You are on page 1of 38

Proxmox Mail Gateway

Deployment Guide

1/17/2015
MailGatewayDeploymentGuide-V2.0.docx

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

Proxmox Server Solutions GmbH reserves the right to make changes to this document
and to the products described herein without notice. Before installing and using the
software, please review the latest version of this document, which is available from
http://www.proxmox.com.
NOTE: All prices are one year subscription licenses. After expiration, Email flow continues
but Spam- and AV checks are not working anymore (Exception: ClamAV will continue
working).
All other product or company names different from Proxmox may be trademarks or
registered trademarks of their owners.
Copyright 2005 - 2015 Proxmox Server Solutions GmbH. All rights reserved. No part
of this publication may be reproduced, photocopied, stored in a retrieval system, or
transmitted without the express prior written consent of Proxmox.

17.01.2015 Proxmox Server Solutions GmbH

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

Table of Contents
1
2

7
8
9

Introduction .................................................................................................... 4
Proxmox Mail Gateway Integration ..................................................................... 5
2.1 E-mail system without Proxmox Mail Gateway ................................................ 5
2.2 E-mail system with Proxmox Mail Gateway .................................................... 5
2.3 Proxmox Mail Gateway in the Intranet........................................................... 7
2.3.1
Default port settings ............................................................................ 7
2.3.2
Alternative port settings (e.g. for MS Exchange) ..................................... 7
2.4 Proxmox Mail Gateway in DMZ (demilitarized zone) ........................................ 9
2.5 Proxmox Mail Gateway with multiple e-mail server and e-mail domains ............10
Performance Tuning ........................................................................................11
3.1 Hardware benchmarks ...............................................................................11
3.2 Backup MX ...............................................................................................11
3.3 Blocking Emails on SMTP level ....................................................................11
3.3.1
Greylisting.........................................................................................12
3.3.2
Sender Policy Framework SPF ...........................................................12
3.3.3
Real time Blacklists (RBL) ...................................................................13
3.3.4
Receiver Verification ...........................................................................14
3.3.4.1
Proxmox Mail Gateway Solutions ....................................................14
3.3.4.2
Enabling Verify Receivers ..............................................................15
3.3.4.2.1 Settings for MS Exchange 2003 SP2 .............................................16
3.3.4.2.2 Settings for MS Exchange 2007 SP1 (and higher version) ...............19
Rule System ...................................................................................................20
4.1 Default Rules ............................................................................................22
4.1.1
Blacklist ............................................................................................22
4.1.2
Block Viruses .....................................................................................22
4.1.3
Virus Alert .........................................................................................23
4.1.4
Block Dangerous Files .........................................................................23
4.1.5
Modify Header ...................................................................................24
4.1.6
Whitelist ...........................................................................................24
4.1.7
Quarantine/Mark Spam (Level 3) .........................................................25
4.2 Custom Rules............................................................................................27
4.2.1
Enable Spam quarantine for just a selection of users ..............................27
4.2.2
Enable Spam quarantine for existing LDAP users ....................................27
4.2.3
Block Spam e-mails with a score higher 10 ............................................29
4.2.4
BCC object An simple archive solution ................................................29
4.2.5
Block Video and Audio Attachments ......................................................29
4.2.6
Add Admin Notification to Rules ...........................................................30
4.2.7
Block Video and Audio Attachments for LDAP Groups ..............................31
Proxmox Mail Gateway HA Cluster High availability ...........................................32
5.1 Load Balancing with MX Records .................................................................33
5.2 Multiple Address Records ............................................................................34
5.3 Using third party Firewall features ...............................................................34
Hardware selection and Virtualization ................................................................35
6.1 Physical Hardware .....................................................................................35
6.2 Proxmox VE ..............................................................................................35
6.3 VMware .................................................................................................35
Troubleshooting and technical support ...............................................................36
Table of figures ...............................................................................................37
Appendix .......................................................................................................38

