Enable Before Queue filtering

[grefabu]

I'm searching how enable before queue filtering?

Only the entry in /etc/pmg/pmg.conf:

section: mail
before_queue_filtering true

Did I've to restart a service?
How could I check it? In the /var/log/mail.info?

Thank you for help.

Gregor

 

[Stoiko Ivanov]

The entry needs to be in the section [mail] and booleans are written as 1 or 0 - something like this:

section: mail
    before_queue_filtering 1
    dnsbl_sites zen.spamhaus.org,surbl.com
    dnsbl_threshold 1

(the last two lines are not part of the before queue filtering - but I left them there so you see where to put it)

You need to run:

pmgconfig sync --restart 1

afterwards.

The difference shows in the logs - mostly in the initial smtpd logs (it logs proxying to pmg-smtp-filter with 'NOQUEUE' in the beginning)

I hope this helps!

 

[IEM]

thanks.

i tried adding

before_queue_filtering 1

and it does "something" (as in: adding `--smtpd_proxy_filter` and similar lines to postfix/master.cf), but how can i test whether it actually works?

i tried sending a GTUBE-email to the gateway, but it was silently BLOCKED (aka: discarded).
is there a way to make pmg REJECT the mail instead (with a 5xx error-code)?
(the release-notes suggest that enabling "before queue filtering", will have pmg generate a 554-error)

 

[Stoiko Ivanov]

did you restart all services ? (pmgconfig sync --restart 1 should do that)

is there a way to make it REJECT the mail instead (with a 5xx error-code)?

That should happen, if your rulesystem 'BLOCK's mails with a high spam-score

please post the logs of this testmail - that should help in narrowing down the issue

 

[IEM]

this is what i see in PMG's tracking center:

Dec 2 13:01:27 mailgate postfix/smtpd[4953]: connect from anotherdomain.test[89.106.215.196]
Dec 2 13:01:27 mailgate postfix/smtpd[4953]: 5944420014: client=anotherdomain.test[89.106.215.196]
Dec 2 13:01:27 mailgate postfix/cleanup[5040]: 5944420014: message-id=<E1ibkOM-0004C4-Sp@anotherdomain.test>
Dec 2 13:01:27 mailgate postfix/qmgr[3907]: 5944420014: from=<me@anotherdomain.test>, size=793, nrcpt=1 (queue active)
Dec 2 13:01:27 mailgate pmg-smtp-filter[5152]: 205BA5DE4FD175CDA3: new mail message-id=<E1ibkOM-0004C4-Sp@anotherdomain.test>#012
Dec 2 13:01:27 mailgate postfix/smtpd[4953]: disconnect from anotherdomain.test[89.106.215.196] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Dec 2 13:01:27 mailgate pmg-smtp-filter[5152]: 205BA5DE4FD175CDA3: SA score=1000/5 time=0.483 bayes=0.15 autolearn=no autolearn_force=no hits=AWL(-0.136),BAYES_20(-0.001),GTUBE(1000),KAM_LAZY_DOMAIN_SECURITY(1),SPF_HELO_NONE(0.001),SPF_NONE(0.001),TVD_SPACE_RATIO(0.001)
Dec 2 13:01:27 mailgate pmg-smtp-filter[5152]: 205BA5DE4FD175CDA3: block mail to <me@somedomain.test> (rule: Block Spam (Level 10))
Dec 2 13:01:27 mailgate pmg-smtp-filter[5152]: 205BA5DE4FD175CDA3: processing time: 0.531 seconds (0.483, 0.033, 0)
Dec 2 13:01:27 mailgate postfix/lmtp[5091]: 5944420014: to=<me@somedomain.test>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.56, delays=0.02/0/0.01/0.54, dsn=2.7.0, status=sent (250 2.7.0 BLOCKED (205BA5DE4FD175CDA3))
Dec 2 13:01:27 mailgate postfix/qmgr[3907]: 5944420014: removed

this is what the sending server (running exim) sees:

2019-12-02 13:01:26 1ibkOM-0004C4-Sp <= me@anotherdomain.test U=me P=local S=485
2019-12-02 13:01:27 1ibkOM-0004C4-Sp => me@somedomain.test R=dnslookup T=remote_smtp H=mailgate.somedomain.test [193.170.191.178] X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no DN="CN=mailgate.somedomain.test" C="250 2.0.0 Ok: queued as 5944420014"
2019-12-02 13:01:27 1ibkOM-0004C4-Sp Completed

the email is gone/lost/...

