Block action not working as expected

Discussion in 'Mail Gateway: Installation and configuration' started by Pavel Hruška, Jun 5, 2018.

  1. Pavel Hruška

    Pavel Hruška New Member

    Joined:
    May 1, 2018
    Messages:
    22
    Likes Received:
    2
    Hello all, I'm not able to block emails from unwanted sources, so I just want to clarify that I am doing everything right.

    I do have "Who object" with name "Newsletters" and I've filled it with emails and whole domains that I want to block. I've created Mail Filter action with name "Block Newsletters" where I've put "Action Object: Block" and specified "From: Newsletters", but still some emails are passing over this rule even if the source of the email is listed there.

    My question is what is the source of the email address that is being compared with the Who object? Is it "From:" header in the email header?

    Here is an example of the "From" header of a message that passed over even though "skoleni@xxx.com" is in "Newsletters" (taken from the raw message, where I've changed the real domain to xxx.com):

    From: =?UTF-8?B?S2zDoXJhIERvdWJvdsOh?= <skoleni@xxx.com>

    I see that email decoded well in the Spam Quarantine (full name followed by the email itself in sharp brackets)...

    I do have only one Accept action rule (whitelist) on the list before this Block action rule, but that whitelist does not contain this email... No Quarantine action before the block...

    Any chance to debug this or am I doing anything wrong?
     
  2. tom

    tom Proxmox Staff Member
    Staff Member

    Joined:
    Aug 29, 2006
    Messages:
    13,033
    Likes Received:
    333
  3. Pavel Hruška

    Well, can you explain it a little more in detail?

    Does it mean that analysing rules against the full email header means that:
    • there may be another address present in the header that will cause the mail to be ACCEPTED based on a different rule,
    • - or - there is another address in the header that might override the "from" (what I see as the end user) listed in the blocklist, which means that the block rule WON'T be triggered?
    Thank you.
     
    #3 Pavel Hruška, Jun 5, 2018
    Last edited: Jun 5, 2018
  4. tom

    As I don't see your full email header and the rule setup in detail, I cannot advise in detail.

    A common approach to get help here is going for a support subscription and you can send both files directly to our enterprise support team via a private ticket on https://my.proxmox.com
     
  5. Pavel Hruška

    Well I see another thread created recently here describing the same problem with black or white lists - emails are not triggering them when expected. You, tom, have answered there too.

    I have a simple set of rules, nowhere accepting anything from email addresses in the header, just blocking the address that is in the From header. And emails are passing over that block.

    I don't think it's okay that such a basic feature like a black or white list based on sender address (from) should lead to such confusion and not work as expected, not only for me...

    That is why it's so hard for me to see that you want to keep attention to this kind of problem only on paid support...
     
  6. tom

    Without analyzing your settings in detail it's just impossible to know what you did wrong. If you want someone to debug this for you, you need to provide all logs.

    As this is a public forum, a dedicated support ticket is better suited to protect your privacy, therefore I suggested our enterprise support for this.
     
  7. Pavel Hruška

    Okay, I do understand it.

    But please can you confirm one fundamental thing - giving the rule priority 100 (making it the one and only topmost), where the rule contains only one action (block) and only one who object (from) with a list of emails and domains, should it block (reject) the mail if the listed email address matches FROM in the email header? Or can anything else cause the email to be quarantined or even accepted?

    Thank you.
     
  8. Pavel Hruška

    And once again, I face the same problem with the whitelist - an email from a domain listed in the whitelist with an accept action (priority 87) was quarantined by a quarantine rule with lower priority (priority 73).

    There must be something wrong or really unclear in mail processing through the rules.
     
  9. tom

    Either you are matching the wrong fields (WHO objects) or you mixed up the SMTP ports settings somewhere.
     
  10. Pavel Hruška

    I do have all mails counted as incoming (I see that on statistics), so I hope this is okay and this is not the case.

    I really can't see what is wrong with my configuration, see the screenshot to get quick overview.
     


  11. Pavel Hruška

    Well, I think the problem is that mail processing and rules are checked only on the server communication, where the real address of the sender may be hidden (especially for mass mailing), as the FROM field is the envelope sender (machine) address and not the real (human) address. This is of course the reason why the rules are not triggered.

    This situation makes it impossible to fine-tune rules based on real addresses, and it is funny that it happens especially in the situations that I want to control - mass mailing (which does not mean mass mailing is always bad).

    Here is an example of the message from the tracking center (a little bit mangled to hide real addresses). There is no real FROM address visible, and this email passed over the rule defined to block that address, so the following quarantine action based on spam score took place.

    Code:
    Jun 4 13:55:29 pmg postfix/smtpd[10390]: connect from smtpg243.se6ruq.cz[130.193.14.243]
    Jun 4 13:55:30 pmg postfix/smtpd[10390]: ADB7860AF0: client=smtpg243.se6ruq.cz[130.193.14.243]
    Jun 4 13:55:30 pmg postfix/cleanup[10560]: ADB7860AF0: message-id=<bce-se_n.13066.899.316477_yyy-yyy.yyy@se-acc-13066.se-bounce-0001.cz>
    Jun 4 13:55:30 pmg postfix/qmgr[326]: ADB7860AF0: from=<bce-se_n.13066.899.316477_yyy-yyy.cz@se-acc-13066.se-bounce-0001.cz>, size=13529, nrcpt=1 (queue active)
    Jun 4 13:55:30 pmg pmg-smtp-filter[10416]: 807A65B1528B2C2379: new mail message-id=<bce-se_n.13066.899.316477_yyy-yyy.cz@se-acc-13066.se-bounce-0001.cz>
    Jun 4 13:55:32 pmg pmg-smtp-filter[10416]: 807A65B1528B2C2379: SA score=4/5 time=1.751 bayes=undefined autolearn=no autolearn_force=no hits=AWL,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FROM_EXCESS_BASE64,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_DNSWL_NONE,SPF_PASS
    Jun 4 13:55:32 pmg pmg-smtp-filter[10416]: 807A65B1528B2C2379: moved mail for <yyy@yyy.yyy> to spam quarantine - 807E15B1528B49D20D
    Jun 4 13:55:32 pmg pmg-smtp-filter[10416]: 807A65B1528B2C2379: processing time: 1.859 seconds (1.751, 0.071)
    Jun 4 13:55:32 pmg postfix/lmtp[10561]: ADB7860AF0: to=<yyy@yyy.yyy>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.9, delays=0.98/0/0.04/1.9, dsn=2.5.0, status=sent (250 2.5.0 OK (807A65B1528B2C2379))
    Jun 4 13:55:32 pmg postfix/qmgr[326]: ADB7860AF0: removed
    Jun 4 13:56:58 pmg postfix/smtpd[10390]: disconnect from smtpg243.se6ruq.cz[130.193.14.243] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 commands=6
    
    Here is an example of an email that has been sent from Gmail, with the from field containing the real address, and here the rule has been triggered as expected:

    Code:
    Jun 6 08:51:11 pmg postfix/smtpd[31644]: connect from mail-wm0-f42.google.com[74.125.82.42]
    Jun 6 08:51:11 pmg postfix/smtpd[31644]: D9A8B60011: client=mail-wm0-f42.google.com[74.125.82.42]
    Jun 6 08:51:11 pmg postfix/cleanup[31845]: D9A8B60011: message-id=<CAAHtm3FTiN+s65yAeGRNtVWM_K71mX_H_BRU5-0tA--nO_8KmQ@mail.gmail.com>
    Jun 6 08:51:11 pmg postfix/qmgr[326]: D9A8B60011: from=<xxx@xxx.xxx>, size=4124, nrcpt=1 (queue active)
    Jun 6 08:51:11 pmg postfix/smtpd[31644]: disconnect from mail-wm0-f42.google.com[74.125.82.42] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
    Jun 6 08:51:12 pmg pmg-smtp-filter[31546]: 808375B1784601F35A: new mail message-id=<CAAHtm3FTiN+s65yAeGRNtVWM_K71mX_H_BRU5-0tA--nO_8KmQ@mail.gmail.com>
    Jun 6 08:51:13 pmg pmg-smtp-filter[31546]: 808375B1784601F35A: SA score=0/5 time=0.869 bayes=undefined autolearn=ham autolearn_force=no hits=DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_PASS
    Jun 6 08:51:13 pmg pmg-smtp-filter[31546]: 808375B1784601F35A: block mail to <yyy@yyy.yyy>
    Jun 6 08:51:13 pmg pmg-smtp-filter[31546]: 808375B1784601F35A: processing time: 0.94 seconds (0.869, 0.044)
    Jun 6 08:51:13 pmg postfix/lmtp[31846]: D9A8B60011: to=<yyy@yyy.yyy>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.6, delays=0.46/0.01/0.16/0.95, dsn=2.7.0, status=sent (250 2.7.0 BLOCKED (808375B1784601F35A))
    Jun 6 08:51:13 pmg postfix/qmgr[326]: D9A8B60011: removed
     
    #11 Pavel Hruška, Jun 6, 2018
    Last edited: Jun 6, 2018
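The distinction drawn in the post above (envelope sender versus header From), together with the RFC 2047 encoded From header from the first post, as an added example that is not part of the thread and not Proxmox Mail Gateway code. The script pulls both sender identities out of a message: the decoded header From, and the envelope sender either from Return-Path or from the `from=<...>` field of a postfix qmgr log line in the shape shown above. It then checks each identity against a block list of addresses and bare domains. The sample message, the log line and `BLOCKLIST` are constructed for this example, the function names are my own, and nothing here claims which identity PMG's WHO object actually compares; it only shows why the answer matters.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample message modelled on the thread: the header From carries
# the human-readable sender (RFC 2047 encoded display name), while the
# envelope sender recorded in Return-Path is a bounce-tracking machine
# address at an unrelated domain.
SAMPLE_RAW = b"""Return-Path: <bce-se_n.13066.899.316477_yyy-yyy.cz@se-acc-13066.se-bounce-0001.cz>
From: =?UTF-8?B?S2zDoXJhIERvdWJvdsOh?= <skoleni@xxx.com>
To: <yyy@yyy.yyy>
Subject: Newsletter
Message-ID: <constructed@example.invalid>

Body text.
"""

# Constructed postfix qmgr line in the shape seen in the thread's log excerpt
SAMPLE_LOG = ("Jun 4 13:55:30 pmg postfix/qmgr[326]: ADB7860AF0: "
              "from=<bce-se_n.13066.899.316477_yyy-yyy.cz@se-acc-13066.se-bounce-0001.cz>, "
              "size=13529, nrcpt=1 (queue active)")

# Constructed block list: full addresses and bare domains, like a WHO object
BLOCKLIST = {"skoleni@xxx.com", "unwanted.example"}

# Hypothetical pattern for the qmgr 'from=<...>' field (assumed log shape)
LOG_FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: [0-9A-F]+: from=<([^>]*)>")


def header_from(raw_message):
    """Return (display_name, address) from the decoded header From."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hdr = msg["From"]  # policy.default decodes RFC 2047 encoded-words
    if hdr is None or not hdr.addresses:
        return ("", "")
    first = hdr.addresses[0]
    return (first.display_name, first.addr_spec.lower())


def envelope_from(raw_message):
    """Return the envelope sender (MAIL FROM) as recorded in Return-Path."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    _, addr = parseaddr(str(msg.get("Return-Path", "")))
    return addr.lower()


def envelope_from_log(line):
    """Extract the envelope sender from a postfix qmgr 'from=<...>' line."""
    match = LOG_FROM_RE.search(line)
    return match.group(1).lower() if match else None


def matches_list(addr, entries):
    """True if the address itself or its domain appears in the list."""
    if not addr or "@" not in addr:
        return False
    domain = addr.rpartition("@")[2]
    return addr in entries or domain in entries


def sender_identities(raw_message, entries=BLOCKLIST):
    """Report both sender identities and which of them the list would hit."""
    _, hdr = header_from(raw_message)
    env = envelope_from(raw_message)
    return {
        "header_from": hdr,
        "envelope_from": env,
        "header_from_listed": matches_list(hdr, entries),
        "envelope_from_listed": matches_list(env, entries),
    }


if __name__ == "__main__":
    for key, value in sender_identities(SAMPLE_RAW).items():
        print(f"{key}: {value}")
    print("envelope from log:", envelope_from_log(SAMPLE_LOG))
```

On the constructed message the header From (skoleni@xxx.com) is on the list while the envelope sender at se-bounce-0001.cz is not, so a filter that compares only the envelope sender lets the message through even though the "visible" sender is listed. The SpamAssassin hit HEADER_FROM_DIFFERENT_DOMAINS in the first log excerpt is the same mismatch seen from the scanner's side. Confirming which identity a rule's WHO object is compared against, and for a listed sender checking both identities as this script does, is the first thing to verify before suspecting rule priority.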
  12. Pavel Hruška

    Of course it would be great to hear any comment on this situation. Thank you...
     