Spoofing incoming email is not blocked in Proxmox

dhinilkv

Feb 24, 2022
Hello,
For example, my domain is example.com, and I have set the SPF record with my email server IP and the DMARC record to a reject policy; the DKIM, SPF and DMARC records are fine. When I send an email from an address other than the email server IP to Gmail, it shows blocked because of the DMARC policy. But when I send the same email to my email server, it is received in the inbox. I tried the below from a different relay server and it is received; I need to block the spoofed incoming emails.
mail -s "test email" -S from=test@example.com test@example.com <<< 'How are you?'
 

I would recommend you post the full mail log for your test message (anonymized if you want) from the tracking center so we can see more details.

For starters you can do the following:
Configuration - Mail Proxy - Options - Use SPF - Yes
Configuration - Spam Detector - Custom Scores - Create - Name: SPF_FAIL - Score any high number like 30
Configuration - Spam Detector - Custom Scores - Create - Name: KAM_DMARC_QUARANTINE - Score any high number like 30
Configuration - Spam Detector - Custom Scores - Create - Name: KAM_DMARC_REJECT - Score any high number like 30

This will only work if your domain has an SPF record set with a FAIL policy (https://en.wikipedia.org/wiki/Sender_Policy_Framework#Qualifiers and http://www.open-spf.org/SPF_Record_Syntax/)
and/or you have set your DMARC policy properly to reject.

With your full mail log we can advise you more.
 
Hello,


Configuration - Mail Proxy - Options - Use SPF - Yes
Configuration - Spam Detector - Custom Scores - Create - Name: SPF_FAIL - Score any high number like 30
Configuration - Spam Detector - Custom Scores - Create - Name: KAM_DMARC_QUARANTINE - Score any high number like 30
Configuration - Spam Detector - Custom Scores - Create - Name: KAM_DMARC_REJECT - Score any high number like 30
I have done these steps, but it is not blocking this type of email.

abc.com is the domain name of the email server.

Below is the command which I tried from the Linux Postfix server.

mail -s "dhinil testdsdas email" -S from=test@abc.com dhinil@abc.com <<< 'How are you?'


Below are the Proxmox logs
===========================
Dec 24 10:13:25 relay postfix/smtpd[24751]: connect from ec2-52-88-63-64.us-west-2.compute.amazonaws.com[52.88.63.64]
Dec 24 10:13:25 relay postfix/smtpd[24751]: EFD63181897: client=ec2-52-88-63-64.us-west-2.compute.amazonaws.com[52.88.63.64]
Dec 24 10:13:26 relay postfix/cleanup[22385]: EFD63181897: message-id=<63a698f7.Y0HklXD7CvB20B+P%test@abc.com>
Dec 24 10:13:26 relay postfix/smtpd[24751]: disconnect from ec2-52-88-63-64.us-west-2.compute.amazonaws.com[52.88.63.64] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Dec 24 10:13:26 relay postfix/qmgr[15447]: EFD63181897: from=<saturn@test.ae>, size=846, nrcpt=1 (queue active)
Dec 24 10:13:26 relay pmg-smtp-filter[22451]: 1A19A863A698863E317: new mail message-id=<63a698f7.Y0HklXD7CvB20B+P%test@abc.com>#012
Dec 24 10:13:27 relay pmg-smtp-filter[22451]: 1A19A863A698863E317: SA score=0/5 time=1.312 bayes=0.00 autolearn=ham autolearn_force=no hits=AWL(1.864),BAYES_00(-1.9),HEADER_FROM_DIFFERENT_DOMAINS(0.249),KAM_DMARC_REJECT(3),KAM_DMARC_STATUS(0.01),KAM_LAZY_DOMAIN_SECURITY(1),NO_DNS_FOR_FROM(0.001),PDS_RDNS_DYNAMIC_FP(0.001),RCVD_IN_DNSWL_HI(-5),RDNS_DYNAMIC(0.982),SPF_HELO_NONE(0.001),SPF_NONE(0.001)
Dec 24 10:13:27 relay postfix/smtpd[12836]: connect from localhost.localdomain[127.0.0.1]
Dec 24 10:13:27 relay postfix/smtpd[12836]: 96B9718192B: client=localhost.localdomain[127.0.0.1], orig_client=ec2-52-88-63-64.us-west-2.compute.amazonaws.com[52.88.63.64]
Dec 24 10:13:27 relay postfix/cleanup[12646]: 96B9718192B: message-id=<63a698f7.Y0HklXD7CvB20B+P%test@abc.com>
Dec 24 10:13:27 relay postfix/qmgr[15447]: 96B9718192B: from=<saturn@test.ae>, size=2080, nrcpt=1 (queue active)
Dec 24 10:13:27 relay postfix/smtpd[12836]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Dec 24 10:13:27 relay pmg-smtp-filter[22451]: 1A19A863A698863E317: accept mail to <dhinil@abc.com> (96B9718192B) (rule: default-accept)
Dec 24 10:13:27 relay pmg-smtp-filter[22451]: 1A19A863A698863E317: processing time: 1.367 seconds (1.312, 0.026, 0)
Dec 24 10:13:27 relay postfix/lmtp[16346]: EFD63181897: to=<dhinil@abc.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.6, delays=0.27/0/0/1.4, dsn=2.5.0, status=sent (250 2.5.0 OK (1A19A863A698863E317))
Dec 24 10:13:27 relay postfix/qmgr[15447]: EFD63181897: removed
Dec 24 10:13:27 relay postfix/smtp[12356]: 96B9718192B: to=<dhinil@abc.com>, relay=10.70.11.242[10.70.11.242]:25, delay=0.02, delays=0.01/0/0/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as BFE5A197A88)
Dec 24 10:13:27 relay postfix/qmgr[15447]: 96B9718192B: removed
===========================


Below is the "Show original" of the message that was received in the inbox.

==============================

Return-Path: <saturn@saturnme.ae>
Received: from 185.23.199.219 (LHLO metallic.abc.com) (185.23.199.219) by
metallic.abc.com with LMTP; Sat, 24 Dec 2022 10:11:03 +0400 (GST)
Received: from localhost (localhost [127.0.0.1])
by metallic.abc.com (Postfix) with ESMTP id 4039D197A88
for <dhinil@abc.com>; Sat, 24 Dec 2022 10:11:03 +0400 (+04)
X-Spam-Flag: NO
X-Spam-Score: -1.766
X-Spam-Level:
X-Spam-Status: No, score=-1.766 required=6.6 tests=[ALL_TRUSTED=-1,
BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
HEADER_FROM_DIFFERENT_DOMAINS=0.249, NO_DNS_FOR_FROM=0.001,
RDNS_DYNAMIC=0.982, SPF_HELO_NONE=0.001, URIBL_BLOCKED=0.001]
autolearn=no autolearn_force=no
Authentication-Results: metallic.abc.com (amavisd-new);
dkim=pass (2048-bit key) header.d=abc.com
Received: from metallic.abc.com ([127.0.0.1])
by localhost (metallic.abc.com [127.0.0.1]) (amavisd-new, port 10032)
with ESMTP id fVZ_AuGrBTMX for <dhinil@abc.com>;
Sat, 24 Dec 2022 10:11:02 +0400 (+04)
Received: from localhost (localhost [127.0.0.1])
by metallic.abc.com (Postfix) with ESMTP id D9F8219D5DE
for <dhinil@abc.com>; Sat, 24 Dec 2022 10:11:02 +0400 (+04)
DKIM-Filter: OpenDKIM Filter v2.10.3 metallic.abc.com D9F8219D5DE
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=abc.com;
s=C66DB522-14AF-11ED-96F0-8EB2030E9B18; t=1671862262;
bh=qLKbpaSndNO6Wp/cm+OE7R8kTAxUkYfIjerX8SOSVtc=;
h=Date:From:To:Message-ID:MIME-Version;
b=Udxy9IXrm+XhRoLVZnr+nUkpYiL5mDs0viDYDSU6FYgoU8V0qr9GtWklZLMnAPOKK
XMWX42wtnnfXWq27EUPelRtUPf1QMaaucZD9PB+BR1LJ78Fx7btXh7RmFDaOoNYaCB
YQPzT2UP1ciOuCO0XYojePX6EfVIC76C10zwid3xSE8e8PKuFtvU4hKpyWGcRQ2E7R
DK80BzSapBSu0/3Ui+b3iVHoffbILsxgKZzK2fRXPS3kItYkWD4tY3QzLjCTp5h8Q9
nfjtIl/TnEjb1OiMuPUuFS6TafPfzd17v8YyYGAl7IZfPjEb2KntyTPNa5+fXO5lhN
cMjkw6KIzb+Vg==
X-Virus-Scanned: amavisd-new at metallic.abc.com
Received: from metallic.abc.com ([127.0.0.1])
by localhost (metallic.abc.com [127.0.0.1]) (amavisd-new, port 10026)
with ESMTP id ljJGk7MBNyv3 for <dhinil@abc.com>;
Sat, 24 Dec 2022 10:11:02 +0400 (+04)
Received: from relay.local (unknown [10.70.11.243])
by metallic.abc.com (Postfix) with ESMTP id BFE5A197A88
for <dhinil@abc.com>; Sat, 24 Dec 2022 10:11:02 +0400 (+04)
Received: from relay.local (localhost.localdomain [127.0.0.1])
by relay.local (Proxmox) with ESMTP id 96B9718192B
for <dhinil@abc.com>; Sat, 24 Dec 2022 10:13:27 +0400 (+04)
Received: from saturnme.ae (ec2-52-88-63-64.us-west-2.compute.amazonaws.com [52.88.63.64])
by relay.local (Proxmox) with ESMTP id EFD63181897
for <dhinil@abc.com>; Sat, 24 Dec 2022 10:13:25 +0400 (+04)
Received: from saturnme (nagios [127.0.0.1])
by saturnme.ae (Postfix) with ESMTP id 1FE7066975
for <dhinil@abc.com>; Sat, 24 Dec 2022 10:15:19 +0400 (+04)
Received: (from root@localhost)
by saturnme (8.14.4/8.14.4/Submit) id 2BO6FJOU003615
for dhinil@abc.com; Sat, 24 Dec 2022 10:15:19 +0400
Date: Sat, 24 Dec 2022 10:15:19 +0400
From: test@abc.com
To: dhinil@abc.com
Subject: dhinil testdsdas email
Message-ID: <63a698f7.Y0HklXD7CvB20B+P%test@abc.com>
User-Agent: Heirloom mailx 12.4 7/29/08
MIME-Version: 1.0
Content-Type: text/plain; charset=us-asci
Content-Transfer-Encoding: 7bit
How are you?
==============================
 
Here is your SpamAssassin score, 0/5; that is why the message is not blocked.

Dec 24 10:13:27 relay pmg-smtp-filter[22451]: 1A19A863A698863E317:
SA score=0/5 time=1.312 bayes=0.00 autolearn=ham autolearn_force=no
hits=
  • AWL(1.864),
  • BAYES_00(-1.9),
  • HEADER_FROM_DIFFERENT_DOMAINS(0.249),
  • KAM_DMARC_REJECT(3),
  • KAM_DMARC_STATUS(0.01),
  • KAM_LAZY_DOMAIN_SECURITY(1),
  • NO_DNS_FOR_FROM(0.001),
  • PDS_RDNS_DYNAMIC_FP(0.001),
  • RCVD_IN_DNSWL_HI(-5),
  • RDNS_DYNAMIC(0.982),
  • SPF_HELO_NONE(0.001),
  • SPF_NONE(0.001)

You have not changed the configuration or restarted the server/services, or we would see the score KAM_DMARC_REJECT(3) change to a higher number and the message would have been blocked, depending on the score at which your PMG rules block messages.

Additional things you can do:
You can try to disable BAYES_00, as it produces a lot of false positives; to do that go to Configuration - Spam Detector - Use Bayesian filter - No
You can change the score RCVD_IN_DNSWL_HI(-5), because this (together with BAYES_00(-1.9)) is the main reason why the message is not blocked. You get a negative 6.9 score just from these two hits. The description of this score is "Sender listed at https://www.dnswl.org/, high trust"
https://github.com/apache/spamassassin/search?q=RCVD_IN_DNSWL_HI

You can do this by
Configuration - Spam Detector - Custom Scores - Create - Name: RCVD_IN_DNSWL_HI - Score 0.01 or similar would work...

There are some negative scores in the SpamAssassin ruleset that bad senders sometimes use for sending bad email. The only way to get these messages blocked is to change the SA scores, but you might introduce more false positives, so do all these modifications with care, monitoring and testing in your environment.

From the manual https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_spamdetector (4.8.3. Customization of Rulescores)
"In general, it is strongly recommended not to make large changes to the default scores."

Use at your own risk, but at least in my environment, without changing the SA scores the spam detection is poor.
 
Jan 21 17:04:08 relay postfix/smtpd[3520]: connect from emkei.cz[89.187.129.29]
Jan 21 17:04:09 relay postfix/smtpd[3520]: 04B5818189C: client=emkei.cz[89.187.129.29]
Jan 21 17:04:09 relay postfix/cleanup[3538]: 04B5818189C: message-id=<20230121130407.D8285541B9E@emkei.cz>
Jan 21 17:04:09 relay postfix/qmgr[4261]: 04B5818189C: from=<accnts@tp.com>, size=640, nrcpt=1 (queue active)
Jan 21 17:04:09 relay postfix/smtpd[3520]: disconnect from emkei.cz[89.187.129.29] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jan 21 17:04:09 relay pmg-smtp-filter[32701]: 1A292163CBE2C926D4C: new mail message-id=<20230121130407.D8285541B9E@emkei.cz>#012
Jan 21 17:04:13 relay pmg-smtp-filter[32701]: 1A292163CBE2C926D4C: SA score=30/5 time=4.334 bayes=undefined autolearn=disabled hits=AWL(-0.919),KAM_DMARC_REJECT(30),KAM_DMARC_STATUS(0.01),RCVD_IN_DNSWL_BLOCKED(0.001),SPF_FAIL(0.919),SPF_HELO_PASS(-0.001),TO_EQ_FM_DOM_SPF_FAIL(0.001),TO_EQ_FM_SPF_FAIL(0.001)
Jan 21 17:04:13 relay postfix/smtpd[3762]: connect from localhost.localdomain[127.0.0.1]
Jan 21 17:04:13 relay postfix/smtpd[3762]: 892A51818DF: client=localhost.localdomain[127.0.0.1], orig_client=emkei.cz[89.187.129.29]
Jan 21 17:04:13 relay postfix/cleanup[3538]: 892A51818DF: message-id=<20230121130407.D8285541B9E@emkei.cz>
Jan 21 17:04:13 relay postfix/qmgr[4261]: 892A51818DF: from=<accnts@tp.com>, size=1627, nrcpt=1 (queue active)
Jan 21 17:04:13 relay postfix/smtpd[3762]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Jan 21 17:04:13 relay pmg-smtp-filter[32701]: 1A292163CBE2C926D4C: accept mail to <accnts@tp.com> (892A51818DF) (rule: Whitelist)
Jan 21 17:04:13 relay pmg-smtp-filter[32701]: 1A292163CBE2C926D4C: processing time: 4.407 seconds (4.334, 0.027, 0)
Jan 21 17:04:13 relay postfix/lmtp[3539]: 04B5818189C: to=<accnts@tp.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.6, delays=0.14/0.01/0/4.4, dsn=2.5.0, status=sent (250 2.5.0 OK (1A292163CBE2C926D4C))
Jan 21 17:04:13 relay postfix/qmgr[4261]: 04B5818189C: removed
Jan 21 17:04:13 relay postfix/smtp[2764]: 892A51818DF: to=<accnts@tp.com>, relay=10.70.11.242[10.70.11.242]:25, delay=0.1, delays=0.01/0/0.06/0.04, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7EB0C1AC4D6)
Jan 21 17:04:13 relay postfix/qmgr[4261]: 892A51818DF: removed
====================================
Sorry for the late reply. For one domain it is working; for another domain it's not working, it is received in the inbox.
 
The SA score is high, so it should be blocked, but you have a whitelist item that is allowing this to pass.

Be careful what whitelists you add. You should only add the minimal number of whitelist entries or you will allow spam. A whitelist will allow email to bypass all checks.

When the accept action (the default action on a whitelist rule) is executed, it is a final action; no more rules will be processed after it...

Check Mail Filter - Who Objects - Whitelist and remove the whitelist item that is matching this: IP, domain, sender or whatever whitelist item you have...
 
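As an added example (not code from the thread or from Proxmox), the following Python script parses the pmg-smtp-filter lines posted above, recomputes each message's SpamAssassin score with the custom scores suggested in this thread, and flags the two failure modes the replies describe: a message whose score would only cross the threshold once the custom scores actually take effect (the Dec 24 test, where KAM_DMARC_REJECT still carries its default 3), and a message that scored above the threshold yet was accepted by a non-default rule such as a whitelist (the Jan 21 test). The log lines are copied from the posts above; the CUSTOM_SCORES values are the ones suggested in this thread, and the regular expressions assume the pmg-smtp-filter log format shown here.

```python
"""Parse Proxmox Mail Gateway (pmg-smtp-filter) log lines, rescore the
SpamAssassin hits with custom rule scores and flag messages that were
accepted although they should have been blocked."""
import re
from dataclasses import dataclass, field

# Log lines copied from the two tests posted in this thread (Dec 24 and Jan 21).
SAMPLE_LOG = """\
Dec 24 10:13:27 relay pmg-smtp-filter[22451]: 1A19A863A698863E317: SA score=0/5 time=1.312 bayes=0.00 autolearn=ham autolearn_force=no hits=AWL(1.864),BAYES_00(-1.9),HEADER_FROM_DIFFERENT_DOMAINS(0.249),KAM_DMARC_REJECT(3),KAM_DMARC_STATUS(0.01),KAM_LAZY_DOMAIN_SECURITY(1),NO_DNS_FOR_FROM(0.001),PDS_RDNS_DYNAMIC_FP(0.001),RCVD_IN_DNSWL_HI(-5),RDNS_DYNAMIC(0.982),SPF_HELO_NONE(0.001),SPF_NONE(0.001)
Dec 24 10:13:27 relay pmg-smtp-filter[22451]: 1A19A863A698863E317: accept mail to <dhinil@abc.com> (96B9718192B) (rule: default-accept)
Jan 21 17:04:13 relay pmg-smtp-filter[32701]: 1A292163CBE2C926D4C: SA score=30/5 time=4.334 bayes=undefined autolearn=disabled hits=AWL(-0.919),KAM_DMARC_REJECT(30),KAM_DMARC_STATUS(0.01),RCVD_IN_DNSWL_BLOCKED(0.001),SPF_FAIL(0.919),SPF_HELO_PASS(-0.001),TO_EQ_FM_DOM_SPF_FAIL(0.001),TO_EQ_FM_SPF_FAIL(0.001)
Jan 21 17:04:13 relay pmg-smtp-filter[32701]: 1A292163CBE2C926D4C: accept mail to <accnts@tp.com> (892A51818DF) (rule: Whitelist)
"""

# Custom scores suggested in this thread
# (Configuration - Spam Detector - Custom Scores).
CUSTOM_SCORES = {
    "SPF_FAIL": 30.0,
    "KAM_DMARC_QUARANTINE": 30.0,
    "KAM_DMARC_REJECT": 30.0,
    "RCVD_IN_DNSWL_HI": 0.01,
}

# The regexes assume the pmg-smtp-filter line format shown in the thread.
SA_LINE = re.compile(
    r"pmg-smtp-filter\[\d+\]: (?P<qid>[0-9A-F]+): SA score=(?P<score>-?[\d.]+)"
    r"/(?P<required>[\d.]+).*?\bhits=(?P<hits>\S*)"
)
ACTION_LINE = re.compile(
    r"pmg-smtp-filter\[\d+\]: (?P<qid>[0-9A-F]+): (?P<action>\w+) mail to "
    r"<(?P<rcpt>[^>]+)>.*\(rule: (?P<rule>[^)]+)\)"
)
HIT = re.compile(r"([A-Za-z0-9_]+)\((-?[\d.]+)\)")


@dataclass
class Message:
    """SpamAssassin result and final rule action for one pmg queue id."""
    qid: str
    score: float = 0.0
    required: float = 5.0
    hits: dict = field(default_factory=dict)
    action: str = ""
    rule: str = ""
    rcpt: str = ""


def parse_log(text):
    """Return {queue_id: Message}, joining the SA line and the action line."""
    msgs = {}
    for line in text.splitlines():
        m = SA_LINE.search(line)
        if m:
            msg = msgs.setdefault(m["qid"], Message(m["qid"]))
            msg.score = float(m["score"])
            msg.required = float(m["required"])
            msg.hits = {name: float(val) for name, val in HIT.findall(m["hits"])}
            continue
        m = ACTION_LINE.search(line)
        if m:
            msg = msgs.setdefault(m["qid"], Message(m["qid"]))
            msg.action, msg.rule, msg.rcpt = m["action"], m["rule"], m["rcpt"]
    return msgs


def rescore(hits, custom_scores):
    """Sum the hits, substituting a custom score wherever one is configured."""
    return sum(custom_scores.get(name, val) for name, val in hits.items())


def verdict(msg, custom_scores):
    """Explain why a message got through (or confirm it would be caught)."""
    rescored = rescore(msg.hits, custom_scores)
    if msg.score >= msg.required and msg.action == "accept":
        # High score but still accepted: a rule ran before the spam rules and
        # accept is final, so check the Who Objects / Whitelist entries.
        return f"accepted above threshold by rule '{msg.rule}' to {msg.rcpt}"
    if msg.score < msg.required and rescored >= msg.required:
        # The logged hits still carry default scores, so the custom scores are
        # not active; with them the message would score far above the threshold.
        return f"custom scores not in effect: would rescore to {rescored:.2f}"
    if msg.score >= msg.required:
        return f"over threshold, final action '{msg.action}'"
    return f"below threshold even after rescoring ({rescored:.2f})"


def report(text, custom_scores):
    """Map each queue id in the log to its verdict."""
    return {qid: verdict(m, custom_scores) for qid, m in parse_log(text).items()}


if __name__ == "__main__":
    for qid, line in report(SAMPLE_LOG, CUSTOM_SCORES).items():
        print(f"{qid}: {line}")
```

Run against a real /var/log/mail.log, the same two checks separate "the custom scores were never applied" (the Dec 24 line, which rescores from 0.21 to 32.22 once KAM_DMARC_REJECT and RCVD_IN_DNSWL_HI take their new values) from "the score was fine but a whitelist accepted the mail first" (the Jan 21 line, 30/5 accepted by rule Whitelist), which are the two causes identified in this thread.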
