[SOLVED] Problem with Regex Filtering

itechniker

Dear Proxmox experts,

I have a rule active (for quarantining mails) with a bunch of match fields, but two specific match fields are not working. The test button says my regex is okay and working, but the mail isn't filtered out by the rule with the match fields:

match field/s:
Return-Path: .*@[^.]+\.[^.]+\.(si|su)$
From: same as above

Part of Mail-Header (anonymized my data):

Received: from mail.vikliss.azerbaijan.su (mail.vikliss.azerbaijan.su [217.79.191.84])
by xxx (Proxmox) with ESMTP id BA6B5A0E84
for <xxx>; Fri, 15 Sep 2023 04:49:59 +0200 (CEST)
Received: from vikliss.azerbaijan.su (unknown [95.47.161.31])
by mail.vikliss.azerbaijan.su (Postfix) with ESMTPA id CA6C981A31FF;
Fri, 15 Sep 2023 03:12:25 +0300 (EEST)
Message-ID: <06467636F32744242Q41765360J27813521Q@idoztensw>
From: Orgasmus-Garantie <oztensw@vikliss.azerbaijan.su>
To: <info@ambroso.at>
Subject: Dieser Trick garantiert einen Orgasmus
Date: Fri, 15 Sep 2023 03:12:23 +0300
X-SPAM-LEVEL: Spam detection results: 2
BAYES_00 -0.5 Spamwahrscheinlichkeit nach Bayes-Test: 0-1%
DMARC_MISSING 0.1 Missing DMARC policy
HTML_IMAGE_ONLY_08 1.651 =?UTF-8?Q?Au=C3=9Fer=20?=Bildern nur 400-800 Zeichen Text
HTML_IMAGE_RATIO_02 0.5 =?UTF-8?Q?Verh=C3=A4ltnis=20?= =?UTF-8?Q?Bilderfl=C3=A4che=20?=zu Text ist klein
HTML_MESSAGE 0.001 Nachricht =?UTF-8?Q?enth=C3=A4lt=20?=HTML
HTML_SHORT_LINK_IMG_1 1 HTML is very short with a linked image
KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
SPF_PASS -0.001 SPF: Senderechner entspricht SPF-Datensatz
T_TVD_MIME_EPI 0.01 -
URIBL_DBL_BLOCKED_OPENDNS 0.001 ADMINISTRATOR NOTICE: The query to dbl.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/ [at.bellax.ink]
Return-Path: oztensw@vikliss.azerbaijan.su
 
what's the output of `pmgversion -v`?
anything in the logs when receiving such a mail?
 
Can you please tell me which logs I should check?

proxmox-mailgateway: 7.3-2 (API: 7.3-8/d5acb693, running kernel: 5.15.116-1-pve)
pmg-api: 7.3-8
pmg-gui: 3.3-2
pve-kernel-5.15: 7.4-6
pve-kernel-5.13: 7.1-9
pve-kernel-5.15.116-1-pve: 5.15.116-1
pve-kernel-5.15.108-1-pve: 5.15.108-2
pve-kernel-5.15.107-2-pve: 5.15.107-2
pve-kernel-5.15.104-1-pve: 5.15.104-2
pve-kernel-5.15.102-1-pve: 5.15.102-1
pve-kernel-5.13.19-6-pve: 5.13.19-15
pve-kernel-5.13.19-1-pve: 5.13.19-3
clamav-daemon: 0.103.10+dfsg-0+deb11u1
ifupdown2: 3.1.0-1+pmx4
libarchive-perl: 3.4.0-1
libjs-extjs: 7.0.0-1
libjs-framework7: 4.4.7-1
libproxmox-acme-perl: 1.4.4
libproxmox-acme-plugins: 1.4.4
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.4-2
libpve-http-server-perl: 4.2-3
libxdgmime-perl: 1.0-1
lvm2: 2.03.11-2.1
pmg-docs: 7.3-3
pmg-i18n: 2.12-1
pmg-log-tracker: 2.3.2-1
postgresql-13: 13.11-0+deb11u1
proxmox-mini-journalreader: 1.3-1
proxmox-offline-mirror-helper: 0.5.2
proxmox-spamassassin: 4.0.0-2
proxmox-widget-toolkit: 3.7.3
pve-firmware: 3.6-5
pve-xtermjs: 4.16.0-2
zfsutils-linux: 2.1.11-pve1
 
Nothing special:

Sep 15 04:49:59 antispam postfix/postscreen[35477]: CONNECT from [217.79.191.84]:46231 to [xxx]:25
Sep 15 04:49:59 antispam postfix/postscreen[35477]: PASS OLD [217.79.191.84]:46231
Sep 15 04:49:59 antispam postfix/smtpd[35498]: connect from mail.vikliss.azerbaijan.su[217.79.191.84]
Sep 15 04:49:59 antispam pmgpolicy[34964]: SPF says pass
Sep 15 04:49:59 antispam postfix/smtpd[35498]: BA6B5A0E84: client=mail.vikliss.azerbaijan.su[217.79.191.84]
Sep 15 04:49:59 antispam postfix/cleanup[35549]: BA6B5A0E84: message-id=<06467636F32744242Q41765360J27813521Q@idoztensw>
Sep 15 04:49:59 antispam postfix/qmgr[19165]: BA6B5A0E84: from=<oztensw@vikliss.azerbaijan.su>, size=236425, nrcpt=1 (queue active)
Sep 15 04:49:59 antispam postfix/smtpd[35498]: disconnect from mail.vikliss.azerbaijan.su[217.79.191.84] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Sep 15 04:49:59 antispam pmg-smtp-filter[35370]: 2023/09/15-04:49:59 CONNECT TCP Peer: "[127.0.0.1]:56578" Local: "[127.0.0.1]:10024"
Sep 15 04:49:59 antispam pmg-smtp-filter[35370]: 1019366503C657E08F6: new mail message-id=<06467636F32744242Q41765360J27813521Q@idoztensw>
Sep 15 04:50:00 antispam pmg-smtp-filter[35370]: 1019366503C657E08F6: SA score=2/5 time=0.785 bayes=0.00 autolearn=no autolearn_force=no hits=BAYES_00(-0.5),DMARC_MISSING(0.1),HTML_IMAGE_ONLY_08(1.651),HTML_IMAGE_RATIO_02(0.5),HTML_MESSAGE(0.001),HTML_SHORT_LINK_IMG_1(1),KAM_DMARC_STATUS(0.01),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),T_TVD_MIME_EPI(0.01),URIBL_DBL_BLOCKED_OPENDNS(0.001)
Sep 15 04:50:00 antispam postfix/smtpd[35555]: connect from localhost.localdomain[127.0.0.1]
Sep 15 04:50:00 antispam postfix/smtpd[35555]: D1219A0E85: client=localhost.localdomain[127.0.0.1], orig_client=mail.vikliss.azerbaijan.su[217.79.191.84]
Sep 15 04:50:00 antispam postfix/cleanup[35549]: D1219A0E85: message-id=<06467636F32744242Q41765360J27813521Q@idoztensw>
Sep 15 04:50:00 antispam postfix/qmgr[19165]: D1219A0E85: from=<oztensw@vikliss.azerbaijan.su>, size=237611, nrcpt=1 (queue active)
Sep 15 04:50:00 antispam postfix/smtpd[35555]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Sep 15 04:50:00 antispam pmg-smtp-filter[35370]: 1019366503C657E08F6: accept mail to <xxx> (D1219A0E85) (rule: default-accept)
Sep 15 04:50:00 antispam pmg-smtp-filter[35370]: 1019366503C657E08F6: processing time: 0.991 seconds (0.785, 0.084, 0)
Sep 15 04:50:00 antispam postfix/lmtp[35550]: BA6B5A0E84: to=<xxx>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.2, delays=0.17/0/0.04/1, dsn=2.5.0, status=sent (250 2.5.0 OK (1019366503C657E08F6))
Sep 15 04:50:00 antispam postfix/qmgr[19165]: BA6B5A0E84: removed
Sep 15 04:50:01 antispam postfix/smtp[35556]: D1219A0E85: to=<xxx>, relay=xxx:25, delay=0.37, delays=0.06/0/0.05/0.26, dsn=2.6.0, status=sent (250 2.6.0 <06467636F32744242Q41765360J27813521Q@idoztensw> [InternalId=70858370449417, Hostname=xxx] 238879 bytes in 0.130, 1790,860 KB/sec Queued mail for delivery)
Sep 15 04:50:01 antispam postfix/qmgr[19165]: D1219A0E85: removed
 
Solution:

The regex for the from-match-fields should not end with (su|si)$, because the last character in the from-field is a bracket (>).
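
The behaviour described in the solution, as an added example that is not part of the original thread or of Proxmox's code: the thread's pattern is run against the quoted From and Return-Path values, next to two variants. It assumes the match field is applied as an unanchored, case-insensitive search over the whole header value, which the thread does not state; `BENIGN_VALUE` and the `unanchored` and `tolerant` patterns are constructed for illustration.

```python
import re

# Header values as quoted in the thread.
FROM_VALUE = "Orgasmus-Garantie <oztensw@vikliss.azerbaijan.su>"
RETURN_PATH_VALUE = "oztensw@vikliss.azerbaijan.su"
# Constructed benign sender: host name contains ".su" only as the start of a label.
BENIGN_VALUE = "Help Desk <agent@mail.example.support.example.com>"

PATTERNS = {
    # Pattern from the thread: '$' requires the value to end right after the TLD.
    "original": r".*@[^.]+\.[^.]+\.(si|su)$",
    # Constructed variant: anchor simply dropped.
    "unanchored": r".*@[^.]+\.[^.]+\.(si|su)",
    # Constructed variant: keep the anchor, allow the closing '>' of a
    # "Display Name <addr>" value and trailing whitespace before it.
    "tolerant": r"@[^.@\s]+\.[^.@\s]+\.(si|su)>?\s*$",
}

SAMPLES = {
    "from": FROM_VALUE,
    "return_path": RETURN_PATH_VALUE,
    "benign": BENIGN_VALUE,
}


def matches(pattern, value):
    """Assumed matching mode: unanchored, case-insensitive search."""
    return re.search(pattern, value, re.IGNORECASE) is not None


def evaluate():
    """Return {(pattern_name, sample_name): bool} for every combination."""
    return {
        (p_name, s_name): matches(regex, value)
        for p_name, regex in PATTERNS.items()
        for s_name, value in SAMPLES.items()
    }


if __name__ == "__main__":
    for (p_name, s_name), hit in evaluate().items():
        print(f"{p_name:<11} {s_name:<12} {'match' if hit else 'no match'}")
```

Dropping the `$` makes the From value match, but it also matches the benign sender, because `su` is then accepted as the start of the label `support`; the tolerant form keeps the end anchor and avoids that.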
 
