[SOLVED] How to configure rule set priority for two different block levels for domains and some additional requirements

poetry

Active Member
May 28, 2020
206
57
33
So I am struggling to make this optimal it seems like every way I try to configure this it just does not work the way I want it. I don't want to configure yet another mail gateway just for this it's too painful to manage just one pmg. I understand there are limitations with pmg https://forum.proxmox.com/threads/h...vd-bytecode-cvd-databases.117813/#post-510260 but this for me is a deal breaker and I am considering just finishing my work with pmg and letting someone else deal with it. It's taking too much of my time away from other important work.

My goal for our setup is to have two different configurations (for domains we filter mail):
  • primary configuration that is more aggressive and will block message at spam level 6 (this is the default for almost all domains)
  • secondary configuration that is more relaxed and will block at spam level 10 (for some domains the default setup is too aggressive) rule OverLevel5AcceptSpamException
Additional requirement for both configurations:
  • processing should be minimized if possible (no adding of disclaimer or modify field: subject if message is to be blocked) ?
  • every message spam level higher then 2 add disclaimer to message (OverLevel2SenderWarning rule)
  • every message spam level higher then 4 modify field: subject (OverLevel4MarkSpam rule)
  • every message that contains virus block and notify sender (?)
  • every message that contains forbidden attachment block and notify sender (?)
  • whitelist and blocklist should work also for both configurations (?)
I have quite a few of ? marks for like
  • how to minimize processing I see that in my current configuration disclaimer is added on messages that are blocked
  • should I actually notify sender if they are sending a virus message (some mail providers will not notify sender if message is detected as virus by pmg (example google mail) right now I see that someone is sending virus from some compromised server and in the envelope from another domain so we are sending notifications to sender that is not actually sending virus that is bad like really bad it should not do that
  • I want to make sure if someone is sending messages that contain forbidden attachment they are notified that they are sending forbidden attachment (but want to minimize the notifications for spam senders that will send massive amounts of messages with forbidden attachment)
  • I want the detected message virus or forbidden attachment in the quarantine for analytics so if I need to report a false positive I can and I have the data this is not possible if I want to use block rule and I want to have message in the quarantine
  • where to actually put whitelist or blocklist priority. I don't want virus delivery even if domain/network,ip ect is on whitelist
So if we take into the account everything I said above here is something I come up with but it just does not work the way I want it to work. I understand this is a hard problem but it should be possible to configure this in the optimal way maybe I am just not experienced enough?

As far as I understand the highest priority rules will be processed first as I noticed by making whitelist highest priority then viruses were delivered as well if that network/ip was on the whitelist (that is a bad thing).
Action Object Accept, Block, Quarantine are final so if a message is processed with this rule then the message is delivered or blocked or quarantined without any other rules processing.

So how would you set up the priority for all my requirements so they will work the most optimal way they can with proxmox mail gateway?

Here is something I come up with but it does not seem to work the way I want it (main thing right now it's adding disclaimer to blocked messages why it's doing that?? rule OverLevel6BlockSpam is pocessed)

Here are my rules:
1. Blocklist on top because if it's on blocklist it should be blocked no point in processing just block immediately
1669027435372.png

2. If it's a forbidden attachment then it should also block immediately no need to processes any further
1669027507024.png

3. If there is a virus it should then also block and no need to process any more as we don't want this delivered
1669027594968.png

4. This seems like a good place to put whitelist and avoid viruses delivered or other items we don't want to deliver even if they are on whitelist
1669027683874.png

5. This seems like a good place to put modify header spam level so we can see on mails that are delivered what spam score is in the headers. Maybe I should put this before Whitelist that might be even better
1669027727647.png

6. spam score 2 add disclaimer to message how will this work? will I have disclaimer on blocked message will this increase processing time?
1669027793199.png

7. spam score 4 modify field: subject on message how will this work? will I have disclaimer on blocked message will this increase processing time?
1669027930397.png

8. don't know if this is correct for my secondary configuration that is more relaxed
1669027979030.png
9. don't know if this is correct for my secondary configuration that is more relaxed
1669028037235.png

10. final rule again don't know if this is correct
1669028073662.png

Let me know if you have any idea if this can be improved or should I just give up on two different block levers for domains and just let everything be blocked only if spam score is higher then 10?.
I spend a lot of my brain energy on this and I am stuck how I can improve it so it will work the way I want it to work...
 
