1. Introduction

1.1. What is Proxmox Mail Gateway?

E-mail security begins at the gateway by controlling all incoming and outgoing e-mail messages. Proxmox Mail Gateway addresses the full spectrum of unwanted e-mail traffic, focusing on spam and virus detection. Proxmox Mail Gateway provides a powerful and affordable server solution to eliminate spam and viruses and to block undesirable content from your e-mail system. All products are self-installing and can be used without deep knowledge of Linux.

1.2. Features

1.2.1. Spam detection

Proxmox Mail Gateway uses a wide variety of local and network tests to identify spam mail. Here is a short list of the filtering methods used:

Receiver Verification

Many of the junk messages reaching your network are emails to non-existent users. Proxmox Mail Gateway detects these emails at the SMTP level, which means before they are transferred to your networks. This reduces the traffic to be analyzed for spam and viruses by up to 90% and reduces the working load on your mail servers and scanners.

Sender policy framework (SPF)

Sender Policy Framework (SPF) is an open standard for validating emails and preventing sender IP address forgery. SPF allows the administrator of an Internet domain to specify which computers are authorized to send emails with a given domain by creating a specific SPF record in the Domain Name System (DNS).

DNS-based Blackhole List

A DNS-based Blackhole List (DNSBL) is a means by which an Internet site may publish a list of IP addresses, in a format which can be easily queried by computer programs on the internet. The technology is built on top of the Domain Name System. DNSBLs are used to publish lists of addresses linked to spamming.
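The query format described above, as an added example (not Proxmox Mail Gateway code): the client address is reversed, prefixed to the list's zone, and looked up as an A record. The zone "dnsbl.example", the FAKE_ZONE data and the helper names are constructed for illustration; the 127.0.0.0/8 answer range follows RFC 5782.

```python
import ipaddress
import socket

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # DNSBL answers live here (RFC 5782)


def dnsbl_query_name(ip, zone):
    """Build the DNS name to look up: reversed address labels + list zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]                   # octets, reversed
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]   # 32 nibbles, reversed
    return ".".join(labels) + "." + zone.strip(".")


def system_resolver(name):
    """A-record lookup via the system resolver; [] when the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def is_listed(ip, zone, resolve=system_resolver):
    """True only if the list answers with an address inside 127.0.0.0/8."""
    answers = resolve(dnsbl_query_name(ip, zone))
    return any(ipaddress.ip_address(a) in LISTED_NET for a in answers)


# Constructed zone data for the hypothetical list "dnsbl.example".
FAKE_ZONE = {
    "2.0.0.127.dnsbl.example": ["127.0.0.2"],      # RFC 5782 test entry
    "7.100.51.198.dnsbl.example": ["127.0.0.4"],   # constructed listed sender
    "10.2.0.192.dnsbl.example": ["203.0.113.80"],  # parked/wildcard answer, not a listing
}


def fake_resolver(name):
    """Offline stand-in for DNS so the example runs without network access."""
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    for ip in ("127.0.0.2", "198.51.100.7", "192.0.2.10", "192.0.2.11"):
        print(ip, dnsbl_query_name(ip, "dnsbl.example"),
              is_listed(ip, "dnsbl.example", fake_resolver))
```

Treating answers outside 127.0.0.0/8 as "not listed" keeps a lapsed or wildcarded list domain from rejecting all mail.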

SMTP Whitelist

Exclude senders from SMTP blocking. To prevent all SMTP checks (Greylisting, Receiver Verification, SPF and RBL) and accept all e-mails for the analysis in the filter rule system, you can add the following to this list: Domains (Sender/Receiver), Mail address (Sender/Receiver), Regular Expression (Sender/Receiver), IP address (Sender), IP network (Sender).

Bayesian Filter - Automatically trained statistical filters

Some particular words have a higher probability of occurring in spam emails than in legitimate emails. Having been trained to recognize those words, the Bayesian filter checks every email and adjusts, in its database, the probability of each word being a spam word or not. This is done automatically.

Black- and Whitelists

Black- and Whitelists are an access control mechanism to accept, block, or quarantine emails to recipients. This allows you to tune the rule system by applying different objects like domains, email addresses, regular expressions, IP networks, LDAP groups, and others.

Autolearning algorithm

Proxmox Mail Gateway gathers statistical information about spam emails. This information is used by an autolearning algorithm, so the system becomes smarter over time.

Spam Uri Realtime BlockList (SURBL)

SURBLs are used to detect spam based on message body URIs (usually web sites). This makes them different from most other Real-time Blocklists, because SURBLs are not used to block spam senders. Instead, SURBLs allow you to block messages whose bodies mention spam hosts.

Greylisting

Greylisting an email from a sender your system does not recognize means that it will be temporarily rejected. Since temporary failures are built into the RFC specifications for mail delivery, a legitimate server will try to resend the email later on. This is an effective method because spammers do not queue and reattempt mail delivery as is normal for a regular Mail Transport Agent.

Greylisting can reduce e-mail traffic by up to 50%. A greylisted email never reaches your mail server and thus your mail server will not send useless "Non Delivery Reports" to spammers.
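The defer-then-accept logic described above, as an added example (not Proxmox Mail Gateway code). It assumes the common triplet design (client IP, envelope sender, envelope recipient); the delay values, class name and sample addresses are constructed for illustration.

```python
import time

MIN_DELAY = 300          # assumed: seconds before a retry of a new triplet is accepted
MAX_AGE = 2 * 24 * 3600  # assumed: an unconfirmed triplet is forgotten after two days


class Greylist:
    """Triplet-based greylist: (client IP, envelope sender, envelope recipient)."""

    def __init__(self, min_delay=MIN_DELAY, max_age=MAX_AGE):
        self.min_delay = min_delay
        self.max_age = max_age
        self.first_seen = {}   # triplet -> time of first delivery attempt
        self.passed = set()    # triplets that already retried correctly

    def check(self, client_ip, sender, recipient, now=None):
        """Return the SMTP reply code for one RCPT TO attempt."""
        now = time.time() if now is None else now
        triplet = (client_ip, sender.lower(), recipient.lower())
        if triplet in self.passed:
            return 250                      # known-good sender, no delay
        seen = self.first_seen.get(triplet)
        if seen is None or now - seen > self.max_age:
            self.first_seen[triplet] = now  # first contact (or stale entry)
            return 450                      # temporary failure: "try again later"
        if now - seen < self.min_delay:
            return 450                      # retried too fast, keep deferring
        del self.first_seen[triplet]
        self.passed.add(triplet)
        return 250                          # patient retry: accept from now on


def simulate():
    """Constructed traffic: one queueing MTA and one fire-and-forget sender."""
    gl = Greylist()
    mta = ("192.0.2.10", "alice@example.org", "bob@example.com")
    bot = ("198.51.100.7", "promo@example.net", "bob@example.com")
    return {
        "mta_first": gl.check(*mta, now=0),
        "bot_first": gl.check(*bot, now=0),
        "bot_instant_retry": gl.check(*bot, now=5),
        "mta_retry_15min": gl.check(*mta, now=900),
        "mta_next_mail": gl.check(*mta, now=4000),
    }


if __name__ == "__main__":
    for event, code in simulate().items():
        print(f"{event:18} -> {code}")
```

The 450 reply is issued before the message body is transferred, which is why a deferred message never reaches the mail server or the content scanners.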

SMTP Protocol Tests

Postfix is able to do some sophisticated SMTP protocol tests (see man postscreen). Most spam is sent out by zombies (malware on compromised end-user computers), and those zombies often try to maximize the amount of mail delivered. In order to do that, many of them violate the SMTP protocol specification and can thus be detected by these tests.

1.2.2. Virus detection

Proxmox Mail Gateway integrates ClamAV®, which is an open-source (GPL) antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats.

It provides a high-performance multi-threaded scanning daemon, command line utilities for on-demand file scanning, and an intelligent tool for automatic signature updates.

1.2.3. Object-Oriented Rule System

The object-oriented rule system enables custom rules for your domains. It’s an easy but very powerful way to define filter rules by user, domains, time frame, content type and resulting action. Proxmox Mail Gateway offers a lot of powerful objects to configure your own custom system.

WHO - objects

Who is the sender or receiver of the e-mail?

WHAT - objects

What is in the e-mail?

WHEN - objects

When is the e-mail received by Proxmox Mail Gateway?

ACTIONS - objects

Defines the final actions.

Every rule has five categories: FROM, TO, WHEN, WHAT and ACTION. Each of these categories can contain several objects and a direction (in, out or both).

Options range from simple spam and virus filter setups to sophisticated, highly customized configurations blocking certain types of e-mails and generating notifications.

1.2.4. Spam Quarantine

Identified spam mails can be stored in the user-accessible Spam quarantine. Thus users can view and manage their spam mails by themselves.

1.2.5. Tracking and Logging

The innovative Proxmox Message Tracking Center tracks and summarizes all available logs. With the web-based and user-friendly management interface, IT admins can easily review and control all functions from a single screen.

The Message Tracking Center is very fast and powerful, tested on Proxmox Mail Gateway sites processing over a million emails per day. All different log files from the last 7 days can be queried and the results are summarized by an intelligent algorithm.

  • Arrival of the email

  • Proxmox filtering processing with results

  • Internal queue to your email server

  • Status of final delivery

1.2.6. High Availability with Proxmox HA Cluster

To provide a 100% secure email system for your business, we developed Proxmox High Availability (HA) Cluster. The Proxmox HA Cluster uses a unique application level clustering scheme, which provides extremely good performance. Fast set-up within minutes and a simple, intuitive management keep resource needs low. After temporary failures, nodes automatically reintegrate without any operator interaction.

1.2.7. LDAP integration

It is possible to query user and group data from LDAP servers. This may be used to build special filter rules, or just to provide authentication services for the Spam quarantine GUI.

1.2.8. Fetchmail integration

Proxmox Mail Gateway allows you to fetch mail from other IMAP or POP3 servers.

1.2.9. Flexible User Management

The administration interface uses a role based access control scheme, using the following roles:

Superuser

This role is allowed to do everything (reserved for user root).

Administrator

Full access to mail filter setup, but not allowed to change network setup.

Quarantine Manager

Is able to view and manage the Spam Quarantine.

Auditor

Has read-only access to the whole configuration, can access logs and view statistics.

1.3. Your benefit with Proxmox Mail Gateway

  • Open source software

  • No vendor lock-in

  • Linux kernel

  • Fast installation and easy-to-use

  • Web-based management interface

  • REST API

  • Huge active community

  • Low administration costs and simple deployment

1.4. Getting Help

1.4.1. Community Support Forum

Proxmox Mail Gateway itself is fully open source, so we always encourage our users to discuss and share their knowledge using the Proxmox Community Forum. The forum is fully moderated by the Proxmox support team, and has quite a large user base around the whole world. Needless to say, such a large forum is a great place to get information.

1.4.2. Commercial Support

Proxmox Server Solutions GmbH also offers commercial Proxmox Mail Gateway Subscription Service Plans. System Administrators with a standard subscription plan can access a dedicated support portal with guaranteed response time, where Proxmox Mail Gateway developers help them should an issue appear. Please contact the Proxmox sales team for more information or volume discounts.

1.4.3. Bug Tracker

We also run a public bug tracker at https://bugzilla.proxmox.com. If you ever detect a bug, you can file a bug entry there. This makes it easy to track the bug status, and you will get notified as soon as the bug is fixed.

2. Planning for Deployment

2.1. Easy integration into existing e-mail server architecture

In this sample configuration, your e-mail traffic (SMTP) arrives on the firewall and will be directly forwarded to your e-mail server.


By using the Proxmox Mail Gateway, all your e-mail traffic is forwarded to the Proxmox Mail Gateway, which filters the whole e-mail traffic and removes unwanted e-mails. You can manage incoming and outgoing mail traffic.


2.2. Filtering outgoing e-mails

Many e-mail filter solutions do not scan outgoing mails. In contrast, Proxmox Mail Gateway is designed to scan both incoming and outgoing e-mails. This has two major advantages:

  1. Proxmox Mail Gateway is able to detect viruses sent from an internal host. In many countries you are liable for sending viruses to other people. The Proxmox Mail Gateway outgoing e-mail scanning feature is an additional protection to avoid that.

  2. Proxmox Mail Gateway can gather statistics about outgoing e-mails too. Statistics about incoming e-mails look nice, but they are quite useless. Consider two users: user-1 receives 10 e-mails from news portals and wrote 1 e-mail to a person you never heard from, while user-2 receives 5 e-mails from a customer and sent 5 e-mails back. Which user do you consider more active? I am sure it’s user-2, because he communicates with your customers. Proxmox Mail Gateway advanced address statistics can show you this important information. A solution which does not scan outgoing e-mail cannot do that.

To enable outgoing e-mail filtering, you just need to send all outgoing e-mails through Proxmox Mail Gateway, by configuring it as "smarthost" on your e-mail server.

2.3. Firewall settings

In order to pass e-mail traffic to the Proxmox Mail Gateway you need to allow traffic on the SMTP port. Our servers use the Network Time Protocol (NTP) for time synchronization, RAZOR, DNS, SSH, HTTP and port 8006 for the web-based management interface.

Service   Port   Protocol   From         To
SMTP      25     TCP        Proxmox      Internet
SMTP      25     TCP        Internet     Proxmox
SMTP      26     TCP        Mailserver   Proxmox
NTP       123    TCP/UDP    Proxmox      Internet
RAZOR     2703   TCP        Proxmox      Internet
DNS       53     TCP/UDP    Proxmox      DNS Server
HTTP      80     TCP        Proxmox      Internet
GUI/API   8006   TCP        Intranet     Proxmox

Caution: It is advisable to restrict access to the GUI/API port as far as possible.

The outgoing HTTP connection is mainly used by virus pattern updates, and can be configured to use a proxy instead of a direct internet connection.

You can use the nmap utility to test your firewall settings (see section port scans).

2.4. System Requirements

The Proxmox Mail Gateway can run on dedicated server hardware or inside a virtual machine on any of the following platforms:

  • Proxmox VE (KVM)

  • VMware vSphere™ (open-vm tools are integrated in the ISO)

  • Hyper-V™ (Hyper-V Linux integration tools are integrated in the ISO)

  • KVM (virtio drivers are integrated, great performance)

  • VirtualBox™

  • Citrix Hypervisor™ (former XenServer™)

  • LXC container

  • and others supporting Debian Linux as guest OS

Please see http://www.proxmox.com for details.

In order to get a benchmark from your hardware, just run pmgperf after installation.

2.4.1. Minimum System Requirements

  • CPU: 64bit (Intel EMT64 or AMD64)

  • 2 GB RAM

  • bootable CD-ROM-drive or USB boot support

  • Monitor with a resolution of 1024x768 for the installation

  • Hard disk with at least 8 GB of disk space

  • Ethernet network interface card

2.4.2. Recommended System Requirements

  • Multicore CPU: 64bit (Intel EMT64 or AMD64),
    for use as virtual machine activate Intel VT/AMD-V CPU flag

  • 4 GB RAM

  • bootable CD-ROM-drive or USB boot support

  • Monitor with a resolution of 1024x768 for the installation

  • 1 Gbps Ethernet network interface card

  • Storage: at least 8 GB free disk space, best setup with redundancy, use hardware RAID controller with battery backed write cache (“BBU”) or ZFS. ZFS is not compatible with a hardware RAID controller. For best performance use Enterprise class SSD with power loss protection.

3. Installation

Proxmox Mail Gateway is based on Debian and comes with an installation CD-ROM which includes a complete Debian ("stretch" for version 5.x) system as well as all necessary Proxmox Mail Gateway packages.

The installer just asks you a few questions, then partitions the local disk(s), installs all required packages, and configures the system including a basic network setup. You can get a fully functional system within a few minutes. This is the preferred and recommended installation method.

Alternatively, Proxmox Mail Gateway can be installed on top of an existing Debian system. This option is only recommended for advanced users since it requires more detailed knowledge about Proxmox Mail Gateway and Debian.

3.1. Using the Proxmox Mail Gateway Installation CD-ROM

You can download the ISO from http://www.proxmox.com. It includes the following:

  • Complete operating system (Debian Linux, 64-bit)

  • The Proxmox Mail Gateway installer, which partitions the hard drive(s) with ext4, ext3, xfs or ZFS and installs the operating system.

  • Linux kernel

  • Postfix MTA, ClamAV, SpamAssassin and the Proxmox Mail Gateway toolset

  • Web based management interface for using the toolset

Please burn the downloaded ISO image to a CD or create a bootable USB stick.

Then insert the installation CD-ROM on the physical host where you want to install Proxmox Mail Gateway and boot from that drive. Immediately afterwards you can choose the following menu options:

Install Proxmox Mail Gateway

Start normal installation.

Install Proxmox Mail Gateway (Debug mode)

Start installation in debug mode. It opens a shell console at several installation steps, so that you can debug things if something goes wrong. Please press CTRL-D to exit those debug consoles and continue installation. This option is mostly for developers and not meant for general use.

Rescue Boot

This option allows you to boot an existing installation. It searches all attached hard disks and, if it finds an existing installation, boots directly into that disk using the existing Linux kernel. This can be useful if there are problems with the boot block (grub), or the BIOS is unable to read the boot block from the disk.

Test Memory

Runs memtest86+. This is useful to check if your memory is functional and error free.

You normally select Install Proxmox Mail Gateway to start the installation.

The first step is to read our EULA (End User License Agreement). After that you get prompted to select the target hard disk(s).

Note: By default, the complete server is used and all existing data is removed.

The Options button lets you select the target file system, which defaults to ext4. The installer uses LVM if you select ext3, ext4 or xfs as file system, and offers an additional option to restrict LVM space (see below).

If you have more than one disk, you can also use ZFS as file system. ZFS supports several software RAID levels, so this is especially useful if you do not have a hardware RAID controller. The Options button lets you select the ZFS RAID level, and you can choose disks there.

The next page just asks for basic configuration options like your location, the time zone and keyboard layout. The location is used to select a download server near you to speed up updates. The installer is usually able to auto-detect those settings, so you only need to change them in rare situations when auto-detection fails, or when you want to use some special keyboard layout not commonly used in your country.

You then need to specify an email address and the superuser (root) password. The password must have at least 5 characters, but we highly recommend using stronger passwords - here are some guidelines:

  • Use a minimum password length of 12 to 14 characters.

  • Include lowercase and uppercase alphabetic characters, numbers and symbols.

  • Avoid character repetition, keyboard patterns, dictionary words, letter or number sequences, usernames, relative or pet names, romantic links (current or past) and biographical information (e.g., ID numbers, ancestors' names or dates).

It is sometimes necessary to send notifications to the system administrator, for example:

  • Information about available package updates.

  • Error messages from periodic CRON jobs.

All those notification mails will be sent to the specified email address.