Proxmox Mail Gateway not rejecting email that failed DMARC

A

AFrenchCompany

Member
Dec 6, 2021
35
3
13
46
Hi,

I'm a bit confused by the behavior of PMG on a specific case.

The situations is as follows :

On a pmg node (7.2), we received an email pretending to be from whatever.tld.
The DMARC policity of whatever.tld is reject.
PMG identified that this email failed DKIM checks and DMARC policy, identified that the policy was reject but still accepted and delivered it.

X-SPAM-LEVEL: Spam detection results: 3
KAM_DMARC_REJECT 3 DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy

Is this the expected behavior?

If it is, is there a way to tell PMG to actually honor the DMARC policy and reject such emails altogether?

Thanks
 
Last edited:
Currently not really (and I'd recommend against it in practice, since a lot of setups might break DMARC in transit resulting in many false positives)

you can set a custom score for KAM_DMARC_REJECT to something very high and then configure a rule, which Blocks with such a high spam-score
(with before-queue filtering the sender will get a 5XX reply)

I hope this helps!
 
Stoiko Ivanov said:
Currently not really (and I'd recommend against it in practice, since a lot of setups might break DMARC in transit resulting in many false positives)

you can set a custom score for KAM_DMARC_REJECT to something very high and then configure a rule, which Blocks with such a high spam-score
(with before-queue filtering the sender will get a 5XX reply)

I hope this helps!
Click to expand...
Thanks for this answer.

Could you point me to a ressource regarding enabling before-queue filtering for very high spam scores ?
 
AFrenchCompany said:
Could you point me to a ressource regarding enabling before-queue filtering for very high spam scores ?
Click to expand...
before-queue filtering is enabled in GUI->Configuration->Mail Proxy->Options
documented in https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_mail_proxy_configuration (section 4.7.5)

regarding rules - also check the reference documentation:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#chapter_mailfilter

regarding customization of spamassassin scores:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_spamdetector (section 4.8.3)

roughly speaking:
* create a rule with What Object Spam Level 12 and action BLOCK
* create a custom spamassassin score for KAM_DMARC_REJECT raising the score to 12

keep in mind that this is not 100% targeted - i.e. it is perfectly possible to get a mail, with valid DMARC, which still scores 12 and above - and which will be blocked due to the rule

I hope this explains it.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom