Hi,
some explanations:
A mail can have two stages: prequeue and postqueue. Prequeue is a stage where the mail is still in the connection dialogue with the sending mail server, so at this stage it's possible to reject a message so that the sending mail server gets informed that this message is rejected and can inform the sender.

Postqueue is a stage where the mail has already been accepted by the receiving mail server, so the sending mail server already got a 250 OK code. The sending mail server is therefore expecting the mail to have been delivered well, does not expect any other state, and may also inform the sender that the mail has been delivered. If you want to "reject" a message at this stage, an NDR is required; however, such NDRs are seen as backscatter, as spammers or other criminals may flood mail servers with mails that they would "postreject" and send NDRs to senders who never sent the mail, so you become a spammer yourself that way. Because of that, it's bad practice to send NDRs; it's much better to reject at connection level.

In addition, in Germany it's illegal if a mail is in the postqueue stage and you block the message there without a reject at connection level (which is no longer possible in postqueue) or an NDR, as then you suppress the message, and that's illegal.
The current PMG setup is that PMG does some checks for spam mails:
1. pregreet checks like: does the sending mail server have an FQDN, is the FQDN resolvable and does it match the connection IP, etc. => prequeue
2. SPF and greylisting checks (although I recommend using none of them) => prequeue
3. RBL blacklists as configured in the mail options via the PMG UI => prequeue
4. mail server black- and whitelists (at mail options level in the PMG UI) => prequeue
5. spamassassin content check => postqueue
6. clamav content check => postqueue
7. pmg rules check (also any RegEx, black- and whitelists not performed at mail options level) => postqueue
What I improved in PMG is:
3a. I added DBL blacklists, which also check the HELO, sender server, sender address etc. against a domain blacklist => prequeue
3b. I added an additional spamassassin content check (like 5) via milter integration to reject at a particular level => prequeue
Apart from the possibility that Proxmox in future will change from postqueue to prequeue checking by adjusting their pmg-smtp-filter, which performs all of steps 5 to 7, so that it can be "miltered" (which I would welcome, as well as greylisting only at a particular spam score level, as seen in rspamd; that is only possible if the spamassassin check is performed upfront and would also require greylisting to be invoked by pmg-smtp-filter so that it can be invoked conditionally; I think that is a great idea, as I saw there that possible spam mails got rejected at the second connection attempt because they had been blacklisted at RBL or DBL blacklists in the meantime, see
https://bugzilla.proxmox.com/show_bug.cgi?id=1890), you have two options to reject messages:
1. blacklist at mail options level
2. create your own header or body checks with postfix via CLI
3. create a spamassassin rule with a high score and integrate spamassassin (additionally) via milter as in my explanations
I wouldn't do rejects on your destination server instead of PMG, as then you would only be able to suppress the message (as the reject will be performed against PMG, not against the sending server) or send an NDR, which I would not recommend.
However, I also wouldn't recommend blacklisting every domain which sends mail to an unknown recipient. This could result in many false positives if a sender just made a mistake or wrote the recipient address in a wrong style. If you want to set up honeypots like Scrollout F1 includes, you may therefore set up a honeypot blacklist. I'm still unsure here whether blacklisting the IP or the domain is a good way, or whether it's better for such "stupid spam" to set up a mailbox which you always learn as spam to spamassassin, to be sure that such spam is rejected; however, it's somewhat similar to importing foreign spam: you would dilute your spamassassin quality with such "stupid" spam. So maybe you should set up a blacklist server here (and may contribute to others); I did not find any server software for that yet, maybe have a look here:
http://drbl.gremlin.ru/en.html#soft, or file a feature bug to get something similar from Proxmox, or ask the Scrollout project if they would extract that part of their code as an extra project (which I would welcome as well).
Regards,
Christian