Stop processing mail after rule triggering

Know_new

May 24, 2023
Hello there

How can I stop processing any further rules after the first rule is triggered?

For example - when the AV rule detects a virus in a letter - do not process the next rules, like spam detection.

Now our rules look like this (see att).

Logs are:
Aug 12:57:06 antispam postfix/smtpd[321288]: connect from unknown[192.168.1.16]
Aug 12:57:26 antispam postfix/smtpd[321288]: D3E6018109E: client=unknown[192.168.1.16]
Aug 12:57:48 antispam postfix/cleanup[321295]: D3E6018109E: message-id=<>
Aug 12:57:48 antispam postfix/qmgr[2439]: D3E6018109E: from=<mail@mail.com>, size=496, nrcpt=1 (queue active)
Aug 12:57:48 antispam pmg-smtp-filter[177349]: 18118864DB4C1C97B63: MIME::Body::File->open /tmp/.proxdump_177349_18118864DB4C1C97B63/msg-177349-27.txt: Operation not permitted at /usr/share/perl5/MIME/Body.pm line 435.
Aug 12:57:48 antispam pmg-smtp-filter[177349]: 18118864DB4C1C97B63: new mail message-id=
Aug 12:57:48 antispam pmg-smtp-filter[177349]: 18118864DB4C1C97B63: Subject: test AV #012
Aug 12:57:48 antispam pmg-smtp-filter[177349]: 18118864DB4C1C97B63: virus detected: EICAR-Test-File (custom)
Aug 12:57:54 antispam pmg-smtp-filter[177349]: 18118864DB4C1C97B63: SA score=4/5 time=5.056 bayes=undefined autolearn=no autolearn_force=no hits=ALL_TRUSTED(-1),KAM_DMARC_STATUS(0.01),KAM_LAZY_DOMAIN_SECURITY(1),MISSING_DATE(1.396),MISSING_FROM(1),MISSING_HEADERS(1.207),MISSING_MID(0.14),SPF_NONE(1)
Aug 12:57:54 antispam pmg-smtp-filter[177349]: 18118864DB4C1C97B63: notify <admin@domain.com> (rule: Block Viruses, 0EE48181208)
Aug 12:57:54 antispam pmg-smtp-filter[177349]: 18118864DB4C1C97B63: block mail to <user@domain.com> (rule: Block Viruses)
Aug 12:57:54 antispam pmg-smtp-filter[177349]: 18118864DB4C1C97B63: processing time: 5.486 seconds (5.056, 0, 0.271)
Aug 12:57:54 antispam postfix/lmtp[321297]: D3E6018109E: to=<user@domain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=33, delays=27/0.03/0.08/5.5, dsn=2.7.0, status=sent (250 2.7.0 BLOCKED (18118864DB4C1C97B63))
Aug 12:57:54 antispam postfix/qmgr[2439]: D3E6018109E: removed
Aug 12:57:55 antispam postfix/smtpd[321288]: disconnect from unknown[192.168.1.16] helo=1 mail=1 rcpt=1 data=1 quit=1 commands=5

Is it possible to do this?

Regards
 
> Aug 12:57:48 antispam pmg-smtp-filter[177349]: 18118864DB4C1C97B63: MIME::Body::File->open /tmp/.proxdump_177349_18118864DB4C1C97B63/msg-177349-27.txt: Operation not permitted at /usr/share/perl5/MIME/Body.pm line 435.

This looks odd?! - did you modify anything on your system? - do you have some custom apparmor profiles?!

> For example - when the AV rule detects a virus in a letter - do not process the next rules, like spam detection.

rules in the rulesystem are processed by object-groups:
* from, what, when are evaluated first (as they do not change for mails with multiple recipients)
* to is evaluated
* for each match the actions are executed in a hard-coded priority
once any rule has a "final" action (Accept, Quarantine, Block) - no other actions are executed

I hope this explains it!
 
> This looks odd?! - did you modify anything on your system? - do you have some custom apparmor profiles?!

Hello, Stoiko

Yes, we use a Custom Check Script to enable an alternative AV solution (I opened the thread https://forum.proxmox.com/threads/pmg-and-alternative-antivirus.131935/) and the AV runs well.
Maybe we have to tune something to avoid this message? I would appreciate any help.

> rules in the rulesystem are processed by object-groups:
> * from, what, when are evaluated first (as they do not change for mails with multiple recipients)
> * to is evaluated
> * for each match the actions are executed in a hard-coded priority
> once any rule has a "final" action (Accept, Quarantine, Block) - no other actions are executed

Yes, I understand these mail processing steps.
In our case the AV rule has priority 96 and action Block.
If we look at our logs we see
Aug 12:57:48 antispam pmg-smtp-filter[177349]: 18118864DB4C1C97B63: virus detected: EICAR-Test-File (custom)
It's good - and I thought the system has to block the email immediately without further processing.
But the logs show the next action - the spam scoring action

Aug 12:57:54 antispam pmg-smtp-filter[177349]: 18118864DB4C1C97B63: SA score=4/5 time=5.056 bayes=undefined autolearn=no autolearn_force=no hits=ALL_TRUSTED(-1),KAM_DMARC_STATUS(0.01),KAM_LAZY_DOMAIN_SECURITY(1),MISSING_DATE(1.396),MISSING_FROM(1),MISSING_HEADERS(1.207),MISSING_MID(0.14),SPF_NONE(1)

And after that the Block action was applied, or am I wrong?

Aug 12:57:54 antispam pmg-smtp-filter[177349]: 18118864DB4C1C97B63: block mail to <user@domain.com> (rule: Block Viruses)


Regards.
 
> Yes, we use a Custom Check Script to enable an alternative AV solution (I opened the thread https://forum.proxmox.com/threads/pmg-and-alternative-antivirus.131935/) and the AV runs well.
> Maybe we have to tune something to avoid this message? I would appreciate any help.

don't know what your script does - or what the antivirus does - is the file still present - do the permissions get modified?!

> It's good - and I thought the system has to block the email immediately without further processing.
> But the logs show the next action - the spam scoring action

as said - from, when and what objects (spam-checking and virus are both what objects) are evaluated first - then to objects, and then only the actions (which are the only part that actually do anything) get run in the priorities you assign to them...
 
Reactions: Know_new
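
The ordering described in the replies above (the virus and spam "what" checks are logged first, the rule actions afterwards) can be verified from the filter log itself. The following is an added example, not code from any poster or from Proxmox; the regular expressions are inferred only from the pmg-smtp-filter lines quoted in this thread and are an assumption about the log format, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Log lines copied from the excerpt in this thread (SA hit list shortened).
SAMPLE = """\
Aug 12:57:48 antispam pmg-smtp-filter[177349]: 18118864DB4C1C97B63: new mail message-id=
Aug 12:57:48 antispam pmg-smtp-filter[177349]: 18118864DB4C1C97B63: virus detected: EICAR-Test-File (custom)
Aug 12:57:54 antispam pmg-smtp-filter[177349]: 18118864DB4C1C97B63: SA score=4/5 time=5.056 bayes=undefined autolearn=no
Aug 12:57:54 antispam pmg-smtp-filter[177349]: 18118864DB4C1C97B63: notify <admin@domain.com> (rule: Block Viruses, 0EE48181208)
Aug 12:57:54 antispam pmg-smtp-filter[177349]: 18118864DB4C1C97B63: block mail to <user@domain.com> (rule: Block Viruses)
Aug 12:57:54 antispam postfix/qmgr[2439]: D3E6018109E: removed
""".splitlines()

LINE = re.compile(r"(\d\d:\d\d:\d\d) \S+ pmg-smtp-filter\[\d+\]: ([0-9A-F]+): (.*)")
# Patterns inferred from the lines above; any other filter message is ignored.
KINDS = [
    ("check", re.compile(r"(virus detected: .+)")),
    ("check", re.compile(r"(SA score=\S+)")),
    ("action", re.compile(r"(\w+)(?: mail to)? <[^>]*> \(rule: ([^,)]+)")),
]

def timeline(lines):
    """Group check/action events by filter message ID, in log order."""
    out = defaultdict(list)
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # postfix and other non-filter lines
        when, msgid, text = m.groups()
        for kind, pat in KINDS:
            hit = pat.match(text)
            if hit:
                out[msgid].append((when, kind, " ".join(hit.groups())))
                break
    return dict(out)

def checks_precede_actions(events):
    """True if no check result is logged after the first action."""
    kinds = [kind for _, kind, _ in events]
    if "action" not in kinds:
        return True
    return "check" not in kinds[kinds.index("action"):]

if __name__ == "__main__":
    for msgid, events in timeline(SAMPLE).items():
        print(msgid, "checks before actions:", checks_precede_actions(events))
        for when, kind, detail in events:
            print(f"  {when} {kind:6} {detail}")
```
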