17.01.2015 Proxmox Server Solutions GmbH

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

1 Introduction
The huge amount of e-mail traffic is a challenge for every e-mail environment. The daily
e-mail routine brings along some major problems, this includes: performance, reliability,
regulation under public law and e-mail threads like viruses or phishing attacks.
E-mail is an essential service for any organization, and professionally managed e-mail
improves organizational workflow and customer satisfaction. A missed e-mail could mean
a lost opportunity, or it could cause a public-relations problem that no organization would
want.
How does the Proxmox Mail Gateway work?
When an e-mail arrives at the Proxmox Mail Gateway, it is analyzed and forwarded to
your e-mail server which is responsible for sending the e-mail to the receiver. If the email server is not working, Proxmox Mail Gateway temporarily stores the message in the
e-mail queue for later transfer. The process works similar for outgoing e-mails.
This document covers samples and deployment information how to integrate and
customize Proxmox in your e-mail environment.
Note: See also the Proxmox Mail Gateway Administration Guide for a detailed product
description.

17.01.2015 Proxmox Server Solutions GmbH

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

2 Proxmox Mail Gateway Integration


2.1 E-mail system without Proxmox Mail Gateway
In a sample configuration, your e-mail traffic (SMTP) arrives on the firewall and will be
forwarded directly to your e-mail server.

Figure 2-1 System without Proxmox Mail Gateway

2.2 E-mail system with Proxmox Mail Gateway


A single Proxmox Mail Gateway Server can handle unlimited mail domains with multiple
internal mail servers and millions of e-mails per day. For high availability and maximum
performance it is recommended to use a Proxmox Mail Gateway HA Cluster, see chapter
5 Proxmox Mail Gateway HA Cluster High availability.
Proxmox Mail Gateway can process incoming AND outgoing SMTP traffic by using
different ports. One port is assigned to incoming, one port for outgoing e-mails.
With the integrated Proxmox Mail Gateway system all your e-mail traffic is forwarded to
the Proxmox Mail Gateway which filters the whole e-mail traffic and removes unwanted
e-mails. You can manage incoming and outgoing e-mail traffic.

Figure 2-2 Incoming e-mail with Proxmox Mail Gateway


17.01.2015 Proxmox Server Solutions GmbH

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

Many mail filter solutions do not scan outgoing mails. Opposed to that Proxmox Mail
Gateway is designed to scan both incoming and outgoing mails. This has two major
advantages:

Figure 2-3 Outgoing with Proxmox Mail Gateway


1. Proxmox Mail Gateway is able to detect viruses sent from an internal host. I many
countries you are liable for not sending viruses to other people. Proxmox Mail
Gateway outgoing e-mail scanning feature is an additional protection to avoid
that.
2. Proxmox Mail Gateway can gather statistics about outgoing e-mails too. Statistics
about incoming e-mails looks nice, but they are quite useless. Consider two users,
user-1 receives 10 mails from news portals and wrote 1 mail to a person you
never heard from. While user-2 receiver 5 mails from a customer and sent 5 mails
back. Which user do you consider more active? I am sure its user-2, because he
communicates with your customers. Proxmox Mail Gateway advanced address
statistics can show you this important information. Solution which does not scan
outgoing mail cant do that.

17.01.2015 Proxmox Server Solutions GmbH

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

2.3 Proxmox Mail Gateway in the Intranet


2.3.1 Default port settings
The default configuration of the Proxmox Mail Gateway uses port 25 for incoming and
port 26 for outgoing e-mails.

Figure 2-4 Incoming default port settings (port 25)


Outgoing Mails:
Configure your mail server to send all e-mails to the Proxmox Mail Gateway, port 26.
Note: Proxmox Mail Gateway receives the outgoing e-mails on port 26, so Proxmox Mail
Gateway knows its internal trusted e-mail. After processing, Proxmox Mail Gateway
sends the e-mails to Internet, using standard port 25.

Figure 2-5 Outgoing default port settings (port 26)

2.3.2 Alternative port settings (e.g. for MS Exchange)


Sometimes it is not possible to change the outgoing port due to third party software
limitations or existing network configurations (e.g. changing MS Exchange to another
sending port will have impact on Exchange internals and its not recommend)
To receive e-mails you have to do port forwarding at your Firewall. So that youre
external IP and port 25 shows to the Proxmox Mail Gateway IP and port 26.

