Administration Guide
8/21/2017
MailGatewayAdminGuide-V3.5.docx
Proxmox Server Solutions GmbH
Bräuhausgasse 37 A-1050 Vienna office@proxmox.com www.proxmox.com
Proxmox Server Solutions GmbH reserves the right to make changes to this document and to the
products described herein without notice. Before installing and using the software, please review the
latest version of this document, which is available from https://www.proxmox.com/.
NOTE: All prices are one year subscription licenses. After expiration, Email flow continues but Spam-
and AV checks are not working anymore (Exception: ClamAV will continue working).
All other product or company names different from Proxmox may be trademarks or registered
trademarks of their owners.
Copyright © 2005 - 2017 Proxmox Server Solutions GmbH. All rights reserved. No part of this
publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the
express prior written consent of Proxmox.
For detailed deployment scenarios see the “Proxmox Mail Gateway Deployment Guide”.
There is one ISO image for download covering all versions; the available features depend on the uploaded license
file.
After the installation has succeeded you have to route all your incoming and outgoing e-mail traffic to the Mail
Gateway. For incoming traffic you have to configure your firewall, for outgoing traffic your existing e-mail
server configuration.
By using the Proxmox Mail Gateway, all your e-mail traffic is forwarded to the Proxmox Mail Gateway,
which filters the whole e-mail traffic and removes unwanted e-mails. You can manage incoming and
outgoing mail traffic.
1. Proxmox Mail Gateway is able to detect viruses sent from an internal host. In many countries
you are liable for sending viruses to other people. The outgoing e-mail scanning feature of
Proxmox Mail Gateway is an additional protection against that.
2. Proxmox Mail Gateway can gather statistics about outgoing e-mails too. Statistics about
incoming e-mails look nice, but they are quite useless. Consider two users: user-1 receives
10 e-mails from news portals and writes 1 e-mail to a person you have never heard of, while
user-2 receives 5 e-mails from a customer and sends 5 e-mails back. Which user do you
consider more active? I am sure it's user-2, because he communicates with your customers.
The advanced address statistics of Proxmox Mail Gateway can show you this important information.
A solution that does not scan outgoing e-mail cannot do that.
To enable outgoing e-mail filtering you just need to send all outgoing e-mails through your Proxmox
Mail Gateway (usually by specifying Proxmox as “smarthost” on your e-mail server; see chapter 7
Example mail server configuration (outgoing mails)).
The outgoing HTTP connection is mainly used by virus pattern updates, and can be configured to use
a proxy instead of a direct internet connection.
You can use the nmap utility to test your firewall settings (see chapter 13.9).
Proxmox VE (KVM)
Vmware vSphere™ (open-vm tools are integrated in the ISO)
Hyper-V™ (Hyper-V Linux integration tools are integrated in the ISO)
KVM (virtio drivers are integrated, great performance)
VirtualBox™
Citrix XenServer™
In order to get a benchmark from your hardware, just run “proxperf” after installation.
Note: All existing data on the hard disk will be lost during the installation!
If you need more features than your license offers, you can always upgrade by buying another
license without reinstallation.
If you need to query MS Active Directory, an optional LDAP connector for one, three and five domains
can be purchased.
The Proxmox Mail Gateway HA Cluster uses a unique application level clustering scheme, which
provides extremely good performance. Special considerations were taken to make management as
easy as possible. The complete cluster setup is done within minutes, and nodes automatically reintegrate
after temporary failures without any operator interaction.
Organization qualified:
Universities, Schools, Governmental Organizations, NGO, etc.
Note: If you have a hardware RAID controller, this option is NOT available.
Note: Please change the default password after successful log in!
Note: To determine which license meets your requirements, check chapter 3.4 Compare the
Proxmox Mail Gateway editions
Please visit https://www.proxmox.com/ to get a license. Without a valid subscription license, the
Proxmox Mail Gateway will not process any e-mail. All prices are one year subscription licenses. After
expiration, e-mail flow continues but Spam- and AV checks are not working anymore (Exception:
ClamAV will continue working)
5.3 Configuration
Note: By clicking these symbols on the configuration interface a dropdown menu is available
5.3.1 System
Time Review or update your NTP server settings and time zone
Check if your firewall enables you access to the NTP server
Backup Backup your system configuration and rule database to a file (a few Kbytes) –
statistical data will not be saved via the web interface, only via scheduled backup!
Restore your system settings and rules from a valid backup. Backup/Restore
only works between the same versions (e.g. you cannot restore a backup
from a 2.5 to a 2.6).
Note: Restoring 2.6 to 3.0 is possible and the recommended upgrade path
Note: Advanced Statistic Filter only works if you filter outgoing emails
Syslog Lifetime
Define the lifetime of historical syslog data (maximum is 31 days). The syslog
is the basis for the message tracking center.
Syslog Server
Define a remote syslog server (sending Syslog entries to a centralized server)
Define the default language for the web interface and the daily reports
SSH Access SSH access is restricted for external networks by default to increase
security.
Note: for remote support, all SSH connections from proxmox.com and
maurer-it.com are allowed – but you still need to open your firewall and
provide the password.
Relaying IP address (or FQDN) and SMTP port of your existing e-mail server
Note: If you use a Professional or HA License, you can edit this list
Ports Review external (default 25) and internal (default 26) SMTP port
Check these settings with your firewall and existing e-mail server.
Reject Unknown Senders: Reject the request when the MAIL FROM
address has no DNS A or MX record.
smtpd_helo_required
reject_non_fqdn_hostname
Reject the request when the HELO or EHLO hostname is not in fully-
qualified domain form, as required by the RFC.
reject_invalid_hostname
Reject the request when the HELO or EHLO hostname syntax is invalid.
Verify Receivers
select Yes or No (450 for temporary rejects or 550 for final rejects)
Note: You have to reconfigure your internal mail server if you use YES.
For details see the Proxmox Mail Gateway Deployment Guide in the latest
release.
SMTPD Banner
Type your custom SMTP Banner
Smarthost: Use this option if you want to send all outgoing mails via
another proxy (smarthost). You can use IP addresses or DNS names with
an optional port specification, for example:
192.168.2.1
192.168.2.1:25
outproxy.domain.tld:26
Transports You can use Proxmox Mail Gateway to send e-mails to different internal e-mail
servers. For example you can send e-mails addressed to domain.com
to your first e-mail server, and e-mails addressed to
subdomain.domain.com to a second one.
Note: you need an appropriate license for each domain, otherwise it will
not work!
Add the IP addresses, hostnames and SMTP ports and mail domains (or just
single e-mail addresses) of your additional e-mail servers.
Note: Hosts in the same subnet as Proxmox can relay by default, so
they do not need to be added to this list.
To get additional information about SMTP TLS activity you can enable TLS
logging. That way information about TLS sessions and the certificates used is
logged via syslog.
Set this option to include information about the protocol and cipher used
as well as the client and issuer CommonName into the "Received:"
message header.
Whitelist (formerly Greylist excl.)
SMTP whitelist: All SMTP checks are disabled for those entries (e.g. Greylisting, SPF, RBL, …).
Note: If you use a backup-MX server (e.g. your ISP offers this service for
you) you should always add those servers.
Every single e-mail is analyzed and gets a spam score assigned. The system attempts to optimize
the efficiency of the rules that are run in terms of minimizing the number of false positives and false
negatives.
Note: For detailed spam configuration, see also chapter 5.4 Mail filter.
Use OCR
Use image recognition to detect spam messages inside images. OCR is
CPU intensive; please do not activate it if your server is already under heavy
load. Most of the time it makes no sense to activate this option; it is
deprecated.
Authentication mode
Choose how users access their spam quarantine. Ticket is default. If you
select LDAP, make sure you have a license for LDAP and a configured
LDAP profile (connection to MS Active Directory)
Report style
Verbose
Verbose (Outlook 2007)
Short
Note: If you use https, consider uploading a valid certificate, see chapter
13.8 SSL certificate
Allow HREFs
Enables links in the mail preview (disable to get a more secure preview)
Note: Please test your settings and review your quarantine to check
false positives
Theme Customize the end user quarantine interface, upload a custom logo.
Note: If you change anything, please reload the site in the browser to
ClamAV Review the database update server. Click “update now” and check the
output log file. The database will be regularly updated (several times a day) –
you don’t have to configure the update schedule.
Avira SAV Click “update now” and check the output log file.
Note: You need to purchase an Avira SAV per-user subscription license for
the Proxmox Mail Gateway; contact your Proxmox Partner for details.
Options Review the settings for dealing with archives (e.g. zip files)
If you have no direct connection to the web for updates, you can configure
your proxy server to get antivirus database updates.
View images
Enable images in the preview (if you uncheck this, images are not
downloaded and displayed)
Allow HREFs
Enables links in the mail preview (disable to get a more secure preview)
5.3.6 Cluster
Status See status of all nodes.
5.3.7 License
Check your license information or upload a new license file.
Displayed information:
License No.
Company
Name
Product
Expires
5.4.1 Rules
The object-oriented rule system enables custom rules for your domains. It’s an easy but very flexible
way to define filter rules by user, domains, time frame, content type and resulting action.
Who object (for the TO and/or FROM category)
Example: Who is the sender or receiver of the e-mail?
When object
Example: When is the e-mail received by Proxmox Mail Gateway?
What object
Example: Does the e-mail contain spam?
Action object
Example: Mark the e-mail with “SPAM:” in the subject.
Every rule has got 5 categories (FROM, TO, WHEN, WHAT, ACTION) which can contain several objects.
For example a virus protection looks like this:
FROM: Anybody
TO: Anybody
WHEN: Always
WHAT: Virus
ACTION: Block
Inactive Rules Not active. New rules are always inactive; you have to activate them
manually by clicking the symbol “ ”.
Priority Set the processing order between 1 and 100. The highest priority is
100.
5.4.2 Actions
Accept Accept mail for Delivery (Final action, no following rule will trigger)
Sample content:
Proxmox Notification:
Sender: __SENDER__
Receiver: __RECEIVERS__
Targets: __TARGETS__
Subject: __SUBJECT__
Matching Rule: __RULE__
__RULE_INFO__
__VIRUS_INFO__
__SPAM_INFO__
Sample content:
Fieldname: X-SPAM-LEVEL
Value: __SPAMLEVEL__, hits=__SPAM_HITS__
Value: __SPAM_INFO__ (this shows the detailed scores)
Sample content:
Fieldname: subject
Value: SPAM: __SUBJECT__
5.4.3 Who
5.4.4 What
Custom You can define custom what objects by adding the following items:
5.4.5 When
5.5 Administration
5.5.1 Server
Services Displays running services
If necessary you can reboot and shutdown the Proxmox Mail Gateway server.
5.5.2 Statistic
These pages display statistical data concerning e-mail traffic on the Proxmox Mail Gateway.
5.5.3 Quarantine
Manage Spam and Virus quarantine.
Spam Status
Displays statistical data about your quarantine
Archive
By specifying an e-mail address, you can access the quarantine section for this
user
Blacklist
View and edit personal blacklist
Whitelist
View and edit personal whitelist
Virus Status
Displays statistical data about your quarantine
Archive
By specifying an e-mail address, you can access the quarantine section for this
user
All log files from the last 7 days can be queried and the results are summarized by an intelligent
algorithm. The message tracking center is very fast and powerful, tested on Proxmox sites processing
1 million emails per day.
Status description:
Accepted/delivered: Email arrived, filtered, and successfully delivered to the email server
Accepted/deferred: Email arrived, filtered, but not delivered (still trying to deliver)
Accepted/bounced: Email arrived, filtered, but not accepted by your email server (e.g. user unknown)
Quarantine: Email arrived, filtered, and moved to the Proxmox quarantine
Blocked: Email arrived, but blocked by a filter rule
Rejected: Email rejected on SMTP level (e.g. sender IP is listed on an IP blacklist)
Greylisted: Email greylisted on SMTP level
Queued/delivered: Internal emails from Proxmox, successfully delivered to the email server (e.g. daily spam report, notifications, admin report, BCC emails, …)
Queued/deferred: Internal emails from Proxmox, not yet delivered
Queued/bounced: Internal emails from Proxmox, but not accepted by the email server (e.g. user unknown)
5.5.4.2 Real-time
The real-time syslog shows the last 100 lines, the output can be filtered by selecting the log files from
a service or by entering an individual search string.
5.5.5 Queues
You can flush or delete the queue. By clicking on a recipient domain you will see
details about the queue status.
LDAP hierarchies can be complex, and it is quite usual to have more than one server. Proxmox
supports such infrastructures by having multiple LDAP profiles. Each profile has its own settings, and
you can query either a selected profile or simply search all profiles. LDAP queries use the local
cache, so they are extremely fast, even when you query multiple servers.
You first need to create one or more LDAP profiles in order to use LDAP queries inside the rule
system.
Proxmox Mail Gateway supports Windows 2003/2008 and 2008r2 Active Directory, with
Exchange 2000, 2003, 2007 and 2010.
First, choose a profile name. Profile names may contain alphanumeric characters,
underscores and white spaces. Other characters are not allowed. A reasonable naming scheme is to
use the domain name with the dots replaced by underscores (example.com becomes example_com).
Now add the IP address of your LDAP server. You can also add a second IP address if you have a
backup/fallback server. That second server is used when the first server is not reachable.
We currently use the unencrypted LDAP protocol as default, but LDAPS is recommended for security
reasons. So please use LDAPS (secure LDAP) if available.
The last required setting is a username and password used to connect to the LDAP server. We
recommend using an unprivileged user who has no rights other than querying the LDAP
database. Active Directory uses names like “domain\user” or email style usernames like
user@domain.tld.
Although not strictly required, we recommend specifying the LDAP BaseDN.
Proxmox now tries to connect to the server. On success it will display the number of users,
groups and email addresses found.
• LDAP user
Can be used to test if an email address belongs to a specific LDAP user (one LDAP user can have
more than one email address).
• LDAP group
Used to test if an email address belongs to a user in the specified group.
Both Objects refer to LDAP profiles. That way you can query individual servers.
The LDAP group object has 2 additional selections – “Existing Users” and “Unknown Users”. Those
objects can be used to test if a user (e-mail address) exists or not.
Outgoing Mails:
Configure your mail server to send all e-mails to the Proxmox Mail Gateway, port 26.
Please see the Proxmox Mail Gateway Deployment Guide for all scenarios.
With MS Exchange SMTP connectors you can't use port 26 for outgoing (as this conflicts with MS
Exchange internal replication mechanism) so you have to switch these two values (25 and 26). In the
end you have to use port 25 for outgoing and port 26 for incoming mails.
IMPORTANT NOTE:
To receive e-mails from the Internet you have to set up port forwarding at your firewall, so that
port 25 on your external IP address is forwarded to port 26 on the Proxmox Mail Gateway IP address.
Figure 7-2 MS Exchange 2003: SMTP Connector (Define smart host: Proxmox Mail Gateway)
default_transport = smtp:1.2.3.4:26
8 Example rules
Proxmox uses a powerful rule system to handle e-mail traffic. The default setting is ready for use in
the first run.
Note: Please refer to the Proxmox Mail Gateway Deployment Guide for sample rules.
;; ANSWER SECTION:
proxmox.com. 22879 IN MX 10 mail.proxmox.com.
;; ADDITIONAL SECTION:
mail.proxmox.com. 22879 IN A 213.129.239.114
Please notice that there is one single MX record for the domain proxmox.com, pointing to
mail.proxmox.com. The ‘dig’ command automatically prints the corresponding address record if it
exists. In our case it points to “213.129.239.114”. The priority of our MX record is set to 10 (preferred
default value).
Sure, your provider must accept mails for your domain and forward received mails to you.
You will never lose mails with such a setup, because the sending Mail Transport Agent (MTA) will
simply deliver the mail to the backup server (mail.provider.tld) if the primary server
(mail.proxmox.com) is not available.
Anyway, it is quite simple to set up a high performance load balanced mail cluster using MX records.
You just need to define two MX records with the same priority. I will explain this using a complete
example to make it clearer.
First, you need to have at least 2 working Proxmox mail gateways (mail1.example.com and
mail2.example.com) set up as a cluster (see chapter 10 Proxmox Mail Gateway HA cluster), each having
its own IP address. Let us assume the following addresses (DNS address records):
By the way, it is always a good idea to add reverse lookup entries (PTR records) for those hosts. Many email
systems nowadays reject mails from hosts without valid PTR records.
This is all you need. You will receive mails on both hosts, more or less load-balanced using round-
robin scheduling. If one host fails the other is used.
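An added illustration, not part of the original guide, of how a sending MTA works through such a record set: the hosts, addresses and preferences below are constructed, and the model assumes the RFC 5321 behaviour of trying the lowest preference value first and hosts with an equal preference in random order.

```python
import random

# Constructed MX record set for the cluster described above: the two gateways
# share preference 10, and an ISP backup MX (as in the backup-MX scenario)
# sits behind them at preference 20. Example names only, not a real zone.
MX_RECORDS = [
    ("mail1.example.com", 10),
    ("mail2.example.com", 10),
    ("mail.provider.tld", 20),
]


def mx_delivery_order(records, rng=None):
    """Return hosts in the order a sending MTA tries them (RFC 5321, 5.1):
    lowest preference value first, hosts sharing a preference in random order."""
    rng = rng or random.Random()
    by_pref = {}
    for host, pref in records:
        by_pref.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(by_pref):
        group = list(by_pref[pref])
        rng.shuffle(group)          # round-robin among equal preferences
        order.extend(group)
    return order


def deliver(records, reachable, rng=None):
    """Return the first reachable host in MX order, or None if all are down."""
    for host in mx_delivery_order(records, rng):
        if host in reachable:
            return host
    return None


def simulate_distribution(records, reachable, trials=1000, seed=1):
    """Count which host accepts delivery over TRIALS attempts. Shows that two
    equal-preference MX records spread the load roughly evenly and that a
    failed gateway is skipped without the backup MX being used."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        host = deliver(records, reachable, rng)
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    print("both gateways up:", simulate_distribution(
        MX_RECORDS, {"mail1.example.com", "mail2.example.com"}))
    print("mail1 down:", simulate_distribution(
        MX_RECORDS, {"mail2.example.com", "mail.provider.tld"}))
```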
The Proxmox Mail Gateway HA Cluster consists of a master and several nodes (minimum one node).
Configuration is done on the master. Configuration and data is synchronized to all cluster nodes over
a VPN tunnel. This provides the following advantages:
We use a unique application level clustering scheme, which provides extremely good performance.
Special considerations were taken to make management as easy as possible. The complete cluster
setup is done within minutes, and nodes automatically reintegrate after temporary failures without
any operator interaction.
Note: Always setup the IP configuration before adding a node to the cluster. IP address, network
mask, gateway address and hostname can’t be changed later.
You need to enter the root password of the master host when asked for a password.
Attention: Node initialization deletes all existing databases, stops and then restarts all services
accessing the database. So do not add nodes which are already active and receive mails.
Also, joining a cluster can take several minutes, because the new node needs to synchronize all data
from the master (although this is done in the background).
Note: If you join a new node, existing quarantined items from the other nodes are not
synchronized to the new node.
The following scenarios only apply when you really lose the contents of the hard disk.
All information:
https://www.proxmox.com/
12 Table of figures
Figure 1-1 Processing of incoming e-mail traffic
Figure 3-1 Infrastructure without Proxmox Mail Gateway
Figure 3-2 Infrastructure with integrated Proxmox Mail Gateway
Figure 4-1 Selecting Software RAID during installation
Figure 5-1 Login page Proxmox Mail Gateway
Figure 5-2 Start page Proxmox Mail Gateway after log in
Figure 5-3 Preview of a quarantined Spam e-mail
Figure 5-4 Preview of a quarantined Spam e-mail with spam info
Figure 5-5 Preview of a quarantined Phishing e-mail
Figure 5-6 Message Tracking Center
Figure 5-7 Real time log
Figure 5-8 Display Mail Queue
Figure 6-1 LDAP Server settings: Create new LDAP Profile 1
Figure 6-2 LDAP Server settings: Create new LDAP Profile 2
Figure 6-3 LDAP Server settings: Three profiles configured
Figure 7-1 MS Exchange: Port settings for use with MS Exchange
Figure 7-2 MS Exchange 2003: SMTP Connector (Define smart host: Proxmox Mail Gateway)
Figure 7-3 MS Exchange 2003: SMTP connector – Address space
Figure 10-1 Proxmox Mail Gateway HA Cluster
Figure 13-1 Configure scheduled backup – Windows share
13 Appendix
13.1 Available macros for rule system
It is possible to use macros inside most fields of action objects. That way it is possible to access and
include data contained in the original mail, get envelope sender and receivers addresses or include
additional information about Viruses and Spam. Currently the following macros are defined:
Macro Comment
__SENDER__ (envelope) sender mail address
__RECEIVERS__ (envelope) receiver mail address list
__ADMIN__ Email address of the administrator
__TARGETS__ Subset of receivers matched by the rule
__SUBJECT__ Subject of the message
__MSGID__ The message ID
__RULE__ Name of the matching rule
__RULE_INFO__ Additional information about the matching rule
__VIRUS_INFO__ Additional information about detected viruses
__SPAMLEVEL__ Computed spam level
__SPAM_INFO__ Additional information why message is spam
__SENDER_IP__ IP address of sending host
__VERSION__ The current software version (proxmox mail gateway)
__FILENAME__ Attachment file name
__SPAMSTARS__ A series of "*" characters where each one represents a full score (__SPAMLEVEL__) point
A simple example is the “Modify Spam Subject” action which adds “SPAM:” to the original message
subject. To achieve this just use “SPAM: __SUBJECT__” as value for that action object.
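An added example, not code from the guide or from Proxmox, that expands these macros over constructed message data, both for the “SPAM: __SUBJECT__” subject action and for a notification body like the sample content shown earlier. The __NAME__ replacement scheme, the derivation of __SPAMSTARS__ from the spam level and the handling of unknown macros are assumptions made here.

```python
import re

# Constructed sample values for the macros in the table above.
SAMPLE_MAIL = {
    "SENDER": "sender@example.com",
    "RECEIVERS": "alice@example.org, bob@example.org",
    "TARGETS": "alice@example.org",
    "SUBJECT": "Quarterly invoice",
    "MSGID": "<20170821.constructed@example.com>",
    "RULE": "Block Spam (Level 3)",
    "RULE_INFO": "",
    "VIRUS_INFO": "",
    "SPAM_INFO": "score 3.2 (BAYES_99, HTML_MESSAGE)",   # constructed
    "SPAMLEVEL": 3,
    "SENDER_IP": "192.0.2.10",
}

# Notification body as in the "Sample content" of the Actions section.
NOTIFICATION = """Proxmox Notification:
Sender: __SENDER__
Receiver: __RECEIVERS__
Targets: __TARGETS__
Subject: __SUBJECT__
Matching Rule: __RULE__
__RULE_INFO__
__VIRUS_INFO__
__SPAM_INFO__"""

# A macro is an upper-case name, optionally with single underscores inside,
# wrapped in double underscores (__SENDER__, __SPAM_INFO__, ...).
MACRO_RE = re.compile(r"__([A-Z]+(?:_[A-Z]+)*)__")


def spam_stars(level):
    """__SPAMSTARS__: one '*' per full score point of __SPAMLEVEL__."""
    return "*" * max(0, int(level))


def expand_macros(template, mail):
    """Replace each __NAME__ in TEMPLATE with the value from MAIL.

    __SPAMSTARS__ is derived from SPAMLEVEL. Unknown macros are left in
    place (assumption), so a typo in an action object stays visible.
    """
    values = dict(mail)
    if "SPAMLEVEL" in values:
        values["SPAMSTARS"] = spam_stars(values["SPAMLEVEL"])

    def substitute(match):
        name = match.group(1)
        return str(values[name]) if name in values else match.group(0)

    return MACRO_RE.sub(substitute, template)


def modify_spam_subject(mail):
    """The 'Modify Spam Subject' action: value 'SPAM: __SUBJECT__'."""
    return expand_macros("SPAM: __SUBJECT__", mail)


if __name__ == "__main__":
    print(modify_spam_subject(SAMPLE_MAIL))
    print(expand_macros(NOTIFICATION, SAMPLE_MAIL))
```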
A detailed report usually displays information about each mail. Inside the template everything
between <!--start entry--> and <!--end entry--> is repeated for every mail. Most macros
are only defined inside those marks. Only the global macros are available outside those marks.
Note: A template has to be valid HTML. You can use any HTML editor for easy and fast editing.
13.4.2 Metacharacters
Some characters have a special meaning. These characters are called metacharacters.
The period (.) is a commonly used metacharacter. It matches exactly one character, regardless of
what the character is.
e.mail would match “e-mail” or “e2mail” but not “e-some-mail”.
The question mark (?) indicates that the character immediately preceding it occurs either zero times or one
time.
e?mail would match “email” or “mail” but not “e-mail”.
Another metacharacter is the star (*). This indicates that the character immediately to its left may be
repeated any number of times, including zero.
e*mail would match “email” or “mail” or “eeemail”.
The plus (+) metacharacter does the same as the star (*), excluding zero.
So e+mail does not match “mail”.
Metacharacters may be combined. A common combination includes the period and star
metacharacters, with the star immediately following the period. This is used to match an arbitrary
string of any length, including the null string. For example:
.*company.* matches “company@domain.com” or “company@domain.co.uk” or
“department.company@domain.com”.
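The patterns above, checked with Python's re module as an added example that is not part of the original guide. It assumes the rule system compares the whole string against the pattern, which is the reading under which e?mail does not match “e-mail”; it also shows which of the guide's statements would change under an unanchored substring search, the test strings being constructed here.

```python
import re

# Patterns from the metacharacter section with strings the guide says they
# match (first set) and do not match (second set). The "e-mail" entry for
# e*mail and the "user@domain.com" entry are constructed additions.
CASES = {
    "e.mail": ({"e-mail", "e2mail"}, {"e-some-mail"}),
    "e?mail": ({"email", "mail"}, {"e-mail"}),
    "e*mail": ({"email", "mail", "eeemail"}, {"e-mail"}),
    "e+mail": ({"email", "eeemail"}, {"mail"}),
    ".*company.*": (
        {"company@domain.com", "company@domain.co.uk",
         "department.company@domain.com"},
        {"user@domain.com"},
    ),
}


def whole_string_match(pattern, text):
    """True if PATTERN describes all of TEXT (anchored, case-insensitive)."""
    return re.fullmatch(pattern, text, flags=re.IGNORECASE) is not None


def substring_match(pattern, text):
    """True if PATTERN occurs anywhere in TEXT (unanchored search)."""
    return re.search(pattern, text, flags=re.IGNORECASE) is not None


def check_cases(matcher=whole_string_match):
    """Return the (pattern, text) pairs on which MATCHER disagrees with the
    guide. Empty for whole-string matching; for substring matching the
    'does not match' claims for e.mail, e?mail and e*mail break, because
    'mail' or 'e-mail' is found inside the longer string."""
    failures = []
    for pattern, (should, should_not) in CASES.items():
        for text in sorted(should):
            if not matcher(pattern, text):
                failures.append((pattern, text))
        for text in sorted(should_not):
            if matcher(pattern, text):
                failures.append((pattern, text))
    return failures


if __name__ == "__main__":
    print("anchored disagreements:", check_cases())
    print("substring disagreements:", check_cases(substring_match))
```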
13.4.3 References
Mastering Regular Expressions
Powerful Techniques for Perl and Other Tools
By Jeffrey E. F. Friedl
First Edition, January 1997
ISBN 1-56592-257-3
And
cat /proc/mdstat
update-grub
grub-install /dev/sda
grub-install /dev/sdb
System configuration
Rule configuration
Statistic database
License
Log files and quarantined emails are never in the backup. A backup can only be restored to an identical
version of Proxmox.
proxbackup -s full-backup.tgz
Please see the manual page for more information (man proxbackup).
proxbackup -c -d -s -r full-backup.tgz
If you want to get rid of these warnings, you have to generate a valid certificate for your server.
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []: not necessary
An optional company name []: not necessary
After you finished this certificate request you have to send the file req.pem to your CA (Certification
Authority). The CA will issue the certificate (BASE64 encoded) based on your request – save this file as
“cert.pem” to your Proxmox.
/etc/init.d/apache2 restart
Note: To transfer files from and to your Proxmox, you can use secure copy: if your desktop is Linux,
you can use ‘scp’; if your desktop PC is Windows, please use an scp client like WinSCP (see
http://winscp.net/).
See the manual page (man nmap) for more information about nmap.
Using USB sticks is faster and more environmentally friendly and is therefore the recommended way to
install Proxmox Mail Gateway.
In order to boot from the installation media you need to copy the ISO image to your USB stick. You need
at least a 1024 MB USB stick.
Be sure to replace /dev/XYZ with the correct device name (be careful, and do not overwrite your hard
disk!)
- End of document -