Hello,
Last week I upgraded PMG to version 8.0.7.
I have a rule to scan and block dangerous files. I think that with PMG version 7 it was working fine, but I detected an email with a TGZ attachment that had an executable (virus) inside, and PMG v8 did not quarantine it.
Best regards,
The mail log:
Sep 06 13:38:31 mail postfix/smtpd[108980]: connect from dd40514.kasserver.com[85.13.132.128]
Sep 06 13:38:31 mail postfix/smtpd[108980]: Anonymous TLS connection established from dd40514.kasserver.com[85.13.132.128]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
Sep 06 13:38:31 mail pmgpolicy[108622]: SPF says pass
Sep 06 13:38:31 mail postfix/smtpd[108980]: D7DF520B25: client=dd40514.kasserver.com[85.13.132.128]
Sep 06 13:38:31 mail postfix/cleanup[108988]: D7DF520B25: message-id=<20230906113517.7A01EB9C2BBB@dd40514.kasserver.com>
Sep 06 13:38:32 mail postfix/qmgr[778]: D7DF520B25: from=<info@karosserie-johannes.de>, size=581338, nrcpt=1 (queue active)
Sep 06 13:38:32 mail pmg-smtp-filter[108954]: 2023/09/06-13:38:32 CONNECT TCP Peer: "[127.0.0.1]:46758" Local: "[127.0.0.1]:10024"
Sep 06 13:38:32 mail postfix/smtpd[108980]: disconnect from dd40514.kasserver.com[85.13.132.128] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Sep 06 13:38:32 mail pmg-smtp-filter[108954]: 214D164F864B844A95: new mail message-id=<20230906113517.7A01EB9C2BBB@dd40514.kasserver.com>
Sep 06 13:38:32 mail pmg-smtp-filter[108954]: 214D164F864B844A95: found archive 'Transaccion_202207271553175701_8000044177100-1.tgz' (application/gzip)
Sep 06 13:38:32 mail pmg-smtp-filter[108954]: 214D164F864B844A95: unpack archive 'Transaccion_202207271553175701_8000044177100-1.tgz' done (67 ms)
Sep 06 13:38:33 mail pmg-smtp-filter[108954]: 214D164F864B844A95: SA score=0/5 time=0.766 bayes=0.00 autolearn=ham autolearn_force=no hits=BAYES_00(-1.9),DKIM_INVALID(0.1),DKIM_SIGNED(0.1),DMARC_MISSING(0.1),HTML_IMAGE_ONLY_20(1.546),HTML_MESSAGE(0.001),JMQ_SPF_NEUTRAL(0.5),KAM_DMARC_STATUS(0.01),KAM_NUMSUBJECT(0.5),MIME_HTML_ONLY(0.1),RCVD_IN_DNSWL_HI(-5),SPF_HELO_NONE(0.001),SPF_PASS(-0.001)
Sep 06 13:38:33 mail postfix/smtpd[108994]: connect from localhost.localdomain[127.0.0.1]
Sep 06 13:38:33 mail postfix/smtpd[108994]: 6C26721508: client=localhost.localdomain[127.0.0.1], orig_client=dd40514.kasserver.com[85.13.132.128]
Sep 06 13:38:33 mail postfix/cleanup[109012]: 6C26721508: message-id=<20230906113517.7A01EB9C2BBB@dd40514.kasserver.com>
Sep 06 13:38:33 mail postfix/qmgr[778]: 6C26721508: from=<info@karosserie-johannes.de>, size=582508, nrcpt=1 (queue active)
Sep 06 13:38:33 mail postfix/smtpd[108994]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Sep 06 13:38:33 mail pmg-smtp-filter[108954]: 214D164F864B844A95: accept mail to <xxxxxx@xxxxxx.xxx> (6C26721508) (rule: default-accept)
Sep 06 13:38:33 mail postfix/smtp[109017]: Untrusted TLS connection established to 172.26.0.xx[172.26.0.xx]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Sep 06 13:38:33 mail pmg-smtp-filter[108954]: 214D164F864B844A95: processing time: 1.23 seconds (0.766, 0.283, 0)
Sep 06 13:38:33 mail postfix/lmtp[108989]: D7DF520B25: to=<xxxxxx@xxxxxx.xxx>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.7, delays=0.39/0/0.04/1.2, dsn=2.5.0, status=sent (250 2.5.0 OK (214D164F864B844A95))
Sep 06 13:38:33 mail postfix/qmgr[778]: D7DF520B25: removed
Sep 06 13:38:33 mail postfix/smtp[109017]: 6C26721508: to=<xxxxxx@xxxxxx.xxx>, relay=172.26.0.xx[172.26.0.xx]:25, delay=0.23, delays=0.08/0/0.01/0.14, dsn=2.6.0, status=sent (250 2.6.0 <20230906113517.7A01EB9C2BBB@dd40514.kasserver.com> [InternalId=215006062837934, Hostname=xxxx.xxxxxxx.local] 583849 bytes in 0.123, 4629,109 KB/sec Queued mail for delivery)
Sep 06 13:38:33 mail postfix/qmgr[778]: 6C26721508: removed
Mail Filter Rule
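As an added check (not code from the original post or from PMG itself), the following Python parses pmg-smtp-filter log lines like the ones above, groups them by filter ID, and reports messages where an archive was found but only the default-accept rule fired, meaning no configured rule (such as a dangerous-file block) acted on the mail. The sample log reuses the post's lines for message 214D164F864B844A95; the second message (ID 00000000000000FA4E, its rule name and archive) is constructed.

```python
import re
from collections import defaultdict

# Constructed sample: the four pmg-smtp-filter lines from the post above, plus a
# made-up second message (ID 00000000000000FA4E, rule name) that a configured rule acted on.
SAMPLE_LOG = """\
Sep 06 13:38:32 mail pmg-smtp-filter[108954]: 214D164F864B844A95: new mail message-id=<20230906113517.7A01EB9C2BBB@dd40514.kasserver.com>
Sep 06 13:38:32 mail pmg-smtp-filter[108954]: 214D164F864B844A95: found archive 'Transaccion_202207271553175701_8000044177100-1.tgz' (application/gzip)
Sep 06 13:38:32 mail pmg-smtp-filter[108954]: 214D164F864B844A95: unpack archive 'Transaccion_202207271553175701_8000044177100-1.tgz' done (67 ms)
Sep 06 13:38:33 mail pmg-smtp-filter[108954]: 214D164F864B844A95: accept mail to <xxxxxx@xxxxxx.xxx> (6C26721508) (rule: default-accept)
Sep 06 14:02:10 mail pmg-smtp-filter[108954]: 00000000000000FA4E: found archive 'sample.zip' (application/zip)
Sep 06 14:02:11 mail pmg-smtp-filter[108954]: 00000000000000FA4E: moved mail for <xxxxxx@xxxxxx.xxx> to spam quarantine (rule: Block Dangerous Files)
"""

# One pmg-smtp-filter line: timestamp, host, process[pid], filter ID, free text.
LINE_RE = re.compile(r"^\w{3} \d\d \d\d:\d\d:\d\d \S+ pmg-smtp-filter\[\d+\]: "
                     r"(?P<id>[0-9A-F]+): (?P<text>.*)$")
ARCHIVE_RE = re.compile(r"^found archive '(?P<name>[^']+)' \((?P<mime>[^)]+)\)")
MSGID_RE = re.compile(r"message-id=<(?P<msgid>[^>]+)>")
RULE_RE = re.compile(r"\(rule: (?P<rule>[^)]+)\)$")

def parse_filter_log(text):
    """Group pmg-smtp-filter events (archives seen, rules fired, message-id) by filter ID."""
    msgs = defaultdict(lambda: {"archives": [], "rules": [], "message_id": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # postfix, pmgpolicy and other non-filter lines are ignored
        entry, body = msgs[m.group("id")], m.group("text")
        if (a := ARCHIVE_RE.match(body)):
            entry["archives"].append((a.group("name"), a.group("mime")))
        if (mi := MSGID_RE.search(body)):
            entry["message_id"] = mi.group("msgid")
        if (r := RULE_RE.search(body)):
            entry["rules"].append(r.group("rule"))
    return msgs

def archives_passed_by_default(text):
    """Filter IDs where an archive was found but only 'default-accept' fired,
    i.e. no configured rule (such as a dangerous-file block) acted on the mail."""
    hits = []
    for fid, e in parse_filter_log(text).items():
        if e["archives"] and e["rules"] and all(r == "default-accept" for r in e["rules"]):
            hits.append({"id": fid, "message_id": e["message_id"],
                         "archives": [name for name, _ in e["archives"]]})
    return hits
```

Run it over /var/log/mail.log (or `journalctl -u pmg-smtp-filter` output) after an upgrade to list every archive-bearing message that no rule touched; the message-id lets you match each hit back to the postfix queue lines.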