Why are there two whitelists in proxmox?

Miktash

Active Member
Mar 6, 2015
56
1
28
There are two locations for a whitelist:
Configuration > Mail Proxy > Whitelist and Mail Filter > Who objects > Whitelist

I'm not sure what the difference is between these two?

Is Configuration > Mail Proxy > Whitelist for postfix's whitelist and the who objects for pmg-smtp-filter?

If so, will the spam filter still run on messages that are whitelisted under configuartion > mailproxy > whitelist?


Some of our domains have been migrated to office365 but not all mailboxes are moved. Half of them stay on our own server.
So our domain's MX has been changed to office365 but for non-existing domains office365 is forwarding those mails back to our own SMTP server (proxmox mail gateway).
While this is currently working, it will potentially fail for many mails because office365 is sending those mails from their IP's and this will cause SPF failures from pmg's point of view.
For this reason we need to whitelist all IP's from office365 so that pmg will just accept it and won't even scan them with the anti spam filter.
We can programatically get the IP's from microsoft's API but where do they go in pmg?

Do they need to be in both places or just one?
 

dcsapak

Proxmox Staff Member
Staff member
Feb 1, 2016
4,268
388
103
31
Vienna
that info is in our documentation[0]

the config -> mail proxy -> whitelist is the smtp whitelist and only for smtp (so it will run normally through the rule system)
and the 'Whitelist' Who object is only by default named like this. There is nothing stopping you from disabling that rule/who object or use a different name for it

0: https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_features
 

chotaire

Member
Dec 25, 2019
103
23
18
To clarify this:

Mailproxy -> Whitelist will whitelist senders that would otherwise already get blocked on SMTP level (e.g. missing From: field, RBL list entries etc.)
The Who object -> Whitelist entry will whitelist senders that would e.g. get knocked out by spamassassin/clamav/configured rules etc.
And lastly, there is a third one. Administration -> User -> Whitelist which is a per user whitelist.

https://forum.proxmox.com/threads/white-black-lists-in-different-locations.62168/ aims to describe the priority order of these but leaves too many questions open. I personally find Mailproxy and Who object Whitelist being very confusing.

Will both be needed to whitelist a sender who would manage to get refused by both SMTP and Post-SMTP checks? Or is Mail Proxy Whitelist sufficient? Will, in this case, the User Whitelist still be top priority? Does User Whitelist actually include both SMTP and Post-SMTP?

This needs much better documentation and may also need a redesign.
Last but not least, the Who object Whitelist currently appears to suffer a bug with CIDR matching for IPv6 blocks.
 
Last edited:
  • Like
Reactions: thiagotgc

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE and Proxmox Mail Gateway. We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get your own in 60 seconds.

Buy now!