17.01.2015 Proxmox Server Solutions GmbH

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

Figure 2-6 Incoming alternative port settings (port 26)


With MS Exchange you should not use port 26 for outgoing so you have to switch these
two values (25 and 26). In the end you have to use port 25 for outgoing and port 26 for
incoming mails.

Figure 2-7 Outgoing alternative port settings (port 25)

17.01.2015 Proxmox Server Solutions GmbH

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

2.4 Proxmox Mail Gateway in DMZ (demilitarized zone)


To run a DMZ Zone you have to adjust your Firewall settings. The intranet (Local) and
DMZ needs to have different IP Networks, for example:
Interface
eth0
eth1
eth2

Zone
Local
Internet
DMZ

IP Address
192.168.1.1
10.0.0.2
192.168.16.1

Net mask
255.255.255.0
255.255.255.0
255.255.255.0

Figure 2-8 Proxmox Mail Gateway in DMZ

17.01.2015 Proxmox Server Solutions GmbH

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

2.5 Proxmox Mail Gateway with multiple e-mail server and email domains
You can use Proxmox Mail Gateway sending e-mails to different internal e-mail servers.
For example you can send e-mails addressed to domain.com to your first e-mail server,
and e-mails addressed to subdomain.domain.com to a second one. In the e-mail proxy
transport section add the IP addresses or hostname, SMTP ports and mail domains of
your additional e-mail servers.

Figure 2-9 Multiple e-mail servers


Note: you need for each e-mail domain an appropriate license, otherwise it will not
work!

17.01.2015 Proxmox Server Solutions GmbH

10

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

3 Performance Tuning
3.1 Hardware benchmarks
Please use the command line tool proxperf to get an overview about your hardware and
DNS performance.
Note: Never run proxperf if the system is under load.
Here is a sample output of proxperf:
root@proxmox:~# proxperf
CPU BOGOMIPS:
4266.81
REGEX/SECOND:
507952
HD SIZE:
30.98 GB (/dev/vda2)
BUFFERED READS: 87.32 MB/sec
AVERAGE SEEK TIME: 0.47 ms
FSYNCS/SECOND:
2902.06
DNS EXT:
44.18 ms
DNS INT:
3.70 ms (maurer-it.com)
DNSBL:
44.23 ms (black.rbl.commtouch.local)
root@proxmox:~#
Please compare your results against this reference. If you get lower results please
analyze your hardware and DNS setup for comments email your results to
support@proxmox.com.

3.2 Backup MX
Using your ISPs e-mail server is not a good idea, because many ISPs do not use
advanced spam prevention techniques. And spammers know this and they use your ISP
backup MX to work around your Proxmox Mail Gateway spam filtering.
Additionally, you can never benefit of blocking spam messages on SMTP level.
If you need redundancy, it is recommended to run a second Proxmox Mail Gateway
server in HA Cluster mode to avoid lower spam detection rates.

3.3 Blocking Emails on SMTP level


Blocking emails before they reach your network saves your internet bandwidth and
reduces processing power. By doing the following, you can reduce your e-mail traffic by
more than 90 %, depends on your environment.
If you want to exclude some senders or receivers from getting blocked on the SMTP
level, just enter them in the Mail proxy whitelist.

17.01.2015 Proxmox Server Solutions GmbH

11

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

Figure 3-1 Mail proxy whitelist

3.3.1 Greylisting
Typically, a server that utilizes Greylisting will record the following three pieces of
information (referred to as triplet) for all incoming e-mail.

