Enable Before Queue filtering
- Thread starter grefabu
- Start date
The entry needs to be in the section [mail] and booleans are written as 1 or 0 - something like this:
(the last two lines are not part of the before queue filtering - but I left them there so you see where to put it)
You need to run:
afterwards.
The difference shows in the logs - mostly in the initial smtpd logs (it logs proxying to pmg-smtp-filter with 'NOQUEUE' in the beginning)
I hope this helps!
Code:
section: mail
before_queue_filtering 1
dnsbl_sites zen.spamhaus.org,surbl.com
dnsbl_threshold 1(the last two lines are not part of the before queue filtering - but I left them there so you see where to put it)
You need to run:
Code:
pmgconfig sync --restart 1The difference shows in the logs - mostly in the initial smtpd logs (it logs proxying to pmg-smtp-filter with 'NOQUEUE' in the beginning)
I hope this helps!
thanks.
i tried adding
and it does "something" (as in: adding `--smtpd_proxy_filter` and similar lines to postfix/master.cf), but how can i test whether it actually works?
i tried sending a GTUBE-email to the gateway, but it was silently BLOCKED (aka: discarded).
is there a way to make pmg REJECT the mail instead (with a 5xx error-code)?
(the release-notes suggest that enabling "before queue filtering", will have pmg generate a 554-error)
i tried adding
Code:
before_queue_filtering 1i tried sending a GTUBE-email to the gateway, but it was silently BLOCKED (aka: discarded).
is there a way to make pmg REJECT the mail instead (with a 5xx error-code)?
(the release-notes suggest that enabling "before queue filtering", will have pmg generate a 554-error)
Last edited:
this is what i see in PMG's tracking center:
this is what the sending server (running exim) sees:
the email is gone/lost/...
this was done after a full reboot, so i figure that `pmgconfig sync --restart 1` was done (automatically?).
and fwiw: there is a "Block" rule in my "#pmgRuleConfiguration" which runs the pre-defined "block" action an any mail with spamscore>10. (i don't see a "reject" action)
Code:
Dec 2 13:01:27 mailgate postfix/smtpd[4953]: connect from anotherdomain.test[89.106.215.196]
Dec 2 13:01:27 mailgate postfix/smtpd[4953]: 5944420014: client=anotherdomain.test[89.106.215.196]
Dec 2 13:01:27 mailgate postfix/cleanup[5040]: 5944420014: message-id=<E1ibkOM-0004C4-Sp@anotherdomain.test>
Dec 2 13:01:27 mailgate postfix/qmgr[3907]: 5944420014: from=<me@anotherdomain.test>, size=793, nrcpt=1 (queue active)
Dec 2 13:01:27 mailgate pmg-smtp-filter[5152]: 205BA5DE4FD175CDA3: new mail message-id=<E1ibkOM-0004C4-Sp@anotherdomain.test>#012
Dec 2 13:01:27 mailgate postfix/smtpd[4953]: disconnect from anotherdomain.test[89.106.215.196] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Dec 2 13:01:27 mailgate pmg-smtp-filter[5152]: 205BA5DE4FD175CDA3: SA score=1000/5 time=0.483 bayes=0.15 autolearn=no autolearn_force=no hits=AWL(-0.136),BAYES_20(-0.001),GTUBE(1000),KAM_LAZY_DOMAIN_SECURITY(1),SPF_HELO_NONE(0.001),SPF_NONE(0.001),TVD_SPACE_RATIO(0.001)
Dec 2 13:01:27 mailgate pmg-smtp-filter[5152]: 205BA5DE4FD175CDA3: block mail to <me@somedomain.test> (rule: Block Spam (Level 10))
Dec 2 13:01:27 mailgate pmg-smtp-filter[5152]: 205BA5DE4FD175CDA3: processing time: 0.531 seconds (0.483, 0.033, 0)
Dec 2 13:01:27 mailgate postfix/lmtp[5091]: 5944420014: to=<me@somedomain.test>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.56, delays=0.02/0/0.01/0.54, dsn=2.7.0, status=sent (250 2.7.0 BLOCKED (205BA5DE4FD175CDA3))
Dec 2 13:01:27 mailgate postfix/qmgr[3907]: 5944420014: removedthis is what the sending server (running exim) sees:
Code:
2019-12-02 13:01:26 1ibkOM-0004C4-Sp <= me@anotherdomain.test U=me P=local S=485
2019-12-02 13:01:27 1ibkOM-0004C4-Sp => me@somedomain.test R=dnslookup T=remote_smtp H=mailgate.somedomain.test [193.170.191.178] X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no DN="CN=mailgate.somedomain.test" C="250 2.0.0 Ok: queued as 5944420014"
2019-12-02 13:01:27 1ibkOM-0004C4-Sp Completedthe email is gone/lost/...
