Deployment Guide
1/17/2015
MailGatewayDeploymentGuide-V2.0.docx
A-1050 Vienna
office@proxmox.com
www.proxmox.com
Proxmox Server Solutions GmbH reserves the right to make changes to this document
and to the products described herein without notice. Before installing and using the
software, please review the latest version of this document, which is available from
http://www.proxmox.com.
NOTE: All prices are for one-year subscription licenses. After expiration, e-mail flow continues
but spam and AV checks stop working (exception: ClamAV continues working).
All other product or company names different from Proxmox may be trademarks or
registered trademarks of their owners.
Copyright 2005 - 2015 Proxmox Server Solutions GmbH. All rights reserved. No part
of this publication may be reproduced, photocopied, stored in a retrieval system, or
transmitted without the express prior written consent of Proxmox.
Table of Contents
1 Introduction ........................................................................ 4
2 Proxmox Mail Gateway Integration .................................................... 5
  2.1 E-mail system without Proxmox Mail Gateway ...................................... 5
  2.2 E-mail system with Proxmox Mail Gateway ......................................... 5
  2.3 Proxmox Mail Gateway in the Intranet ............................................ 7
    2.3.1 Default port settings ....................................................... 7
    2.3.2 Alternative port settings (e.g. for MS Exchange) ............................ 7
  2.4 Proxmox Mail Gateway in DMZ (demilitarized zone) ................................ 9
  2.5 Proxmox Mail Gateway with multiple e-mail servers and e-mail domains ........... 10
3 Performance Tuning ................................................................. 11
  3.1 Hardware benchmarks ............................................................ 11
  3.2 Backup MX ...................................................................... 11
  3.3 Blocking e-mails on SMTP level ................................................. 11
    3.3.1 Greylisting ................................................................ 12
    3.3.2 Sender Policy Framework (SPF) .............................................. 12
    3.3.3 Real-time Blacklists (RBL) ................................................. 13
    3.3.4 Receiver Verification ...................................................... 14
      3.3.4.1 Proxmox Mail Gateway Solutions ......................................... 14
      3.3.4.2 Enabling Verify Receivers .............................................. 15
        3.3.4.2.1 Settings for MS Exchange 2003 SP2 .................................. 16
        3.3.4.2.2 Settings for MS Exchange 2007 SP1 (and higher versions) ............ 19
4 Rule System ........................................................................ 20
  4.1 Default Rules .................................................................. 22
    4.1.1 Blacklist .................................................................. 22
    4.1.2 Block Viruses .............................................................. 22
    4.1.3 Virus Alert ................................................................ 23
    4.1.4 Block Dangerous Files ...................................................... 23
    4.1.5 Modify Header .............................................................. 24
    4.1.6 Whitelist .................................................................. 24
    4.1.7 Quarantine/Mark Spam (Level 3) ............................................. 25
  4.2 Custom Rules ................................................................... 27
    4.2.1 Enable spam quarantine for just a selection of users ....................... 27
    4.2.2 Enable spam quarantine for existing LDAP users ............................. 27
    4.2.3 Block spam e-mails with a score higher than 10 ............................. 29
    4.2.4 BCC object: a simple archive solution ...................................... 29
    4.2.5 Block video and audio attachments .......................................... 29
    4.2.6 Add admin notification to rules ............................................ 30
    4.2.7 Block video and audio attachments for LDAP groups .......................... 31
5 Proxmox Mail Gateway HA Cluster (High availability) ................................ 32
  5.1 Load Balancing with MX Records ................................................. 33
  5.2 Multiple Address Records ....................................................... 34
  5.3 Using third-party firewall features ............................................ 34
6 Hardware selection and Virtualization .............................................. 35
  6.1 Physical Hardware .............................................................. 35
  6.2 Proxmox VE ..................................................................... 35
  6.3 VMware ......................................................................... 35
7 Troubleshooting and technical support .............................................. 36
8 Table of figures ................................................................... 37
9 Appendix ........................................................................... 38
1 Introduction
The huge amount of e-mail traffic is a challenge for every e-mail environment. The daily
e-mail routine brings along some major problems, including performance, reliability,
regulation under public law, and e-mail threats like viruses or phishing attacks.
E-mail is an essential service for any organization, and professionally managed e-mail
improves organizational workflow and customer satisfaction. A missed e-mail could mean
a lost opportunity, or it could cause a public-relations problem that no organization would
want.
How does the Proxmox Mail Gateway work?
When an e-mail arrives at the Proxmox Mail Gateway, it is analyzed and forwarded to
your e-mail server, which is responsible for delivering the e-mail to the receiver. If the
e-mail server is not working, Proxmox Mail Gateway temporarily stores the message in the
e-mail queue for later transfer. The process works similarly for outgoing e-mails.
This document covers samples and deployment information on how to integrate and
customize Proxmox in your e-mail environment.
Note: See also the Proxmox Mail Gateway Administration Guide for a detailed product
description.
Many mail filter solutions do not scan outgoing mails. Proxmox Mail Gateway, by contrast,
is designed to scan both incoming and outgoing mails. This has two major
advantages:
Zone       IP Address      Net mask
Local      192.168.1.1     255.255.255.0
Internet   10.0.0.2        255.255.255.0
DMZ        192.168.16.1    255.255.255.0
2.5 Proxmox Mail Gateway with multiple e-mail servers and e-mail domains
You can use Proxmox Mail Gateway to deliver e-mails to different internal e-mail servers.
For example, e-mails addressed to domain.com can be sent to your first e-mail server,
and e-mails addressed to subdomain.domain.com to a second one. In the e-mail proxy
transport section, add the IP addresses or hostnames, SMTP ports and mail domains of
your additional e-mail servers.
3 Performance Tuning
3.1 Hardware benchmarks
Please use the command line tool proxperf to get an overview of your hardware and
DNS performance.
Note: Never run proxperf if the system is under load.
Here is a sample output of proxperf:
root@proxmox:~# proxperf
CPU BOGOMIPS:      4266.81
REGEX/SECOND:      507952
HD SIZE:           30.98 GB (/dev/vda2)
BUFFERED READS:    87.32 MB/sec
AVERAGE SEEK TIME: 0.47 ms
FSYNCS/SECOND:     2902.06
DNS EXT:           44.18 ms
DNS INT:           3.70 ms (maurer-it.com)
DNSBL:             44.23 ms (black.rbl.commtouch.local)
root@proxmox:~#
Please compare your results against this reference. If you get lower results, analyze
your hardware and DNS setup; for comments, e-mail your results to
support@proxmox.com.
3.2 Backup MX
Using your ISP's e-mail server as a backup MX is not a good idea, because many ISPs do not use
advanced spam prevention techniques. Spammers know this, and they use your ISP's
backup MX to work around your Proxmox Mail Gateway spam filtering.
Additionally, you can never benefit from blocking spam messages on SMTP level.
If you need redundancy, it is recommended to run a second Proxmox Mail Gateway
server in HA cluster mode to avoid lower spam detection rates.
3.3.1 Greylisting
Typically, a server that utilizes greylisting records the following three pieces of
information (referred to as a triplet) for all incoming e-mail.
The client is first checked against the mail server's internal whitelists (if any). Then, if
the triplet has never been seen before, it is greylisted for a period of time (how long
depends on the server configuration). The e-mail is rejected with a temporary
error. The assumption is that, since temporary failures are built into the RFC
specifications for e-mail delivery, a legitimate server will attempt to connect again later
on to deliver the e-mail.
Greylisting is effective because many mass e-mail tools utilized by spammers are not set
up to handle temporary failures (or any failures, for that matter), so the spam is never
received.
This feature can reduce e-mail traffic by up to 50%. Greylisted e-mails never reach your
mail server, and your mail server will stop sending useless "Non Delivery Reports" to
spammers, which fill up the queue.
If a sender has a valid SPF record, it will never be greylisted.
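The triplet check and temporary rejection described above, as an added Python example that is not Proxmox Mail Gateway code: it records the standard greylisting triplet (connecting client IP, envelope sender, envelope recipient), defers an unseen triplet with a 450 reply, accepts it once the configured delay has passed, and lets whitelisted clients and SPF-passing senders through untouched. The delay and retention values, the sample traffic and the addresses in it are constructed for this illustration and are not Proxmox defaults.

```python
"""Greylisting triplet check modelled on section 3.3.1 (added illustration)."""
from dataclasses import dataclass, field

GREYLIST_DELAY = 300            # seconds a new triplet must wait (assumed value)
TRIPLET_RETENTION = 36 * 3600   # forget triplets not seen for this long (assumed value)
TEMP_FAIL = "450 4.7.1 Greylisted, please try again later"


@dataclass
class Greylist:
    delay: int = GREYLIST_DELAY
    retention: int = TRIPLET_RETENTION
    # triplet -> timestamp of the first delivery attempt
    first_seen: dict = field(default_factory=dict)
    # client IPs that bypass greylisting (the server's internal whitelist)
    whitelist: set = field(default_factory=set)

    def check(self, client_ip, sender, recipient, now, spf_pass=False):
        """Return (verdict, smtp_reply) for one delivery attempt.

        verdict is "accept" or "defer".  Whitelisted clients and senders
        with a valid SPF result are never greylisted.
        """
        if client_ip in self.whitelist or spf_pass:
            return "accept", "250 2.1.5 Ok (whitelisted)"
        self._expire(now)
        triplet = (client_ip, sender.lower(), recipient.lower())
        first = self.first_seen.get(triplet)
        if first is None:
            # never seen: remember the triplet and reject with a temporary error
            self.first_seen[triplet] = now
            return "defer", TEMP_FAIL
        if now - first < self.delay:
            # retried too early: keep deferring until the delay has elapsed
            return "defer", TEMP_FAIL
        # known triplet and delay elapsed: a real MTA retrying as the RFCs require
        return "accept", "250 2.1.5 Ok"

    def _expire(self, now):
        """Drop triplets whose first attempt is older than the retention window."""
        stale = [t for t, ts in self.first_seen.items() if now - ts > self.retention]
        for t in stale:
            del self.first_seen[t]


def simulate(attempts, greylist=None):
    """Run delivery attempts (time, client_ip, sender, recipient, spf_pass)
    through one greylist and return the verdicts in order."""
    gl = greylist or Greylist()
    return [gl.check(ip, s, r, t, spf)[0] for t, ip, s, r, spf in attempts]


# Constructed sample traffic (documentation addresses, not real senders):
# a legitimate MTA retries after the temporary error, a spam tool sends
# once and never retries, and a sender with a valid SPF record passes through.
SAMPLE_ATTEMPTS = [
    (0,   "203.0.113.5",  "alice@example.org",   "bob@example.com", False),  # legit, first try
    (10,  "198.51.100.9", "offer@spam.example",  "bob@example.com", False),  # spam tool, no retry
    (120, "203.0.113.5",  "alice@example.org",   "bob@example.com", False),  # retried too early
    (600, "203.0.113.5",  "alice@example.org",   "bob@example.com", False),  # retry after delay
    (700, "192.0.2.44",   "news@partner.example", "bob@example.com", True),  # SPF pass
]

if __name__ == "__main__":
    for attempt, verdict in zip(SAMPLE_ATTEMPTS, simulate(SAMPLE_ATTEMPTS)):
        print(f"t={attempt[0]:>4} {attempt[1]:<14} {attempt[2]:<22} -> {verdict}")
```

Running the sample shows the spam tool's single attempt is deferred and never accepted, while the legitimate sender is accepted on its retry after the delay; the retention window keeps the triplet store from growing without bound.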
- Reduced traffic, up to 90 %
- Your internal e-mail server is now working for you again
- Reduced load on your scanners: 90 % fewer e-mails to analyze for spam and viruses
- Good performance and costs
4 Rule System
The object-oriented rule system enables custom rules for your domains. It's an easy but
very powerful way to define filter rules by user, domain, time frame, content type and
resulting action.
Who object (used in the TO and/or FROM category)
Example: Mail object - Who is the sender or receiver of the e-mail?
When object
Example: When is the e-mail received by Proxmox Mail Gateway?
What object
Example: Does the e-mail contain spam?
Action object
Example: Mark the e-mail with "SPAM:" in the subject.
Every rule has five categories (FROM, TO, WHEN, WHAT, ACTION), each of which can contain
several objects. For example, to enable an archive solution with a BCC object (blind carbon
copy: recipients are not visible in the "To" field) to a mailbox or to a public folder:
FROM: Anybody
TO: Anybody
WHEN: Always
WHAT: Mail
ACTION: BCC to Publicfolder
17.01.2015 Proxmox Server Solutions GmbH
In most countries worldwide a company has to forward all e-mails to its
employees; this includes spam e-mails as well.
For example, to send spam e-mails to the quarantine:
FROM: Anybody
TO: Anybody
WHEN: Always
WHAT: Spam
ACTION: Quarantine
With this kind of setup the receiver gets detailed information about the spam e-mails.
Quarantine can also be enabled just for existing LDAP groups, or via BCC to public folders or
mailboxes.
At present the usefulness of e-mail is being threatened by three phenomena: spamming,
phishing and e-mail worms.
Spamming is unsolicited commercial e-mail. Because of the very low cost of sending
e-mail, spammers can send hundreds of millions of e-mail messages each day over an
inexpensive internet connection. Hundreds of active spammers sending this volume of
mail results in information overload for many computer users, who receive tens or even
hundreds of junk messages each day.
E-mail worms use e-mail as a way of replicating themselves onto vulnerable computers.
The combination of spam and worm programs results in users receiving a constant
drizzle of junk e-mail, which reduces the usefulness of e-mail as a practical tool.
To increase the efficiency of e-mail communications, the use of anti-spam, anti-phishing
and antivirus software is essential. With the deployment of Proxmox Mail Gateway you
get the job done. Based on its design as a software appliance, one of the strengths of
Proxmox Mail Gateway is its flexibility. It can be easily integrated into an existing e-mail
architecture. It's compatible with every type of mail server or MTA (e.g. MS Exchange,
Lotus Domino, Postfix).
For example, a virus protection rule looks like this:
FROM: Anybody
TO: Anybody
WHEN: Always
WHAT: Virus
ACTION: Block (or Quarantine)
Options range from simple spam and virus filter setups to sophisticated, highly
customized configurations blocking certain types of e-mails and generating notifications.
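To make the five-category model concrete, the following is an added Python example, not Proxmox Mail Gateway code, that evaluates rules written in the FROM/TO/WHEN/WHAT/ACTION form shown above: each category holds objects, a rule fires when every category has at least one object matching the message, and its ACTION objects are then applied in priority order. The object names follow the guide's examples (Anybody, Always, Mail, Spam, Virus, BCC, Quarantine, Block); their internals, the rule priorities, the stop-after-block behaviour and the sample messages are assumptions made for this illustration.

```python
"""Rule evaluation modelled on the section 4 rule layout (added illustration)."""
from dataclasses import dataclass, field


@dataclass
class Message:
    sender: str
    recipients: list
    hour: int                 # hour of day the gateway received the mail
    spam_score: float = 0.0   # score assigned by the spam scanner (assumed scale)
    has_virus: bool = False
    actions: list = field(default_factory=list)   # actions applied so far, in order
    blocked: bool = False


# --- Who objects (usable in FROM and TO); called with (message, address) ----
def anybody(_msg, _addr):
    return True

def domain(name):
    """Match addresses in the given mail domain (case-insensitive)."""
    return lambda _msg, addr: addr.lower().endswith("@" + name.lower())

# --- When objects; called with (message) ------------------------------------
def always(_msg):
    return True

def time_frame(start_hour, end_hour):
    return lambda msg: start_hour <= msg.hour < end_hour

# --- What objects; called with (message) ------------------------------------
def mail(_msg):
    return True

def spam(level):
    """Spam object: match when the scanner score reaches the given level."""
    return lambda msg: msg.spam_score >= level

def virus(msg):
    return msg.has_virus

# --- Action objects; mutate the message -------------------------------------
def bcc(target):
    return lambda msg: msg.actions.append(f"BCC to {target}")

def quarantine(msg):
    msg.actions.append("Quarantine")
    msg.blocked = True

def block(msg):
    msg.actions.append("Block")
    msg.blocked = True

def modify_subject(tag):
    return lambda msg: msg.actions.append(f"Subject prefix {tag}")


@dataclass
class Rule:
    name: str
    priority: int
    FROM: list
    TO: list
    WHEN: list
    WHAT: list
    ACTION: list

    def matches(self, msg):
        """Every category needs at least one matching object."""
        return (
            any(o(msg, msg.sender) for o in self.FROM)
            and any(o(msg, r) for r in msg.recipients for o in self.TO)
            and any(o(msg) for o in self.WHEN)
            and any(o(msg) for o in self.WHAT)
        )


def apply_rules(rules, msg):
    """Evaluate rules by descending priority; stop once a rule blocked the mail.
    Returns the list of actions applied to the message."""
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if msg.blocked:
            break
        if rule.matches(msg):
            for action in rule.ACTION:
                action(msg)
    return msg.actions


# Constructed rule set mirroring the guide's examples: block viruses,
# quarantine spam (level 3), archive everything else via BCC.
RULES = [
    Rule("Block Viruses",   90, [anybody], [anybody], [always], [virus],   [block]),
    Rule("Quarantine Spam", 80, [anybody], [anybody], [always], [spam(3)], [quarantine]),
    Rule("Archive",         10, [anybody], [anybody], [always], [mail],    [bcc("archive public folder")]),
]

if __name__ == "__main__":
    m = Message("alice@example.org", ["bob@example.com"], hour=10, spam_score=5.0)
    print(apply_rules(RULES, m))
```

The design choice worth noting is that a blocking action (Block, Quarantine) ends evaluation, so the low-priority archive BCC only sees mail that passed the virus and spam rules; swap the priorities if the archive must also hold quarantined messages.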
4.1.6 Whitelist
This rule accepts all e-mails received from the senders listed in the Whitelist. The
Whitelist can contain several items.
(Please note, the term Whitelist is widely used in industry and it's not meant as racist.)
Note: Attachments removed from e-mails are replaced with a text file.
Figure 4-14 Block video and audio attachments for LDAP group Staff
5 Proxmox Mail Gateway HA Cluster (High availability)
Proxmox Mail Gateway uses a unique application-level clustering scheme, which provides
extremely good performance. Special considerations were taken to make management
as easy as possible. The complete cluster setup is done within minutes, and nodes
automatically reintegrate after temporary failures without any operator interaction.
Figure 5-1 Proxmox Mail Gateway HA Cluster with load balanced MX records
6.1 Physical Hardware
- SAS disks (15,000 rpm) or SSD, hardware RAID with battery backup and write cache enabled
- Two physical CPUs with a lot of cores (e.g. Intel Xeon)
- 4 GB ECC memory
6.2 Proxmox VE
The Proxmox Mail Gateway is available as a certified Virtual Appliance for Proxmox VE.
For all details see http://pve.proxmox.com/wiki/Proxmox_Mail_Gateway
6.3 VMware
Proxmox Mail Gateway runs perfectly under VMware.
The Proxmox Mail Gateway 4 ISO installer includes open-vm-tools by default. Just install from
the ISO.
8 Table of figures
9 Appendix
Reference document: Mail Gateway AdminGuide
You can download the latest version from www.proxmox.com
- End of document -