Plesk Postfix smtpd_milters blocking emails from PMG

[Zwankie]

Hi,

I find that the Plesk smtpd_milters in Postfix block emails that go through PMG.
In our setup PMG only scanns some of the domains hosted on Plesk Servers, many other domains do not have PMG scanning and we use the standard Plesk SA and Milter setup.

Maillog error
postfix/cleanup[1004108]: 6AFF7200EC7: milter-reject: END-OF-MESSAGE from pmg.hostname-here.com[IP Address here]: 5.7.1 Command rejected; from=<email@sender.com> to=<email@recipient.com> proto=ESMTP helo=<pmg.hostname-here.com>

When i comment the below line in Plesk /etc/postfix/main.cf the emails get delivered correctly.

#smtpd_milters = inet:127.0.0.1:12768,unix:/var/run/clamav-milter/clamav-milter.sock

Any advice to work around this so that the PMG emails are delivered correctly and so that normal emails that go to Plesk server without going through PMG also get Plesk SA and Milters checked.

 

[heutger]

I use milter for rejecting mails on PMG as well, so it needs to have a condition for rejecting. So maybe mails from PMG for whatever reason get a too high spam score or if looking at your uncommented line, ClamAV seems to see PMG mails as false-positive virus. Why don't whitelist your PMG mailserver address on your Plesk server (what's what I did). I also don't be aware of any milter on my Plesk installation, 17.8.11 I believe is the version, but I also don't have any antivirus or anti spam installed on my Plesk as I use PMG therefor.

 

[Zwankie]

Thanks for the reply.

Yes I use Plesk 17.8.11

Do you mean the PMG Ip to be whitelisted under Tools > Mail Server Settings > Whitelist or somewhere else?

I did that but the milter still rejects it

 

[heutger]

Thanks for the reply.

Yes I use Plesk 17.8.11

Do you mean the PMG Ip to be whitelisted under Tools > Mail Server Settings > Whitelist or somewhere else?

I did that but the milter still rejects it

Yes, I mean there. So maybe milter of e.g. Antivirus then has higher priority than this whitelist. You should disable all additional spam and virus checks on the machine itself (beside maybe you could use RBL as they are override by the whitelist for sure, as I also add the net blocks of German Telekom there as they often get on blacklists like Spamhaus) as it may break your setup otherwise. Minimum SPF should be disabled as I'm afraid, PMG won't forward SPF with SRS, it's also not recommended to use SPF with hard block as SPF is broken by design.

 

[Zwankie]

OK, so I got it working with Plesk.

Plesk Tools & Settings > Mail Server Settings

SPF local rules: include:spf.trusted-forwarder.org include:your-proxmox-fqdn-hostname

I started with this below but you can edit as required
SPF guess rules: v=spf1 a/24 mx/24 ptr

 

[sb-jw]

If it is possible I would recommend to disable all such features like spamfiltet, spf etc and disallow all connection and allow only the authenticated and white listed networks.

If you do this, you do not have such problems and nobody is able to deliver mails directly to the plesk server.

 

[heutger]

@Zwankie As recommended by sb-jw (as I also run the same setup) I would recommend to do the following:

Disable SPF, Disable and Remove SpamAssassin, Enable Firewall on Port 25, allow only PMG IP, also whitelist this IP on Mail Server Settings. You may(!) Enable DKIM, however, I don't believe in DKIM as most spam is signed and most legit is not signed.

Your adjustments don't make too much sense. spf.trusted-forwarder.org seems to be gone, I can't see any SPF record therefor, hostname resolves to 127.0.0.1 and the website, which seems to be gone. Including your hostname as well does not make sense, if you don't provide an useful SPF record. Guessing rules as well don't make too much sense, so why should you guess any SPF records, if there are non existing records, that only can result in false-positives.