The IP address of the connecting host


The envelope sender address
The envelope recipient address

The client is checked against the mail server's internal whitelists (if any) first. Then, if
the triplet has never been seen before, it is greylisted for a period of time (how much
time is dependent on the server configuration). The e-mail is rejected with a temporary
error. The assumption is that since temporary failures are built into the RFC
specifications for e-mail delivery, a legitimate server will attempt to connect again later
on to deliver the e-mail.
Greylisting is effective because many mass e-mail tools utilized by spammers are not set
up to handle temporary failures (or any failures for that matter) so the Spam is never
received.
This feature can reduce e-mail traffic up to 50%. Greylisted e-mails never reach your
mail server and your mail server will stop sending useless "Non Delivery Reports" to
spammers, filling up the queue.
If a sender has a valid SPF record, he will never be greylisted.

3.3.2 Sender Policy Framework SPF


Domains use public records (DNS) to direct requests for different services (web, e-mail,
etc.) to the machines that perform those services. All domains already publish e-mail
(MX) records to tell the world what machines receive e-mail for the domain. SPF works
by domains publishing "reverse MX" records to tell the world what machines send email for the domain. When receiving a message from a domain, the recipient can check
those records to make sure e-mail is coming from where it should be coming from.
Please make sure, that you deploy a valid SPF record for your mail domain.
Note: see http://www.openspf.org for setting up a SPF for your mail domain.

17.01.2015 Proxmox Server Solutions GmbH

12

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

3.3.3 Real time Blacklists (RBL)


Proxmox Mail Gateway can use RBL checks on SMTP level to reject e-mails. Therefore
Proxmox Mail Gateway has to query the RBL server for every SMTP connection.
Proxmox use the following RBL providers by default:

Commtouch RPD and GlobalView

Figure 3-2 Enable RBL checks

17.01.2015 Proxmox Server Solutions GmbH

13

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

3.3.4 Receiver Verification


Nowadays, e-mail domains are receiving a lot of e-mails to non-existing users. This could
be up to 95 % of junk messages.
In short, this means for your systems:

Increased traffic on your internet connection


Your e-mail server is handling junk e-mails instead of working for you
High load on your scanners
Slow overall performance and high costs

3.3.4.1 Proxmox Mail Gateway Solutions


Proxmox Mail Gateway can detect these e-mails to non-existing users on SMTP level,
which means BEFORE the e-mails are transferred to your networks.
In short, this means for your systems:

Reduced traffic, up to 90 %
Your internal e-mail server is now working for you again
Reduced load on your scanners, 90 % less e-mails to analyze for spam and
viruses
Good performance and costs

17.01.2015 Proxmox Server Solutions GmbH

14

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

3.3.4.2 Enabling Verify Receivers


You can enable this option on the admin interface (Configuration/Mail Proxy/Options)
We recommend selecting yes (450). 450 means, that in the case of a short downtime
of your internal mail server no messages are lost.
Note: Your internal e-mail server has to be reconfigured to reject unknown user.
Proxmox Mail Gateway is doing a short query to the internal e-mail server to check if the
user is valid. For settings on Exchange 2003 SP2, see chapter 3.3.4.2.1 Settings for MS
Exchange 2003 SP2

Figure 3-3 Enable Verify Receivers

17.01.2015 Proxmox Server Solutions GmbH

15

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

3.3.4.2.1 Settings for MS Exchange 2003 SP2


You have to enable Recipient Filtering, please use the Exchange System Manager.

Figure 3-4 Exchange 2003: Filter recipients 1

17.01.2015 Proxmox Server Solutions GmbH

16

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

Figure 3-5 Exchange 2003: Filter recipients 2

17.01.2015 Proxmox Server Solutions GmbH

17

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

Figure 3-6 Exchange 2003: Filter recipients 3

Figure 3-7 Exchange 2003: Filter recipients 4

17.01.2015 Proxmox Server Solutions GmbH

18

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

3.3.4.2.2 Settings for MS Exchange 2007 SP1 (and higher version)


First, make sure that you have the MS Exchange 2007 Anti-Spam agent. If you installed
a typical one server installation, this is NOT installed by default.
Microsoft provides an install script to manually install the Anti-Spam agent:
1.
2.
3.
4.

