Filter based on "received" header?

admail

I need to create a filter for mails sent by a specific host to modify their subject.

Between the sender and the PROXMOX other MTAs are involved.
I tried to use a "What object" with "Match field" for "received" checking for a unique string but it never matches.

I assume this happens because multiple "Received" lines can be found in each header? Any other idea how to modify the subject of mails that passed a specific MTA?
This needs to be done on PROXMOX as we can't do it on the sending system...
 
any other specifics of those mails (e.g. envelope sender)?

Else I'd need to try that here explicitly - but currently do not think that this should not work - please share your what object and the rule where it's used
 
any other specifics of those mails (e.g. envelope sender)?
No, unfortunately not. The senders are dynamic.

Mailheaders:
Code:
Received: from Exchange.intern.domain.de (XX.X.X.XX) by Exchange2.intern.domain.de
 (XX.X.X.XX) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.9 via Mailbox
 Transport; Tue, 17 May 2022 09:57:53 +0200
Received: from Exchange.intern.domain.de (XX.X.X.XX9) by Exchange.intern.domain.de
 (XX.X.X.XXX9) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.9; Tue, 17 May
 2022 09:57:53 +0200
Received: from mail.domain.de (XX.X.X.XX) by mail.intern.domain.de
 (XX.X.X.XX) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.9 via Frontend
 Transport; Tue, 17 May 2022 09:57:53 +0200
Received: from smtp2.intern.domain.de (localhost.localdomain [127.0.0.1])
    by mail.domain.de (Proxmox) with ESMTP id 0A35723D55
    for <user@domain.de>; Tue, 17 May 2022 09:57:53 +0200 (CEST)
Received: from smtprelay02.ispgateway.de (smtprelay02.ispgateway.de [80.67.18.14])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mail.domain.de (Proxmox) with ESMTPS id 0F39823D52
    for <user@domain.de>; Tue, 17 May 2022 09:57:52 +0200 (CEST)
Received: from [X.X.XXX.XX] (helo=webserver.domain.de)
    by smtprelay02.ispgateway.de with esmtpsa  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    (Exim 4.94.2)
    (envelope-from <no-reply@domain.de>)
    id 1nqs5V-0008En-Pi
    for user@domain.de; Tue, 17 May 2022 09:57:49 +0200
Content-Type: text/plain
From: no-reply <no-reply@domain.de>
To: <user@domain.de>
Subject: SMTP Test Email
Message-ID: <5bce9c08-c8ac-3f99-333b-c906f91912c9@domain.de>
Content-Transfer-Encoding: 7bit
Date: Tue, 17 May 2022 07:57:51 +0000
MIME-Version: 1.0
X-Df-Sender: c210cHJlbGF5QGFkZWxwaGkuZGU=
X-SPAM-LEVEL: Spam detection results:  0
    AWL                     0.548 Adjusted score from AWL reputation of From: address
    KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
    RCVD_IN_DNSWL_NONE     -0.0001 Sender listed at https://www.dnswl.org/, no trust
    RCVD_IN_MSPIKE_H3       0.001 Good reputation (+3)
    RCVD_IN_MSPIKE_WL       0.001 Mailspike good senders
    SPF_HELO_PASS          -0.001 SPF: HELO matches SPF record
    SPF_PASS               -0.001 SPF: sender matches SPF record
    T_SCC_BODY_TEXT_LINE    -0.01 -
Return-Path: no-reply@domain.de
X-MS-Exchange-Organization-Network-Message-Id: 0f847fe0-1bb7-40b8-46eb-08da37daf21e
X-MS-Exchange-Organization-SCL: 1
X-Spam-Flag: NO
X-Spam-Status: NO, hits=1 required=5, details=Build: [Engines: 2.15.15.1355,
 Stamp: 3], Multi: [Enabled, t: (0.000005,0.002590)], BW: [Enabled, t:
 (0.000014)], RTDA: [Enabled, t: (0.051596), Hit: No, Details: v2.39.0; Id:
 18.1i6p4db.1g38gc07o.bdm], total: 0(775)
X-MS-Exchange-Organization-AuthSource: Echxange.domain.de
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.1663132
X-MS-Exchange-Processed-By-BccFoldering: 15.01.2507.009


I want to filter if one of the received header fields contains a specific IP: "Received: from [X.X.XXX.XX]".

I created a "What" object for the IP (regex test matched correctly):

1652775027158.png

Action:
1652775309817.png

Rule:
1652775272839.png
 
Thanks for the sample - managed to reproduce the issue - currently the match field objects only match on the first header of its kind - which works quite well usually - but of course not with the Received chain - I prepared a patch - and should I not have overlooked something and it gets applied it should be in one of the next pmg-api releases:
https://lists.proxmox.com/pipermail/pmg-devel/2022-May/002009.html
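
The difference between testing only the first Received header and testing the whole chain, as an added example in Python (not Proxmox Mail Gateway code and not part of the original posts). The sample message, hostnames, IP addresses and the `[WEB] ` prefix are constructed placeholders, and the function names are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample shaped like the thread's header chain (newest hop first).
# Hostnames and IPs are placeholders; 192.0.2.10 stands in for the redacted IP.
RAW = (
    "Received: from mail.example.test (10.0.0.5) by exch.example.test\n"
    " (10.0.0.6) with Microsoft SMTP Server; Tue, 17 May 2022 09:57:53 +0200\n"
    "Received: from relay.example.test (relay.example.test [198.51.100.7])\n"
    "\tby mail.example.test (Proxmox) with ESMTPS id CONSTRUCTED2\n"
    "\tfor <user@example.test>; Tue, 17 May 2022 09:57:52 +0200 (CEST)\n"
    "Received: from [192.0.2.10] (helo=web.example.test)\n"
    "\tby relay.example.test with esmtpsa (Exim 4.94.2)\n"
    "\tid CONSTRUCTED1; Tue, 17 May 2022 09:57:49 +0200\n"
    "From: no-reply <no-reply@example.test>\n"
    "Subject: SMTP Test Email\n"
    "\n"
    "body\n"
)

# The pattern spans a fold: "from [IP]" and "by <relay>" sit on different lines.
HOP = re.compile(r"^from \[192\.0\.2\.10\] .*\bby relay\.example\.test\b")

def unfold(value):
    """Join RFC 5322 continuation lines so one regex sees the whole hop."""
    return re.sub(r"\r?\n[ \t]+", " ", value)

def first_only_match(msg, pattern):
    """Behaviour reported in the thread: only the first Received is tested."""
    value = msg.get("Received")
    return bool(value and pattern.search(unfold(value)))

def any_hop_match(msg, pattern):
    """Test every Received header in the chain, not just the newest one."""
    return any(pattern.search(unfold(v)) for v in msg.get_all("Received", []))

def tag_subject(msg, pattern, prefix="[WEB] "):
    """Prefix the subject once when any hop matches; return the subject."""
    subject = msg.get("Subject", "")
    if any_hop_match(msg, pattern) and not subject.startswith(prefix):
        del msg["Subject"]
        msg["Subject"] = prefix + subject
        subject = msg["Subject"]
    return subject

if __name__ == "__main__":
    msg = message_from_string(RAW)
    print(first_only_match(msg, HOP), any_hop_match(msg, HOP), tag_subject(msg, HOP))
```

Received lines below the first MTA you control are written by upstream systems, so a match on them is a routing hint rather than proof of origin.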
 
Hello Stoiko Ivanov

Do you have any information if the feature is already implemented in one of the updates?
 
Do you have any information if the feature is already implemented in one of the updates?
yes - this was applied and is available in all public repos (pmg-api version 7.1-4)

I hope this helps!
 