Rules not being applied?

killmasta93

Renowned Member
Aug 13, 2017
Hi,
I was wondering if someone could shed some light on the issue I'm having.
Currently I created rules so that external emails cannot send fake email to my domain,
e.g. synchronization@mydomain.com to cartera@mydomain.com

synchronization@mydomain.com being the fake email.

I created a rule to quarantine emails that are from @mydomain.com


This is the snip of the email:

Code:
Dec 9 13:16:53 mail postfix/smtpd[32053]: connect from cloudgate.m1net.com.sg[203.211.152.60]
Dec 9 13:16:54 mail postfix/smtpd[32053]: Anonymous TLS connection established from cloudgate.m1net.com.sg[203.211.152.60]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec 9 13:16:56 mail postfix/smtpd[32053]: 0BEBC3C138A: client=cloudgate.m1net.com.sg[203.211.152.60]
Dec 9 13:16:56 mail postfix/cleanup[32055]: 0BEBC3C138A: message-id=<3CU6NHBA-HKCY-0HLD-DBA7-XFKWL2AY07RO@[Company]>
Dec 9 13:16:56 mail postfix/cleanup[32055]: 0BEBC3C138A: info: header From: "synchronization@mydomain.com" <synchronization@mydomain.com> from cloudgate.m1net.com.sg[203.211.152.60]; from=<synchronization@mydomain.com> to=<cartera@mydomain.com> proto=ESMTP helo=<cloudgate.m1net.com.sg>
Dec 9 13:16:56 mail postfix/cleanup[32055]: 0BEBC3C138A: info: header To: cartera <cartera@mydomain.com> from cloudgate.m1net.com.sg[203.211.152.60]; from=<synchronization@mydomain.com> to=<cartera@mydomain.com> proto=ESMTP helo=<cloudgate.m1net.com.sg>
Dec 9 13:16:56 mail postfix/cleanup[32055]: 0BEBC3C138A: info: header Subject: =?utf-8?Q?cartera_=E2=80=94_email_service_report?= from cloudgate.m1net.com.sg[203.211.152.60]; from=<synchronization@mydomain.com> to=<cartera@mydomain.com> proto=ESMTP helo=<cloudgate.m1net.com.sg>
Dec 9 13:16:57 mail postfix/qmgr[3871]: 0BEBC3C138A: from=<synchronization@mydomain.com>, size=19456, nrcpt=1 (queue active)
Dec 9 13:16:57 mail pmg-smtp-filter[31674]: 3C148E61B2481949054: new mail message-id=<3CU6NHBA-HKCY-0HLD-DBA7-XFKWL2AY07RO@[Company]>#012
Dec 9 13:16:59 mail pmg-smtp-filter[31674]: 3C148E61B2481949054: SA score=5/5 time=2.589 bayes=0.49 autolearn=no autolearn_force=no hits=AWL(0.001),BAYES_50(0.8),DCC_CHECK(1.1),DCC_REPUT_00_12(-0.4),FSL_BULK_SIG(1.757),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),MIME_HTML_ONLY(0.1),SPF_HELO_PASS(-0.001),SPF_NEUTRAL(0.779),UNICODE_OBFU_ZW(1),URIBL_BLOCKED(0.001)
Dec 9 13:16:59 mail postfix/smtpd[32068]: connect from localhost.localdomain[127.0.0.1]
Dec 9 13:16:59 mail postfix/smtpd[32068]: E90AD3C14AD: client=localhost.localdomain[127.0.0.1], orig_client=cloudgate.m1net.com.sg[203.211.152.60]
Dec 9 13:16:59 mail postfix/cleanup[32055]: E90AD3C14AD: message-id=<3CU6NHBA-HKCY-0HLD-DBA7-XFKWL2AY07RO@[Company]>
Dec 9 13:17:00 mail postfix/qmgr[3871]: E90AD3C14AD: from=<synchronization@mydomain.com>, size=19663, nrcpt=1 (queue active)
Dec 9 13:17:00 mail postfix/smtpd[32068]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Dec 9 13:17:00 mail pmg-smtp-filter[31674]: 3C148E61B2481949054: accept mail to <cartera@mydomain.com> (E90AD3C14AD) (rule: Whitelist)
Dec 9 13:17:00 mail pmg-smtp-filter[31674]: 3C148E61B2481949054: processing time: 2.713 seconds (2.589, 0.047, 0)
Dec 9 13:17:00 mail postfix/lmtp[32056]: 0BEBC3C138A: to=<cartera@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.7, delays=1.9/0/0/2.7, dsn=2.5.0, status=sent (250 2.5.0 OK (3C148E61B2481949054))
Dec 9 13:17:00 mail postfix/qmgr[3871]: 0BEBC3C138A: removed
Dec 9 13:17:00 mail postfix/smtp[31898]: E90AD3C14AD: to=<cartera@mydomain.com>, relay=192.168.3.170[192.168.3.170]:27, delay=0.12, delays=0.06/0/0.05/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 115CD3829632)
Dec 9 13:17:00 mail postfix/qmgr[3871]: E90AD3C14AD: removed
Dec 9 13:17:02 mail postfix/smtpd[32053]: disconnect from cloudgate.m1net.com.sg[203.211.152.60] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
 
I assume your fakemail is a Who object. Who objects only look at the Return-Path header. Double-check your spam mail's Return-Path.
Another option is to use the What object Match Field with the From header.

 
Thanks for the reply. The rule was to block any @mydomain.com because internally emails do not pass through PMG.
The fake email is @mydomain.com
 
It is still a Who object; no matter whether it is an email or a domain, it still refers to the spam mail's Return-Path header. Does your fakemail object match it?
 
On the Return-Path I get this.
The Who object is @mydomain.com


Code:
Return-Path: <synchronization@mydomain.com>
Received: from mail.mydomain.com (LHLO mail.mydomain.com)
 (192.168.3.170) by mail.mydomain.com with LMTP; Thu, 9 Dec 2021
 13:17:00 -0500 (COT)
Received: from mail.mydomain.com (unknown [192.168.3.169])
    by mail.mydomain.com (Postfix) with ESMTPS id 115CD3829632
    for <cartera@mydomain.com>; Thu,  9 Dec 2021 13:17:00 -0500 (-05)
Received: from mail.mydomain.com (localhost.localdomain [127.0.0.1])
    by mail.mydomain.com (Proxmox) with ESMTP id E90AD3C14AD
    for <cartera@mydomain.com>; Thu,  9 Dec 2021 13:16:59 -0500 (-05)
Received-SPF: neutral (mydomain.com: Default neutral result due to no mechanism matches) receiver=mail.mydomain.com; identity=mailfrom; envelope-from="synchronization@mydomain.com"; helo=cloudgate.m1net.com.sg; client-ip=203.211.152.60
Received: from cloudgate.m1net.com.sg (cloudgate.m1net.com.sg [203.211.152.60])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mail.mydomain.com (Proxmox) with ESMTPS id 0BEBC3C138A
    for <cartera@mydomain.com>; Thu,  9 Dec 2021 13:16:55 -0500 (-05)
 
Thanks for the reply. Correct, they both have the same domain, but synchronization@mydomain.com is not an email we have; it was a fake email that was sent from cloudgate.m1net.com.sg. What I did was a reboot, and now I saw that it was getting blocked. It seems that the rules were getting blocked.
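
Added example, not part of the thread and not Proxmox code: a Python script that correlates the Postfix and pmg-smtp-filter lines quoted in the first post and lists messages accepted from an external client whose envelope sender is in your own domain, together with the rule that accepted them. The function names and the private/loopback test for "internal" are assumptions; the sample input is trimmed from the log quoted above, and only the `accept mail to` line format shown there is parsed.

```python
import ipaddress
import re

# Sample input: five lines trimmed from the log quoted in the first post.
SAMPLE_LOG = """\
Dec 9 13:16:56 mail postfix/smtpd[32053]: 0BEBC3C138A: client=cloudgate.m1net.com.sg[203.211.152.60]
Dec 9 13:16:57 mail postfix/qmgr[3871]: 0BEBC3C138A: from=<synchronization@mydomain.com>, size=19456, nrcpt=1 (queue active)
Dec 9 13:16:59 mail postfix/smtpd[32068]: E90AD3C14AD: client=localhost.localdomain[127.0.0.1], orig_client=cloudgate.m1net.com.sg[203.211.152.60]
Dec 9 13:17:00 mail postfix/qmgr[3871]: E90AD3C14AD: from=<synchronization@mydomain.com>, size=19663, nrcpt=1 (queue active)
Dec 9 13:17:00 mail pmg-smtp-filter[31674]: 3C148E61B2481949054: accept mail to <cartera@mydomain.com> (E90AD3C14AD) (rule: Whitelist)
"""

# smtpd logs the connecting client; after re-injection the real one is in orig_client.
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=\S+?\[([^\]]+)\]"
                       r"(?:, orig_client=\S+?\[([^\]]+)\])?")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")
ACCEPT_RE = re.compile(r"pmg-smtp-filter\[\d+\]: \w+: accept mail to <([^>]+)> "
                       r"\((\w+)\) \(rule: ([^)]+)\)")

def is_external(ip):
    # Assumption: anything that is not private or loopback is outside the site.
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback)

def find_spoofed_accepts(log_text, own_domain):
    """Return accepted mails with an own-domain envelope sender from an external IP."""
    client, sender, hits = {}, {}, []
    for line in log_text.splitlines():
        if m := CLIENT_RE.search(line):
            qid, ip, orig_ip = m.groups()
            client[qid] = orig_ip or ip          # prefer the original client
        elif m := FROM_RE.search(line):
            sender[m.group(1)] = m.group(2).lower()  # envelope sender (Return-Path)
        elif m := ACCEPT_RE.search(line):
            rcpt, qid, rule = m.groups()
            env_from, ip = sender.get(qid, ""), client.get(qid)
            if ip and is_external(ip) and env_from.endswith("@" + own_domain.lower()):
                hits.append({"queue_id": qid, "client_ip": ip,
                             "envelope_from": env_from, "rcpt": rcpt, "rule": rule})
    return hits

if __name__ == "__main__":
    for hit in find_spoofed_accepts(SAMPLE_LOG, "mydomain.com"):
        print(hit)
```

On the sample lines this reports queue ID E90AD3C14AD, accepted for cartera@mydomain.com by the rule named in the log, `Whitelist`.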
 
