Block action not working as expected

Pavel Hruška

Member
May 1, 2018
Hello all, I'm not able to block emails from unwanted sources, so I just want to clarify that I am doing everything right.

I do have "Who object" with name "Newsletters" and I've filled it with emails and whole domains that I want to block. I've created Mail Filter action with name "Block Newsletters" where I've put "Action Object: Block" and specified "From: Newsletters", but still some emails are passing over this rule even if the source of the email is listed there.

My question is what is the source of the email address that is being compared with the Who object? Is it "From:" header in the email header?

Here is example of "From" header of the message that passed over even though the "skoleni@xxx.com" is in the "Newsletters" (taken from the raw of the message where i've changed the real domain to xxx.com):

From: =?UTF-8?B?S2zDoXJhIERvdWJvdsOh?= <skoleni@xxx.com>

I see that email decoded well in the Spam Quarantine (full name followed by the email itself in sharp brackets)...

I do have only one Accept action rule (whitelist) on the list before this Block action rule, but that whitelist does not contain this email... No Quarantine action before the block...

Any chance to debug this or am I doing anything wrong?
 
Well, can you explain it a little more in detail?

Does it mean that analysing rules against the full email header means that:
  • there may be another address present in the header that will cause the mail to be ACCEPTED based on a different rule,
  • or there is another address in the header that might override the "from" (what I see as the end user) listed in the blocklist, which means the block rule WON'T be triggered?
Thank you.
 
As I don't see your full email header and the rule setup in detail, I cannot advise in detail.

A common approach to get help here is to go for a support subscription; you can then send both files directly to our enterprise support team via a private ticket on https://my.proxmox.com
 
Well, I see another thread created recently here describing the same problem with black or white lists - emails are not triggering them when expected. You, tom, have answered there too.

I have a simple set of rules, nowhere accepting anything from email addresses in the header, just blocking the address that is in the From header. And emails are passing over that block.

I don't think it's okay that such a basic feature like a black or white list based on sender address (from) should lead to such confusion and not work as expected, not only for me...

That is why it's so hard for me to see that you want to keep attention to this kind of problem only on paid support...
 

Without analyzing your settings in detail it's just impossible to know what you did wrong. If you want someone to debug this for you, you need to provide all logs.

As this is a public forum, a dedicated support ticket is better suited to protect your privacy, therefore I suggested our enterprise support for this.
 
Okay, I do understand it.

But please can you confirm one fundamental thing: giving the rule priority 100 (making it the one and only topmost rule), where the rule contains only one action (block) and only one who object (from) with a list of emails and domains, should it block (reject) the mail if the listed email address matches FROM in the email header? Or can anything else cause the email to be quarantined or even accepted?

Thank you.
 
And once again, I face the same problem with the whitelist - an email from a domain listed in the whitelist with accept action (priority 87) was quarantined by a quarantine rule with lower priority (priority 73).

There must be something wrong or really unclear in mail processing through the rules.
 

Either you are matching the wrong fields (WHO objects) or you mixed up the SMTP ports settings somewhere.
 
I do have all mails counted as incoming (I see that in the statistics), so I hope this is okay and this is not the case.

I really can't see what is wrong with my configuration; see the screenshot for a quick overview.
 

Attachments

  • rules_pmg.jpg
Well, I think the problem is that mail processing and rules are checked only on the server communication, where the real address of the sender may be hidden (especially for mass mailing), as the FROM field is the envelope sender (machine) address and not the real (human) address. This is of course the reason why the rules are not triggered.

This situation makes it impossible to fine-tune rules based on real addresses, and it is funny that it happens especially in the situations that I want to control - mass mailing (which does not mean mass mailing is always bad).

Here is an example of the message from the tracking center (a little bit mangled to hide real addresses). There is no real FROM address visible, and this email passed over the rule defined to block that address, so the following quarantine action based on spam score took place.

Code:
Jun 4 13:55:29 pmg postfix/smtpd[10390]: connect from smtpg243.se6ruq.cz[130.193.14.243]
Jun 4 13:55:30 pmg postfix/smtpd[10390]: ADB7860AF0: client=smtpg243.se6ruq.cz[130.193.14.243]
Jun 4 13:55:30 pmg postfix/cleanup[10560]: ADB7860AF0: message-id=<bce-se_n.13066.899.316477_yyy-yyy.yyy@se-acc-13066.se-bounce-0001.cz>
Jun 4 13:55:30 pmg postfix/qmgr[326]: ADB7860AF0: from=<bce-se_n.13066.899.316477_yyy-yyy.cz@se-acc-13066.se-bounce-0001.cz>, size=13529, nrcpt=1 (queue active)
Jun 4 13:55:30 pmg pmg-smtp-filter[10416]: 807A65B1528B2C2379: new mail message-id=<bce-se_n.13066.899.316477_yyy-yyy.cz@se-acc-13066.se-bounce-0001.cz>
Jun 4 13:55:32 pmg pmg-smtp-filter[10416]: 807A65B1528B2C2379: SA score=4/5 time=1.751 bayes=undefined autolearn=no autolearn_force=no hits=AWL,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FROM_EXCESS_BASE64,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_DNSWL_NONE,SPF_PASS
Jun 4 13:55:32 pmg pmg-smtp-filter[10416]: 807A65B1528B2C2379: moved mail for <yyy@yyy.yyy> to spam quarantine - 807E15B1528B49D20D
Jun 4 13:55:32 pmg pmg-smtp-filter[10416]: 807A65B1528B2C2379: processing time: 1.859 seconds (1.751, 0.071)
Jun 4 13:55:32 pmg postfix/lmtp[10561]: ADB7860AF0: to=<yyy@yyy.yyy>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.9, delays=0.98/0/0.04/1.9, dsn=2.5.0, status=sent (250 2.5.0 OK (807A65B1528B2C2379))
Jun 4 13:55:32 pmg postfix/qmgr[326]: ADB7860AF0: removed
Jun 4 13:56:58 pmg postfix/smtpd[10390]: disconnect from smtpg243.se6ruq.cz[130.193.14.243] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 commands=6

Here is an example of an email that has been sent from gmail, with the from field containing the real address, and here the rule has been triggered as expected:

Code:
Jun 6 08:51:11 pmg postfix/smtpd[31644]: connect from mail-wm0-f42.google.com[74.125.82.42]
Jun 6 08:51:11 pmg postfix/smtpd[31644]: D9A8B60011: client=mail-wm0-f42.google.com[74.125.82.42]
Jun 6 08:51:11 pmg postfix/cleanup[31845]: D9A8B60011: message-id=<CAAHtm3FTiN+s65yAeGRNtVWM_K71mX_H_BRU5-0tA--nO_8KmQ@mail.gmail.com>
Jun 6 08:51:11 pmg postfix/qmgr[326]: D9A8B60011: from=<xxx@xxx.xxx>, size=4124, nrcpt=1 (queue active)
Jun 6 08:51:11 pmg postfix/smtpd[31644]: disconnect from mail-wm0-f42.google.com[74.125.82.42] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Jun 6 08:51:12 pmg pmg-smtp-filter[31546]: 808375B1784601F35A: new mail message-id=<CAAHtm3FTiN+s65yAeGRNtVWM_K71mX_H_BRU5-0tA--nO_8KmQ@mail.gmail.com>
Jun 6 08:51:13 pmg pmg-smtp-filter[31546]: 808375B1784601F35A: SA score=0/5 time=0.869 bayes=undefined autolearn=ham autolearn_force=no hits=DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_PASS
Jun 6 08:51:13 pmg pmg-smtp-filter[31546]: 808375B1784601F35A: block mail to <yyy@yyy.yyy>
Jun 6 08:51:13 pmg pmg-smtp-filter[31546]: 808375B1784601F35A: processing time: 0.94 seconds (0.869, 0.044)
Jun 6 08:51:13 pmg postfix/lmtp[31846]: D9A8B60011: to=<yyy@yyy.yyy>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.6, delays=0.46/0.01/0.16/0.95, dsn=2.7.0, status=sent (250 2.7.0 BLOCKED (808375B1784601F35A))
Jun 6 08:51:13 pmg postfix/qmgr[326]: D9A8B60011: removed
 

Yes, all this is very good, and it is understood when you want to block a specific address in a blacklist, but what if instead we have domains or IP addresses in the blacklist, because these are also blocked and have no effect. How to add these blacklists directly to postfix, because pmg only allows adding whitelists and not blacklists for blocking in SMTP communication?
 

You need to perform your own postfix header or body checks via shell.
 
Same problem, this rule doesn't have any effect.
Please share the logs of a mail which got through even though it should have been blocked.
Just as a hint - emails in WHO objects match the envelope sender (the address used in the MAIL FROM SMTP command) - if you want to match the address in the 'From' mail header, use a 'Match Field' What object.

I hope this helps!
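To make the distinction above concrete, here is an added example (not PMG's code, and not from anyone in this thread) that parses the RFC 2047 encoded From: header quoted earlier in the thread and evaluates a "Newsletters" WHO-style list against both the header address and the envelope sender; the envelope sender and bounce domain are constructed placeholders modelled on the postfix qmgr log line.

```python
"""Why a WHO object did not match: envelope sender vs. From: header.

Constructed example. A PMG WHO object is compared against the SMTP
envelope sender (MAIL FROM), while the user sees the RFC 5322 'From:'
header. Mass mailers typically use a per-message bounce address as the
envelope sender, so a list keyed on the visible address never matches.
"""
from __future__ import annotations

from email import policy
from email.parser import BytesParser

# Constructed raw message: the From: header is the one quoted in the
# thread (base64 encoded display name); the bounce address is invented.
RAW_MESSAGE = (
    b"Return-Path: <bounce-123@se-bounce-0001.example>\r\n"
    b"From: =?UTF-8?B?S2zDoXJhIERvdWJvdsOh?= <skoleni@xxx.com>\r\n"
    b"To: user@example.org\r\n"
    b"Subject: newsletter\r\n\r\nbody\r\n"
)
# Envelope sender as postfix would log it in the qmgr "from=<...>" field.
ENVELOPE_SENDER = "bounce-123@se-bounce-0001.example"

# The "Newsletters" WHO object: full addresses plus whole domains.
NEWSLETTERS = {"skoleni@xxx.com", "xxx.com"}


def header_from(raw: bytes) -> tuple[str, str]:
    """Return (decoded display name, lowercase addr-spec) of From:."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    addr = msg["From"].addresses[0]  # encoded words are decoded here
    return addr.display_name, addr.addr_spec.lower()


def who_matches(address: str, who: set[str]) -> bool:
    """Match the way a WHO list does: exact address or whole domain."""
    address = address.lower()
    domain = address.rsplit("@", 1)[-1]
    return address in who or domain in who


def explain(raw: bytes, envelope: str, who: set[str]) -> dict:
    """Evaluate the list against both addresses a rule could look at."""
    name, hdr_addr = header_from(raw)
    return {
        "display_name": name,
        "header_from": hdr_addr,
        "header_matches": who_matches(hdr_addr, who),    # What object
        "envelope_matches": who_matches(envelope, who),  # WHO object
    }


if __name__ == "__main__":
    for key, value in explain(RAW_MESSAGE, ENVELOPE_SENDER, NEWSLETTERS).items():
        print(f"{key}: {value}")
```

The header address matches while the envelope sender does not, which is exactly the case the staff reply describes: a WHO object sees only the envelope sender, so matching on the visible From: requires a Match Field What object.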
 

Please show us the content of your "Block Newsletter" action object.
Try using the regex below to filter the from address.

[attached screenshot: 1587514759525.png]
 