default "block all" rule (using pmg with exchange online)?

RolandK

Mar 5, 2019
hello,

We are moving to Exchange Online and are considering implementing PMG as a local mail relay for legacy services which can't do SMTP AUTH, as these are difficult to handle in Exchange Online.

So we allow our PMG by adding a connector in Exchange Online that permits inbound mail from the PMG's public static IP.

Now, while reading the docs, I'm curious what the best way to configure PMG is.

If I see this right, you can add very sophisticated rule-sets.

We are considering adding a ruleset which blocks everything by default that is not explicitly allowed, and then do explicit whitelisting for every sending system, based on IP address, From: address and (perhaps) To: address.

Is that a good idea?

What's the best approach or "best practice" to have some "default block all" rule and then allow mail to be sent via whitelisting?
 
> We are considering adding a ruleset which blocks everything by default that is not explicitly allowed, and then do explicit whitelisting for every sending system, based on IP address, From: address and (perhaps) To: address.
>
> Is that a good idea?
Sounds ok in general - as always, you can simply try it and keep an eye on the logs.

In principle you can list the affected services in your trusted networks and use the internal port of PMG (on the internal port, all mail to everywhere is accepted from trusted IPs, while the mail is still processed by the rule system (outbound rules only)).
Maybe this is already enough?

A simple ruleset for this use-case:
* rule with higher prio: 'Allowed' Mail - containing a Who object describing who may relay (From object), and an action of Accept
* if you want to limit where they can relay to - add a fitting To object (From and To must both match for the rule's actions to be applied)
* a rule with lower prio - action: Block

Of course your actual use-case might be a bit more complicated - but if you notice something not working as you want, post your ruleset and logs and then we can look further.

I hope this helps!
 
Thank you, very helpful.

For now, I can use blacklist/whitelist to some degree; I just needed a while to find out that I needed "before queue filtering" set to "on" to make it work.

I increased the whitelist priority above the blacklist priority to be able to whitelist individual IP addresses or email addresses.

We only want to allow very specific IP addresses or To/From names to send mail without auth, so we would like to have a "deny all by default" policy (like a firewall's default policy).

But how can I put "all domains" or "all IP networks" (like 0.0.0.0/0) into the blacklist?

Can I use a regex for this?

In "edit IP network", when adding 0.0.0.0/0, I get

"cidr: invalid format - value does not look like a valid CIDR network"

I'm curious why this is not a valid CIDR network? ( https://en.wikipedia.org/wiki/0.0.0.0 )

https://www.postfix.org/cidr_table.5.html
"The pattern 0.0.0.0/0 matches every IPv4 address, and ::/0 matches every IPv6 address"

Furthermore, as I have tested for a while now and read into how filtering works:

I'd like to "deny all domains from all IPs" and "only allow from: user@sendinghost to: user@dstdomain from internal host sending from IP xyz", but it seems you cannot do a logical AND with rules, and if there is any rule with action "ACCEPT" then this is the final one and all other rules are skipped?

So for example when I blacklist "all IPs" and have a single rule with higher priority which says "allow from mydomain" - then this will invalidate my "IP deny all" filtering?
 
> But how can I put "all domains" or "all IP networks" (like 0.0.0.0/0) into the blacklist?
Just do not add any From/To object - that way it is not restricted to anything ;)

> I'd like to "deny all domains from all IPs" and "only allow from: user@sendinghost to: user@dstdomain from internal host sending from IP xyz", but it seems you cannot do a logical AND with rules, and if there is any rule with action "ACCEPT" then this is the final one and all other rules are skipped?
Yes - the final actions are Accept, Block, Quarantine.

> We only want to allow very specific IP addresses or To/From names to send mail without auth, so we would like to have a "deny all by default" policy (like a firewall's default policy).
One thing that is not possible (with the rule system) is to say - only address X from IP Y ....
You can accept X and Y, but not in conjunction.

Please try it with a simple ruleset and send some mails - this usually helps far better in understanding how the rule-system works ;)
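To make the evaluation order discussed in this thread concrete, here is an added Python model of how such a two-rule set (high-priority Accept on a From object, low-priority Block with no From/To object) is processed; it is illustration code written for this page, not Proxmox Mail Gateway's implementation, and the names `Mail`, `Rule`, `evaluate` and the sample addresses and IPs are made up. It shows why an Accept keyed on a sender address also accepts that address from a host that is not in any IP whitelist.

```python
import ipaddress
from dataclasses import dataclass, field

# Added model of the rule evaluation the reply above describes; it is not
# PMG code, and Mail/Rule/evaluate are names invented for this example.
FINAL_ACTIONS = {"Accept", "Block", "Quarantine"}

@dataclass
class Mail:
    client_ip: str   # connecting host, matched by IP/network entries in From
    sender: str      # envelope sender, matched by address/domain entries
    recipient: str

@dataclass
class Rule:
    name: str
    priority: int
    action: str
    who_from: list = field(default_factory=list)  # empty list = not restricted
    who_to: list = field(default_factory=list)

def entry_matches(entry, address, ip=None):
    """One Who-object entry: a CIDR network, a full address, or a bare domain."""
    if "/" in entry:
        return ip is not None and ipaddress.ip_address(ip) in ipaddress.ip_network(entry, strict=False)
    if "@" in entry:
        return address.lower() == entry.lower()
    return address.lower().endswith("@" + entry.lower())

def rule_matches(rule, mail):
    # Entries within From (or To) are OR'ed; From and To must BOTH match (AND).
    from_ok = not rule.who_from or any(entry_matches(e, mail.sender, mail.client_ip) for e in rule.who_from)
    to_ok = not rule.who_to or any(entry_matches(e, mail.recipient) for e in rule.who_to)
    return from_ok and to_ok

def evaluate(rules, mail):
    """Highest priority first; the first Accept/Block/Quarantine that matches is final."""
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if rule_matches(rule, mail) and rule.action in FINAL_ACTIONS:
            return rule.name, rule.action
    return None, None  # no final action matched

# Constructed ruleset: whitelist one legacy sender, then block everything else.
RULES = [
    Rule("Allowed", 90, "Accept", who_from=["legacy-app@example.com"]),
    Rule("Block all", 10, "Block"),  # no From/To object: matches every mail
]

# Same sender from a non-whitelisted host is still accepted: address and IP cannot be AND'ed.
print(evaluate(RULES, Mail("198.51.100.7", "legacy-app@example.com", "ops@example.org")))
```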
 