frustration with PMG feels like it doesn't work.

Sep 17, 2020
I want to share my frustration with PMG; it seems that nothing is really working as described.

The purpose of the GUI is to simplify usability, and if there is a rule, be it WHO or WHAT, and you add the rule according to the documentation, it should work.
Yes, there may be occasions where something doesn't; however, you can't have 30 rules and none work.

As an example, I read through the documentation and it says to block IPs, add them in WHO, so you go to who->blacklist->IP or IP Network.
Adding a rule there doesn't work.

Sharing the information in a post, I really don't get an answer to simply make it work.
So I search some more posts and find the below 2.


In this post we're told to add it to the WHO:
https://forum.proxmox.com/threads/blacklist-ip-address.352/

In this post it says it won't work:
https://forum.proxmox.com/threads/ip-network-blacklists.71362/

So if this doesn't work, why don't we either change the code to block the IPs in the proper way as described in the 2nd post,
or remove the feature from the GUI since it doesn't work, giving the user a false sense of security.

First, I have to thank everyone on the forum that tries to help, but there have to be more examples and working answers.
If you can't block something as mentioned in the above 2nd post, then say so, rather than creating some random other rule to try and block the information, which doesn't work.
That was the purpose of adding the who->blacklist->ip.

To share, yes, I am a subscriber, not at a high level, but I wanted to help the project as I try out this tool.
Second, I have run Postfix servers for several years manually, which works well but doesn't make it easy for people with less knowledge to manage, so PMG sounds like it fills a void.
I appreciate all the contributors at the code level, forum etc.

I simply want to use the tool as described and have it work and not spend countless hours and frustration trying to get it to work, to find out it won't.
 
I have a rule to notify me if it is from a certain IP from the internet, and it works. I believe it should work to block/quarantine too.

 
As an example, I read through the documentation and it says to block IPs, add them in WHO, so you go to who->blacklist->IP or IP Network.
Adding a rule there doesn't work.

Blocking IPs by adding them to a WHO object works in general (just tested it here).

Three points that might cause some confusion or are quite often the source of such problems:
* make sure that mails arrive on the appropriate port (25 for inbound, 26 for outbound (they are configurable)) - and that the rules are configured to trigger in the correct direction
* blocking in the rule-system does not happen during the SMTP dialog (by postfix), but during the scanning (pmg-smtp-filter)
* if a rule triggers an action (e.g. Block, Quarantine, Accept), this is written in the logs (pmg-smtp-filter is the program that does the writing)

If things don't work as expected, please share the logs of such a mail (anonymize them, as sharing via a private channel is something that we do in our enterprise support channel only).

I hope this helps!
 
Hello,

Thanks for your response. Sorry, this will be a little long, but I believe you will find clear, concise information.
I was heavy into Postfix under 2.11, so it's taken me a little while to test this version more to make sure I was clear on functionality.
Mind you, the purpose of PMG is to NOT have to know this and for other team members to simply add what they wish; I just had that experience, which is of value here.

Since the reject table for IPs isn't in Postfix tables, I don't get to see exactly what is in there or what happens, and I'm not sure when those rules get tested versus when the test I did does, but here is what I have been able to detect.

The WHO object is not blocking the emails for me. Extracting the exact portion of the log is sometimes not as easy, since there are multiple parts intermixed with other emails.

But I can share an example here. (I have only obfuscated the receiving user email and the PMG server IP.)
File 1 - has the email inbound info

Image 1 has the who object - Block-Spam shown
Image 2 has the Rule - and shows the action BLOCK and the object Block-Spam

File 2 - has a quick grep of *some* of the connections from the IPs in range, none blocked/rejected.
Note the LAST 4 entries show blocked; that is me with additional Postfix configuration: I block it and assign it my own error code.
SPR- (for me that means Spam Relay), then the rest tells me which of my rules blocked the messages.
Should the sender get back that message and be legit, I fully know which policy blocked them.

My WHO object has been in place for a long time and didn't block these messages, so I feel justified in saying that it didn't work, and this information should prove it. I also attempted to block it with a WHAT object, and was even suggested to do a regex for the IP, but that wouldn't work for a range.

How did I block it?

I didn't want to add my own table manually, but it was the only way to make sure I understood everything properly.

I added to the Postfix template the following two lines under smtpd_recipient_restrictions:
check_client_access hash:/etc/postfix/sender_reject_domain
check_client_access cidr:/etc/postfix/sender_reject_ip

Within the sender_reject_ip table I have:
23.90.0.0/18 REJECT 550 SPR-23.90.0.0

Those 4 messages came in after I put the rule in place, and as you can see they were blocked immediately.


----

I hope this shows what I have mentioned accurately.

Now I would share an opinion (you know how those are).
I would prefer to see all the rules/entries put into postfix tables making postfix almost completely independent per se and allowing you to visualize table content when you are troubleshooting at the postfix level.

I would love to see where we take those who objects, which according to the documentation are for this exact purpose, and have them write out the configuration table as I have shown in this example.

If I want to get greedy with my sort of request, I would ask that each IP block, or any field we put into IP/Domain etc., have a custom code for the error (or it can be done automatically and add a number or some kind of reference to improve troubleshooting) and a note field, so that whoever puts in a block for a domain, insurace.com as an example, would put "sent over 50K spam 10/25".


One other note: for matching a domain I had to put in a regex, which slows the system down some, but according to http://www.postfix.org/access.5.html Postfix will match:
"domain.tld
Matches domain.tld as the domain part of an email address."

So you don't need to do a regex, and it will also match:
".domain.tld
Matches subdomains of domain.tld, but only when the string smtpd_access_maps is not listed in the Postfix parent_domain_matches_subdomains configuration setting."

So based on that, on the PMG side I feel it would be easier than having users create a regex, which for some isn't as easy.

Please share with me your thoughts and let me know if I'm being way off here.

Thanks for your time!!!!!!!!!!!
 

Attachments: 1 - Tracking Center Email.txt, 1 - Who Object.png, 2 - Rule.png, 2 - quick mail log entries.txt
Tried a test rule with an IP Network range WHO object and it works.
FYI, no custom Postfix config on latest PMG.


Code:
Oct 29 21:27:44 pmg postfix/smtpd[989]: connect from mail-yb1-f181.google.com[209.85.219.181]
Oct 29 21:27:44 pmg postfix/smtpd[989]: NOQUEUE: client=mail-yb1-f181.google.com[209.85.219.181]
Oct 29 21:27:44 pmg pmg-smtp-filter[985]: 43A125F9AC350A58D8: new mail message-id=<CAKETK8EcYGQs+7Vdwmv_Bpa3Mu6DLJ2WbejqAR2EY=WL7xh69w@mail.gmail.com>#012
Oct 29 21:27:51 pmg pmg-smtp-filter[985]: 43A125F9AC350A58D8: SA score=0/5 time=6.928 bayes=0.00 autolearn=ham autolearn_force=no hits=AWL(0.411),BAYES_00(-1.9),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),FREEMAIL_FROM(0.001),HTML_MESSAGE(0.001),RCVD_IN_DNSWL_NONE(-0.0001),RCVD_IN_MSPIKE_H2(-0.001),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),TVD_SPACE_RATIO(0.001)
Oct 29 21:27:51 pmg pmg-smtp-filter[985]: 43A125F9AC350A58D8: notify <user1@domain.com> (rule: testing - who, A307443B8E)
Oct 29 21:27:51 pmg postfix/smtpd[1004]: connect from localhost.localdomain[127.0.0.1]
Oct 29 21:27:51 pmg postfix/smtpd[1004]: A4FC743B90: client=localhost.localdomain[127.0.0.1], orig_client=mail-yb1-f181.google.com[209.85.219.181]
Oct 29 21:27:51 pmg postfix/cleanup[1005]: A4FC743B90: message-id=<CAKETK8EcYGQs+7Vdwmv_Bpa3Mu6DLJ2WbejqAR2EY=WL7xh69w@mail.gmail.com>
Oct 29 21:27:51 pmg postfix/qmgr[963]: A4FC743B90: from=<user1@gmail.com>, size=4053, nrcpt=1 (queue active)
Oct 29 21:27:51 pmg postfix/smtpd[1004]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Oct 29 21:27:51 pmg pmg-smtp-filter[985]: 43A125F9AC350A58D8: accept mail to <user1@domain.com> (A4FC743B90) (rule: default-accept)
Oct 29 21:27:51 pmg pmg-smtp-filter[985]: 43A125F9AC350A58D8: processing time: 7.002 seconds (6.928, 0.017, 0)
Oct 29 21:27:51 pmg postfix/smtpd[989]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (43A125F9AC350A58D8); from=<user1@gmail.com> to=<user1@domain.com> proto=ESMTP helo=<mail-yb1-f181.google.com>
Oct 29 21:27:51 pmg postfix/smtpd[989]: disconnect from mail-yb1-f181.google.com[209.85.219.181] ehlo=1 mail=1 rcpt=1 bdat=1 quit=1 commands=5
Oct 29 21:28:00 pmg postfix/smtp[1126]: A4FC743B90: to=<user1@domain.com>, relay=remote.domain.com[192.168.40.230]:25, delay=8.6, delays=0/0/8.6/0, dsn=2.0.0, status=sent (250 Ok)
Oct 29 21:28:00 pmg postfix/qmgr[963]: A4FC743B90: removed
 
Since the reject table for IPs isn't in Postfix tables, I don't get to see exactly what is in there or what happens, and I'm not sure when those rules get tested versus when the test I did does, but here is what I have been able to detect.
Maybe a general architectural overview of PMG would help to clear up most questions.
For the inbound (port 25) case:
* an SMTP connection initially gets passed to postscreen (for protocol checks and RBL lookups for the IPs) - see http://www.postfix.org/POSTSCREEN_README.html
* during the SMTP dialogue, before the DATA command (no mail content yet), the pmgpolicy service gets the information (MailProxy Whitelist, SPF checks in the mail proxy (not the ones done by SpamAssassin), Greylisting)
* afterwards processing is passed on to pmg-smtp-filter (in before-queue mode pmg-smtp-filter acts as smtpd-proxy (see http://www.postfix.org/SMTPD_PROXY_README.html), in after-queue mode as content filter (http://www.postfix.org/FILTER_README.html))
=== here the processing of the rules starts, and most actions are logged by pmg-smtp-filter in your mail.log

In other words - everything you configure in the rule system is handled and logged by pmg-smtp-filter (and not by postfix!!):
* Adding IPs, Networks, Regular Expressions, Domains to Who Objects (and using the Who Object in a Rule with Block Action) will work after postfix has handed the mail to pmg-smtp-filter

* If pmg-smtp-filter accepts a mail it 'reinjects' it (by sending it to a postfix/smtpd instance listening on 127.0.0.1:10025)

Regarding your example:
File 1 - has the email inbound info

Image 1 has the who object - Block-Spam shown
Image 2 has the Rule - and shows the action BLOCK and the object Block-Spam
File 1 shows:
* a connection from 'mx.mailhubone.com[170.130.34.36]'
* with a mail from: 'usco_certification_team-obriens=userdom.com@classifiedminds.com'
The screenshots of your Who object contain neither 170.13.34.36, nor mx.mailhubone.com, nor the domain classifiedminds.com, nor the email 'usco_certification_team-obriens=userdom.com@classifiedminds.com', nor a regular expression matching that.
So why should this mail get blocked by the rule-system?

Additionally (although unrelated), your regular expressions seem a bit odd/wrong:
* no need to escape '\' (unless you want to match a literal backslash), for example
Try adding simpler regular expressions - if you want to block SMTP envelope addresses from 'phxwebserver.com' (or any subdomain of it), try:
'.*phxwebserver.com' (also use the test field for regular expressions to see if it matches or not)

I also attempted to block it with a what object, and was even suggested to do a regex for the IP but that wouldn't work for a range.
Regular expression matches in Who objects match the e-mail addresses and not the IPs - so that suggestion seems wrong.

Now I would share an opinion ( you know how those are ).
I would prefer to see all the rules/entries put into postfix tables making postfix almost completely independent per se and allowing you to visualize table content when you are troubleshooting at the postfix level.
I can relate to that (I also have a bit of experience in running mail infrastructures in the past), but PMG's architecture (and the rule system) is simply not laid out to be translated to postfix tables (pmg-smtp-filter invokes SpamAssassin directly, and has access to the result from the antivirus, which are used in the decisions of the rule system).
Not saying that it's impossible to do most things also by plugging together some milters and deciding based on added headers, but that's quite a different setup from PMG.

I hope this explains it!
 
@Stoiko Ivanov
I will review the above and read through the documentation; I have to grasp the stage at which the filter hits, before or after, with respect to postscreen.

For reference if you do a whois of the IP address you will find:
NetRange: 170.130.0.0 - 170.130.255.255
CIDR: 170.130.0.0/16

YES, I got a little aggressive with that block and blocked CIDR 170.130.0.0/16.

I was using a snip tool and provided you an older file; the Block-Spam object active at that time is the one I'm attaching here.

I have added/removed IPs and domains to WHO and WHAT several times, and upon receiving messages from them, tried a different method based on suggestions and frustration.

I promise you I have had the WHO object from the beginning, as per the docs, to block domains and IPs.

But to better understand something: if I have my rules as shown, will your WHO or WHAT rule apply before or after the below?


smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    reject_non_fqdn_recipient
    check_recipient_access regexp:/etc/postfix/rcptaccess
    check_sender_access regexp:/etc/postfix/senderaccess
    check_client_access hash:/etc/postfix/sender_reject_domain
    check_client_access cidr:/etc/postfix/sender_reject_ip
    check_recipient_access hash:/etc/postfix/sender_reject_invalid


If before, then all of the domains and IPs not being blocked would never make it to my rule.

I will provide another example shortly.
 

Attachments: Block-Spam.png
Quick addition
You can see some of the messages being blocked by SPR- (my rule), and then at some point they became blacklisted.

If correct, this tells me postscreen blocked it, prior to rules. (right?)
This also points me back to the above, it never made it to PMG filter right?

Code:
Oct 29 14:11:03 mgw postfix/smtpd[15282]: NOQUEUE: reject: RCPT from mx.mailhubone.com[170.130.34.58]: 554 5.7.1 <mx.mailhubone.com[170.130.34.58]>: Client host rejected: 550 SPR-170.130.0.0; from=<kn95-masks-tedybear=userdom.com@securematerial.com> to=<tedybear@userdom.com> proto=ESMTP helo=<mail.securematerial.com>
Oct 29 14:11:03 mgw postfix/smtpd[15282]: NOQUEUE: reject: RCPT from mx.mailhubone.com[170.130.34.58]: 554 5.7.1 <mx.mailhubone.com[170.130.34.58]>: Client host rejected: 550 SPR-170.130.0.0; from=<kn95_masks-image=userdom.com@securematerial.com> to=<image@userdom.com> proto=ESMTP helo=<mail.securematerial.com>
Oct 29 14:11:03 mgw postfix/smtpd[15282]: NOQUEUE: reject: RCPT from mx.mailhubone.com[170.130.34.58]: 554 5.7.1 <mx.mailhubone.com[170.130.34.58]>: Client host rejected: 550 SPR-170.130.0.0; from=<kn95-mask-special-obriens=userdom.com@securematerial.com> to=<obriens@userdom.com> proto=ESMTP helo=<mail.securematerial.com>
Oct 29 14:11:03 mgw postfix/smtpd[15282]: disconnect from mx.mailhubone.com[170.130.34.58] ehlo=1 mail=3 rcpt=0/3 rset=2 quit=1 commands=7/10
Oct 29 14:11:07 mgw postfix/postscreen[10459]: CONNECT from [170.130.34.58]:58534 to [39.33.130.51]:25
Oct 29 14:11:07 mgw postfix/postscreen[10459]: PASS OLD [170.130.34.58]:58534
Oct 29 14:11:07 mgw postfix/smtpd[14674]: connect from mx.mailhubone.com[170.130.34.58]
Oct 29 14:11:07 mgw postfix/smtpd[14674]: NOQUEUE: reject: RCPT from mx.mailhubone.com[170.130.34.58]: 554 5.7.1 <mx.mailhubone.com[170.130.34.58]>: Client host rejected: 550 SPR-170.130.0.0; from=<kn95_mask_special-nightengale=userdom.com@securematerial.com> to=<nightengale@userdom.com> proto=ESMTP helo=<mail.securematerial.com>
Oct 29 14:11:07 mgw postfix/smtpd[14674]: disconnect from mx.mailhubone.com[170.130.34.58] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
Oct 29 14:12:20 mgw postfix/postscreen[10459]: CONNECT from [170.130.34.58]:39394 to [39.33.130.51]:25
Oct 29 14:12:20 mgw postfix/postscreen[10459]: PASS OLD [170.130.34.58]:39394
Oct 29 14:12:20 mgw postfix/smtpd[15282]: connect from mx.mailhubone.com[170.130.34.58]
Oct 29 14:12:20 mgw postfix/smtpd[15282]: NOQUEUE: reject: RCPT from mx.mailhubone.com[170.130.34.58]: 554 5.7.1 <mx.mailhubone.com[170.130.34.58]>: Client host rejected: 550 SPR-170.130.0.0; from=<kn95_masks-nbliss=userdom.com@securematerial.com> to=<nbliss@userdom.com> proto=ESMTP helo=<mail.securematerial.com>
Oct 29 14:12:21 mgw postfix/smtpd[15282]: NOQUEUE: reject: RCPT from mx.mailhubone.com[170.130.34.58]: 554 5.7.1 <mx.mailhubone.com[170.130.34.58]>: Client host rejected: 550 SPR-170.130.0.0; from=<kn95.mask.special-huella.bitnet=userdom.com@securematerial.com> to=<huella.bitnet@userdom.com> proto=ESMTP helo=<mail.securematerial.com>
Oct 29 14:12:21 mgw postfix/smtpd[15282]: disconnect from mx.mailhubone.com[170.130.34.58] ehlo=1 mail=2 rcpt=0/2 rset=1 quit=1 commands=5/7
Oct 29 14:45:49 mgw postfix/postscreen[10459]: CONNECT from [170.130.214.45]:39982 to [39.33.130.51]:25
Oct 29 14:45:49 mgw postfix/dnsblog[16571]: addr 170.130.214.45 listed by domain bl.spameatingmonkey.net as 127.0.0.2
Oct 29 14:45:49 mgw postfix/dnsblog[12276]: addr 170.130.214.45 listed by domain zen.spamhaus.org as 127.0.0.3
Oct 29 14:45:49 mgw postfix/dnsblog[16084]: addr 170.130.214.45 listed by domain b.barracudacentral.org as 127.0.0.2
Oct 29 14:45:49 mgw postfix/postscreen[10459]: PREGREET 31 after 0.08 from [170.130.214.45]:39982: EHLO 01b15dd5.basiclifes.guru\r\n
Oct 29 14:45:49 mgw postfix/postscreen[10459]: DNSBL rank 3 for [170.130.214.45]:39982
Oct 29 14:45:49 mgw postfix/postscreen[10459]: NOQUEUE: reject: RCPT from [170.130.214.45]:39982: 550 5.7.1 Service unavailable; client [170.130.214.45] blocked using bl.spameatingmonkey.net; from=<High-speedWiFi@basiclifes.guru>, to=<kevinfeil@oceancadillac.net>, proto=ESMTP, helo=<01b15dd5.basiclifes.guru>
Oct 29 14:45:49 mgw postfix/postscreen[10459]: DISCONNECT [170.130.214.45]:39982
Oct 29 15:32:41 mgw postfix/postscreen[10459]: CONNECT from [170.130.214.46]:37630 to [39.33.130.51]:25
Oct 29 15:32:41 mgw postfix/dnsblog[18756]: addr 170.130.214.46 listed by domain noptr.spamrats.com as 127.0.0.37
Oct 29 15:32:41 mgw postfix/dnsblog[18406]: addr 170.130.214.46 listed by domain bl.spameatingmonkey.net as 127.0.0.2
Oct 29 15:32:41 mgw postfix/dnsblog[18405]: addr 170.130.214.46 listed by domain zen.spamhaus.org as 127.0.0.3
Oct 29 15:32:41 mgw postfix/dnsblog[18411]: addr 170.130.214.46 listed by domain b.barracudacentral.org as 127.0.0.2
Oct 29 15:32:41 mgw postfix/postscreen[10459]: PREGREET 31 after 0.08 from [170.130.214.46]:37630: EHLO 08233a16.cleansonus.guru\r\n
Oct 29 15:32:41 mgw postfix/postscreen[10459]: DNSBL rank 4 for [170.130.214.46]:37630
Oct 29 15:32:41 mgw postfix/postscreen[10459]: NOQUEUE: reject: RCPT from [170.130.214.46]:37630: 550 5.7.1 Service unavailable; client [170.130.214.46] blocked using noptr.spamrats.com; from=<VitiligoMiracle@cleansonus.guru>, to=<victor.torres@dtvwchicago.com>, proto=ESMTP, helo=<08233a16.cleansonus.guru>
Oct 29 15:32:41 mgw postfix/postscreen[10459]: DISCONNECT [170.130.214.46]:37630
Oct 29 15:41:03 mgw postfix/postscreen[10459]: CONNECT from [170.130.214.46]:42398 to [39.33.130.51]:25
Oct 29 15:41:03 mgw postfix/dnsblog[18403]: addr 170.130.214.46 listed by domain b.barracudacentral.org as 127.0.0.2
Oct 29 15:41:03 mgw postfix/dnsblog[18405]: addr 170.130.214.46 listed by domain noptr.spamrats.com as 127.0.0.37
Oct 29 15:41:03 mgw postfix/dnsblog[18412]: addr 170.130.214.46 listed by domain bl.spameatingmonkey.net as 127.0.0.2
Oct 29 15:41:03 mgw postfix/dnsblog[18404]: addr 170.130.214.46 listed by domain zen.spamhaus.org as 127.0.0.3
Oct 29 15:41:03 mgw postfix/postscreen[10459]: PREGREET 31 after 0.08 from [170.130.214.46]:42398: EHLO 07f096ed.cleansonus.guru\r\n
Oct 29 15:41:03 mgw postfix/postscreen[10459]: DNSBL rank 4 for [170.130.214.46]:42398
Oct 29 15:41:04 mgw postfix/postscreen[10459]: NOQUEUE: reject: RCPT from [170.130.214.46]:42398: 550 5.7.1 Service unavailable; client [170.130.214.46] blocked using b.barracudacentral.org; from=<HealsVitiligoFAST@cleansonus.guru>, to=<jack@userdom.com>, proto=ESMTP, helo=<07f096ed.cleansonus.guru>
Oct 29 15:41:05 mgw postfix/postscreen[10459]: DISCONNECT [170.130.214.46]:42398
Oct 29 15:42:30 mgw postfix/postscreen[10459]: CONNECT from [170.130.214.46]:37681 to [39.33.130.51]:25
Oct 29 15:42:30 mgw postfix/dnsblog[18404]: addr 170.130.214.46 listed by domain b.barracudacentral.org as 127.0.0.2
Oct 29 15:42:30 mgw postfix/dnsblog[18756]: addr 170.130.214.46 listed by domain noptr.spamrats.com as 127.0.0.37
Oct 29 15:42:30 mgw postfix/dnsblog[19143]: addr 170.130.214.46 listed by domain bl.spameatingmonkey.net as 127.0.0.2
Oct 29 15:42:30 mgw postfix/dnsblog[18860]: addr 170.130.214.46 listed by domain bl.spamcop.net as 127.0.0.2
Oct 29 15:42:30 mgw postfix/dnsblog[18406]: addr 170.130.214.46 listed by domain zen.spamhaus.org as 127.0.0.3
Oct 29 15:42:30 mgw postfix/postscreen[10459]: PREGREET 31 after 0.08 from [170.130.214.46]:37681: EHLO 07f096ed.cleansonus.guru\r\n
Oct 29 15:42:30 mgw postfix/postscreen[10459]: DNSBL rank 5 for [170.130.214.46]:37681
Oct 29 15:42:30 mgw postfix/postscreen[10459]: NOQUEUE: reject: RCPT from [170.130.214.46]:37681: 550 5.7.1 Service unavailable; client [170.130.214.46] blocked using b.barracudacentral.org; from=<Vitiligo-freelife!@cleansonus.guru>, to=<jack@userdom.com>, proto=ESMTP, helo=<07f096ed.cleansonus.guru>
Oct 29 15:42:31 mgw postfix/postscreen[10459]: DISCONNECT [170.130.214.46]:37681
 
It could be blocked by your custom Postfix config before making it to pmg-smtp-filter.
 
I did create the new object and pointed to it with a rule, and even a new separate rule with a higher priority, with no difference, based on your suggestion for a block that didn't work for a domain.
 
I did create the new object and pointed to it with a rule, and even a new separate rule with a higher priority, with no difference, based on your suggestion for a block that didn't work for a domain.

On a new setup or with your custom PMG config?
 
If correct, this tells me postscreen blocked it, prior to rules. (right?)
This also points me back to the above, it never made it to PMG filter right?
Exactly - the (simplified) inbound mail flow is:
postscreen -> postfix (smtpd_rcpt_restrictions, etc.) -> pmg-smtp-filter (rule-system) -> postfix (10025) -> downstream server
(as explained in my post above in more details)

I hope this explains it!
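The stage order just listed is what decides which daemon writes a rejection line, and that is the quickest answer to the earlier question about whether a WHO/WHAT rule runs before or after a custom smtpd_recipient_restrictions entry. The following script is an added example, not PMG's or Postfix's own code: it reads mail.log lines and attributes each decision to a pipeline stage, so a client rejected by postscreen or by postfix/smtpd is shown as never having reached the rule system. The sample excerpt is constructed (placeholder hosts, addresses and queue ids, modelled on the lines quoted in this thread); the 'block mail to' line shape is assumed by analogy with the 'accept mail to' and 'notify' lines shown above.

```python
"""Classify PMG mail.log lines by the inbound pipeline stage that handled them.

Added example (not PMG's or Postfix's code). Stage order follows the thread:
postscreen -> postfix smtpd (restriction lists) -> pmg-smtp-filter (rule
system) -> reinjection on 10025 -> downstream relay.
"""
import re
from collections import Counter

# Pipeline order, earliest first.
STAGES = ("postscreen", "postfix-smtpd", "pmg-smtp-filter", "delivery")

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w/-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Pre-queue rejections issued by postscreen or by the smtpd restriction lists.
NOQUEUE_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<client>\S+): (?P<status>\d{3} \S+ .*?); "
    r"from=<(?P<from>[^>]*)>,? to=<(?P<to>[^>]*)>"
)
# Rule-system actions logged by pmg-smtp-filter. 'accept mail to' and 'notify'
# appear in the thread; 'block mail to' is ASSUMED to follow the same shape.
FILTER_RE = re.compile(
    r"^(?P<qid>[0-9A-F]+): (?P<action>[a-z]+)(?: mail to)? <(?P<rcpt>[^>]+)>"
    r".*\(rule: (?P<rule>[^)]+)\)"
)
# Final delivery attempt by postfix/smtp after reinjection.
DELIVERY_RE = re.compile(
    r"^(?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, relay=(?P<relay>\S+), "
    r".*status=(?P<status>\w+)"
)


def parse_line(line):
    """Return a stage/outcome event for one log line, or None if it is only informational."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    prog, msg = m["prog"], m["msg"]
    if prog in ("postfix/postscreen", "postfix/smtpd"):
        r = NOQUEUE_RE.search(msg)
        if r:
            stage = "postscreen" if prog.endswith("postscreen") else "postfix-smtpd"
            return {"stage": stage, "outcome": "reject", "client": r["client"],
                    "to": r["to"], "detail": r["status"]}
    elif prog == "pmg-smtp-filter":
        r = FILTER_RE.match(msg)
        if r:
            return {"stage": "pmg-smtp-filter", "outcome": r["action"], "qid": r["qid"],
                    "to": r["rcpt"], "detail": r["rule"]}
    elif prog == "postfix/smtp":
        r = DELIVERY_RE.match(msg)
        if r:
            return {"stage": "delivery", "outcome": r["status"], "qid": r["qid"],
                    "to": r["rcpt"], "detail": r["relay"]}
    return None


def classify_log(text):
    """Parse every line of a log excerpt and keep only the decision events, in order."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def summarize(events):
    """Count decisions per stage; stages that never appear are reported as 0."""
    counts = Counter(e["stage"] for e in events)
    return {stage: counts.get(stage, 0) for stage in STAGES}


def rule_system_saw(events, recipient):
    """True if pmg-smtp-filter logged any rule action for this recipient."""
    return any(e["stage"] == "pmg-smtp-filter" and e["to"] == recipient for e in events)


# Constructed sample excerpt modelled on the thread's lines; every host,
# address and queue id is a placeholder.
SAMPLE_LOG = """\
Oct 29 14:45:49 mgw postfix/postscreen[10459]: CONNECT from [203.0.113.45]:39982 to [198.51.100.10]:25
Oct 29 14:45:49 mgw postfix/postscreen[10459]: NOQUEUE: reject: RCPT from [203.0.113.45]:39982: 550 5.7.1 Service unavailable; client [203.0.113.45] blocked using bl.example.invalid; from=<a@spam.example>, to=<jack@userdom.com>, proto=ESMTP, helo=<x.spam.example>
Oct 29 14:11:03 mgw postfix/smtpd[15282]: NOQUEUE: reject: RCPT from mx.example.net[203.0.113.58]: 554 5.7.1 <mx.example.net[203.0.113.58]>: Client host rejected: 550 SPR-203.0.113.0; from=<b@spam.example> to=<obriens@userdom.com> proto=ESMTP helo=<mail.spam.example>
Oct 29 21:27:44 pmg pmg-smtp-filter[985]: 43A125F9AC350A58D8: new mail message-id=<m1@mail.example>
Oct 29 21:27:51 pmg pmg-smtp-filter[985]: 43A125F9AC350A58D8: block mail to <sales@domain.com> (rule: Block-Spam)
Oct 29 21:27:51 pmg pmg-smtp-filter[985]: 43A125F9AC350A58D9: accept mail to <user1@domain.com> (A4FC743B90) (rule: default-accept)
Oct 29 21:28:00 pmg postfix/smtp[1126]: A4FC743B90: to=<user1@domain.com>, relay=remote.domain.com[192.168.40.230]:25, delay=8.6, delays=0/0/8.6/0, dsn=2.0.0, status=sent (250 Ok)
"""

if __name__ == "__main__":
    evs = classify_log(SAMPLE_LOG)
    for e in evs:
        print(f"{e['stage']:16} {e['outcome']:8} to=<{e['to']}> {e['detail']}")
    print(summarize(evs))
```

Feed it `grep` output for one client or one queue id: if the only events are postscreen or postfix-smtpd rejections (as with the SPR- entries above), the mail was stopped before pmg-smtp-filter ran and no Who object was consulted, so a missing '(rule: ...)' line is expected rather than evidence that the rule failed.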
 
Hello Again, sorry for the delays, just a little crazy in the IT world as I'm sure you are as well.

Here is an example of a WHO object, showing it should be blocked, and its header.
 

Attachments: quarantine.txt, who-object.png, 2 - Rule.png
Don't think your regex is working. Have you tested it first?
Try this regex (\W|^)[\w.+\-]{0,50}@[\w.+\-]{0,50}abideedict\.com(\W|$)

 
Additionally (although unrelated), your regular expressions seem a bit odd/wrong:
* no need to escape '\' (unless you want to match a literal backslash), for example
Try adding simpler regular expressions - if you want to block SMTP envelope addresses from 'phxwebserver.com' (or any subdomain of it), try:
'.*phxwebserver.com' (also use the test field for regular expressions to see if it matches or not)

Also please post the logs if you think that the rule-system did not work as you expect it to work.
 
Don't think your regex is working. Have you tested it first?
Try this regex (\W|^)[\w.+\-]{0,50}@[\w.+\-]{0,50}abideedict\.com(\W|$)

Those are the regular expressions you provided me within the threads here in the forum, and there was even a time I mentioned it didn't work.
I mentioned I used an online regex test site to confirm it.
I then switched some of my rules to this (^|^[^:]+:\/\/|[^\.]+\.)embluemail\.com
I will update all of mine to this format.

To confirm: if I just put the domain as WHAT to block, so embluemail.com, will that not work as long as it's contained within whatever is being verified against, instead of having to do a regex?
Also please post the logs if you think that the rule-system did not work as you expect it to work.
Hello,

While I can see the information at times within the PMG tracker or other areas, I can search mail.log and not find a match.
Is there another log I should be looking in?

Thanks
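To see what the regular expressions traded in this thread actually match, and how that differs from a plain domain key in a Postfix access table, here is an added Python check (not PMG's or Postfix's code). It takes the loose '.*phxwebserver.com' suggestion and the '(\W|^)[\w.+\-]{0,50}@[\w.+\-]{0,50}...\.com(\W|$)' form from above (with phxwebserver.com substituted for the domain), adds a stricter anchored pattern, and runs all three against constructed sample addresses. It also implements the access(5) 'domain.tld' / '.domain.tld' lookup rules quoted earlier; those apply only to hand-written Postfix tables such as sender_reject_domain, not to Who objects. That the default value of parent_domain_matches_subdomains lists smtpd_access_maps is an assumption stated here, not something the thread says, and the matcher takes it as a parameter. The unanchored, case-insensitive search used for the regex check is likewise an assumption about how a regex test field behaves.

```python
"""Compare Who-object style regexes with access(5) domain keys.

Added example, not PMG's or Postfix's code. Patterns 'loose' and 'thread' are
the forms suggested in the thread (domain swapped to phxwebserver.com);
'strict' is added here.
"""
import re

# Constructed sample envelope senders; placeholders, not real senders.
SAMPLES = [
    "news@phxwebserver.com",          # the domain itself
    "bounce@mail.phxwebserver.com",   # a subdomain
    "ops@notphxwebserver.com",        # a different domain that merely ends with the string
    "x@phxwebserverXcom",             # what an unescaped '.' will also match
    "legit@example.com",              # unrelated
]

CANDIDATES = {
    "loose": r".*phxwebserver.com",
    "thread": r"(\W|^)[\w.+\-]{0,50}@[\w.+\-]{0,50}phxwebserver\.com(\W|$)",
    "strict": r"^[^@]+@([\w-]+\.)*phxwebserver\.com$",
}


def regex_matches(pattern, address):
    """Unanchored, case-insensitive search (ASSUMED to mirror a regex test field)."""
    return re.search(pattern, address, re.IGNORECASE) is not None


def evaluate(candidates=CANDIDATES, samples=SAMPLES):
    """Map each pattern name to the list of sample addresses it matches."""
    return {name: [a for a in samples if regex_matches(p, a)]
            for name, p in candidates.items()}


def access_domain_match(key, address, parent_matches_subdomains=True):
    """Postfix access(5) lookup semantics for a domain key.

    'domain.tld' matches the address's domain part; '.domain.tld' matches its
    subdomains and is only consulted when smtpd_access_maps is NOT listed in
    parent_domain_matches_subdomains. When it IS listed (ASSUMED here to be the
    postconf default), the plain 'domain.tld' key matches subdomains as well.
    """
    domain = address.rsplit("@", 1)[-1].lower()
    key = key.lower()
    if key.startswith("."):
        return (not parent_matches_subdomains) and domain.endswith(key)
    if domain == key:
        return True
    return parent_matches_subdomains and domain.endswith("." + key)


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:7}: {hits}")
    for addr in SAMPLES:
        print(f"access phxwebserver.com vs {addr}: {access_domain_match('phxwebserver.com', addr)}")
```

The point worth noticing is that both regex forms from the thread also match ops@notphxwebserver.com, and the loose one additionally matches x@phxwebserverXcom because its dot is unescaped; the access(5) key matches the domain part as a whole, so neither false positive occurs there.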
 