Open the Exchange Management Shell


cd c:\program files\Microsoft\Exchange Server\Scripts
.\install-AntispamAgents
Restart the Microsoft Exchange Transport service

Figure 3-8 MS Exchange 2007 SP1: Install Anti-Spam agent


Now you can enable Recipient Filtering on the Anti-Spam agent, please use the MS
Exchange Management Console.

Figure 3-9 MS Exchange 2007 SP1: Filter recipients 1


17.01.2015 Proxmox Server Solutions GmbH

19

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

Figure 3-10 MS Exchange 2007 SP1: Filter recipients 2

4 Rule System
The object-oriented rule system enables custom rules for your domains. Its an easy but
very powerful way to define filter rules by user, domains, time frame, content type and
resulting action.

Who - object
For TO and/or FROM Category
Example: Mail object - Who is the sender or receiver of the e-mail?
When - object
Example: When is the e-mail received by Proxmox Mail Gateway?
What - object
Example: Does the e-mail contain spam?
Action - object
Example: Mark e-mail with "SPAM:" in the subject.

Every rule has got 5 categories (FROM, TO, WHEN, WHAT, ACTION) which can contain
several objects. For example enable Archive Solutions with BCC Object (Blind carbon
copy, recipients not visible in the "To" field) to Mailbox or to a Public Folder

FROM: Anybody
TO: Anybody
WHEN: Always
WHAT: Mail
ACTION: BCC to Publicfolder

In most of the countries worldwide a company has to forward all e-mails to their
employees this includes spam e-mails as well.
For example to send Spam e-mails in quarantine
17.01.2015 Proxmox Server Solutions GmbH

20

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

FROM: Anybody
TO: Anybody
WHEN: Always
WHAT: Spam
ACTION: Quarantine

With this kind of setup the receiver gets detailed Information about the Spam e-mails.
Quarantine can be enabled just for existing LDAP groups or via BCC to Public Folders or
Mailboxes.
At present the usefulness of e-mail is being threatened by three phenomena: spamming,
phishing and e-mail worms.
Spamming is unsolicited commercial e-mail. Because of the very low cost of sending email, spammers can send hundreds of millions of e-mail messages each day over an
inexpensive internet connection. Hundreds of active spammers sending this volume of
mail results in information overload for many computer users who receive tens or even
hundreds of junk messages each day.
E-mail worms use e-mail as a way of replicating themselves into vulnerable computers.
The combination of spam and worm programs results in users receiving a constant
drizzle of junk e-mail, which reduces the usefulness of e-mail as a practical tool.
To increase the efficiency of e-mail communications the use of anti-spam, anti-phishing
and antivirus software is essential. With the deployment of Proxmox Mail Gateway you
get the job done. Based on the design as software appliance one of the strengths of
Proxmox Mail Gateway is its flexibility. It can be easy integrated in existing E-mail
architecture. Its compatible to every type of mail server or MTA (e.g. MS Exchange,
Lotus Domino, Postfix ).
For example a virus protection looks like this:

FROM: Anybody
TO: Anybody
WHEN: Always
WHAT: Virus
ACTION: Block (or Quarantine)

Options range from simple spam and virus filter setups to sophisticated, highly
customized configurations blocking certain types of e-mails and generating notifications.

17.01.2015 Proxmox Server Solutions GmbH

21

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

4.1 Default Rules


4.1.1 Blacklist
This rule blocks all emails received from the senders listed in the Blacklist. The
Blacklist can contain several items.
(Please note, the term Blacklist is widely used in industry and its not meant as racist.)

Figure 4-1 Rule: Blacklist

Figure 4-2 Who Object: Blacklist

4.1.2 Block Viruses


This rule quarantines all incoming virus e-mail and informs the admin via e-mail
notification.

17.01.2015 Proxmox Server Solutions GmbH

22

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

Figure 4-3 Rule: Block Viruses

4.1.3 Virus Alert


This rule blocks all outgoing virus e-mail and informs the admin and sender via e-mail
notification.

