE 35 (prio: 82, in, inactive): Block Spam (Level 10)
  FOUND WHAT GROUP 58: Spam (Level 10)
    OBJECT 104: Level 10
  FOUND ACTION GROUP 64: Block
    OBJECT 110: block message
Found RULE 34 (prio: 81, in, inactive): Quarantine/Mark Spam (Level 5)
  FOUND WHAT GROUP 57: Spam (Level 5)
    OBJECT 103: Level 5
  FOUND ACTION GROUP 60: Modify Spam Subject
    OBJECT 106: modify field: subject:SPAM: __SUBJECT__
  FOUND ACTION GROUP 65: Quarantine
    OBJECT 111: Move to quarantine.
Found RULE 33 (prio: 80, in, active): Quarantine/Mark Spam (Level 3)
  FOUND WHAT GROUP 56: Spam (Level 3)
    OBJECT 102: Level 3
  FOUND ACTION GROUP 65: Quarantine
    OBJECT 111: Move to quarantine.
Found RULE 36 (prio: 70, out, inactive): Block outgoing Spam
  FOUND WHAT GROUP 56: Spam (Level 3)
    OBJECT 102: Level 3
  FOUND ACTION GROUP 64: Block
    OBJECT 110: block message
  FOUND ACTION GROUP 66: Notify Admin
    OBJECT 112: notify __ADMIN__
  FOUND ACTION GROUP 67: Notify Sender
    OBJECT 113: notify __SENDER__
Found RULE 37 (prio: 60, out, inactive): Add Disclaimer
  FOUND ACTION GROUP 68: Disclaimer
    OBJECT 114: disclaimer
 
Check the reference documentation on black/whitelists:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_whitelist_overview

The mails should get dropped by pmg-smtp-filter (which runs after Postfix initially accepts the mail, depending on whether you have before-queue filtering enabled or not). If a mail does not get rejected by pmg-smtp-filter, please provide the logs of such a mail.

I hope this explains it!
Thanks for your reply.

I have a better understanding now. I did initially think that the blacklist was applied after accepting the mail, although I convinced myself that wasn't sensible. In my mind it makes more sense to check the blacklist for IP Addresses and drop them immediately. That way connections that persist over a number of days might simply give up.

Now that I think about it, and after your explanation, I see that Postfix answers the connection rather than PMG and therefore PMG can do nothing until Postfix has "done its thing".

I guess what I'll do is manually add addresses to the firewall and drop the connection.

Again, thanks for your help. You have answered my question.
 
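Since the rule-based blacklist only acts once pmg-smtp-filter sees the message, dropping known-bad sources before Postfix ever answers the connection has to happen in the host firewall, which is where the thread ends up. The following is an added example, not from the thread and not Proxmox's own code: a POSIX shell script that reads a plain blocklist of IPv4 addresses and CIDRs, rejects malformed entries, and emits an nftables ruleset that drops inbound TCP/25 from those sources. The blocklist file format, the table and set names, and the use of nftables (nft) on the gateway or on the Proxmox host are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): turn a plain list of IPv4 addresses and
# CIDRs into an nftables ruleset that drops inbound SMTP from those sources
# before Postfix answers. Assumes nft on the gateway/host and a blocklist file
# with one entry per line; '#' starts a comment. Table/set names are made up.

# Validate one IPv4 address or CIDR (dotted quad, optional /0-32).
valid_v4() {
    printf '%s\n' "$1" | grep -Eq \
        '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Read the blocklist, skip comments and blank lines, report malformed entries
# on stderr, and print the surviving entries as a comma-separated nft set body.
set_elements() {
    elems=""
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                                   # strip trailing comment
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')   # strip whitespace
        [ -z "$entry" ] && continue
        if ! valid_v4 "$entry"; then
            printf 'skipping malformed entry: %s\n' "$entry" >&2
            continue
        fi
        elems="${elems:+$elems, }$entry"
    done < "$1"
    printf '%s' "$elems"
}

# Emit a complete ruleset: a named set of blocked sources and one drop rule for
# TCP/25 in the input hook. 'flags interval' lets the set hold CIDRs and single
# addresses; 'auto-merge' folds overlapping entries (a host inside a listed /24).
ruleset() {
    elems=$(set_elements "$1") || return 1
    [ -n "$elems" ] || { echo "no valid entries in $1" >&2; return 1; }
    cat <<EOF
table inet smtp_block {
    set bad_senders {
        type ipv4_addr
        flags interval
        auto-merge
        elements = { $elems }
    }
    chain input {
        type filter hook input priority filter - 1; policy accept;
        tcp dport 25 ip saddr @bad_senders counter drop
    }
}
EOF
}

# Constructed sample blocklist: the host and the two /24s from the rule dump
# above, plus one deliberately malformed line to show it being skipped.
main() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# sources to drop before they reach Postfix
77.247.110.150
77.247.110.0/24
78.128.113.0/24
999.1.1.1        # malformed, will be skipped
EOF
    ruleset "$tmp"
    rm -f "$tmp"
}

# Apply with:  ./smtp_block.sh > /etc/nftables.d/smtp_block.nft && nft -f /etc/nftables.d/smtp_block.nft
main
```

Two caveats before relying on this. A connection dropped here never reaches Postfix, so there is no SMTP rejection, no log line from pmg-smtp-filter, and nothing in the tracking center for it; the nft counter on the drop rule is the only evidence. And because the gateway in this thread runs as an LXC, the same ruleset can be loaded on the Proxmox host instead, where the packets arrive first. The rule matches `ip saddr` only, so IPv6 sources would need a second set of type ipv6_addr.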
