[SOLVED] How can I see which record of a rule caused the rule to trigger

kalachev_89

New Member
Nov 7, 2022
Good day to all.
I have a strange situation.
I have a rule that blocks e-mails by the FROM field. I add different domains to it for rejection on PMG.
Today I got a ticket from a user that e-mail from 1 sender doesn't arrive.
I found via the Tracking Center that the e-mail was rejected by this rule. But in the list of domains I don't see anything similar to the sender address. How can I check which record triggers the rule?
We use PMG 7.1-9. Logs look good.
 

poetry

Active Member
May 28, 2020
In the email logs you will usually see what rule was triggered for that email.
Can you provide the anonymized logs for that blocked email?
How are your priority rules set on your filter? Can you share?
Is it possible that you have rules that have the same names? Make sure they are named differently so you can differentiate between them...

This line will tell you what rule blocked that email:
Nov 20 15:57:54 server pmg-smtp-filter[9467]: 120F8D637A4070CDDB6: block mail to <receiver> (rule: OverLevel6BlockSpam)

Here is an example:
Code:
Nov 20 15:57:51 server postfix/smtpd[9710]: connect from mail-pl1-f171.google.com[209.85.214.171]
Nov 20 15:57:52 server postfix/smtpd[9710]: Anonymous TLS connection established from mail-pl1-f171.google.com[209.85.214.171]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Nov 20 15:57:52 server postfix/smtpd[9710]: NOQUEUE: client=mail-pl1-f171.google.com[209.85.214.171]
Nov 20 15:57:52 server pmg-smtp-filter[9467]: 120F8D637A4070CDDB6: new mail message-id=<CADowMUsdHfmKey1E4wCSjnW=pO1hb3Vfs_aY3MxzdRiQwGFwgQ@mail.gmail.com>#012
Nov 20 15:57:54 server pmg-smtp-filter[9467]: 120F8D637A4070CDDB6: SA score=7/5 time=1.178 bayes=undefined autolearn=disabled hits=DKIM_SIGNED(0.1),DKIM_VALID(-0.25),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),FREEMAIL_FROM(0.25),FREEMAIL_REPLYTO(1),RCVD_IN_DNSWL_NONE(-0.0001),RCVD_IN_MSPIKE_H2(-0.001),SPF_HELO_NONE(0.001),SPF_PASS(-0.25),SUBJ_ALL_CAPS(0.5),UNDISC_FREEM(6)
Nov 20 15:57:54 server pmg-smtp-filter[9467]: 120F8D637A4070CDDB6: added disclaimer (rule: OverLevel2SenderWarning)
Nov 20 15:57:54 server pmg-smtp-filter[9467]: 120F8D637A4070CDDB6: block mail to <receiver> (rule: OverLevel6BlockSpam)
Nov 20 15:57:54 server pmg-smtp-filter[9467]: 120F8D637A4070CDDB6: processing time: 1.252 seconds (1.178, 0.027, 0.025)
Nov 20 15:57:54 server postfix/smtpd[9710]: proxy-reject: END-OF-MESSAGE: 554 5.7.1 Rejected for policy reasons (120F8D637A4070CDDB6); from=<sender> to=<receiver> proto=ESMTP helo=<mail-pl1-f171.google.com>
Nov 20 15:58:24 server postfix/smtpd[9710]: disconnect from mail-pl1-f171.google.com[209.85.214.171] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=0/1 rset=1 quit=1 commands=7/8
 
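The lookup described in the post above, as an added example that is not part of the original thread: it groups `pmg-smtp-filter` lines by queue ID, collects each `(rule: ...)` action, and joins them to the postfix `proxy-reject` line for the sender. The function names are hypothetical, the sample log is constructed from the format quoted above, and queue IDs are assumed to be upper-case hex as in that sample.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the log lines quoted in the post above.
SAMPLE_LOG = """\
Nov 20 15:57:52 server pmg-smtp-filter[9467]: 120F8D637A4070CDDB6: new mail message-id=<example@mail.example>#012
Nov 20 15:57:54 server pmg-smtp-filter[9467]: 120F8D637A4070CDDB6: added disclaimer (rule: OverLevel2SenderWarning)
Nov 20 15:57:54 server pmg-smtp-filter[9467]: 120F8D637A4070CDDB6: block mail to <receiver> (rule: OverLevel6BlockSpam)
Nov 20 15:57:54 server postfix/smtpd[9710]: proxy-reject: END-OF-MESSAGE: 554 5.7.1 Rejected for policy reasons (120F8D637A4070CDDB6); from=<sender> to=<receiver> proto=ESMTP helo=<mail.example>
"""

# "<queue id>: <action> (rule: <name>)" as written by pmg-smtp-filter
RULE_RE = re.compile(
    r"pmg-smtp-filter\[\d+\]: (?P<qid>[0-9A-F]+): (?P<action>.+?) \(rule: (?P<rule>[^)]+)\)")
# postfix reject line: same queue id in parentheses, then the envelope addresses
REJECT_RE = re.compile(
    r"proxy-reject: .*\((?P<qid>[0-9A-F]+)\); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>")

def rules_per_mail(log_text):
    """Return {queue_id: {"rules": [(action, rule), ...], "sender": ..., "rcpt": ...}}."""
    mails = defaultdict(lambda: {"rules": [], "sender": None, "rcpt": None})
    for line in log_text.splitlines():
        m = RULE_RE.search(line)
        if m:
            mails[m["qid"]]["rules"].append((m["action"], m["rule"]))
            continue
        m = REJECT_RE.search(line)
        if m:
            mails[m["qid"]].update(sender=m["sender"], rcpt=m["rcpt"])
    return dict(mails)

def blocking_rules(log_text, sender):
    """Names of rules that logged a 'block' action for mail rejected from `sender`."""
    return sorted({rule
                   for info in rules_per_mail(log_text).values()
                   if info["sender"] == sender
                   for action, rule in info["rules"]
                   if action.startswith("block")})

if __name__ == "__main__":
    for qid, info in rules_per_mail(SAMPLE_LOG).items():
        print(qid, info)
    print(blocking_rules(SAMPLE_LOG, "sender"))
```

Two rules that share a name are indistinguishable in this output, which is why the post asks that rules be named differently.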

kalachev_89

I see the name of the rule that blocked that e-mail.
I want to see which record from the rule blocked the e-mail.
Example:
Rule "block by sender domain". And it has 10 records
domain1
domain2
.....
domain10
End
And I want to see by which record of these 10 the rule was triggered.
 

Stoiko Ivanov

Proxmox Staff Member
Staff member
May 2, 2018
The individual fields which match are not logged - you can split up a large What Object into multiple ones and thus bisect which field matched - if you provide `pmgdb dump` and the complete logs for the mail, and the relevant parts of the header, we might be able to help you...
 

kalachev_89

> The individual fields which match are not logged - you can split up a large What Object into multiple ones and thus bisect which field matched - if you provide `pmgdb dump` and the complete logs for the mail, and the relevant parts of the header, we might be able to help you...

Thanks for the great idea!
I exported the PMG config via pmgdb dump and found the block with all records of the "block by sender domain" rule. I copied them to a file and, via a simple PowerShell script, found the problem record by regex.
PS script for example:
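Code:
# Records of the rule, copied from the pmgdb dump output, one per line
$p = Get-Content -Path C:\Users\mail_admin\Desktop\rules.txt
# Remove all unnecessary symbols at the beginning of each line before =
$p = $p -creplace '^[^\\]*\=', ''
$example = "problem_email@domain.com"
foreach ($pl in $p) {
    # Select-String rejects an empty pattern, so skip blank lines
    if ([string]::IsNullOrWhiteSpace($pl)) { continue }
    # Treat the record as a regex and test it against the sender address
    $result = $example | Select-String -Pattern $pl
    if ($null -ne $result) {
        Write-Output "Pattern $pl match to $example"
    }
}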
 

Stoiko Ivanov

> Thanks for the great idea!
> I exported the PMG config via pmgdb dump and found the block with all records of the "block by sender domain" rule. I copied them to a file and, via a simple PowerShell script, found the problem record by regex.

Also a viable solution! - would not have arrived at that - but then again - am not really using PowerShell

In any case - glad you solved your issue!
 