this was done after a full reboot, so i figure that `pmgconfig sync --restart 1` was done (automatically?).
and fwiw: there is a "Block" rule in my "#pmgRuleConfiguration" which runs the pre-defined "block" action an any mail with spamscore>10. (i don't see a "reject" action)
The logs would indicate that your system is still configured for after-queue filtering - did you change the configuration templates of postfix? (main.cf.in, master.cf.in)?
could you post your anonymized '/etc/postfix/main.cf', and '/etc/postfix/master.cf'?
could you post your anonymized '/etc/postfix/main.cf', and '/etc/postfix/master.cf'?
the Block action results in a 500 (if all recipients block the mail) when configured in before-queue filtering mode
DoH, i stand corrected.
it seems that a reboot does not fully include a `pmgconfig sync --restart 1`.
My main.cf was slightly modified, to use spamassassin-milter (following heutger's tutorial), but that part was commented out before doing the reboot (so I'm pretty sure that there were no side-effects).
it all boils down to a sync without a restart...
it seems that a reboot does not fully include a `pmgconfig sync --restart 1`.
My main.cf was slightly modified, to use spamassassin-milter (following heutger's tutorial), but that part was commented out before doing the reboot (so I'm pretty sure that there were no side-effects).
it all boils down to a sync without a restart...
ok - does it work now? i.e. does the gtube-test mail get a 5xx back?
if not please post your /etc/postfix/main.cf and /etc/postfix/master.cf
if not please post your /etc/postfix/main.cf and /etc/postfix/master.cf
oh sorry, my last post was actually meant to say: "yes it's working now. it seems i did something wrong in my first try".
thanks.
thanks.
Glad it is working now - and thanks for the feedback (always helpful, especially for new features!)
Please mark the thread as 'SOLVED' - it helps others in a similar situation
Thanks!
Please mark the thread as 'SOLVED' - it helps others in a similar situation
Thanks!
Sorry I overlooked that you're not the original poster - in that case - let's hope the thread might help them 
Currently this is not done yet - but we're working on it - see also the release notes for PMG 6.1 : https://pmg.proxmox.com/wiki/index.php/Release_History#Proxmox_Mail_Gateway_6.1
Ah, ok, didn't read that. Then I will wait until that's "fixed" too. Do you have any ETA?
for me, the current behaviour is already an improvement:
- it provides the same core-feature as the milter-solution: hard reject (544) at SMTP-time instead of discarding the email (this was the reason why i deployed heutger's setup in the first place)
- it has the same caveats as the milter-solution: no logging
but the big PROs are:
- no need to for a custom pmg-configuration (injecting milter)
- no need to scan each email twice (once via milter, afterwards by pmg)
- and most importantly: all spam scans use exactly the same rules (no need to manually sync the rule-sets of the to spamassassin instances)
- it provides the same core-feature as the milter-solution: hard reject (544) at SMTP-time instead of discarding the email (this was the reason why i deployed heutger's setup in the first place)
- it has the same caveats as the milter-solution: no logging
but the big PROs are:
- no need to for a custom pmg-configuration (injecting milter)
- no need to scan each email twice (once via milter, afterwards by pmg)
- and most importantly: all spam scans use exactly the same rules (no need to manually sync the rule-sets of the to spamassassin instances)
yes of course.
i was only talking about the webinterface.
journalctl and /var/log/mail.info are full of lines like:i was only talking about the webinterface.