One quick questions before going into the details - do you experience any issue with the processing time of PMG?
* in almost all healthy/not broken setups the limiting factor is spam-analysis - which runs the message through SpamAssassin.
* adding disclaimers, modifying headers usually does not take long, and should not take long
* analyzing with spamassassin also should not take too long (a few seconds usually)

I'm just asking because it seems like your creating quite a complicated setup, just to optimize things that don't need optimization

if your rule-processing takes longer - please provide some logs - maybe I can see something relevant
 
@Stoiko Ivanov I understand your point but I do not agree with it. I was expecting this answer that is why I simplified the configuration so now I have just one ruleset for all domains. But again even with this setup I cannot do what I want to do.

Why would you not want to optimize and minimize processing on mails? I only see benefits from this no downsides.
Example of few benefits:
- Faster mail delivery
- Less notifications to virus senders
- Less chance of errors
- More clean logs
- More clear statistics
- Less irrelevant items in quarantine

If I make the rules badly I am just adding unnecessary processing and maybe even some unexpected behavior because of additional rules processing for no reason. It pains me to see that people don't think like this. Clean, optimized solution should always win over badly optimized and ugly solution.

Example I cannot do this simple requirement. I want to virus scan whitelisted messages so even if I whitelist something virus messages will not be delivered to receiver.

You can say this is the correct solution but I do not agree with this solution:
1669149228504.png

Reason is now I will be adding virus messages to quarantine even if this messages has spam score over 10. On all this virus messages I will be also sending notifications to virus sender. I had a case yesterday where there was a virus sender with score over 10 and it was sending over 25 unique notifications to some sender that was not actually the real sender.

This is again limitation in pmg.

How do you solve this? I have tested with gmail that is my standard testing provider that even if I block virus messages gmail sender is not notified that message has been blocked. I think I read on the forum it has to do something with how the virus processing is done. Again this is not acceptable because I want people to know that we have blocked their message acceptable behavior would be that they are notified the same way as other blocked spam messages. Best block behavior would be something like google where they actually give you reason why you have been blocked but I guess that takes quite a lot of work to implement.

Again I want virus messages to be in the quarantine so I have information for reporting false positives so blocking is not an option as I then lose the message.

This is the reason why I am trying to optimize rules to reduce the number of notifications to virus senders that are not actually sending virus messages but someone is spoofing their email address.


In my opinion if message has high spam score then I don't care if it's a virus message and should just be blocked no need to do additional processing and adding to quarantine and sending notifications. It's clear this message has to be blocked and the only reason I am adding messages to quarantine is to check for virus false positives so I can submit them as false positives if I need to. If message is blocked by spam score I can always see clearly why it's been blocked by spam scores it's not that easy to do that with virus messages.

Now another way to do this that I think it's a better way is like this:
1669149682124.png

I like this configuration much better because now if message is spam level over 10 it will be blocked immediately. Even if this message is virus notification will not be send to virus sender. I will probably stay at this configuration but it pains me to have this kind configuration because I have a lot of whitelist items.

The main problem with whitelist items is that you cannot add them in a way that would stop malicious senders. Any smart malicious sender can modify from address so it will be sending messages in a name of another domain. Example if I want to add a domain to whitelist and they are using office 365 servers for sending email I cannot add office 365 servers (IP/Network) to whitelist because then I will be allowing all the malicious senders using hotmail and other domains that use office 365 servers. So the only way to add to whitelist some sender is to add domain whitelist that would mean I am exposed to malicious senders they will go around this whitelist.

Simple example is dhl.com I want to whitelist dhl.com I had done this by adding domain whitelist for dhl.com and I have noticed that virus and messages with over 30 spam score have been delivered. After looking at this further I have found that senders have been spoofing from address and that is the reason why malicious senders have been successfully delivering mail with my whitelist.

I was thinking about how to solve this and I see only one way you can actually solve (but not really) this is that if you add domain whitelist it will actually also check the SPF record for whitelisted domain and even if domain is whitelisted and it fails SPF check then it will be blocked.
This could be even a separate way to add a whitelist then what is build in now in pmg.

