IP NW messages not being blocked, am I doing something wrong?

Sep 17, 2020
Hello All,

I have the following IPs blocked at the network level, at least I believe I do, however messages are getting through. I believe I set it up to reject, and thus I should see these in quarantine.

I'm blocking the WHO->IP-Network->213.238.172.0/24

I have made all IP Network Blocks to be identified as BL-IP-NW, both at the RULE and the Object, this allows me to see blocks and where they are matching.
I can see my rules in general are working by filtering the mail.log file and totaling some stats:
grep "rule:" /var/log/mail.log | grep block | awk '{print $12}' | sort | uniq -c
14 BL-DomainMatch)
19 BL-Domains)
51 BL-DomainsR)
117 BL-FromRules)
5 BL-IP)
1666 BL-IP-NW)
61 Block
3 (rule:

But at some point these made it through.
I attached the message header text, and my rules and objects images.

Thanks

Code:
Dec 17 06:14:30 mgw postfix/postscreen[23626]: CONNECT from [213.238.172.174]:59034 to [1.2.3.4]:25
Dec 17 06:14:36 mgw postfix/postscreen[23626]: PASS NEW [213.238.172.174]:59034
Dec 17 06:14:37 mgw postfix/smtpd[23259]: connect from gubatz.guerring.eu[213.238.172.174]
Dec 17 06:14:37 mgw postfix/smtpd[23259]: F151780212: client=gubatz.guerring.eu[213.238.172.174]
Dec 17 06:14:38 mgw postfix/smtpd[23259]: disconnect from gubatz.guerring.eu[213.238.172.174] ehlo=1 mail=1 rcpt=1 bdat=1 quit=1 commands=5
Dec 17 12:19:20 mgw postfix/postscreen[23626]: CONNECT from [213.238.172.132]:59945 to [1.2.3.4]:25
Dec 17 12:19:26 mgw postfix/postscreen[23626]: PASS NEW [213.238.172.132]:59945
Dec 17 12:19:28 mgw postfix/smtpd[4936]: connect from xhood.guerring.eu[213.238.172.132]
Dec 17 12:19:28 mgw postfix/smtpd[4936]: C0DBC80EF6: client=xhood.guerring.eu[213.238.172.132]
Dec 17 12:19:29 mgw postfix/smtpd[4936]: disconnect from xhood.guerring.eu[213.238.172.132] ehlo=1 mail=1 rcpt=1 bdat=1 quit=1 commands=5
Dec 17 21:20:43 mgw postfix/postscreen[25803]: CONNECT from [213.238.172.51]:54104 to [1.2.3.4]:25
Dec 17 21:20:49 mgw postfix/postscreen[25803]: PASS NEW [213.238.172.51]:54104
Dec 17 21:20:50 mgw postfix/smtpd[25938]: connect from axik.condinal.eu[213.238.172.51]
Dec 17 21:20:50 mgw postfix/smtpd[25938]: C7D04825F7: client=axik.condinal.eu[213.238.172.51]
Dec 17 21:20:51 mgw postfix/smtpd[25938]: disconnect from axik.condinal.eu[213.238.172.51] ehlo=1 mail=1 rcpt=1 bdat=1 quit=1 commands=5
Dec 18 05:31:14 mgw postfix/postscreen[941]: CONNECT from [213.238.172.118]:54416 to [1.2.3.4]:25
Dec 18 05:31:20 mgw postfix/postscreen[941]: PASS NEW [213.238.172.118]:54416
Dec 18 05:31:20 mgw postfix/smtpd[1895]: connect from kpmac.guerring.eu[213.238.172.118]
Dec 18 05:31:21 mgw postfix/smtpd[1895]: 474DC808B7: client=kpmac.guerring.eu[213.238.172.118]
Dec 18 05:31:21 mgw postfix/smtpd[1895]: disconnect from kpmac.guerring.eu[213.238.172.118] ehlo=1 mail=1 rcpt=1 bdat=1 quit=1 commands=5
Dec 18 08:20:49 mgw postfix/postscreen[2508]: CONNECT from [213.238.172.132]:33519 to [1.2.3.4]:25
Dec 18 08:20:49 mgw postfix/postscreen[2508]: PASS OLD [213.238.172.132]:33519
Dec 18 08:20:51 mgw postfix/smtpd[6329]: connect from xhood.guerring.eu[213.238.172.132]
Dec 18 08:20:51 mgw postfix/smtpd[6329]: 7D0298090D: client=xhood.guerring.eu[213.238.172.132]
Dec 18 08:20:51 mgw postfix/smtpd[6329]: disconnect from xhood.guerring.eu[213.238.172.132] ehlo=1 mail=1 rcpt=1 bdat=1 quit=1 commands=5
Dec 18 16:36:57 mgw postfix/postscreen[2508]: CONNECT from [213.238.172.71]:44960 to [1.2.3.4]:25
Dec 18 16:37:03 mgw postfix/postscreen[2508]: PASS NEW [213.238.172.71]:44960
Dec 18 16:37:03 mgw postfix/smtpd[28813]: connect from musbo.condinal.eu[213.238.172.71]
Dec 18 16:37:04 mgw postfix/smtpd[28813]: 3600F80EBA: client=musbo.condinal.eu[213.238.172.71]
Dec 18 16:37:05 mgw postfix/smtpd[28813]: disconnect from musbo.condinal.eu[213.238.172.71] ehlo=1 mail=1 rcpt=1 bdat=1 quit=1 commands=5
Dec 20 13:32:34 mgw postfix/postscreen[19833]: CONNECT from [213.238.172.161]:48797 to [1.2.3.4]:25
Dec 20 13:32:40 mgw postfix/postscreen[19833]: PASS NEW [213.238.172.161]:48797
Dec 20 13:32:43 mgw postfix/smtpd[20440]: connect from bresch.guerring.eu[213.238.172.161]
Dec 20 13:32:43 mgw postfix/smtpd[20440]: B83F380F2C: client=bresch.guerring.eu[213.238.172.161]
Dec 20 13:32:44 mgw postfix/smtpd[20440]: disconnect from bresch.guerring.eu[213.238.172.161] ehlo=1 mail=1 rcpt=1 bdat=1 quit=1 commands=5
Dec 20 16:38:49 mgw postfix/postscreen[23526]: CONNECT from [213.238.172.213]:45786 to [1.2.3.4]:25
Dec 20 16:38:55 mgw postfix/postscreen[23526]: PASS NEW [213.238.172.213]:45786
Dec 20 16:38:56 mgw postfix/smtpd[23642]: connect from tessus.janually.eu[213.238.172.213]
Dec 20 16:38:57 mgw postfix/smtpd[23642]: 2191680F9B: client=tessus.janually.eu[213.238.172.213]
Dec 20 16:38:57 mgw postfix/smtpd[23642]: disconnect from tessus.janually.eu[213.238.172.213] ehlo=1 mail=1 rcpt=1 bdat=1 quit=1 commands=5
Dec 21 08:46:00 mgw postfix/postscreen[6871]: CONNECT from [213.238.172.190]:40511 to [1.2.3.4]:25
Dec 21 08:46:06 mgw postfix/postscreen[6871]: PASS NEW [213.238.172.190]:40511
Dec 21 08:46:06 mgw postfix/smtpd[9064]: connect from epshp.janually.eu[213.238.172.190]
Dec 21 08:46:06 mgw postfix/smtpd[9064]: DEEB480EE3: client=epshp.janually.eu[213.238.172.190]
Dec 21 08:46:07 mgw postfix/smtpd[9064]: disconnect from epshp.janually.eu[213.238.172.190] ehlo=1 mail=1 rcpt=1 bdat=1 quit=1 commands=5
Dec 21 09:32:33 mgw postfix/postscreen[6871]: CONNECT from [213.238.172.16]:35879 to [1.2.3.4]:25
Dec 21 09:32:39 mgw postfix/postscreen[6871]: PASS NEW [213.238.172.16]:35879
Dec 21 09:32:40 mgw postfix/smtpd[9064]: connect from nstrip.dacially.eu[213.238.172.16]
Dec 21 09:32:40 mgw postfix/smtpd[9064]: 6853B80EE7: client=nstrip.dacially.eu[213.238.172.16]
Dec 21 09:32:40 mgw postfix/smtpd[9064]: disconnect from nstrip.dacially.eu[213.238.172.16] ehlo=1 mail=1 rcpt=1 bdat=1 quit=1 commands=5
Dec 21 12:13:21 mgw postfix/postscreen[6871]: CONNECT from [213.238.172.209]:38365 to [1.2.3.4]:25
Dec 21 12:13:27 mgw postfix/postscreen[6871]: PASS NEW [213.238.172.209]:38365
Dec 21 12:13:28 mgw postfix/smtpd[20913]: connect from lagubi.janually.eu[213.238.172.209]
Dec 21 12:13:28 mgw postfix/smtpd[20913]: CA18180A99: client=lagubi.janually.eu[213.238.172.209]
Dec 21 12:13:29 mgw postfix/smtpd[20913]: disconnect from lagubi.janually.eu[213.238.172.209] ehlo=1 mail=1 rcpt=1 bdat=1 quit=1 commands=5
Dec 21 16:47:44 mgw postfix/postscreen[6871]: CONNECT from [213.238.172.64]:40905 to [1.2.3.4]:25
Dec 21 16:47:50 mgw postfix/postscreen[6871]: PASS NEW [213.238.172.64]:40905
Dec 21 16:47:52 mgw postfix/smtpd[2449]: connect from ephor.condinal.eu[213.238.172.64]
Dec 21 16:47:53 mgw postfix/smtpd[2449]: 05AE7802CE: client=ephor.condinal.eu[213.238.172.64]
Dec 21 16:47:53 mgw postfix/smtpd[2449]: disconnect from ephor.condinal.eu[213.238.172.64] ehlo=1 mail=1 rcpt=1 bdat=1 quit=1 commands=5
Dec 21 19:55:26 mgw postfix/postscreen[6871]: CONNECT from [213.238.172.237]:33944 to [1.2.3.4]:25
Dec 21 19:55:32 mgw postfix/postscreen[6871]: PASS NEW [213.238.172.237]:33944
Dec 21 19:55:33 mgw postfix/smtpd[8840]: connect from lorcom.criminato.eu[213.238.172.237]
Dec 21 19:55:33 mgw postfix/smtpd[8840]: 86E82809DC: client=lorcom.criminato.eu[213.238.172.237]
Dec 21 19:55:33 mgw postfix/smtpd[8840]: disconnect from lorcom.criminato.eu[213.238.172.237] ehlo=1 mail=1 rcpt=1 bdat=1 quit=1 commands=5
 

The blocking in the rule system is done by pmg-smtp-filter and not by postfix or postscreen. Does the mail go through PMG and arrive at the destination mailbox?! Please paste the complete logs for such a connection, so that we see why the mail gets through.

Thanks!
 
So first I would get the entry's ID, let's say 7D0298090D, search for that in mail.log, then from there get the message ID, which in this case would be A16C25FDCACB3AD88E, and from there, on this specific one, I see:
A16C25FDCACB3AD88E: moved mail for <user@user.net> to spam quarantine - A16BB5FDCACB5606AF (rule: Quarantine/Mark Spam (Level 3))

This also references A16BB5FDCACB5606AF, which is almost a repeat of the above:
Dec 18 08:20:53 mgw pmg-smtp-filter[6889]: A16C25FDCACB3AD88E: moved mail for <user@user.net> to spam quarantine - A16BB5FDCACB5606AF (rule: Quarantine/Mark Spam (Level 3))

This particular one may have been marked because of content and not the IP NW block.

Is there a tool or better way to search what I just did, which is basically 3 searches?
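The three-step lookup described above (queue ID in the smtpd/cleanup lines, then the message-id, then the pmg-smtp-filter ID and its rule action) can be scripted over a mail.log excerpt. The following is an added example, not code from the thread or from Proxmox; the log lines it parses are constructed, and the exact wording of the pmg-smtp-filter "new mail message-id=" and "block mail to" lines is an assumption about the filter's log format. It also counts rule hits by extracting the text inside "(rule: ...)" with a regex instead of awk's twelfth whitespace-separated field, which is why the earlier stats show stray "Block" and "(rule:" buckets for rule names containing spaces. The postscreen "PASS" lines are deliberately ignored: as the reply above notes, who-object blocking happens in pmg-smtp-filter, so a postscreen PASS says nothing about whether the network block matched.

```python
"""Correlate Postfix and pmg-smtp-filter log lines for one message.

Added example for the forum thread, not Proxmox code. SAMPLE_LOG is a
constructed excerpt; the pmg-smtp-filter line formats are assumed.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log (the first message reuses IDs/hosts quoted in the
# thread; the second uses documentation addresses).
SAMPLE_LOG = """\
Dec 18 08:20:49 mgw postfix/postscreen[2508]: CONNECT from [213.238.172.132]:33519 to [1.2.3.4]:25
Dec 18 08:20:51 mgw postfix/smtpd[6329]: connect from xhood.guerring.eu[213.238.172.132]
Dec 18 08:20:51 mgw postfix/smtpd[6329]: 7D0298090D: client=xhood.guerring.eu[213.238.172.132]
Dec 18 08:20:51 mgw postfix/cleanup[6331]: 7D0298090D: message-id=<abc123@xhood.guerring.eu>
Dec 18 08:20:52 mgw pmg-smtp-filter[6889]: A16C25FDCACB3AD88E: new mail message-id=<abc123@xhood.guerring.eu>
Dec 18 08:20:53 mgw pmg-smtp-filter[6889]: A16C25FDCACB3AD88E: moved mail for <user@user.net> to spam quarantine - A16BB5FDCACB5606AF (rule: Quarantine/Mark Spam (Level 3))
Dec 18 09:00:00 mgw postfix/smtpd[6400]: 1111180AAA: client=mail.example.org[203.0.113.7]
Dec 18 09:00:00 mgw postfix/cleanup[6401]: 1111180AAA: message-id=<def456@mail.example.org>
Dec 18 09:00:01 mgw pmg-smtp-filter[6889]: B2C3D4E5F6A7B8C9D0: new mail message-id=<def456@mail.example.org>
Dec 18 09:00:01 mgw pmg-smtp-filter[6889]: B2C3D4E5F6A7B8C9D0: block mail to <user@user.net> (rule: BL-IP-NW)
"""

# postfix/smtpd: queue ID -> connecting client (hostname and IP)
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=(\S+)\[([\d.]+)\]")
# postfix/cleanup: queue ID -> Message-ID header
MSGID_RE = re.compile(r"postfix/cleanup\[\d+\]: ([0-9A-F]+): message-id=(<[^>]*>)")
# pmg-smtp-filter (assumed format): filter ID -> Message-ID
FILTER_NEW_RE = re.compile(r"pmg-smtp-filter\[\d+\]: ([0-9A-F]+): new mail message-id=(<[^>]*>)")
# pmg-smtp-filter: filter ID -> action text and rule name; lazy match so the
# rule name may itself contain parentheses, e.g. "Mark Spam (Level 3)"
ACTION_RE = re.compile(r"pmg-smtp-filter\[\d+\]: ([0-9A-F]+): (.*?) \(rule: (.*)\)$")


def index_log(log_text):
    """Build lookup tables from raw log text, one pass over the lines."""
    idx = {
        "queue_client": {},                # queue ID -> (host, ip)
        "queue_msgid": {},                 # queue ID -> message-id
        "msgid_filter": {},                # message-id -> filter ID
        "filter_actions": defaultdict(list),  # filter ID -> [(action, rule)]
    }
    for line in log_text.splitlines():
        if m := CLIENT_RE.search(line):
            idx["queue_client"][m.group(1)] = (m.group(2), m.group(3))
        elif m := MSGID_RE.search(line):
            idx["queue_msgid"][m.group(1)] = m.group(2)
        elif m := FILTER_NEW_RE.search(line):
            idx["msgid_filter"][m.group(2)] = m.group(1)
        elif m := ACTION_RE.search(line):
            idx["filter_actions"][m.group(1)].append((m.group(2), m.group(3)))
    return idx


def trace_queue_id(log_text, queue_id):
    """Follow one Postfix queue ID to the filter ID and the rules it hit."""
    idx = index_log(log_text)
    msgid = idx["queue_msgid"].get(queue_id)
    filter_id = idx["msgid_filter"].get(msgid)
    return {
        "queue_id": queue_id,
        "client": idx["queue_client"].get(queue_id),
        "message_id": msgid,
        "filter_id": filter_id,
        "actions": idx["filter_actions"].get(filter_id, []),
    }


def client_in_network(ip, cidr):
    """True if the connecting IP falls inside the blocked network object."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def count_rule_hits(log_text, only_block=True):
    """Count rule matches by full rule name (replaces grep|awk '{print $12}')."""
    hits = Counter()
    for line in log_text.splitlines():
        m = ACTION_RE.search(line)
        if not m:
            continue
        action, rule = m.group(2), m.group(3)
        if only_block and "block" not in action.lower():
            continue
        hits[rule] += 1
    return hits


if __name__ == "__main__":
    trace = trace_queue_id(SAMPLE_LOG, "7D0298090D")
    print(trace)
    print("in 213.238.172.0/24:", client_in_network(trace["client"][1], "213.238.172.0/24"))
    print(count_rule_hits(SAMPLE_LOG, only_block=False))
```

Run it against a real excerpt by replacing SAMPLE_LOG with the contents of /var/log/mail.log; a trace whose client IP is inside the blocked network but whose actions list shows only a content rule (as in the quarantine line above) is exactly the evidence the follow-up replies ask for.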
 
Is there a tool or better way to search what I just did, which is basically 3 searches?
The Message Tracking Center in the GUI should yield the same result :)

Please post the complete result of what you grepped, since otherwise it's hard to understand why the mail passed if it was indeed sent from 213.238.172.0/24 ...
 
Those grep results are everything and simply modified to hide the identity of the recipient or the mail gateway.
Based on your above notes, I believe you are saying the message would be quarantined and not rejected.
Since so many messages are in logs, I will have to do a better job of capturing all of the data when submitting my request for assistance.

Thank you.
 
Those grep results are everything and simply modified to hide the identity of the recipient or the mail gateway.
The lines you posted are missing:
* the logs from all postfix daemons (smtpd/qmgr/cleanup/postscreen) related to that message (these should contain the IP where the connection originated, so that we can check why it did not get caught by the who-object) ...
* 2-3 lines of log from pmg-smtp-filter, also related to that message ...

Without the complete logs (you can change the e-mail addresses, as far as it does not disturb matching) it is not possible to get a clear picture of what happened to that mail ...
 