1. Introduction

1.1. What is Proxmox Mail Gateway?

Email security begins at the gateway, by controlling all incoming and outgoing email messages. Proxmox Mail Gateway addresses the full spectrum of unwanted email traffic, focusing on spam and virus detection. Proxmox Mail Gateway provides a powerful and affordable server solution to eliminate spam and viruses, and block undesirable content from your email system. All products are self-installing and can be used without deep knowledge of Linux.

1.2. Features

1.2.1. Spam detection

Proxmox Mail Gateway uses a wide variety of local and network tests to identify spam mail. Here is a short list of the filtering methods used:

Receiver Verification

Many of the junk messages reaching your network are emails to non-existent users. Proxmox Mail Gateway detects these emails on the SMTP level, before they are transferred to your network. This reduces the traffic to be analyzed for spam and viruses by up to 90% and reduces the working load on your mail servers and scanners.

Sender Policy Framework (SPF)

Sender Policy Framework (SPF) is an open standard for validating emails and preventing sender IP address forgery. SPF allows the administrator of an internet domain to specify which computers are authorized to send emails with a given domain, by creating a specific SPF record in the Domain Name System (DNS).

DNS-based Blackhole List

A DNS-based Blackhole List (DNSBL) is a means by which an internet site may publish a list of IP addresses, in a format which can be easily queried by computer programs on the Internet. The technology is built on top of the Domain Name System. DNSBLs are used to publish lists of addresses linked to spamming.
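How a client queries such a list, as an added example (not part of the Proxmox documentation or code): the sender IP is reversed, prepended to the list's zone and looked up as an A record. The zone `dnsbl.example`, the stub resolver and the treatment of `127.255.255.0/24` as an operator error range are assumptions made for this sketch.

```python
import ipaddress

def dnsbl_query_name(ip, zone):
    """Build the DNS name that is looked up for `ip` in the DNSBL `zone`."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))           # octets, reversed
    else:
        labels = reversed(addr.exploded.replace(":", ""))  # 32 nibbles, reversed
    return ".".join(labels) + "." + zone.strip(".")

def dnsbl_check(ip, zone, resolve):
    """Return 'listed', 'not-listed' or 'error'.

    `resolve(name)` is an injected lookup that returns a list of A-record
    strings, or an empty list for NXDOMAIN (address not listed).
    """
    answers = resolve(dnsbl_query_name(ip, zone))
    if not answers:
        return "not-listed"
    loopback = ipaddress.ip_network("127.0.0.0/8")
    # Assumption: some list operators answer from this range to signal
    # "query refused" rather than "listed".
    error_range = ipaddress.ip_network("127.255.255.0/24")
    for answer in answers:
        code = ipaddress.ip_address(answer)
        # A listing is always a 127.0.0.0/8 address. Anything else usually
        # means a wildcarding or hijacked resolver, so do not block on it.
        if code not in loopback or code in error_range:
            return "error"
    return "listed"

# Constructed sample data standing in for a real DNS resolver.
SAMPLE_ZONE = "dnsbl.example"
SAMPLE_RECORDS = {
    "2.0.0.127.dnsbl.example": ["127.0.0.2"],          # conventional test entry
    "7.113.0.203.dnsbl.example": ["127.255.255.254"],  # operator error code
    "9.113.0.203.dnsbl.example": ["198.51.100.1"],     # wildcarded answer
}

def stub_resolve(name):
    return SAMPLE_RECORDS.get(name, [])

if __name__ == "__main__":
    for ip in ("127.0.0.2", "192.0.2.99", "203.0.113.7", "203.0.113.9"):
        print(ip, dnsbl_query_name(ip, SAMPLE_ZONE),
              dnsbl_check(ip, SAMPLE_ZONE, stub_resolve))
```

Treating unexpected answers as an error instead of a listing keeps a misbehaving resolver from turning into a rejection of all inbound mail.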

SMTP Whitelist

Exclude senders from SMTP blocking. To prevent all SMTP checks (Greylisting, Receiver Verification, SPF and DNSBL) and accept all emails for analysis in the filter rule system, you can add the following to this list: Domains (Sender/Receiver), Mail address (Sender/Receiver), Regular Expression (Sender/Receiver), IP address (Sender), IP network (Sender).

Bayesian Filter - Automatically trained statistical filters

Certain words have a higher probability of occurring in spam emails than in legitimate emails. By being trained to recognize those words, the Bayesian filter checks every email and adjusts, in its database, the probability of each word being a spam word or not. This is done automatically.

Black- and Whitelists

Black- and Whitelists are an access control mechanism to accept, block, or quarantine emails to recipients. This allows you to tune the rule-system by applying different objects like domains, email address, regular expression, IP Network, LDAP Group, and others.

Auto-learning algorithm

Proxmox Mail Gateway gathers statistical information about spam emails. This information is used by an auto-learning algorithm, meaning the system becomes smarter over time.

Spam URI Real-time Block List (SURBL)

SURBLs are used to detect spam, based on the URIs in the message body (usually websites). This makes them different from most other Real-time Blocklists, because SURBLs are not used to block spam senders. Instead, SURBLs allow you to block messages whose bodies mention spam hosts.

Greylisting

Greylisting an email means that unknown senders are intentionally temporarily rejected. Since temporary failures are part of the specifications for mail delivery, a legitimate server will try to resend the email later on. Spammers, on the other hand, do not queue and reattempt mail delivery. A greylisted email never reaches your mail server and thus your mail server will not send useless "Non Delivery Reports" to spammers. Additionally, greylisted mail is not analyzed by the antivirus and spam-detector engines, which saves resources.

A mail is greylisted if it is the first mail from a sender to a receiver coming from a particular IP network. You can configure which IP addresses belong to the same network, by setting an appropriate netmask for greylisting.
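The greylisting decision described above, as an added sketch (not Proxmox code): the key is the triplet of sender network, sender and receiver, so a retry from a different address inside the same netmask still counts as the same sender. The class name, the prefix lengths, the minimum retry delay and the expiry window are assumptions; the page only states that the netmask is configurable.

```python
import ipaddress

class Greylist:
    """Minimal greylisting state, keyed on (network, sender, receiver)."""

    def __init__(self, prefix_v4=24, prefix_v6=64,
                 min_delay=300, retry_window=86400):
        self.prefix = {4: prefix_v4, 6: prefix_v6}  # hypothetical defaults
        self.min_delay = min_delay        # seconds before a retry is accepted
        self.retry_window = retry_window  # unretried entries expire after this
        self.first_seen = {}              # triplet -> time of first attempt
        self.passed = set()               # triplets that completed a retry

    def _network(self, ip):
        addr = ipaddress.ip_address(ip)
        return ipaddress.ip_network(
            f"{addr}/{self.prefix[addr.version]}", strict=False)

    def check(self, ip, sender, rcpt, now):
        """Return 'defer' (temporary SMTP rejection) or 'accept'."""
        key = (self._network(ip), sender, rcpt)
        if key in self.passed:
            return "accept"
        first = self.first_seen.get(key)
        if first is None or now - first > self.retry_window:
            self.first_seen[key] = now    # first contact, or a stale entry
            return "defer"
        if now - first < self.min_delay:
            return "defer"                # retried too quickly
        self.passed.add(key)
        return "accept"

# Constructed sample attempts: (time in seconds, client IP, sender, receiver)
SAMPLE_ATTEMPTS = [
    (1000, "198.51.100.10", "news@example.org", "bob@example.net"),
    (1060, "198.51.100.10", "news@example.org", "bob@example.net"),
    (1400, "198.51.100.77", "news@example.org", "bob@example.net"),
    (1400, "203.0.113.5", "news@example.org", "bob@example.net"),
]

def replay(attempts, greylist=None):
    """Run a list of attempts through one Greylist and collect the decisions."""
    greylist = greylist or Greylist()
    return [greylist.check(ip, sender, rcpt, t)
            for t, ip, sender, rcpt in attempts]

if __name__ == "__main__":
    for attempt, decision in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS)):
        print(attempt, "->", decision)
```

The third attempt is accepted although it comes from a different address, because both addresses fall into the same /24; a netmask that is too narrow delays mail from providers that retry from a pool of outbound servers.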

SMTP Protocol Tests

Postfix is able to do some sophisticated SMTP protocol tests (see man postscreen). Most spam is sent out by zombies (malware on compromised end-user computers), and those zombies often try to maximize the amount of mails delivered. In order to do that, many of them violate the SMTP protocol specification and thus can be detected by these tests.

Before and After Queue Filtering

Proxmox Mail Gateway can be configured to either accept the mail, by sending a response of 250 OK, and scan it afterwards, or alternatively inspect the mail directly after it has the content and respond with a reject 554 if the mail is blocked by the rule system. These options are known as After Queue and Before Queue filtering respectively (see Before and After Queue Scanning).

Configurable NDR policy

In certain environments, it can be unacceptable to discard an email, without informing the sender about that decision. You can decide whether you want to inform the senders of blocked emails or not.

1.2.2. Virus detection

Proxmox Mail Gateway integrates ClamAV®, which is an open-source (GPL) antivirus engine, designed for detecting Trojans, viruses, malware, and other malicious threats.

It provides a high performance, multi-threaded scanning daemon, command line utilities for on demand file scanning, and an intelligent tool for automatic signature updates.

1.2.3. Object-Oriented Rule System

The object-oriented rule system enables custom rules for your domains. It’s an easy but very powerful way to define filter rules by user, domains, time frame, content type and resulting action. Proxmox Mail Gateway offers a lot of powerful objects to configure your own custom system.

WHO - objects

Who is the sender or receiver of the email?

WHAT - objects

What is in the email?

WHEN - objects

When was the email received by Proxmox Mail Gateway?

ACTIONS - objects

Defines the final actions.

Every rule has five categories: FROM, TO, WHEN, WHAT and ACTION. Each of these categories can contain several objects and a direction (in, out or both).

Options range from simple spam and virus filter setups to sophisticated, highly customized configurations, blocking certain types of emails and generating notifications.

1.2.4. Web-based Management Interface

Proxmox Mail Gateway makes email security and filtering simple to manage. The web-based management interface allows you to set up and maintain even a complex mail system with ease.

There is no need to install a separate management tool. Any modern internet browser is sufficient.

1.2.5. Spam Quarantine

Identified spam mails can be stored in the user-accessible Spam Quarantine. Thus, users can view and manage their spam mails by themselves.

1.2.6. Tracking and Logging

The innovative Proxmox Message Tracking Center tracks and summarizes all available logs. With the web-based and user-friendly management interface, IT admins can easily view and control all functions from a single screen.

The Message Tracking Center is fast and powerful. It has been tested on Proxmox Mail Gateway sites which process over a million emails per day. All log files from the last 7 days can be queried, and the results are summarized by an intelligent algorithm.

The logged information includes:

  • Arrival of the email

  • Proxmox filter processing with results

  • Internal queue to your email server

  • Status of final delivery

1.2.7. DKIM Signing

Proxmox Mail Gateway offers the possibility to optionally sign outgoing emails with DKIM.

1.2.8. High Availability with Proxmox HA Cluster

To provide a 100% secure email system for your business, we developed Proxmox High Availability (HA) Cluster. The Proxmox HA Cluster uses a unique application-level clustering scheme, which provides extremely good performance. It is quick to set-up and the simple, intuitive management interface keeps resource requirements low. After temporary failures, nodes automatically reintegrate without any operator interaction.

1.2.9. LDAP Integration

It is possible to query user and group data from LDAP servers. This may be used to build special filter rules, or simply to provide authentication services for the Spam Quarantine GUI.

1.2.10. Fetchmail Integration

Proxmox Mail Gateway allows you to fetch mail from other IMAP or POP3 servers.

1.2.11. Flexible User Management

The administration interface uses a role-based access control scheme, using the following roles:

Superuser

This role is allowed to do everything (reserved for user root).

Administrator

Full access to the mail filter setup, but not allowed to alter the network setup.

Quarantine Manager

Is able to view and manage the Spam Quarantine.

Auditor

Has read-only access to the whole configuration, can access logs and view statistics.

Helpdesk

Combines permissions of the Auditor and the Quarantine Manager role.

1.3. Your benefit with Proxmox Mail Gateway

  • Open-source software

  • No vendor lock-in

  • Linux kernel

  • Fast installation and easy-to-use

  • Web-based management interface

  • REST API

  • Huge, active community

  • Low administration costs and simple deployment

1.4. Getting Help

1.4.1. Community Support Forum

Proxmox Mail Gateway itself is fully open source, so we always encourage our users to discuss and share their knowledge using the Proxmox Community Forum. The forum is moderated by the Proxmox support team, and has a large user base around the world. Needless to say, such a large forum is a great place to get information.

1.4.2. Commercial Support

Proxmox Server Solutions GmbH also offers commercial Proxmox Mail Gateway Subscription Service Plans. Users with a Basic subscription or above have access to a dedicated support portal with guaranteed response times, where Proxmox Mail Gateway developers can help them, should an issue appear. Please contact the Proxmox sales team for more information or volume discounts.

1.4.3. Bug Tracker

We also run a public bug tracker at https://bugzilla.proxmox.com. If you ever detect a bug, you can file a bug entry there. This makes it easy to track the bug’s status and get notified as soon as the bug is fixed.

2. Planning for Deployment

2.1. Easy Integration into Existing Email Server Architecture

In this sample configuration, your email traffic (SMTP) arrives on the firewall and will be directly forwarded to your email server.

By using Proxmox Mail Gateway, all your email traffic is forwarded to the Proxmox Mail Gateway instance, which filters the email traffic and removes unwanted emails. This allows you to manage incoming and outgoing mail traffic.

2.2. Filtering Outgoing Emails

Many email filtering solutions do not scan outgoing mails. In contrast, Proxmox Mail Gateway is designed to scan both incoming and outgoing emails. This has two major advantages:

  1. Proxmox Mail Gateway is able to detect viruses sent from an internal host. In many countries, you are liable for sending viruses to other people. The outgoing email scanning feature is an additional protection to avoid that.

  2. Proxmox Mail Gateway can gather statistics about outgoing emails too. Statistics about incoming emails may look nice, but they aren’t necessarily helpful. Consider two users; user-1 receives 10 emails from news portals and writes 1 email to an unknown individual, while user-2 receives 5 emails from customers and sends 5 emails in return. With this information, user-2 can be considered as the more active user, because they communicate more with your customers. Proxmox Mail Gateway advanced address statistics can show you this important information, whereas a solution which does not scan outgoing email cannot do this.

To enable outgoing email filtering, you simply need to send all outgoing emails through your Proxmox Mail Gateway (usually by specifying Proxmox Mail Gateway as "smarthost" on your email server).

2.3. Firewall Settings

In order to pass email traffic to Proxmox Mail Gateway, you need to allow traffic on the SMTP port. Our software uses the Network Time Protocol (NTP), RAZOR, DNS, SSH, and HTTP, as well as port 8006 for the web-based management interface.

Service   Port   Protocol   From         To
SMTP      25     TCP        Proxmox      Internet
SMTP      25     TCP        Internet     Proxmox
SMTP      26     TCP        Mailserver   Proxmox
NTP       123    TCP/UDP    Proxmox      Internet
RAZOR     2703   TCP        Proxmox      Internet
DNS       53     TCP/UDP    Proxmox      DNS Server
HTTP      80     TCP        Proxmox      Internet
GUI/API   8006   TCP        Intranet     Proxmox

Caution: It is recommended to restrict access to the GUI/API port as far as possible.

The outgoing HTTP connection is mainly used by virus pattern updates, and can be configured to use a proxy instead of a direct internet connection.

You can use the nmap utility to test your firewall settings (see section port scans).

2.4. System Requirements

Proxmox Mail Gateway can run on dedicated server hardware or inside a virtual machine on any of the following platforms:

  • Proxmox VE (KVM)

  • VMware vSphere™ (open-vm tools are integrated in the ISO)

  • Hyper-V™ (Hyper-V Linux integration tools are integrated in the ISO)

  • KVM (virtio drivers are integrated, great performance)

  • VirtualBox™

  • Citrix Hypervisor™ (former XenServer™)

  • LXC container

  • and others that support Debian Linux as a guest OS

Please see https://www.proxmox.com for details.

To benchmark your hardware, run pmgperf after installation.

2.4.1. Minimum System Requirements

  • CPU: 64bit (Intel EMT64 or AMD64)

  • 2 GB RAM

  • Bootable CD-ROM-drive or USB boot support

  • Monitor with a minimum resolution of 1024x768 for the installation

  • Hard disk with at least 8 GB of disk space

  • Ethernet network interface card (NIC)

2.4.2. Recommended System Requirements

  • Multi-core CPU: 64bit (Intel EMT64 or AMD64),

    • for use in a virtual machine, activate Intel VT/AMD-V CPU flag

  • 4 GB RAM

  • Bootable CD-ROM-drive or USB boot support

  • Monitor with a minimum resolution of 1024x768 for the installation

  • 1 Gbps Ethernet network interface card (NIC)

  • Storage: at least 8 GB free disk space, best set up with redundancy, using a hardware RAID controller with battery backed write cache (“BBU”) or ZFS. ZFS is not compatible with hardware RAID controllers. For best performance, use enterprise-class SSDs with power loss protection.

2.4.3. Supported web browsers for accessing the web interface

To use the web interface, you need a modern browser. This includes:

  • Firefox, a release from the current year, or the latest Extended Support Release

  • Chrome, a release from the current year

  • Microsoft’s currently supported version of Edge

  • Safari, a release from the current year

3. Installation

Proxmox Mail Gateway is based on Debian. This is why the install disk images (ISO files) provided by Proxmox include a complete Debian system as well as all necessary Proxmox Mail Gateway packages.

Tip: See the support table in the FAQ for the relationship between Proxmox Mail Gateway releases and Debian releases.

The installer will guide you through the setup, allowing you to partition the local disk(s), apply basic system configurations (for example, timezone, language, network) and install all required packages. This process should not take more than a few minutes. Installing with the provided ISO is the recommended method for new and existing users.

Alternatively, Proxmox Mail Gateway can be installed on top of an existing Debian system. This option is only recommended for advanced users because detailed knowledge about Proxmox Mail Gateway is required.

3.1. Prepare Installation Media

The Proxmox Mail Gateway installation media is a hybrid ISO image. It works in two ways:

  • An ISO image file ready to burn to a CD or DVD.

  • A raw sector (IMG) image file ready to copy to a USB flash drive (USB stick).

Using a USB flash drive to install Proxmox Mail Gateway is the recommended way, because it is the faster option.

3.1.1. Prepare a USB Flash Drive as an Installation Medium

The flash drive needs to have at least 1 GB of storage available.

Note: Do not use UNetbootin. It does not work with the Proxmox Mail Gateway installation image.

Important: Make sure that the USB flash drive is not mounted and does not contain any important data.

3.1.2. Instructions for GNU/Linux

On a Unix-like operating system, you can use the dd command to copy the ISO image to the USB flash drive. To do this, find the device name of the USB flash drive (see below), then run the dd command.

# dd bs=1M conv=fdatasync if=./proxmox-mailgateway_*.iso of=/dev/XYZ

Note: Be sure to replace /dev/XYZ with the correct device name and adapt the input filename (if) path.

Caution: Be very careful, and do not overwrite the wrong disk!

Find the USB Device Name

There are multiple ways to find out the name of the USB flash drive. One is to compare the last lines of the dmesg command output before and after plugging in the flash drive. Another way is to compare the output of the lsblk command. Open a terminal and run:

# lsblk

Then plug in your USB flash drive and run the command again:

# lsblk

A new device will appear. This is the one you want to use. As an additional precaution, check that the reported size matches your USB flash drive.

3.1.3. Instructions for macOS

Open the terminal (query Terminal in Spotlight).

Convert the .iso file to .img using the convert option of hdiutil, for example:

# hdiutil convert -format UDRW -o proxmox-mailgateway_*.dmg proxmox-mailgateway_*.iso

Tip: macOS tends to automatically add .dmg to the output filename.

To get the current list of devices, run the command:

# diskutil list

Now insert the USB flash drive and run this command again to determine which device node has been assigned to it (e.g., /dev/diskX).

# diskutil list
# diskutil unmountDisk /dev/diskX

Note: Replace X with the disk number from the last command.

# sudo dd if=proxmox-mailgateway_*.dmg of=/dev/rdiskX bs=1m

Note: Using rdiskX instead of diskX in the last command is intended. This will increase the write speed.

3.1.4. Instructions for Windows

Using Etcher

Etcher works out of the box. Download Etcher from https://etcher.io. It will guide you through the process of selecting the ISO and your USB drive.

Using Rufus

Rufus is a more lightweight alternative, but you need to use the DD mode to make it work. Download Rufus from https://rufus.ie/. Either install it or use the portable version. Select the destination drive and the Proxmox Mail Gateway ISO file.

Important: After you Start, you have to click No on the dialog asking to download a different version of GRUB. In the next dialog select the DD mode.

3.2. Using the Proxmox Mail Gateway Installation CD-ROM

The installer ISO image includes the following:

  • Complete operating system (Debian Linux, 64-bit)

  • The Proxmox Mail Gateway installer, which partitions the hard drive(s) with ext4, XFS or ZFS and installs the operating system

  • Linux kernel

  • Postfix MTA, ClamAV, Spamassassin and the Proxmox Mail Gateway toolset

  • Web-based management interface for using the toolset

Please insert the prepared installation media (for example, USB flash drive or CD-ROM) and boot from it.

Tip: Make sure that booting from the installation medium (for example, USB) is enabled in your server's firmware settings.

After choosing the correct entry (for example, Boot from USB) the Proxmox Mail Gateway menu will be displayed, and one of the following options can be selected:

Install Proxmox Mail Gateway

Start normal installation.

Install Proxmox Mail Gateway (Debug mode)

Start installation in debug mode. This opens a shell console at various stages throughout the installation, so that you can debug issues, if something goes wrong. You can press CTRL-D to exit the debug console and continue the installation. This option is mostly for developers and not meant for general use.

Rescue Boot

This option allows you to boot an existing installation. It searches all attached hard disks and, if it finds an existing installation, boots directly into that disk using the existing Linux kernel. This can be useful if there are problems with the boot block (grub), or the BIOS is unable to read the boot block from the disk.

Test Memory

Runs memtest86+. This is useful to check if your memory is functional and error free.

You normally select Install Proxmox Mail Gateway to start the installation.

The first step is to read our EULA (End User License Agreement). Following this, you can select the target hard disk(s) for the installation.

Caution: By default, the whole server is used and all existing data is removed. Make sure there is no important data on the server before proceeding with the installation.

The Options button lets you select the target file system, which defaults to ext4. The installer uses LVM if you select ext4 or xfs as a file system, and offers additional options to restrict LVM space (see below).

If you have more than one disk, you can also use ZFS as a file system. ZFS supports several software RAID levels, which is particularly useful if you do not have a hardware RAID controller. The Options button lets you choose the ZFS RAID level and select which disks will be used.

The next page asks for basic configuration options like your location, timezone, and keyboard layout. The location is used to select a nearby download server, in order to increase the speed of updates. The installer is usually able to auto-detect these settings, so you only need to change them in rare situations when auto-detection fails, or when you want to use a keyboard layout not commonly used in your country.