Figure 4-4 Rule: Virus Alert

4.1.4 Block Dangerous Files


This rule removes dangerous attachments from incoming e-mails (.vbs,.bat,.com, )

17.01.2015 Proxmox Server Solutions GmbH

23

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

Figure 4-5 Rule: Block Dangerous Files

4.1.5 Modify Header


This rule modifies e-mail header for all incoming e-email. It just adds the results of the
spam analysis, including the test names and the reached spam score.

Figure 4-6 Rule: Modify Header

4.1.6 Whitelist
This rule accepts all emails received from the senders listed in the Whitelist. The
Whitelist can contain several items.
(Please note, the term Whitelist is widely used in industry and its not meant as racist.)
17.01.2015 Proxmox Server Solutions GmbH

24

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

Figure 4-7 Rule: Whitelist

Figure 4-8 Who Object: Whitelist

4.1.7 Quarantine/Mark Spam (Level 3)


This rule identifies Spam with Level 3 and modifies the e-mail subject and move the email to the spam quarantine.

17.01.2015 Proxmox Server Solutions GmbH

25

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

Figure 4-9 Rule: Quarantine/Mark Spam (Level 3)

17.01.2015 Proxmox Server Solutions GmbH

26

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

4.2 Custom Rules


Proxmox Mail Gateway provides samples for custom rules to show the functionality. For
support
or
help
configuring
rules
the
Proxmox
support
forum
at
http://forum.proxmox.com or submit a support request via the Proxmox Customer Portal
at https://my.proxmox.com

4.2.1 Enable Spam quarantine for just a selection of users


If you want to use the spam quarantine for specific users or a specific domain (and for
the rest just Mark Spam), create a new WHO object containing these users or domains.
1. Create a new WHO object; give a name like Quarantine Users and add the users
or domains to this object
2. Use the existing (inactive) rule Spam Quarantine and set higher priority than the
Mark Spam rule (e.g. 81)
3. Add the WHO object Quarantine Users
4. Activate the rule

Figure 4-10 Enable Spam quarantine for just a selection of users

4.2.2 Enable Spam quarantine for existing LDAP users


If you want to use the spam quarantine only for existing internal e-mail addresses, you
can use the LDAP query Existing LDAP.
1. Create a new WHO object; give a name like Existing LDAP address and add the
LDAP group Existing LDAP address
2. Use the existing (inactive) rule Spam Quarantine and set higher priority than the
Mark Spam rule (e.g. 81)
3. Add the WHO object Existing LDAP address
4. Activate the rule

17.01.2015 Proxmox Server Solutions GmbH

27

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

Figure 4-11 Create WHO object Existing LDAP address

Figure 4-12 Enable Spam quarantine for existing LDAP addresses

17.01.2015 Proxmox Server Solutions GmbH

28

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

4.2.3 Block Spam e-mails with a score higher 10


The default rule moves Spam with a score higher 3 to the spam quarantine. By activating
this additional rule, you can block Spam with a score higher 10 to reduce the delivery of
spam e-mails to the user spam quarantine.

Figure 4-13 Activate Block Spam (Level 10)

4.2.4 BCC object An simple archive solution


If you need to archive e-mails its useful to send a copy to a special mailbox. If you have
Microsoft Exchange, you can also send a copy to a e-mail enabled public folder.
1. Create an Action Object: Add BCC Object, name it BCC to Archive Public folder
or Mailbox
2. Under Receiver, type the e-mail address of the public folder/Mailbox
3. Click on an already existing rule or create a new one
4. Add Action Object BCC to Archive Public folder or Mailbox to the rule
How to create a Mail Enable Public Folder under MS Exchange 2000/2003?
1. Create a public folder in MS Exchange (MS Exchange System Manager or via
Outlook)
2. "Mail enable" the public folder via MS Exchange system manager right click an
select Mail Enable
3. Wait a few minutes, MS Exchange creates the e-mail address
4. Right click the folder an check the e-mail address (or change it, if you want),
remember e-mail address
5. Set appropriate client permission (note: anonymous must have the right to create
items)
6. Optional: Set age limit: select Limits and set the age limit to 90 days (all
messages older than 90 days will be automatically deleted)

