pmgproxy - Proxmox Mail Gateway API Proxy Daemon



pmgproxy help [OPTIONS]

Get help about specified command.

--extra-args <array>

Shows help for a specific command

--verbose <boolean>

Verbose output format.

pmgproxy restart

Restart the daemon (or start if not running).

pmgproxy start [OPTIONS]

Start the daemon.

--debug <boolean> (default = 0)

Debug mode - stay in foreground

pmgproxy status

Get daemon status.

pmgproxy stop

Stop the daemon.


This daemon exposes the whole Proxmox Mail Gateway API on TCP port 8006 using HTTPS. It runs as user www-data and has very limited permissions. Operations requiring more permissions are forwarded to the local pmgdaemon.

Requests targeted for other nodes are automatically forwarded to those nodes. This means that you can manage your whole cluster by connecting to a single Proxmox Mail Gateway node.

Alternative HTTPS certificate

By default, pmgproxy uses the certificate /etc/pmg/pmg-api.pem for HTTPS connections. This certificate is self signed, and therefore not trusted by browsers and operating systems by default. You can simply replace this certificate with your own (please include the key inside the .pem file).

Host based Access Control

It is possible to configure “apache2”-like access control lists. Values are read from file /etc/default/pmgproxy. For example:


IP addresses can be specified using any syntax understood by Net::IP. The name all is an alias for 0/0.

The default policy is allow.

Match POLICY=deny POLICY=allow

Match Allow only



Match Deny only



No match



Match Both Allow & Deny



SSL Cipher Suite

You can define the cipher list in /etc/default/pmgproxy, for example


Above is the default. See the ciphers(1) man page from the openssl package for a list of all available options.

Additionally you can define that the client choses the used cipher in /etc/default/pmgproxy (default is the first cipher in the list available to both client and pmgproxy):


Diffie-Hellman Parameters

You can define the used Diffie-Hellman parameters in /etc/default/pmgproxy by setting DHPARAMS to the path of a file containing DH parameters in PEM format, for example


If this option is not set, the built-in skip2048 parameters will be used.

Note DH parameters are only used if a cipher suite utilizing the DH key exchange algorithm is negotiated.


By default pmgproxy uses gzip HTTP-level compression for compressible content, if the client supports it. This can disabled in /etc/default/pmgproxy


Copyright © 2007-2020 Proxmox Server Solutions GmbH

This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License along with this program. If not, see