Good day!
I have an organization with a domain, e.g. axo-pe.kz, with Exchange 2019 on-premise inside. There is also a PMG as the Exchange frontend.
The setup in PMG is Relay Domains, also axo-pe.kz.
Just as a test I registered a Russian domain axo-pe.kz:
If, or even when, somebody registers the domain axo-pe.kz BUT with the same-looking RUSSIAN letters, it will look like ахо-ре.kz.
Such domains are processed by PMG and Exchange, and somebody can send me a FAKE email from the Russian-letters domain.
For example:
English letters email address: somebody@axo-pe.kz
Russian letters email address: somebody@ахо-ре.kz
As you can see, they look the same.
In Outlook it will be shown to the user as somebody@ахо-ре.kz
In OWA as somebody@xn----7spb1hgysj0a.kz
In PMG syslog as somebody@xn----7spb1hgysj0a.kz
Here is a part of the SYSLOG from PMG with sensitive data removed:
Feb 27 14:55:48 PMG postfix/postscreen[31579]: CONNECT from [89.x.x.1x]:35408 to [19x.x.x.x]:25
Feb 27 14:55:48 PMG postfix/postscreen[31579]: PASS OLD [89.x.x.1x]:35408
Feb 27 14:55:49 PMG postfix/smtpd[31583]: warning: hostname www.xxx.xxxx.kz does not resolve to address 89.x.x.1x
Feb 27 14:55:49 PMG postfix/smtpd[31583]: connect from unknown[89.xx.xx.1xx]
Feb 27 14:55:49 PMG postfix/smtpd[31583]: Anonymous TLS connection established from unknown[89.xxx.xxx.1xx]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
Feb 27 14:55:49 PMG pmgpolicy[31234]: reloading configuration Proxmox_ruledb
Feb 27 14:55:49 PMG pmgpolicy[31234]: SPF says pass
Feb 27 14:55:49 PMG postfix/smtpd[31583]: 25F0A120393: client=unknown[89.xxx.xxx.1xx]
Feb 27 14:55:49 PMG pmgpolicy[31234]: SPF says pass
Feb 27 14:55:49 PMG postfix/cleanup[31588]: 25F0A120393: message-id=<31715f3a18bdec6c58feaf7ebeb7f543@xn----8sbp6bhi9a.kz>
Feb 27 14:55:49 PMG postfix/qmgr[28459]: 25F0A120393: from=<xxx@xn----8sbp2bhi9a.kz>, size=2222, nrcpt=2 (queue active)
Feb 27 14:55:49 PMG postfix/smtpd[31583]: disconnect from unknown[89.xxx.xxx.1xx] ehlo=2 starttls=1 mail=1 rcpt=2 data=1 quit=1 commands=8
Feb 27 14:55:49 PMG pmg-smtp-filter[27391]: 2024/02/27-14:55:49 CONNECT TCP Peer: "[127.0.0.1]:52622" Local: "[127.0.0.1]:10024"
Feb 27 14:55:49 PMG pmg-smtp-filter[27391]: 12039F65DDA3952B734: new mail message-id=<31715f3a18bdec6c58feaf7ebeb7f543@xn----8sbp6bhi9a.kz>
Feb 27 14:55:49 PMG clamd[22572]: SelfCheck: Database status OK.
Feb 27 14:55:49 PMG clamd[22572]: SelfCheck: Database status OK.
Feb 27 14:55:50 PMG pmg-smtp-filter[27391]: 12039F65DDA3952B734: SA score=0/5 time=1.199 bayes=undefined autolearn=no autolearn_force=no hits=BODY_SINGLE_WORD(0.001),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),DMARC_PASS(-0.1),RDNS_NONE(1.274),SCC_BODY_SINGLE_WORD(0.001),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),T_SCC_BODY_TEXT_LINE(-0.01)
Feb 27 14:55:50 PMG postfix/smtpd[31594]: connect from localhost[127.0.0.1]
Feb 27 14:55:50 PMG postfix/smtpd[31594]: 674FA1203A3: client=localhost[127.0.0.1], orig_client=unknown[89.xxx.xxx.1xx]
Feb 27 14:55:50 PMG postfix/cleanup[31588]: 674FA1203A3: message-id=<31715f3a18bdec6c58feaf7ebeb7f543@xn----8sbp6bhi9a.kz>
Feb 27 14:55:50 PMG postfix/qmgr[28459]: 674FA1203A3: from=<xxx@xn----8sbp2bhi9a.kz>, size=3230, nrcpt=2 (queue active)
Feb 27 14:55:50 PMG postfix/smtpd[31594]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=2 data=1 commands=6
Feb 27 14:55:50 PMG pmg-smtp-filter[27391]: 12039F65DDA3952B734: accept mail to <yyy@domain.kz> (674FA1203A3) (rule: default-accept)
Feb 27 14:55:50 PMG pmg-smtp-filter[27391]: 12039F65DDA3952B734: accept mail to <zzz@domain.kz> (674FA1203A3) (rule: default-accept)
Feb 27 14:55:50 PMG pmg-smtp-filter[27391]: 12039F65DDA3952B734: processing time: 1.251 seconds (1.199, 0.024, 0)
Feb 27 14:55:50 PMG postfix/lmtp[31589]: 25F0A120393: to=<yyy@domain.kz>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.3, delays=0.08/0.01/0/1.3, dsn=2.5.0, status=sent (250 2.5.0 OK (12039F65DDA3952B734))
Feb 27 14:55:50 PMG postfix/lmtp[31589]: 25F0A120393: to=<zzz@domain.kz>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.3, delays=0.08/0.01/0/1.3, dsn=2.5.0, status=sent (250 2.5.0 OK (12039F65DDA3952B734))
Feb 27 14:55:50 PMG postfix/qmgr[28459]: 25F0A120393: removed
Feb 27 14:55:50 PMG postfix/smtp[31595]: Untrusted TLS connection established to 19x.xxx.xxx.xxx[19x.xxx.xxx.xxx]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Feb 27 14:55:56 PMG postfix/smtp[31595]: 674FA1203A3: to=<yyy@domain.kz>, relay=19x.xxx.xxx.xxx[19x.xxx.xxx.xxx]:25, delay=5.8, delays=0.01/0.02/0.02/5.8, dsn=2.6.0, status=sent (250 2.6.0 <31715f3a18bdec6c58feaf7ebeb7f543@xn----8sbp6bhi9a.kz> [InternalId=12253541695521, Hostname=internalhost.domain.local] 4592 bytes in 5.579, 0.804 KB/sec Queued mail for delivery)
Feb 27 14:55:56 PMG postfix/smtp[31595]: 674FA1203A3: to=<zzz@domain.kz>, relay=19x.xxx.xxx.xxx[19x.xxx.xxx.xxx]:25, delay=5.8, delays=0.01/0.02/0.02/5.8, dsn=2.6.0, status=sent (250 2.6.0 <31715f3a18bdec6c58feaf7ebeb7f543@xn----8sbp6bhi9a.kz> [InternalId=12253541695521, Hostname=internalhost.domain.local] 4592 bytes in 5.579, 0.804 KB/sec Queued mail for delivery)
Feb 27 14:55:56 PMG postfix/qmgr[28459]: 674FA1203A3: removed
The question:
How can I set up PMG to filter such emails with Cyrillic letters in the domain name?
Thank you!
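As an added example (not part of the original post and not PMG code), here is a standalone Python check for the case described above: it decodes the xn-- form seen in the syslog back to Unicode, flags Cyrillic letters in the sender domain, and maps look-alike letters onto Latin to compare against the organization's own domain. The protected domain set and the confusables subset are assumptions constructed for the example.

```python
import unicodedata

# Domains to protect (assumption: the poster's relay domain from the question).
PROTECTED_DOMAINS = {"axo-pe.kz"}

# Cyrillic letters that render like Latin ones: a hand-picked subset of the
# Unicode confusables table, written as escapes so the mapping is unambiguous.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
}

def decode_domain(domain):
    """Unicode form of a domain: xn-- labels decoded, ASCII and Unicode input unchanged."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:  # raised for non-ASCII input, i.e. already Unicode
        return domain

def skeleton(domain):
    """Collapse confusable Cyrillic letters onto their Latin look-alikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain.lower())

def check_sender(address, protected=PROTECTED_DOMAINS):
    """Findings for one sender address; an empty list means nothing suspicious."""
    _, _, domain = address.rpartition("@")
    domain = domain.lower()
    decoded = decode_domain(domain)
    findings = []
    if decoded != domain:
        findings.append("punycode-domain")  # wire form was xn--..., as in the syslog
    if any(unicodedata.name(ch, "").startswith("CYRILLIC") for ch in decoded):
        findings.append("cyrillic-letters")  # what Outlook would render as Cyrillic
    if decoded not in protected and skeleton(decoded) in protected:
        findings.append("lookalike-of:" + skeleton(decoded))
    return findings

# Constructed sample: the Cyrillic twin of axo-pe.kz (renders as ахо-ре.kz) and its
# xn-- wire form, as it would appear in PMG's syslog.
TWIN_UNICODE = "\u0430\u0445\u043e-\u0440\u0435.kz"
TWIN_ACE = TWIN_UNICODE.encode("idna").decode("ascii")
for addr in ("somebody@axo-pe.kz", "somebody@" + TWIN_UNICODE, "somebody@" + TWIN_ACE):
    print(addr.encode("ascii", "backslashreplace").decode(), "->", check_sender(addr) or "clean")
```

The same skeleton comparison catches twins that mix Latin and Cyrillic letters in one label, which a plain "contains Cyrillic" rule would also flag but a per-domain block list would miss.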