I want to avoid some user attaching an internal Postfix server and trying to send, from his laptop or PC, a fake origin. My firewall sends all port 25 traffic coming from inside to outside to my PMG for controlling my network and reputation. Sometimes a client wants to joke and sends a fake mail from an unknown address to another unknown address; I want to block all those mails.
The problem is that I do not have LDAP for the external domains, so I cannot get all the accounts of my external domains. I want to build a filter rule where an email not in the LDAP list and not owned by the external domains, going to any account not in the LDAP list and not owned by the external domains, must send a notification to the administrator and send the message to quarantine for post-revision.
Following this logic...
For building this rule I have created some rules for debugging, starting with two "Who Objects": 1. Known Accounts, containing accounts from LDAP and external accounts from the allowed external domains, and 2. Unknown Accounts, containing addresses not in LDAP and not in the allowed domain accounts.
"Known Accounts":
- RegExp -> ^\w+[-\.\w]*@(externaldomain1.com|externaldomain2.com)
- Existing LDAP address, any profile
"Unknown Accounts":
- Unknown LDAP address, any profile
- RegExp -> ^\w+[-\.\w]*@(?!(?:externaldomain1\.com|externaldomain2\.com)$)\w+[-\.\w]*
Then I added three filter rules as follows, with only a notification action, to debug which rules match (I do not block, to avoid losing mails):
1. test FROM UNKNOWN TO KNOWN
Action -> Notify Admin
From -> Unknown Accounts
To -> Known Accounts
2. test FROM UNKNOWN TO UNKNOWN
Action -> Notify Admin
From -> Known Accounts
To -> Unknown Accounts
3. test FROM UNKNOWN TO UNKNOWN
Action -> Notify Admin
From -> Unknown Accounts
To -> Unknown Accounts
Then the output of the notification is as follows:
Proxmox Notification:
Sender: root@internaldomain.com
Receiver: user1@externaldomain1.com
Targets: user1@externaldomain1.com
Subject: Cron <root@monitor.internaldomain.com> bash /root/bin/checkall
Matching Rule: test FROM UNKNOWN TO KNOWN
Rule: test FROM UNKNOWN TO UNKNOWN
Receiver: user1@externaldomain1.com
Action: notify user2@internaldomain.com
Rule: test FROM UNKNOWN TO KNOWN
Receiver: user1@externaldomain1.com
Action: notify user2@internaldomain1.com
Spam detection results: 0
SPF_FAIL 0.919 SPF: sender does not match SPF record (fail)
SPF_HELO_PASS -0.001 SPF: HELO matches SPF record
----------------------------------------------------------------------------------------------
My question is: why does the rule "test FROM UNKNOWN TO UNKNOWN" match if the regexp denies all external domains plus all accounts not in LDAP?
What is the right way to build this filter so that it only matches, for example, from account1@gmail.com to account2@yahoo.com?
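The following Python model is an added example, not code from the post or from Proxmox Mail Gateway. It reproduces the two Who objects exactly as the regexes are written above and evaluates the three rules against the addresses from the notification. It assumes that a PMG Who object matches when any one of its entries matches (entries are OR-ed), and it uses a constructed stand-in LDAP directory in which the cron sender root@internaldomain.com is not an LDAP user (that assumption is what makes the model reproduce the notification, where rule 1 and rule 3 fired and rule 2 did not). With OR semantics, "Unknown Accounts" matches user1@externaldomain1.com through the "Unknown LDAP address" entry alone, because addresses in the external domains are never in LDAP, so the regex never gets a say. The last part shows one alternative definition, a single regex entry that excludes every domain the organisation owns, so that only traffic between foreign addresses such as gmail.com to yahoo.com matches; the domain list there is a placeholder for the real one.

```python
import re

# The two regex entries exactly as written in the post's Who objects
# (PMG uses Perl-style regexes; Python's re behaves the same for these).
KNOWN_RE = re.compile(r"^\w+[-\.\w]*@(externaldomain1.com|externaldomain2.com)")
UNKNOWN_RE = re.compile(
    r"^\w+[-\.\w]*@(?!(?:externaldomain1\.com|externaldomain2\.com)$)\w+[-\.\w]*"
)

# Constructed stand-in for the LDAP directory: only internal-domain users live
# there, and root@internaldomain.com (the cron sender) is assumed NOT to be one.
LDAP_ADDRESSES = {"user2@internaldomain.com", "alice@internaldomain.com"}


def in_ldap(addr: str) -> bool:
    return addr.lower() in LDAP_ADDRESSES


# Assumption: a Who object matches when ANY of its entries matches (OR).
def known_accounts(addr: str) -> bool:
    # "Known Accounts": regex for the external domains OR existing LDAP address
    return bool(KNOWN_RE.match(addr)) or in_ldap(addr)


def unknown_accounts(addr: str) -> bool:
    # "Unknown Accounts": unknown LDAP address OR regex for non-external domains
    return (not in_ldap(addr)) or bool(UNKNOWN_RE.match(addr))


# The three debugging rules as listed in the post (rule 2 really uses From -> Known).
RULES = [
    (1, "test FROM UNKNOWN TO KNOWN", unknown_accounts, known_accounts),
    (2, "test FROM UNKNOWN TO UNKNOWN", known_accounts, unknown_accounts),
    (3, "test FROM UNKNOWN TO UNKNOWN", unknown_accounts, unknown_accounts),
]


def matching_rules(sender: str, recipient: str) -> list:
    """Return the numbers of the rules whose From and To objects both match."""
    return [num for num, _name, frm, to in RULES if frm(sender) and to(recipient)]


# Alternative "Unknown Accounts": one regex entry, no LDAP entry, that excludes
# every domain the organisation owns (placeholder list, replace with the real one).
OWN_DOMAINS = ["internaldomain.com", "externaldomain1.com", "externaldomain2.com"]
UNKNOWN_FIXED_RE = re.compile(
    r"^\w+[-\.\w]*@(?!(?:"
    + "|".join(re.escape(d) for d in OWN_DOMAINS)
    + r")$)\w+[-\.\w]*$"
)


def unknown_accounts_fixed(addr: str) -> bool:
    return bool(UNKNOWN_FIXED_RE.match(addr))


def fixed_rule_matches(sender: str, recipient: str) -> bool:
    """FROM UNKNOWN TO UNKNOWN with the single-regex object on both sides."""
    return unknown_accounts_fixed(sender) and unknown_accounts_fixed(recipient)


if __name__ == "__main__":
    # The mail from the notification: rules 1 and 3 fire, rule 2 does not.
    print(matching_rules("root@internaldomain.com", "user1@externaldomain1.com"))
    # A legitimate internal user writing to the external domain trips all three.
    print(matching_rules("alice@internaldomain.com", "user1@externaldomain1.com"))
    # The intended case still matches after the change, the cron mail no longer does.
    print(fixed_rule_matches("account1@gmail.com", "account2@yahoo.com"))
    print(fixed_rule_matches("root@internaldomain.com", "user1@externaldomain1.com"))
```

Run it with `python3 whoobjects.py` (assumed file name). The point of the single-regex object is that "not in LDAP and not in an owned domain" cannot be expressed by OR-ing two entries; once the LDAP entry is dropped and the owned domains are excluded in the lookahead, the object matches only addresses outside the organisation. The trailing `$` is added so that the lookahead and the domain part cover the whole address; an address like x@externaldomain1.com.evil.example is still classified as unknown because the lookahead requires the owned domain to end the string.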