
Proxmox Mail Gateway

Administration Guide

8/21/2017

MailGatewayAdminGuide-V3.5.docx
Proxmox Server Solutions GmbH
Bräuhausgasse 37 A-1050 Vienna  office@proxmox.com  www.proxmox.com

Proxmox Server Solutions GmbH reserves the right to make changes to this document and to the
products described herein without notice. Before installing and using the software, please review the
latest version of this document, which is available from https://www.proxmox.com/.

NOTE: All prices are for one-year subscription licenses. After expiration, e-mail flow continues, but
spam and AV checks stop working (exception: ClamAV continues to work).

All other product or company names other than Proxmox may be trademarks or registered
trademarks of their owners.

Copyright © 2005 - 2017 Proxmox Server Solutions GmbH. All rights reserved. No part of this
publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the
express prior written consent of Proxmox.

© 21.08.2017 Proxmox Server Solutions GmbH 2 | 55



Table of Contents

1 What is Proxmox Mail Gateway? .......................................................................................... 6


2 Quick start guide ..................................................................................................................... 7
3 Planning for deployment ....................................................................................................... 8
3.1 Easy integration into existing e-mail server architecture ................................................................ 8
3.1.1 Filtering outgoing e-mails ................................................................................................................... 9
3.2 Firewall settings ......................................................................................................................................... 9
3.3 System requirements ............................................................................................................................... 9
3.3.1 Minimum system requirements...................................................................................................... 10
3.3.2 Recommended system requirements ........................................................................................... 10
3.4 Compare the Proxmox Mail Gateway editions ................................................................................ 10
3.4.1 Proxmox Mail Gateway Free version ............................................................................................. 10
3.4.2 Proxmox Mail Gateway Standard versions ................................................................................... 10
3.4.3 Proxmox Mail Gateway Professional ............................................................................................. 11
3.4.4 Proxmox Mail Gateway HA Cluster................................................................................................. 11
3.4.5 EDU, GOV and non-profit organization licensing ........................................................................ 11

4 Installing Proxmox Mail Gateway ....................................................................................... 12


4.1 Complete installation in 3 to 5 minutes ............................................................................................. 12
4.2 Software RAID .......................................................................................................................................... 12
4.2.1 Differences between RAID systems ............................................................................................... 12

5 Getting started with Mail Gateway ..................................................................................... 14


5.1 Web interface ........................................................................................................................................... 14
5.2 Upload license file ................................................................................................................................... 15
5.3 Configuration ........................................................................................................................................... 15
5.3.1 System................................................................................................................................................... 16
5.3.2 Mail proxy ............................................................................................................................................. 17
5.3.3 Spam detector .................................................................................................................................... 20
5.3.4 Virus detector ...................................................................................................................................... 22
5.3.5 User management ............................................................................................................................. 22
5.3.6 Cluster ................................................................................................................................................... 23
5.3.7 License .................................................................................................................................................. 23
5.4 Mail filter ................................................................................................................................................... 23
5.4.1 Rules ...................................................................................................................................................... 23
5.4.2 Actions .................................................................................................................................................. 24
5.4.3 Who ....................................................................................................................................................... 26
5.4.4 What ...................................................................................................................................................... 26
5.4.5 When ..................................................................................................................................................... 27
5.5 Administration ......................................................................................................................................... 27
5.5.1 Server .................................................................................................................................................... 27
5.5.2 Statistic.................................................................................................................................................. 27
5.5.3 Quarantine ........................................................................................................................................... 27
5.5.4 Tracking center ................................................................................................................................... 31


5.5.4.2 Real-time ..................................................................................................................................... 33


5.5.4.3 Greylist log .................................................................................................................................. 33
5.5.5 Queues ................................................................................................................................................. 34

6 LDAP integration (professional version or LDAP option) ................................................ 35


6.1 Creating a new LDAP profile ................................................................................................................. 35
6.2 LDAP queries............................................................................................................................................ 36
6.3 Sample LDAP rules ................................................................................................................................. 37

7 Example mail server configuration (outgoing mails) ....................................................... 38


7.1 Configuration for Microsoft Exchange ............................................................................................... 38
7.2 Configuration for Postfix ....................................................................................................................... 40

8 Example rules ........................................................................................................................ 41


9 Redundant servers and load balancing............................................................................. 42
9.1 Hot standby with backup MX records ................................................................................................ 42
9.2 Load balancing with MX records ......................................................................................................... 42
9.3 Other ways................................................................................................................................................ 43
9.3.1 Multiple address records.................................................................................................................. 43
9.3.2 Using firewall features ....................................................................................................................... 43

10 Proxmox Mail Gateway HA cluster ..................................................................................... 44


10.1 Hardware requirements ........................................................................................................................ 45
10.2 Required licenses .................................................................................................................................... 45
10.3 Load balancing ........................................................................................................................................ 45
10.4 Cluster administration ........................................................................................................................... 45
10.4.1 Creating a cluster ........................................................................................................................... 45
10.4.2 List cluster status ........................................................................................................................... 45
10.4.3 Adding cluster nodes .................................................................................................................... 45
10.4.4 Deleting nodes ............................................................................................................................... 46
10.5 Disaster recovery .................................................................................................................................... 46
10.5.1 Single node failure ......................................................................................................................... 46
10.5.2 Master failure .................................................................................................................................. 46
10.5.3 Total cluster failure ........................................................................................................................ 46

11 Troubleshooting and technical support ............................................................................ 47


11.1 Console login ........................................................................................................................................... 47

12 Table of figures ..................................................................................................................... 48


13 Appendix ................................................................................................................................ 49
13.1 Available macros for rule system ........................................................................................................ 49
13.2 Individual SpamAssassin configuration ............................................................................................. 49
13.3 Customized daily spam reports ........................................................................................................... 49
13.4 Using regular expressions .................................................................................................................... 50
13.4.1 Simple regular expressions ......................................................................................................... 50
13.4.2 Metacharacters .............................................................................................................................. 50
13.4.3 References ....................................................................................................................................... 51
13.5 Managing software RAID ....................................................................................................................... 51


13.6 Backup considerations .......................................................................................................................... 52


13.6.1 Scheduled backup ......................................................................................................................... 52
13.6.2 Backup via console ........................................................................................................................ 53
13.6.3 Restore via console ....................................................................................................................... 53
13.7 Avira SAV antivirus integration ............................................................................................................. 53
13.8 SSL certificate ........................................................................................................................................... 53
13.9 Port scans (nmap) ................................................................................................................................... 54
13.10 Create bootable USB stick ................................................................................................................ 54
13.10.1 Instructions for Windows ............................................................................................................. 54
13.10.2 Instructions for Linux (and OSX)................................................................................................. 55
13.10.3 Boot your server from USB media ............................................................................................. 55


1 What is Proxmox Mail Gateway?


E-mail security begins at the gateway, by controlling all incoming and outgoing e-mail messages.
Proxmox Mail Gateway addresses the full spectrum of unwanted e-mail traffic, focusing on spam and
virus detection. It provides a powerful and affordable server solution to eliminate spam and viruses
and to block undesirable content from your e-mail system. All products are self-installing and can be
used without deep knowledge of Linux.

Figure 1-1 Processing of incoming e-mail traffic


2 Quick start guide


Experienced users can use this guide for a quick installation. For detailed instructions please read the
whole documentation.

1. Burn the downloaded ISO image to a CD or create a USB stick


2. Boot from this CD/USB stick on your dedicated hardware - see 3.3 System requirements
3. Follow the instructions on the graphical screen – all existing data on your hard disk will be
lost!
4. After reboot, go to your desktop PC and point your browser to the given IP address.
5. Upload license file and change the root password
6. Check the IP configuration and hostname
7. Select Time Zone and save
8. Check your Firewall settings – see 3.2 Firewall settings
9. Configure Proxmox Mail Gateway to forward the incoming SMTP traffic to your Mail server
(Configuration/Mail Proxy/Default Relay), Default Relay is your e-mail server
10. Configure your e-mail server to send all outgoing messages through your Proxmox (Smart
Host, port 26) – see 3.1.1 Filtering outgoing e-mails

For detailed deployment scenarios see the “Proxmox Mail Gateway Deployment Guide”.

There is one ISO image for download covering all versions; the available features depend on the
uploaded license file.

If the installation succeeds you have to route all your incoming and outgoing e-mail traffic to the Mail
Gateway. For incoming traffic you have to configure your firewall, for outgoing traffic your existing e-
mail server configuration.

Download from https://www.proxmox.com/


3 Planning for deployment


3.1 Easy integration into existing e-mail server architecture
In this sample configuration, your e-mail traffic (SMTP) arrives at the firewall and is forwarded
directly to your e-mail server.

Figure 3-1 Infrastructure without Proxmox Mail Gateway

With Proxmox Mail Gateway in place, all your e-mail traffic is forwarded to the Proxmox Mail Gateway,
which filters the whole e-mail traffic and removes unwanted e-mails. Both incoming and outgoing mail
traffic can be managed this way.

Figure 3-2 Infrastructure with integrated Proxmox Mail Gateway


3.1.1 Filtering outgoing e-mails


Many e-mail filter solutions do not scan outgoing mail. In contrast, Proxmox Mail Gateway is
designed to scan both incoming and outgoing e-mails. This has two major advantages:

1. Proxmox Mail Gateway is able to detect viruses sent from an internal host. In many countries
you are liable if you send viruses to other people. The outgoing e-mail scanning feature of Proxmox
Mail Gateway is an additional protection against that.
2. Proxmox Mail Gateway can gather statistics about outgoing e-mails too. Statistics about
incoming e-mails look nice, but on their own they are of little use. Consider two users: user-1
receives 10 e-mails from news portals and wrote 1 e-mail to a person you have never heard of, while
user-2 receives 5 e-mails from a customer and sent 5 e-mails back. Which user do you
consider more active? Clearly user-2, because he communicates with your customers.
The advanced address statistics of Proxmox Mail Gateway can show you this important information.
A solution that does not scan outgoing e-mail cannot do that.

To enable outgoing e-mail filtering you only need to send all outgoing e-mails through your Proxmox
Mail Gateway (usually by specifying Proxmox as "smarthost" on your e-mail server); see chapter 7
Example mail server configuration (outgoing mails).

3.2 Firewall settings


In order to pass e-mail traffic to the Proxmox Mail Gateway you need to open the SMTP port on your
firewall. The server also uses the Network Time Protocol (NTP) for time synchronization, Razor, DNS
and HTTP(S):

Service           Port   Protocol   From       To
SMTP              25     TCP        Proxmox    Internet
SMTP              25     TCP        Internet   Proxmox
NTP               123    TCP/UDP    Proxmox    Internet
RAZOR             2703   TCP        Proxmox    Internet
DNS               53     TCP/UDP    Proxmox    DNS server
HTTP              80     TCP        Proxmox    Internet
HTTPS (optional)  443    TCP        Internet   Proxmox

The outgoing HTTP connection is mainly used for virus pattern updates and can be configured to use
a proxy instead of a direct Internet connection.

If your internal e-mail server sends its outgoing mail through the gateway (smarthost on the internal
SMTP port, default 26, see 5.3.2 Mail proxy), that port also has to be reachable from the e-mail
server; it should not be reachable from the Internet.

You can use the nmap utility to test your firewall settings (see chapter 13.9).
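The port table above, written out as an nftables rule set for the gateway host. This is an added example for this edition of the guide, not a configuration shipped with Proxmox Mail Gateway; the interface name, the management network, the internal mail server and the resolver address are assumed placeholders. The input chain opens port 25 to the world, the internal port 26 (5.3.2) only to the internal mail server, and the web interface and SSH (5.3.1) only to the management network; the output chain permits exactly the services in the table and nothing else. The script prints the rule set so it can be reviewed first and applies it only when called with --apply.

```shell
#!/bin/sh
# Added example (not part of the Proxmox guide or product): nftables rule set
# implementing the firewall table in section 3.2. All addresses and the
# interface name below are assumptions; adjust them to your network.
ADMIN_NET="${ADMIN_NET:-192.168.10.0/24}"   # assumed management network
MAIL_SERVER="${MAIL_SERVER:-192.168.1.10}"  # assumed internal e-mail server
DNS_SERVER="${DNS_SERVER:-192.168.1.53}"    # assumed resolver

# Print the rule set on stdout (reviewable; apply with: ruleset | nft -f -).
ruleset() {
cat <<EOF
flush ruleset
table inet pmg {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iif lo accept
    # external SMTP port: mail from the Internet
    tcp dport 25 accept
    # internal SMTP port: outgoing mail from the internal e-mail server only
    ip saddr $MAIL_SERVER tcp dport 26 accept
    # web interface (HTTPS) and SSH only from the management network
    ip saddr $ADMIN_NET tcp dport { 22, 443 } accept
  }
  chain output {
    type filter hook output priority 0; policy drop;
    ct state established,related accept
    oif lo accept
    tcp dport 25 accept                     # SMTP to relay and Internet
    udp dport 123 accept                    # NTP
    tcp dport 123 accept
    tcp dport 2703 accept                   # Razor
    ip daddr $DNS_SERVER udp dport 53 accept
    ip daddr $DNS_SERVER tcp dport 53 accept
    tcp dport { 80, 443 } accept            # pattern and package updates
  }
}
EOF
}

# Count the accept rules in the output chain: a quick sanity check that the
# egress allowlist has not grown beyond the documented services.
egress_rule_count() {
  ruleset | sed -n '/chain output/,/}/p' | grep -c ' accept'
}

if [ "$1" = "--apply" ]; then
  ruleset | nft -f -
else
  ruleset
fi
```

Both chains default to drop, so any service not in the guide's table (for example a proxy used for pattern updates) has to be added explicitly; that is intended, because an unexpected outbound connection from a mail gateway is exactly what you want a firewall to surface.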

3.3 System requirements


Proxmox Mail Gateway needs dedicated server hardware, but can also run as a virtual appliance on:

• Proxmox VE (KVM)
• VMware vSphere™ (open-vm-tools are included in the ISO)
• Hyper-V™ (Hyper-V Linux integration tools are included in the ISO)
• KVM (virtio drivers are included, great performance)
• VirtualBox™
• Citrix XenServer™

Please see http://www.proxmox.com for details.


Please check our website for a list of certified hardware.

In order to get a benchmark from your hardware, just run “proxperf” after installation.

Note: All existing data on the hard disk will be lost during the installation!

3.3.1 Minimum system requirements


• CPU: 64-bit (Intel EM64T or AMD64)
• 1024 MB RAM
• bootable CD-ROM drive or USB boot support
• 1024x768 capable VGA/monitor for the installer
• Hard disk 8 GB - ATA/SATA/SCSI
• 10/100 Mbit/s network interface card

3.3.2 Recommended system requirements


• Multicore CPU: 64-bit (Intel EM64T or AMD64)
• 4096 MB RAM
• bootable CD-ROM drive or USB boot support
• 1024x768 capable VGA/monitor for the installer
• 1 Gbit/s network interface card
• Hardware RAID1 or RAID10; RAID controllers need a battery-backed write cache module
for best performance
• Enterprise class SSD with power loss protection (e.g. Intel SSD DC 35xx/36xx/37xx)

3.4 Compare the Proxmox Mail Gateway editions


Proxmox Mail Gateway must be licensed for the number of relaying domains. For example, if you run
a mail server receiving e-mails for three domains (e.g. domain.net, domain.com, domain.at), then you
need the three domain version. All Editions are for unlimited users – only the optional Avira SAV is
licensed per user.

Note: Please see https://www.proxmox.com/ for details

If you need more features than your license offers, you can upgrade at any time by buying another
license, without reinstallation.

3.4.1 Proxmox Mail Gateway Free version


The free version is discontinued with V3.0 and later and is not available anymore (due to license
restriction from third party tools).

3.4.2 Proxmox Mail Gateway Standard versions


Standard versions are available for one, three, five and unlimited domains.

If you need to query MS Active Directory, an optional LDAP connector for one, three and five domains
can be purchased.


3.4.3 Proxmox Mail Gateway Professional


This edition is intended to meet the demands of complex and high performance installations. This
license provides the highest flexibility and performance (Relayed domains can be edited on the web
interface, LDAP integration, etc.).

3.4.4 Proxmox Mail Gateway HA Cluster


The Proxmox HA Cluster consists of a master and several nodes (minimum one node). Configuration
is done on the master. Configuration and all data are synchronized to all cluster nodes over a VPN
tunnel. This provides the following advantages:

• centralized configuration management
• fully redundant data storage without the need for an expensive SAN
• high availability
• high performance
• runs also in virtualization environments

The Proxmox Mail Gateway HA Cluster uses a unique application-level clustering scheme, which
provides extremely good performance. Special care was taken to make management as
easy as possible. Complete cluster setup is done within minutes, and nodes automatically reintegrate
after temporary failures without any operator interaction.

3.4.5 EDU, GOV and non-profit organization licensing


To purchase Proxmox Mail Gateway EDU/GOV/Non-Profit licenses, Proxmox must have proof of
eligible status. Please attach information regarding your eligibility to an e-mail and send it to
office@proxmox.com. Once the information is validated, we will reply as soon as possible.

Qualifying organizations:
Universities, schools, governmental organizations, NGOs, etc.

Currently, the following licenses are available at a reduced price:

• Proxmox Mail Gateway Professional
• Proxmox Mail Gateway HA Cluster


4 Installing Proxmox Mail Gateway


4.1 Complete installation in 3 to 5 minutes
The installer boots from CD or USB stick and detects your hardware without interaction. All Proxmox
products are based on Linux packages and most amd64 based PC and server hardware will work.

• Download the ISO image and burn it to a CD or create a bootable USB stick
• Boot from CD/USB stick and start the automatic installer on your dedicated hardware
• Request a trial license or buy one
• Configure the Proxmox Mail Gateway via the web interface

4.2 Software RAID


The installer supports hardware RAID and software RAID (mirroring with mdraid). Please see chapter
13.5 Managing software RAID for details.

Requirements: two identical hard drives

Note: If you have a hardware RAID controller, this option is NOT available.
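A mirror only protects you while both drives are present, so after installing with software RAID a practitioner wants a check that reports a degraded or rebuilding mdraid array. The script below is an added example for this edition of the guide, not a tool shipped with Proxmox Mail Gateway: it parses the Linux /proc/mdstat format (the "[2/1] [U_]" member map and the optional recovery progress line) and prints one status line per array. The embedded sample is constructed and shows one healthy mirror (md1) and one degraded mirror that is resyncing (md0); on a real host the same function is run on /proc/mdstat.

```shell
#!/bin/sh
# Added example (not from the Proxmox guide): report mdraid arrays that are
# degraded or rebuilding by parsing /proc/mdstat. The sample below is
# constructed test data, not output from a real system.
SAMPLE_MDSTAT='Personalities : [raid1]
md1 : active raid1 sdb2[1] sda2[0]
      976630464 blocks super 1.2 [2/2] [UU]

md0 : active raid1 sdb1[2] sda1[0]
      523264 blocks super 1.2 [2/1] [U_]
      [===>.................]  recovery = 18.3% (95744/523264) finish=0.1min speed=47872K/sec

unused devices: <none>'

# md_status: reads mdstat text on stdin and prints
#   "<array> ok|DEGRADED <wanted/active> <member map>" per array and
#   "<array> REBUILDING <percent>" if a resync/recovery line follows it.
md_status() {
  awk '
    /^md[0-9]+ : / { name = $1; next }
    name != "" && /\[[U_]+\]/ {
      map = ""; ratio = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^\[[U_]+\]$/) map = $i
        else if ($i ~ /^\[[0-9]+\/[0-9]+\]$/) ratio = $i
      }
      status = (map ~ /_/) ? "DEGRADED" : "ok"   # any "_" means a missing member
      print name, status, ratio, map
      last = name; name = ""
    }
    /(resync|recovery) *=/ {
      pct = ""
      for (i = 1; i <= NF; i++) if ($i ~ /%$/) pct = $i
      print last, "REBUILDING", pct
    }
  '
}

# degraded_arrays: names of arrays with at least one missing member.
degraded_arrays() {
  md_status | awk '$2 == "DEGRADED" { print $1 }'
}

echo "Sample mdstat:"
printf '%s\n' "$SAMPLE_MDSTAT" | md_status
if [ -r /proc/mdstat ]; then
  echo "This host:"
  md_status < /proc/mdstat
fi
```

Run it from cron and alert when degraded_arrays prints anything; a mirror that has silently lost a member is no longer redundant, and the installer's "two identical hard drives" requirement only helps if the replacement is actually re-added.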

4.2.1 Differences between RAID systems

RAID type          Description                                          Examples

Hardware RAID      Hardware XOR engine, integrated memory,              • LSI Logic MegaRAID
                   high-performance bus, optional battery backup         • HP Smart Array SCSI/SAS
                   and audible alarm, hot-swap drive support, easy       • Adaptec
                   management and monitoring, write cache with           • …
                   battery backup

Software RAID      Mirroring is done by the operating system            Supported by the Proxmox Mail
                                                                        Gateway operating system

HostRAID           It is NOT hardware RAID. Do not activate this in     • Intel ICH7, ICH8, ICH9, ICH10
(integrated in     the BIOS; use Proxmox Mail Gateway software RAID     • HP embedded SATA
the main board)    instead.                                             • LSI Logic integrated SATA RAID
                                                                        • Nvidia RAID
                                                                        • …


Figure 4-1 Selecting Software RAID during installation


5 Getting started with Mail Gateway


5.1 Web interface
After successful installation point your web browser to the IP address.

Web interface: https://youripaddress/


Default user: root
Default password: admin

Note: Please change the default password after successful log in!

Figure 5-1 Login page Proxmox Mail Gateway


5.2 Upload license file


There are several types of licenses:

• Trial version (30 days, fully functional, including full installation support)
• Standard Edition (for one, three, five, and unlimited mail domains)
• Professional Edition (unlimited domains with host-locked license model)
• HA Cluster (unlimited domains with host-locked license model)

Note: To determine which license meets your requirements, see chapter 3.4 Compare the
Proxmox Mail Gateway editions

Please visit https://www.proxmox.com/ to get a license. Without a valid subscription license, the
Proxmox Mail Gateway will not process any e-mail. All prices are for one-year subscription licenses.
After expiration, e-mail flow continues, but spam and AV checks stop working (exception:
ClamAV continues to work).

5.3 Configuration

Figure 5-2 Start page Proxmox Mail Gateway after log in

Note: By clicking these symbols on the configuration interface a dropdown menu is available


5.3.1 System

• Network       Review your IP configuration and complete all settings.

• Time          Review or update your NTP server settings and time zone.
                Check that your firewall allows access to the NTP server.

• Backup        Back up your system configuration and rule database to a file (a few KB).
                Statistical data is not saved via the web interface, only via scheduled backup!

                Configure scheduled backups to an FTP server or Windows share.

                Note: see chapter 13.6 Backup considerations

• Restore       Reset your rule settings to factory defaults.

                Restore your system settings and rules from a valid backup. Backup/restore only
                works between the same versions (e.g. you cannot restore a backup from 2.5 on 2.6).

                Note: restoring a 2.6 backup on 3.0 is possible and is the recommended upgrade path.

• Reports       Enable or disable daily reports to the given e-mail address.

                Enable or disable the Advanced Statistic Filter (disabled by default).

                Note: the Advanced Statistic Filter only works if you filter outgoing e-mails.

                If you enable "Advanced Statistics", the Statistics/Domain-Address/Receivers
                page shows only receivers who sent e-mails within the last 3 months (so only
                "active" receivers are displayed).

                The Statistics/Domain-Address/Contacts page shows only recipients to whom
                internal users have sent one or more e-mails within the last 3 months. See:
                3.1.1 Filtering outgoing e-mails

• Syslog Lifetime
                Define the lifetime of historical syslog data (maximum is 31 days). The syslog
                is the basis for the message tracking center.

• Syslog Server
                Define a remote syslog server (sending syslog entries to a centralized server).

• Language      Currently supported: English, German, Japanese, Spanish, Portuguese (Brazilian),
                Italian, French, Romanian.

                Define the default language for the web interface and the daily reports.

• SSH Access    SSH access from external networks is restricted by default, to increase security.

                Note: for remote support, SSH connections from proxmox.com and maurer-it.com are
                allowed, but you still need to open your firewall and provide the password.

5.3.2 Mail proxy

• Relaying      IP address (or FQDN) and SMTP port of your existing e-mail server (the default
                relay).

                Relayed domains: list of relayed mail domains (taken from the uploaded license
                file). If you need more mail domains, upgrade your license.

                Note: with a Professional or HA license you can edit this list.

• Ports         Review the external (default 25) and internal (default 26) SMTP port.

                Check these settings against your firewall and your existing e-mail server.

• Options       Maximum message size for e-mails, in bytes.

                Reject Unknown Clients: reject the SMTP request when

                1) the client IP address->name mapping fails,
                2) the name->address mapping fails, or
                3) the name->address mapping does not match the client IP address.

                Reject Unknown Senders: reject the request when the MAIL FROM domain has no
                DNS A or MX record.

                Note: if you enable these features, many misconfigured mail servers can no
                longer send mail to your system; use with care.

                SMTP HELO checks

                The following checks are performed:

                smtpd_helo_required


Require that a remote SMTP client introduces itself at the beginning of an SMTP session with the HELO or EHLO command.

reject_non_fqdn_hostname

Reject the request when the HELO or EHLO hostname is not in fully-qualified domain form, as required by the RFC.

reject_invalid_hostname

Reject the request when the HELO or EHLO hostname syntax is invalid.
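The client, sender and HELO checks described above, modelled as an added example (not part of this guide and not the gateway's own code). DNS lookups are answered from a constructed table instead of a real resolver, the reply text is constructed, and the checks are simplified versions of the Postfix restrictions the option names refer to.

```python
"""Added example, not part of the Proxmox Mail Gateway guide: the client,
sender and HELO checks, modelled as plain functions so their effect can be
tested offline. DNS data below is constructed."""
import re
from typing import Dict, List, Optional

# Constructed DNS data: PTR (address -> name), A (name -> addresses), MX.
PTR: Dict[str, str] = {
    "192.0.2.10": "mx1.example.net",     # forward and reverse agree
    "192.0.2.11": "mx2.example.net",     # forward record points elsewhere
    "192.0.2.12": "ghost.example.net",   # name has no A record
    # 192.0.2.13 has no PTR record at all
}
A: Dict[str, List[str]] = {
    "mx1.example.net": ["192.0.2.10"],
    "mx2.example.net": ["198.51.100.5"],
    "example.net": ["192.0.2.1"],
}
MX: Dict[str, List[str]] = {"example.net": ["mx1.example.net"]}


def reject_unknown_client(ip: str) -> Optional[str]:
    """'Reject Unknown Clients': return the reason for rejection, or None
    when all three mapping steps succeed (forward-confirmed reverse DNS)."""
    name = PTR.get(ip)
    if name is None:
        return "client address->name mapping fails"            # step 1
    addrs = A.get(name)
    if not addrs:
        return "client name->address mapping fails"            # step 2
    if ip not in addrs:
        return "client name->address mapping does not match client IP"  # step 3
    return None


def reject_unknown_sender(mail_from: str) -> Optional[str]:
    """'Reject Unknown Senders': the MAIL FROM domain needs an A or MX record.
    The empty bounce sender (<>) carries no domain and is left alone."""
    if mail_from in ("", "<>"):
        return None
    domain = mail_from.strip("<>").rsplit("@", 1)[-1].lower()
    if domain in A or domain in MX:
        return None
    return "sender domain has no A or MX record"


# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def check_helo(helo: Optional[str]) -> Optional[str]:
    """smtpd_helo_required, reject_invalid_hostname and
    reject_non_fqdn_hostname, applied in that order (simplified)."""
    if not helo:
        return "HELO/EHLO required"
    if helo.startswith("[") and helo.endswith("]"):
        return None                      # address literal such as [192.0.2.10]
    labels = helo.rstrip(".").split(".")
    if len(helo) > 253 or not all(_LABEL.match(lab) for lab in labels):
        return "invalid HELO hostname syntax"
    if len(labels) < 2:
        return "HELO hostname is not a fully-qualified domain name"
    return None


def smtp_reply(ip: str, helo: Optional[str], mail_from: str) -> str:
    """Combine the checks into a (constructed) reply a client would see at
    MAIL FROM time with both reject options enabled."""
    for reason in (reject_unknown_client(ip), check_helo(helo),
                   reject_unknown_sender(mail_from)):
        if reason:
            return "550 rejected: " + reason
    return "250 Ok"
```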

Use RBL checks

Use real-time blacklist (RBL) checks at SMTP level.

Verify Receivers
Select Yes or No (450 for temporary rejects or 550 for final rejects)

Note: You have to reconfigure your internal mail server if you use YES.
For details see the Proxmox Mail Gateway Deployment Guide in the latest
release.

Enable or disable Greylisting, default enabled

Enable or disable SPF (Sender Policy Framework), default enabled

Delay Warning Time (4 hours default)

Client Connection Count Limit (50 is default): How many simultaneous connections any client is allowed to make to the SMTP service. To disable this feature, specify a limit of 0.

Client Connection Rate Limit: The maximal number of connection attempts any client is allowed to make to this service per minute. To disable this feature, specify a limit of 0.

Client Message Rate Limit: The maximal number of message delivery requests that any client is allowed to make to this service per minute. To disable this feature, specify a limit of 0.

SMTPD Banner
Type your custom SMTP Banner

Smarthost: Use this option if you want to send all outgoing mails via
another proxy (smarthost). You can use IP addresses or DNS names with
an optional port specification, for example:

 192.168.2.1


 192.168.2.1:25
 outproxy.domain.tld:26

 Transports You can use Proxmox Mail Gateway to send e-mails to different internal e-mail servers. For example, you can send e-mails addressed to domain.com to your first e-mail server, and e-mails addressed to subdomain.domain.com to a second one.

Note: you need an appropriate license for each domain, otherwise it will not work!

Add the IP addresses, hostname and SMTP ports and mail domains (or just
single email addresses) of your additional e-mail servers.

 Networks Add Internal (trusted) IP Networks or Hosts

All hosts in this list are allowed to relay.

Note: Hosts in the same subnet as Proxmox can relay by default; there is no need to add them to this list.

 TLS TLS support

Transport Layer Security (TLS) provides certificate-based authentication and encrypted sessions. An encrypted session protects the information that is transmitted with SMTP mail. When you activate TLS, Proxmox Mail Gateway automatically generates a new self-signed certificate for you.

Proxmox Mail Gateway uses opportunistic TLS encryption. The SMTP transaction is encrypted if the STARTTLS ESMTP feature is supported by the server. Otherwise, messages are sent in the clear.

Enable TLS logging

To get additional information about SMTP TLS activity you can enable TLS logging. That way, information about TLS sessions and the certificates used is logged via syslog.

Add TLS received header

Set this option to include information about the protocol and cipher used
as well as the client and issuer CommonName into the "Received:"
message header.

 Whitelist (formerly Greylist excl.) SMTP whitelist: All SMTP checks are disabled for those entries (e.g. Greylisting, SPF, RBL, …)

Note: If you use a backup-MX server (e.g. your ISP offers this service for you) you should always add those servers.


5.3.3 Spam detector


Proxmox Mail Gateway uses a wide variety of local and network tests to identify spam signatures. This
makes it harder for spammers to identify one aspect which they can craft their messages to work
around.

Every single e-mail is analyzed and gets a spam score assigned. The system attempts to optimize the efficiency of the rules that are run in terms of minimizing the number of false positives and false negatives.

Note: For detailed spam configuration, see also chapter 5.4 Mail filter.

 Options Use auto-whitelists

Use Bayesian filter

Use RBL checks

Use OCR
Use image recognition to detect spam messages inside images. OCR is CPU intensive; please do not activate it if your server is already under heavy load. In most cases it makes no sense to activate this option; it is deprecated.

By default, all features are enabled except OCR.

Max Spam Size (bytes)
Specify the maximum size of a single email targeted for spam analysis. E-mails bigger than this are not scanned for spam.

 Languages By default, all languages are enabled.

Selecting languages means you prefer those languages. E-mails in unwanted languages get a higher spam score.
 Quarantine Lifetime (days)
Specify the lifetime of quarantined e-mails

Authentication mode
Choose how users access their spam quarantine. Ticket is default. If you
select LDAP, make sure you have a license for LDAP and a configured
LDAP profile (connection to MS Active Directory)

Report style

 Verbose
 Verbose (Outlook 2007)
 Short


 Custom (see 13.3 Customized daily spam reports)


 No reports

Allow access via http
Enables access to the spam quarantine via http. If you do not select this, access is only via https.

Note: If you use https, consider uploading a valid certificate, see chapter
13.8 SSL certificate

Quarantine Host (optional)
This name will be used for the links to the quarantine

EMail 'From:' (optional)
Default value:
Proxmox Mail Gateway <postmaster@yourdomain.tld>

Please enter only values in the following format:
Name <youremail@yourdomain.com>

Mail preview settings


View images
Enable images in the preview (disable to speed up the system)

Allow HREFs
Enables links in the mail preview (disable to get a more secure preview)

 Backscatter What are backscatter emails?

When spammers or worms send emails with forged sender addresses, sites are flooded with undeliverable mail notifications. These emails are called backscatter emails.

Bounce message score (0 – means disabled)
Define the spam score for detected backscatters

Whitelist bounce relays
Add your valid bounce relays

Note: Please test your settings and review your quarantine to check
false positives

 Theme Customize the end user quarantine interface, upload a custom logo.

The theme is only visible in this part ("Configuration/Spam Detector/Theme") and in the end users' spam quarantine web interface. It does not change the style of the admin interface.

Note: If you change anything, please reload the site in the browser to see the changes.

5.3.4 Virus detector


Proxmox Mail Gateway uses the following antivirus engines:

 ClamAV, no additional license required


 Avira SAV: You need to purchase Avira SAV per user subscription license for the Proxmox
Mail Gateway, contact your Proxmox Partner for details.

 ClamAV Review the database update server. Click “update now” and check the
output log file. The database will be regularly updated (several times a day) –
you don’t have to configure the update schedule.

 Avira SAV Click “update now” and check the output log file.

Note: You need to purchase Avira SAV per user subscription license for
the Proxmox Mail Gateway, contact your Proxmox Partner for details.

 Options Review the settings for dealing with archives (e.g. zip files)

If you have no direct connection to the web for updates, you can configure
your proxy server to get antivirus database updates.

Max credit card numbers (new data loss prevention DLP)
Detect credit card numbers (a reasonable setting is 3, 0 means disabled). If an email contains 3 credit card numbers it gets detected.
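A credit card number detector of the kind the option above describes, as an added example (not the gateway's own implementation): candidate digit runs are validated with the Luhn checksum and the message matches once it holds at least the configured number of distinct valid numbers. The sample message and its card numbers (well-known brand test values) are constructed.

```python
"""Added example, not from the Proxmox Mail Gateway guide: a DLP check that
counts Luhn-valid credit card numbers in a message body."""
import re
from typing import List

# Candidate: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right doubles
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return the distinct Luhn-valid card numbers in text, normalised to
    bare digits, in order of first appearance."""
    found: List[str] = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits) and digits not in found:
            found.append(digits)
    return found


def exceeds_card_limit(text: str, max_numbers: int = 3) -> bool:
    """True when the message should match the DLP check; 0 disables it,
    3 is the guide's suggested threshold."""
    if max_numbers <= 0:
        return False
    return len(find_card_numbers(text)) >= max_numbers


# Constructed sample message: three Luhn-valid brand test numbers and an
# order reference that fails the checksum.
SAMPLE_MAIL = """Subject: Q3 customer export

Card 4111 1111 1111 1111 (Visa test number)
Card 5500-0000-0000-0004 (MasterCard test number)
Card 378282246310005 (Amex test number)
Order reference 1234567890123456 is not a card number.
"""

if __name__ == "__main__":
    print(find_card_numbers(SAMPLE_MAIL))
    print("DLP match:", exceeds_card_limit(SAMPLE_MAIL, 3))
```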

HTTP Proxy Settings
Configure a http proxy for accessing the internet for signature updates

 Quarantine Lifetime (days)
Specify the lifetime of quarantined virus e-mails

Mail preview settings:

View images
Enable images in the preview (if you uncheck this, images are not
downloaded and displayed)

Allow HREFs
Enables links in the mail preview (disable to get a more secure preview)

5.3.5 User management


 Local Local User Database: Default is the root (super user) account

Enable SSH login (insert allowed SSH public keys)


Note: A Restore Job does not change (restore) the password!

The root user can add local users.

The following roles can be assigned:


 Administrator (full access to the web interface)
 Quarantine Manager (Access to Spam and Virus quarantine)
 Audit (Read only)

 LDAP LDAP Integration: See chapter 6 LDAP integration (professional version or LDAP option)

 POP POP3 support. Messages fetched from those POP3 accounts are injected into the filter system.

5.3.6 Cluster
 Status See status of all nodes.

For cluster configuration details see chapter 10 Proxmox Mail Gateway HA cluster

5.3.7 License
Check your license information or upload a new license file.

Displayed information:
 License No.
 Company
 Name
 Product
 Expires

5.4 Mail filter


The following default settings are available. You can add or edit custom settings by clicking on the “ ” symbols.

Note: See also the Deployment Guide

5.4.1 Rules
The object-oriented rule system enables custom rules for your domains. It’s an easy but very flexible
way to define filter rules by user, domains, time frame, content type and resulting action.

 Who – object
for TO and/or FROM Category
Example: Mail object – Who is the sender or receiver of the e-mail?

 When – object
Example: When is the e-mail received by Proxmox Mail Gateway?


 What – object
Example: Does the e-mail contain spam?

 Action – object
Example: Mark e-mail with “SPAM:” in the subject.

Every rule has five categories (FROM, TO, WHEN, WHAT, ACTION), each of which can contain several objects. For example, a virus protection rule looks like this:

 FROM: Anybody
 TO: Anybody
 WHEN: Always
 WHAT: Virus
 ACTION: Block

 Active Rules Currently active rules

 Inactive Rules Not active. New rules are always inactive; you have to activate them manually by clicking the symbol “ ”.

 Priority Set processing order between 1 and 100. The highest priority is
100.

 Direction Set the processing direction.

In: Rule applies to all incoming e-mails
Out: Rule applies to all outgoing e-mails
In & Out: Rule applies to both directions

5.4.2 Actions

 Accept Accept mail for Delivery (Final action, no following rule will trigger)

 Block Block mail (Final action, no following rule will trigger)

 Quarantine Move to quarantine (virus mails are moved to the “virus quarantine”, other mails are moved to the “spam quarantine”); (Final action, no following rule will trigger)
 Notify Admin Send notification to admin

Sample content:

Proxmox Notification:


Sender: __SENDER__
Receiver: __RECEIVERS__
Targets: __TARGETS__
Subject: __SUBJECT__
Matching Rule: __RULE__

__RULE_INFO__

__VIRUS_INFO__
__SPAM_INFO__

 Notify Sender Send notification to sender

Sample content:

Proxmox Notification:

Sender: __SENDER__
Receiver: __RECEIVERS__
Targets: __TARGETS__
Subject: __SUBJECT__
Matching Rule: __RULE__

__RULE_INFO__

__VIRUS_INFO__
__SPAM_INFO__

 Modify Spam Level Mark mail as spam by adding a header tag.

Sample content:

Fieldname: X-SPAM-LEVEL
Value: __SPAMLEVEL__, hits=__SPAM_HITS__

New in 2.0: use this instead of (__SPAMLEVEL__, hits=__SPAM_HITS__)

Value: __SPAM_INFO__
This shows detailed scores

 Modify Spam Subject Mark mail as spam by modifying the subject.

Sample content:

Fieldname: subject
Value: SPAM: __SUBJECT__

 Remove all attachments Remove all attachments

You can edit the text replacement

 Remove attachments Remove matching attachments

You can edit the text replacement


 Disclaimer Add Disclaimer
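A small model of the rule system of sections 5.4.1 and 5.4.2, as an added example (not the product's own code): rules combine FROM, TO, WHEN and WHAT objects with an ACTION, run from priority 100 down to 1 in their configured direction, and a final action (Accept, Block, Quarantine) stops processing while a modifying action lets later rules run. The predicates and the rule set are constructed stand-ins for the gateway's objects; the first rule is the guide's virus-protection example.

```python
"""Added example, not the gateway's own code: a model of the object-oriented
rule system (priority order, direction, final vs. modifying actions)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

FINAL_ACTIONS = {"Accept", "Block", "Quarantine"}


@dataclass
class Mail:
    sender: str
    recipients: List[str]
    direction: str                      # "in" or "out"
    is_virus: bool = False
    spam_score: float = 0.0
    subject: str = ""
    headers: Dict[str, str] = field(default_factory=dict)


# Constructed WHO objects take an address; WHEN and WHAT objects take the mail.
def anybody(_addr: str) -> bool:
    return True

def domain(name: str) -> Callable[[str], bool]:
    return lambda addr: addr.lower().endswith("@" + name.lower())

def always(_m: Mail) -> bool:
    return True

def virus(m: Mail) -> bool:
    return m.is_virus

def spam(level: float) -> Callable[[Mail], bool]:
    """WHAT object 'Spam' with the configured spam level (default 3)."""
    return lambda m: m.spam_score >= level


@dataclass
class Rule:
    name: str
    priority: int                       # 1..100, highest processed first
    direction: str                      # "in", "out" or "in&out"
    who_from: Callable[[str], bool]
    who_to: Callable[[str], bool]
    when: Callable[[Mail], bool]
    what: Callable[[Mail], bool]
    action: str
    active: bool = False                # new rules start inactive

    def matches(self, m: Mail) -> bool:
        if self.direction not in ("in&out", m.direction):
            return False
        return (self.who_from(m.sender)
                and any(self.who_to(r) for r in m.recipients)
                and self.when(m) and self.what(m))


def apply_action(rule: Rule, m: Mail) -> None:
    """The non-final, mail-modifying actions from section 5.4.2."""
    if rule.action == "Modify Spam Subject":
        m.subject = "SPAM: " + m.subject
    elif rule.action == "Modify Spam Level":
        m.headers["X-SPAM-LEVEL"] = "hits=%.1f" % m.spam_score


def run_rules(rules: List[Rule], m: Mail) -> List[str]:
    """Return the names of the rules that fired, in processing order."""
    fired: List[str] = []
    for rule in sorted(rules, key=lambda r: -r.priority):
        if not rule.active or not rule.matches(m):
            continue
        fired.append(rule.name)
        if rule.action in FINAL_ACTIONS:
            break                       # no following rule will trigger
        apply_action(rule, m)
    return fired


# Constructed rule set; the first entry is the guide's virus-protection example.
RULES = [
    Rule("Block Viruses", 98, "in&out", anybody, anybody, always, virus,
         "Block", active=True),
    Rule("Modify Header", 90, "in", anybody, anybody, always, spam(3),
         "Modify Spam Level", active=True),
    Rule("Quarantine Spam", 80, "in", anybody, anybody, always, spam(3),
         "Quarantine", active=True),
    Rule("Tag Spam Subject", 70, "in", anybody, anybody, always, spam(3),
         "Modify Spam Subject", active=True),   # never reached after Quarantine
    Rule("Accept Internal", 60, "out", domain("example.com"), anybody,
         always, always, "Accept", active=True),
    Rule("Draft Rule", 99, "in&out", anybody, anybody, always, always,
         "Block"),                               # inactive, so ignored
]
```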

5.4.3 Who

 Blacklist Global Blacklist

 Whitelist Global Whitelist

 User defined Define custom WHO objects, possible values:


 Add Domain
 Add Mail address
 Add Regular Expression
 Add IP Address
 Add IP Network
 Add LDAP Group: See chapter 6 LDAP integration
(professional version or LDAP option)
 Add LDAP User: See chapter 6 LDAP integration
(professional version or LDAP option)

5.4.4 What

 Dangerous Content executable files and partial messages

The default list contains the most common known dangerous attachments.

 Images All kinds of graphic files

 Multimedia Audio and video files

 Office Files Common Office files

 Spam Matches possible spam mail

Spam Filter Settings

Spam Level: 3 (default)

Note: Start with the default level.

 Virus Matches virus infected mail

 Custom You can define custom WHAT objects by adding the following items:

Add Spam Filter
Specify a specific spam level

Add Virus Filter
Detect viruses

Add ContentType Filter
Match attachments (e.g. images, videos, …)

Add Archive Filter
Match content types (attachments) in archive files (e.g. detect exe files in zip archives)

Add Match Field
Match mail header fields (e.g. Subject:, From:, …)

Add Match Filename
Match filenames, e.g. *.exe, *.bat, …

5.4.5 When

 Office Hours Usual office hours

Note: valid all days (7 days a week)

5.5 Administration
5.5.1 Server
 Services Displays running services
If necessary you can reboot and shutdown the Proxmox Mail Gateway server.

 Updates Upload Proxmox Mail Gateway service packs and hotfixes.

Check http://www.proxmox.com for available updates and make sure you follow the update instructions in the release notes of each service pack or hotfix.

5.5.2 Statistic
These pages display statistical data concerning e-mail traffic on the Proxmox Mail Gateway.

5.5.3 Quarantine
Manage Spam and Virus quarantine.

Note: By default, quarantine is activated.

 Spam Status
Displays statistical data about your quarantine


Archive
By specifying an e-mail address, you can access the quarantine section for this
user

Blacklist
View and edit personal blacklist

Whitelist
View and edit personal whitelist

 Virus Status
Displays statistical data about your quarantine

Archive
By specifying an e-mail address, you can access the quarantine section for this
user

Figure 5-3 Preview of a quarantined Spam e-mail


Figure 5-4 Preview of a quarantined Spam e-mail with spam info


Figure 5-5 Preview of a quarantined Phishing e-mail


5.5.4 Tracking center


5.5.4.1 Message Tracking Center
Introduced in Proxmox Mail Gateway 2.1, the message tracking center simplifies the search for
emails dramatically.

All log files from the last 7 days can be queried and the results are summarized by an intelligent
algorithm. The message tracking center is very fast and powerful, tested on Proxmox sites processing
1 million emails per day.

All corresponding log files are displayed:

 Arrival of the email
 Proxmox filtering processing with results
 Internal queue to your email server
 Status of final delivery

Status description:

Status              Description
Accepted/delivered  Email arrived, filtered, and successfully delivered to the email server
Accepted/deferred   Email arrived, filtered, but not delivered (still trying to deliver)
Accepted/bounced    Email arrived, filtered, but not accepted by your email server (e.g. user unknown)
Quarantine          Email arrived, filtered, and moved to the Proxmox quarantine
Blocked             Email arrived, but blocked by a filter rule
Rejected            Email rejected at SMTP level (e.g. sender IP is listed on an IP blacklist)
Greylisted          Email greylisted at SMTP level
Queued/delivered    Internal emails from Proxmox (e.g. daily spam report, notifications, admin report, BCC emails, …), successfully delivered to the email server
Queued/deferred     Internal emails from Proxmox, not yet delivered
Queued/bounced      Internal emails from Proxmox, not accepted by the email server (e.g. user unknown)


Figure 5-6 Message Tracking Center


5.5.4.2 Real-time
The real-time syslog shows the last 100 lines, the output can be filtered by selecting the log files from
a service or by entering an individual search string.

Figure 5-7 Real time log

5.5.4.3 Greylist log

Displays the greylist log. For message tracking issues use the search function in the message tracking center.


5.5.5 Queues

 Mail Display the mail queue

You can flush or delete the queue. By clicking on a recipient domain you will see
details about the queue status.

Figure 5-8 Display Mail Queue


6 LDAP integration (professional version or LDAP option)


The Proxmox Mail Gateway can query existing LDAP directories (MS ADS only) for Users, Groups and
e-mail addresses. Proxmox Mail Gateway uses a unique approach to cache LDAP data. That way,
LDAP data is always available, even when the LDAP servers are temporarily unavailable.

LDAP hierarchies can be complex, and it is quite usual to have more than one server. Proxmox supports such infrastructure by having multiple LDAP profiles. Each profile has its own settings, and you can query either a selected profile, or simply search all profiles. LDAP queries use the local cache, so they are extremely fast, even when you query multiple servers.

You first need to create one or more LDAP profiles in order to use LDAP queries inside the rule
system.

Proxmox Mail Gateway supports Windows 2003/2008/2008 and 2008r2 Active Directory, with
Exchange 2000, 2003, 2007 and 2010.

6.1 Creating a new LDAP profile


LDAP profiles are created on the Configuration/System/LDAP page. Please select ‘Create new LDAP
profile’ on the menu:

Figure 6-1 LDAP Server settings: Create new LDAP Profile 1

First, you need to choose a profile name. Profile names may contain alphanumeric characters, underscores and white spaces. Other characters are not allowed. A reasonable naming scheme is to use the domain name separated by underscores (example.com → example_com).

Now add the IP address of your LDAP server. You can also add a second IP address if you have a
backup/fallback server. That second server is used when the first server is not reachable.

We currently use the unencrypted LDAP protocol as default, but LDAPS is recommended for security reasons. So please use LDAPS (secure LDAP) if available.

The last required setting is a username and password used to connect to the LDAP server. We recommend using an unprivileged user who has no rights other than querying the LDAP database. Active Directory uses names like “domain\user” or email style usernames like user@domain.tld.

Although not strictly required, we recommend specifying the LDAP BaseDN.


Press “save” when you are finished.

Figure 6-2 LDAP Server settings: Create new LDAP Profile 2

Proxmox now tries to connect to the server. On success it will display the number of users, groups and email addresses found.

Figure 6-3 LDAP Server settings: Three profiles configured

6.2 LDAP queries


The object-oriented rule system enables LDAP based “Who – objects”. There are two different kinds
of LDAP objects:

• LDAP user
Can be used to test if an email address belongs to a specific LDAP user (one LDAP user can have more than one email address).

• LDAP group
Used to test if an email address belongs to a user in the specified group.

Both Objects refer to LDAP profiles. That way you can query individual servers.

The LDAP group object has 2 additional selections – “Existing Users” and “Unknown Users”. Those
objects can be used to test if a user (e-mail address) exists or not.

6.3 Sample LDAP rules


Note: Please refer to the Proxmox Mail Gateway Deployment Guide for sample rules.


7 Example mail server configuration (outgoing mails)


The default configuration of the Proxmox Mail Gateway uses port 25 for incoming and port 26 for
outgoing e-mails.

Outgoing Mails:
Configure your mail server to send all e-mails to the Proxmox Mail Gateway, port 26.

Incoming Mails: see 3.2 Firewall settings

Please see the Proxmox Mail Gateway Deployment Guide for all scenarios.

7.1 Configuration for Microsoft Exchange


The default configuration of the Proxmox Mail Gateway uses port 25 for incoming and port 26 for
outgoing e-mails.

With MS Exchange SMTP connectors you can't use port 26 for outgoing (as this conflicts with MS
Exchange internal replication mechanism) so you have to switch these two values (25 and 26). In the
end you have to use port 25 for outgoing and port 26 for incoming mails.

Figure 7-1 MS Exchange: Port settings for use with MS Exchange

IMPORTANT NOTE:

To receive e-mails from the Internet you have to do port forwarding at your firewall, so that your external IP address and port 25 are forwarded to the Proxmox Mail Gateway IP address and port 26.


Figure 7-2 MS Exchange 2003: SMTP Connector (Define smart host: Proxmox Mail Gateway)


Figure 7-3 MS Exchange 2003: SMTP connector – Address space

7.2 Configuration for Postfix


Just add a ‘default_transport’ entry to your Postfix main configuration file (usually /etc/postfix/main.cf). For example, if your mail gateway uses address 1.2.3.4, add the line:

default_transport = smtp:1.2.3.4:26


8 Example rules
Proxmox uses a powerful rule system to handle e-mail traffic. The default setting is ready for use in
the first run.

Note: Please refer to the Proxmox Mail Gateway Deployment Guide for sample rules.


9 Redundant servers and load balancing


The normal mail delivery process looks up DNS Mail Exchange (MX) records to determine the destination host. An MX record tells the sending system where to deliver mail for a certain domain. It is also possible to have several MX records for a single domain, and they can have different priorities. For example, our MX record looks like this:

 > dig -t mx proxmox.com

;; ANSWER SECTION:
proxmox.com. 22879 IN MX 10 mail.proxmox.com.

;; ADDITIONAL SECTION:
mail.proxmox.com. 22879 IN A 213.129.239.114

Please notice that there is one single MX record for the domain proxmox.com, pointing to mail.proxmox.com. The ‘dig’ command automatically prints the corresponding address record if it exists. In our case it points to “213.129.239.114”. The priority of our MX record is set to 10 (preferred default value).

9.1 Hot standby with backup MX records


Many people do not want to install two redundant mail proxies; instead they use the mail proxy of their ISP as fall-back. This is simply done by adding an additional MX record with a lower priority (higher number). With the example above this looks like this:

proxmox.com. 22879 IN MX 100 mail.provider.tld.

Of course, your provider must accept mails for your domain and forward received mails to you.

You will never lose mails with such a setup, because the sending Mail Transport Agent (MTA) will
simply deliver the mail to the backup server (mail.provider.tld) if the primary server
(mail.proxmox.com) is not available.

9.2 Load balancing with MX records


Using your ISP's mail server is not always a good idea, because many ISPs do not use advanced spam prevention techniques like Greylisting. It is often better to run a second server yourself to avoid lower spam detection rates.

Anyway, it’s quite simple to set up a high performance load balanced mail cluster using MX records. You just need to define two MX records with the same priority. I will explain this using a complete example to make it clearer.

First, you need to have at least 2 working Proxmox mail gateways (mail1.example.com and mail2.example.com) set up as a cluster (see chapter 10 Proxmox Mail Gateway HA cluster), each having its own IP address. Let us assume the following addresses (DNS address records):

mail1.example.com. 22879 IN A 1.2.3.4
mail2.example.com. 22879 IN A 1.2.3.5

By the way, it is always a good idea to add reverse lookup entries (PTR records) for those hosts. Many email systems nowadays reject mails from hosts without valid PTR records.


Then you need to define your MX records:

example.com. 22879 IN MX 10 mail1.example.com.
example.com. 22879 IN MX 10 mail2.example.com.

This is all you need. You will receive mails on both hosts, more or less load-balanced using round-robin scheduling. If one host fails the other is used.
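How a sending MTA picks a destination from the MX records of sections 9.1 and 9.2, as an added example (not from this guide): records are tried in ascending preference order (10 before 100), hosts sharing a preference are rotated on every lookup as round-robin DNS does, and an unreachable host falls through to the next candidate. The zone data mirrors the guide's examples; the backup-MX address and host reachability are constructed.

```python
"""Added example, not from the Proxmox Mail Gateway guide: MX selection with
hot standby (different preferences) and load balancing (equal preferences)."""
from itertools import groupby
from typing import Dict, List, Optional, Tuple

MX_RECORDS: Dict[str, List[Tuple[int, str]]] = {
    "example.com": [(10, "mail1.example.com"), (10, "mail2.example.com")],
    "proxmox.com": [(10, "mail.proxmox.com"), (100, "mail.provider.tld")],
}
A_RECORDS: Dict[str, str] = {
    "mail1.example.com": "1.2.3.4",
    "mail2.example.com": "1.2.3.5",
    "mail.proxmox.com": "213.129.239.114",
    "mail.provider.tld": "203.0.113.25",   # constructed address for the ISP backup MX
}


class Resolver:
    """Stand-in for a DNS resolver that rotates equal-preference MX hosts on
    each query, which is what spreads the load in section 9.2."""

    def __init__(self) -> None:
        self._turn: Dict[Tuple[str, int], int] = {}

    def mx_candidates(self, domain: str) -> List[str]:
        records = sorted(MX_RECORDS.get(domain, []))     # ascending preference
        ordered: List[str] = []
        for pref, group in groupby(records, key=lambda r: r[0]):
            hosts = [host for _, host in group]
            k = self._turn.get((domain, pref), 0) % len(hosts)
            self._turn[(domain, pref)] = k + 1
            ordered.extend(hosts[k:] + hosts[:k])           # round-robin rotation
        return ordered


def deliver(resolver: Resolver, domain: str,
            reachable: Dict[str, bool]) -> Optional[str]:
    """Return the IP address of the first MX host that accepts the connection,
    or None when every host is down (the sending MTA keeps the mail queued)."""
    for host in resolver.mx_candidates(domain):
        if reachable.get(host, True):
            return A_RECORDS[host]
    return None


def simulate(domain: str, reachable: Dict[str, bool],
             attempts: int) -> Dict[str, int]:
    """Count which address receives each of `attempts` deliveries."""
    resolver = Resolver()
    counts: Dict[str, int] = {}
    for _ in range(attempts):
        target = deliver(resolver, domain, reachable) or "queued"
        counts[target] = counts.get(target, 0) + 1
    return counts
```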

9.3 Other ways


9.3.1 Multiple address records
Using several DNS MX records is sometimes clumsy if you have many domains. It is also possible to use one MX record per domain, but multiple address records:

example.com. 22879 IN MX 10 mail.example.com.
mail.example.com. 22879 IN A 1.2.3.4
mail.example.com. 22879 IN A 1.2.3.5

9.3.2 Using firewall features


Many firewalls can do some kind of RR-Scheduling (round-robin) when using DNAT. See your firewall
manual for more details.


10 Proxmox Mail Gateway HA cluster


We are living in a world where email becomes more and more important - failures in email systems
are just not acceptable. To meet these requirements we developed the Proxmox HA (High
Availability) Cluster.

The Proxmox Mail Gateway HA Cluster consists of a master and several nodes (minimum one node).
Configuration is done on the master. Configuration and data is synchronized to all cluster nodes over
a VPN tunnel. This provides the following advantages:

 centralized configuration management
 fully redundant data storage
 high availability
 high performance

We use a unique application level clustering scheme, which provides extremely good performance. Special considerations were taken to make management as easy as possible. Complete cluster setup is done within minutes, and nodes automatically reintegrate after temporary failures without any operator interaction.

Figure 10-1 Proxmox Mail Gateway HA Cluster


10.1 Hardware requirements


There are no special hardware requirements, although it is highly recommended to use fast and reliable servers with redundant disks on all cluster nodes (hardware RAID with BBU and write cache enabled).

The HA Cluster can also run in virtualized environments.

10.2 Required licenses


Each host in a Cluster needs its own Cluster Subscription License file. Please upload the license file
before adding a node to the cluster.

10.3 Load balancing


You can use one of the mechanisms described in chapter 9 if you want to distribute mail traffic among the cluster nodes. Please note that this is not always required, because it is also reasonable to use only one node to handle SMTP traffic. The second node is then used as quarantine host (providing the web interface to the user quarantine).

10.4 Cluster administration


Cluster administration is done with a single command line utility called proxca. So you need to login
via ssh to manage the cluster setup.

Note: Always setup the IP configuration before adding a node to the cluster. IP address, network
mask, gateway address and hostname can’t be changed later.

10.4.1 Creating a cluster


You can create a cluster from any existing Proxmox host. All data is preserved.

 upload a cluster licence
 make sure you have the right IP configuration (IP/MASK/GATEWAY/HOSTNAME), because you cannot change that later
 run: proxca -c

10.4.2 List cluster status


Run: proxca -l

10.4.3 Adding cluster nodes


When you add a new node to a cluster (join) all data on that node is destroyed. The whole database
is initialized with cluster data from the master.

 Upload a cluster license to the node
 make sure you have the right IP configuration
 run (on new node): proxca -a -h $MASTERIP

You need to enter the root password of the master host when asked for a password.

Attention: Node initialization deletes all existing databases, stops and then restarts all services
accessing the database. So do not add nodes which are already active and receive mails.


Also, joining a cluster can take several minutes, because the new node needs to synchronize all data
from the master (although this is done in the background).

Note: If you join a new node, existing quarantined items from the other nodes are not
synchronized to the new node.

10.4.4 Deleting nodes


Run (on master): proxca -d CID

CID (Cluster ID) is the unique ID displayed by proxca -l

10.5 Disaster recovery


It is highly recommended to use redundant disks on all cluster nodes (RAID), so in almost all
circumstances you only need to replace the damaged hardware or disk. Proxmox Mail Gateway uses
an asynchronous clustering algorithm, so you just need to reboot the repaired node, and everything
will work again transparently.

The following scenarios only apply when you really lose the contents of the hard disk.

10.5.1 Single node failure


- delete the failed node on the master: proxca -d CID
- add (re-join) a new node: proxca -a -h $MASTERIP

10.5.2 Master failure


- force another node to be master: proxca -m
- tell the other nodes that the master has changed: proxca -s -h $MASTERIP

10.5.3 Total cluster failure


- restore the backup (cluster and node information is not restored, you have to recreate master
and nodes)
- tell it to become master: proxca -c
- add new nodes: proxca -a -h $MASTERIP


11 Troubleshooting and technical support


Use the moderated Proxmox support forum or contact a Proxmox partner for their support
offerings.

All information:
https://www.proxmox.com/

Proxmox Customer Portal:


https://my.proxmox.com

11.1 Console login


Advanced users can use the console or SSH login. For normal operation, this is never necessary.

Default user: root


Default password: admin (the same as for the web interface!)

Note: It’s not recommended to change settings via the console.


12 Table of figures
Figure 1-1 Processing of incoming e-mail traffic................................................................................................. 6
Figure 3-1 Infrastructure without Proxmox Mail Gateway ............................................................................... 8
Figure 3-2 Infrastructure with integrated Proxmox Mail Gateway ................................................................. 8
Figure 4-1 Selecting Software RAID during installation ................................................................................... 13
Figure 5-1 Login page Proxmox Mail Gateway .................................................................................................. 14
Figure 5-2 Start page Proxmox Mail Gateway after log in .............................................................................. 15
Figure 5-3 Preview of a quarantined Spam e-mail ........................................................................................... 28
Figure 5-4 Preview of a quarantined Spam e-mail with spam info ............................................................... 29
Figure 5-5 Preview of a quarantined Phishing e-mail ...................................................................................... 30
Figure 5-6 Message Tracking Center ................................................................................................................... 32
Figure 5-7 Real time log .......................................................................................................................................... 33
Figure 5-8 Display Mail Queue .............................................................................................................................. 34
Figure 6-1 LDAP Server settings: Create new LDAP Profile 1 ........................................................................ 35
Figure 6-2 LDAP Server settings: Create new LDAP Profile 2 ........................................................................ 36
Figure 6-3 LDAP Server settings: Three profiles configured .......................................................................... 36
Figure 7-1 MS Exchange: Port settings for use with MS Exchange .............................................................. 38
Figure 7-2 MS Exchange 2003: SMTP Connector (Define smart host: Proxmox Mail Gateway) ............ 39
Figure 7-3 MS Exchange 2003: SMTP connector – Address space .............................................................. 40
Figure 10-1 Proxmox Mail Gateway HA Cluster ................................................................................................ 44
Figure 13-1 Configure scheduled backup – Windows share ......................................................................... 52


13 Appendix
13.1 Available macros for rule system
It is possible to use macros inside most fields of action objects. That way you can access and
include data contained in the original mail, get the envelope sender and receiver addresses, or include
additional information about viruses and spam. Currently the following macros are defined:

Macro            Comment
__SENDER__       (envelope) sender mail address
__RECEIVERS__    (envelope) receiver mail address list
__ADMIN__        Email address of the administrator
__TARGETS__      Subset of receivers matched by the rule
__SUBJECT__      Subject of the message
__MSGID__        The message ID
__RULE__         Name of the matching rule
__RULE_INFO__    Additional information about the matching rule
__VIRUS_INFO__   Additional information about detected viruses
__SPAMLEVEL__    Computed spam level
__SPAM_INFO__    Additional information about why the message is spam
__SENDER_IP__    IP address of the sending host
__VERSION__      The current software version (Proxmox Mail Gateway)
__FILENAME__     Attachment file name
__SPAMSTARS__    A series of "*" characters, one for each full score point (__SPAMLEVEL__)

A simple example is the “Modify Spam Subject” action which adds “SPAM:” to the original message
subject. To achieve this just use “SPAM: __SUBJECT__” as value for that action object.

13.2 Individual SpamAssassin configuration


This is only for advanced users. To add or change the configuration of the Proxmox SpamAssassin,
log in to the console via SSH and go to /etc/mail/spamassassin/. In this directory there are two files
(init.pre, local.cf); do not change these. To add your own configuration, create a new file named
custom.cf in this directory. Now you can add your configuration to custom.cf; make sure you use the
SpamAssassin syntax. For more information see http://spamassassin.apache.org/

The custom.cf file is also synchronized in a HA Cluster environment.

13.3 Customized daily spam reports


It's possible to customize the daily spam reports. The report generator uses a simple HTML template
file which may contain macros. To activate customized reports you need to create such a template
file and copy it to '/etc/proxmox/spamreport.tmpl'. Two examples can be found in
'/var/lib/proxmox/templates/spamreport-verbose.tmpl' and
'/var/lib/proxmox/templates/spamreport-short.tmpl'; those templates are the ones actually
used to generate the default spam reports. You also need to select the 'Custom' report style in the
web interface to use the custom template (Configuration/Spam/Quarantine/ReportStyle).

The following macros are currently defined:


Macro            Global  Comment
__SENDER__       No      (envelope) sender mail address
__RECEIVER__     No      (envelope) receiver mail address
__SUBJECT__      No      subject of the message
__FROM__         No      from field
__DATE__         Yes     message arrival date or report date
__TIME__         No      message arrival time
__TICKET__       Yes     authorization ticket
__BYTES__        No      message size
__SPAMLEVEL__    No      spam level of message
__SPAMINFO__     No      additional information about why it is spam
__PMAIL__        Yes     primary mail address of receiver
__HREF__         No      href to view message
__WLHREF__       No      href to whitelist sender
__BLHREF__       No      href to blacklist sender
__DELETEHREF__   No      href to delete message
__DELIVERHREF__  No      href to deliver message
__PROTOCOL__     Yes     selected protocol (http or https)
__FQDN__         Yes     fully qualified domain name of quarantine host
__HOSTNAME__     Yes     quarantine host 'hostname'
__DOMAIN__       Yes     quarantine host 'domain'
__ACTIONHREF__   Yes     href to perform various actions
__MAILCOUNT__    Yes     number of mails
__MSG_XXXX__     Yes     standard messages used by the standard reports (translated to
                         various languages)

A detailed report usually displays information about each mail. Inside the template everything
between <!--start entry--> and <!--end entry--> is repeated for every mail. Most macros
are only defined inside those marks. Only the global macros are available outside those marks.

Note: A template has to be valid HTML. You can use any HTML editor for easy and fast editing.
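The following is an added example, not a template shipped by Proxmox: a shell function that writes a minimal custom template using the macros from the table above (global macros outside the entry block, per-mail macros only between the markers), and a second function that checks a template for per-mail macros placed outside the entry block, where they are undefined. The layout of the HTML is an assumption; the macro names and the marker syntax are those documented above.

```shell
#!/bin/sh
# Added example (not from the Proxmox guide). Writes a minimal custom daily
# spam report template that uses only global macros outside the entry block
# and per-mail macros inside it. Usage:
#   write_spamreport_template /etc/proxmox/spamreport.tmpl
write_spamreport_template() {
    cat > "$1" <<'EOF'
<html>
<head><title>Spam report for __PMAIL__</title></head>
<body>
<h2>Quarantine report of __DATE__ on __FQDN__</h2>
<p>__MAILCOUNT__ message(s) are waiting in your quarantine.</p>
<table border="1">
<tr><th>Time</th><th>Sender</th><th>Subject</th><th>Level</th><th>Actions</th></tr>
<!--start entry-->
<tr>
<td>__TIME__</td>
<td>__SENDER__</td>
<td><a href="__HREF__">__SUBJECT__</a></td>
<td>__SPAMLEVEL__</td>
<td><a href="__DELIVERHREF__">deliver</a> |
    <a href="__WLHREF__">whitelist</a> |
    <a href="__DELETEHREF__">delete</a></td>
</tr>
<!--end entry-->
</table>
<p>Ticket: __TICKET__ (__PROTOCOL__://__FQDN__)</p>
</body>
</html>
EOF
}

# Consistency check: per-mail macros are undefined outside the entry block,
# so their presence there indicates a broken template. Returns 0 when clean.
check_spamreport_template() {
    tmpl="$1"
    grep -q '<!--start entry-->' "$tmpl" || return 1
    grep -q '<!--end entry-->' "$tmpl" || return 1
    # collect the lines that lie outside the entry block
    outside=$(awk '/<!--start entry-->/{skip=1} !skip{print} /<!--end entry-->/{skip=0}' "$tmpl")
    for m in __SENDER__ __RECEIVER__ __SUBJECT__ __FROM__ __TIME__ __BYTES__ \
             __SPAMLEVEL__ __SPAMINFO__ __HREF__ __WLHREF__ __BLHREF__ \
             __DELETEHREF__ __DELIVERHREF__; do
        if printf '%s\n' "$outside" | grep -q "$m"; then
            echo "per-mail macro $m used outside the entry block" >&2
            return 1
        fi
    done
    return 0
}
```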

13.4 Using regular expressions


A regular expression is a string of characters which describes the strings you are looking for. The
following is a short introduction to the syntax of regular expressions as used when editing Who
Objects. If you are familiar with Perl, you already know the syntax.

13.4.1 Simple regular expressions


In its simplest form, a regular expression is just a word or phrase to search for.
Mail would match the string “Mail”. The search is case sensitive so “MAIL”, “Mail”, “mail” would
not be matched.

13.4.2 Metacharacters
Some characters have a special meaning. These characters are called metacharacters.
The period (.) is a commonly used metacharacter. It matches exactly one character, regardless of
what the character is.
e.mail would match "e-mail" or "e2mail" but not "e-some-mail".


The question mark (?) indicates that the character immediately preceding it may occur zero times or
one time.
e?mail would match "email" or "mail" but not "e-mail".

Another metacharacter is the star (*). This indicates that the character immediately to its left may be
repeated any number of times, including zero.
e*mail would match "email" or "mail" or "eeemail".

The plus (+) metacharacter does the same as the star (*), excluding zero.
So e+mail does not match "mail".

Metacharacters may be combined. A common combination includes the period and star
metacharacters, with the star immediately following the period. This is used to match an arbitrary
string of any length, including the null string. For example:
.*company.* matches “company@domain.com” or “company@domain.co.uk” or
department.company@domain.com.

For more information take a look at the references.

13.4.3 References
Mastering Regular Expressions
Powerful Techniques for Perl and Other Tools
By Jeffrey E. F. Friedl
First Edition, January 1997
ISBN 1-56592-257-3

13.5 Managing software RAID


Software RAID is managed on the console with the Unix command mdadm. Please see the manual
page for more information (man mdadm).

To view the RAID status use:

- mdadm --detail /dev/md0

and

- cat /proc/mdstat

To add a new disk after a crash (assuming /dev/sdb2 is the newly created partition on the new disk;
use fdisk to partition hard disks):

- mdadm --manage /dev/md0 --add /dev/sdb2

After success, update the bootloader on all hard disks (example):

- update-grub
- grub-install /dev/sda
- grub-install /dev/sdb

To initialize the swap partitions, type:

- mkswap /dev/sda1 (assuming that sda1 is a swap partition)


- mkswap /dev/sdb1 (assuming that sdb1 is a swap partition)
- swapon -a

Finally reboot the machine and check all services.
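Since a degraded array is exactly the situation in which the mdadm --add step above becomes necessary, the following added example (not part of the Proxmox guide) shows a small check that reads the /proc/mdstat status string and reports every array with a missing member. The sample mdstat content is constructed for the example; the function can also be pointed at the real /proc/mdstat.

```shell
#!/bin/sh
# Added example (not from the Proxmox guide). Lists md arrays whose member
# status in /proc/mdstat contains "_" (a failed or missing disk), i.e. the
# arrays that need "mdadm --manage /dev/mdX --add <partition>".
# Argument: path of an mdstat file (defaults to /proc/mdstat).
degraded_md_arrays() {
    awk '
        # remember the array name from the "mdN : active ..." line
        /^md[0-9]+ :/ { dev = $1 }
        # the following line carries the status field, e.g. [UU] or [U_]
        /\[[U_]+\]/ && dev != "" {
            match($0, /\[[U_]+\]/)
            status = substr($0, RSTART + 1, RLENGTH - 2)
            if (index(status, "_") > 0) print dev " " status
            dev = ""
        }
    ' "${1:-/proc/mdstat}"
}

# Constructed sample: md0 is healthy, md1 has lost one of its two members.
sample_mdstat() {
    cat <<'EOF'
Personalities : [raid1]
md1 : active raid1 sda3[0]
      488254464 blocks [2/1] [U_]

md0 : active raid1 sda2[0] sdb2[1]
      1048512 blocks [2/2] [UU]

unused devices: <none>
EOF
}
```

Running degraded_md_arrays on the sample prints "md1 U_"; an empty result means every array is complete.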

13.6 Backup considerations


13.6.1 Scheduled backup
Scheduled backups can be configured to store the backup data on an FTP host or a Windows share. Old
backup files can be deleted automatically.

The following data will be stored via scheduled backups:

- System configuration
- Rule configuration
- Statistic database
- License

Log files and quarantined emails are never part of the backup. A backup can only be restored to an
identical version of Proxmox.

Figure 13-1 Configure scheduled backup – Windows share


13.6.2 Backup via console


You can use the command line utility proxbackup to backup the whole database including statistical
data:

- proxbackup -s full-backup.tgz

Please see the manual page for more information (man proxbackup).

13.6.3 Restore via console


In order to restore system configuration, rules database and statistical data you need to restore on
the console.

- proxbackup -c -d -s -r full-backup.tgz

After restore you need to reboot to activate changes.

13.7 Avira SAV antivirus integration


Proxmox supports Avira SAV engine as an additional virus scanner. Please check
https://www.proxmox.com/ for details and pricing.

13.8 SSL certificate


Access to the administration web interface is always done via HTTPS. The default certificate is never
valid for your browser, so you will always get warnings. You can safely ignore these warnings.

If you want to get rid of these warnings, you have to generate a valid certificate for your server.

Log in to your Proxmox via SSH or use the console:

- openssl req -newkey rsa:2048 -nodes -keyout key.pem -out req.pem

Follow the instructions on the screen, see this example:

Country Name (2 letter code) [AU]: AT


State or Province Name (full name) [Some-State]:Vienna
Locality Name (eg, city) []:Vienna
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Proxmox GmbH
Organizational Unit Name (eg, section) []:Proxmox Mail Gateway
Common Name (eg, YOUR name) []: yourproxmox.yourdomain.com
Email Address []:support@yourdomain.com

Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []: not necessary
An optional company name []: not necessary

After you finished this certificate request you have to send the file req.pem to your CA (Certification
Authority). The CA will issue the certificate (BASE64 encoded) based on your request – save this file as
“cert.pem” to your Proxmox.


To activate the new certificate, do the following on your Proxmox:

- cat key.pem cert.pem >/etc/apache2/apache.pem

- /etc/init.d/apache2 restart

Test your new certificate by using your browser.

Note: To transfer files from and to your Proxmox, you can use secure copy: if your desktop is Linux,
you can use 'scp'; if your desktop PC is Windows, please use an scp client like WinSCP (see
http://winscp.net/).
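A mismatched key and certificate, or an already expired certificate, would only show up as an Apache error after the restart above. The following added example (not part of the Proxmox guide) checks the pair with openssl before it is concatenated into apache.pem, and writes the combined file with root-only permissions since it contains the private key. The function names and the optional destination argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the Proxmox guide). Verifies that key.pem and
# cert.pem belong together and that the certificate is currently valid.
# Returns 0 when the pair is consistent, 1 otherwise.
verify_cert_pair() {
    key="$1"; cert="$2"
    # the public key derived from the private key must equal the one in the cert
    key_pub=$(openssl pkey -in "$key" -pubout -outform PEM 2>/dev/null) \
        || { echo "cannot read private key $key" >&2; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "cannot read certificate $cert" >&2; return 1; }
    [ "$key_pub" = "$cert_pub" ] \
        || { echo "private key and certificate do not match" >&2; return 1; }
    # reject certificates that are expired or expire within the next 24 hours
    openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null \
        || { echo "certificate is expired or expires within 24h" >&2; return 1; }
    return 0
}

# Builds the combined PEM file (default: /etc/apache2/apache.pem) only after
# the pair passed the checks; the file holds the private key, so keep it 0600.
install_apache_pem() {
    key="$1"; cert="$2"; dest="${3:-/etc/apache2/apache.pem}"
    verify_cert_pair "$key" "$cert" || return 1
    ( umask 077; cat "$key" "$cert" > "$dest" ) && chmod 600 "$dest"
}
```

After install_apache_pem succeeds, restart Apache as described above and test the certificate in your browser.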

13.9 Port scans (nmap)


Nmap is designed to allow system administrators to scan large networks to determine which hosts
are up and what services they are offering. You can use nmap to test your firewall setting, for example
to see if the required ports are open.

Test Razor port (tcp port 2703):

nmap -P0 -sS -p 2703 c301.cloudmark.com

Starting Nmap 5.00 ( http://nmap.org ) at 2012-07-31 11:10 CEST


Interesting ports on c301.cloudmark.com (208.83.137.114):
PORT STATE SERVICE
2703/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds

See the manual page (man nmap) for more information about nmap.

13.10 Create bootable USB stick


The installation media is a hybrid ISO image, working in two ways:

- An ISO image file ready to burn on CD
- A raw sector (IMG) image file ready to directly dd to flash media (USB stick)

Using USB sticks is faster and more environmentally friendly and therefore the recommended way to
install Proxmox Mail Gateway.

In order to boot the installation media you need to copy the ISO image to your USB media. You need
at least a 1024 MB USB stick.

13.10.1 Instructions for Windows


Make sure that your USB media is not mounted and does not contain any data.

Download the ImageUSB tool (http://www.osforensics.com/tools/write-usb-images.html) and copy the
Proxmox Mail Gateway ISO image to your USB media.


13.10.2 Instructions for Linux (and OSX)


You can simply use dd on Unix-like systems. First download the ISO image, then plug in the USB stick
(you need to find out which device name gets assigned to the USB stick).

- dd if=proxmox-mailgateway*.iso of=/dev/XYZ bs=1M

Be sure to replace /dev/XYZ with the correct device name (be careful, and do not overwrite your hard
disk!).

13.10.3 Boot your server from USB media


Connect your USB media to your server and make sure that the server boots from USB - and follow
the installation wizard.

- End of document -
