Is the rule system "Network address" supposed to work with IPv6 CIDR?

Miktash

I have 2a01:111:f400::/48 in my Mail Filter > Who Objects > Whitelist
A test email was delivered from 2a01:111:f400:7e0a::208

I added the "notify admin" action to the default whitelist filter (which is using the Who Object > Whitelist for matching).

But I do not get any notification. It seems like the spam filter is not whitelisting based on the IPv6 network?
 

Stoiko Ivanov

Proxmox Staff Member
Could you please share the log for that particular mail (/var/log/mail.log)?

Thanks!
 

Miktash

Other example:

Code:
Jan 17 20:57:40 mx10 postfix/smtpd[26337]: connect from mail-he1eur04lp0206.outbound.protection.outlook.com[2a01:111:f400:7e0d::206]
Jan 17 20:57:41 mx10 postfix/smtpd[26337]: Anonymous TLS connection established from mail-he1eur04lp0206.outbound.protection.outlook.com[2a01:111:f400:7e0d::206]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 17 20:57:47 mx10 postfix/smtpd[26337]: 30411101D50: client=mail-he1eur04lp0206.outbound.protection.outlook.com[2a01:111:f400:7e0d::206]
Jan 17 20:57:47 mx10 postfix/cleanup[26353]: 30411101D50: message-id=<CAFSpSre_2pb1YqJ1Uq5Odi1Tv8LrQ0tJH9FETyerq-J2Jb7j=g@mail.gmail.com>
Jan 17 20:57:47 mx10 postfix/qmgr[21385]: 30411101D50: from=<redacted@gmail.com>, size=10754, nrcpt=1 (queue active)
Jan 17 20:57:47 mx10 postfix/smtpd[26337]: disconnect from mail-he1eur04lp0206.outbound.protection.outlook.com[2a01:111:f400:7e0d::206] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Jan 17 20:57:47 mx10 pmg-smtp-filter[26354]: 101D745E2211BBD9CC6: new mail message-id=<CAFSpSre_2pb1YqJ1Uq5Odi1Tv8LrQ0tJH9FETyerq-J2Jb7j=g@mail.gmail.com>
Jan 17 20:57:49 mx10 pmg-smtp-filter[26354]: 101D745E2211BBD9CC6: SA score=4/5 time=1.200 bayes=0.50 autolearn=no autolearn_force=no hits=AWL(0.263),BAYES_50(0.8),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),FORGED_SPF_HELO(1),FREEMAIL_FROM(0.001),HTML_FONT_FACE_BAD(0.001),HTML_IMAGE_ONLY_24(1.618),HTML_MESSAGE(0.001),HTML_SHORT_LINK_IMG_3(0.148),RCVD_IN_DNSWL_NONE(-0.0001),SPF_HELO_PASS(-0.001),SPF_SOFTFAIL(0.665),T_REMOTE_IMAGE(0.01)
Jan 17 20:57:49 mx10 pmg-smtp-filter[26354]: 101D745E2211BBD9CC6: moved mail for <redacted@redacted.com> to spam quarantine - 101DCC5E2211BD3A71D (rule: Quarantine/Mark Spam (Level 3))
Jan 17 20:57:49 mx10 pmg-smtp-filter[26354]: 101D745E2211BBD9CC6: processing time: 1.383 seconds (1.2, 0.07, 0)
Jan 17 20:57:49 mx10 postfix/lmtp[26358]: 30411101D50: to=<redacted@redacted.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=8.2, delays=6.2/0.02/0.51/1.4, dsn=2.5.0, status=sent (250 2.5.0 OK (101D745E2211BBD9CC6))
Jan 17 20:57:49 mx10 postfix/qmgr[21385]: 30411101D50: removed

I have a very long list in my whitelists, including 2a01:111:f400::/48
It's added under Mail Filter > Who Objects > Whitelist and Configuration > Mail Proxy > Whitelist

The filter rule "Whitelist" is untouched, using the default, and has default priority 85
The filter rule "Quarantine/Mark Spam (Level 3)" is also the default with priority 80

As you can see the mail was blocked with the Quarantine/Mark Spam rule.
The Whitelist rule did not trigger which is unexpected?
 

chotaire

Wow, good find. Your config looks good. I probably don't need to ask if the Whitelist rule is enabled, has Action Object "Accept" and if it is looking up the correct Whitelist (per default that is just "Whitelist")?

Are you seeing similar issues when whitelisting IPv4 networks?
 

Miktash

When email arrives from an IPv4 IP (whitelisted the same way as the IPv6 IPs) it works as expected.
So I think this confirms the whitelist rule is configured perfectly fine ;)
 

chotaire

Indeed. Just out of curiosity, and don't beat me for this... but can you test if this is similarly broken here?

whitelist.jpg
 

Miktash

The IPv6 IPs are whitelisted there already.
In my mail.log I can see this prior to the log posted earlier:

Code:
Jan 17 20:57:40 mx10 postfix/postscreen[26283]: CONNECT from [2a01:111:f400:7e0d::206]:64039 to [2001:xxxx:xxx:xxx::x]:25
Jan 17 20:57:40 mx10 postfix/postscreen[26283]: WHITELISTED [2a01:111:f400:7e0d::206]:64039
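
Added example (not part of the thread and not Proxmox code): a Python script that correlates the log lines posted above, tests each mail's client address against the whitelisted CIDRs with the standard `ipaddress` module, and reports mails that came from a whitelisted network but were handled by a different rule. The first four sample lines are taken from the logs in this thread; the second message (from 2001:db8::25) and its IDs are constructed, and the function name is hypothetical.

```python
import ipaddress
import re

CLIENT = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=\S*\[([0-9a-fA-F:.]+)\]")
HANDOFF = re.compile(r"postfix/lmtp\[\d+\]: ([0-9A-F]+): .*status=sent \(250 2\.5\.0 OK \(([0-9A-F]+)\)\)")
RULE = re.compile(r"pmg-smtp-filter\[\d+\]: ([0-9A-F]+): .*\(rule: (.+)\)$")
SCREEN = re.compile(r"postfix/postscreen\[\d+\]: WHITELISTED \[([0-9a-fA-F:.]+)\]")

# First four lines come from the thread's mail.log; the 2001:db8::25 message is constructed.
SAMPLE_LOG = """\
Jan 17 20:57:40 mx10 postfix/postscreen[26283]: WHITELISTED [2a01:111:f400:7e0d::206]:64039
Jan 17 20:57:47 mx10 postfix/smtpd[26337]: 30411101D50: client=mail-he1eur04lp0206.outbound.protection.outlook.com[2a01:111:f400:7e0d::206]
Jan 17 20:57:49 mx10 pmg-smtp-filter[26354]: 101D745E2211BBD9CC6: moved mail for <redacted@redacted.com> to spam quarantine - 101DCC5E2211BD3A71D (rule: Quarantine/Mark Spam (Level 3))
Jan 17 20:57:49 mx10 postfix/lmtp[26358]: 30411101D50: to=<redacted@redacted.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=8.2, delays=6.2/0.02/0.51/1.4, dsn=2.5.0, status=sent (250 2.5.0 OK (101D745E2211BBD9CC6))
Jan 17 21:03:10 mx10 postfix/smtpd[26401]: 40522202E61: client=unknown[2001:db8::25]
Jan 17 21:03:12 mx10 pmg-smtp-filter[26410]: 202D745E2211BBD9DD7: moved mail for <redacted@redacted.com> to spam quarantine - 202DCC5E2211BD3A82E (rule: Quarantine/Mark Spam (Level 3))
Jan 17 21:03:12 mx10 postfix/lmtp[26412]: 40522202E61: to=<redacted@redacted.com>, relay=127.0.0.1[127.0.0.1]:10024, dsn=2.5.0, status=sent (250 2.5.0 OK (202D745E2211BBD9DD7))
""".splitlines()

def whitelist_misses(lines, cidrs, rule_name="Whitelist"):
    """Return mails whose client IP lies inside a whitelisted network
    but whose applied filter rule was not `rule_name`."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    client, filter_id, rule, screened = {}, {}, {}, set()
    for line in lines:
        line = line.strip()
        if m := CLIENT.search(line):       # postfix queue id -> client address
            client[m[1]] = ipaddress.ip_address(m[2])
        elif m := HANDOFF.search(line):    # postfix queue id -> pmg-smtp-filter id
            filter_id[m[1]] = m[2]
        elif m := RULE.search(line):       # pmg-smtp-filter id -> rule that handled the mail
            rule[m[1]] = m[2]
        elif m := SCREEN.search(line):     # addresses whitelisted at the postscreen layer
            screened.add(ipaddress.ip_address(m[1]))
    misses = []
    for qid, ip in client.items():
        # Compare only within the same IP version; an IPv6 client never matches an IPv4 net.
        net = next((n for n in nets if n.version == ip.version and ip in n), None)
        applied = rule.get(filter_id.get(qid))
        if net is not None and applied is not None and applied != rule_name:
            misses.append({"queue_id": qid, "client": str(ip), "network": str(net),
                           "rule": applied, "postscreen_whitelisted": ip in screened})
    return misses

if __name__ == "__main__":
    for miss in whitelist_misses(SAMPLE_LOG, ["2a01:111:f400::/48", "192.0.2.0/24"]):
        print(miss)
```
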
 

chotaire

Have you always added the IPv6 blocks to both whitelists? Or did you do this afterwards to somehow get this running? Is the non-working behavior the same if the IPv6 block is configured only on one of these whitelists? Have you tried with a smaller CIDR (/1 - /32), e.g. 2a01:1111::/32 (you likely guess what I am getting at)?
 

Miktash

A couple of days ago I extensively tested this by adding the blocks in one or both of the lists.

The example above was an example with the IP address added to both whitelists.
If it's not in Configuration > Mail Proxy > Whitelist then there's no "postfix/postscreen[26283]: WHITELISTED " entry in my mail.log.

Not adding it to Mail Filter > Who Objects > Whitelist doesn't seem to make any difference.

I did not try with a bigger IPv6 block range. I can try this tomorrow when I'm back at the office.
 

chotaire

Unfortunately I cannot try here. I am avoiding SMTP via IPv6 for as long as possible (it's an insane spam galore with a low quality of RBL lists / snort rules and native IPv6 only MX are extremely rare) so I have disabled IPv6 on PMG entirely.

Anyhow, if someone else can reproduce this then it looks to me like you've found a significant PMG bug here.
 