4.2.5 Block Video and Audio Attachments


1. Create a new rule, e.g. Block Multimedia Files, define direction and set priority
2. Add What Object Multimedia to the rule
17.01.2015 Proxmox Server Solutions GmbH

29

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

3. Add Action Object Block to the rule


4. Final review (still inactive)
5. Activate the rule

4.2.6 Add Admin Notification to Rules


If you block mails its useful to inform the Proxmox Mail Gateway Admin.
1. Click on the desired rule
2. Add the notify Admin action to the rule

17.01.2015 Proxmox Server Solutions GmbH

30

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

4.2.7 Block Video and Audio Attachments for LDAP Groups


The LDAP groups can be used to apply special settings to groups.
Most people like sending joke videos and audio files via e-mail this grows up your users
mailboxes. On the other side, you do not want to block these funny things for everybody.
We assume you have a MS ADS group called Staff (including all your active users)

Create a new WHO Object, give a name, e.g. Staff


Add LDAP Group to the Object, select your LDAP Profile and select Staff from
the dropdown menu, click save.
Now you can test your object against e-mail addresses
Add new rule, give a name, e.g. Block Multimedia for Staff, set priority to 70,
set direction to in, click save
Add the WHO object Staff from above to the rule (as to)
Add the WHAT Multimedia to the rule
Add the ACTION object Remove Attachments
Final review (still inactive)
Activate the rule

Note: Removed attachments from e-mails are replaced with a text file.

Figure 4-14 Block video and Audio attachment for LDAP group Staff

17.01.2015 Proxmox Server Solutions GmbH

31

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

5 Proxmox Mail Gateway HA Cluster High availability


We are living in a world where e-mail becomes more and more important - failures in email systems are just not acceptable. To meet these requirements we developed the
Proxmox Mail Gateway HA (High Availability) Cluster.
The Proxmox Mail Gateway HA Cluster consists of a master and several nodes (minimum
one maser and one node). Configuration is done on the master. Configuration and data is
synchronized to all cluster nodes over a VPN tunnel. This provides the following
advantages:

centralized configuration management


fully redundant data storage
high availability
high performance

Proxmox Mail Gateway uses a unique application level clustering scheme, which provides
extremely good performance. Special considerations where taken to make management
as easy as possible. Complete Cluster setup is done within minutes, and nodes
automatically reintegrate after temporary failures without any operator interaction.

Figure 5-1 Proxmox Mail Gateway HA Cluster with load balanced MX records

17.01.2015 Proxmox Server Solutions GmbH

32

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

5.1 Load Balancing with MX Records


Its quite simple to set up a high performance load balanced mail cluster using MX
records. You have to define two MX records with the same priority.
You need to have 2 working Proxmox Mail Gateways (mail1.example.com and
mail2.example.com), each having its own IP address (the rest of the setting should be
more or less equal, i.e. you can use backup/restore to copy the rules).
We recommend adding reverse lookup entries (PTR records) for those hosts. Many e-mail
systems nowadays reject mails from hosts without valid PTR records.
This is all you need. You will receive mails on both hosts, more or less load-balanced
(round-robin scheduling). If one host fails the other is used.

Figure 5-2 Load balancing via MX Records

17.01.2015 Proxmox Server Solutions GmbH

33

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

5.2 Multiple Address Records


Using several DNS MX record is sometime clumsy if you have many domains. It is also
possible to use one MX record per domain, but multiple address records:

Figure 5-3 Load balancing Multiple Address Records

5.3 Using third party Firewall features


Many firewalls can do some kind of RR-Scheduling (round-robin) when using DNAT. See
your firewall manual for more details.