this was done after a full reboot, so i figure that `pmgconfig sync --restart 1` was done (automatically?).

and fwiw: there is a "Block" rule in my "#pmgRuleConfiguration" which runs the pre-defined "block" action an any mail with spamscore>10. (i don't see a "reject" action)

 

[Stoiko Ivanov]

The logs would indicate that your system is still configured for after-queue filtering - did you change the configuration templates of postfix? (main.cf.in, master.cf.in)?
could you post your anonymized '/etc/postfix/main.cf', and '/etc/postfix/master.cf'?

and fwiw: there is a "Block" rule in my "#pmgRuleConfiguration" which runs the pre-defined "block" action an any mail with spamscore>10. (i don't see a "reject" action)

the Block action results in a 500 (if all recipients block the mail) when configured in before-queue filtering mode

 

[IEM]

DoH, i stand corrected.

it seems that a reboot does not fully include a `pmgconfig sync --restart 1`.

My main.cf was slightly modified, to use spamassassin-milter (following heutger's tutorial), but that part was commented out before doing the reboot (so I'm pretty sure that there were no side-effects).

it all boils down to a sync without a restart...

 

[Stoiko Ivanov]

ok - does it work now? i.e. does the gtube-test mail get a 5xx back?
if not please post your /etc/postfix/main.cf and /etc/postfix/master.cf

 

[IEM]

oh sorry, my last post was actually meant to say: "yes it's working now. it seems i did something wrong in my first try".
thanks.

 

[Stoiko Ivanov]

Glad it is working now - and thanks for the feedback (always helpful, especially for new features!)

Please mark the thread as 'SOLVED' - it helps others in a similar situation

Thanks!

 

[IEM]

i would add 'SOLVED' myself, but i'm not the owner of this thread, since i only continued what @grefabu started...

 

[Stoiko Ivanov]

Sorry I overlooked that you're not the original poster - in that case - let's hope the thread might help them

 

[heutger]

@IEM would be happy for feedback on how/if it's working well/similar to my setup. Especially before queue is interesting for me, if I can then block (reject) in a legal manner on high spam score. And would be great, to see the logs in the tracking center as milter doesn't log there.

 

[Stoiko Ivanov]

And would be great, to see the logs in the tracking center as milter doesn't log there.

Currently this is not done yet - but we're working on it - see also the release notes for PMG 6.1 : https://pmg.proxmox.com/wiki/index.php/Release_History#Proxmox_Mail_Gateway_6.1

 

[heutger]

Currently this is not done yet - but we're working on it - see also the release notes for PMG 6.1 : https://pmg.proxmox.com/wiki/index.php/Release_History#Proxmox_Mail_Gateway_6.1

Ah, ok, didn't read that. Then I will wait until that's "fixed" too. Do you have any ETA?

 

[IEM]

for me, the current behaviour is already an improvement:
- it provides the same core-feature as the milter-solution: hard reject (544) at SMTP-time instead of discarding the email (this was the reason why i deployed heutger's setup in the first place)
- it has the same caveats as the milter-solution: no logging

but the big PROs are:
- no need to for a custom pmg-configuration (injecting milter)
- no need to scan each email twice (once via milter, afterwards by pmg)
- and most importantly: all spam scans use exactly the same rules (no need to manually sync the rule-sets of the to spamassassin instances)

 

[IEM]

- it has the same caveats as the milter-solution: no logging

to be sure: i would *love* to see the rejected emails in my log-files.
but since this is no regression from the milter-solution, i immediately adapted "before queue".

 

[tom]

to be sure: i would *love* to see the rejected emails in my log-files.

There are of course logs.

But the logs are not yet perfectly visible via the Message Tracking Center (GUI).

 

[IEM]

yes of course.
journalctl and /var/log/mail.info are full of lines like:

Dec 4 04:46:31 proxmox postfix/smtpd[11581]: proxy-reject: END-OF-MESSAGE: 554 5.7.1 Rejected for policy reasons; from=<soraya@failmayor.icu> to=<user@example.com> proto=ESMTP helo=<failmayor.icu>

i was only talking about the webinterface.

 

[heutger]

Many thanks for the feedback. Sounds good.

@tom any ETA of the logs been available in the tracking center?