Object with regular expression doesn't match

f4242

Dec 19, 2016
Hello,

I created a filter rule that blocks email if *@ourdomain.tld is found in the from field:

Rule name: blacklist
Action Object: Quarantine
From: blacklist

Who object name: blacklist
Regular expression: .*@.*\.domain\.tld
Regular expression: .*@domain\.tld

This worked great when I tested it while implementing that rule some months ago, but today we received a phishing mail with this from:

Code:
From: "domain.tld" <quarantine@domain.tld>

This mail was accepted by the default accept rule and was not caught by my rule.

When I test the rule's regexp by copying and pasting the from field value, it says it doesn't match. It says "The regular expression '^.*@domain\.tld$' did not match the text 'domain.tld'". Wait, why does it ignore the part in the brackets where the email is included? My regexp seems fine. Any idea?
 
The regex in who objects does not match the 'From' header but the envelope sender (SMTP from).
If you want to match the from header, you have to use a what match with 'match field' for 'From'.
 
How could I match only the from header from the "parent" or the "first" email? If someone transfers an email as an attachment with a from address coming from our domain, my rule catches it and puts the mail in quarantine, but it should not.
 
Can you post such a mail, the corresponding rule-set and mail-log? (match-field should really only match the headers of the 'real' mail, not an attachment)
 
Sure, can I send you in PM or email?

Please post it in the forum.

(Or consider a purchase of a suitable support subscription with support ticket support for direct and private support channel)
 
Hello,

I understand. I hope I can help to diagnose a possible bug :)

In my sample, I edited the reference to my internal domain and replaced it with example.com.

I'm able to create the email by sending SMTP commands directly to the Proxmox's Postfix server from a server outside of my network. The MAIL FROM command sets the sender as sender@gmail.com in the SMTP transaction. The first "from header" of the first mail is set to sender@gmail.com too. This mail is a multipart message containing an undelivered message report. The undelivered message contains a from header set to me@example.com (my internal domain). Unfortunately, this from header is caught by my rule "Bloque from example.com (header from)", but it should not be.

You can find the eml downloaded from the quarantine GUI attached to this message.

The log when I received the message:
Code:
Apr 28 16:24:51 mailgw pmg-smtp-filter[19575]: 203F25EA8911368A9B: new mail message-id=
Apr 28 16:24:51 mailgw pmg-smtp-filter[19575]: 203F25EA8911368A9B: SA score=7/5 time=0.224 bayes=0.37 autolearn=no autolearn_force=no hits=BAYES_40(-0.001),BODY_SINGLE_WORD(0.001),DKIM_ADSP_CUSTOM_MED(0.001),FORGED_GMAIL_RCVD(1),FREEMAIL_FROM(0.001),HTML_MESSAGE(0.001),HTML_MIME_NO_HTML_TAG(0.377),MIME_HEADER_CTYPE_ONLY(0.1),MIME_HTML_ONLY(0.1),MISSING_DATE(1.36),MISSING_MID(0.497),NML_ADSP_CUSTOM_MED(0.9),SPF_HELO_FAIL(0.001),SPF_SOFTFAIL(0.665),SPOOFED_FREEMAIL(1.997)
Apr 28 16:24:51 mailgw pmg-smtp-filter[19575]: 203F25EA8911368A9B: notify <root@example.com> (rule: Bloque from example.com (header from), AAAAE204E9)
Apr 28 16:24:51 mailgw pmg-smtp-filter[19575]: 203F25EA8911368A9B: moved mail for <me@example.com> to spam quarantine - 212C25EA89113B7044 (rule: Bloque from example.com (header from))
Apr 28 16:24:51 mailgw pmg-smtp-filter[19575]: 203F25EA8911368A9B: processing time: 0.328 seconds (0.224, 0.015, 0)
Apr 28 16:24:51 mailgw postfix/lmtp[20194]: 49CFA203DF: to=<me@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=18, delays=18/0/0.05/0.33, dsn=2.5.0, status=sent (250 2.5.0 OK (203F25EA8911368A9B))

The matched rule: (screenshot attached)

The "what object": (screenshot attached)
 
OK, after looking at the code in more detail (and thinking about it), it is correct and works as intended (it was always this way).
It matches against every header of all MIME parts; this is necessary or else some rule combinations regarding attachments would not work.

I see the use case of your request though and would suggest that you please open an enhancement request on https://bugzilla.proxmox.com , where we can discuss how we could implement such a thing (if we decide this makes sense).
 
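To make the behaviour described in this thread concrete, here is an added example (not code from the thread or from Proxmox Mail Gateway) that parses a constructed bounce carrying an attached original message and applies the poster's From regex two ways: to the outermost mail only, and to every MIME part as the staff reply says match-field does. The sample message, the pattern anchored to example.com and the function names are assumptions for illustration.

```python
import email
import re
from email import policy

# Constructed sample modelled on the thread: the outer mail comes from an
# external address and carries the undelivered original (From: me@example.com)
# as a message/rfc822 part. It is not the eml the poster attached.
RAW = """\
From: "Mail Delivery System" <sender@gmail.com>
To: me@example.com
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

Your message could not be delivered.
--B1
Content-Type: message/rfc822

From: me@example.com
To: someone@gmail.com
Subject: original message

hello
--B1--
"""

# Internal-domain pattern in the spirit of the poster's who-object regexes.
PATTERN = re.compile(r"@(.*\.)?example\.com$")


def parse_sample(raw=RAW):
    """Parse the raw RFC 5322 text into a nested EmailMessage tree."""
    return email.message_from_string(raw, policy=policy.default)


def from_addresses(part, field="From"):
    """Addresses in one part's header; empty list if the header is absent."""
    hdr = part.get(field)
    return [a.addr_spec for a in hdr.addresses] if hdr is not None else []


def match_outer_only(msg, pattern=PATTERN):
    """Rule that consults only the 'real' (outermost) mail's From header."""
    return any(pattern.search(a) for a in from_addresses(msg))


def match_every_part(msg, pattern=PATTERN):
    """match-field behaviour as the staff reply describes it: walk() visits
    the outer mail, each attachment and the nested message, so a From header
    inside an attached message is checked too. Returns the matching addresses."""
    return [a for part in msg.walk() for a in from_addresses(part)
            if pattern.search(a)]
```

Running both functions on the sample shows why the poster's rule fires: the outer From is external and does not match, but the walk over all parts finds the inner From.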
