How to filter ldap mail account plus external domains in same rule

Rojoblandino IBW

New Member
Aug 16, 2019
I want to prevent a user from attaching an internal postfix server and trying to send mail with a fake origin from his laptop or PC. My firewall sends all port 25 traffic going from inside to outside to my PMG, to control my network and reputation. Sometimes a client wants to joke and sends a fake mail from an unknown address to an unknown address; I want to block all such mails.

The problem is that I do not have LDAP for the external domains, so I cannot get all the accounts of my external domains. I want to build a rule filter where an email from an address not in the LDAP list and not owned by the external domains, going to any account not in the LDAP list and not owned by the external domains, triggers a notification to the administrator and sends the message to quarantine for later review.

Following this logic...

To build this rule I created some rules for debugging, starting with two "Who Objects": 1. Known Accounts, containing accounts from LDAP and accounts from the allowed external domains, and 2. Unknown Accounts, containing addresses not in LDAP and not in the allowed domains.

"Known Accounts":
- RegExp -> ^\w+[-\.\w]*@(externaldomain1.com|externaldomain2.com)
- Existing LDAP address, any profile

"Unknown Accounts"
- Unknown LDAP address, any profile
- RegExp -> ^\w+[-\.\w]*@(?!(?:externaldomain1\.com|externaldomain2\.com)$)\w+[-\.\w]*

Then I added three filter rules as follows, with only a notification action to debug which rules match (I do not block, to avoid losing mail):

1. test FROM UNKNOWN TO KNOWN
Action -> Notify Admin
From -> Unknown Accounts
To -> Known Accounts

2. test FROM UNKNOWN TO UNKNOWN
Action -> Notify Admin
From -> Known Accounts
To -> Unknown Accounts

2. test FROM UNKNOWN TO UNKNOWN
Action -> Notify Admin
From -> Unknown Accounts
To -> Unknown Accounts

Then the output of the notification is as follows:

Proxmox Notifcation:

Sender: root@internaldomain.com
Receiver: user1@externaldomain1.com
Targets: user1@externaldomain1.com

Subject: Cron <root@monitor.internaldomain.com> bash /root/bin/checkall


Matching Rule: test FROM UNKNOWN TO KNOWN

Rule: test FROM UNKNOWN TO UNKNOWN
Receiver: user1@externaldomain1.com
Action: notify user2@internaldomain.com
Rule: test FROM UNKNOWN TO KNOWN
Receiver: user1@externaldomain1.com
Action: notify user2@internaldomain1.com



Spam detection results: 0
SPF_FAIL 0.919 SPF: sender does not match SPF record (fail)
SPF_HELO_PASS -0.001 SPF: HELO matches SPF record

----------------------------------------------------------------------------------------------

My question is: why does the rule "test FROM UNKNOWN TO UNKNOWN" match if the regexp denies all external domains plus all accounts not in LDAP?

What is the right way to build this filter so that it only matches, for example, from: account1@gmail.com to: account2@yahoo.com?
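
An added example (not part of the original post and not Proxmox Mail Gateway code) that evaluates the two posted Who objects against the addresses from the notification. It assumes that the entries inside one Who object are alternatives (any one matching is enough) and that a RegExp entry must match the whole address; the LDAP set and the rule labels are constructed for the illustration.

```python
import re

# The two RegExp entries exactly as posted in the Who objects.
KNOWN_RE = r"^\w+[-\.\w]*@(externaldomain1.com|externaldomain2.com)"
UNKNOWN_RE = r"^\w+[-\.\w]*@(?!(?:externaldomain1\.com|externaldomain2\.com)$)\w+[-\.\w]*"

# Constructed stand-in for the LDAP profile; its real contents are not in the post.
LDAP = {"user2@internaldomain.com"}

def re_hit(pattern, addr):
    # Assumption: a RegExp entry must match the whole address, case-insensitively.
    return re.fullmatch(pattern, addr, re.IGNORECASE) is not None

def in_known(addr):
    # Assumption: entries of one Who object are alternatives (logical OR).
    return re_hit(KNOWN_RE, addr) or addr in LDAP

def in_unknown(addr):
    # "Unknown LDAP address" OR the negative-lookahead RegExp, same assumption.
    return addr not in LDAP or re_hit(UNKNOWN_RE, addr)

def intended_unknown(addr):
    # What the post describes in words: not in LDAP AND not in an external domain.
    return addr not in LDAP and not re_hit(KNOWN_RE, addr)

# (From, To) groups of the three debug rules, labelled by their groups.
RULES = {
    "UNKNOWN -> KNOWN": (in_unknown, in_known),
    "KNOWN -> UNKNOWN": (in_known, in_unknown),
    "UNKNOWN -> UNKNOWN": (in_unknown, in_unknown),
}

def matching_rules(sender, receiver):
    return [name for name, (frm, to) in RULES.items()
            if frm(sender) and to(receiver)]

def intended_match(sender, receiver):
    return intended_unknown(sender) and intended_unknown(receiver)

if __name__ == "__main__":
    # Sender and receiver taken from the notification in the post.
    print(matching_rules("root@internaldomain.com", "user1@externaldomain1.com"))
    print(intended_match("root@internaldomain.com", "user1@externaldomain1.com"))
    print(intended_match("account1@gmail.com", "account2@yahoo.com"))
```

Under these assumptions the receiver user1@externaldomain1.com falls into both groups, because it is absent from the LDAP set even though the negative-lookahead RegExp rejects it, which reproduces the two rules named in the notification.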