For example dhl.com they do not really seem to care about abuse that is happening of their domains because their SPF configuration is soft fail allowed and they even use include:e2ma.net include:spf.mandrillapp.com so if I go and create account via mandrillapp.com or e2ma.net and I start sending email as dhl.com I will actually succeed by making SPF complaint mail from dhl.com. This is bad and if dhl.com was serious about people not abusing their domain they would not use softfail but spf hard fail and they would not be using mandrillapp.com or e2ma.net services. They would also configure their dmarc to enforce SPF and DKIM to script and reject everything.
I have configured Custom Scores to block if you have dmarc and spf policy configured correctly for your domain and this works extremely well for domains that know how to configure this properly.

1669152801113.png
1669152812741.png

https://app.dmarcanalyzer.com/dns/spf?customerid=0
1669152150129.png

How do you block malicious sender that is spoofing dhl.com domain that has been added as domain whitelist? Don't think you can but by checking SPF for whitelisted domains. Even with this smart malicious senders will go around it.

So you might say remove everything from whitelist and remove all custom spam scores and just run with the default configuration but in my experience this will just mean that you are not blocking almost any spam. It is really that bad.

You might say enable bayesian filter but in my experience it produced more false positives than useful detection's.

I also don't know if this is a good way to detect forbidden attachments. I want to detect attachments in archives. I see that messages processed by this rule take the most time to process:
1669156002103.png

Code:
.*\.(ade|ade|adp|apk|app|application|appref-ms|appx|appxbundle|arj|asp|aspx|asx|bas|bat|bgi|bz|cab|cer|chm|cmd|cnt|com|cpl|csh|der|diagcab|dll|dmg|ex|ex_|exe|fxp|gadget|grp|hlp|hpj|hta|htc|img|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lib|lnk|lz|lzh|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh1xml|msh2|msh2xml|mshxml|msi|msix|msixbundle|msp|mst|msu|nsh|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|py|pyc|pyo|pyw|pyz|pyzw|r00|r01|rar|reg|scf|scr|sct|shb|shs|sys|tar|theme|tmp|url|vb|vbe|vbp|vbs|vhd|vhdx|vps|vsmacros|vss|vst|vsw|vxd|webpnp|website|wim|ws|wsc|wsf|wsh|xbap|xll|xnk|xz)

Is there any difference if I add as Archive Filter each extension I want to block? Will it be faster at processing or the same? I want to also block all extensions in archives.
1669156054858.png


I see errors on messages that are processed by this rule (is this just a case of encrypted files or some other error?)
Code:
Nov 22 22:26:24 server pmg-smtp-filter[137619]: 1212E9637D3E8043888: found archive ' anon.txt' (message/rfc822)
Nov 22 22:26:24 server pmg-smtp-filter[137619]: 1212E9637D3E8043888: unpack failed - unexpected number of files '0' at /usr/share/perl5/PMG/Unpack.pm line 481.
Nov 22 22:26:24 server pmg-smtp-filter[137619]: 1212E9637D3E8043888: unpack archive ' anon.txt' done (4 ms)

Nov 22 10:58:49 server pmg-smtp-filter[69949]: 1215A7637C9D598A0E2: found archive ' anon' (application/zip)
Nov 22 10:58:49 server pmg-smtp-filter[69949]: 1215A7637C9D598A0E2: unpack failed - child '70100' failed: 512
Nov 22 10:58:49 server pmg-smtp-filter[69949]: 1215A7637C9D598A0E2: unpack archive ' anon' done (42 ms)

Nov 22 18:19:54 server pmg-smtp-filter[120764]: 121805637D04B96F93A: found archive ' anon.docx' (application/zip)
Nov 22 18:19:54 server pmg-smtp-filter[120764]: 121805637D04B96F93A: unpack failed - child '120876' failed: 512
Nov 22 18:19:54 server pmg-smtp-filter[120764]: 121805637D04B96F93A: unpack archive ' anon.docx' done (31 ms)