17.01.2015 Proxmox Server Solutions GmbH

34

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

6 Hardware selection and Virtualization


Proxmox Mail Gateway always needs a dedicated PC or server hardware. Alternative,
Proxmox Mail Gateway can be run under the following virtualization technologies:

Proxmox VE (recommended OpenVZ or KVM)


Vmware vSphere (vmware tools are integrated in the ISO)
Hyper-V (Hyper-V Linux integration tools are integrated in the ISO)
KVM (virtio drivers are integrated, great performance)
OpenVZ (great performance)
Virtual box
Citrix XenServer

6.1 Physical Hardware


See http://www.proxmox.com for hardware recommendation or contact us via the
Proxmox Customer Portal at https://my.proxmox.com/. For maximum performance we
recommend:
Hard disks
CPU
RAM

SAS Disk (15.000rpm) or SSD, Hardware Raid with battery backup and
write cache enabled
Two physical CPU with a lot of cores (e.g. Intel Xeon)
4 GB ECC

6.2 Proxmox VE
The Proxmox Mail Gateway is available as a certified Virtual Appliance for Proxmox VE.
For all details see http://pve.proxmox.com/wiki/Proxmox_Mail_Gateway

6.3 VMware
Proxmox Mail Gateway runs perfectly under VMware.
Proxmox Mail Gateway 4 ISO installer includes open-vm tools by default. Just install from
ISO.

17.01.2015 Proxmox Server Solutions GmbH

35

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

7 Troubleshooting and technical support


Use the moderated Proxmox support forum or contact us via the Proxmox Customer
Portal at https://my.proxmox.com/
All information:
http://www.proxmox.com

17.01.2015 Proxmox Server Solutions GmbH

36

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

8 Table of figures
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure

2-1 System without Proxmox Mail Gateway ............................................ 5


2-2 Incoming e-mail with Proxmox Mail Gateway................................... 5
2-3 Outgoing with Proxmox Mail Gateway .............................................. 6
2-4 Incoming default port settings (port 25) .......................................... 7
2-5 Outgoing default port settings (port 26) .......................................... 7
2-6 Incoming alternative port settings (port 26) .................................... 8
2-7 Outgoing alternative port settings (port 25) .................................... 8
2-8 Proxmox Mail Gateway in DMZ ......................................................... 9
2-9 Multiple e-mail servers ....................................................................10
3-1 Mail proxy whitelist .........................................................................12
3-2 Enable RBL checks ...........................................................................13
3-3 Enable Verify Receivers ...................................................................15
3-4 Exchange 2003: Filter recipients 1 ..................................................16
3-5 Exchange 2003: Filter recipients 2 ..................................................17
3-6 Exchange 2003: Filter recipients 3 ..................................................18
3-7 Exchange 2003: Filter recipients 4 ..................................................18
3-8 MS Exchange 2007 SP1: Install Anti-Spam agent ............................19
3-9 MS Exchange 2007 SP1: Filter recipients 1 ......................................19
3-10 MS Exchange 2007 SP1: Filter recipients 2 ....................................20
4-1 Rule: Blacklist ..................................................................................22
4-2 Who Object: Blacklist ......................................................................22
4-3 Rule: Block Viruses ..........................................................................23
4-4 Rule: Virus Alert ..............................................................................23
4-5 Rule: Block Dangerous Files ............................................................24
4-6 Rule: Modify Header ........................................................................24
4-7 Rule: Whitelist .................................................................................25
4-8 Who Object: Whitelist ......................................................................25
4-9 Rule: Quarantine/Mark Spam (Level 3) ...........................................26
4-10 Enable Spam quarantine for just a selection of users ....................27
4-11 Create WHO object Existing LDAP address .................................28
4-12 Enable Spam quarantine for existing LDAP addresses ...................28
4-13 Activate Block Spam (Level 10) ..................................................29
4-14 Block video and Audio attachment for LDAP group Staff ............31
5-1 Proxmox Mail Gateway HA Cluster with load balanced MX records ..32
5-2 Load balancing via MX Records........................................................33
5-3 Load balancing Multiple Address Records ........................................34

17.01.2015 Proxmox Server Solutions GmbH

37

38

Proxmox Server Solutions GmbH


Kohlgasse 51/10

A-1050 Vienna

office@proxmox.com

www.proxmox.com

9 Appendix
Reference document: Mail Gateway AdminGuide
You can download the latest version from www.proxmox.com
- End of document -

17.01.2015 Proxmox Server Solutions GmbH

38

38