Rule to block domain

thiagotgc

Active Member
Dec 17, 2019
144
16
38
36
I created these two rules to block any domain that has the word top

But unfortunately it is not blocking.

block_domain.PNG


1.PNG


2.PNG

Does anyone have any ideas?
 
In that Context the regex is already anchored - try dropping the extra '^' and '$'

I hope this helps!
 
Just use this.

Code:
(\W|^)[\w.+\-]{0,50}@[\w.+\-]{0,50}\.ae(\W|$)

It will block domain @xxx.ae. Add more to block others.

1577326943407.png
 
  • Like
Reactions: thiagotgc
Just use this.

Code:
(\W|^)[\w.+\-]{0,50}@[\w.+\-]{0,50}\.ae(\W|$)

It will block domain @xxx.ae. Add more to block others.

View attachment 13656

Even with this rule, continuous receipt or regex error does not match.

(.*)\@.*top

It seems to me that this way, it catches correctly.

Do you think I may have problems?
 
Last edited:
I am putting together a lot of blocking rules.

But I'm wondering what is the simplest and most efficient way to block any domain with ".top" termination


(.*)\@.*top
(\W|^)[\w.+\-]{0,50}@[\w.+\-]{0,50}\.top(\W|$)
.+\.top$
 
(\W|^)[\w.+\-]{0,50}@[\w.+\-]{0,50}\.top(\W|$) work well for me.
Test your blacklist what object.

1578617283652.png
 
  • Like
Reactions: thiagotgc
Nowadays there are over 1,500 TLDs, I would be lucky if 50 of them were the source of legetimate emails we receive, so how do I block 1,500 TLDs I don't wish receive spam from?

In sendmail I just add a single line for each TLD or domain into /etc/mail/access and make a hash db from it.

eg.

live REJECT
top REJECT
com OK

I just want to be able to do that exact same thing in PMG
I know postfix can support an /etc/postfix/access file like that.
Can I do it in PMG or is it disabled?
 
In sendmail I just add a single line for each TLD or domain into /etc/mail/access and make a hash db from it.
In PMG the matching for domains is limted to that domain (and not to it's subdomains) - to match everything that ends in e.g. '.top' use a regex:

'.*\.top'
(they get anchored while matching in the system so this will match everything that matches '^.*\.top' )


I just want to be able to do that exact same thing in PMG
I know postfix can support an /etc/postfix/access file like that.
Can I do it in PMG or is it disabled?


You can do everything in PMG that you can do with plain postfix - you just need to use the templateing system to adapt the postfix configuration:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine


I hope this helps!
 
...
You can do everything in PMG that you can do with plain postfix - you just need to use the templateing system to adapt the postfix configuration:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine


I hope this helps!

Thanks, that seemed to work.

A recap of the steps involved for anyone interested.

I created the /etc/pmg/templates directory as the docs said to.
Copied /var/lib/pmg/templates/main.cf.in to it
Edited main.cf.in as follows

Code:
smtpd_sender_restrictions =
        permit_mynetworks
        reject_non_fqdn_sender
        check_client_access       cidr:/etc/postfix/clientaccess
        check_sender_access     hash:/etc/postfix/access
#      check_sender_access     regexp:/etc/postfix/senderaccess

I disabled /etc/postfix/senderaccess which only had one line in it anyway and replaced it with my /etc/postfix/access table which has 1,363 lines in it.
Then I did postmap hash /etc/postfix/access to build the access.db database, (which you have to after each time you alter the access file).
Finally ran pmgconfig sync --restart 1 to make the new main.cf.in template take effect.

So now in /etc/postfix/access I have a bunch of REJECT lines for most of these newer TLDs the spam is coming from.

eg.

Code:
aaa            REJECT
aarp        REJECT
abarth        REJECT
abb            REJECT
abbott        REJECT
abbvie        REJECT

etc.

In /var/log/mail.log I see entries that contain Sender address rejected: Access denied instead of Recipient address rejected: Service is unavailable (try later) which was what it was saying previously with just the blacklist regexp working, that suggests it's hitting the access.db first which is good.

If you read the Postfix access(5) man page, it's got a lot of features! http://www.postfix.org/access.5.html
 
Last edited:

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!