Nov 22 18:46:24 server pmg-smtp-filter[121731]: 1212B5637D0AF093DB1: found archive ' anon.txt' (message/rfc822)
Nov 22 18:46:24 server pmg-smtp-filter[121731]: 1212B5637D0AF093DB1: unpack failed - unexpected number of files '0' at /usr/share/perl5/PMG/Unpack.pm line 481.
Nov 22 18:46:24 server pmg-smtp-filter[121731]: 1212B5637D0AF093DB1: unpack archive ' anon.txt' done (3 ms)

Nov 22 18:19:54 server pmg-smtp-filter[120852]: 1212AF637D04B967D14: found archive ' anon.docx' (application/zip)
Nov 22 18:19:54 server pmg-smtp-filter[120852]: 1212AF637D04B967D14: unpack failed - child '120877' failed: 512
Nov 22 18:19:54 server pmg-smtp-filter[120852]: 1212AF637D04B967D14: unpack archive ' anon.docx' done (17 ms)

Nov 22 11:56:29 server pmg-smtp-filter[79219]: 1215A7637CAADD0D161: found archive ' anon.zip' (application/zip)
Nov 22 11:56:29 server pmg-smtp-filter[79219]: 1215A7637CAADD0D161: unpack failed - child '79262' failed: 512
Nov 22 11:56:29 server pmg-smtp-filter[79219]: 1215A7637CAADD0D161: unpack archive ' anon.zip' done (44 ms)

Nov 22 19:01:06 server pmg-smtp-filter[122593]: 121578637D0E62A7739: found archive ' anon.zip' (application/zip)
Nov 22 19:01:06 server pmg-smtp-filter[122593]: 121578637D0E62A7739: unpack failed - child '122636' failed: 512
Nov 22 19:01:06 server pmg-smtp-filter[122593]: 121578637D0E62A7739: unpack archive ' anon.zip' done (36 ms)


I had four outstanding issues with filtering one was virus filtering but this looks like it's solved by this https://forum.proxmox.com/threads/o...inux-integration-with-pmg.116858/#post-509574 but in my opinion is it not solved until we have official support for eset right now I am in the dark how it actually works I would like a more in depth view how mails are processed and if there are any errors while processing and any other detail about how the scripts are working and how we can even improve or implement this solution natively to proxmox mail gateway. I don't want to use Avast as we already have ESET and we use the product extensively.

Another issue is phishing emails this seems to be really popular right now I am struggling to block them and it's taking a lot of my time and I don't see a solution that could solve this for me in an automated way. Before I block them damage is already done many phishing mails are delivered. How do you actually implement deep link detection (usually there are multiple redirects that then point to the final server that is doing the phishing). Usually are this new servers with generic forms that have not been reported yet so this is an extremely hard problem to deal with.

Another outstanding issue is just generally better spam detection I am hitting the local maximum with what I can do even after I have enabled everything I can with pmg that could help me to filter better and after all work I put in.

Last it's this is not actually multitenant solution so if I would actually want to give access to log view to our consumer administrators this is not possible and I did not even start looking at how to enable access to spam quarantine for users I am guessing this is not simple to actually do well and exposing our mail gateway via ssl to internet could be another attack vector for attacker. Almost all our users are outside the network where this gateway is located so the only way is to expose the gateway to the internet via https don't think I am comfortable with doing that.

Should I just revert to default configuration of proxmox and let it go? What will the results be? They are not going to be good. If I do not see the path for improvement then I am forced to complete my work with proxmox mail gateway. Even if I put 10x more hours in I don't see a path for success that means that I should move my attention to something else that will provide more value to our company and to me.

Is there actually something on proxmox mail gateway roadmap that will significantly improve all points noted above?

It really pains me after putting so much work into this and after finally kind of understanding how it works that this is all there is. This is not a solution I could say I have implemented well and I could say it's excellent. It's not a solution or service I can confidently say to our customers that is the best in our country even after putting in so many hours to make it good. After all optimization I would still give it 3 of 10 score on scale of 1 to 10. Seriously.

Will see how many false positives I will get in the future I will reduce spam detection to get less false positives because it's a big pain to add good whitelists and it just takes away time I could be using for something I can actually improve.

EDIT: NOT Solved I am giving up on this for now. It's a big pain but there is nothing I can actually do to go around all the limitations pmg has. We should switch to other solution if we want better results.
 
Last edited:

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!