Proxmox Mail Gateway - User contributions [en]
https://pmg.proxmox.com/wiki/api.php?action=feedcontributions&user=Martin&feedformat=atom
2024-03-29T14:57:29Z
User contributions
MediaWiki 1.35.11

Main Page
https://pmg.proxmox.com/wiki/index.php?title=Main_Page&diff=125
2023-06-29T08:57:20Z
<p>Martin: /* Installation */</p>
<hr />
<div>__NOTOC__<br />
<TABLE><br />
<tr valign=top><br />
<td><br />
<br />
'''Proxmox Mail Gateway''' is an open-source email security platform based on Debian GNU/Linux. It protects your mail server from spam, viruses, trojans and phishing emails. The full-featured mail proxy is deployed between the firewall and the internal mail server and lets you control all incoming and outgoing email traffic from a single platform with a central web-based management interface. Proxmox Mail Gateway is open-source software, licensed under the GNU AGPL, v3.<br />
<br />
The project is developed and maintained by [https://www.proxmox.com/en/ Proxmox Server Solutions GmbH].<br />
<br />
For an overview of the Proxmox Mail Gateway key features see the [https://www.proxmox.com/en/proxmox-mail-gateway/features Proxmox website].<br />
<br />
=Download=<br />
[https://www.proxmox.com/downloads Download] the latest ISO image files.<br />
<br />
Alternate download: https://enterprise.proxmox.com/iso<br />
<br />
=Installation=<br />
<br />
The installation medium (CD or USB) is a complete operating system, including everything you need to install and run Proxmox Mail Gateway in only a few minutes. It can be installed bare-metal on dedicated hardware or in a virtual machine on all leading virtualization platforms. You can also install it on top of an existing Debian installation.<br />
<br />
'''Installing'''<br />
<br />
[https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_installation Installation of Proxmox Mail Gateway]<br />
<br />
[[Getting started with Proxmox Mail Gateway]]<br />
<br />
= Upgrading Proxmox Mail Gateway =<br />
System software updates are downloaded from the [https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmg_package_repositories Package Repositories] and should be applied frequently to receive the most recent bug/security fixes and to obtain the newest features.<br />
<br />
You can also upgrade existing Proxmox Mail Gateway installations to the next major release:<br />
<br />
* [[Upgrade from 7 to 8|Upgrade from Proxmox Mail Gateway 7 to 8]]<br />
* [[:Category:Upgrade|Upgrade Guides for older Releases]]<br />
<br />
=Documentation=<br />
The Proxmox Mail Gateway documentation is freely available in different formats such as HTML, PDF or EPUB, see [https://pmg.proxmox.com/pmg-docs/ Proxmox Mail Gateway Reference Documentation]. You can also access the documentation via the management interface of your Proxmox Mail Gateway installation by clicking on the contextual help buttons.<br />
<br />
The developer documentation explains how to get involved in the development process of the Proxmox Mail Gateway, see [[Developer Documentation]]<br />
<br />
=Release History and Roadmap=<br />
Take a look at the [[Roadmap]] for existing and upcoming features.<br />
<br />
</td><br />
<td><br />
[[Image:Proxmox-Mail-Gateway-Statistics.png|thumb|300px|rightthumb|Proxmox Mail Gateway Statistics]]<br />
</td><br />
</tr><br />
</TABLE><br />
<br />
<!-- T.r.a.p <a href="mailto:user2@test.proxmox.org">do not use this address</a> --></div>
Martin

Main Page
https://pmg.proxmox.com/wiki/index.php?title=Main_Page&diff=112
2023-03-28T09:28:56Z
<p>Martin: </p>
<hr />
<div>__NOTOC__<br />
<TABLE><br />
<tr valign=top><br />
<td><br />
<br />
'''Proxmox Mail Gateway''' is an open-source email security platform based on Debian GNU/Linux. It protects your mail server from spam, viruses, trojans and phishing emails. The full-featured mail proxy is deployed between the firewall and the internal mail server and lets you control all incoming and outgoing email traffic from a single platform with a central web-based management interface. Proxmox Mail Gateway is open-source software, licensed under the GNU AGPL, v3.<br />
<br />
The project is developed and maintained by [https://www.proxmox.com/en/ Proxmox Server Solutions GmbH].<br />
<br />
For an overview of the Proxmox Mail Gateway key features see the [https://www.proxmox.com/en/proxmox-mail-gateway/features Proxmox website].<br />
<br />
=Download=<br />
[https://www.proxmox.com/downloads Download] the latest ISO image files.<br />
<br />
Alternate download: https://enterprise.proxmox.com/iso<br />
<br />
=Installation=<br />
<br />
The installation medium (CD or USB) is a complete operating system, including everything you need to install and run Proxmox Mail Gateway in only a few minutes. It can be installed bare-metal on dedicated hardware or in a virtual machine on all leading virtualization platforms. You can also install it on top of an existing Debian installation.<br />
<br />
'''Installing'''<br />
<br />
[https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_installation Installation of Proxmox Mail Gateway]<br />
<br />
[[Getting started with Proxmox Mail Gateway]]<br />
<br />
'''Upgrading'''<br />
<br />
[[Upgrade_from_5.x_to_6.0|Upgrade from Proxmox Mail Gateway 5.x to 6.0]]<br />
<br />
[[Upgrade_from_6.x_to_7.0|Upgrade from Proxmox Mail Gateway 6.x to 7.0]]<br />
<br />
=Documentation=<br />
The Proxmox Mail Gateway documentation is freely available in different formats such as HTML, PDF or EPUB, see [https://pmg.proxmox.com/pmg-docs/ Proxmox Mail Gateway Reference Documentation]. You can also access the documentation via the management interface of your Proxmox Mail Gateway installation by clicking on the contextual help buttons.<br />
<br />
The developer documentation explains how to get involved in the development process of the Proxmox Mail Gateway, see [[Developer Documentation]]<br />
<br />
=Release History and Roadmap=<br />
Take a look at the [[Roadmap]] for existing and upcoming features.<br />
<br />
</td><br />
<td><br />
[[Image:Proxmox-Mail-Gateway-Statistics.png|thumb|300px|rightthumb|Proxmox Mail Gateway Statistics]]<br />
</td><br />
</tr><br />
</TABLE><br />
<br />
<!-- T.r.a.p <a href="mailto:user2@test.proxmox.org">do not use this address</a> --></div>
Martin

Roadmap
https://pmg.proxmox.com/wiki/index.php?title=Roadmap&diff=111
2023-03-28T09:23:13Z
<p>Martin: /* Proxmox Mail Gateway 7.3 */</p>
<hr />
<div><div class="toclimit-3">__TOC__</div><br />
<br />
=Roadmap=<br />
*<s>SpamAssassin 4</s> done<br />
*Continuous security and bug fix updates<br />
=Release History=<br />
See also [https://forum.proxmox.com/forums/announcements.7/ Announcement forum]<br />
== Proxmox Mail Gateway 7.3 ==<br />
'''Released 28. March 2023'''<br />
* Based on Debian Bullseye (11.6)<br />
* Latest 5.15 Kernel as stable default<br />
* Newer 6.2 kernel as opt-in<br />
* ZFS 2.1.9<br />
* SpamAssassin 4.0.0 (new major version)<br />
* PostgreSQL 13.10<br />
<br />
=== Highlights ===<br />
<br />
* Proxmox Mail Gateway now provides a dark theme for the administrative and quarantine web interfaces.<br />
* SpamAssassin 4.0.0 was integrated, along with many of its new capabilities, like (optionally) scanning document contents (docx, pdf, images,...), or resolving URLs from url-shorteners.<br />
<br />
=== Changelog Overview ===<br />
<br />
==== Enhancements in the Rule System ====<br />
* New major release SpamAssassin 4.0.0, with many new features: <br />
** Detection of spam inside of attachments. This is implemented for the file types <code>.pdf</code>, <code>.odt</code>, <code>.docx</code>, <code>.doc</code>, <code>.rtf</code>, as well as images (through OCR).<br />
*:: Attachment scanning can be enabled using the Web UI (<code>Spam Detector</code> -> <code>Options</code>), which sets the <code>extract_text</code> option in the <code>spam</code> section of <code>/etc/pmg/pmg.conf</code>.<br />
*:: The dependencies required for attachment scanning are marked as optional but recommended dependencies of the <code>pmg-api</code> package.<br />
*:: This means that on systems that did not change the apt preference, the new dependencies should be pulled in automatically on upgrade; otherwise you might need to install them manually.<br />
*: Note that attachment scanning, and OCR in particular, increases CPU time spent per mail. Depending on email volume and available CPU power, you may see a significant increase in load.<br />
** Follow and analyze URL-shortener links.<br />
** Improved support for using information from DMARC-policies.<br />
** Improved handling of internationalized (IDN) domain names.<br />
* Adaptation of the SpamAssassin integration for version 4.0.0:<br />
: The SpamAssassin configuration files shipped with the <code>pmg-api</code> package were adapted to the new features.<br />
: <code>extract_text</code> was added as a new option for the spam detector to disable content scanning, while most other new options are triggered with the <code>use_rbl</code> option.<br />
: On deployments with modified templates, the upgrade process will ask how changes should be merged. This provides an opportunity to re-evaluate which modifications are still needed.<br />
* Support enforcing TLS-only connections for mails from certain domains:<br />
: It is now possible to enforce TLS encryption for inbound mail, complementing the already-present TLS policy functionality for outbound mail.<br />
* Improved handling of SMTPUTF8:<br />
: Based on the user feedback on UTF-8 support for the rule system introduced in Proxmox Mail Gateway 7.2, it is now possible to disable SMTPUTF8 through the API and GUI.<br />
: The detection for SMTPUTF8 was aligned with the implementation in <code>postfix</code>.<br />
* The What objects "Match Archive Filename" now also use the optional filename from the GZIP header for matching.<br />
* Support trusted network entries with host bits set in the CIDR:<br />
: Quite a few deployments did use a CIDR with host-bits set, for example 192.0.2.5/24 instead of 192.0.2.0/24. This is now translated internally and handled correctly.<br />
* Ordering of multiple rules with the same priority is now stable, despite not being a recommended setup.<br />
<br />
==== Enhancements in the Web Interface (GUI) ====<br />
<br />
* Add a fully-integrated "Proxmox Dark" color theme variant of the long-time Crisp light theme.<br />
: By default, the <code>prefers-color-scheme</code> media query from the Browser/OS will be used to decide the default color scheme.<br />
: Users can override the theme via a newly added <code>Color Theme</code> menu in the user menu.<br />
* Add "Proxmox Dark" color theme to the Proxmox Mail Gateway reference documentation.<br />
: The <code>prefers-color-scheme</code> media query from the Browser/OS will be used to decide if the light or dark color scheme should be used.<br />
: The new dark theme is also available in the [https://pmg.proxmox.com/pmg-docs/api-viewer/index.html#/nodes/{node}/version Proxmox Mail Gateway API Viewer].<br />
* Task logs can now be downloaded directly as text files for further inspection.<br />
* The language chooser now displays, for each available language, both its native name as well as its name translated to the currently active language.<br />
* HTML-encode API results before rendering as additional hardening against XSS.<br />
* Automatically redirect HTTP requests to HTTPS for convenience.<br />
: This avoids "Connection reset" browser errors that can be confusing, especially after setting up a Proxmox Mail Gateway host the first time.<br />
* Invalid entries in advanced fields now cause the advanced panel to unfold, providing direct feedback.<br />
* Improved translations, among others:<br />
** Arabic<br />
** French<br />
** German<br />
** Italian<br />
** Japanese<br />
** Russian<br />
** Slovenian<br />
** Simplified Chinese<br />
<br />
==== Notable General Improvements and Bug Fixes ====<br />
* The documentation now has a chapter describing the statistics part of the GUI and API.<br />
* Mail delivery from quarantine uses new code for sending locally generated mail, with the following improvements:<br />
** Support for IPv6-only deployments and delivery status notifications.<br />
** Correct decoding of addresses containing UTF-8.<br />
* The cleanup before restoring the configuration from a backup was improved, preventing issues when restoring without rebooting the system.<br />
* Logging of errors when sending locally generated mail was improved.<br />
* Errors in files related to TLS-policy are now also reported in the syslog.<br />
* The output of <code>pmgdb dump</code> is now able to handle UTF-8 characters in rule names, object names, and comments.<br />
<br />
==== Installation ISO ====<br />
<br />
* The version of BusyBox shipped with the ISO was updated to version 1.36.0.<br />
* The EFI System Partition (ESP) defaults to 1 GiB of size if the root disk partition (<code>hdsize</code>) is bigger than 100 GB.<br />
* UTC can now be selected as timezone during installation.<br />
<br />
<div id="7.3-known-issues"></div><br />
<br />
=== Known Issues & Breaking Changes ===<br />
<br />
* The ISO does not ship the optional dependencies for extracting text from attachments. If you installed from the ISO and want to use the feature, you can simply install them manually:<br />
*: <code>apt install antiword docx2txt odt2txt poppler-utils tesseract-ocr unrtf</code><br />
<br />
== Proxmox Mail Gateway 7.2 ==<br />
'''Released 30. November 2022'''<br />
<br />
* Based on Debian Bullseye (11.5)<br />
* Latest 5.15 Kernel as stable default (5.15.74)<br />
* Newer 5.19 kernel as opt-in<br />
* ZFS 2.1.6<br />
* SpamAssassin 3.4.6 (with updated rule-set)<br />
* PostgreSQL 13.8<br />
<br />
'''Changelog Overview'''<br />
<br />
* Enhancements in the Rule system:<br />
** Improved handling of international emails<br />
*** Support for UTF-8 characters in the rule system (e.g. matching non-ASCII subjects).<br />
*** Better handling of [https://www.rfc-editor.org/rfc/rfc6531 SMTPUTF8 emails] (the smtp-dialogue already contains non-ASCII data, the headers contain UTF-8 data without MIME encoding).<br />
** Proper encoding for template-variable information in the Notifications and Modify Field actions.<br />
** MatchField now matches all occurrences of a header - not only the first one - especially relevant for <code>Received</code> headers.<br />
** Deprecated the <code>Attach</code>, <code>Counter</code> and <code>ReportSpam</code> Actions.<br />
*: While they were present in the code of Proxmox Mail Gateway, they were never exposed in the GUI or API.<br />
*: All three have now been deprecated and will be removed with version 8.0.<br />
<br />
* Improved Quarantine UX:<br />
** Quarantine interface for Administrators: many of the recent features for end-users in the Spam Quarantine have been ported to the administrator view:<br />
*** Allow selection of multiple mails.<br />
*** Context menu in the mail-listing.<br />
*** Display the Receiver information in the Attachment and Virus quarantines and the Mail Info widget.<br />
** Augmented the information visualization in the Spam information grid.<br />
*** The weight (number of points) and the type of impact (positive or negative) of SpamAssassin rules are now shown with colors and font-weights to make them easier to grasp.<br />
*** The rule IDs and scores are using a monospaced font for better comparison of values.<br />
** Colorized <code>Deliver</code> and <code>Delete</code> actions improve intuitive handling of the common actions.<br />
** Display of attachments in the Spam and Virus quarantines (for a more complete overview of the mail).<br />
** Attachment and Virus quarantines can now optionally be filtered by Receiver - especially helpful in larger deployments.<br />
** Display of descriptions for locally defined SpamAssassin rules.<br />
** Fix displaying the quarantine interface on narrow screens: Part of the action buttons were cut off and not reachable through scrolling.<br />
<br />
* Enhancements in the web interface (GUI):<br />
** The Postfix queue interface now displays the mail's headers in a decoded way - so that you see it as in your mail user agent.<br />
** The Statistic time selector now does not show non-existent day/month combinations (e.g. the 31. Day of February).<br />
** Better spacing of the Field labels in the rule object edit windows.<br />
** Improved translations, among others:<br />
*** Dutch<br />
*** German<br />
*** Italian<br />
*** Polish<br />
*** Traditional Chinese<br />
*** Turkish<br />
<br />
* Support Proxmox Offline Mirroring & Subscription Handling<br />
** Proxmox Offline Mirror: The tool supports subscriptions and repository mirrors for air-gapped systems. The newly added [https://pom.proxmox.com proxmox-offline-mirror] utility can now be used to keep Proxmox Mail Gateway hosts without access to the public internet up to date and running with a valid subscription.<br />
<br />
* Notable General Improvements and Bugfixes:<br />
** Add IP networks uniquely to template variables (<code>postfix.mynetworks</code>)<br />
*: If you had multiple entries in your transport directory, all pointing to the same host, they were added multiple times to the variable used in the configuration system.<br />
** Support for Proxmox Backup Server Namespaces.<br />
** Spam report emails now correctly display the <code>From</code> header, even if it contains a comma (e.g. <code>"Lastname, Firstname" <firstname.lastname@domain.example></code>).<br />
** The left-over config file <code>/etc/apt/apt.conf.d/75pmgconf</code> was removed, enabling the automatic removal of obsolete kernel packages, which can take up significant amounts of space.<br />
** SpamAssassin updates now handle updates to multiple channels correctly on the first run.<br />
** Improved parsing of email attributes from LDAP profiles.<br />
** Changing the directory to '/' before running <code>psql</code> as the <code>postgres</code> user - preventing the printing of harmless but confusing warnings with various Proxmox Mail Gateway CLI utilities.<br />
** Support disabling TLS 1.2 and configuring TLS 1.3 ciphers for <code>pmgproxy</code> - following the change for <code>pveproxy</code> in Proxmox VE.<br />
'''Upgrade from 6.4'''<br />
<br />
See [[Upgrade from 6.x to 7.0]]<br />
== Proxmox Mail Gateway 7.1 ==<br />
'''Released 30. November 2021'''<br />
* Based on Debian Bullseye (11.1)<br />
* Kernel 5.13<br />
* ZFS 2.1<br />
* SpamAssassin 3.4.6 (with updated rule-set)<br />
* PostgreSQL 13.5<br />
<br />
'''Changelog Overview'''<br />
<br />
* Enhancements in the web interface (GUI)<br />
** Improved configuration editing of LDAP backends: Changes can now be applied without having to specify a password.<br />
** The APT repository configuration, rather than being restricted to 'root', is now visible and editable by all users with 'Administrator' privileges.<br />
** Improved translations, among others:<br />
*** Arabic<br />
*** Basque<br />
*** Brazilian Portuguese<br />
*** French<br />
*** German<br />
*** Simplified Chinese<br />
*** Traditional Chinese<br />
*** Turkish<br />
<br />
* Two-Factor Authentication<br />
** Two-factor authentication (TFA) for the web interface. Shares the TFA implementation from Proxmox Backup Server, written in Rust.<br />
** Support for multiple types of second factors:<br />
*** WebAuthn, which supports a wide range of security devices, like hardware keys or trusted platform modules.<br />
*** Time-based One-Time Password (TOTP), a short code derived from a shared secret and the current time; it changes every 30 seconds.<br />
*** Single use Recovery Keys.<br />
<br />
* Backend and API<br />
** Improved support for setups using DHCP for their network configuration:<br />
*: While email still requires working DNS records, you can now manage and configure the IP of your Proxmox Mail Gateway in your DHCP configuration.<br />
** When adding a new entry to a Who object, a duplicate check is performed before saving.<br />
** Better handling of trailing dot in domain-names:<br />
*: Proxmox Mail Gateway uses the first search domain from <code>/etc/resolv.conf</code> as domain name - it can now handle entries with a trailing dot.<br />
** Delivery status notification (DSN, RFC 3461) support for outbound email with enabled before-queue filtering.<br />
'''Upgrade from 6.4'''<br />
<br />
See [[Upgrade from 6.x to 7.0]]<br />
<br />
== Proxmox Mail Gateway 7.0 ==<br />
'''Released 15. July 2021'''<br />
* Based on Debian Bullseye (11)<br />
* SpamAssassin 3.4.6 (with updated rule-set)<br />
* Kernel 5.11<br />
* PostgreSQL 13<br />
<br />
'''Changelog Overview'''<br />
<br />
* Enhancements in the web interface (GUI)<br />
** Make dashboard status panel more detailed, showing, among other things, uptime, kernel version, CPU info and a high level repository status overview.<br />
** New APT repository management panel in the <code>Administration</code> tab shows an in-depth status and a list of all configured repositories.<br />
**: Basic repository management, for example, activating or deactivating a repository, is also supported.<br />
** Updated ExtJS JavaScript framework to latest GPL release 7.0<br />
** Added advanced task-log filtering<br />
** Improved translations, including:<br />
*** Arabic<br />
*** French<br />
*** German<br />
*** Japanese<br />
*** Polish<br />
*** Turkish<br />
<br />
* ACME/Let's Encrypt<br />
** Support the use of wildcard domains with the DNS plugins<br />
** API: nodeconfig: validate ACME config before writing<br />
<br />
* API<br />
** pmgproxy: allow setting LISTEN_IP parameter<br />
** The "Authentication mode" setting of <code>LDAP</code> for the quarantine interface no longer contains the ticket-link in the report-mails - thus, quarantine users need to provide their LDAP credentials to access the quarantine.<br />
<br />
* Installer:<br />
** Rework the installer environment to use <code>switch_root</code> instead of <code>chroot</code>, when transitioning from initrd to the actual installer.<br />
**: This improves module and firmware loading, and slightly reduces memory usage during installation.<br />
** Automatically detect HiDPI screens, and increase console font and GUI scaling accordingly. This improves UX for workstations with Proxmox VE (for example, for passthrough).<br />
** Improve ISO detection:<br />
*** Support ISOs backed by devices using USB Attached SCSI (UAS), which modern USB3 flash drives often do.<br />
*** Linearly increase the delay of subsequent scans for a device with an ISO image, bringing the total check time from 20s to 45s. This allows for the detection of very slow devices, while continuing faster in general.<br />
** Use <code>zstd</code> compression for the initrd image and the squashfs images.<br />
** Update to busybox 1.33.1 as the core-utils provider.<br />
<br />
* libarchive-perl<br />
** The perl-bindings to <code>libarchive</code> have been updated to match <code>libarchive</code> version 3.4.3 (shipped in Debian Bullseye) - the library interface was kept backwards-compatible<br />
<br />
* libxdgmime-perl<br />
** The perl-bindings to [https://gitlab.freedesktop.org/xdg/xdgmime xdgmime] have been updated to match current upstream - the library interface was kept backwards-compatible<br />
<br />
<div id="7.0-breaking-changes"></div><br />
'''Breaking Changes'''<br />
* New default bind address for pmgproxy, unifying the default behavior with Proxmox VE and Proxmox Backup Server<br />
** In making the LISTEN_IP configurable, the daemon now binds to both wildcard addresses (IPv4 <code>0.0.0.0:8006</code> and IPv6 <code>[::]:8006</code>) by default.<br />
*: Should you wish to prevent it from listening on IPv6, simply configure the IPv4 wildcard as LISTEN_IP in <code>/etc/default/pmgproxy</code>:<br />
*: <code>LISTEN_IP="0.0.0.0"</code><br />
** Additionally, the logged IP address format changed for IPv4 in pmgproxy's access log (<code>/var/log/pmgproxy/pmgproxy.log</code>). They are now logged as IPv4-mapped IPv6 addresses. Instead of:<br />
*: <code>192.0.2.1- root@pam [01/06/2021:01:19:03 +0200] "GET /api2/json/config/ruledb/digest HTTP/1.1" 200 51</code><br />
*: the line now looks like:<br />
*: <code>::ffff:192.0.2.1- root@pam [01/06/2021:01:19:03 +0200] "GET /api2/json/config/ruledb/digest HTTP/1.1" 200 51</code><br />
*:If you want to restore the old logging format, also set <code>LISTEN_IP="0.0.0.0"</code><br />
<br />
* ClamAV has [https://blog.clamav.net/2021/04/are-you-still-attempting-to-download.html deprecated the SafeBrowsing feature]:<br />
** These options have been removed from the shipped <code>freshclam.conf.in</code> template.<br />
** The <code>safebrowsing</code> config key in <code>/etc/pmg/pmg.conf</code> is currently ignored and will be dropped at some point in the future.<br />
<br />
* Changes to the database layout:<br />
** The <code>host</code> column of the <code>cgreylist</code> table, which has not been used since Proxmox Mail Gateway 6.2, has been dropped from the schema and will be dropped from existing databases during the upgrade.<br />
<br />
* API deprecations, moves and removals<br />
** The <code>upgrade</code> parameter of the <code>/nodes/{node}/termproxy</code> API method has been replaced by providing <code>upgrade</code> as <code>cmd</code> parameter.<br />
** The <code>domain</code> parameter of the <code>/config/tlspolicy</code> API method has been replaced by the <code>destination</code> parameter.<br />
** The <code>/quarantine/whitelist/{address}</code> and <code>/quarantine/blacklist/{address}</code> API methods, that take the address as part of the path, have been deprecated in favor of explicitly providing the parameter in the request to <code>/quarantine/whitelist</code> and <code>/quarantine/blacklist</code> respectively.<br />
** The API methods for detailed statistics per e-mail address, which take the address as part of the path (<code>/statistics/contact/{contact}</code>, <code>/statistics/sender/{sender}</code> and <code>/statistics/receiver/{receiver}</code>), have been deprecated in favor of <code>/statistics/detail</code>, which takes the address as an explicit parameter.<br />
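
The pmgproxy access-log change listed under Breaking Changes above affects any log rule or allowlist keyed on IPv4 client addresses. The following is an added example, not code from Proxmox or from this wiki: it parses both line formats and unwraps IPv4-mapped IPv6 addresses before an allowlist check. The field layout is inferred from the two sample lines on this page; <code>MGMT_NETS</code>, the function names and the last two sample lines are assumptions made for the illustration.

```python
import ipaddress
import re

# Field layout inferred from the two sample lines on this page. The space in
# front of the first "-" is optional because the page's samples omit it.
LINE_RE = re.compile(
    r'^(?P<client>\S+?)\s*-\s+(?P<user>\S+)\s+\[(?P<time>[^\]]+)\]\s+'
    r'"(?P<request>[^"]*)"\s+(?P<status>\d{3})\s+(?P<size>\d+|-)$'
)

# Constructed sample: lines 1-2 are the page's before/after examples,
# lines 3-4 are made up for this illustration.
SAMPLE_LOG = """\
192.0.2.1- root@pam [01/06/2021:01:19:03 +0200] "GET /api2/json/config/ruledb/digest HTTP/1.1" 200 51
::ffff:192.0.2.1- root@pam [01/06/2021:01:19:03 +0200] "GET /api2/json/config/ruledb/digest HTTP/1.1" 200 51
::ffff:198.51.100.7 - - [01/06/2021:01:20:11 +0200] "POST /api2/json/access/ticket HTTP/1.1" 401 -
2001:db8::25 - admin@pmg [01/06/2021:01:21:40 +0200] "GET /api2/json/nodes HTTP/1.1" 200 312
"""

# Hypothetical management networks allowed to reach the API (assumption).
MGMT_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/64"),
]


def normalize_client(text):
    """Return the client address, unwrapping ::ffff:a.b.c.d to plain IPv4."""
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def parse_line(line):
    """Parse one access-log line; return a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        client = normalize_client(m.group("client"))
    except ValueError:
        return None  # first field is not an IP address
    return {
        "client": client,                 # normalized address object
        "raw_client": m.group("client"),  # address exactly as logged
        "user": m.group("user"),
        "time": m.group("time"),
        "request": m.group("request"),
        "status": int(m.group("status")),
    }


def in_mgmt(addr):
    """True if the address lies in one of the management networks."""
    return any(addr in net for net in MGMT_NETS)


def naive_in_mgmt(raw_client):
    """Allowlist check without unwrapping, as a rule written for the old format would do."""
    return in_mgmt(ipaddress.ip_address(raw_client))


def outside_mgmt(lines):
    """Return parsed entries whose normalized client is outside MGMT_NETS."""
    entries = (parse_line(line) for line in lines)
    return [e for e in entries if e is not None and not in_mgmt(e["client"])]


if __name__ == "__main__":
    for entry in outside_mgmt(SAMPLE_LOG.splitlines()):
        print(entry["client"], entry["user"], entry["status"], entry["request"])
```

Without the unwrapping step, the mapped form of an allowlisted IPv4 client fails the membership test, because an IPv6 address is never contained in an IPv4 network.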
<br />
<div id="7.0-known-issues"></div><br />
'''Known Issues'''<br />
* '''Network''': Due to the updated systemd version, and for most upgrades, the newer kernel version (5.4 to 5.11), some network interfaces might change upon reboot:<br />
** Some may change their name. For example, due to newly supported functions, a change from <code>enp33s0f0</code> to <code>enp33s0f0np0</code> could occur.<br />
**: We observed such changes with high-speed Mellanox models.<br />
** [https://sources.debian.org/src/bridge-utils/1.7-1/debian/NEWS/#L3-L23 Bridge MAC address selection has changed in Debian Bullseye] - it is now generated based on the interface name and the <code>machine-id (5)</code> of the system.<br />
**: Note that by default, Proxmox Mail Gateway does not use a Linux Bridge for networking, so most setups are unaffected.<br />
* '''Machine-id''': Systems installed using the Proxmox Mail Gateway 5.0 to 5.4 ISO may have a non-unique machine-id. These systems will have their machine-id re-generated automatically on upgrade, to avoid a potentially duplicated bridge MAC and other issues.<br />
: If you do the upgrade remotely, make sure you have a backup method of connecting to the host (for example, IPMI/iKVM, tiny-pilot, another network accessible by a cluster node, or physical access), in case the network used for SSH access becomes unreachable, due to the network failing to come up after a reboot.<br />
<br />
'''Upgrade from 6.4'''<br />
<br />
See [[Upgrade from 6.x to 7.0]]<br />
<br />
==Proxmox Mail Gateway 6.4==<br />
'''Released 30. March 2021'''<br />
* Based on Debian Buster (10.9)<br />
* SpamAssassin 3.4.5 (with updated ruleset)<br />
* Kernel 5.4.106<br />
* ACME integration<br />
** Proxmox Mail Gateway now offers full integration of the ACME protocol via the GUI, enabling administrators to create valid and trusted certificates for their domains with the Let's Encrypt certificate authority, in the same way as with Proxmox VE.<br />
** Full support for the <code>http-01</code> and <code>dns-01</code> challenges, with all plugins from [https://github.com/acmesh-official/acme.sh acme.sh].<br />
** Easily configurable from the GUI.<br />
* General Certificate Management via the GUI<br />
** It is now possible to upload custom certificates from the web interface, or set up a cluster-wide ACME account to automatically get and renew certificates from an ACME provider.<br />
* Support for external SpamAssassin update channels (regular automated updates).<br />
** By providing a short configuration file containing a SpamAssassin rule channel's URL and GPG key, Proxmox Mail Gateway will now fetch verified updates from that channel, along with the updates from updates.spamassassin.org.<br />
** The KAM ruleset channel is now available, and a suitable configuration file is shipped with <code>proxmox-spamassassin</code>.<br />
* Improved Quarantine Management<br />
** The admin view of the Spam Quarantine can now display quarantined mail of all users at once.<br />
** All Quarantine views (admin and user) allow you to filter for subject or sender.<br />
** The spam quarantine can now process huge amounts of mails at once (> 3200).<br />
* TLS-logging improvements to the Tracking Center<br />
** The Tracking Center now shows when an outbound connection is established over TLS.<br />
* Enhancements to the Integration of Proxmox Backup Server<br />
** It is now possible to get notified about the result of a scheduled backup to a configured Proxmox Backup Server Remote.<br />
** Inclusion of the (potentially large) statistics database is now configurable per Remote.<br />
* Notable Bugfixes:<br />
** Support for '/' in the local part of an e-mail address (quarantine and statistics view).<br />
<br />
==Proxmox Mail Gateway 6.3==<br />
'''Released 19. November 2020'''<br />
<br />
* Based on Debian Buster (10.6)<br />
* Updated SpamAssassin rules<br />
* Kernel 5.4.73<br />
* Proxmox Backup Server Integration<br/>Proxmox Mail Gateway is fully supported by the new Proxmox Backup Server 1.0, released on November 11, 2020:<br />
** Backing up to multiple remote backup servers: You can define multiple remote instances of Proxmox Backup Server to store backups on. In case of a large-scale disaster, they can be quickly restored.<br />
** Scheduled Backups: You can schedule regular backups via the GUI, which will then be automatically triggered by a systemd-timer unit. This removes the need for manual backup creation and individual, scripted solutions.<br />
* Quarantine Link via login-page<br />Users can request mails containing a link to their quarantine view, if enabled by the Admin. This enables users to edit their individual blocklists, even if no mails are in their quarantine. Until now this was only possible for sites using LDAP.<br />
* Improvements to the Tracking Center<br />To further improve user experience in the tracking center, pmg-log-tracker handles certain cases better:<br />
** The case sensitivity has been removed from the search box.<br />
** In case the pmg-smtp-filter fails to process emails due to misconfiguration, they are now marked as rejected.<br />
* Notable Bugfixes:<br />
** DKIM signing now uses the longest matching domain for the 'd=' tag.<br />
** Mails held in the Attachment Quarantine are assigned a new Message-ID - fixing interoperability with certain downstream servers (for example, MS Exchange), which silently discard messages with duplicate Message-IDs.<br />
<br />
==Proxmox Mail Gateway 6.2==<br />
'''Released 28. April 2020'''<br />
<br />
* Based on Debian Buster (10.3)<br />
** Proxmox Mail Gateway is based on the latest stable release of Debian 10.3 (Buster).<br />
* SpamAssassin 3.4.4<br />
** Proxmox ships the latest upstream release of Apache SpamAssassin with an updated and enhanced ruleset (KAM rules added)<br />
* Kernel 5.4<br />
** Proxmox Mail Gateway shares the kernel with Proxmox VE and is based on the 5.4 series from Ubuntu 20.04<br />
* pmg-log-tracker in Rust<br />
** <code>pmg-log-tracker</code> has been extended and reimplemented in the Rust programming language. <code>pmg-log-tracker</code> is the binary at the core of the Message Tracking Center, providing live searchable and grouped logs in the GUI.<br />
** The new <code>pmg-log-tracker</code> has support for parsing and grouping logs in before-queue filtering mode.<br />
** The refresh of the code base of <code>pmg-log-tracker</code> provides optimized performance and more stability.<br />
<br />
* Support for before-queue filtering in the GUI<br />
** With the added support for displaying before-queue filtering logs in the GUI and fixing some minor glitches in that area, the before-queue filtering can now be comfortably enabled in the GUI.<br />
<br />
* Improved IPv6 support<br />
** The Mail Proxy's SPF checker also verifies SPF records for those remote mail servers connecting via IPv6. <br />
** Greylisting support for IPv6 addresses (with variable netmask, defaulting to '/64') - needs to be explicitly enabled.<br />
** Who objects containing IPv6 literal addresses work now.<br />
<br />
* Customizable netmask length for greylist matching<br />
** Instead of fixing a greylist network to a '/24' the administrator can now configure which hosts should be considered as belonging to the same network by setting a larger (or smaller) prefix.<br />
** This can help with receiving mail from some cloud providers, who send out one mail from different IP addresses within a large network, which usually leads to a rather long delay and sometimes even to a legitimate mail being rejected.<br />
** Due to the changed database layout partial upgrades of clusters will prevent nodes running the older version from syncing the greylist database until they are upgraded.<br />
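The effect of the greylist prefix length described above can be seen in a small model. This is an added example, not Proxmox Mail Gateway code: the <code>Greylist</code> class, the 180-second minimum delay and the retry sequence are assumptions made for illustration, and 198.18.0.0/15 (reserved benchmarking space) stands in for a provider's sending pool.

```python
import ipaddress

# Constructed retry sequence: (seconds since first attempt, sending IP).
# One message, retried from four hosts that all sit inside 198.18.4.0/22.
RETRIES = [
    (0, "198.18.4.17"),
    (300, "198.18.5.200"),
    (900, "198.18.6.9"),
    (2100, "198.18.7.33"),
]
SENDER = "alerts@sender.example"      # hypothetical envelope sender
RECIPIENT = "user@recipient.example"  # hypothetical recipient


class Greylist:
    """Simplified greylist keyed on (sender network, sender, recipient)."""

    def __init__(self, prefix_v4=24, prefix_v6=64, min_delay=180):
        self.prefix_v4 = prefix_v4    # '/24' was the fixed value before 6.2
        self.prefix_v6 = prefix_v6    # '/64' is the IPv6 default named above
        self.min_delay = min_delay    # illustrative value, in seconds
        self.first_seen = {}

    def network_of(self, client_ip):
        """Mask the client address down to the configured network."""
        ip = ipaddress.ip_address(client_ip)
        prefix = self.prefix_v4 if ip.version == 4 else self.prefix_v6
        # strict=False discards the host bits instead of raising ValueError
        return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

    def check(self, client_ip, sender, recipient, now):
        """Return 'defer' for an unknown or too-recent key, else 'accept'."""
        key = (self.network_of(client_ip), sender.lower(), recipient.lower())
        first = self.first_seen.setdefault(key, now)
        return "accept" if now - first >= self.min_delay else "defer"


def first_accepted(greylist, attempts):
    """Return the 1-based number of the attempt that gets through, or None."""
    for number, (now, client_ip) in enumerate(attempts, start=1):
        if greylist.check(client_ip, SENDER, RECIPIENT, now) == "accept":
            return number
    return None


if __name__ == "__main__":
    for prefix in (24, 22):
        result = first_accepted(Greylist(prefix_v4=prefix), RETRIES)
        print(f"/{prefix}: accepted on attempt {result}")
```

With a '/24' key every retry looks like a first contact and is deferred again; with a '/22' key the second attempt matches the first and is accepted.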
<br />
* Better UX for the User Spam Quarantine interface<br />
** If selected in the Quarantine view, the From header and the Subject are now displayed on top of the mail body.<br />
** It is now possible to delete mail addresses containing certain special characters (for example '/') from a user's black- or whitelist.<br />
** Users can set their preferred language directly in the quarantine interface instead of having to log out to change the setting.<br />
** Fixed a bug in the selection of multiple e-mails.<br />
<br />
* Handling of changes to overridden templates with <code>ucf</code><br />
** Starting with this release, all service configuration templates copied and modified in <code>/etc/pmg/templates</code> get registered with <code>ucf</code>. Should an overridden template change with a new package version, the administrator is asked and can accept or reject the changes.<br />
** All users who have templates in <code>/etc/pmg/templates</code> will be asked about the current changes for the initial registration.<br />
<br />
* New What Object: 'Match Archive Filename'<br />
** In addition to match files in archives (zip, tar.gz, rar,...) based on the file's content-type, it is also possible to look for particular filename patterns inside of archives.<br />
** This completes the feature matrix of matching files based on content-type or filename, as plain attachments, or inside archives.<br />
<br />
* Support for downstream LMTP servers<br />
** In certain setups there is no advantage in having a dedicated SMTP server for receiving e-mails from Proxmox Mail Gateway, since all used functionality is provided by an MTA, which speaks IMAP and LMTP (e.g., Dovecot).<br />
** It is now possible to configure Proxmox Mail Gateway to send e-mails directly to an LMTP relay, both as default transport and only as transport for certain domains.<br />
<br />
* Improvements to recently added features<br />
** Before-queue filtering and DKIM signing, both implemented with Proxmox Mail Gateway 6.1, have a better user experience and are considered stable now.<br />
** Some remaining glitches and bugs fixed for both. <br />
** DKIM selector handling can handle the existence of multiple selectors and in the GUI, users can comfortably switch between the active selector.<br />
<br />
* TLS policy selection for internal downstream servers<br />
** It is now possible to specify a desired level of encryption and authentication for the opportunistic TLS-encryption (STARTTLS) for downstream servers entered in your transports.<br />
** This can help to ensure that your internal communication is not sent in the clear over the network. It can also be used to work around broken TLS implementations in legacy downstream servers.<br />
<br />
* Improvements to general usability<br />
** The unbounded growth of the Quarantine disk usage for non-master nodes in clustered setups is fixed.<br />
** It's now possible to switch to incremental updates of the AV signatures for ClamAV via GUI, alleviating the problem that both methods fail in certain cases for some users.<br />
==Proxmox Mail Gateway 6.1==<br />
'''Released 27. November 2019'''<br />
<br />
* Based on Debian Buster (10.2)<br />
** Proxmox Mail Gateway is based on the latest stable release of Debian 10.2 (Buster).<br />
* Updated SpamAssassin rules<br />
* Kernel 5.3<br />
** Proxmox Mail Gateway shares the kernel with Proxmox VE and is based on the 5.3 series from Ubuntu 19.10<br />
<br />
* DKIM-Signing<br />
** Support for adding DomainKeys Identified Mail (DKIM) Signatures (RFC 6376) to outbound emails<br />
** Configuration via GUI<br />
** Signing happens after processing the email with the rule system, thus ensuring that it leaves the Proxmox Mail Gateway with a valid signature<br />
** Flexible control of which domains should get signed with sensible defaults (the relay domains)<br />
** Inside a cluster, one common selector minimizes the overhead for adding required DNS entries<br />
<br />
* Attachment Quarantine<br />
** The <code>Remove Attachments</code> action can now optionally deliver the complete email to the Attachment Quarantine<br />
** The Attachment Quarantine offers a comfortable GUI for selectively downloading parts of the email for further analysis, or delivering the mail to the original recipient<br />
** Accessible only by the administrators, it offers safety from accidentally opening malicious executables, doc-files, and other attachments infected with malware<br />
<br />
* Adjustable SpamAssassin Rule Scores via GUI<br />
** Adapt the scores of individual SpamAssassin rules directly in the GUI<br />
** Enables you to adapt the scoring to your environment, thus achieving better ham/spam detection rates<br />
** Mostly for adding a bit of weight to rules, which are good indicators for Spam in your environment<br />
** Selectively disable Rules, which cause false positives for your environment<br />
<br />
* Improved handling of Configuration and Rule changes in clustered environments<br />
** The Filtering Engine gets notified about a range of configuration changes which require a reload<br />
** The notification is propagated during the cluster sync<br />
** This reduces the situations where you had to manually restart <code>pmg-smtp-filter</code><br />
<br />
* Experimental Support for Before Queue filtering<br />
** Proxmox Mail Gateway can now optionally reject an email during the SMTP dialogue, instead of accepting it and silently discarding unwanted email<br />
** This is a requirement in certain situations<br />
** By answering with a permanent failure code (<code>554</code>), there is no need to generate a Non-Delivery Report, which could cause your system to get blacklisted, due to Backscatter<br />
** Currently incompatible with the Tracking Center, thus needs to be explicitly enabled in <code>/etc/pmg/pmg.conf</code><br />
<br />
* Improvements to general usability<br />
** Clarification of ambiguously used terms in the GUI and documentation<br />
** More detailed documentation of the Service Configuration Templates<br />
** Downloading of emails larger than 2 MB as <nowiki>eml</nowiki> from the Spam Quarantine now works<br />
** API-Viewer now usable from inside every running PMG installation at https://pmg.local:8006/api-viewer/index.html or just online via https://pmg.proxmox.com/pmg-docs/api-viewer/index.html<br />
<br />
==Proxmox Mail Gateway 6.0==<br />
'''Released 27. August 2019'''<br />
<br />
*Proxmox Mail Gateway is based on the latest stable release of Debian 10.0 (Buster)<br />
*This major version update provides an easy to follow step-by-step upgrade path - https://pmg.proxmox.com/wiki/index.php/Upgrade_from_5.x_to_6.0<br />
*Rule name logging - each final action now logs the name of the rule which triggered it to the system log<br />
*The system logs get displayed faster in the GUI because they now use the Proxmox `mini-journalreader` instead of `journalctl`<br />
*ClamAV 0.101.4 (fix for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934359)<br />
*Postgres 11 (new major version backing the rule system)<br />
*OpenSSL 1.1.1c with support for TLS 1.3<br />
*Updated shipped SpamAssassin Ruleset<br />
*Countless bugfixes and improvements in the GUI labels<br />
<br />
==Proxmox Mail Gateway 5.2==<br />
'''Released 20. March 2019'''<br />
<br />
*Mobile Quarantine Interface<br />
**based on the small and modern framework7<br />
**Deliver/Delete/Whitelist/Blacklist mails in your Quarantine from your mobile device<br />
*Improvements in the LDAP integration<br />
**allow the use of FQDNs instead of IPs in the WebUI<br />
**add support for certificate verification (and enable it for new deployments)<br />
**add support for LDAP+starttls<br />
*PMG-Appliance template<br />
**Install PMG as an (unprivileged) Linux Container (e.g. in PVE)<br />
**Introduces the new 'proxmox-mailgateway-container' metapackage, which does not depend on a kernel, and results in a vastly reduced size (and fewer updates)<br />
*Improvements in Logging<br />
**pmg-smtp-filter now logs each SA-Rules score in addition to the rule names - simplifying the analysis of the spam filter's performance without the need to access the mail's source<br />
*Improvements in the WebUI's TLS configuration<br />
*pmgproxy can now be configured via '/etc/default/pmgproxy' to disable/enable certain ciphers, compression, cipher selection preference.<br />
*new command: `pmg-system-report`<br />
**Provides an overview of key characteristics of PMG's setup and performance<br />
**Improves the initial diagnosis for our Enterprise support<br />
*.eml download from the (non-mobile) Quarantine Interface<br />
**Lets you download the complete source of a quarantined message in .eml format for further analysis<br />
*Add support for custom checks<br />
**Enable users to integrate their own custom check logic by providing a defined interface, which can optionally be enabled, and runs a custom check before the mail gets handed to the virus scanner and rule system.<br />
*Improvements of Blacklist/Whitelist handling in the Quarantine Interface<br />
**multiselect for removing multiple entries at once<br />
*proxmox-spamassassin<br />
**Update the shipped rulesets<br />
*PMG-Cluster: full IPv6 support<br />
*ISO works on Citrix XenServer<br />
*Documentation available via https://pmg.proxmox.com/pmg-docs<br />
*Bugfixes<br />
<br />
==Proxmox Mail Gateway 5.1==<br />
'''Released 05. October 2018'''<br />
<br />
*Allow to configure TLS policy via GUI<br />
*New 'helpdesk' role<br />
*Support SMTPUTF8 protocol feature<br />
*GUI improvements<br />
*Update Debian Stretch 9.5<br />
*Update kernel to 4.15<br />
*Bugfixes<br />
<br />
==Proxmox Mail Gateway 5.0==<br />
'''Released 23. January 2018'''<br />
<br />
*Fully licensed under the open source license AGPL<br />
*Based on Debian Stretch 9.3 with a 4.13.13 kernel<br />
*ISO installer supports all ZFS raid levels<br />
*ExtJS based user interface<br />
*New API<br />
*Integrated documentation<br />
*Subscription-based enterprise support options (similar to the Proxmox VE support subscription model)<br />
*Bug fixes<br />
<br />
== Old Releases ==<br />
*Proxmox Mail Gateway 4.1<br />
*Proxmox Mail Gateway 4.0<br />
*Proxmox Mail Gateway 3.1<br />
*Proxmox Mail Gateway 3.0<br />
*Proxmox Mail Gateway 2.6<br />
*Proxmox Mail Gateway 2.5<br />
*Proxmox Mail Gateway 2.4<br />
*Proxmox Mail Gateway 2.3<br />
*Proxmox Mail Gateway 2.2<br />
*Proxmox Mail Gateway 2.1<br />
*Proxmox Mail Gateway 2.0<br />
*Proxmox Mail Gateway 1.7<br />
*Proxmox Mail Gateway 1.6<br />
*Proxmox Mail Gateway 1.5<br />
*Proxmox Mail Gateway 1.4<br />
*Proxmox Mail Gateway 1.3<br />
*Proxmox Mail Gateway 1.2<br />
*Proxmox Mail Gateway 1.1<br />
*Proxmox Mail Gateway 1.0 (April 2005)</div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=Roadmap&diff=110Roadmap2023-03-28T09:22:41Z<p>Martin: </p>
<hr />
<div><div class="toclimit-3">__TOC__</div><br />
<br />
=Roadmap=<br />
*<s>SpamAssassin 4</s> done<br />
*Continuous security and bug fix updates<br />
=Release History=<br />
See also [https://forum.proxmox.com/forums/announcements.7/ Announcement forum]<br />
== Proxmox Mail Gateway 7.3 ==<br />
Released 28. March 2023<br />
* Based on Debian Bullseye (11.6)<br />
* Latest 5.15 Kernel as stable default<br />
* Newer 6.2 kernel as opt-in<br />
* ZFS 2.1.9<br />
* SpamAssassin 4.0.0 (new major version)<br />
* PostgreSQL 13.10<br />
<br />
=== Highlights ===<br />
<br />
* Proxmox Mail Gateway now provides a dark theme for the administrative and quarantine web interfaces.<br />
* SpamAssassin 4.0.0 was integrated, along with many of its new capabilities, like (optionally) scanning document contents (docx, pdf, images,...), or resolving URLs from url-shorteners.<br />
<br />
=== Changelog Overview ===<br />
<br />
==== Enhancements in the Rule System ====<br />
* New major release SpamAssassin 4.0.0, with many new features: <br />
** Detection of spam inside of attachments. This is implemented for the file types <code>.pdf</code>, <code>.odt</code>, <code>.docx</code>, <code>.doc</code>, <code>.rtf</code>, as well as images (through OCR).<br />
*:: Attachment scanning can be enabled using the Web UI (<code>Spam Detector</code> -> <code>Options</code>), which sets the <code>extract_text</code> option in the <code>spam</code> section of <code>/etc/pmg/pmg.conf</code>.<br />
*:: The dependencies required for attachment scanning are marked as optional, but recommended, dependencies of the <code>pmg-api</code> package.<br />
*:: This means that on systems that did not change the apt preference the new dependencies should be pulled in automatically on upgrade, otherwise you might need to manually install them.<br />
*: Note that attachment scanning, and OCR in particular, increases CPU time spent per mail. Depending on email volume and available CPU power, you may see a significant increase in load.<br />
** Follow and analyze URL-shortener links.<br />
** Improved support for using information from DMARC-policies.<br />
** Improved handling of internationalized (IDN) domain names.<br />
* Adaptation of the SpamAssassin integration for version 4.0.0:<br />
: The SpamAssassin configuration files shipped with the <code>pmg-api</code> package were adapted to the new features.<br />
: <code>extract_text</code> was added as a new option for the spam detector to disable content scanning, while most other new options are triggered with the <code>use_rbl</code> option.<br />
: On deployments with modified templates, the upgrade process will ask how changes should be merged. This provides an opportunity to re-evaluate which modifications are still needed.<br />
* Support enforcing TLS-only connections for mails from certain domains:<br />
: It is now possible to enforce TLS encryption for inbound mail, complementing the already-present TLS policy functionality for outbound mail.<br />
* Improved handling of SMTPUTF8:<br />
: Based on the user feedback on UTF-8 support for the rule system introduced in Proxmox Mail Gateway 7.2, it is now possible to disable SMTPUTF8 through the API and GUI.<br />
: The detection for SMTPUTF8 was aligned with the implementation in <code>postfix</code>.<br />
* The What objects "Match Archive Filename" now also use the optional filename from the GZIP header for matching.<br />
* Support trusted network entries with host bits set in the CIDR:<br />
: Quite a few deployments did use a CIDR with host-bits set, for example 192.0.2.5/24 instead of 192.0.2.0/24. This is now translated internally and handled correctly.<br />
* Ordering of multiple rules with the same priority is now stable, despite not being a recommended setup.<br />
<br />
==== Enhancements in the Web Interface (GUI) ====<br />
<br />
* Add a fully-integrated "Proxmox Dark" color theme variant of the long-time Crisp light theme.<br />
: By default, the <code>prefers-color-scheme</code> media query from the Browser/OS will be used to decide the default color scheme.<br />
: Users can override the theme via a newly added <code>Color Theme</code> menu in the user menu.<br />
* Add "Proxmox Dark" color theme to the Proxmox Mail Gateway reference documentation.<br />
: The <code>prefers-color-scheme</code> media query from the Browser/OS will be used to decide if the light or dark color scheme should be used.<br />
: The new dark theme is also available in the [https://pmg.proxmox.com/pmg-docs/api-viewer/index.html#/nodes/{node}/version Proxmox Mail Gateway API Viewer].<br />
* Task logs can now be downloaded directly as text files for further inspection.<br />
* The language chooser now displays, for each available language, both its native name as well as its name translated to the currently active language.<br />
* HTML-encode API results before rendering as additional hardening against XSS.<br />
* Automatically redirect HTTP requests to HTTPS for convenience.<br />
: This avoids "Connection reset" browser errors that can be confusing, especially after setting up a Proxmox Mail Gateway host the first time.<br />
* Invalid entries in advanced fields now cause the advanced panel to unfold, providing direct feedback.<br />
* Improved translations, among others:<br />
** Arabic<br />
** French<br />
** German<br />
** Italian<br />
** Japanese<br />
** Russian<br />
** Slovenian<br />
** Simplified Chinese<br />
<br />
==== Notable General Improvements and Bug Fixes ====<br />
* The documentation now has a chapter describing the statistics part of the GUI and API.<br />
* Mail delivery from quarantine uses new code for sending locally generated mail, with the following improvements:<br />
** Support for IPv6-only deployments and delivery status notifications.<br />
** Correct decoding of addresses containing UTF-8.<br />
* The cleanup before restoring the configuration from a backup was improved, preventing issues when restoring without rebooting the system.<br />
* Logging of errors when sending locally generated mail was improved.<br />
* Errors in files related to TLS-policy are now also reported in the syslog.<br />
* The output of <code>pmgdb dump</code> is now able to handle UTF-8 characters in rule names, object names, and comments.<br />
<br />
==== Installation ISO ====<br />
<br />
* The version of BusyBox shipped with the ISO was updated to version 1.36.0.<br />
* The EFI System Partition (ESP) defaults to 1 GiB of size if the root disk partition (<code>hdsize</code>) is bigger than 100 GB.<br />
* UTC can now be selected as timezone during installation.<br />
<br />
<div id="7.3-known-issues"></div><br />
<br />
=== Known Issues & Breaking Changes ===<br />
<br />
* The ISO does not ship the optional dependencies for extracting text from attachments. If you installed from the ISO and want to use the feature, you can simply install them manually:<br />
*: <code>apt install antiword docx2txt odt2txt poppler-utils tesseract-ocr unrtf</code><br />
== Proxmox Mail Gateway 7.2 ==<br />
'''Released 30. November 2022'''<br />
<br />
* Based on Debian Bullseye (11.5)<br />
* Latest 5.15 Kernel as stable default (5.15.74)<br />
* Newer 5.19 kernel as opt-in<br />
* ZFS 2.1.6<br />
* SpamAssassin 3.4.6 (with updated rule-set)<br />
* PostgreSQL 13.8<br />
<br />
'''Changelog Overview'''<br />
<br />
* Enhancements in the Rule system:<br />
** Improved handling of international emails<br />
*** Support for UTF-8 characters in the rule system (e.g. matching non-ASCII subjects).<br />
*** Better handling of [https://www.rfc-editor.org/rfc/rfc6531 SMTPUTF8 emails] (the smtp-dialogue already contains non-ASCII data, the headers contain UTF-8 data without MIME encoding).<br />
** Proper encoding for template-variable information in the Notifications and Modify Field actions.<br />
** MatchField now matches all occurrences of a header - not only the first one - especially relevant for <code>Received</code> headers.<br />
** Deprecated the <code>Attach</code>, <code>Counter</code> and <code>ReportSpam</code> Actions.<br />
*: While they were present in the code of Proxmox Mail Gateway, they were never exposed in the GUI or API.<br />
*: All three have now been deprecated and will be removed with version 8.0.<br />
<br />
* Improved Quarantine UX:<br />
** Quarantine interface for Administrators: many of the recent features for end-users in the Spam Quarantine have been ported to the administrator view:<br />
*** Allow selection of multiple mails.<br />
*** Context menu in the mail-listing.<br />
*** Display the Receiver information in the Attachment and Virus quarantines and the Mail Info widget.<br />
** Augmented the information visualization in the Spam information grid.<br />
*** The weight (number of points) and the type of impact (positive or negative) of SpamAssassin rules is now shown with colors and font-weights to make them easier to grasp. <br />
*** The rule IDs and scores are using a monospaced font for better comparison of values.<br />
** Colorized <code>Deliver</code> and <code>Delete</code> actions improve intuitive handling of the common actions.<br />
** Display of attachments in the Spam and Virus quarantines (for a more complete overview of the mail).<br />
** Attachment and Virus quarantines can now optionally be filtered by Receiver - especially helpful in larger deployments.<br />
** Display of descriptions for locally defined SpamAssassin rules.<br />
** Fix displaying the quarantine interface on narrow screens: Part of the action buttons were cut off and not reachable through scrolling.<br />
<br />
* Enhancements in the web interface (GUI):<br />
** The Postfix queue interface now displays the mail's headers in a decoded way - so that you see it as in your mail user agent.<br />
** The Statistic time selector now does not show non-existent day/month combinations (e.g. the 31. Day of February).<br />
** Better spacing of the Field labels in the rule object edit windows.<br />
** Improved translations, among others:<br />
*** Dutch<br />
*** German<br />
*** Italian<br />
*** Polish<br />
*** Traditional Chinese<br />
*** Turkish<br />
<br />
* Support Proxmox Offline Mirroring & Subscription Handling<br />
** Proxmox Offline Mirror: The tool supports subscriptions and repository mirrors for air-gapped systems. The newly added [https://pom.proxmox.com proxmox-offline-mirror] utility can now be used to keep Proxmox Mail Gateway hosts without access to the public internet up to date and running with a valid subscription.<br />
<br />
* Notable General Improvements and Bugfixes:<br />
** Add IP networks uniquely to template variables (<code>postfix.mynetworks</code>)<br />
*: If you had multiple entries in your transport directory, all pointing to the same host, they were added multiple times to the variable used in the configuration system.<br />
** Support for Proxmox Backup Server Namespaces.<br />
** Spam report emails now correctly display the <code>From</code> header, even if it contains a comma (e.g. <code>"Lastname, Firstname" <firstname.lastname@domain.example></code>).<br />
** The left-over config file <code>/etc/apt/apt.conf.d/75pmgconf</code> was removed, enabling the automatic removal of obsolete kernel packages, which can take up significant amounts of space.<br />
** SpamAssassin updates now handle updates to multiple channels correctly on the first run.<br />
** Improved parsing of email attributes from LDAP profiles.<br />
** Changing the directory to '/' before running <code>psql</code> as the <code>postgres</code> user - preventing the printing of harmless but confusing warnings with various Proxmox Mail Gateway CLI utilities.<br />
** Support disabling TLS 1.2 and configuring TLS 1.3 ciphers for <code>pmgproxy</code> - following the change for <code>pveproxy</code> in Proxmox VE.<br />
'''Upgrade from 6.4'''<br />
<br />
See [[Upgrade from 6.x to 7.0]]<br />
== Proxmox Mail Gateway 7.1 ==<br />
'''Released 30. November 2021'''<br />
* Based on Debian Bullseye (11.1)<br />
* Kernel 5.13<br />
* ZFS 2.1<br />
* SpamAssassin 3.4.6 (with updated rule-set)<br />
* PostgreSQL 13.5<br />
<br />
'''Changelog Overview'''<br />
<br />
* Enhancements in the web interface (GUI)<br />
** Improved configuration editing of LDAP backends: Changes can now be applied without having to specify a password.<br />
** The APT repository configuration, rather than being restricted to 'root', is now visible and editable by all users with 'Administrator' privileges.<br />
** Improved translations, among others:<br />
*** Arabic<br />
*** Basque<br />
*** Brazilian Portuguese<br />
*** French<br />
*** German<br />
*** Simplified Chinese<br />
*** Traditional Chinese<br />
*** Turkish<br />
<br />
* Two-Factor Authentication<br />
** Two-factor authentication (TFA) for the web interface. Shares the TFA implementation from Proxmox Backup Server, written in Rust.<br />
** Support for multiple types of second factors:<br />
*** WebAuthn, which supports a wide range of security devices, like hardware keys or trusted platform modules.<br />
*** Time-based One-Time Password (TOTP), a short code derived from a shared secret and the current time, which changes every 30 seconds.<br />
*** Single use Recovery Keys.<br />
<br />
* Backend and API<br />
** Improved support for setups using DHCP for their network configuration:<br />
*: While email still requires working DNS records, you can now manage and configure the IP of your Proxmox Mail Gateway in your DHCP configuration.<br />
** When adding a new entry to a Who object, a duplicate check is performed before saving.<br />
** Better handling of trailing dot in domain-names:<br />
*: Proxmox Mail Gateway uses the first search domain from <code>/etc/resolv.conf</code> as domain name - it can now handle entries with a trailing dot.<br />
** Delivery status notification (DSN, RFC 3461) support for outbound email with enabled before-queue filtering.<br />
'''Upgrade from 6.4'''<br />
<br />
See [[Upgrade from 6.x to 7.0]]<br />
<br />
== Proxmox Mail Gateway 7.0 ==<br />
'''Released 15. July 2021'''<br />
* Based on Debian Bullseye (11)<br />
* SpamAssassin 3.4.6 (with updated rule-set)<br />
* Kernel 5.11<br />
* PostgreSQL 13<br />
<br />
'''Changelog Overview'''<br />
<br />
* Enhancements in the web interface (GUI)<br />
** Make dashboard status panel more detailed, showing, among other things, uptime, kernel version, CPU info and a high level repository status overview.<br />
** New APT repository management panel in the <code>Administration</code> tab shows an in-depth status and a list of all configured repositories.<br />
**: Basic repository management, for example, activating or deactivating a repository, is also supported.<br />
** Updated ExtJS JavaScript framework to latest GPL release 7.0<br />
** Added advanced task-log filtering<br />
** Improved translations, including:<br />
*** Arabic<br />
*** French<br />
*** German<br />
*** Japanese<br />
*** Polish<br />
*** Turkish<br />
<br />
* ACME/Let's Encrypt<br />
** Support the use of wildcard domains with the DNS plugins<br />
** API: nodeconfig: validate ACME config before writing<br />
<br />
* API<br />
** pmgproxy: allow setting LISTEN_IP parameter<br />
** With the "Authentication mode" setting of <code>LDAP</code> for the quarantine interface, the report mails no longer contain the ticket link - thus, quarantine users need to provide their LDAP credentials to access the quarantine.<br />
<br />
* Installer:<br />
** Rework the installer environment to use <code>switch_root</code> instead of <code>chroot</code>, when transitioning from initrd to the actual installer.<br />
**: This improves module and firmware loading, and slightly reduces memory usage during installation.<br />
** Automatically detect HiDPI screens, and increase console font and GUI scaling accordingly. This improves UX for workstations with Proxmox VE (for example, for passthrough).<br />
** Improve ISO detection:<br />
*** Support ISOs backed by devices using USB Attached SCSI (UAS), which modern USB3 flash drives often do.<br />
*** Linearly increase the delay of subsequent scans for a device with an ISO image, bringing the total check time from 20s to 45s. This allows for the detection of very slow devices, while continuing faster in general.<br />
** Use <code>zstd</code> compression for the initrd image and the squashfs images.<br />
** Update to busybox 1.33.1 as the core-utils provider.<br />
<br />
* libarchive-perl<br />
** The perl-bindings to <code>libarchive</code> have been updated to match <code>libarchive</code> version 3.4.3 (shipped in Debian Bullseye) - the library interface was kept backwards-compatible<br />
<br />
* libxdgmime-perl<br />
** The perl-bindings to [https://gitlab.freedesktop.org/xdg/xdgmime xdgmime] have been updated to match current upstream - the library interface was kept backwards-compatible<br />
<br />
<div id="7.0-breaking-changes"></div><br />
'''Breaking Changes'''<br />
* New default bind address for pmgproxy, unifying the default behavior with Proxmox VE and Proxmox Backup Server<br />
** In making the LISTEN_IP configurable, the daemon now binds to both wildcard addresses (IPv4 <code>0.0.0.0:8006</code> and IPv6 <code>[::]:8006</code>) by default.<br />
*: Should you wish to prevent it from listening on IPv6, simply configure the IPv4 wildcard as LISTEN_IP in <code>/etc/default/pmgproxy</code>:<br />
*: <code>LISTEN_IP="0.0.0.0"</code><br />
** Additionally, the logged IP address format changed for IPv4 in pmgproxy's access log (<code>/var/log/pmgproxy/pmgproxy.log</code>). They are now logged as IPv4-mapped IPv6 addresses. Instead of:<br />
*: <code>192.0.2.1- root@pam [01/06/2021:01:19:03 +0200] "GET /api2/json/config/ruledb/digest HTTP/1.1" 200 51</code><br />
*: the line now looks like:<br />
*: <code>::ffff:192.0.2.1- root@pam [01/06/2021:01:19:03 +0200] "GET /api2/json/config/ruledb/digest HTTP/1.1" 200 51</code><br />
*:If you want to restore the old logging format, also set <code>LISTEN_IP="0.0.0.0"</code><br />
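Log pipelines that match <code>pmgproxy.log</code> clients against IPv4 allowlists need to unwrap the IPv4-mapped form described above. The following parser is an added example, not part of Proxmox Mail Gateway; the function names are hypothetical, the first two sample lines are the ones quoted in these notes, and the third line is constructed.

```python
import ipaddress
import re

# Sample input: the two lines quoted in the notes above, plus one constructed
# line for a native IPv6 client (2001:db8::/32 is documentation space).
SAMPLE_LINES = [
    '192.0.2.1- root@pam [01/06/2021:01:19:03 +0200] '
    '"GET /api2/json/config/ruledb/digest HTTP/1.1" 200 51',
    '::ffff:192.0.2.1- root@pam [01/06/2021:01:19:03 +0200] '
    '"GET /api2/json/config/ruledb/digest HTTP/1.1" 200 51',
    '2001:db8::25 - admin@pmg [01/06/2021:01:20:10 +0200] '
    '"GET /api2/json/version HTTP/1.1" 200 120',
]

# client, "-", user, [timestamp], "request", status, size
LINE_RE = re.compile(
    r'^(?P<addr>[0-9A-Fa-f:.]+)\s*-\s+(?P<user>\S+)\s+'
    r'\[(?P<ts>[^\]]+)\]\s+"(?P<request>[^"]*)"\s+'
    r'(?P<status>\d{3})\s+(?P<size>\d+|-)\s*$'
)


def normalize_client(addr):
    """Parse an address and unwrap ::ffff:a.b.c.d to plain IPv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def parse_line(line, normalize=True):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        if normalize:
            client = normalize_client(m["addr"])
        else:
            client = ipaddress.ip_address(m["addr"])
    except ValueError:
        return None
    return {
        "logged_as": m["addr"],   # address text exactly as written in the log
        "client": client,
        "user": m["user"],
        "timestamp": m["ts"],
        "request": m["request"],
        "status": int(m["status"]),
        "size": None if m["size"] == "-" else int(m["size"]),
    }


def unexpected_clients(lines, allowed, normalize=True):
    """List logged addresses that fall outside every network in `allowed`."""
    networks = [ipaddress.ip_network(n) for n in allowed]
    hits = []
    for line in lines:
        record = parse_line(line, normalize)
        if record is None:
            continue
        # An IPv6 address is never "in" an IPv4 network, so a mapped
        # address that was not unwrapped always lands in the hit list.
        if not any(record["client"] in net for net in networks):
            hits.append(record["logged_as"])
    return hits


if __name__ == "__main__":
    allowed = ["192.0.2.0/24"]
    print("normalized:", unexpected_clients(SAMPLE_LINES, allowed))
    print("raw:       ", unexpected_clients(SAMPLE_LINES, allowed, False))
```

Without normalization the same management host is flagged as soon as the daemon starts logging the mapped form.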
<br />
* ClamAV has [https://blog.clamav.net/2021/04/are-you-still-attempting-to-download.html deprecated the SafeBrowsing feature]:<br />
** These options have been removed from the shipped <code>freshclam.conf.in</code> template.<br />
** The <code>safebrowsing</code> config key in <code>/etc/pmg/pmg.conf</code> is currently ignored and will be dropped at some point in the future.<br />
<br />
* Changes to the database layout:<br />
** The <code>host</code> column of the <code>cgreylist</code> table, which has not been used since Proxmox Mail Gateway 6.2, has been dropped from the schema and will be dropped from existing databases during the upgrade.<br />
<br />
* API deprecations, moves and removals<br />
** The <code>upgrade</code> parameter of the <code>/nodes/{node}/termproxy</code> API method has been replaced by providing <code>upgrade</code> as <code>cmd</code> parameter.<br />
** The <code>domain</code> parameter of the <code>/config/tlspolicy</code> API method has been replaced by the <code>destination</code> parameter.<br />
** The <code>/quarantine/whitelist/{address}</code> and <code>/quarantine/blacklist/{address}</code> API methods, which take the address as part of the path, have been deprecated in favor of explicitly providing the parameter in the request to <code>/quarantine/whitelist</code> and <code>/quarantine/blacklist</code> respectively.<br />
** The API methods for detailed statistics per e-mail address, which take the address as part of the path (<code>/statistics/contact/{contact}</code>, <code>/statistics/sender/{sender}</code> and <code>/statistics/receiver/{receiver}</code>), have been deprecated in favor of <code>/statistics/detail</code>, which takes the address as an explicit parameter.<br />
<br />
<div id="7.0-known-issues"></div><br />
'''Known Issues'''<br />
* '''Network''': Due to the updated systemd version, and for most upgrades, the newer kernel version (5.4 to 5.11), some network interfaces might change upon reboot:<br />
** Some may change their name. For example, due to newly supported functions, a change from <code>enp33s0f0</code> to <code>enp33s0f0np0</code> could occur.<br />
**: We observed such changes with high-speed Mellanox models.<br />
** [https://sources.debian.org/src/bridge-utils/1.7-1/debian/NEWS/#L3-L23 Bridge MAC address selection has changed in Debian Bullseye] - it is now generated based on the interface name and the <code>machine-id (5)</code> of the system.<br />
**: Note that by default, Proxmox Mail Gateway does not use a Linux Bridge for networking, so most setups are unaffected.<br />
* '''Machine-id''': Systems installed using the Proxmox Mail Gateway 5.0 to 5.4 ISO may have a non-unique machine-id. These systems will have their machine-id re-generated automatically on upgrade, to avoid a potentially duplicated bridge MAC and other issues.<br />
: If you do the upgrade remotely, make sure you have a backup method of connecting to the host (for example, IPMI/iKVM, tiny-pilot, another network accessible by a cluster node, or physical access), in case the network used for SSH access becomes unreachable, due to the network failing to come up after a reboot.<br />
<br />
'''Upgrade from 6.4'''<br />
<br />
See [[Upgrade from 6.x to 7.0]]<br />
<br />
==Proxmox Mail Gateway 6.4==<br />
'''Released 30. March 2021'''<br />
* Based on Debian Buster (10.9)<br />
* SpamAssassin 3.4.5 (with updated ruleset)<br />
* Kernel 5.4.106<br />
* ACME integration<br />
** Proxmox Mail Gateway now offers full integration of the ACME protocol via the GUI, enabling administrators to create valid and trusted certificates for their domains with the Let's Encrypt certificate authority, in the same way as with Proxmox VE.<br />
** Full support for the <code>http-01</code> and <code>dns-01</code> challenges, with all plugins from [https://github.com/acmesh-official/acme.sh acme.sh].<br />
** Easily configurable from the GUI.<br />
* General Certificate Management via the GUI<br />
** It is now possible to upload custom certificates from the web interface, or set up a cluster-wide ACME account to automatically get and renew certificates from an ACME provider.<br />
* Support for external SpamAssassin update channels (regular automated updates).<br />
** By providing a short configuration file containing a SpamAssassin rule channel's URL and GPG key, Proxmox Mail Gateway will now fetch verified updates from that channel, along with the updates from updates.spamassassin.org.<br />
** The KAM ruleset channel is now available, and a suitable configuration file is shipped with <code>proxmox-spamassassin</code>.<br />
* Improved Quarantine Management<br />
** The admin view of the Spam Quarantine can now display quarantined mail of all users at once.<br />
** All Quarantine views (admin and user) allow you to filter for subject or sender.<br />
** The spam quarantine can now process huge amounts of mails at once (> 3200).<br />
* TLS-logging improvements to the Tracking Center<br />
** The Tracking Center now shows when an outbound connection is established over TLS.<br />
* Enhancements to the Integration of Proxmox Backup Server<br />
** It is now possible to get notified about the result of a scheduled backup to a configured Proxmox Backup Server Remote.<br />
** Inclusion of the (potentially large) statistics database is now configurable per Remote.<br />
* Notable Bugfixes:<br />
** Support for '/' in the local part of an e-mail address (quarantine and statistics view).<br />
<br />
==Proxmox Mail Gateway 6.3==<br />
'''Released 19. November 2020'''<br />
<br />
* Based on Debian Buster (10.6)<br />
* Updated SpamAssassin rules<br />
* Kernel 5.4.73<br />
* Proxmox Backup Server Integration<br/>Proxmox Mail Gateway is fully supported by the new Proxmox Backup Server 1.0, released on November 11, 2020:<br />
** Backing up to multiple remote backup servers: You can define multiple remote instances of Proxmox Backup Server to store backups on. In case of a large-scale disaster, they can be quickly restored.<br />
** Scheduled Backups: You can schedule regular backups via the GUI, which will then be automatically triggered by a systemd-timer unit. This removes the need for manual backup creation and individual, scripted solutions.<br />
* Quarantine Link via login-page<br />Users can request mails containing a link to their quarantine view, if enabled by the Admin. This enables users to edit their individual blocklists, even if no mails are in their quarantine. Until now this was only possible for sites using LDAP.<br />
* Improvements to the Tracking Center<br />To further improve user experience in the tracking center, pmg-log-tracker handles certain cases better:<br />
** The case sensitivity has been removed from the search box.<br />
** In case the pmg-smtp-filter fails to process emails due to misconfiguration, they are now marked as rejected.<br />
* Notable Bugfixes:<br />
** DKIM signing now uses the longest matching domain for the 'd=' tag.<br />
** Mails held in the Attachment Quarantine are assigned a new Message-ID - fixing interoperability with certain downstream servers (for example, MS Exchange), which silently discard messages with duplicate Message-IDs.<br />
<br />
==Proxmox Mail Gateway 6.2==<br />
'''Released 28. April 2020'''<br />
<br />
* Based on Debian Buster (10.3)<br />
** Proxmox Mail Gateway is based on the latest stable release of Debian 10.3 (Buster).<br />
* SpamAssassin 3.4.4<br />
** Proxmox ships the latest upstream release of Apache SpamAssassin with an updated and enhanced ruleset (KAM rules added)<br />
* Kernel 5.4<br />
** Proxmox Mail Gateway shares the kernel with Proxmox VE and is based on the 5.4 series from Ubuntu 20.04<br />
* pmg-log-tracker in Rust<br />
** <code>pmg-log-tracker</code> has been extended and reimplemented in the Rust programming language. <code>pmg-log-tracker</code> is the binary at the core of the Message Tracking Center, providing live searchable and grouped logs in the GUI.<br />
** The new <code>pmg-log-tracker</code> has support for parsing and grouping logs in before-queue filtering mode.<br />
** The refresh of the code base of <code>pmg-log-tracker</code> provides optimized performance and more stability.<br />
<br />
* Support for before-queue filtering in the GUI<br />
** With the added support for displaying before-queue filtering logs in the GUI and fixing some minor glitches in that area, the before-queue filtering can now be comfortably enabled in the GUI.<br />
<br />
* Improved IPv6 support<br />
** The Mail Proxy's SPF checker also verifies SPF records for those remote mail servers connecting via IPv6. <br />
** Greylisting support for IPv6 addresses (with variable netmask, defaulting to '/64') - needs to be explicitly enabled.<br />
** Who objects containing IPv6 literal addresses now work.<br />
<br />
* Customizable netmask length for greylist matching<br />
** Instead of fixing a greylist network to a '/24', the administrator can now configure which hosts should be considered as belonging to the same network by setting a larger (or smaller) prefix.<br />
** This can help with receiving mail from some cloud providers, who send out one mail from different IP addresses within a large network, which usually leads to a rather long delay and sometimes even to a legitimate mail being rejected.<br />
** Due to the changed database layout, partial upgrades of clusters will prevent nodes running the older version from syncing the greylist database until they are upgraded.<br />
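The effect of the configurable netmask for greylist matching described above can be seen in a simplified model. This is an added example, not Proxmox Mail Gateway's own greylisting code: the class and function names, the 300-second delay, the addresses and the envelope values are assumptions made for the illustration.

```python
import ipaddress


class Greylist:
    """Simplified greylist keyed on (sender network, envelope sender, recipient)."""

    def __init__(self, delay=300, v4_prefix=24, v6_prefix=64):
        self.delay = delay                    # seconds a new triplet is deferred
        self.prefix = {4: v4_prefix, 6: v6_prefix}
        self.first_seen = {}                  # triplet -> time of first attempt

    def network_key(self, client_ip):
        """Map a client address to the network it is greylisted under."""
        addr = ipaddress.ip_address(client_ip)
        # strict=False masks off the host bits instead of raising ValueError
        net = ipaddress.ip_network(
            f"{addr}/{self.prefix[addr.version]}", strict=False
        )
        return str(net)

    def check(self, client_ip, sender, recipient, now):
        """Return 'defer' for an unknown or too-young triplet, else 'accept'."""
        key = (self.network_key(client_ip), sender.lower(), recipient.lower())
        first = self.first_seen.setdefault(key, now)
        return "accept" if now - first >= self.delay else "defer"


def replay(attempts, **greylist_options):
    """Feed (time, client_ip) delivery attempts of one mail through a greylist."""
    gl = Greylist(**greylist_options)
    return [
        gl.check(ip, "news@sender.example", "user@rcpt.example", t)
        for t, ip in attempts
    ]


# Constructed scenario: a provider retries the same mail after ten minutes
# from a different host of its outbound pool.
ATTEMPTS_V4 = [(0, "198.51.100.10"), (600, "198.51.101.77")]
ATTEMPTS_V6 = [(0, "2001:db8:0:1::a"), (600, "2001:db8:0:1::b")]

if __name__ == "__main__":
    print("/24:", replay(ATTEMPTS_V4, v4_prefix=24))  # retry is a new triplet
    print("/22:", replay(ATTEMPTS_V4, v4_prefix=22))  # retry matches first try
    print("/64:", replay(ATTEMPTS_V6))                # IPv6 default prefix
```

A shorter prefix length also places more unrelated hosts under one greylist entry, so it should be no shorter than the sending pools you actually need to cover.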
<br />
* Better UX for the User Spam Quarantine interface<br />
** If selected in the Quarantine view, the From header and the Subject are now displayed on top of the mail body.<br />
** It is now possible to delete mail addresses containing certain special characters (for example '/') from a user's black- or whitelist.<br />
** Users can set their preferred language directly in the quarantine interface instead of having to log out to change the setting.<br />
** Fixed a bug in the selection of multiple e-mails.<br />
<br />
* Handling of changes to overridden templates with <code>ucf</code><br />
** Starting with this release, all service configuration templates copied and modified in <code>/etc/pmg/templates</code> get registered with <code>ucf</code>. Should an overridden template change with a new package version, the administrator is asked and can accept or reject the changes.<br />
** All users who have templates in <code>/etc/pmg/templates</code> will be asked about the current changes for the initial registration.<br />
<br />
* New What Object: 'Match Archive Filename'<br />
** In addition to matching files in archives (zip, tar.gz, rar,...) based on the file's content-type, it is also possible to look for particular filename patterns inside of archives.<br />
** This completes the feature matrix of matching files based on content-type or filename, as plain attachments, or inside archives.<br />
<br />
* Support for downstream LMTP servers<br />
** In certain setups there is no advantage in having a dedicated SMTP server for receiving e-mails from Proxmox Mail Gateway, since all used functionality is provided by an MTA, which speaks IMAP and LMTP (e.g., Dovecot).<br />
** It is now possible to configure Proxmox Mail Gateway to send e-mails directly to an LMTP relay, both as default transport and only as transport for certain domains.<br />
<br />
* Improvements to recently added features<br />
** Before-queue filtering and DKIM signing, both implemented with Proxmox Mail Gateway 6.1, have a better user experience and are considered stable now.<br />
** Some remaining glitches and bugs fixed for both. <br />
** DKIM selector handling can handle the existence of multiple selectors and in the GUI, users can comfortably switch between the active selector.<br />
<br />
* TLS policy selection for internal downstream servers<br />
** It is now possible to specify a desired level of encryption and authentication for the opportunistic TLS-encryption (STARTTLS) for downstream servers entered in your transports.<br />
** This can help to ensure that your internal communication is not sent in the clear over the network. It can also be used to work around broken TLS implementations in legacy downstream servers.<br />
<br />
* Improvements to general usability<br />
** The unbounded growth of the Quarantine disk usage for non-master nodes in clustered setups is fixed.<br />
** It's now possible to switch to incremental updates of the AV signatures for ClamAV via GUI, alleviating the problem that both methods fail in certain cases for some users.<br />
==Proxmox Mail Gateway 6.1==<br />
'''Released 27. November 2019'''<br />
<br />
* Based on Debian Buster (10.2)<br />
** Proxmox Mail Gateway is based on the latest stable release of Debian 10.2 (Buster).<br />
* Updated SpamAssassin rules<br />
* Kernel 5.3<br />
** Proxmox Mail Gateway shares the kernel with Proxmox VE and is based on the 5.3 series from Ubuntu 19.10<br />
<br />
* DKIM-Signing<br />
** Support for adding DomainKeys Identified Mail (DKIM) Signatures (RFC 6376) to outbound emails<br />
** Configuration via GUI<br />
** Signing happens after processing the email with the rule system, thus ensuring that it leaves the Proxmox Mail Gateway with a valid signature<br />
** Flexible control of which domains should get signed with sensible defaults (the relay domains)<br />
** Inside a cluster, one common selector minimizes the overhead for adding required DNS entries<br />
<br />
* Attachment Quarantine<br />
** The <code>Remove Attachments</code> action can now optionally deliver the complete email to the Attachment Quarantine<br />
** The Attachment Quarantine offers a comfortable GUI for selectively downloading parts of the email for further analysis, or delivering the mail to the original recipient<br />
** Accessible only by the administrators, it offers safety from accidentally opening malicious executables, doc-files, and other attachments infected with malware<br />
<br />
* Adjustable SpamAssassin Rule Scores via GUI<br />
** Adapt the scores of individual SpamAssassin rules directly in the GUI<br />
** Enables you to adapt the scoring to your environment, thus achieving better ham/spam detection rates<br />
** Mostly for adding a bit of weight to rules, which are good indicators for Spam in your environment<br />
** Selectively disable Rules, which cause false positives for your environment<br />
<br />
* Improved handling of Configuration and Rule changes in clustered environments<br />
** The Filtering Engine gets notified about a range of configuration changes which require a reload<br />
** The notification is propagated during the cluster sync<br />
** This reduces the situations where you had to manually restart <code>pmg-smtp-filter</code><br />
<br />
* Experimental Support for Before Queue filtering<br />
** Proxmox Mail Gateway can now optionally reject an email during the SMTP dialogue, instead of accepting it and silently discarding unwanted email<br />
** This is a requirement in certain situations<br />
** By answering with a permanent failure code (<code>554</code>), there is no need to generate a Non-Delivery Report, which could cause your system to get blacklisted, due to Backscatter<br />
** Currently incompatible with the Tracking Center, thus needs to be explicitly enabled in <code>/etc/pmg/pmg.conf</code><br />
<br />
* Improvements to general usability<br />
** Clarification of ambiguously used terms in the GUI and documentation<br />
** More detailed documentation of the Service Configuration Templates<br />
** Downloading of emails larger than 2 MB as <nowiki>eml</nowiki> from the Spam Quarantine now works<br />
** API-Viewer now usable from inside every running PMG installation at https://pmg.local:8006/api-viewer/index.html or just online via https://pmg.proxmox.com/pmg-docs/api-viewer/index.html<br />
<br />
==Proxmox Mail Gateway 6.0==<br />
'''Released 27. August 2019'''<br />
<br />
*Proxmox Mail Gateway is based on the latest stable release of Debian 10.0 (Buster)<br />
*This major version update provides an easy to follow step-by-step upgrade path - https://pmg.proxmox.com/wiki/index.php/Upgrade_from_5.x_to_6.0<br />
*Rule name logging - each final action now logs the name of the rule which triggered it to the system log<br />
*The system logs get displayed faster in the GUI because they now use the Proxmox `mini-journalreader` instead of `journalctl`<br />
*ClamAV 0.101.4 (fix for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934359)<br />
*Postgres 11 (new major version backing the rule system)<br />
*OpenSSL 1.1.1c with support for TLS 1.3<br />
*Updated shipped SpamAssassin Ruleset<br />
*Countless bugfixes and improvements in the GUI labels<br />
<br />
==Proxmox Mail Gateway 5.2==<br />
'''Released 20. March 2019'''<br />
<br />
*Mobile Quarantine Interface<br />
**based on the small and modern framework7<br />
**Deliver/Delete/Whitelist/Blacklist mails in your Quarantine from your mobile device<br />
*Improvements in the LDAP integration<br />
**allow the use of FQDNs instead of IPs in the WebUI<br />
**add support for certificate verification (and enable it for new deployments)<br />
**add support for LDAP+starttls<br />
*PMG-Appliance template<br />
**Install PMG as a (unprivileged) Linux Container (e.g. in PVE)<br />
**Introduces the new 'proxmox-mailgateway-container' metapackage, which does not depend on a kernel, and results in a vastly reduced size (and fewer updates)<br />
*Improvements in Logging<br />
**pmg-smtp-filter now logs each SA-Rules score in addition to the rule names - simplifying the analysis of the spam filter's performance without the need to access the mail's source<br />
*Improvements in the WebUI's TLS configuration<br />
**pmgproxy can now be configured via '/etc/default/pmgproxy' to disable/enable certain ciphers, compression, and cipher selection preference.<br />
*new command: `pmg-system-report`<br />
**Provides an overview of key characteristics of PMG's setup and performance<br />
**Improves the initial diagnosis for our Enterprise support<br />
*.eml download from the (non-mobile) Quarantine Interface<br />
**Lets you download the complete source of a quarantined message in .eml format for further analysis<br />
*Add support for custom checks<br />
**Enable users to integrate their own custom check logic by providing a defined interface, which can optionally be enabled, and runs a custom check before the mail gets handed to the virus scanner and rule system.<br />
*Improvements of Blacklist/Whitelist handling in the Quarantine Interface<br />
**multiselect for removing multiple entries at once<br />
*proxmox-spamassassin<br />
**Update the shipped rulesets<br />
*PMG-Cluster: full IPv6 support<br />
*ISO works on Citrix XenServer<br />
*Documentation available via https://pmg.proxmox.com/pmg-docs<br />
*Bugfixes<br />
<br />
==Proxmox Mail Gateway 5.1==<br />
'''Released 05. October 2018'''<br />
<br />
*Allow configuring the TLS policy via GUI<br />
*New 'helpdesk' role<br />
*Support SMTPUTF8 protocol feature<br />
*GUI improvements<br />
*Update Debian Stretch 9.5<br />
*Update kernel to 4.15<br />
*Bugfixes<br />
<br />
==Proxmox Mail Gateway 5.0==<br />
'''Released 23. January 2018'''<br />
<br />
*Fully licensed under the open source license AGPL<br />
*Based on Debian Stretch 9.3 with a 4.13.13 kernel<br />
*ISO installer supports all ZFS raid levels<br />
*ExtJS based user interface<br />
*New API<br />
*Integrated documentation<br />
*Subscription-based enterprise support options (similar to the Proxmox VE support subscription model)<br />
*Bug fixes<br />
<br />
== Old Releases ==<br />
*Proxmox Mail Gateway 4.1<br />
*Proxmox Mail Gateway 4.0<br />
*Proxmox Mail Gateway 3.1<br />
*Proxmox Mail Gateway 3.0<br />
*Proxmox Mail Gateway 2.6<br />
*Proxmox Mail Gateway 2.5<br />
*Proxmox Mail Gateway 2.4<br />
*Proxmox Mail Gateway 2.3<br />
*Proxmox Mail Gateway 2.2<br />
*Proxmox Mail Gateway 2.1<br />
*Proxmox Mail Gateway 2.0<br />
*Proxmox Mail Gateway 1.7<br />
*Proxmox Mail Gateway 1.6<br />
*Proxmox Mail Gateway 1.5<br />
*Proxmox Mail Gateway 1.4<br />
*Proxmox Mail Gateway 1.3<br />
*Proxmox Mail Gateway 1.2<br />
*Proxmox Mail Gateway 1.1<br />
*Proxmox Mail Gateway 1.0 (April 2005)</div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=Main_Page&diff=109Main Page2023-03-28T09:21:23Z<p>Martin: /* Download */</p>
<hr />
<div>__NOTOC__<br />
<TABLE><br />
<tr valign=top><br />
<td><br />
<br />
'''Proxmox Mail Gateway''' is an open-source email security platform based on Debian GNU/Linux. It protects your mail server from spam, viruses, trojans and phishing emails. The full featured mail proxy is deployed between the firewall and the internal mail server and allows you to control all incoming and outgoing email traffic from a single platform with a central web-based management interface. Proxmox Mail Gateway is open-source software, licensed under the GNU AGPL, v3.<br />
<br />
The project is developed and maintained by [https://www.proxmox.com/en/ Proxmox Server Solutions GmbH].<br />
<br />
For an overview of the Proxmox Mail Gateway key features see the [https://www.proxmox.com/en/proxmox-mail-gateway/features Proxmox website].<br />
<br />
=Download=<br />
[https://www.proxmox.com/downloads Download] the latest ISO image files.<br />
<br />
Alternate download: https://enterprise.proxmox.com/iso<br />
<br />
=Installation=<br />
<br />
The installation medium (CD or USB) is a complete operating system, including everything you need to install and run Proxmox Mail Gateway in only a few minutes. It can be installed bare-metal on dedicated hardware or in a virtual machine on all leading virtualization platforms. You can also install it on top of an existing Debian installation.<br />
<br />
'''Installing'''<br />
<br />
[https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_installation Installation of Proxmox Mail Gateway]<br />
<br />
[[Getting started with Proxmox Mail Gateway]]<br />
<br />
'''Upgrading'''<br />
<br />
[[Upgrade_from_5.x_to_6.0|Upgrade from Proxmox Mail Gateway 5.x to 6.0]]<br />
<br />
[[Upgrade_from_6.x_to_7.0|Upgrade from Proxmox Mail Gateway 6.x to 7.0]]<br />
<br />
=Documentation=<br />
The Proxmox Mail Gateway documentation is freely available in different formats such as HTML, PDF or EPUB, see [https://pmg.proxmox.com/pmg-docs/ Proxmox Mail Gateway Reference Documentation]. You can also access the documentation via the management interface of your Proxmox Mail Gateway installation by clicking on the contextual help buttons.<br />
<br />
The developer documentation explains how to get involved in the development process of the Proxmox Mail Gateway, see [[Developer Documentation]]<br />
<br />
=Release History and Roadmap=<br />
Take a look at the [[Roadmap]] for existing and upcoming features.<br />
<br />
=Video Tutorials=<br />
To get an overview of the Proxmox Mail Gateway, we regularly publish video tutorials on our website, see https://www.proxmox.com/training/video-tutorials.<br />
<br />
</td><br />
<td><br />
[[Image:Proxmox-Mail-Gateway-Statistics.png|thumb|300px|rightthumb|Proxmox Mail Gateway Statistics]]<br />
</td><br />
</tr><br />
</TABLE><br />
<br />
<!-- T.r.a.p <a href="mailto:user2@test.proxmox.org">do not use this address</a> --></div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=Main_Page&diff=107Main Page2023-03-28T09:20:44Z<p>Martin: /* Download */</p>
<hr />
<div>__NOTOC__<br />
<TABLE><br />
<tr valign=top><br />
<td><br />
<br />
'''Proxmox Mail Gateway''' is an open-source email security platform based on Debian GNU/Linux. It protects your mail server from spam, viruses, trojans and phishing emails. The full featured mail proxy is deployed between the firewall and the internal mail server and allows you to control all incoming and outgoing email traffic from a single platform with a central web-based management interface. Proxmox Mail Gateway is open-source software, licensed under the GNU AGPL, v3.<br />
<br />
The project is developed and maintained by [https://www.proxmox.com/en/ Proxmox Server Solutions GmbH].<br />
<br />
For an overview of the Proxmox Mail Gateway key features see the [https://www.proxmox.com/en/proxmox-mail-gateway/features Proxmox website].<br />
<br />
=Download=<br />
[https://www.proxmox.com/downloads Download] the latest ISO image files.<br />
<br />
Alternate download: https://enterprise.proxmox.com/iso<br />
<br />
=Installation=<br />
<br />
The installation medium (CD or USB) is a complete operating system, including everything you need to install and run Proxmox Mail Gateway in only a few minutes. It can be installed bare-metal on dedicated hardware or in a virtual machine on all leading virtualization platforms. You can also install it on top of an existing Debian installation.<br />
<br />
'''Installing'''<br />
<br />
[https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_installation Installation of Proxmox Mail Gateway]<br />
<br />
[[Getting started with Proxmox Mail Gateway]]<br />
<br />
'''Upgrading'''<br />
<br />
[[Upgrade_from_5.x_to_6.0|Upgrade from Proxmox Mail Gateway 5.x to 6.0]]<br />
<br />
[[Upgrade_from_6.x_to_7.0|Upgrade from Proxmox Mail Gateway 6.x to 7.0]]<br />
<br />
=Documentation=<br />
The Proxmox Mail Gateway documentation is freely available in different formats such as HTML, PDF or EPUB, see [https://pmg.proxmox.com/pmg-docs/ Proxmox Mail Gateway Reference Documentation]. You can also access the documentation via the management interface of your Proxmox Mail Gateway installation by clicking on the contextual help buttons.<br />
<br />
The developer documentation explains how to get involved in the development process of the Proxmox Mail Gateway, see [[Developer Documentation]]<br />
<br />
=Release History and Roadmap=<br />
Take a look at the [[Roadmap]] for existing and upcoming features.<br />
<br />
=Video Tutorials=<br />
To get an overview of the Proxmox Mail Gateway, we regularly publish video tutorials on our website, see https://www.proxmox.com/training/video-tutorials.<br />
<br />
</td><br />
<td><br />
[[Image:Proxmox-Mail-Gateway-Statistics.png|thumb|300px|rightthumb|Proxmox Mail Gateway Statistics]]<br />
</td><br />
</tr><br />
</TABLE><br />
<br />
<!-- T.r.a.p <a href="mailto:user2@test.proxmox.org">do not use this address</a> --></div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=Roadmap&diff=103Roadmap2023-03-28T09:10:41Z<p>Martin: Proxmox Mail Gateway 7.3 release</p>
<hr />
<div><div class="toclimit-2">__TOC__</div><br />
=Roadmap=<br />
*<s>SpamAssassin 4</s> done<br />
*Continuous security and bug fix updates<br />
=Release History=<br />
See also [https://forum.proxmox.com/forums/announcements.7/ Announcement forum]<br />
== Proxmox Mail Gateway 7.3 ==<br />
Released 28. March 2023: See [[Downloads]]<br />
* Based on Debian Bullseye (11.6)<br />
* Latest 5.15 Kernel as stable default<br />
* Newer 6.2 kernel as opt-in<br />
* ZFS 2.1.9<br />
* SpamAssassin 4.0.0 (new major version)<br />
* PostgreSQL 13.10<br />
<br />
=== Highlights ===<br />
<br />
* Proxmox Mail Gateway now provides a dark theme for the administrative and quarantine web interfaces.<br />
* SpamAssassin 4.0.0 was integrated, along with many of its new capabilities, like (optionally) scanning document contents (docx, pdf, images,...), or resolving URLs from url-shorteners.<br />
<br />
=== Changelog Overview ===<br />
<br />
==== Enhancements in the Rule System ====<br />
* New major release SpamAssassin 4.0.0, with many new features: <br />
** Detection of spam inside of attachments. This is implemented for the file types <code>.pdf</code>, <code>.odt</code>, <code>.docx</code>, <code>.doc</code>, <code>.rtf</code>, as well as images (through OCR).<br />
*:: Attachment scanning can be enabled using the Web UI (<code>Spam Detector</code> -> <code>Options</code>), which sets the <code>extract_text</code> option in the <code>spam</code> section of <code>/etc/pmg/pmg.conf</code>.<br />
*:: The dependencies required for attachment scanning are marked as optional but recommended dependencies of the <code>pmg-api</code> package.<br />
*:: This means that on systems that did not change the apt preference, the new dependencies should be pulled in automatically on upgrade; otherwise you might need to install them manually.<br />
*: Note that attachment scanning, and OCR in particular, increases CPU time spent per mail. Depending on email volume and available CPU power, you may see a significant increase in load.<br />
** Follow and analyze URL-shortener links.<br />
** Improved support for using information from DMARC-policies.<br />
** Improved handling of internationalized (IDN) domain names.<br />
* Adaptation of the SpamAssassin integration for version 4.0.0:<br />
: The SpamAssassin configuration files shipped with the <code>pmg-api</code> package were adapted to the new features.<br />
: <code>extract_text</code> was added as new option for the spam detector to disable content scanning, while most other new options are triggered with the <code>use_rbl</code> option.<br />
: On deployments with modified templates, the upgrade process will ask how changes should be merged. This provides an opportunity to re-evaluate which modifications are still needed.<br />
* Support enforcing TLS-only connections for mails from certain domains:<br />
: It is now possible to enforce TLS encryption for inbound mail, complementing the already-present TLS policy functionality for outbound mail.<br />
* Improved handling of SMTPUTF8:<br />
: Based on the user feedback on UTF-8 support for the rule system introduced in Proxmox Mail Gateway 7.2, it is now possible to disable SMTPUTF8 through the API and GUI.<br />
: The detection for SMTPUTF8 was aligned with the implementation in <code>postfix</code>.<br />
* The What objects "Match Archive Filename" now also use the optional filename from the GZIP header for matching.<br />
* Support trusted network entries with host bits set in the CIDR:<br />
: Quite a few deployments did use a CIDR with host-bits set, for example 192.0.2.5/24 instead of 192.0.2.0/24. This is now translated internally and handled correctly.<br />
* Ordering of multiple rules with the same priority is now stable, despite not being a recommended setup.<br />
<br />
==== Enhancements in the Web Interface (GUI) ====<br />
<br />
* Add a fully-integrated "Proxmox Dark" color theme variant of the long-time Crisp light theme.<br />
: By default, the <code>prefers-color-scheme</code> media query from the Browser/OS will be used to decide the default color scheme.<br />
: Users can override the theme via a newly added <code>Color Theme</code> menu in the user menu.<br />
* Add "Proxmox Dark" color theme to the Proxmox Mail Gateway reference documentation.<br />
: The <code>prefers-color-scheme</code> media query from the Browser/OS will be used to decide if the light or dark color scheme should be used.<br />
: The new dark theme is also available in the [https://pmg.proxmox.com/pmg-docs/api-viewer/index.html#/nodes/{node}/version Proxmox Mail Gateway API Viewer].<br />
* Task logs can now be downloaded directly as text files for further inspection.<br />
* The language chooser now displays, for each available language, both its native name as well as its name translated to the currently active language.<br />
* HTML-encode API results before rendering as additional hardening against XSS.<br />
* Automatically redirect HTTP requests to HTTPS for convenience.<br />
: This avoids "Connection reset" browser errors that can be confusing, especially after setting up a Proxmox Mail Gateway host the first time.<br />
* Invalid entries in advanced fields now cause the advanced panel to unfold, providing direct feedback.<br />
* Improved translations, among others:<br />
** Arabic<br />
** French<br />
** German<br />
** Italian<br />
** Japanese<br />
** Russian<br />
** Slovenian<br />
** Simplified Chinese<br />
<br />
==== Notable General Improvements and Bug Fixes ====<br />
* The documentation now has a chapter describing the statistics part of the GUI and API.<br />
* Mail delivery from quarantine uses new code for sending locally generated mail, with the following improvements:<br />
** Support for IPv6-only deployments and delivery status notifications.<br />
** Correct decoding of addresses containing UTF-8.<br />
* The cleanup before restoring the configuration from a backup was improved, preventing issues when restoring without rebooting the system.<br />
* Logging of errors when sending locally generated mail was improved.<br />
* Errors in files related to TLS-policy are now also reported in the syslog.<br />
* The output of <code>pmgdb dump</code> is now able to handle UTF-8 characters in rule names, object names, and comments.<br />
<br />
==== Installation ISO ====<br />
<br />
* The version of BusyBox shipped with the ISO was updated to version 1.36.0.<br />
* The EFI System Partition (ESP) defaults to 1 GiB of size if the root disk partition (<code>hdsize</code>) is bigger than 100 GB.<br />
* UTC can now be selected as timezone during installation.<br />
<br />
<div id="7.3-known-issues"></div><br />
<br />
=== Known Issues & Breaking Changes ===<br />
<br />
* The ISO does not ship the optional dependencies for extracting text from attachments. If you installed from the ISO and want to use the feature, you can simply install them manually:<br />
*: <code>apt install antiword docx2txt odt2txt poppler-utils tesseract-ocr unrtf</code><br />
== Proxmox Mail Gateway 7.2 ==<br />
'''Released 30. November 2022'''<br />
<br />
* Based on Debian Bullseye (11.5)<br />
* Latest 5.15 Kernel as stable default (5.15.74)<br />
* Newer 5.19 kernel as opt-in<br />
* ZFS 2.1.6<br />
* SpamAssassin 3.4.6 (with updated rule-set)<br />
* PostgreSQL 13.8<br />
<br />
'''Changelog Overview'''<br />
<br />
* Enhancements in the Rule system:<br />
** Improved handling of international emails<br />
*** Support for UTF-8 characters in the rule system (e.g. matching non-ASCII subjects).<br />
*** Better handling of [https://www.rfc-editor.org/rfc/rfc6531 SMTPUTF8 emails] (the smtp-dialogue already contains non-ASCII data, the headers contain UTF-8 data without MIME encoding).<br />
** Proper encoding for template-variable information in the Notifications and Modify Field actions.<br />
** MatchField now matches all occurrences of a header - not only the first one - especially relevant for <code>Received</code> headers.<br />
** Deprecated the <code>Attach</code>, <code>Counter</code> and <code>ReportSpam</code> Actions.<br />
*: While they were present in the code of Proxmox Mail Gateway, they were never exposed in the GUI or API.<br />
*: All three have now been deprecated and will be removed with version 8.0.<br />
<br />
* Improved Quarantine UX:<br />
** Quarantine interface for Administrators: many of the recent features for end-users in the Spam Quarantine have been ported to the administrator view:<br />
*** Allow selection of multiple mails.<br />
*** Context menu in the mail-listing.<br />
*** Display the Receiver information in the Attachment and Virus quarantines and the Mail Info widget.<br />
** Augmented the information visualization in the Spam information grid.<br />
*** The weight (number of points) and the type of impact (positive or negative) of SpamAssassin rules are now shown with colors and font-weights to make them easier to grasp.<br />
*** The rule IDs and scores are using a monospaced font for better comparison of values.<br />
** Colorized <code>Deliver</code> and <code>Delete</code> actions improve intuitive handling of the common actions.<br />
** Display of attachments in the Spam and Virus quarantines (for a more complete overview of the mail).<br />
** Attachment and Virus quarantines can now optionally be filtered by Receiver - especially helpful in larger deployments.<br />
** Display of descriptions for locally defined SpamAssassin rules.<br />
** Fix displaying the quarantine interface on narrow screens: Part of the action buttons were cut off and not reachable through scrolling.<br />
<br />
* Enhancements in the web interface (GUI):<br />
** The Postfix queue interface now displays the mail's headers in a decoded way - so that you see it as in your mail user agent.<br />
** The Statistic time selector no longer shows non-existent day/month combinations (e.g. the 31st of February).<br />
** Better spacing of the Field labels in the rule object edit windows.<br />
** Improved translations, among others:<br />
*** Dutch<br />
*** German<br />
*** Italian<br />
*** Polish<br />
*** Traditional Chinese<br />
*** Turkish<br />
<br />
* Support Proxmox Offline Mirroring & Subscription Handling<br />
** Proxmox Offline Mirror: The tool supports subscriptions and repository mirrors for air-gapped systems. The newly added [https://pom.proxmox.com proxmox-offline-mirror] utility can now be used to keep Proxmox Mail Gateway hosts without access to the public internet up to date and running with a valid subscription.<br />
<br />
* Notable General Improvements and Bugfixes:<br />
** Add IP networks uniquely to template variables (<code>postfix.mynetworks</code>)<br />
*: If you had multiple entries in your transport directory, all pointing to the same host, they were added multiple times to the variable used in the configuration system.<br />
** Support for Proxmox Backup Server Namespaces.<br />
** Spam report emails now correctly display the <code>From</code> header, even if it contains a comma (e.g. <code>"Lastname, Firstname" <firstname.lastname@domain.example></code>).<br />
** The left-over config file <code>/etc/apt/apt.conf.d/75pmgconf</code> was removed, enabling the automatic removal of obsolete kernel packages, which can take up significant amounts of space.<br />
** SpamAssassin updates now handle updates to multiple channels correctly on the first run.<br />
** Improved parsing of email attributes from LDAP profiles.<br />
** The directory is now changed to '/' before running <code>psql</code> as the <code>postgres</code> user, preventing harmless but confusing warnings from being printed by various Proxmox Mail Gateway CLI utilities.<br />
** Support disabling TLS 1.2 and configuring TLS 1.3 ciphers for <code>pmgproxy</code> - following the change for <code>pveproxy</code> in Proxmox VE.<br />
'''Upgrade from 6.4'''<br />
<br />
See [[Upgrade from 6.x to 7.0]]<br />
== Proxmox Mail Gateway 7.1 ==<br />
'''Released 30. November 2021'''<br />
* Based on Debian Bullseye (11.1)<br />
* Kernel 5.13<br />
* ZFS 2.1<br />
* SpamAssassin 3.4.6 (with updated rule-set)<br />
* PostgreSQL 13.5<br />
<br />
'''Changelog Overview'''<br />
<br />
* Enhancements in the web interface (GUI)<br />
** Improved configuration editing of LDAP backends: Changes can now be applied without having to specify a password.<br />
** The APT repository configuration, rather than being restricted to 'root', is now visible and editable by all users with 'Administrator' privileges.<br />
** Improved translations, among others:<br />
*** Arabic<br />
*** Basque<br />
*** Brazilian Portuguese<br />
*** French<br />
*** German<br />
*** Simplified Chinese<br />
*** Traditional Chinese<br />
*** Turkish<br />
<br />
* Two-Factor Authentication<br />
** Two-factor authentication (TFA) for the web interface. It shares the TFA implementation from Proxmox Backup Server, written in Rust.<br />
** Support for multiple types of second factors:<br />
*** WebAuthn, which supports a wide range of security devices, like hardware keys or trusted platform modules.<br />
*** Time-based One-Time Password (TOTP), a short code derived from a shared secret and the current time that changes every 30 seconds.<br />
*** Single use Recovery Keys.<br />
<br />
* Backend and API<br />
** Improved support for setups using DHCP for their network configuration:<br />
*: While email still requires working DNS records, you can now manage and configure the IP of your Proxmox Mail Gateway in your DHCP configuration.<br />
** When adding a new entry to a Who object, a duplicate check is performed before saving.<br />
** Better handling of trailing dot in domain-names:<br />
*: Proxmox Mail Gateway uses the first search domain from <code>/etc/resolv.conf</code> as domain name - it can now handle entries with a trailing dot.<br />
** Delivery status notification (DSN, RFC 3461) support for outbound email with enabled before-queue filtering.<br />
'''Upgrade from 6.4'''<br />
<br />
See [[Upgrade from 6.x to 7.0]]<br />
<br />
== Proxmox Mail Gateway 7.0 ==<br />
'''Released 15. July 2021'''<br />
* Based on Debian Bullseye (11)<br />
* SpamAssassin 3.4.6 (with updated rule-set)<br />
* Kernel 5.11<br />
* PostgreSQL 13<br />
<br />
'''Changelog Overview'''<br />
<br />
* Enhancements in the web interface (GUI)<br />
** Make dashboard status panel more detailed, showing, among other things, uptime, kernel version, CPU info and a high level repository status overview.<br />
** New APT repository management panel in the <code>Administration</code> tab shows an in-depth status and a list of all configured repositories.<br />
**: Basic repository management, for example, activating or deactivating a repository, is also supported.<br />
** Updated ExtJS JavaScript framework to latest GPL release 7.0<br />
** Added advanced task-log filtering<br />
** Improved translations, including:<br />
*** Arabic<br />
*** French<br />
*** German<br />
*** Japanese<br />
*** Polish<br />
*** Turkish<br />
<br />
* ACME/Let's Encrypt<br />
** Support the use of wildcard domains with the DNS plugins<br />
** API: nodeconfig: validate ACME config before writing<br />
<br />
* API<br />
** pmgproxy: allow setting LISTEN_IP parameter<br />
** The "Authentication mode" setting of <code>LDAP</code> for the quarantine interface no longer contains the ticket-link in the report-mails - thus, quarantine users need to provide their LDAP credentials to access the quarantine.<br />
<br />
* Installer:<br />
** Rework the installer environment to use <code>switch_root</code> instead of <code>chroot</code>, when transitioning from initrd to the actual installer.<br />
**: This improves module and firmware loading, and slightly reduces memory usage during installation.<br />
** Automatically detect HiDPI screens, and increase console font and GUI scaling accordingly. This improves UX for workstations with Proxmox VE (for example, for passthrough).<br />
** Improve ISO detection:<br />
*** Support ISOs backed by devices using USB Attached SCSI (UAS), which modern USB3 flash drives often do.<br />
*** Linearly increase the delay of subsequent scans for a device with an ISO image, bringing the total check time from 20s to 45s. This allows for the detection of very slow devices, while continuing faster in general.<br />
** Use <code>zstd</code> compression for the initrd image and the squashfs images.<br />
** Update to busybox 1.33.1 as the core-utils provider.<br />
<br />
* libarchive-perl<br />
** The perl-bindings to <code>libarchive</code> have been updated to match <code>libarchive</code> version 3.4.3 (shipped in Debian Bullseye) - the library interface was kept backwards-compatible<br />
<br />
* libxdgmime-perl<br />
** The perl-bindings to [https://gitlab.freedesktop.org/xdg/xdgmime xdgmime] have been updated to match current upstream - the library interface was kept backwards-compatible<br />
<br />
<div id="7.0-breaking-changes"></div><br />
'''Breaking Changes'''<br />
* New default bind address for pmgproxy, unifying the default behavior with Proxmox VE and Proxmox Backup Server<br />
** In making the LISTEN_IP configurable, the daemon now binds to both wildcard addresses (IPv4 <code>0.0.0.0:8006</code> and IPv6 <code>[::]:8006</code>) by default.<br />
*: Should you wish to prevent it from listening on IPv6, simply configure the IPv4 wildcard as LISTEN_IP in <code>/etc/default/pmgproxy</code>:<br />
*: <code>LISTEN_IP="0.0.0.0"</code><br />
** Additionally, the logged IP address format changed for IPv4 in pmgproxy's access log (<code>/var/log/pmgproxy/pmgproxy.log</code>). They are now logged as IPv4-mapped IPv6 addresses. Instead of:<br />
*: <code>192.0.2.1- root@pam [01/06/2021:01:19:03 +0200] "GET /api2/json/config/ruledb/digest HTTP/1.1" 200 51</code><br />
*: the line now looks like:<br />
*: <code>::ffff:192.0.2.1- root@pam [01/06/2021:01:19:03 +0200] "GET /api2/json/config/ruledb/digest HTTP/1.1" 200 51</code><br />
*: If you want to restore the old logging format, also set <code>LISTEN_IP="0.0.0.0"</code>.<br />
<br />
* ClamAV has [https://blog.clamav.net/2021/04/are-you-still-attempting-to-download.html deprecated the SafeBrowsing feature]:<br />
** These options have been removed from the shipped <code>freshclam.conf.in</code> template.<br />
** The <code>safebrowsing</code> config key in <code>/etc/pmg/pmg.conf</code> is currently ignored and will be dropped at some point in the future.<br />
<br />
* Changes to the database layout:<br />
** The <code>host</code> column of the <code>cgreylist</code> table, which has not been used since Proxmox Mail Gateway 6.2, has been dropped from the schema and will be dropped from existing databases during the upgrade.<br />
<br />
* API deprecations, moves and removals<br />
** The <code>upgrade</code> parameter of the <code>/nodes/{node}/termproxy</code> API method has been replaced by providing <code>upgrade</code> as <code>cmd</code> parameter.<br />
** The <code>domain</code> parameter of the <code>/config/tlspolicy</code> API method has been replaced by the <code>destination</code> parameter.<br />
** The <code>/quarantine/whitelist/{address}</code> and <code>/quarantine/blacklist/{address}</code> API methods, that take the address as part of the path, have been deprecated in favor of explicitly providing the parameter in the request to <code>/quarantine/whitelist</code> and <code>/quarantine/blacklist</code> respectively.<br />
** The API methods for detailed statistics per e-mail address, which take the address as part of the path (<code>/statistics/contact/{contact}</code>, <code>/statistics/sender/{sender}</code> and <code>/statistics/receiver/{receiver}</code>), have been deprecated in favor of <code>/statistics/detail</code>, which takes the address as an explicit parameter.<br />
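The access-log change described under the new default bind address matters for anything that keys on the client address (alert rules, rate counters, allow-lists): after the upgrade the same IPv4 host appears as <code>::ffff:a.b.c.d</code>. The following is an added example, not Proxmox code, that parses both forms and folds IPv4-mapped addresses back to plain IPv4; the field layout is inferred from the two log lines quoted above, and every sample line other than those two is constructed.

```python
import ipaddress
import re
from collections import Counter

# Layout inferred from the release note's sample lines:
#   <client>- <user> [<timestamp>] "<request>" <status> <bytes>
# Whitespace before the "-" is optional, so "192.0.2.1-" (as printed in the
# note) and "192.0.2.1 -" are both accepted.
LINE_RE = re.compile(
    r'^(?P<client>[0-9A-Fa-f:.]+)\s*-\s+'
    r'(?P<user>\S+)\s+'
    r'\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<request>[^"]*)"\s+'
    r'(?P<status>\d{3})\s+'
    r'(?P<size>\d+|-)\s*$'
)


def normalise_client(addr):
    """Return a canonical address: IPv4-mapped IPv6 is folded to IPv4."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on junk
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)


def parse_line(line):
    """Parse one access-log line; return a dict, or None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    try:
        rec["client_norm"] = normalise_client(rec["client"])
    except ValueError:
        return None
    rec["status"] = int(rec["status"])
    return rec


def count_by_client(lines, status, normalise=True):
    """Count requests with the given HTTP status per client address."""
    key = "client_norm" if normalise else "client"
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["status"] == status:
            hits[rec[key]] += 1
    return hits


# The first two lines are the ones quoted in the release note; the rest are
# constructed for this example (same host before and after the upgrade, a
# native IPv6 client, and one line that does not match the format).
SAMPLE = [
    '192.0.2.1- root@pam [01/06/2021:01:19:03 +0200] '
    '"GET /api2/json/config/ruledb/digest HTTP/1.1" 200 51',
    '::ffff:192.0.2.1- root@pam [01/06/2021:01:19:03 +0200] '
    '"GET /api2/json/config/ruledb/digest HTTP/1.1" 200 51',
    '192.0.2.7 - - [01/06/2021:01:20:10 +0200] '
    '"POST /api2/json/access/ticket HTTP/1.1" 401 -',
    '::ffff:192.0.2.7 - - [02/06/2021:09:02:44 +0200] '
    '"POST /api2/json/access/ticket HTTP/1.1" 401 -',
    '2001:db8::10 - - [02/06/2021:09:03:00 +0200] '
    '"POST /api2/json/access/ticket HTTP/1.1" 401 -',
    'not an access log line',
]

if __name__ == "__main__":
    print("raw keys:       ", dict(count_by_client(SAMPLE, 401, normalise=False)))
    print("normalised keys:", dict(count_by_client(SAMPLE, 401)))
```

Keyed on the raw field, the constructed host <code>192.0.2.7</code> is counted under two different names across the upgrade, so a per-client threshold would see only half of its failures; after normalisation the counts are merged while native IPv6 clients are left untouched.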
<br />
<div id="7.0-known-issues"></div><br />
'''Known Issues'''<br />
* '''Network''': Due to the updated systemd version, and for most upgrades, the newer kernel version (5.4 to 5.11), some network interfaces might change upon reboot:<br />
** Some may change their name. For example, due to newly supported functions, a change from <code>enp33s0f0</code> to <code>enp33s0f0np0</code> could occur.<br />
**: We observed such changes with high-speed Mellanox models.<br />
** [https://sources.debian.org/src/bridge-utils/1.7-1/debian/NEWS/#L3-L23 Bridge MAC address selection has changed in Debian Bullseye] - it is now generated based on the interface name and the <code>machine-id (5)</code> of the system.<br />
**: Note that by default, Proxmox Mail Gateway does not use a Linux Bridge for networking, so most setups are unaffected.<br />
* '''Machine-id''': Systems installed using the Proxmox Mail Gateway 5.0 to 5.4 ISO may have a non-unique machine-id. These systems will have their machine-id re-generated automatically on upgrade, to avoid a potentially duplicated bridge MAC and other issues.<br />
: If you do the upgrade remotely, make sure you have a backup method of connecting to the host (for example, IPMI/iKVM, tiny-pilot, another network accessible by a cluster node, or physical access), in case the network used for SSH access becomes unreachable, due to the network failing to come up after a reboot.<br />
<br />
'''Upgrade from 6.4'''<br />
<br />
See [[Upgrade from 6.x to 7.0]]<br />
<br />
==Proxmox Mail Gateway 6.4==<br />
'''Released 30. March 2021'''<br />
* Based on Debian Buster (10.9)<br />
* SpamAssassin 3.4.5 (with updated ruleset)<br />
* Kernel 5.4.106<br />
* ACME integration<br />
** Proxmox Mail Gateway now offers full integration of the ACME protocol via the GUI, enabling administrators to create valid and trusted certificates for their domains with the Let's Encrypt certificate authority, in the same way as with Proxmox VE.<br />
** Full support for the <code>http-01</code> and <code>dns-01</code> challenges, with all plugins from [https://github.com/acmesh-official/acme.sh acme.sh].<br />
** Easily configurable from the GUI.<br />
* General Certificate Management via the GUI<br />
** It is now possible to upload custom certificates from the web interface, or set up a cluster-wide ACME account to automatically get and renew certificates from an ACME provider.<br />
* Support for external SpamAssassin update channels (regular automated updates).<br />
** By providing a short configuration file containing a SpamAssassin rule channel's URL and GPG key, Proxmox Mail Gateway will now fetch verified updates from that channel, along with the updates from updates.spamassassin.org.<br />
** The KAM ruleset channel is now available, and a suitable configuration file is shipped with <code>proxmox-spamassassin</code>.<br />
* Improved Quarantine Management<br />
** The admin view of the Spam Quarantine can now display quarantined mail of all users at once.<br />
** All Quarantine views (admin and user) allow you to filter for subject or sender.<br />
** The spam quarantine can now process huge amounts of mails at once (> 3200).<br />
* TLS-logging improvements to the Tracking Center<br />
** The Tracking Center now shows when an outbound connection is established over TLS.<br />
* Enhancements to the Integration of Proxmox Backup Server<br />
** It is now possible to get notified about the result of a scheduled backup to a configured Proxmox Backup Server Remote.<br />
** Inclusion of the (potentially large) statistics database is now configurable per Remote.<br />
* Notable Bugfixes:<br />
** Support for '/' in the local part of an e-mail address (quarantine and statistics view).<br />
<br />
==Proxmox Mail Gateway 6.3==<br />
'''Released 19. November 2020'''<br />
<br />
* Based on Debian Buster (10.6)<br />
* Updated SpamAssassin rules<br />
* Kernel 5.4.73<br />
* Proxmox Backup Server Integration<br/>Proxmox Mail Gateway is fully supported by the new Proxmox Backup Server 1.0, released on November 11, 2020:<br />
** Backing up to multiple remote backup servers: You can define multiple remote instances of Proxmox Backup Server to store backups on. In case of a large-scale disaster, they can be quickly restored.<br />
** Scheduled Backups: You can schedule regular backups via the GUI, which will then be automatically triggered by a systemd-timer unit. This removes the need for manual backup creation and individual, scripted solutions.<br />
* Quarantine Link via login-page<br />Users can request mails containing a link to their quarantine view, if enabled by the Admin. This enables users to edit their individual blocklists, even if no mails are in their quarantine. Until now this was only possible for sites using LDAP.<br />
* Improvements to the Tracking Center<br />To further improve user experience in the tracking center, pmg-log-tracker handles certain cases better:<br />
** The case sensitivity has been removed from the search box.<br />
** In case the pmg-smtp-filter fails to process emails due to misconfiguration, they are now marked as rejected.<br />
* Notable Bugfixes:<br />
** DKIM signing now uses the longest matching domain for the 'd=' tag.<br />
** Mails held in the Attachment Quarantine are assigned a new Message-ID - fixing interoperability with certain downstream servers (for example, MS Exchange), which silently discard messages with duplicate Message-IDs.<br />
<br />
==Proxmox Mail Gateway 6.2==<br />
'''Released 28. April 2020'''<br />
<br />
* Based on Debian Buster (10.3)<br />
** Proxmox Mail Gateway is based on the latest stable release of Debian 10.3 (Buster).<br />
* SpamAssassin 3.4.4<br />
** Proxmox ships the latest upstream release of Apache SpamAssassin with an updated and enhanced ruleset (KAM rules added)<br />
* Kernel 5.4<br />
** Proxmox Mail Gateway shares the kernel with Proxmox VE and is based on the 5.4 series from Ubuntu 20.04<br />
* pmg-log-tracker in Rust<br />
** <code>pmg-log-tracker</code> has been extended and reimplemented in the Rust programming language. <code>pmg-log-tracker</code> is the binary at the core of the Message Tracking Center, providing live searchable and grouped logs in the GUI.<br />
** The new <code>pmg-log-tracker</code> has support for parsing and grouping logs in before-queue filtering mode.<br />
** The refresh of the code base of <code>pmg-log-tracker</code> provides optimized performance and more stability.<br />
<br />
* Support for before-queue filtering in the GUI<br />
** With the added support for displaying before-queue filtering logs in the GUI and fixing some minor glitches in that area, the before-queue filtering can now be comfortably enabled in the GUI.<br />
<br />
* Improved IPv6 support<br />
** The Mail Proxy's SPF checker also verifies SPF records for those remote mail servers connecting via IPv6. <br />
** Greylisting support for IPv6 addresses (with variable netmask, defaulting to '/64') - needs to be explicitly enabled.<br />
** Who objects containing IPv6 literal addresses now work.<br />
<br />
* Customizable netmask length for greylist matching<br />
** Instead of fixing a greylist network to a '/24' the administrator can now configure which hosts should be considered as belonging to the same network by setting a larger (or smaller) prefix.<br />
** This can help with receiving mail from some cloud providers, who send out one mail from different IP addresses within a large network, which usually leads to a rather long delay and sometimes even to a legitimate mail being rejected.<br />
** Due to the changed database layout partial upgrades of clusters will prevent nodes running the older version from syncing the greylist database until they are upgraded.<br />
<br />
* Better UX for the User Spam Quarantine interface<br />
** If selected in the Quarantine view, the From header and the Subject are now displayed on top of the mail body.<br />
** It is now possible to delete mail addresses containing certain special characters (for example '/') from a user's black- or whitelist.<br />
** Users can set their preferred language directly in the quarantine interface instead of having to log out to change the setting.<br />
** Fixed a bug in the selection of multiple e-mails.<br />
<br />
* Handling of changes to overridden templates with <code>ucf</code><br />
** Starting with this release, all service configuration templates copied and modified in <code>/etc/pmg/templates</code> get registered with <code>ucf</code>. Should an overridden template change with a new package version, the administrator is asked and can accept or reject the changes.<br />
** All users who have templates in <code>/etc/pmg/templates</code> will be asked about the current changes for the initial registration.<br />
<br />
* New What Object: 'Match Archive Filename'<br />
** In addition to matching files in archives (zip, tar.gz, rar,...) based on the file's content-type, it is also possible to look for particular filename patterns inside of archives.<br />
** This completes the feature matrix of matching files based on content-type or filename, as plain attachments, or inside archives.<br />
<br />
* Support for downstream LMTP servers<br />
** In certain setups there is no advantage in having a dedicated SMTP server for receiving e-mails from Proxmox Mail Gateway, since all used functionality is provided by an MTA that speaks IMAP and LMTP (e.g., Dovecot).<br />
** It is now possible to configure Proxmox Mail Gateway to send e-mails directly to an LMTP relay, both as default transport and only as transport for certain domains.<br />
<br />
* Improvements to recently added features<br />
** Before-queue filtering and DKIM signing, both implemented with Proxmox Mail Gateway 6.1, have a better user experience and are considered stable now.<br />
** Some remaining glitches and bugs fixed for both. <br />
** DKIM selector handling can handle the existence of multiple selectors and in the GUI, users can comfortably switch between the active selector.<br />
<br />
* TLS policy selection for internal downstream servers<br />
** It is now possible to specify a desired level of encryption and authentication for the opportunistic TLS-encryption (STARTTLS) for downstream servers entered in your transports.<br />
** This can help to ensure that your internal communication is not sent in the clear over the network. It can also be used to work around broken TLS implementations in legacy downstream servers.<br />
<br />
* Improvements to general usability<br />
** The unbounded growth of the Quarantine disk usage for non-master nodes in clustered setups is fixed.<br />
** It's now possible to switch to incremental updates of the AV signatures for ClamAV via GUI, alleviating the problem that both methods fail in certain cases for some users.<br />
==Proxmox Mail Gateway 6.1==<br />
'''Released 27. November 2019'''<br />
<br />
* Based on Debian Buster (10.2)<br />
** Proxmox Mail Gateway is based on the latest stable release of Debian 10.2 (Buster).<br />
* Updated SpamAssassin rules<br />
* Kernel 5.3<br />
** Proxmox Mail Gateway shares the kernel with Proxmox VE and is based on the 5.3 series from Ubuntu 19.10<br />
<br />
* DKIM-Signing<br />
** Support for adding DomainKeys Identified Mail (DKIM) Signatures (RFC 6376) to outbound emails<br />
** Configuration via GUI<br />
** Signing happens after processing the email with the rule system, thus ensuring that it leaves the Proxmox Mail Gateway with a valid signature<br />
** Flexible control of which domains should get signed with sensible defaults (the relay domains)<br />
** Inside a cluster, one common selector minimizes the overhead for adding required DNS entries<br />
<br />
* Attachment Quarantine<br />
** The <code>Remove Attachments</code> action can now optionally deliver the complete email to the Attachment Quarantine<br />
** The Attachment Quarantine offers a comfortable GUI for selectively downloading parts of the email for further analysis, or delivering the mail to the original recipient<br />
** Accessible only by the administrators, it offers safety from accidentally opening malicious executables, doc-files, and other attachments infected with malware<br />
<br />
* Adjustable SpamAssassin Rule Scores via GUI<br />
** Adapt the scores of individual SpamAssassin rules directly in the GUI<br />
** Enables you to adapt the scoring to your environment, thus achieving better ham/spam detection rates<br />
** Mostly for adding a bit of weight to rules, which are good indicators for Spam in your environment<br />
** Selectively disable Rules, which cause false positives for your environment<br />
<br />
* Improved handling of Configuration and Rule changes in clustered environments<br />
** The Filtering Engine gets notified about a range of configuration changes which require a reload<br />
** The notification is propagated during the cluster sync<br />
** This reduces the situations where you had to manually restart <code>pmg-smtp-filter</code><br />
<br />
* Experimental Support for Before Queue filtering<br />
** Proxmox Mail Gateway can now optionally reject an email during the SMTP dialogue, instead of accepting it and silently discarding unwanted email<br />
** This is a requirement in certain situations<br />
** By answering with a permanent failure code (<code>554</code>), there is no need to generate a Non-Delivery Report, which could cause your system to get blacklisted, due to Backscatter<br />
** Currently incompatible with the Tracking Center, thus needs to be explicitly enabled in <code>/etc/pmg/pmg.conf</code><br />
<br />
* Improvements to general usability<br />
** Clarification of ambiguously used terms in the GUI and documentation<br />
** More detailed documentation of the Service Configuration Templates<br />
** Downloading of emails larger than 2 MB as <nowiki>eml</nowiki> from the Spam Quarantine now works<br />
** API-Viewer now usable from inside every running PMG installation at https://pmg.local:8006/api-viewer/index.html or just online via https://pmg.proxmox.com/pmg-docs/api-viewer/index.html<br />
<br />
==Proxmox Mail Gateway 6.0==<br />
'''Released 27. August 2019'''<br />
<br />
*Proxmox Mail Gateway is based on the latest stable release of Debian 10.0 (Buster)<br />
*This major version update provides an easy to follow step-by-step upgrade path - https://pmg.proxmox.com/wiki/index.php/Upgrade_from_5.x_to_6.0<br />
*Rule name logging - each final action now logs the name of the rule which triggered it to the system log<br />
*The system logs get displayed faster in the GUI because they now use the Proxmox `mini-journalreader` instead of `journalctl`<br />
*ClamAV 0.101.4 (fix for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934359)<br />
*Postgres 11 (new major version backing the rule system)<br />
*OpenSSL 1.1.1c with support for TLS 1.3<br />
*Updated shipped SpamAssassin Ruleset<br />
*Countless bugfixes and improvements in the GUI labels<br />
<br />
==Proxmox Mail Gateway 5.2==<br />
'''Released 20. March 2019'''<br />
<br />
*Mobile Quarantine Interface<br />
**based on the small and modern framework7<br />
**Deliver/Delete/Whitelist/Blacklist mails in your Quarantine from your mobile device<br />
*Improvements in the LDAP integration<br />
**allow the use of FQDNs instead of IPs in the WebUI<br />
**add support for certificate verification (and enable it for new deployments)<br />
**add support for LDAP+starttls<br />
*PMG-Appliance template<br />
**Install PMG as a (unprivileged) Linux Container (e.g. in PVE)<br />
**Introduces the new 'proxmox-mailgateway-container' metapackage, which does not depend on a kernel and results in a vastly reduced size (and fewer updates)<br />
*Improvements in Logging<br />
**pmg-smtp-filter now logs each SA-Rules score in addition to the rule names - simplifying the analysis of the spam filter's performance without the need to access the mail's source<br />
*Improvements in the WebUI's TLS configuration<br />
**pmgproxy can now be configured via '/etc/default/pmgproxy' to disable/enable certain ciphers, compression, cipher selection preference.<br />
*new command: `pmg-system-report`<br />
**Provides an overview of key characteristics of PMG's setup and performance<br />
**Improves the initial diagnosis for our Enterprise support<br />
*.eml download from the (non-mobile) Quarantine Interface<br />
**Lets you download the complete source of a quarantined message in .eml format for further analysis<br />
*Add support for custom checks<br />
**Enable users to integrate their own custom check logic by providing a defined interface, which can optionally be enabled, and runs a custom check before the mail gets handed to the virus scanner and rule system.<br />
*Improvements of Blacklist/Whitelist handling in the Quarantine Interface<br />
**multiselect for removing multiple entries at once<br />
*proxmox-spamassassin<br />
**Update the shipped rulesets<br />
*PMG-Cluster: full IPv6 support<br />
*ISO works on Citrix XenServer<br />
*Documentation available via https://pmg.proxmox.com/pmg-docs<br />
*Bugfixes<br />
<br />
==Proxmox Mail Gateway 5.1==<br />
'''Released 05. October 2018'''<br />
<br />
*Allow to configure TLS policy via GUI<br />
*New 'helpdesk' role<br />
*Support SMTPUTF8 protocol feature<br />
*GUI improvements<br />
*Update Debian Stretch 9.5<br />
*Update kernel to 4.15<br />
*Bugfixes<br />
<br />
==Proxmox Mail Gateway 5.0==<br />
'''Released 23. January 2018'''<br />
<br />
*Fully licensed under the open source license AGPL<br />
*Based on Debian Stretch 9.3 with a 4.13.13 kernel<br />
*ISO installer supports all ZFS raid levels<br />
*ExtJS based user interface<br />
*New API<br />
*Integrated documentation<br />
*Subscription-based enterprise support options (similar to the Proxmox VE support subscription model)<br />
*Bug fixes<br />
<br />
== Old Releases ==<br />
*Proxmox Mail Gateway 4.1<br />
*Proxmox Mail Gateway 4.0<br />
*Proxmox Mail Gateway 3.1<br />
*Proxmox Mail Gateway 3.0<br />
*Proxmox Mail Gateway 2.6<br />
*Proxmox Mail Gateway 2.5<br />
*Proxmox Mail Gateway 2.4<br />
*Proxmox Mail Gateway 2.3<br />
*Proxmox Mail Gateway 2.2<br />
*Proxmox Mail Gateway 2.1<br />
*Proxmox Mail Gateway 2.0<br />
*Proxmox Mail Gateway 1.7<br />
*Proxmox Mail Gateway 1.6<br />
*Proxmox Mail Gateway 1.5<br />
*Proxmox Mail Gateway 1.4<br />
*Proxmox Mail Gateway 1.3<br />
*Proxmox Mail Gateway 1.2<br />
*Proxmox Mail Gateway 1.1<br />
*Proxmox Mail Gateway 1.0 (April 2005)</div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=Roadmap&diff=101Roadmap2022-11-30T10:28:19Z<p>Martin: </p>
<hr />
<div>=Roadmap=<br />
*SpamAssassin 4<br />
*Continuous security and bug fix updates<br />
=Release History=<br />
See also [https://forum.proxmox.com/forums/announcements.7/ Announcement forum]<br />
== Proxmox Mail Gateway 7.2 ==<br />
'''Released 30. November 2022'''<br />
<br />
* Based on Debian Bullseye (11.5)<br />
* Latest 5.15 Kernel as stable default (5.15.74)<br />
* Newer 5.19 kernel as opt-in<br />
* ZFS 2.1.6<br />
* SpamAssassin 3.4.6 (with updated rule-set)<br />
* PostgreSQL 13.8<br />
<br />
'''Changelog Overview'''<br />
<br />
* Enhancements in the Rule system:<br />
** Improved handling of international emails<br />
*** Support for UTF-8 characters in the rule system (e.g. matching non-ASCII subjects).<br />
*** Better handling of [https://www.rfc-editor.org/rfc/rfc6531 SMTPUTF8 emails] (the smtp-dialogue already contains non-ASCII data, the headers contain UTF-8 data without MIME encoding).<br />
** Proper encoding for template-variable information in the Notifications and Modify Field actions.<br />
** MatchField now matches all occurrences of a header - not only the first one - especially relevant for <code>Received</code> headers.<br />
** Deprecated the <code>Attach</code>, <code>Counter</code> and <code>ReportSpam</code> Actions.<br />
*: While they were present in the code of Proxmox Mail Gateway, they were never exposed in the GUI or API.<br />
*: All three have now been deprecated and will be removed with version 8.0.<br />
<br />
* Improved Quarantine UX:<br />
** Quarantine interface for Administrators: many of the recent features for end-users in the Spam Quarantine have been ported to the administrator view:<br />
*** Allow selection of multiple mails.<br />
*** Context menu in the mail-listing.<br />
*** Display the Receiver information in the Attachment and Virus quarantines and the Mail Info widget.<br />
** Augmented the information visualization in the Spam information grid.<br />
*** The weight (number of points) and the type of impact (positive or negative) of SpamAssassin rules are now shown with colors and font-weights to make them easier to grasp.<br />
*** The rule IDs and scores are using a monospaced font for better comparison of values.<br />
** Colorized <code>Deliver</code> and <code>Delete</code> actions improve intuitive handling of the common actions.<br />
** Display of attachments in the Spam and Virus quarantines (for a more complete overview of the mail).<br />
** Attachment and Virus quarantines can now optionally be filtered by Receiver - especially helpful in larger deployments.<br />
** Display of descriptions for locally defined SpamAssassin rules.<br />
** Fix displaying the quarantine interface on narrow screens: Part of the action buttons were cut off and not reachable through scrolling.<br />
<br />
* Enhancements in the web interface (GUI):<br />
** The Postfix queue interface now displays the mail's headers in a decoded way - so that you see it as in your mail user agent.<br />
** The Statistic time selector now does not show non-existent day/month combinations (e.g. the 31. Day of February).<br />
** Better spacing of the Field labels in the rule object edit windows.<br />
** Improved translations, among others:<br />
*** Dutch<br />
*** German<br />
*** Italian<br />
*** Polish<br />
*** Traditional Chinese<br />
*** Turkish<br />
<br />
* Support Proxmox Offline Mirroring & Subscription Handling<br />
** Proxmox Offline Mirror: The tool supports subscriptions and repository mirrors for air-gapped systems. The newly added [https://pom.proxmox.com proxmox-offline-mirror] utility can now be used to keep Proxmox Mail Gateway hosts without access to the public internet up-to-date and running with a valid subscription.<br />
<br />
* Notable General Improvements and Bugfixes:<br />
** Add IP networks uniquely to template variables (<code>postfix.mynetworks</code>)<br />
*: If you had multiple entries in your transport directory, all pointing to the same host, they were added multiple times to the variable used in the configuration system.<br />
** Support for Proxmox Backup Server Namespaces.<br />
** Spam report emails now correctly display the <code>From</code> header, even if it contains a comma (e.g. <code>"Lastname, Firstname" <firstname.lastname@domain.example></code>).<br />
** The left-over config file <code>/etc/apt/apt.conf.d/75pmgconf</code> was removed, enabling the automatic removal of obsolete kernel packages, which can take up significant amounts of space.<br />
** SpamAssassin updates now handle updates to multiple channels correctly on the first run.<br />
** Improved parsing of email attributes from LDAP profiles.<br />
** Changing the directory to '/' before running <code>psql</code> as the <code>postgres</code> user - preventing the printing of harmless but confusing warnings with various Proxmox Mail Gateway CLI utilities.<br />
** Support disabling TLS 1.2 and configuring TLS 1.3 ciphers for <code>pmgproxy</code> - following the change for <code>pveproxy</code> in Proxmox VE.<br />
'''Upgrade from 6.4'''<br />
<br />
See [[Upgrade from 6.x to 7.0]]<br />
== Proxmox Mail Gateway 7.1 ==<br />
'''Released 30. November 2021'''<br />
* Based on Debian Bullseye (11.1)<br />
* Kernel 5.13<br />
* ZFS 2.1<br />
* SpamAssassin 3.4.6 (with updated rule-set)<br />
* PostgreSQL 13.5<br />
<br />
'''Changelog Overview'''<br />
<br />
* Enhancements in the web interface (GUI)<br />
** Improved configuration editing of LDAP backends: Changes can now be applied without having to specify a password.<br />
** The APT repository configuration, rather than being restricted to 'root', is now visible and editable by all users with 'Administrator' privileges.<br />
** Improved translations, among others:<br />
*** Arabic<br />
*** Basque<br />
*** Brazilian Portuguese<br />
*** French<br />
*** German<br />
*** Simplified Chinese<br />
*** Traditional Chinese<br />
*** Turkish<br />
<br />
* Two-Factor Authentication<br />
** Two-factor authentication (TFA) for the web interface. Shares the TFA implementation from Proxmox Backup Server, written in Rust.<br />
** Support for multiple types of second factors:<br />
*** WebAuthn, which supports a wide range of security devices, like hardware keys or trusted platform modules.<br />
*** Time-based One-Time Password (TOTP), a short code derived from a shared secret and the current time; it changes every 30 seconds.<br />
*** Single use Recovery Keys.<br />
<br />
* Backend and API<br />
** Improved support for setups using DHCP for their network configuration:<br />
*: While email still requires working DNS records, you can now manage and configure the IP of your Proxmox Mail Gateway in your DHCP configuration.<br />
** When adding a new entry to a Who object, a duplicate check is performed before saving.<br />
** Better handling of trailing dot in domain-names:<br />
*: Proxmox Mail Gateway uses the first search domain from <code>/etc/resolv.conf</code> as domain name - it can now handle entries with a trailing dot.<br />
** Delivery status notification (DSN, RFC 3461) support for outbound email with enabled before-queue filtering.<br />
'''Upgrade from 6.4'''<br />
<br />
See [[Upgrade from 6.x to 7.0]]<br />
<br />
== Proxmox Mail Gateway 7.0 ==<br />
'''Released 15. July 2021'''<br />
* Based on Debian Bullseye (11)<br />
* SpamAssassin 3.4.6 (with updated rule-set)<br />
* Kernel 5.11<br />
* PostgreSQL 13<br />
<br />
'''Changelog Overview'''<br />
<br />
* Enhancements in the web interface (GUI)<br />
** Make dashboard status panel more detailed, showing, among other things, uptime, kernel version, CPU info and a high level repository status overview.<br />
** New APT repository management panel in the <code>Administration</code> tab shows an in-depth status and a list of all configured repositories.<br />
**: Basic repository management, for example, activating or deactivating a repository, is also supported.<br />
** Updated ExtJS JavaScript framework to latest GPL release 7.0<br />
** Added advanced task-log filtering<br />
** Improved translations, including:<br />
*** Arabic<br />
*** French<br />
*** German<br />
*** Japanese<br />
*** Polish<br />
*** Turkish<br />
<br />
* ACME/Let's Encrypt<br />
** Support the use of wildcard domains with the DNS plugins<br />
** API: nodeconfig: validate ACME config before writing<br />
<br />
* API<br />
** pmgproxy: allow setting LISTEN_IP parameter<br />
** The "Authentication mode" setting of <code>LDAP</code> for the quarantine interface no longer contains the ticket-link in the report-mails - thus, quarantine users need to provide their LDAP credentials to access the quarantine.<br />
<br />
* Installer:<br />
** Rework the installer environment to use <code>switch_root</code> instead of <code>chroot</code>, when transitioning from initrd to the actual installer.<br />
**: This improves module and firmware loading, and slightly reduces memory usage during installation.<br />
** Automatically detect HiDPI screens, and increase console font and GUI scaling accordingly. This improves UX for workstations with Proxmox VE (for example, for passthrough).<br />
** Improve ISO detection:<br />
*** Support ISOs backed by devices using USB Attached SCSI (UAS), which modern USB3 flash drives often do.<br />
*** Linearly increase the delay of subsequent scans for a device with an ISO image, bringing the total check time from 20s to 45s. This allows for the detection of very slow devices, while continuing faster in general.<br />
** Use <code>zstd</code> compression for the initrd image and the squashfs images.<br />
** Update to busybox 1.33.1 as the core-utils provider.<br />
<br />
* libarchive-perl<br />
** The perl-bindings to <code>libarchive</code> have been updated to match <code>libarchive</code> version 3.4.3 (shipped in Debian Bullseye) - the library interface was kept backwards-compatible<br />
<br />
* libxdgmime-perl<br />
** The perl-bindings to [https://gitlab.freedesktop.org/xdg/xdgmime xdgmime] have been updated to match current upstream - the library interface was kept backwards-compatible<br />
<br />
<div id="7.0-breaking-changes"></div><br />
'''Breaking Changes'''<br />
* New default bind address for pmgproxy, unifying the default behavior with Proxmox VE and Proxmox Backup Server<br />
** In making the LISTEN_IP configurable, the daemon now binds to both wildcard addresses (IPv4 <code>0.0.0.0:8006</code> and IPv6 <code>[::]:8006</code>) by default.<br />
*: Should you wish to prevent it from listening on IPv6, simply configure the IPv4 wildcard as LISTEN_IP in <code>/etc/default/pmgproxy</code>:<br />
*: <code>LISTEN_IP="0.0.0.0"</code><br />
** Additionally, the logged IP address format changed for IPv4 in pmgproxy's access log (<code>/var/log/pmgproxy/pmgproxy.log</code>). They are now logged as IPv4-mapped IPv6 addresses. Instead of:<br />
*: <code>192.0.2.1- root@pam [01/06/2021:01:19:03 +0200] "GET /api2/json/config/ruledb/digest HTTP/1.1" 200 51</code><br />
*: the line now looks like:<br />
*: <code>::ffff:192.0.2.1- root@pam [01/06/2021:01:19:03 +0200] "GET /api2/json/config/ruledb/digest HTTP/1.1" 200 51</code><br />
*:If you want to restore the old logging format, also set <code>LISTEN_IP="0.0.0.0"</code><br />
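For log pipelines that read <code>/var/log/pmgproxy/pmgproxy.log</code> across the upgrade, the following added example (not Proxmox code) parses both address forms shown above and folds IPv4-mapped IPv6 clients back to plain IPv4, so per-client counts and allowlists keep matching. The function names are hypothetical, the line layout is inferred from the two sample lines in these notes, and the extra sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Layout inferred from the sample lines in the release notes:
#   client "-" user [timestamp] "request" status size
# The space between client and "-" is optional because the samples omit it.
LINE_RE = re.compile(
    r'^(?P<client>\S+?)\s*-\s+(?P<user>\S+)\s+\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<request>[^"]*)"\s+(?P<status>\d{3})\s+(?P<size>\d+|-)\s*$'
)


def normalize_client(raw):
    """Return a canonical address string; ::ffff:a.b.c.d becomes a.b.c.d."""
    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:
        return raw  # not an IP literal, keep whatever was logged
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["client_raw"] = rec["client"]          # keep the logged form for audit
    rec["client"] = normalize_client(rec["client"])
    rec["status"] = int(rec["status"])
    return rec


def requests_per_client(lines):
    """Count requests per normalized client; also report unparseable lines."""
    counts = Counter()
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        counts[rec["client"]] += 1
    return counts, skipped


# First two lines are the samples from the release notes; the rest are constructed.
SAMPLE_LINES = [
    '192.0.2.1- root@pam [01/06/2021:01:19:03 +0200] "GET /api2/json/config/ruledb/digest HTTP/1.1" 200 51',
    '::ffff:192.0.2.1- root@pam [01/06/2021:01:19:03 +0200] "GET /api2/json/config/ruledb/digest HTTP/1.1" 200 51',
    '2001:db8::10 - admin@pmg [02/06/2021:09:00:00 +0200] "GET /api2/json/config/ruledb/digest HTTP/1.1" 200 51',
    '::ffff:198.51.100.7 - - [02/06/2021:09:00:05 +0200] "GET /api2/json/config/ruledb/digest HTTP/1.1" 401 0',
    'this is not an access log line',
]

if __name__ == "__main__":
    counts, skipped = requests_per_client(SAMPLE_LINES)
    for client, n in sorted(counts.items()):
        print(f"{client}\t{n}")
    print(f"skipped\t{skipped}")
```

Keeping <code>client_raw</code> alongside the normalized value lets you still tell from the parsed record which format the daemon wrote.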
<br />
* ClamAV has [https://blog.clamav.net/2021/04/are-you-still-attempting-to-download.html deprecated the SafeBrowsing feature]:<br />
** These options have been removed from the shipped <code>freshclam.conf.in</code> template.<br />
** The <code>safebrowsing</code> config key in <code>/etc/pmg/pmg.conf</code> is currently ignored and will be dropped at some point in the future.<br />
<br />
* Changes to the database layout:<br />
** The <code>host</code> column of the <code>cgreylist</code> table, which has not been used since Proxmox Mail Gateway 6.2, has been dropped from the schema and will be dropped from existing databases during the upgrade.<br />
<br />
* API deprecations, moves and removals<br />
** The <code>upgrade</code> parameter of the <code>/nodes/{node}/termproxy</code> API method has been replaced by providing <code>upgrade</code> as <code>cmd</code> parameter.<br />
** The <code>domain</code> parameter of the <code>/config/tlspolicy</code> API method has been replaced by the <code>destination</code> parameter.<br />
** The <code>/quarantine/whitelist/{address}</code> and <code>/quarantine/blacklist/{address}</code> API methods, that take the address as part of the path, have been deprecated in favor of explicitly providing the parameter in the request to <code>/quarantine/whitelist</code> and <code>/quarantine/blacklist</code> respectively.<br />
** The API methods for detailed statistics per e-mail address, which take the address as part of the path (<code>/statistics/contact/{contact}</code>, <code>/statistics/sender/{sender}</code> and <code>/statistics/receiver/{receiver}</code>), have been deprecated in favor of <code>/statistics/detail</code>, which takes the address as an explicit parameter.<br />
<br />
<div id="7.0-known-issues"></div><br />
'''Known Issues'''<br />
* '''Network''': Due to the updated systemd version, and for most upgrades, the newer kernel version (5.4 to 5.11), some network interfaces might change upon reboot:<br />
** Some may change their name. For example, due to newly supported functions, a change from <code>enp33s0f0</code> to <code>enp33s0f0np0</code> could occur.<br />
**: We observed such changes with high-speed Mellanox models.<br />
** [https://sources.debian.org/src/bridge-utils/1.7-1/debian/NEWS/#L3-L23 Bridge MAC address selection has changed in Debian Bullseye] - it is now generated based on the interface name and the <code>machine-id (5)</code> of the system.<br />
**: Note that by default, Proxmox Mail Gateway does not use a Linux Bridge for networking, so most setups are unaffected.<br />
* '''Machine-id''': Systems installed using the Proxmox Mail Gateway 5.0 to 5.4 ISO may have a non-unique machine-id. These systems will have their machine-id re-generated automatically on upgrade, to avoid a potentially duplicated bridge MAC and other issues.<br />
: If you do the upgrade remotely, make sure you have a backup method of connecting to the host (for example, IPMI/iKVM, tiny-pilot, another network accessible by a cluster node, or physical access), in case the network used for SSH access becomes unreachable, due to the network failing to come up after a reboot.<br />
<br />
'''Upgrade from 6.4'''<br />
<br />
See [[Upgrade from 6.x to 7.0]]<br />
<br />
==Proxmox Mail Gateway 6.4==<br />
'''Released 30. March 2021'''<br />
* Based on Debian Buster (10.9)<br />
* SpamAssassin 3.4.5 (with updated ruleset)<br />
* Kernel 5.4.106<br />
* ACME integration<br />
** Proxmox Mail Gateway now offers full integration of the ACME protocol via the GUI, enabling administrators to create valid and trusted certificates for their domains with the Let's Encrypt certificate authority, in the same way as with Proxmox VE.<br />
** Full support for the <code>http-01</code> and <code>dns-01</code> challenges, with all plugins from [https://github.com/acmesh-official/acme.sh acme.sh].<br />
** Easily configurable from the GUI.<br />
* General Certificate Management via the GUI<br />
** It is now possible to upload custom certificates from the web interface, or set up a cluster-wide ACME account to automatically get and renew certificates from an ACME provider.<br />
* Support for external SpamAssassin update channels (regular automated updates).<br />
** By providing a short configuration file containing a SpamAssassin rule channel's URL and GPG key, Proxmox Mail Gateway will now fetch verified updates from that channel, along with the updates from updates.spamassassin.org.<br />
** The KAM ruleset channel is now available, and a suitable configuration file is shipped with <code>proxmox-spamassassin</code>.<br />
* Improved Quarantine Management<br />
** The admin view of the Spam Quarantine can now display quarantined mail of all users at once.<br />
** All Quarantine views (admin and user) allow you to filter for subject or sender.<br />
** The spam quarantine can now process huge amounts of mails at once (> 3200).<br />
* TLS-logging improvements to the Tracking Center<br />
** The Tracking Center now shows when an outbound connection is established over TLS.<br />
* Enhancements to the Integration of Proxmox Backup Server<br />
** It is now possible to get notified about the result of a scheduled backup to a configured Proxmox Backup Server Remote.<br />
** Inclusion of the (potentially large) statistics database is now configurable per Remote.<br />
* Notable Bugfixes:<br />
** Support for '/' in the local part of an e-mail address (quarantine and statistics view).<br />
<br />
==Proxmox Mail Gateway 6.3==<br />
'''Released 19. November 2020'''<br />
<br />
* Based on Debian Buster (10.6)<br />
* Updated SpamAssassin rules<br />
* Kernel 5.4.73<br />
* Proxmox Backup Server Integration<br/>Proxmox Mail Gateway is fully supported by the new Proxmox Backup Server 1.0, released on November 11, 2020:<br />
** Backing up to multiple remote backup servers: You can define multiple remote instances of Proxmox Backup Server to store backups on. In case of a large-scale disaster, they can be quickly restored.<br />
** Scheduled Backups: You can schedule regular backups via the GUI, which will then be automatically triggered by a systemd-timer unit. This removes the need for manual backup creation and individual, scripted solutions.<br />
* Quarantine Link via login-page<br />Users can request mails containing a link to their quarantine view, if enabled by the Admin. This enables users to edit their individual blocklists, even if no mails are in their quarantine. Until now this was only possible for sites using LDAP.<br />
* Improvements to the Tracking Center<br />To further improve user experience in the tracking center, pmg-log-tracker handles certain cases better:<br />
** The case sensitivity has been removed from the search box.<br />
** In case the pmg-smtp-filter fails to process emails due to misconfiguration, they are now marked as rejected.<br />
* Notable Bugfixes:<br />
** DKIM signing now uses the longest matching domain for the 'd=' tag.<br />
** Mails held in the Attachment Quarantine are assigned a new Message-ID - fixing interoperability with certain downstream servers (for example, MS Exchange), which silently discard messages with duplicate Message-IDs.<br />
<br />
==Proxmox Mail Gateway 6.2==<br />
'''Released 28. April 2020'''<br />
<br />
* Based on Debian Buster (10.3)<br />
** Proxmox Mail Gateway is based on the latest stable release of Debian 10.3 (Buster).<br />
* SpamAssassin 3.4.4<br />
** Proxmox ships the latest upstream release of Apache SpamAssassin with an updated and enhanced ruleset (KAM rules added)<br />
* Kernel 5.4<br />
** Proxmox Mail Gateway shares the kernel with Proxmox VE and is based on the 5.4 series from Ubuntu 20.04<br />
* pmg-log-tracker in Rust<br />
** <code>pmg-log-tracker</code> has been extended and reimplemented in the Rust programming language. <code>pmg-log-tracker</code> is the binary at the core of the Message Tracking Center, providing live searchable and grouped logs in the GUI.<br />
** The new <code>pmg-log-tracker</code> has support for parsing and grouping logs in before-queue filtering mode.<br />
** The refresh of the code base of <code>pmg-log-tracker</code> provides optimized performance and more stability.<br />
<br />
* Support for before-queue filtering in the GUI<br />
** With the added support for displaying before-queue filtering logs in the GUI and fixing some minor glitches in that area, the before-queue filtering can now be comfortably enabled in the GUI.<br />
<br />
* Improved IPv6 support<br />
** The Mail Proxy's SPF checker also verifies SPF records for those remote mail servers connecting via IPv6. <br />
** Greylisting support for IPv6 addresses (with variable netmask, defaulting to '/64') - needs to be explicitly enabled.<br />
** Who objects containing IPv6 literal addresses now work.<br />
<br />
* Customizable netmask length for greylist matching<br />
** Instead of fixing a greylist network to a '/24' the administrator can now configure which hosts should be considered as belonging to the same network by setting a larger (or smaller) prefix.<br />
** This can help with receiving mail from some cloud providers, who send out one mail from different IP addresses within a large network, which usually leads to a rather long delay and sometimes even to a legitimate mail being rejected.<br />
** Due to the changed database layout partial upgrades of clusters will prevent nodes running the older version from syncing the greylist database until they are upgraded.<br />
<br />
* Better UX for the User Spam Quarantine interface<br />
** If selected in the Quarantine view, the From header and the Subject are now displayed on top of the mail body.<br />
** It is now possible to delete mail addresses containing certain special characters (for example '/') from a user's black- or whitelist.<br />
** Users can set their preferred language directly in the quarantine interface instead of having to log out to change the setting.<br />
** Fixed a bug in the selection of multiple e-mails.<br />
<br />
* Handling of changes to overridden templates with <code>ucf</code><br />
** Starting with this release, all service configuration templates copied and modified in <code>/etc/pmg/templates</code> get registered with <code>ucf</code>. Should an overridden template change with a new package version, the administrator is asked and can accept or reject the changes.<br />
** All users who have templates in <code>/etc/pmg/templates</code> will be asked about the current changes for the initial registration.<br />
<br />
* New What Object: 'Match Archive Filename'<br />
** In addition to matching files in archives (zip, tar.gz, rar,...) based on the file's content-type, it is also possible to look for particular filename patterns inside of archives.<br />
** This completes the feature matrix of matching files based on content-type or filename, as plain attachments, or inside archives.<br />
<br />
* Support for downstream LMTP servers<br />
** In certain setups there is no advantage in having a dedicated SMTP server for receiving e-mails from Proxmox Mail Gateway, since all used functionality is provided by an MTA, which speaks IMAP and LMTP (e.g., Dovecot).<br />
** It is now possible to configure Proxmox Mail Gateway to send e-mails directly to an LMTP relay, both as default transport and only as transport for certain domains.<br />
<br />
* Improvements to recently added features<br />
** Before-queue filtering and DKIM signing, both implemented with Proxmox Mail Gateway 6.1, have a better user experience and are considered stable now.<br />
** Some remaining glitches and bugs fixed for both. <br />
** DKIM selector handling can handle the existence of multiple selectors and in the GUI, users can comfortably switch between the active selector.<br />
<br />
* TLS policy selection for internal downstream servers<br />
** It is now possible to specify a desired level of encryption and authentication for the opportunistic TLS-encryption (STARTTLS) for downstream servers entered in your transports.<br />
** This can help to ensure that your internal communication is not sent in the clear over the network. It can also be used to work around broken TLS implementations in legacy downstream servers.<br />
<br />
* Improvements to general usability<br />
** The unbounded growth of the Quarantine disk usage for non-master nodes in clustered setups is fixed.<br />
** It's now possible to switch to incremental updates of the AV signatures for ClamAV via GUI, alleviating the problem that both methods fail in certain cases for some users.<br />
==Proxmox Mail Gateway 6.1==<br />
'''Released 27. November 2019'''<br />
<br />
* Based on Debian Buster (10.2)<br />
** Proxmox Mail Gateway is based on the latest stable release of Debian 10.2 (Buster).<br />
* Updated SpamAssassin rules<br />
* Kernel 5.3<br />
** Proxmox Mail Gateway shares the kernel with Proxmox VE and is based on the 5.3 series from Ubuntu 19.10<br />
<br />
* DKIM-Signing<br />
** Support for adding DomainKeys Identified Mail (DKIM) Signatures (RFC 6376) to outbound emails<br />
** Configuration via GUI<br />
** Signing happens after processing the email with the rule system, thus ensuring that it leaves the Proxmox Mail Gateway with a valid signature<br />
** Flexible control of which domains should get signed with sensible defaults (the relay domains)<br />
** Inside a cluster, one common selector minimizes the overhead for adding required DNS entries<br />
<br />
* Attachment Quarantine<br />
** The <code>Remove Attachments</code> action can now optionally deliver the complete email to the Attachment Quarantine<br />
** The Attachment Quarantine offers a comfortable GUI for selectively downloading parts of the email for further analysis, or delivering the mail to the original recipient<br />
** Accessible only by the administrators, it offers safety from accidentally opening malicious executables, doc-files, and other attachments infected with malware<br />
<br />
* Adjustable SpamAssassin Rule Scores via GUI<br />
** Adapt the scores of individual SpamAssassin rules directly in the GUI<br />
** Enables you to adapt the scoring to your environment, thus achieving better ham/spam detection rates<br />
** Mostly for adding a bit of weight to rules, which are good indicators for Spam in your environment<br />
** Selectively disable Rules, which cause false positives for your environment<br />
<br />
* Improved handling of Configuration and Rule changes in clustered environments<br />
** The Filtering Engine gets notified about a range of configuration changes which require a reload<br />
** The notification is propagated during the cluster sync<br />
** This reduces the situations where you had to manually restart <code>pmg-smtp-filter</code><br />
<br />
* Experimental Support for Before Queue filtering<br />
** Proxmox Mail Gateway can now optionally reject an email during the SMTP dialogue, instead of accepting it and silently discarding unwanted email<br />
** This is a requirement in certain situations<br />
** By answering with a permanent failure code (<code>554</code>), there is no need to generate a Non-Delivery Report, which could cause your system to get blacklisted, due to Backscatter<br />
** Currently incompatible with the Tracking Center, thus needs to be explicitly enabled in <code>/etc/pmg/pmg.conf</code><br />
<br />
* Improvements to general usability<br />
** Clarification of ambiguously used terms in the GUI and documentation<br />
** More detailed documentation of the Service Configuration Templates<br />
** Downloading of emails larger than 2 MB as <nowiki>eml</nowiki> from the Spam Quarantine now works<br />
** API-Viewer now usable from inside every running PMG installation at https://pmg.local:8006/api-viewer/index.html or just online via https://pmg.proxmox.com/pmg-docs/api-viewer/index.html<br />
<br />
==Proxmox Mail Gateway 6.0==<br />
'''Released 27. August 2019'''<br />
<br />
*Proxmox Mail Gateway is based on the latest stable release of Debian 10.0 (Buster)<br />
*This major version update provides an easy to follow step-by-step upgrade path - https://pmg.proxmox.com/wiki/index.php/Upgrade_from_5.x_to_6.0<br />
*Rule name logging - each final action now logs the name of the rule which triggered it to the system log<br />
*The system logs get displayed faster in the GUI because they now use the Proxmox `mini-journalreader` instead of `journalctl`<br />
*ClamAV 0.101.4 (fix for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934359)<br />
*Postgres 11 (new major version backing the rule system)<br />
*OpenSSL 1.1.1c with support for TLS 1.3<br />
*Updated shipped SpamAssassin Ruleset<br />
*Countless bugfixes and improvements in the GUI labels<br />
<br />
==Proxmox Mail Gateway 5.2==<br />
'''Released 20. March 2019'''<br />
<br />
*Mobile Quarantine Interface<br />
**based on the small and modern framework7<br />
**Deliver/Delete/Whitelist/Blacklist mails in your Quarantine from your mobile device<br />
*Improvements in the LDAP integration<br />
**allow the use of FQDNs instead of IPs in the WebUI<br />
**add support for certificate verification (and enable it for new deployments)<br />
**add support for LDAP+starttls<br />
*PMG-Appliance template<br />
**Install PMG as an (unprivileged) Linux Container (e.g. in PVE)<br />
**Introduces the new 'proxmox-mailgateway-container' metapackage, which does not depend on a kernel, and results in a vastly reduced size (and fewer updates)<br />
*Improvements in Logging<br />
**pmg-smtp-filter now logs each SA rule's score in addition to the rule names - simplifying the analysis of the spam filter's performance without the need to access the mail's source<br />
*Improvements in the WebUI's TLS configuration<br />
**pmgproxy can now be configured via '/etc/default/pmgproxy' to disable/enable certain ciphers, compression, cipher selection preference.<br />
*new command: `pmg-system-report`<br />
**Provides an overview of key characteristics of PMG's setup and performance<br />
**Improves the initial diagnosis for our Enterprise support<br />
*.eml download from the (non-mobile) Quarantine Interface<br />
**Lets you download the complete source of a quarantined message in .eml format for further analysis<br />
*Add support for custom checks<br />
**Enable users to integrate their own custom check logic by providing a defined interface, which can optionally be enabled, and runs a custom check before the mail gets handed to the virus scanner and rule system.<br />
*Improvements of Blacklist/Whitelist handling in the Quarantine Interface<br />
**multiselect for removing multiple entries at once<br />
*proxmox-spamassassin<br />
**Update the shipped rulesets<br />
*PMG-Cluster: full IPv6 support<br />
*ISO works on Citrix XenServer<br />
*Documentation available via https://pmg.proxmox.com/pmg-docs<br />
*Bugfixes<br />
<br />
==Proxmox Mail Gateway 5.1==<br />
'''Released 05. October 2018'''<br />
<br />
*Allow configuring the TLS policy via the GUI<br />
*New 'helpdesk' role<br />
*Support SMTPUTF8 protocol feature<br />
*GUI improvements<br />
*Update Debian Stretch 9.5<br />
*Update kernel to 4.15<br />
*Bugfixes<br />
<br />
==Proxmox Mail Gateway 5.0==<br />
'''Released 23. January 2018'''<br />
<br />
*Fully licensed under the open source license AGPL<br />
*Based on Debian Stretch 9.3 with a 4.13.13 kernel<br />
*ISO installer supports all ZFS raid levels<br />
*ExtJS based user interface<br />
*New API<br />
*Integrated documentation<br />
*Subscription-based enterprise support options (similar to the Proxmox VE support subscription model)<br />
*Bug fixes<br />
<br />
== Old Releases ==<br />
*Proxmox Mail Gateway 4.1<br />
*Proxmox Mail Gateway 4.0<br />
*Proxmox Mail Gateway 3.1<br />
*Proxmox Mail Gateway 3.0<br />
*Proxmox Mail Gateway 2.6<br />
*Proxmox Mail Gateway 2.5<br />
*Proxmox Mail Gateway 2.4<br />
*Proxmox Mail Gateway 2.3<br />
*Proxmox Mail Gateway 2.2<br />
*Proxmox Mail Gateway 2.1<br />
*Proxmox Mail Gateway 2.0<br />
*Proxmox Mail Gateway 1.7<br />
*Proxmox Mail Gateway 1.6<br />
*Proxmox Mail Gateway 1.5<br />
*Proxmox Mail Gateway 1.4<br />
*Proxmox Mail Gateway 1.3<br />
*Proxmox Mail Gateway 1.2<br />
*Proxmox Mail Gateway 1.1<br />
*Proxmox Mail Gateway 1.0 (April 2005)</div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=Roadmap&diff=100Roadmap2022-11-30T10:20:43Z<p>Martin: Proxmox Mail Gateway 7.2 release</p>
<hr />
<div>=Roadmap=<br />
*SpamAssassin 4<br />
*Continuous security and bug fix updates<br />
=Release History=<br />
See also [https://forum.proxmox.com/forums/announcements.7/ Announcement forum]<br />
== Proxmox Mail Gateway 7.2 ==<br />
'''Released 30. November 2022'''<br />
<br />
* Based on Debian Bullseye (11.5)<br />
* Latest 5.15 Kernel as stable default (5.15.74)<br />
* Newer 5.19 kernel as opt-in<br />
* ZFS 2.1.6<br />
* SpamAssassin 3.4.6 (with updated rule-set)<br />
* PostgreSQL 13.8<br />
<br />
'''Changelog Overview'''<br />
<br />
* Enhancements in the Rule system:<br />
** Improved handling of international emails<br />
*** Support for UTF-8 characters in the rule system (e.g. matching non-ASCII subjects).<br />
*** Better handling of [https://www.rfc-editor.org/rfc/rfc6531 SMTPUTF8 emails] (the SMTP dialogue already contains non-ASCII data, and the headers contain UTF-8 data without MIME encoding).<br />
** Proper encoding for template-variable information in the Notifications and Modify Field actions.<br />
** MatchField now matches all occurrences of a header - not only the first one - especially relevant for <code>Received</code> headers.<br />
** Deprecated the <code>Attach</code>, <code>Counter</code> and <code>ReportSpam</code> Actions.<br />
*: While they were present in the code of Proxmox Mail Gateway, they were never exposed in the GUI or API.<br />
*: All three have now been deprecated and will be removed with version 8.0.<br />
<br />
* Improved Quarantine UX:<br />
** Quarantine interface for Administrators: many of the recent features for end-users in the Spam Quarantine have been ported to the administrator view:<br />
*** Allow selection of multiple mails.<br />
*** Context menu in the mail-listing.<br />
*** Display the Receiver information in the Attachment and Virus quarantines and the Mail Info widget.<br />
** Augmented the information visualization in the Spam information grid.<br />
*** The weight (number of points) and the type of impact (positive or negative) of SpamAssassin rules are now shown with colors and font-weights to make them easier to grasp.<br />
*** The rule IDs and scores are using a monospaced font for better comparison of values.<br />
** Colorized <code>Deliver</code> and <code>Delete</code> actions improve intuitive handling of the common actions.<br />
** Display of attachments in the Spam and Virus quarantines (for a more complete overview of the mail).<br />
** Attachment and Virus quarantines can now optionally be filtered by Receiver - especially helpful in larger deployments.<br />
** Display of descriptions for locally defined SpamAssassin rules.<br />
** Fix displaying the quarantine interface on narrow screens: Some of the action buttons were cut off and not reachable through scrolling.<br />
<br />
* Enhancements in the web interface (GUI):<br />
** The Postfix queue interface now displays the mail's headers in a decoded way - so that you see it as in your mail user agent.<br />
** The Statistic time selector no longer shows non-existent day/month combinations (e.g. the 31st of February).<br />
** Better spacing of the Field labels in the rule object edit windows.<br />
** Improved translations, among others:<br />
*** Dutch<br />
*** German<br />
*** Italian<br />
*** Polish<br />
*** Traditional Chinese<br />
*** Turkish<br />
<br />
* Support Proxmox Offline Mirroring & Subscription Handling<br />
** Proxmox Offline Mirror: The tool supports subscriptions and repository mirrors for air-gapped systems. The newly added [https://pom.proxmox.com proxmox-offline-mirror] utility can now be used to keep Proxmox Mail Gateway hosts without access to the public internet up to date and running with a valid subscription.<br />
<br />
* Notable General Improvements and Bugfixes:<br />
** Add IP networks uniquely to template variables (<code>postfix.mynetworks</code>)<br />
*: If you had multiple entries in your transport directory, all pointing to the same host, they were added multiple times to the variable used in the configuration system.<br />
** Support for Proxmox Backup Server Namespaces.<br />
** Spam report emails now correctly display the <code>From</code> header, even if it contains a comma (e.g. <code>"Lastname, Firstname" <firstname.lastname@domain.example></code>).<br />
** The left-over config file <code>/etc/apt/apt.conf.d/75pmgconf</code> was removed, enabling the automatic removal of obsolete kernel packages, which can take up significant amounts of space.<br />
** SpamAssassin updates now handle updates to multiple channels correctly on the first run.<br />
** Improved parsing of email attributes from LDAP profiles.<br />
** Changing the directory to '/' before running <code>psql</code> as the <code>postgres</code> user - preventing the printing of harmless but confusing warnings with various Proxmox Mail Gateway CLI utilities.<br />
** Support disabling TLS 1.2 and configuring TLS 1.3 ciphers for <code>pmgproxy</code> - following the change for <code>pveproxy</code> in Proxmox VE.<br />
<br />
== Proxmox Mail Gateway 7.1 ==<br />
'''Released 30. November 2021'''<br />
* Based on Debian Bullseye (11.1)<br />
* Kernel 5.13<br />
* ZFS 2.1<br />
* SpamAssassin 3.4.6 (with updated rule-set)<br />
* PostgreSQL 13.5<br />
<br />
'''Changelog Overview'''<br />
<br />
* Enhancements in the web interface (GUI)<br />
** Improved configuration editing of LDAP backends: Changes can now be applied without having to specify a password.<br />
** The APT repository configuration, rather than being restricted to 'root', is now visible and editable by all users with 'Administrator' privileges.<br />
** Improved translations, among others:<br />
*** Arabic<br />
*** Basque<br />
*** Brazilian Portuguese<br />
*** French<br />
*** German<br />
*** Simplified Chinese<br />
*** Traditional Chinese<br />
*** Turkish<br />
<br />
* Two-Factor Authentication<br />
** Two-factor authentication (TFA) for the web interface. Shares the TFA implementation from Proxmox Backup Server, written in Rust.<br />
** Support for multiple types of second factors:<br />
*** WebAuthn, which supports a wide range of security devices, like hardware keys or trusted platform modules.<br />
*** Time-based One-Time Password (TOTP), a short code derived from a shared secret and the current time; it changes every 30 seconds.<br />
*** Single use Recovery Keys.<br />
<br />
* Backend and API<br />
** Improved support for setups using DHCP for their network configuration:<br />
*: While email still requires working DNS records, you can now manage and configure the IP of your Proxmox Mail Gateway in your DHCP configuration.<br />
** When adding a new entry to a Who object, a duplicate check is performed before saving.<br />
** Better handling of trailing dot in domain-names:<br />
*: Proxmox Mail Gateway uses the first search domain from <code>/etc/resolv.conf</code> as domain name - it can now handle entries with a trailing dot.<br />
** Delivery status notification (DSN, RFC 3461) support for outbound email with enabled before-queue filtering.<br />
'''Upgrade from 6.4'''<br />
<br />
See [[Upgrade from 6.x to 7.0]]<br />
<br />
== Proxmox Mail Gateway 7.0 ==<br />
'''Released 15. July 2021'''<br />
* Based on Debian Bullseye (11)<br />
* SpamAssassin 3.4.6 (with updated rule-set)<br />
* Kernel 5.11<br />
* PostgreSQL 13<br />
<br />
'''Changelog Overview'''<br />
<br />
* Enhancements in the web interface (GUI)<br />
** Make dashboard status panel more detailed, showing, among other things, uptime, kernel version, CPU info and a high level repository status overview.<br />
** New APT repository management panel in the <code>Administration</code> tab shows an in-depth status and a list of all configured repositories.<br />
**: Basic repository management, for example, activating or deactivating a repository, is also supported.<br />
** Updated ExtJS JavaScript framework to latest GPL release 7.0<br />
** Added advanced task-log filtering<br />
** Improved translations, including:<br />
*** Arabic<br />
*** French<br />
*** German<br />
*** Japanese<br />
*** Polish<br />
*** Turkish<br />
<br />
* ACME/Let's Encrypt<br />
** Support the use of wildcard domains with the DNS plugins<br />
** API: nodeconfig: validate ACME config before writing<br />
<br />
* API<br />
** pmgproxy: allow setting LISTEN_IP parameter<br />
** The "Authentication mode" setting of <code>LDAP</code> for the quarantine interface no longer contains the ticket-link in the report-mails - thus, quarantine users need to provide their LDAP credentials to access the quarantine.<br />
<br />
* Installer:<br />
** Rework the installer environment to use <code>switch_root</code> instead of <code>chroot</code>, when transitioning from initrd to the actual installer.<br />
**: This improves module and firmware loading, and slightly reduces memory usage during installation.<br />
** Automatically detect HiDPI screens, and increase console font and GUI scaling accordingly. This improves UX for workstations with Proxmox VE (for example, for passthrough).<br />
** Improve ISO detection:<br />
*** Support ISOs backed by devices using USB Attached SCSI (UAS), which modern USB3 flash drives often do.<br />
*** Linearly increase the delay of subsequent scans for a device with an ISO image, bringing the total check time from 20s to 45s. This allows for the detection of very slow devices, while continuing faster in general.<br />
** Use <code>zstd</code> compression for the initrd image and the squashfs images.<br />
** Update to busybox 1.33.1 as the core-utils provider.<br />
<br />
* libarchive-perl<br />
** The perl-bindings to <code>libarchive</code> have been updated to match <code>libarchive</code> version 3.4.3 (shipped in Debian Bullseye) - the library interface was kept backwards-compatible<br />
<br />
* libxdgmime-perl<br />
** The perl-bindings to [https://gitlab.freedesktop.org/xdg/xdgmime xdgmime] have been updated to match current upstream - the library interface was kept backwards-compatible<br />
<br />
<div id="7.0-breaking-changes"></div><br />
'''Breaking Changes'''<br />
* New default bind address for pmgproxy, unifying the default behavior with Proxmox VE and Proxmox Backup Server<br />
** In making the LISTEN_IP configurable, the daemon now binds to both wildcard addresses (IPv4 <code>0.0.0.0:8006</code> and IPv6 <code>[::]:8006</code>) by default.<br />
*: Should you wish to prevent it from listening on IPv6, simply configure the IPv4 wildcard as LISTEN_IP in <code>/etc/default/pmgproxy</code>:<br />
*: <code>LISTEN_IP="0.0.0.0"</code><br />
** Additionally, the logged IP address format changed for IPv4 in pmgproxy's access log (<code>/var/log/pmgproxy/pmgproxy.log</code>). They are now logged as IPv4-mapped IPv6 addresses. Instead of:<br />
*: <code>192.0.2.1- root@pam [01/06/2021:01:19:03 +0200] "GET /api2/json/config/ruledb/digest HTTP/1.1" 200 51</code><br />
*: the line now looks like:<br />
*: <code>::ffff:192.0.2.1- root@pam [01/06/2021:01:19:03 +0200] "GET /api2/json/config/ruledb/digest HTTP/1.1" 200 51</code><br />
*:If you want to restore the old logging format, also set <code>LISTEN_IP="0.0.0.0"</code><br />
<br />
* ClamAV has [https://blog.clamav.net/2021/04/are-you-still-attempting-to-download.html deprecated the SafeBrowsing feature]:<br />
** These options have been removed from the shipped <code>freshclam.conf.in</code> template.<br />
** The <code>safebrowsing</code> config key in <code>/etc/pmg/pmg.conf</code> is currently ignored and will be dropped at some point in the future.<br />
<br />
* Changes to the database layout:<br />
** The <code>host</code> column of the <code>cgreylist</code> table, which has not been used since Proxmox Mail Gateway 6.2, has been dropped from the schema and will be dropped from existing databases during the upgrade.<br />
<br />
* API deprecations, moves and removals<br />
** The <code>upgrade</code> parameter of the <code>/nodes/{node}/termproxy</code> API method has been replaced by providing <code>upgrade</code> as <code>cmd</code> parameter.<br />
** The <code>domain</code> parameter of the <code>/config/tlspolicy</code> API method has been replaced by the <code>destination</code> parameter.<br />
** The <code>/quarantine/whitelist/{address}</code> and <code>/quarantine/blacklist/{address}</code> API methods, that take the address as part of the path, have been deprecated in favor of explicitly providing the parameter in the request to <code>/quarantine/whitelist</code> and <code>/quarantine/blacklist</code> respectively.<br />
** The API methods for detailed statistics per e-mail address, which take the address as part of the path (<code>/statistics/contact/{contact}</code>, <code>/statistics/sender/{sender}</code> and <code>/statistics/receiver/{receiver}</code>), have been deprecated in favor of <code>/statistics/detail</code>, which takes the address as an explicit parameter.<br />
<br />
<div id="7.0-known-issues"></div><br />
'''Known Issues'''<br />
* '''Network''': Due to the updated systemd version, and for most upgrades, the newer kernel version (5.4 to 5.11), some network interfaces might change upon reboot:<br />
** Some may change their name. For example, due to newly supported functions, a change from <code>enp33s0f0</code> to <code>enp33s0f0np0</code> could occur.<br />
**: We observed such changes with high-speed Mellanox models.<br />
** [https://sources.debian.org/src/bridge-utils/1.7-1/debian/NEWS/#L3-L23 Bridge MAC address selection has changed in Debian Bullseye] - it is now generated based on the interface name and the <code>machine-id (5)</code> of the system.<br />
**: Note that by default, Proxmox Mail Gateway does not use a Linux Bridge for networking, so most setups are unaffected.<br />
* '''Machine-id''': Systems installed using the Proxmox Mail Gateway 5.0 to 5.4 ISO may have a non-unique machine-id. These systems will have their machine-id re-generated automatically on upgrade, to avoid a potentially duplicated bridge MAC and other issues.<br />
: If you do the upgrade remotely, make sure you have a backup method of connecting to the host (for example, IPMI/iKVM, tiny-pilot, another network accessible by a cluster node, or physical access), in case the network used for SSH access becomes unreachable, due to the network failing to come up after a reboot.<br />
<br />
'''Upgrade from 6.4'''<br />
<br />
See [[Upgrade from 6.x to 7.0]]<br />
<br />
==Proxmox Mail Gateway 6.4==<br />
'''Released 30. March 2021'''<br />
* Based on Debian Buster (10.9)<br />
* SpamAssassin 3.4.5 (with updated ruleset)<br />
* Kernel 5.4.106<br />
* ACME integration<br />
** Proxmox Mail Gateway now offers full integration of the ACME protocol via the GUI, enabling administrators to create valid and trusted certificates for their domains with the Let's Encrypt certificate authority, in the same way as with Proxmox VE.<br />
** Full support for the <code>http-01</code> and <code>dns-01</code> challenges, with all plugins from [https://github.com/acmesh-official/acme.sh acme.sh].<br />
** Easily configurable from the GUI.<br />
* General Certificate Management via the GUI<br />
** It is now possible to upload custom certificates from the web interface, or set up a cluster-wide ACME account to automatically get and renew certificates from an ACME provider.<br />
* Support for external SpamAssassin update channels (regular automated updates).<br />
** By providing a short configuration file containing a SpamAssassin rule channel's URL and GPG key, Proxmox Mail Gateway will now fetch verified updates from that channel, along with the updates from updates.spamassassin.org.<br />
** The KAM ruleset channel is now available, and a suitable configuration file is shipped with <code>proxmox-spamassassin</code>.<br />
* Improved Quarantine Management<br />
** The admin view of the Spam Quarantine can now display quarantined mail of all users at once.<br />
** All Quarantine views (admin and user) allow you to filter for subject or sender.<br />
** The spam quarantine can now process huge amounts of mails at once (> 3200).<br />
* TLS-logging improvements to the Tracking Center<br />
** The Tracking Center now shows when an outbound connection is established over TLS.<br />
* Enhancements to the Integration of Proxmox Backup Server<br />
** It is now possible to get notified about the result of a scheduled backup to a configured Proxmox Backup Server Remote.<br />
** Inclusion of the (potentially large) statistics database is now configurable per Remote.<br />
* Notable Bugfixes:<br />
** Support for '/' in the local part of an e-mail address (quarantine and statistics view).<br />
<br />
==Proxmox Mail Gateway 6.3==<br />
'''Released 19. November 2020'''<br />
<br />
* Based on Debian Buster (10.6)<br />
* Updated SpamAssassin rules<br />
* Kernel 5.4.73<br />
* Proxmox Backup Server Integration<br/>Proxmox Mail Gateway is fully supported by the new Proxmox Backup Server 1.0, released on November 11, 2020:<br />
** Backing up to multiple remote backup servers: You can define multiple remote instances of Proxmox Backup Server to store backups on. In case of a large-scale disaster, they can be quickly restored.<br />
** Scheduled Backups: You can schedule regular backups via the GUI, which will then be automatically triggered by a systemd-timer unit. This removes the need for manual backup creation and individual, scripted solutions.<br />
* Quarantine Link via login-page<br />Users can request mails containing a link to their quarantine view, if enabled by the Admin. This enables users to edit their individual blocklists, even if no mails are in their quarantine. Until now this was only possible for sites using LDAP.<br />
* Improvements to the Tracking Center<br />To further improve user experience in the tracking center, pmg-log-tracker handles certain cases better:<br />
** The case sensitivity has been removed from the search box.<br />
** In case the pmg-smtp-filter fails to process emails due to misconfiguration, they are now marked as rejected.<br />
* Notable Bugfixes:<br />
** DKIM signing now uses the longest matching domain for the 'd=' tag.<br />
** Mails held in the Attachment Quarantine are assigned a new Message-ID - fixing interoperability with certain downstream servers (for example, MS Exchange), which silently discard messages with duplicate Message-IDs.<br />
<br />
==Proxmox Mail Gateway 6.2==<br />
'''Released 28. April 2020'''<br />
<br />
* Based on Debian Buster (10.3)<br />
** Proxmox Mail Gateway is based on the latest stable release of Debian 10.3 (Buster).<br />
* SpamAssassin 3.4.4<br />
** Proxmox ships the latest upstream release of Apache SpamAssassin with an updated and enhanced ruleset (KAM rules added)<br />
* Kernel 5.4<br />
** Proxmox Mail Gateway shares the kernel with Proxmox VE and is based on the 5.4 series from Ubuntu 20.04<br />
* pmg-log-tracker in Rust<br />
** <code>pmg-log-tracker</code> has been extended and reimplemented in the Rust programming language. <code>pmg-log-tracker</code> is the binary at the core of the Message Tracking Center, providing live searchable and grouped logs in the GUI.<br />
** The new <code>pmg-log-tracker</code> has support for parsing and grouping logs in before-queue filtering mode.<br />
** The refresh of the code base of <code>pmg-log-tracker</code> provides optimized performance and more stability.<br />
<br />
* Support for before-queue filtering in the GUI<br />
** With the added support for displaying before-queue filtering logs in the GUI and fixing some minor glitches in that area, the before-queue filtering can now be comfortably enabled in the GUI.<br />
<br />
* Improved IPv6 support<br />
** The Mail Proxy's SPF checker also verifies SPF records for those remote mail servers connecting via IPv6. <br />
** Greylisting support for IPv6 addresses (with variable netmask, defaulting to '/64') - needs to be explicitly enabled.<br />
** Who objects containing IPv6 literal addresses now work.<br />
<br />
* Customizable netmask length for greylist matching<br />
** Instead of fixing a greylist network to a '/24' the administrator can now configure which hosts should be considered as belonging to the same network by setting a larger (or smaller) prefix.<br />
** This can help with receiving mail from some cloud providers, who send out one mail from different IP addresses within a large network, which usually leads to a rather long delay and sometimes even to a legitimate mail being rejected.<br />
** Due to the changed database layout, partial upgrades of clusters will prevent nodes running the older version from syncing the greylist database until they are upgraded.<br />
<br />
* Better UX for the User Spam Quarantine interface<br />
** If selected in the Quarantine view, the From header and the Subject are now displayed on top of the mail body.<br />
** It is now possible to delete mail addresses containing certain special characters (for example '/') from a user's black- or whitelist.<br />
** Users can set their preferred language directly in the quarantine interface instead of having to log out to change the setting.<br />
** Fixed a bug in the selection of multiple e-mails.<br />
<br />
* Handling of changes to overridden templates with <code>ucf</code><br />
** Starting with this release, all service configuration templates copied and modified in <code>/etc/pmg/templates</code> get registered with <code>ucf</code>. Should an overridden template change with a new package version, the administrator is asked and can accept or reject the changes.<br />
** All users who have templates in <code>/etc/pmg/templates</code> will be asked about the current changes for the initial registration.<br />
<br />
* New What Object: 'Match Archive Filename'<br />
** In addition to matching files in archives (zip, tar.gz, rar,...) based on the file's content-type, it is also possible to look for particular filename patterns inside of archives.<br />
** This completes the feature matrix of matching files based on content-type or filename, as plain attachments, or inside archives.<br />
<br />
* Support for downstream LMTP servers<br />
** In certain setups there is no advantage in having a dedicated SMTP server for receiving e-mails from Proxmox Mail Gateway, since all used functionality is provided by an MTA, which speaks IMAP and LMTP (e.g., Dovecot).<br />
** It is now possible to configure Proxmox Mail Gateway to send e-mails directly to an LMTP relay, both as default transport and only as transport for certain domains.<br />
<br />
* Improvements to recently added features<br />
** Before-queue filtering and DKIM signing, both implemented with Proxmox Mail Gateway 6.1, have a better user experience and are considered stable now.<br />
** Some remaining glitches and bugs fixed for both. <br />
** DKIM selector handling now copes with the existence of multiple selectors, and in the GUI users can comfortably switch the active selector.<br />
<br />
* TLS policy selection for internal downstream servers<br />
** It is now possible to specify a desired level of encryption and authentication for the opportunistic TLS-encryption (STARTTLS) for downstream servers entered in your transports.<br />
** This can help to ensure that your internal communication is not sent in the clear over the network. It can also be used to work around broken TLS implementations in legacy downstream servers.<br />
<br />
* Improvements to general usability<br />
** The unbounded growth of the Quarantine disk usage for non-master nodes in clustered setups is fixed.<br />
** It's now possible to switch to incremental updates of the AV signatures for ClamAV via GUI, alleviating the problem that both methods fail in certain cases for some users.<br />
==Proxmox Mail Gateway 6.1==<br />
'''Released 27. November 2019'''<br />
<br />
* Based on Debian Buster (10.2)<br />
** Proxmox Mail Gateway is based on the latest stable release of Debian 10.2 (Buster).<br />
* Updated SpamAssassin rules<br />
* Kernel 5.3<br />
** Proxmox Mail Gateway shares the kernel with Proxmox VE and is based on the 5.3 series from Ubuntu 19.10<br />
<br />
* DKIM-Signing<br />
** Support for adding DomainKeys Identified Mail (DKIM) Signatures (RFC 6376) to outbound emails<br />
** Configuration via GUI<br />
** Signing happens after processing the email with the rule system, thus ensuring that it leaves the Proxmox Mail Gateway with a valid signature<br />
** Flexible control of which domains should get signed with sensible defaults (the relay domains)<br />
** Inside a cluster, one common selector minimizes the overhead for adding required DNS entries<br />
<br />
* Attachment Quarantine<br />
** The <code>Remove Attachments</code> action can now optionally deliver the complete email to the Attachment Quarantine<br />
** The Attachment Quarantine offers a comfortable GUI for selectively downloading parts of the email for further analysis, or delivering the mail to the original recipient<br />
** Accessible only by the administrators, it offers safety from accidentally opening malicious executables, doc-files, and other attachments infected with malware<br />
<br />
* Adjustable SpamAssassin Rule Scores via GUI<br />
** Adapt the scores of individual SpamAssassin rules directly in the GUI<br />
** Enables you to adapt the scoring to your environment, thus achieving better ham/spam detection rates<br />
** Mostly for adding a bit of weight to rules, which are good indicators for Spam in your environment<br />
** Selectively disable Rules, which cause false positives for your environment<br />
<br />
* Improved handling of Configuration and Rule changes in clustered environments<br />
** The Filtering Engine gets notified about a range of configuration changes which require a reload<br />
** The notification is propagated during the cluster sync<br />
** This reduces the situations where you had to manually restart <code>pmg-smtp-filter</code><br />
<br />
* Experimental Support for Before Queue filtering<br />
** Proxmox Mail Gateway can now optionally reject an email during the SMTP dialogue, instead of accepting it and silently discarding unwanted email<br />
** This is a requirement in certain situations<br />
** By answering with a permanent failure code (<code>554</code>), there is no need to generate a Non-Delivery Report, which could cause your system to get blacklisted, due to Backscatter<br />
** Currently incompatible with the Tracking Center, thus needs to be explicitly enabled in <code>/etc/pmg/pmg.conf</code><br />
<br />
* Improvements to general usability<br />
** Clarification of ambiguously used terms in the GUI and documentation<br />
** More detailed documentation of the Service Configuration Templates<br />
** Downloading of emails larger than 2 MB as <nowiki>eml</nowiki> from the Spam Quarantine now works<br />
** API-Viewer now usable from inside every running PMG installation at https://pmg.local:8006/api-viewer/index.html or just online via https://pmg.proxmox.com/pmg-docs/api-viewer/index.html<br />
<br />
==Proxmox Mail Gateway 6.0==<br />
'''Released 27. August 2019'''<br />
<br />
*Proxmox Mail Gateway is based on the latest stable release of Debian 10.0 (Buster)<br />
*This major version update provides an easy to follow step-by-step upgrade path - https://pmg.proxmox.com/wiki/index.php/Upgrade_from_5.x_to_6.0<br />
*Rule name logging - each final action now logs the name of the rule which triggered it to the system log<br />
*The system logs get displayed faster in the GUI because they now use the Proxmox `mini-journalreader` instead of `journalctl`<br />
*ClamAV 0.101.4 (fix for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934359)<br />
*Postgres 11 (new major version backing the rule system)<br />
*OpenSSL 1.1.1c with support for TLS 1.3<br />
*Updated shipped SpamAssassin Ruleset<br />
*Countless bugfixes and improvements in the GUI labels<br />
<br />
==Proxmox Mail Gateway 5.2==<br />
'''Released 20. March 2019'''<br />
<br />
*Mobile Quarantine Interface<br />
**based on the small and modern framework7<br />
**Deliver/Delete/Whitelist/Blacklist mails in your Quarantine from your mobile device<br />
*Improvements in the LDAP integration<br />
**allow the use of FQDNs instead of IPs in the WebUI<br />
**add support for certificate verification (and enable it for new deployments)<br />
**add support for LDAP+starttls<br />
*PMG-Appliance template<br />
**Install PMG as an (unprivileged) Linux Container (e.g. in PVE)<br />
**Introduces the new 'proxmox-mailgateway-container' metapackage, which does not depend on a kernel, and results in a vastly reduced size (and fewer updates)<br />
*Improvements in Logging<br />
**pmg-smtp-filter now logs each SA rule's score in addition to the rule names - simplifying the analysis of the spam filter's performance without the need to access the mail's source<br />
*Improvements in the WebUI's TLS configuration<br />
**pmgproxy can now be configured via '/etc/default/pmgproxy' to disable/enable certain ciphers, compression, and cipher selection preference.<br />
*new command: `pmg-system-report`<br />
**Provides an overview of key characteristics of PMG's setup and performance<br />
**Improves the initial diagnosis for our Enterprise support<br />
*.eml download from the (non-mobile) Quarantine Interface<br />
**Lets you download the complete source of a quarantined message in .eml format for further analysis<br />
*Add support for custom checks<br />
**Enable users to integrate their own custom check logic by providing a defined interface, which can optionally be enabled, and runs a custom check before the mail gets handed to the virus scanner and rule system.<br />
*Improvements of Blacklist/Whitelist handling in the Quarantine Interface<br />
**multiselect for removing multiple entries at once<br />
*proxmox-spamassassin<br />
**Update the shipped rulesets<br />
*PMG-Cluster: full IPv6 support<br />
*ISO works on Citrix XenServer<br />
*Documentation available via https://pmg.proxmox.com/pmg-docs<br />
*Bugfixes<br />
<br />
==Proxmox Mail Gateway 5.1==<br />
'''Released 05. October 2018'''<br />
<br />
*Allow configuring the TLS policy via the GUI<br />
*New 'helpdesk' role<br />
*Support SMTPUTF8 protocol feature<br />
*GUI improvements<br />
*Update to Debian Stretch 9.5<br />
*Update kernel to 4.15<br />
*Bugfixes<br />
<br />
==Proxmox Mail Gateway 5.0==<br />
'''Released 23. January 2018'''<br />
<br />
*Fully licensed under the open source license AGPL<br />
*Based on Debian Stretch 9.3 with a 4.13.13 kernel<br />
*ISO installer supports all ZFS raid levels<br />
*ExtJS based user interface<br />
*New API<br />
*Integrated documentation<br />
*Subscription-based enterprise support options (similar to the Proxmox VE support subscription model)<br />
*Bug fixes<br />
<br />
== Old Releases ==<br />
*Proxmox Mail Gateway 4.1<br />
*Proxmox Mail Gateway 4.0<br />
*Proxmox Mail Gateway 3.1<br />
*Proxmox Mail Gateway 3.0<br />
*Proxmox Mail Gateway 2.6<br />
*Proxmox Mail Gateway 2.5<br />
*Proxmox Mail Gateway 2.4<br />
*Proxmox Mail Gateway 2.3<br />
*Proxmox Mail Gateway 2.2<br />
*Proxmox Mail Gateway 2.1<br />
*Proxmox Mail Gateway 2.0<br />
*Proxmox Mail Gateway 1.7<br />
*Proxmox Mail Gateway 1.6<br />
*Proxmox Mail Gateway 1.5<br />
*Proxmox Mail Gateway 1.4<br />
*Proxmox Mail Gateway 1.3<br />
*Proxmox Mail Gateway 1.2<br />
*Proxmox Mail Gateway 1.1<br />
*Proxmox Mail Gateway 1.0 (April 2005)</div>
Martin
https://pmg.proxmox.com/wiki/index.php?title=Roadmap&diff=99
Roadmap
2022-11-30T09:56:17Z
<p>Martin: /* Roadmap */</p>
<hr />
<div>=Roadmap=<br />
*SpamAssassin 4<br />
*Continuous security and bug fix updates<br />
<br />
=Release History=<br />
See also [https://forum.proxmox.com/forums/announcements.7/ Announcement forum]<br />
<br />
== Proxmox Mail Gateway 7.1 ==<br />
'''Released 30. November 2021'''<br />
* Based on Debian Bullseye (11.1)<br />
* Kernel 5.13<br />
* ZFS 2.1<br />
* SpamAssassin 3.4.6 (with updated rule-set)<br />
* PostgreSQL 13.5<br />
<br />
'''Changelog Overview'''<br />
<br />
* Enhancements in the web interface (GUI)<br />
** Improved configuration editing of LDAP backends: Changes can now be applied without having to specify a password.<br />
** The APT repository configuration, rather than being restricted to 'root', is now visible and editable by all users with 'Administrator' privileges.<br />
** Improved translations, among others:<br />
*** Arabic<br />
*** Basque<br />
*** Brazilian Portuguese<br />
*** French<br />
*** German<br />
*** Simplified Chinese<br />
*** Traditional Chinese<br />
*** Turkish<br />
<br />
* Two-Factor Authentication<br />
** Two-factor authentication (TFA) for the web interface. Shares the TFA implementation from Proxmox Backup Server, written in Rust.<br />
** Support for multiple types of second factors:<br />
*** WebAuthn, which supports a wide range of security devices, like hardware keys or trusted platform modules.<br />
*** Time-based One-Time Password (TOTP), a short code derived from a shared secret and the current time that changes every 30 seconds.<br />
*** Single-use Recovery Keys.<br />
<br />
* Backend and API<br />
** Improved support for setups using DHCP for their network configuration:<br />
*: While email still requires working DNS records, you can now manage and configure the IP of your Proxmox Mail Gateway in your DHCP configuration.<br />
** When adding a new entry to a Who object, a duplicate check is performed before saving.<br />
** Better handling of trailing dot in domain-names:<br />
*: Proxmox Mail Gateway uses the first search domain from <code>/etc/resolv.conf</code> as domain name - it can now handle entries with a trailing dot.<br />
** Delivery status notification (DSN, RFC 3461) support for outbound email with enabled before-queue filtering.<br />
'''Upgrade from 6.4'''<br />
<br />
See [[Upgrade from 6.x to 7.0]]<br />
<br />
== Proxmox Mail Gateway 7.0 ==<br />
'''Released 15. July 2021'''<br />
* Based on Debian Bullseye (11)<br />
* SpamAssassin 3.4.6 (with updated rule-set)<br />
* Kernel 5.11<br />
* PostgreSQL 13<br />
<br />
'''Changelog Overview'''<br />
<br />
* Enhancements in the web interface (GUI)<br />
** Make dashboard status panel more detailed, showing, among other things, uptime, kernel version, CPU info and a high level repository status overview.<br />
** New APT repository management panel in the <code>Administration</code> tab shows an in-depth status and a list of all configured repositories.<br />
**: Basic repository management, for example, activating or deactivating a repository, is also supported.<br />
** Updated ExtJS JavaScript framework to latest GPL release 7.0<br />
** Added advanced task-log filtering<br />
** Improved translations, including:<br />
*** Arabic<br />
*** French<br />
*** German<br />
*** Japanese<br />
*** Polish<br />
*** Turkish<br />
<br />
* ACME/Let's Encrypt<br />
** Support the use of wildcard domains with the DNS plugins<br />
** API: nodeconfig: validate ACME config before writing<br />
<br />
* API<br />
** pmgproxy: allow setting LISTEN_IP parameter<br />
** The "Authentication mode" setting of <code>LDAP</code> for the quarantine interface no longer contains the ticket-link in the report-mails - thus, quarantine users need to provide their LDAP credentials to access the quarantine.<br />
<br />
* Installer:<br />
** Rework the installer environment to use <code>switch_root</code> instead of <code>chroot</code>, when transitioning from initrd to the actual installer.<br />
**: This improves module and firmware loading, and slightly reduces memory usage during installation.<br />
** Automatically detect HiDPI screens, and increase console font and GUI scaling accordingly. This improves UX for workstations with Proxmox VE (for example, for passthrough).<br />
** Improve ISO detection:<br />
*** Support ISOs backed by devices using USB Attached SCSI (UAS), which modern USB3 flash drives often do.<br />
*** Linearly increase the delay of subsequent scans for a device with an ISO image, bringing the total check time from 20s to 45s. This allows for the detection of very slow devices, while continuing faster in general.<br />
** Use <code>zstd</code> compression for the initrd image and the squashfs images.<br />
** Update to busybox 1.33.1 as the core-utils provider.<br />
<br />
* libarchive-perl<br />
** The perl-bindings to <code>libarchive</code> have been updated to match <code>libarchive</code> version 3.4.3 (shipped in Debian Bullseye) - the library interface was kept backwards-compatible<br />
<br />
* libxdgmime-perl<br />
** The perl-bindings to [https://gitlab.freedesktop.org/xdg/xdgmime xdgmime] have been updated to match current upstream - the library interface was kept backwards-compatible<br />
<br />
<div id="7.0-breaking-changes"></div><br />
'''Breaking Changes'''<br />
* New default bind address for pmgproxy, unifying the default behavior with Proxmox VE and Proxmox Backup Server<br />
** In making the LISTEN_IP configurable, the daemon now binds to both wildcard addresses (IPv4 <code>0.0.0.0:8006</code> and IPv6 <code>[::]:8006</code>) by default.<br />
*: Should you wish to prevent it from listening on IPv6, simply configure the IPv4 wildcard as LISTEN_IP in <code>/etc/default/pmgproxy</code>:<br />
*: <code>LISTEN_IP="0.0.0.0"</code><br />
** Additionally, the logged IP address format changed for IPv4 in pmgproxy's access log (<code>/var/log/pmgproxy/pmgproxy.log</code>). They are now logged as IPv4-mapped IPv6 addresses. Instead of:<br />
*: <code>192.0.2.1- root@pam [01/06/2021:01:19:03 +0200] "GET /api2/json/config/ruledb/digest HTTP/1.1" 200 51</code><br />
*: the line now looks like:<br />
*: <code>::ffff:192.0.2.1- root@pam [01/06/2021:01:19:03 +0200] "GET /api2/json/config/ruledb/digest HTTP/1.1" 200 51</code><br />
*: If you want to restore the old logging format, also set <code>LISTEN_IP="0.0.0.0"</code><br />
<br />
* ClamAV has [https://blog.clamav.net/2021/04/are-you-still-attempting-to-download.html deprecated the SafeBrowsing feature]:<br />
** These options have been removed from the shipped <code>freshclam.conf.in</code> template.<br />
** The <code>safebrowsing</code> config key in <code>/etc/pmg/pmg.conf</code> is currently ignored and will be dropped at some point in the future.<br />
<br />
* Changes to the database layout:<br />
** The <code>host</code> column of the <code>cgreylist</code> table, which has not been used since Proxmox Mail Gateway 6.2, has been dropped from the schema and will be dropped from existing databases during the upgrade.<br />
<br />
* API deprecations, moves and removals<br />
** The <code>upgrade</code> parameter of the <code>/nodes/{node}/termproxy</code> API method has been replaced by providing <code>upgrade</code> as <code>cmd</code> parameter.<br />
** The <code>domain</code> parameter of the <code>/config/tlspolicy</code> API method has been replaced by the <code>destination</code> parameter.<br />
** The <code>/quarantine/whitelist/{address}</code> and <code>/quarantine/blacklist/{address}</code> API methods, which take the address as part of the path, have been deprecated in favor of explicitly providing the parameter in the request to <code>/quarantine/whitelist</code> and <code>/quarantine/blacklist</code> respectively.<br />
** The API methods for detailed statistics per e-mail address, which take the address as part of the path (<code>/statistics/contact/{contact}</code>, <code>/statistics/sender/{sender}</code> and <code>/statistics/receiver/{receiver}</code>), have been deprecated in favor of <code>/statistics/detail</code>, which takes the address as an explicit parameter.<br />
<br />
<div id="7.0-known-issues"></div><br />
'''Known Issues'''<br />
* '''Network''': Due to the updated systemd version, and for most upgrades, the newer kernel version (5.4 to 5.11), some network interfaces might change upon reboot:<br />
** Some may change their name. For example, due to newly supported functions, a change from <code>enp33s0f0</code> to <code>enp33s0f0np0</code> could occur.<br />
**: We observed such changes with high-speed Mellanox models.<br />
** [https://sources.debian.org/src/bridge-utils/1.7-1/debian/NEWS/#L3-L23 Bridge MAC address selection has changed in Debian Bullseye] - it is now generated based on the interface name and the <code>machine-id (5)</code> of the system.<br />
**: Note that by default, Proxmox Mail Gateway does not use a Linux Bridge for networking, so most setups are unaffected.<br />
* '''Machine-id''': Systems installed using the Proxmox Mail Gateway 5.0 to 5.4 ISO may have a non-unique machine-id. These systems will have their machine-id re-generated automatically on upgrade, to avoid a potentially duplicated bridge MAC and other issues.<br />
: If you do the upgrade remotely, make sure you have a backup method of connecting to the host (for example, IPMI/iKVM, tiny-pilot, another network accessible by a cluster node, or physical access), in case the network used for SSH access becomes unreachable, due to the network failing to come up after a reboot.<br />
<br />
'''Upgrade from 6.4'''<br />
<br />
See [[Upgrade from 6.x to 7.0]]<br />
<br />
==Proxmox Mail Gateway 6.4==<br />
'''Released 30. March 2021'''<br />
* Based on Debian Buster (10.9)<br />
* SpamAssassin 3.4.5 (with updated ruleset)<br />
* Kernel 5.4.106<br />
* ACME integration<br />
** Proxmox Mail Gateway now offers full integration of the ACME protocol via the GUI, enabling administrators to create valid and trusted certificates for their domains with the Let's Encrypt certificate authority, in the same way as with Proxmox VE.<br />
** Full support for the <code>http-01</code> and <code>dns-01</code> challenges, with all plugins from [https://github.com/acmesh-official/acme.sh acme.sh].<br />
** Easily configurable from the GUI.<br />
* General Certificate Management via the GUI<br />
** It is now possible to upload custom certificates from the web interface, or set up a cluster-wide ACME account to automatically get and renew certificates from an ACME provider.<br />
* Support for external SpamAssassin update channels (regular automated updates).<br />
** By providing a short configuration file containing a SpamAssassin rule channel's URL and GPG key, Proxmox Mail Gateway will now fetch verified updates from that channel, along with the updates from updates.spamassassin.org.<br />
** The KAM ruleset channel is now available, and a suitable configuration file is shipped with <code>proxmox-spamassassin</code>.<br />
* Improved Quarantine Management<br />
** The admin view of the Spam Quarantine can now display quarantined mail of all users at once.<br />
** All Quarantine views (admin and user) allow you to filter for subject or sender.<br />
** The spam quarantine can now process huge amounts of mails at once (> 3200).<br />
* TLS-logging improvements to the Tracking Center<br />
** The Tracking Center now shows when an outbound connection is established over TLS.<br />
* Enhancements to the Integration of Proxmox Backup Server<br />
** It is now possible to get notified about the result of a scheduled backup to a configured Proxmox Backup Server Remote.<br />
** Inclusion of the (potentially large) statistics database is now configurable per Remote.<br />
* Notable Bugfixes:<br />
** Support for '/' in the local part of an e-mail address (quarantine and statistics view).<br />
<br />
==Proxmox Mail Gateway 6.3==<br />
'''Released 19. November 2020'''<br />
<br />
* Based on Debian Buster (10.6)<br />
* Updated SpamAssassin rules<br />
* Kernel 5.4.73<br />
* Proxmox Backup Server Integration<br/>Proxmox Mail Gateway is fully supported by the new Proxmox Backup Server 1.0, released on November 11, 2020:<br />
** Backing up to multiple remote backup servers: You can define multiple remote instances of Proxmox Backup Server to store backups on. In case of a large-scale disaster, they can be quickly restored.<br />
** Scheduled Backups: You can schedule regular backups via the GUI, which will then be automatically triggered by a systemd-timer unit. This removes the need for manual backup creation and individual, scripted solutions.<br />
* Quarantine Link via login-page<br />Users can request mails containing a link to their quarantine view, if enabled by the Admin. This enables users to edit their individual blocklists, even if no mails are in their quarantine. Until now this was only possible for sites using LDAP.<br />
* Improvements to the Tracking Center<br />To further improve user experience in the tracking center, pmg-log-tracker handles certain cases better:<br />
** The case sensitivity has been removed from the search box.<br />
** In case the pmg-smtp-filter fails to process emails due to misconfiguration, they are now marked as rejected.<br />
* Notable Bugfixes:<br />
** DKIM signing now uses the longest matching domain for the 'd=' tag.<br />
** Mails held in the Attachment Quarantine are assigned a new Message-ID - fixing interoperability with certain downstream servers (for example, MS Exchange), which silently discard messages with duplicate Message-IDs.<br />
<br />
==Proxmox Mail Gateway 6.2==<br />
'''Released 28. April 2020'''<br />
<br />
* Based on Debian Buster (10.3)<br />
** Proxmox Mail Gateway is based on the latest stable release of Debian 10.3 (Buster).<br />
* SpamAssassin 3.4.4<br />
** Proxmox ships the latest upstream release of Apache SpamAssassin with an updated and enhanced ruleset (KAM rules added)<br />
* Kernel 5.4<br />
** Proxmox Mail Gateway shares the kernel with Proxmox VE and is based on the 5.4 series from Ubuntu 20.04<br />
* pmg-log-tracker in Rust<br />
** <code>pmg-log-tracker</code> has been extended and reimplemented in the Rust programming language. <code>pmg-log-tracker</code> is the binary at the core of the Message Tracking Center, providing live searchable and grouped logs in the GUI.<br />
** The new <code>pmg-log-tracker</code> has support for parsing and grouping logs in before-queue filtering mode.<br />
** The refresh of the code base of <code>pmg-log-tracker</code> provides optimized performance and more stability.<br />
<br />
* Support for before-queue filtering in the GUI<br />
** With the added support for displaying before-queue filtering logs in the GUI and fixing some minor glitches in that area, the before-queue filtering can now be comfortably enabled in the GUI.<br />
<br />
* Improved IPv6 support<br />
** The Mail Proxy's SPF checker also verifies SPF records for those remote mail servers connecting via IPv6. <br />
** Greylisting support for IPv6 addresses (with variable netmask, defaulting to '/64') - needs to be explicitly enabled.<br />
** Who objects containing IPv6 literal addresses now work.<br />
<br />
* Customizable netmask length for greylist matching<br />
** Instead of fixing a greylist network to a '/24' the administrator can now configure which hosts should be considered as belonging to the same network by setting a larger (or smaller) prefix.<br />
** This can help with receiving mail from some cloud providers, who send out one mail from different IP addresses within a large network, which usually leads to a rather long delay and sometimes even to a legitimate mail being rejected.<br />
** Due to the changed database layout partial upgrades of clusters will prevent nodes running the older version from syncing the greylist database until they are upgraded.<br />
<br />
* Better UX for the User Spam Quarantine interface<br />
** If selected in the Quarantine view, the From header and the Subject are now displayed on top of the mail body.<br />
** It is now possible to delete mail addresses containing certain special characters (for example '/') from a user's black- or whitelist.<br />
** Users can set their preferred language directly in the quarantine interface instead of having to log out to change the setting.<br />
** Fixed a bug in the selection of multiple e-mails.<br />
<br />
* Handling of changes to overridden templates with <code>ucf</code><br />
** Starting with this release, all service configuration templates copied and modified in <code>/etc/pmg/templates</code> get registered with <code>ucf</code>. Should an overridden template change with a new package version, the administrator is asked and can accept or reject the changes.<br />
** All users who have templates in <code>/etc/pmg/templates</code> will be asked about the current changes for the initial registration.<br />
<br />
* New What Object: 'Match Archive Filename'<br />
** In addition to matching files in archives (zip, tar.gz, rar,...) based on the file's content-type, it is also possible to look for particular filename patterns inside of archives.<br />
** This completes the feature matrix of matching files based on content-type or filename, as plain attachments, or inside archives.<br />
<br />
* Support for downstream LMTP servers<br />
** In certain setups there is no advantage in having a dedicated SMTP server for receiving e-mails from Proxmox Mail Gateway, since all used functionality is provided by an MTA that speaks IMAP and LMTP (e.g., Dovecot).<br />
** It is now possible to configure Proxmox Mail Gateway to send e-mails directly to an LMTP relay, both as default transport and only as transport for certain domains.<br />
<br />
* Improvements to recently added features<br />
** Before-queue filtering and DKIM signing, both implemented with Proxmox Mail Gateway 6.1, have a better user experience and are considered stable now.<br />
** Some remaining glitches and bugs fixed for both. <br />
** DKIM selector handling can handle the existence of multiple selectors and in the GUI, users can comfortably switch between the active selector.<br />
<br />
* TLS policy selection for internal downstream servers<br />
** It is now possible to specify a desired level of encryption and authentication for the opportunistic TLS-encryption (STARTTLS) for downstream servers entered in your transports.<br />
** This can help to ensure that your internal communication is not sent in the clear over the network. It can also be used to work around broken TLS implementations in legacy downstream servers.<br />
<br />
* Improvements to general usability<br />
** The unbounded growth of the Quarantine disk usage for non-master nodes in clustered setups is fixed.<br />
** It's now possible to switch to incremental updates of the AV signatures for ClamAV via GUI, alleviating the problem that both methods fail in certain cases for some users.<br />
==Proxmox Mail Gateway 6.1==<br />
'''Released 27. November 2019'''<br />
<br />
* Based on Debian Buster (10.2)<br />
** Proxmox Mail Gateway is based on the latest stable release of Debian 10.2 (Buster).<br />
* Updated SpamAssassin rules<br />
* Kernel 5.3<br />
** Proxmox Mail Gateway shares the kernel with Proxmox VE and is based on the 5.3 series from Ubuntu 19.10<br />
<br />
* DKIM-Signing<br />
** Support for adding DomainKeys Identified Mail (DKIM) Signatures (RFC 6376) to outbound emails<br />
** Configuration via GUI<br />
** Signing happens after processing the email with the rule system, thus ensuring that it leaves the Proxmox Mail Gateway with a valid signature<br />
** Flexible control of which domains should get signed with sensible defaults (the relay domains)<br />
** Inside a cluster, one common selector minimizes the overhead for adding required DNS entries<br />
<br />
* Attachment Quarantine<br />
** The <code>Remove Attachments</code> action can now optionally deliver the complete email to the Attachment Quarantine<br />
** The Attachment Quarantine offers a comfortable GUI for selectively downloading parts of the email for further analysis, or delivering the mail to the original recipient<br />
** Accessible only by the administrators, it offers safety from accidentally opening malicious executables, doc-files, and other attachments infected with malware<br />
<br />
* Adjustable SpamAssassin Rule Scores via GUI<br />
** Adapt the scores of individual SpamAssassin rules directly in the GUI<br />
** Enables you to adapt the scoring to your environment, thus achieving better ham/spam detection rates<br />
** Mostly for adding a bit of weight to rules, which are good indicators for Spam in your environment<br />
** Selectively disable rules that cause false positives for your environment<br />
<br />
* Improved handling of Configuration and Rule changes in clustered environments<br />
** The Filtering Engine gets notified about a range of configuration changes which require a reload<br />
** The notification is propagated during the cluster sync<br />
** This reduces the situations where you had to manually restart <code>pmg-smtp-filter</code><br />
<br />
* Experimental Support for Before Queue filtering<br />
** Proxmox Mail Gateway can now optionally reject an email during the SMTP dialogue, instead of accepting it and silently discarding unwanted email<br />
** This is a requirement in certain situations<br />
** By answering with a permanent failure code (<code>554</code>), there is no need to generate a Non-Delivery Report, which could cause your system to get blacklisted, due to Backscatter<br />
** Currently incompatible with the Tracking Center, thus needs to be explicitly enabled in <code>/etc/pmg/pmg.conf</code><br />
<br />
* Improvements to general usability<br />
** Clarification of ambiguously used terms in the GUI and documentation<br />
** More detailed documentation of the Service Configuration Templates<br />
** Downloading of emails larger than 2 MB as <nowiki>eml</nowiki> from the Spam Quarantine now works<br />
** API-Viewer now usable from inside every running PMG installation at https://pmg.local:8006/api-viewer/index.html or just online via https://pmg.proxmox.com/pmg-docs/api-viewer/index.html<br />
<br />
==Proxmox Mail Gateway 6.0==<br />
'''Released 27. August 2019'''<br />
<br />
*Proxmox Mail Gateway is based on the latest stable release of Debian 10.0 (Buster)<br />
*This major version update provides an easy to follow step-by-step upgrade path - https://pmg.proxmox.com/wiki/index.php/Upgrade_from_5.x_to_6.0<br />
*Rule name logging - each final action now logs the name of the rule which triggered it to the system log<br />
*The system logs get displayed faster in the GUI because they now use the Proxmox <code>mini-journalreader</code> instead of <code>journalctl</code><br />
*ClamAV 0.101.4 (fix for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934359)<br />
*Postgres 11 (new major version backing the rule system)<br />
*OpenSSL 1.1.1c with support for TLS 1.3<br />
*Updated shipped SpamAssassin Ruleset<br />
*Countless bugfixes and improvements in the GUI labels<br />
<br />
==Proxmox Mail Gateway 5.2==<br />
'''Released 20. March 2019'''<br />
<br />
*Mobile Quarantine Interface<br />
**based on the small and modern framework7<br />
**Deliver/Delete/Whitelist/Blacklist mails in your Quarantine from your mobile device<br />
*Improvements in the LDAP integration<br />
**allow the use of FQDNs instead of IPs in the WebUI<br />
**add support for certificate verification (and enable it for new deployments)<br />
**add support for LDAP+starttls<br />
*PMG-Appliance template<br />
**Install PMG as an (unprivileged) Linux Container (e.g. in PVE)<br />
**Introduces the new 'proxmox-mailgateway-container' metapackage, which does not depend on a kernel, and results in a vastly reduced size (and fewer updates)<br />
*Improvements in Logging<br />
**pmg-smtp-filter now logs each SA rule's score in addition to the rule names - simplifying the analysis of the spam filter's performance without the need to access the mail's source<br />
*Improvements in the WebUI's TLS configuration<br />
**pmgproxy can now be configured via '/etc/default/pmgproxy' to disable/enable certain ciphers, compression, cipher selection preference.<br />
*New command: <code>pmg-system-report</code><br />
**Provides an overview of key characteristics of PMG's setup and performance<br />
**Improves the initial diagnosis for our Enterprise support<br />
*.eml download from the (non-mobile) Quarantine Interface<br />
**Lets you download the complete source of a quarantined message in .eml format for further analysis<br />
*Add support for custom checks<br />
**Enable users to integrate their own custom check logic by providing a defined interface, which can optionally be enabled, and runs a custom check before the mail gets handed to the virus scanner and rule system.<br />
*Improvements of Blacklist/Whitelist handling in the Quarantine Interface<br />
**multiselect for removing multiple entries at once<br />
*proxmox-spamassassin<br />
**Update the shipped rulesets<br />
*PMG-Cluster: full IPv6 support<br />
*ISO works on Citrix XenServer<br />
*Documentation available via https://pmg.proxmox.com/pmg-docs<br />
*Bugfixes<br />
<br />
==Proxmox Mail Gateway 5.1==<br />
'''Released 05. October 2018'''<br />
<br />
*Allow configuring the TLS policy via the GUI<br />
*New 'helpdesk' role<br />
*Support SMTPUTF8 protocol feature<br />
*GUI improvements<br />
*Update to Debian Stretch 9.5<br />
*Update kernel to 4.15<br />
*Bugfixes<br />
<br />
==Proxmox Mail Gateway 5.0==<br />
'''Released 23. January 2018'''<br />
<br />
*Fully licensed under the open source license AGPL<br />
*Based on Debian Stretch 9.3 with a 4.13.13 kernel<br />
*ISO installer supports all ZFS raid levels<br />
*ExtJS based user interface<br />
*New API<br />
*Integrated documentation<br />
*Subscription-based enterprise support options (similar to the Proxmox VE support subscription model)<br />
*Bug fixes<br />
<br />
== Old Releases ==<br />
*Proxmox Mail Gateway 4.1<br />
*Proxmox Mail Gateway 4.0<br />
*Proxmox Mail Gateway 3.1<br />
*Proxmox Mail Gateway 3.0<br />
*Proxmox Mail Gateway 2.6<br />
*Proxmox Mail Gateway 2.5<br />
*Proxmox Mail Gateway 2.4<br />
*Proxmox Mail Gateway 2.3<br />
*Proxmox Mail Gateway 2.2<br />
*Proxmox Mail Gateway 2.1<br />
*Proxmox Mail Gateway 2.0<br />
*Proxmox Mail Gateway 1.7<br />
*Proxmox Mail Gateway 1.6<br />
*Proxmox Mail Gateway 1.5<br />
*Proxmox Mail Gateway 1.4<br />
*Proxmox Mail Gateway 1.3<br />
*Proxmox Mail Gateway 1.2<br />
*Proxmox Mail Gateway 1.1<br />
*Proxmox Mail Gateway 1.0 (April 2005)</div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=File:Proxmox-Mail-Gateway-Statistics.png&diff=90File:Proxmox-Mail-Gateway-Statistics.png2021-11-30T10:15:36Z<p>Martin: Martin uploaded a new version of File:Proxmox-Mail-Gateway-Statistics.png</p>
<hr />
<div></div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=Roadmap&diff=89Roadmap2021-11-30T09:30:04Z<p>Martin: Proxmox Mail Gateway 7.1 release</p>
<hr />
<div>=Roadmap=<br />
<br />
=Release History=<br />
See also [https://forum.proxmox.com/forums/announcements.7/ Announcement forum]<br />
<br />
== Proxmox Mail Gateway 7.1 ==<br />
'''Released 30. November 2021'''<br />
* Based on Debian Bullseye (11.1)<br />
* Kernel 5.13<br />
* ZFS 2.1<br />
* SpamAssassin 3.4.6 (with updated rule-set)<br />
* PostgreSQL 13.5<br />
<br />
'''Changelog Overview'''<br />
<br />
* Enhancements in the web interface (GUI)<br />
** Improved configuration editing of LDAP backends: Changes can now be applied without having to specify a password.<br />
** The APT repository configuration, rather than being restricted to 'root', is now visible and editable by all users with 'Administrator' privileges.<br />
** Improved translations, among others:<br />
*** Arabic<br />
*** Basque<br />
*** Brazilian Portuguese<br />
*** French<br />
*** German<br />
*** Simplified Chinese<br />
*** Traditional Chinese<br />
*** Turkish<br />
<br />
* Two-Factor Authentication<br />
** Two-factor authentication (TFA) for the web interface. Shares the TFA implementation from Proxmox Backup Server, written in Rust.<br />
** Support for multiple types of second factors:<br />
*** WebAuthn, which supports a wide range of security devices, like hardware keys or trusted platform modules.<br />
*** Time-based One-Time Password (TOTP), a short code derived from a shared secret and the current time that changes every 30 seconds.<br />
*** Single-use Recovery Keys.<br />
<br />
* API<br />
** Support for IP configuration via DHCP:<br />
*: While email still requires working DNS records, you can now manage and configure the IP of your Proxmox Mail Gateway in your DHCP configuration.<br />
** When adding a new entry to a Who object, a duplicate check is performed before saving.<br />
** Better handling of trailing dot in domain-names:<br />
*: Proxmox Mail Gateway uses the first search domain from <code>/etc/resolv.conf</code> as domain name - it can now handle entries with a trailing dot.<br />
** Delivery status notification (DSN, RFC 3461) support for outbound email with enabled before-queue filtering.<br />
'''Upgrade from 6.4'''<br />
<br />
See [[Upgrade from 6.x to 7.0]]<br />
<br />
== Proxmox Mail Gateway 7.0 ==<br />
'''Released 15. July 2021'''<br />
* Based on Debian Bullseye (11)<br />
* SpamAssassin 3.4.6 (with updated rule-set)<br />
* Kernel 5.11<br />
* PostgreSQL 13<br />
<br />
'''Changelog Overview'''<br />
<br />
* Enhancements in the web interface (GUI)<br />
** Make dashboard status panel more detailed, showing, among other things, uptime, kernel version, CPU info and a high level repository status overview.<br />
** New APT repository management panel in the <code>Administration</code> tab shows an in-depth status and a list of all configured repositories.<br />
**: Basic repository management, for example, activating or deactivating a repository, is also supported.<br />
** Updated ExtJS JavaScript framework to latest GPL release 7.0<br />
** Added advanced task-log filtering<br />
** Improved translations, including:<br />
*** Arabic<br />
*** French<br />
*** German<br />
*** Japanese<br />
*** Polish<br />
*** Turkish<br />
<br />
* ACME/Let's Encrypt<br />
** Support the use of wildcard domains with the DNS plugins<br />
** API: nodeconfig: validate ACME config before writing<br />
<br />
* API<br />
** pmgproxy: allow setting LISTEN_IP parameter<br />
** The "Authentication mode" setting of <code>LDAP</code> for the quarantine interface no longer contains the ticket-link in the report-mails - thus, quarantine users need to provide their LDAP credentials to access the quarantine.<br />
<br />
* Installer:<br />
** Rework the installer environment to use <code>switch_root</code> instead of <code>chroot</code>, when transitioning from initrd to the actual installer.<br />
**: This improves module and firmware loading, and slightly reduces memory usage during installation.<br />
** Automatically detect HiDPI screens, and increase console font and GUI scaling accordingly. This improves UX for workstations with Proxmox VE (for example, for passthrough).<br />
** Improve ISO detection:<br />
*** Support ISOs backed by devices using USB Attached SCSI (UAS), which modern USB3 flash drives often do.<br />
*** Linearly increase the delay of subsequent scans for a device with an ISO image, bringing the total check time from 20s to 45s. This allows for the detection of very slow devices, while continuing faster in general.<br />
** Use <code>zstd</code> compression for the initrd image and the squashfs images.<br />
** Update to busybox 1.33.1 as the core-utils provider.<br />
<br />
* libarchive-perl<br />
** The perl-bindings to <code>libarchive</code> have been updated to match <code>libarchive</code> version 3.4.3 (shipped in Debian Bullseye) - the library interface was kept backwards-compatible<br />
<br />
* libxdgmime-perl<br />
** The perl-bindings to [https://gitlab.freedesktop.org/xdg/xdgmime xdgmime] have been updated to match current upstream - the library interface was kept backwards-compatible<br />
<br />
<div id="7.0-breaking-changes"></div><br />
'''Breaking Changes'''<br />
* New default bind address for pmgproxy, unifying the default behavior with Proxmox VE and Proxmox Backup Server<br />
** In making the LISTEN_IP configurable, the daemon now binds to both wildcard addresses (IPv4 <code>0.0.0.0:8006</code> and IPv6 <code>[::]:8006</code>) by default.<br />
*: Should you wish to prevent it from listening on IPv6, simply configure the IPv4 wildcard as LISTEN_IP in <code>/etc/default/pmgproxy</code>:<br />
*: <code>LISTEN_IP="0.0.0.0"</code><br />
** Additionally, the logged IP address format changed for IPv4 in pmgproxy's access log (<code>/var/log/pmgproxy/pmgproxy.log</code>). They are now logged as IPv4-mapped IPv6 addresses. Instead of:<br />
*: <code>192.0.2.1- root@pam [01/06/2021:01:19:03 +0200] "GET /api2/json/config/ruledb/digest HTTP/1.1" 200 51</code><br />
*: the line now looks like:<br />
*: <code>::ffff:192.0.2.1- root@pam [01/06/2021:01:19:03 +0200] "GET /api2/json/config/ruledb/digest HTTP/1.1" 200 51</code><br />
*:If you want to restore the old logging format, also set <code>LISTEN_IP="0.0.0.0"</code><br />
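The format change above breaks any log consumer that compares the client field as a string or tests it against IPv4 networks. The following Python sketch is an added example, not Proxmox code: it parses the two sample lines from this page plus a few constructed ones, folds IPv4-mapped addresses back to IPv4, and checks clients against a hypothetical management allowlist (the allowlist, the function names and the line pattern are assumptions).

```python
import ipaddress
import re

# Line shape inferred from the two sample lines in the release notes (assumption).
LINE_RE = re.compile(
    r'^(?P<client>[0-9A-Fa-f:.]+)\s*-\s+(?P<user>\S+)\s+\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<request>[^"]*)"\s+(?P<status>\d{3})\s+(?P<size>\d+)\s*$'
)

SAMPLE_LOG = [
    # The first two lines are the samples quoted on this page (old and new format).
    '192.0.2.1- root@pam [01/06/2021:01:19:03 +0200] '
    '"GET /api2/json/config/ruledb/digest HTTP/1.1" 200 51',
    '::ffff:192.0.2.1- root@pam [01/06/2021:01:19:03 +0200] '
    '"GET /api2/json/config/ruledb/digest HTTP/1.1" 200 51',
    # The remaining lines are constructed for this example.
    '::ffff:198.51.100.7 - - [01/06/2021:01:20:11 +0200] '
    '"GET /api2/json/config/ruledb/digest HTTP/1.1" 401 0',
    '2001:db8::10 - root@pam [01/06/2021:01:21:40 +0200] '
    '"GET /api2/json/config/ruledb/digest HTTP/1.1" 200 51',
    'garbage line',
]

# Hypothetical management networks that are expected to reach the API.
ALLOWED = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/64"),
]


def canonical_client(text):
    """Return the client address, unwrapping ::ffff:a.b.c.d to plain IPv4."""
    addr = ipaddress.ip_address(text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def parse_line(line):
    """Parse one access-log line; return a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        client = canonical_client(m["client"])
    except ValueError:
        return None
    rec = m.groupdict()
    rec["client"] = client
    rec["status"] = int(rec["status"])
    return rec


def outside_allowlist(lines, allowed):
    """Return (records whose client is in no allowed network, unparsed count)."""
    hits, skipped = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
        elif not any(rec["client"] in net for net in allowed):
            hits.append(rec)
    return hits, skipped


def naive_in_allowlist(text, allowed):
    """Pre-upgrade style check: no unwrapping, so mapped addresses never match."""
    addr = ipaddress.ip_address(text)
    return any(addr in net for net in allowed)


if __name__ == "__main__":
    hits, skipped = outside_allowlist(SAMPLE_LOG, ALLOWED)
    for rec in hits:
        print(rec["client"], rec["user"], rec["status"], rec["request"])
    print("unparsed lines:", skipped)
    print("naive check on mapped address:",
          naive_in_allowlist("::ffff:192.0.2.1", ALLOWED))
```

Unparsed lines are counted rather than dropped silently, so a further format change shows up as a rising skip count instead of missing alerts.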
<br />
* ClamAV has [https://blog.clamav.net/2021/04/are-you-still-attempting-to-download.html deprecated the SafeBrowsing feature]:<br />
** These options have been removed from the shipped <code>freshclam.conf.in</code> template.<br />
** The <code>safebrowsing</code> config key in <code>/etc/pmg/pmg.conf</code> is currently ignored and will be dropped at some point in the future.<br />
<br />
* Changes to the database layout:<br />
** The <code>host</code> column of the <code>cgreylist</code> table, which has not been used since Proxmox Mail Gateway 6.2, has been dropped from the schema and will be dropped from existing databases during the upgrade.<br />
<br />
* API deprecations, moves and removals<br />
** The <code>upgrade</code> parameter of the <code>/nodes/{node}/termproxy</code> API method has been replaced by providing <code>upgrade</code> as <code>cmd</code> parameter.<br />
** The <code>domain</code> parameter of the <code>/config/tlspolicy</code> API method has been replaced by the <code>destination</code> parameter.<br />
** The <code>/quarantine/whitelist/{address}</code> and <code>/quarantine/blacklist/{address}</code> API methods, that take the address as part of the path, have been deprecated in favor of explicitly providing the parameter in the request to <code>/quarantine/whitelist</code> and <code>/quarantine/blacklist</code> respectively.<br />
** The API methods for detailed statistics per e-mail address, which take the address as part of the path (<code>/statistics/contact/{contact}</code>, <code>/statistics/sender/{sender}</code> and <code>/statistics/receiver/{receiver}</code>), have been deprecated in favor of <code>/statistics/detail</code>, which takes the address as an explicit parameter.<br />
<br />
<div id="7.0-known-issues"></div><br />
'''Known Issues'''<br />
* '''Network''': Due to the updated systemd version, and for most upgrades, the newer kernel version (5.4 to 5.11), some network interfaces might change upon reboot:<br />
** Some may change their name. For example, due to newly supported functions, a change from <code>enp33s0f0</code> to <code>enp33s0f0np0</code> could occur.<br />
**: We observed such changes with high-speed Mellanox models.<br />
** [https://sources.debian.org/src/bridge-utils/1.7-1/debian/NEWS/#L3-L23 Bridge MAC address selection has changed in Debian Bullseye] - it is now generated based on the interface name and the <code>machine-id (5)</code> of the system.<br />
**: Note that by default, Proxmox Mail Gateway does not use a Linux Bridge for networking, so most setups are unaffected.<br />
* '''Machine-id''': Systems installed using the Proxmox Mail Gateway 5.0 to 5.4 ISO may have a non-unique machine-id. These systems will have their machine-id re-generated automatically on upgrade, to avoid a potentially duplicated bridge MAC and other issues.<br />
: If you do the upgrade remotely, make sure you have a backup method of connecting to the host (for example, IPMI/iKVM, tiny-pilot, another network accessible by a cluster node, or physical access), in case the network used for SSH access becomes unreachable, due to the network failing to come up after a reboot.<br />
<br />
'''Upgrade from 6.4'''<br />
<br />
See [[Upgrade from 6.x to 7.0]]<br />
<br />
==Proxmox Mail Gateway 6.4==<br />
'''Released 30. March 2021'''<br />
* Based on Debian Buster (10.9)<br />
* SpamAssassin 3.4.5 (with updated ruleset)<br />
* Kernel 5.4.106<br />
* ACME integration<br />
** Proxmox Mail Gateway now offers full integration of the ACME protocol via the GUI, enabling administrators to create valid and trusted certificates for their domains with the Let's Encrypt certificate authority, in the same way as with Proxmox VE.<br />
** Full support for the <code>http-01</code> and <code>dns-01</code> challenges, with all plugins from [https://github.com/acmesh-official/acme.sh acme.sh].<br />
** Easily configurable from the GUI.<br />
* General Certificate Management via the GUI<br />
** It is now possible to upload custom certificates from the web interface, or set up a cluster-wide ACME account to automatically get and renew certificates from an ACME provider.<br />
* Support for external SpamAssassin update channels (regular automated updates).<br />
** By providing a short configuration file containing a SpamAssassin rule channel's URL and GPG key, Proxmox Mail Gateway will now fetch verified updates from that channel, along with the updates from updates.spamassassin.org.<br />
** The KAM ruleset channel is now available, and a suitable configuration file is shipped with <code>proxmox-spamassassin</code>.<br />
* Improved Quarantine Management<br />
** The admin view of the Spam Quarantine can now display quarantined mail of all users at once.<br />
** All Quarantine views (admin and user) allow you to filter for subject or sender.<br />
** The spam quarantine can now process huge amounts of mails at once (> 3200).<br />
* TLS-logging improvements to the Tracking Center<br />
** The Tracking Center now shows when an outbound connection is established over TLS.<br />
* Enhancements to the Integration of Proxmox Backup Server<br />
** It is now possible to get notified about the result of a scheduled backup to a configured Proxmox Backup Server Remote.<br />
** Inclusion of the (potentially large) statistics database is now configurable per Remote.<br />
* Notable Bugfixes:<br />
** Support for '/' in the local part of an e-mail address (quarantine and statistics view).<br />
<br />
==Proxmox Mail Gateway 6.3==<br />
'''Released 19. November 2020'''<br />
<br />
* Based on Debian Buster (10.6)<br />
* Updated SpamAssassin rules<br />
* Kernel 5.4.73<br />
* Proxmox Backup Server Integration<br/>Proxmox Mail Gateway is fully supported by the new Proxmox Backup Server 1.0, released on November 11, 2020:<br />
** Backing up to multiple remote backup servers: You can define multiple remote instances of Proxmox Backup Server to store backups on. In case of a large-scale disaster, they can be quickly restored.<br />
** Scheduled Backups: You can schedule regular backups via the GUI, which will then be automatically triggered by a systemd-timer unit. This removes the need for manual backup creation and individual, scripted solutions.<br />
* Quarantine Link via login-page<br />Users can request mails containing a link to their quarantine view, if enabled by the Admin. This enables users to edit their individual blocklists, even if no mails are in their quarantine. Until now this was only possible for sites using LDAP.<br />
* Improvements to the Tracking Center<br />To further improve user experience in the tracking center, pmg-log-tracker handles certain cases better:<br />
** The case sensitivity has been removed from the search box.<br />
** In case the pmg-smtp-filter fails to process emails due to misconfiguration, they are now marked as rejected.<br />
* Notable Bugfixes:<br />
** DKIM signing now uses the longest matching domain for the 'd=' tag.<br />
** Mails held in the Attachment Quarantine are assigned a new Message-ID - fixing interoperability with certain downstream servers (for example, MS Exchange), which silently discard messages with duplicate Message-IDs.<br />
<br />
==Proxmox Mail Gateway 6.2==<br />
'''Released 28. April 2020'''<br />
<br />
* Based on Debian Buster (10.3)<br />
** Proxmox Mail Gateway is based on the latest stable release of Debian 10.3 (Buster).<br />
* SpamAssassin 3.4.4<br />
** Proxmox ships the latest upstream release of Apache SpamAssassin with an updated and enhanced ruleset (KAM rules added)<br />
* Kernel 5.4<br />
** Proxmox Mail Gateway shares the kernel with Proxmox VE and is based on the 5.4 series from Ubuntu 20.04<br />
* pmg-log-tracker in Rust<br />
** <code>pmg-log-tracker</code> has been extended and reimplemented in the Rust programming language. <code>pmg-log-tracker</code> is the binary at the core of the Message Tracking Center, providing live searchable and grouped logs in the GUI.<br />
** The new <code>pmg-log-tracker</code> has support for parsing and grouping logs in before-queue filtering mode.<br />
** The refresh of the code base of <code>pmg-log-tracker</code> provides an optimized performance and more stability.<br />
<br />
* Support for before-queue filtering in the GUI<br />
** With the added support for displaying before-queue filtering logs in the GUI and fixing some minor glitches in that area, the before-queue filtering can now be comfortably enabled in the GUI.<br />
<br />
* Improved IPv6 support<br />
** The Mail Proxy's SPF checker also verifies SPF records for those remote mail servers connecting via IPv6. <br />
** Greylisting support for IPv6 addresses (with variable netmask, defaulting to '/64') - needs to be explicitly enabled.<br />
** Who-objects containing IPv6 literal address work now.<br />
<br />
* Customizable netmask length for greylist matching<br />
** Instead of fixing a greylist network to a '/24' the administrator can now configure which hosts should be considered as belonging to the same network by setting a larger (or smaller) prefix.<br />
** This can help with receiving mail from some cloud providers, who retry sending a single mail from different IP addresses within a large network, which usually leads to a rather long delay and sometimes even to a legitimate mail being rejected.<br />
** Due to the changed database layout partial upgrades of clusters will prevent nodes running the older version from syncing the greylist database until they are upgraded.<br />
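To illustrate why the prefix length matters, here is an added Python example (not Proxmox code) of a toy greylist keyed on the sender's network, envelope sender and recipient. The key layout, the 300-second minimum delay and all addresses are assumptions made for the illustration; only the '/24' IPv4 prefix and the '/64' IPv6 default come from this page.

```python
import ipaddress


class Greylist:
    """Toy greylist: defer the first attempt per key, accept later retries."""

    def __init__(self, v4_prefix=24, v6_prefix=64, min_delay=300):
        self.v4_prefix = v4_prefix
        self.v6_prefix = v6_prefix
        self.min_delay = min_delay      # seconds a sender has to wait (assumed)
        self.first_seen = {}            # key -> timestamp of the first attempt

    def network_key(self, client_ip):
        """Collapse a client address to the network it is greylisted under."""
        addr = ipaddress.ip_address(client_ip)
        prefix = self.v4_prefix if addr.version == 4 else self.v6_prefix
        return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

    def check(self, client_ip, sender, recipient, now):
        """Return 'defer' or 'accept' for one delivery attempt at time `now`."""
        key = (self.network_key(client_ip), sender.lower(), recipient.lower())
        first = self.first_seen.setdefault(key, now)
        return "accept" if now - first >= self.min_delay else "defer"


# Constructed attempts: one message retried from three hosts of the same
# provider, all inside 198.18.4.0/22 but in three different /24 networks.
V4_ATTEMPTS = [
    (0,    "198.18.4.10"),
    (600,  "198.18.6.77"),
    (1200, "198.18.5.3"),
]

# Constructed IPv6 retry from a second host in the same /64.
V6_ATTEMPTS = [
    (0,   "2001:db8:1:2::a"),
    (600, "2001:db8:1:2:ffff::b"),
]


def replay(attempts, v4_prefix=24, v6_prefix=64):
    """Feed the attempts of one message through a fresh greylist."""
    gl = Greylist(v4_prefix=v4_prefix, v6_prefix=v6_prefix)
    return [
        gl.check(ip, "news@example.org", "user@example.com", ts)
        for ts, ip in attempts
    ]


if __name__ == "__main__":
    print("/24:", replay(V4_ATTEMPTS, v4_prefix=24))
    print("/22:", replay(V4_ATTEMPTS, v4_prefix=22))
    print("/64:", replay(V6_ATTEMPTS))
```

The trade-off of a wider network is that every host inside it shares one greylist entry, so the prefix should not be widened further than the sending networks actually require.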
<br />
* Better UX for the User Spam Quarantine interface<br />
** If selected in the Quarantine view, the From header and the Subject are now displayed on top of the mail body.<br />
** It is now possible to delete mail addresses containing certain special characters (for example '/') from a user's black- or whitelist.<br />
** Users can set their preferred language directly in the quarantine interface instead of having to log out to change the setting.<br />
** Fixed a bug in the selection of multiple e-mails.<br />
<br />
* Handling of changes to overridden templates with <code>ucf</code><br />
** Starting with this release, all service configuration templates that have been copied and modified in <code>/etc/pmg/templates</code> get registered with <code>ucf</code>. Should an overridden template change with a new package version, the administrator is asked and can accept or reject the changes.<br />
** All users who have templates in <code>/etc/pmg/templates</code> will be asked about the current changes for the initial registration.<br />
<br />
* New What Object: 'Match Archive Filename'<br />
** In addition to match files in archives (zip, tar.gz, rar,...) based on the file's content-type, it is also possible to look for particular filename patterns inside of archives.<br />
** This completes the feature matrix of matching files based on content-type or filename, as plain attachments, or inside archives.<br />
<br />
* Support for downstream LMTP servers<br />
** In certain setups there is no advantage in having a dedicated SMTP server for receiving e-mails from Proxmox Mail Gateway, since all used functionality is provided by an MTA, which speaks IMAP and LMTP (e.g., Dovecot).<br />
** It is now possible to configure Proxmox Mail Gateway to send e-mails directly to an LMTP relay, both as default transport and only as transport for certain domains.<br />
<br />
* Improvements to recently added features<br />
** Before-queue filtering and DKIM signing, both implemented with Proxmox Mail Gateway 6.1, have a better user experience and are considered stable now.<br />
** Some remaining glitches and bugs fixed for both. <br />
** DKIM selector handling can handle the existence of multiple selectors and in the GUI, users can comfortably switch between the active selector.<br />
<br />
* TLS policy selection for internal downstream servers<br />
** It is now possible to specify a desired level of encryption and authentication for the opportunistic TLS-encryption (STARTTLS) for downstream servers entered in your transports.<br />
** This can help to ensure that your internal communication is not sent in the clear over the network. It can also be used to work around broken TLS implementations in legacy downstream servers.<br />
<br />
* Improvements to general usability<br />
** The unbounded growth of the Quarantine disk usage for non-master nodes in clustered setups is fixed.<br />
** It's now possible to switch to incremental updates of the AV signatures for ClamAV via GUI, alleviating the problem that both methods fail in certain cases for some users.<br />
<br />
==Proxmox Mail Gateway 6.1==<br />
'''Released 27. November 2019'''<br />
<br />
* Based on Debian Buster (10.2)<br />
** Proxmox Mail Gateway is based on the latest stable release of Debian 10.2 (Buster).<br />
* Updated SpamAssassin rules<br />
* Kernel 5.3<br />
** Proxmox Mail Gateway shares the kernel with Proxmox VE and is based on the 5.3 series from Ubuntu 19.10<br />
<br />
* DKIM-Signing<br />
** Support for adding DomainKeys Identified Mail (DKIM) Signatures (RFC 6376) to outbound emails<br />
** Configuration via GUI<br />
** Signing happens after processing the email with the rule system, thus ensuring that it leaves the Proxmox Mail Gateway with a valid signature<br />
** Flexible control of which domains should get signed with sensible defaults (the relay domains)<br />
** Inside a cluster, one common selector minimizes the overhead for adding required DNS entries<br />
<br />
* Attachment Quarantine<br />
** The <code>Remove Attachments</code> action can now optionally deliver the complete email to the Attachment Quarantine<br />
** The Attachment Quarantine offers a comfortable GUI for selectively downloading parts of the email for further analysis, or delivering the mail to the original recipient<br />
** Accessible only by the administrators, it offers safety from accidentally opening malicious executables, doc-files, and other attachments infected with malware<br />
<br />
* Adjustable SpamAssassin Rule Scores via GUI<br />
** Adapt the scores of individual SpamAssassin rules directly in the GUI<br />
** Enables you to adapt the scoring to your environment, thus achieving better ham/spam detection rates<br />
** Mostly for adding a bit of weight to rules, which are good indicators for Spam in your environment<br />
** Selectively disable Rules, which cause false positives for your environment<br />
<br />
* Improved handling of Configuration and Rule changes in clustered environments<br />
** The Filtering Engine gets notified about a range of configuration changes which require a reload<br />
** The notification is propagated during the cluster sync<br />
** This reduces the situations where you had to manually restart <code>pmg-smtp-filter</code><br />
<br />
* Experimental Support for Before Queue filtering<br />
** Proxmox Mail Gateway can now optionally reject an email during the SMTP dialogue, instead of accepting it and silently discarding unwanted email<br />
** This is a requirement in certain situations<br />
** By answering with a permanent failure code (<code>554</code>), there is no need to generate a Non-Delivery Report, which could cause your system to get blacklisted, due to Backscatter<br />
** Currently incompatible with the Tracking Center, thus needs to be explicitly enabled in <code>/etc/pmg/pmg.conf</code><br />
<br />
* Improvements to general usability<br />
** Clarification of ambiguously used terms in the GUI and documentation<br />
** More detailed documentation of the Service Configuration Templates<br />
** Downloading of emails larger than 2 MB as <nowiki>eml</nowiki> from the Spam Quarantine now works<br />
** API-Viewer now usable from inside every running PMG installation at https://pmg.local:8006/api-viewer/index.html or just online via https://pmg.proxmox.com/pmg-docs/api-viewer/index.html<br />
<br />
==Proxmox Mail Gateway 6.0==<br />
'''Released 27. August 2019'''<br />
<br />
*Proxmox Mail Gateway is based on the latest stable release of Debian 10.0 (Buster)<br />
*This major version update provides an easy to follow step-by-step upgrade path - https://pmg.proxmox.com/wiki/index.php/Upgrade_from_5.x_to_6.0<br />
*Rule name logging - each final action now logs the name of the rule which triggered it to the system log<br />
*The system logs get displayed faster in the GUI because they now use the Proxmox <code>mini-journalreader</code> instead of <code>journalctl</code><br />
*ClamAV 0.101.4 (fix for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934359)<br />
*Postgres 11 (new major version backing the rule system)<br />
*OpenSSL 1.1.1c with support for TLS 1.3<br />
*Updated shipped SpamAssassin Ruleset<br />
*Countless bugfixes and improvements in the GUI labels<br />
<br />
==Proxmox Mail Gateway 5.2==<br />
'''Released 20. March 2019'''<br />
<br />
*Mobile Quarantine Interface<br />
**based on the small and modern framework7<br />
**Deliver/Delete/Whitelist/Blacklist mails in your Quarantine from your mobile device<br />
*Improvements in the LDAP integration<br />
**allow the use of FQDNs instead of IPs in the WebUI<br />
**add support for certificate verification (and enable it for new deployments)<br />
**add support for LDAP+starttls<br />
*PMG-Appliance template<br />
**Install PMG as an (unprivileged) Linux Container (e.g. in PVE)<br />
**Introduces the new 'proxmox-mailgateway-container' metapackage, which does not depend on a kernel, and results in a vastly reduced size (and fewer updates)<br />
*Improvements in Logging<br />
**pmg-smtp-filter now logs each SA-Rules score in addition to the rule names - simplifying the analysis of the spam filter's performance without the need to access the mail's source<br />
*Improvements in the WebUI's TLS configuration<br />
**pmgproxy can now be configured via '/etc/default/pmgproxy' to disable/enable certain ciphers, compression, cipher selection preference.<br />
*new command: <code>pmg-system-report</code><br />
**Provides an overview of key characteristics of PMG's setup and performance<br />
**Improves the initial diagnosis for our Enterprise support<br />
*.eml download from the (non-mobile) Quarantine Interface<br />
**Lets you download the complete source of a quarantined message in .eml format for further analysis<br />
*Add support for custom checks<br />
**Enable users to integrate their own custom check logic by providing a defined interface, which can optionally be enabled, and runs a custom check before the mail gets handed to the virus scanner and rule system.<br />
*Improvements of Blacklist/Whitelist handling in the Quarantine Interface<br />
**multiselect for removing multiple entries at once<br />
*proxmox-spamassassin<br />
**Update the shipped rulesets<br />
*PMG-Cluster: full IPv6 support<br />
*ISO works on Citrix XenServer<br />
*Documentation available via https://pmg.proxmox.com/pmg-docs<br />
*Bugfixes<br />
<br />
==Proxmox Mail Gateway 5.1==<br />
'''Released 05. October 2018'''<br />
<br />
*Allow to configure TLS policy via GUI<br />
*New 'helpdesk' role<br />
*Support SMTPUTF8 protocol feature<br />
*GUI improvements<br />
*Update Debian Stretch 9.5<br />
*Update kernel to 4.15<br />
*Bugfixes<br />
<br />
==Proxmox Mail Gateway 5.0==<br />
'''Released 23. January 2018'''<br />
<br />
*Fully licensed under the open source license AGPL<br />
*Based on Debian Stretch 9.3 with a 4.13.13 kernel<br />
*ISO installer supports all ZFS raid levels<br />
*ExtJS based user interface<br />
*New API<br />
*Integrated documentation<br />
*Subscription-based enterprise support options (similar to the Proxmox VE support subscription model)<br />
*Bug fixes<br />
<br />
== Old Releases ==<br />
*Proxmox Mail Gateway 4.1<br />
*Proxmox Mail Gateway 4.0<br />
*Proxmox Mail Gateway 3.1<br />
*Proxmox Mail Gateway 3.0<br />
*Proxmox Mail Gateway 2.6<br />
*Proxmox Mail Gateway 2.5<br />
*Proxmox Mail Gateway 2.4<br />
*Proxmox Mail Gateway 2.3<br />
*Proxmox Mail Gateway 2.2<br />
*Proxmox Mail Gateway 2.1<br />
*Proxmox Mail Gateway 2.0<br />
*Proxmox Mail Gateway 1.7<br />
*Proxmox Mail Gateway 1.6<br />
*Proxmox Mail Gateway 1.5<br />
*Proxmox Mail Gateway 1.4<br />
*Proxmox Mail Gateway 1.3<br />
*Proxmox Mail Gateway 1.2<br />
*Proxmox Mail Gateway 1.1<br />
*Proxmox Mail Gateway 1.0 (April 2005)</div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=MediaWiki:Sidebar&diff=81MediaWiki:Sidebar2021-07-15T09:23:33Z<p>Martin: </p>
<hr />
<div><br />
* navigation<br />
** mainpage|Proxmox Mail Gateway<br />
** https://pmg.proxmox.com/pmg-docs/|Documentation (current)<br />
** https://pmg.proxmox.com/pmg-docs-6/|Documentation (6.x)<br />
** https://www.proxmox.com/en/proxmox-mail-gateway/support|Get support<br />
<br />
* Sites<br />
** https://www.proxmox.com|proxmox.com<br />
** https://forum.proxmox.com|Support forum<br />
** https://bugzilla.proxmox.com|Bugtracker<br />
** https://git.proxmox.com|Source code</div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=Roadmap&diff=80Roadmap2021-07-15T08:38:14Z<p>Martin: Proxmox Mail Gateway 7.0 release</p>
<hr />
<div>=Roadmap=<br />
<br />
=Release History=<br />
See also [https://forum.proxmox.com/forums/announcements.7/ Announcement forum]<br />
<br />
== Proxmox Mail Gateway 7.0 ==<br />
'''Released 15. July 2021'''<br />
* Based on Debian Bullseye (11)<br />
* SpamAssassin 3.4.6 (with updated rule-set)<br />
* Kernel 5.11<br />
* PostgreSQL 13<br />
<br />
'''Changelog Overview'''<br />
<br />
* Enhancements in the web interface (GUI)<br />
** Make dashboard status panel more detailed, showing, among other things, uptime, kernel version, CPU info and a high level repository status overview.<br />
** New APT repository management panel in the <code>Administration</code> tab shows an in-depth status and a list of all configured repositories.<br />
**: Basic repository management, for example, activating or deactivating a repository, is also supported.<br />
** Updated ExtJS JavaScript framework to latest GPL release 7.0<br />
** Added advanced task-log filtering<br />
** Improved translations, including:<br />
*** Arabic<br />
*** French<br />
*** German<br />
*** Japanese<br />
*** Polish<br />
*** Turkish<br />
<br />
* ACME/Let's Encrypt<br />
** Support the use of wildcard domains with the DNS plugins<br />
** API: nodeconfig: validate ACME config before writing<br />
<br />
* API<br />
** pmgproxy: allow setting LISTEN_IP parameter<br />
** The "Authentication mode" setting of <code>LDAP</code> for the quarantine interface no longer contains the ticket-link in the report-mails - thus, quarantine users need to provide their LDAP credentials to access the quarantine.<br />
<br />
* Installer:<br />
** Rework the installer environment to use <code>switch_root</code> instead of <code>chroot</code>, when transitioning from initrd to the actual installer.<br />
**: This improves module and firmware loading, and slightly reduces memory usage during installation.<br />
** Automatically detect HiDPI screens, and increase console font and GUI scaling accordingly. This improves UX for workstations with Proxmox VE (for example, for passthrough).<br />
** Improve ISO detection:<br />
*** Support ISOs backed by devices using USB Attached SCSI (UAS), which modern USB3 flash drives often do.<br />
*** Linearly increase the delay of subsequent scans for a device with an ISO image, bringing the total check time from 20s to 45s. This allows for the detection of very slow devices, while continuing faster in general.<br />
** Use <code>zstd</code> compression for the initrd image and the squashfs images.<br />
** Update to busybox 1.33.1 as the core-utils provider.<br />
<br />
* libarchive-perl<br />
** The perl-bindings to <code>libarchive</code> have been updated to match <code>libarchive</code> version 3.4.3 (shipped in Debian Bullseye) - the library interface was kept backwards-compatible<br />
<br />
* libxdgmime-perl<br />
** The perl-bindings to [https://gitlab.freedesktop.org/xdg/xdgmime xdgmime] have been updated to match current upstream - the library interface was kept backwards-compatible<br />
<br />
<div id="7.0-breaking-changes"></div><br />
'''Breaking Changes'''<br />
* New default bind address for pmgproxy, unifying the default behavior with Proxmox VE and Proxmox Backup Server<br />
** In making the LISTEN_IP configurable, the daemon now binds to both wildcard addresses (IPv4 <code>0.0.0.0:8006</code> and IPv6 <code>[::]:8006</code>) by default.<br />
*: Should you wish to prevent it from listening on IPv6, simply configure the IPv4 wildcard as LISTEN_IP in <code>/etc/default/pmgproxy</code>:<br />
*: <code>LISTEN_IP="0.0.0.0"</code><br />
** Additionally, the logged IP address format changed for IPv4 in pmgproxy's access log (<code>/var/log/pmgproxy/pmgproxy.log</code>). They are now logged as IPv4-mapped IPv6 addresses. Instead of:<br />
*: <code>192.0.2.1- root@pam [01/06/2021:01:19:03 +0200] "GET /api2/json/config/ruledb/digest HTTP/1.1" 200 51</code><br />
*: the line now looks like:<br />
*: <code>::ffff:192.0.2.1- root@pam [01/06/2021:01:19:03 +0200] "GET /api2/json/config/ruledb/digest HTTP/1.1" 200 51</code><br />
*:If you want to restore the old logging format, also set <code>LISTEN_IP="0.0.0.0"</code><br />
<br />
* ClamAV has [https://blog.clamav.net/2021/04/are-you-still-attempting-to-download.html deprecated the SafeBrowsing feature]:<br />
** These options have been removed from the shipped <code>freshclam.conf.in</code> template.<br />
** The <code>safebrowsing</code> config key in <code>/etc/pmg/pmg.conf</code> is currently ignored and will be dropped at some point in the future.<br />
<br />
* Changes to the database layout:<br />
** The <code>host</code> column of the <code>cgreylist</code> table, which has not been used since Proxmox Mail Gateway 6.2, has been dropped from the schema and will be dropped from existing databases during the upgrade.<br />
<br />
* API deprecations, moves and removals<br />
** The <code>upgrade</code> parameter of the <code>/nodes/{node}/termproxy</code> API method has been replaced by providing <code>upgrade</code> as <code>cmd</code> parameter.<br />
** The <code>domain</code> parameter of the <code>/config/tlspolicy</code> API method has been replaced by the <code>destination</code> parameter.<br />
** The <code>/quarantine/whitelist/{address}</code> and <code>/quarantine/blacklist/{address}</code> API methods, that take the address as part of the path, have been deprecated in favor of explicitly providing the parameter in the request to <code>/quarantine/whitelist</code> and <code>/quarantine/blacklist</code> respectively.<br />
** The API methods for detailed statistics per e-mail address, which take the address as part of the path (<code>/statistics/contact/{contact}</code>, <code>/statistics/sender/{sender}</code> and <code>/statistics/receiver/{receiver}</code>), have been deprecated in favor of <code>/statistics/detail</code>, which takes the address as an explicit parameter.<br />
<br />
<div id="7.0-known-issues"></div><br />
'''Known Issues'''<br />
* '''Network''': Due to the updated systemd version, and for most upgrades, the newer kernel version (5.4 to 5.11), some network interfaces might change upon reboot:<br />
** Some may change their name. For example, due to newly supported functions, a change from <code>enp33s0f0</code> to <code>enp33s0f0np0</code> could occur.<br />
**: We observed such changes with high-speed Mellanox models.<br />
** [https://sources.debian.org/src/bridge-utils/1.7-1/debian/NEWS/#L3-L23 Bridge MAC address selection has changed in Debian Bullseye] - it is now generated based on the interface name and the <code>machine-id (5)</code> of the system.<br />
**: Note that by default, Proxmox Mail Gateway does not use a Linux Bridge for networking, so most setups are unaffected.<br />
* '''Machine-id''': Systems installed using the Proxmox Mail Gateway 5.0 to 5.4 ISO may have a non-unique machine-id. These systems will have their machine-id re-generated automatically on upgrade, to avoid a potentially duplicated bridge MAC and other issues.<br />
: If you do the upgrade remotely, make sure you have a backup method of connecting to the host (for example, IPMI/iKVM, tiny-pilot, another network accessible by a cluster node, or physical access), in case the network used for SSH access becomes unreachable, due to the network failing to come up after a reboot.<br />
<br />
==Proxmox Mail Gateway 6.4==<br />
'''Released 30. March 2021'''<br />
* Based on Debian Buster (10.9)<br />
* SpamAssassin 3.4.5 (with updated ruleset)<br />
* Kernel 5.4.106<br />
* ACME integration<br />
** Proxmox Mail Gateway now offers full integration of the ACME protocol via the GUI, enabling administrators to create valid and trusted certificates for their domains with the Let's Encrypt certificate authority, in the same way as with Proxmox VE.<br />
** Full support for the <code>http-01</code> and <code>dns-01</code> challenges, with all plugins from [https://github.com/acmesh-official/acme.sh acme.sh].<br />
** Easily configurable from the GUI.<br />
* General Certificate Management via the GUI<br />
** It is now possible to upload custom certificates from the web interface, or set up a cluster-wide ACME account to automatically get and renew certificates from an ACME provider.<br />
* Support for external SpamAssassin update channels (regular automated updates).<br />
** By providing a short configuration file containing a SpamAssassin rule channel's URL and GPG key, Proxmox Mail Gateway will now fetch verified updates from that channel, along with the updates from updates.spamassassin.org.<br />
** The KAM ruleset channel is now available, and a suitable configuration file is shipped with <code>proxmox-spamassassin</code>.<br />
* Improved Quarantine Management<br />
** The admin view of the Spam Quarantine can now display quarantined mail of all users at once.<br />
** All Quarantine views (admin and user) allow you to filter for subject or sender.<br />
** The spam quarantine can now process huge amounts of mails at once (> 3200).<br />
* TLS-logging improvements to the Tracking Center<br />
** The Tracking Center now shows when an outbound connection is established over TLS.<br />
* Enhancements to the Integration of Proxmox Backup Server<br />
** It is now possible to get notified about the result of a scheduled backup to a configured Proxmox Backup Server Remote.<br />
** Inclusion of the (potentially large) statistics database is now configurable per Remote.<br />
* Notable Bugfixes:<br />
** Support for '/' in the local part of an e-mail address (quarantine and statistics view).<br />
<br />
==Proxmox Mail Gateway 6.3==<br />
'''Released 19. November 2020'''<br />
<br />
* Based on Debian Buster (10.6)<br />
* Updated SpamAssassin rules<br />
* Kernel 5.4.73<br />
* Proxmox Backup Server Integration<br/>Proxmox Mail Gateway is fully supported by the new Proxmox Backup Server 1.0, released on November 11, 2020:<br />
** Backing up to multiple remote backup servers: You can define multiple remote instances of Proxmox Backup Server to store backups on. In case of a large-scale disaster, they can be quickly restored.<br />
** Scheduled Backups: You can schedule regular backups via the GUI, which will then be automatically triggered by a systemd-timer unit. This removes the need for manual backup creation and individual, scripted solutions.<br />
* Quarantine Link via login-page<br />Users can request mails containing a link to their quarantine view, if enabled by the Admin. This enables users to edit their individual blocklists, even if no mails are in their quarantine. Until now this was only possible for sites using LDAP.<br />
* Improvements to the Tracking Center<br />To further improve user experience in the tracking center, pmg-log-tracker handles certain cases better:<br />
** The case sensitivity has been removed from the search box.<br />
** In case the pmg-smtp-filter fails to process emails due to misconfiguration, they are now marked as rejected.<br />
* Notable Bugfixes:<br />
** DKIM signing now uses the longest matching domain for the 'd=' tag.<br />
** Mails held in the Attachment Quarantine are assigned a new Message-ID - fixing interoperability with certain downstream servers (for example, MS Exchange), which silently discard messages with duplicate Message-IDs.<br />
<br />
==Proxmox Mail Gateway 6.2==<br />
'''Released 28. April 2020'''<br />
<br />
* Based on Debian Buster (10.3)<br />
** Proxmox Mail Gateway is based on the latest stable release of Debian 10.3 (Buster).<br />
* SpamAssassin 3.4.4<br />
** Proxmox ships the latest upstream release of Apache SpamAssassin with an updated and enhanced ruleset (KAM rules added)<br />
* Kernel 5.4<br />
** Proxmox Mail Gateway shares the kernel with Proxmox VE and is based on the 5.4 series from Ubuntu 20.04<br />
* pmg-log-tracker in Rust<br />
** <code>pmg-log-tracker</code> has been extended and reimplemented in the Rust programming language. <code>pmg-log-tracker</code> is the binary at the core of the Message Tracking Center, providing live searchable and grouped logs in the GUI.<br />
** The new <code>pmg-log-tracker</code> has support for parsing and grouping logs in before-queue filtering mode.<br />
** The refresh of the code base of <code>pmg-log-tracker</code> provides optimized performance and more stability.<br />
<br />
* Support for before-queue filtering in the GUI<br />
** With the added support for displaying before-queue filtering logs in the GUI and fixing some minor glitches in that area, the before-queue filtering can now be comfortably enabled in the GUI.<br />
<br />
* Improved IPv6 support<br />
** The Mail Proxy's SPF checker also verifies SPF records for those remote mail servers connecting via IPv6. <br />
** Greylisting support for IPv6 addresses (with variable netmask, defaulting to '/64') - needs to be explicitly enabled.<br />
** Who-objects containing IPv6 literal address work now.<br />
<br />
* Customizable netmask length for greylist matching<br />
** Instead of fixing a greylist network to a '/24' the administrator can now configure which hosts should be considered as belonging to the same network by setting a larger (or smaller) prefix.<br />
** This can help with receiving mail from some cloud providers, who send out one mail from different IP addresses within a large network, which usually leads to a rather long delay and sometimes even to a legitimate mail being rejected.<br />
** Due to the changed database layout, partial upgrades of clusters will prevent nodes running the older version from syncing the greylist database until they are upgraded.<br />
<br />
* Better UX for the User Spam Quarantine interface<br />
** If selected in the Quarantine view, the From header and the Subject are now displayed on top of the mail body.<br />
** It is now possible to delete mail addresses containing certain special characters (for example '/') from a user's black- or whitelist.<br />
** Users can set their preferred language directly in the quarantine interface instead of having to log out to change the setting.<br />
** Fixed a bug in the selection of multiple e-mails.<br />
<br />
* Handling of changes to overridden templates with <code>ucf</code><br />
** Starting with this release, all service configuration templates copied and modified in <code>/etc/pmg/templates</code> get registered with <code>ucf</code>. Should an overridden template change with a new package version, the administrator is asked and can accept or reject the changes.<br />
** All users who have templates in <code>/etc/pmg/templates</code> will be asked about the current changes for the initial registration.<br />
<br />
* New What Object: 'Match Archive Filename'<br />
** In addition to match files in archives (zip, tar.gz, rar,...) based on the file's content-type, it is also possible to look for particular filename patterns inside of archives.<br />
** This completes the feature matrix of matching files based on content-type or filename, as plain attachments, or inside archives.<br />
<br />
* Support for downstream LMTP servers<br />
** In certain setups there is no advantage in having a dedicated SMTP server for receiving e-mails from Proxmox Mail Gateway, since all used functionality is provided by an MTA, which speaks IMAP and LMTP (e.g., Dovecot).<br />
** It is now possible to configure Proxmox Mail Gateway to send e-mails directly to an LMTP relay, both as default transport and only as transport for certain domains.<br />
<br />
* Improvements to recently added features<br />
** Before-queue filtering and DKIM signing, both implemented with Proxmox Mail Gateway 6.1, have a better user experience and are considered stable now.<br />
** Some remaining glitches and bugs fixed for both. <br />
** DKIM selector handling now copes with multiple existing selectors, and users can comfortably switch the active selector in the GUI.<br />
<br />
* TLS policy selection for internal downstream servers<br />
** It is now possible to specify a desired level of encryption and authentication for the opportunistic TLS-encryption (STARTTLS) for downstream servers entered in your transports.<br />
** This can help to ensure that your internal communication is not sent in the clear over the network. It can also be used to work around broken TLS implementations in legacy downstream servers.<br />
<br />
* Improvements to general usability<br />
** The unbounded growth of the Quarantine disk usage for non-master nodes in clustered setups is fixed.<br />
** It's now possible to switch to incremental updates of the AV signatures for ClamAV via GUI, alleviating the problem that both methods fail in certain cases for some users.<br />
==Proxmox Mail Gateway 6.1==<br />
'''Released 27. November 2019'''<br />
<br />
* Based on Debian Buster (10.2)<br />
** Proxmox Mail Gateway is based on the latest stable release of Debian 10.2 (Buster).<br />
* Updated SpamAssassin rules<br />
* Kernel 5.3<br />
** Proxmox Mail Gateway shares the kernel with Proxmox VE and is based on the 5.3 series from Ubuntu 19.10<br />
<br />
* DKIM-Signing<br />
** Support for adding DomainKeys Identified Mail (DKIM) Signatures (RFC 6376) to outbound emails<br />
** Configuration via GUI<br />
** Signing happens after processing the email with the rule system, thus ensuring that it leaves the Proxmox Mail Gateway with a valid signature<br />
** Flexible control of which domains should get signed with sensible defaults (the relay domains)<br />
** Inside a cluster, one common selector minimizes the overhead for adding required DNS entries<br />
<br />
* Attachment Quarantine<br />
** The <code>Remove Attachments</code> action can now optionally deliver the complete email to the Attachment Quarantine<br />
** The Attachment Quarantine offers a comfortable GUI for selectively downloading parts of the email for further analysis, or delivering the mail to the original recipient<br />
** Accessible only by the administrators, it offers safety from accidentally opening malicious executables, doc-files, and other attachments infected with malware<br />
<br />
* Adjustable SpamAssassin Rule Scores via GUI<br />
** Adapt the scores of individual SpamAssassin rules directly in the GUI<br />
** Enables you to adapt the scoring to your environment, thus achieving better ham/spam detection rates<br />
** Mostly for adding a bit of weight to rules, which are good indicators for Spam in your environment<br />
** Selectively disable Rules, which cause false positives for your environment<br />
<br />
* Improved handling of Configuration and Rule changes in clustered environments<br />
** The Filtering Engine gets notified about a range of configuration changes which require a reload<br />
** The notification is propagated during the cluster sync<br />
** This reduces the situations where you had to manually restart <code>pmg-smtp-filter</code><br />
<br />
* Experimental Support for Before Queue filtering<br />
** Proxmox Mail Gateway can now optionally reject an email during the SMTP dialogue, instead of accepting it and silently discarding unwanted email<br />
** This is a requirement in certain situations<br />
** By answering with a permanent failure code (<code>554</code>), there is no need to generate a Non-Delivery Report, which could cause your system to get blacklisted, due to Backscatter<br />
** Currently incompatible with the Tracking Center, thus needs to be explicitly enabled in <code>/etc/pmg/pmg.conf</code><br />
<br />
* Improvements to general usability<br />
** Clarification of ambiguously used terms in the GUI and documentation<br />
** More detailed documentation of the Service Configuration Templates<br />
** Downloading of emails larger than 2 MB as <nowiki>eml</nowiki> from the Spam Quarantine now works<br />
** API-Viewer now usable from inside every running PMG installation at https://pmg.local:8006/api-viewer/index.html or just online via https://pmg.proxmox.com/pmg-docs/api-viewer/index.html<br />
<br />
==Proxmox Mail Gateway 6.0==<br />
'''Released 27. August 2019'''<br />
<br />
*Proxmox Mail Gateway is based on the latest stable release of Debian 10.0 (Buster)<br />
*This major version update provides an easy to follow step-by-step upgrade path - https://pmg.proxmox.com/wiki/index.php/Upgrade_from_5.x_to_6.0<br />
*Rule name logging - each final action now logs the name of the rule which triggered it to the system log<br />
*The system logs get displayed faster in the GUI because they now use the Proxmox `mini-journalreader` instead of `journalctl`<br />
*ClamAV 0.101.4 (fix for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934359)<br />
*Postgres 11 (new major version backing the rule system)<br />
*OpenSSL 1.1.1c with support for TLS 1.3<br />
*Updated shipped SpamAssassin Ruleset<br />
*Countless bugfixes and improvements in the GUI labels<br />
<br />
==Proxmox Mail Gateway 5.2==<br />
'''Released 20. March 2019'''<br />
<br />
*Mobile Quarantine Interface<br />
**based on the small and modern framework7<br />
**Deliver/Delete/Whitelist/Blacklist mails in your Quarantine from your mobile device<br />
*Improvements in the LDAP integration<br />
**allow the use of FQDNs instead of IPs in the WebUI<br />
**add support for certificate verification (and enable it for new deployments)<br />
**add support for LDAP+starttls<br />
*PMG-Appliance template<br />
**Install PMG as an (unprivileged) Linux Container (e.g. in PVE)<br />
**Introduces the new 'proxmox-mailgateway-container' metapackage, which does not depend on a kernel, and results in a vastly reduced size (and fewer updates)<br />
*Improvements in Logging<br />
**pmg-smtp-filter now logs each SA rule's score in addition to the rule names - simplifying the analysis of the spam filter's performance without the need to access the mail's source<br />
*Improvements in the WebUI's TLS configuration<br />
**pmgproxy can now be configured via '/etc/default/pmgproxy' to disable/enable certain ciphers, compression, cipher selection preference.<br />
*new command: `pmg-system-report`<br />
**Provides an overview of key characteristics of PMG's setup and performance<br />
**Improves the initial diagnosis for our Enterprise support<br />
*.eml download from the (non-mobile) Quarantine Interface<br />
**Lets you download the complete source of a quarantined message in .eml format for further analysis<br />
*Add support for custom checks<br />
**Enable users to integrate their own custom check logic by providing a defined interface, which can optionally be enabled, and runs a custom check before the mail gets handed to the virus scanner and rule system.<br />
*Improvements of Blacklist/Whitelist handling in the Quarantine Interface<br />
**multiselect for removing multiple entries at once<br />
*proxmox-spamassassin<br />
**Update the shipped rulesets<br />
*PMG-Cluster: full IPv6 support<br />
*ISO works on Citrix XenServer<br />
*Documentation available via https://pmg.proxmox.com/pmg-docs<br />
*Bugfixes<br />
<br />
==Proxmox Mail Gateway 5.1==<br />
'''Released 05. October 2018'''<br />
<br />
*Allow configuring the TLS policy via the GUI<br />
*New 'helpdesk' role<br />
*Support SMTPUTF8 protocol feature<br />
*GUI improvements<br />
*Update Debian Stretch 9.5<br />
*Update kernel to 4.15<br />
*Bugfixes<br />
<br />
==Proxmox Mail Gateway 5.0==<br />
'''Released 23. January 2018'''<br />
<br />
*Fully licensed under the open source license AGPL<br />
*Based on Debian Stretch 9.3 with a 4.13.13 kernel<br />
*ISO installer supports all ZFS raid levels<br />
*ExtJS based user interface<br />
*New API<br />
*Integrated documentation<br />
*Subscription-based enterprise support options (similar to the Proxmox VE support subscription model)<br />
*Bug fixes<br />
<br />
== Old Releases ==<br />
*Proxmox Mail Gateway 4.1<br />
*Proxmox Mail Gateway 4.0<br />
*Proxmox Mail Gateway 3.1<br />
*Proxmox Mail Gateway 3.0<br />
*Proxmox Mail Gateway 2.6<br />
*Proxmox Mail Gateway 2.5<br />
*Proxmox Mail Gateway 2.4<br />
*Proxmox Mail Gateway 2.3<br />
*Proxmox Mail Gateway 2.2<br />
*Proxmox Mail Gateway 2.1<br />
*Proxmox Mail Gateway 2.0<br />
*Proxmox Mail Gateway 1.7<br />
*Proxmox Mail Gateway 1.6<br />
*Proxmox Mail Gateway 1.5<br />
*Proxmox Mail Gateway 1.4<br />
*Proxmox Mail Gateway 1.3<br />
*Proxmox Mail Gateway 1.2<br />
*Proxmox Mail Gateway 1.1<br />
*Proxmox Mail Gateway 1.0 (April 2005)</div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=Upgrade_from_6.x_to_7.0&diff=79Upgrade from 6.x to 7.02021-07-15T08:35:24Z<p>Martin: Proxmox Mail Gateway 7.0 release</p>
<hr />
<div>= Introduction =<br />
Proxmox Mail Gateway 7.x is based on the new major version of Debian (Bullseye). Carefully plan the upgrade, '''make and verify backups''' before beginning, and test extensively. Depending on the existing configuration, several manual steps — including some downtime — may be required.<br />
<br />
'''Note:''' A valid and tested backup is ''always'' required, before starting the upgrade process. Test the backup beforehand in a test lab setup.<br />
<br />
In case the system is customized and/or uses additional packages or any other third party repositories/packages, ensure those packages are also upgraded to and compatible with Debian Bullseye.<br />
<br />
In general, there are two ways to upgrade a Proxmox Mail Gateway 6.x system to Proxmox Mail Gateway 7.0:<br />
<br />
* A new installation (restoring the configuration and database from the backup)<br />
* An in-place upgrade via apt (step-by-step)<br />
<br />
In both cases, emptying the browser cache and reloading the GUI is required after the upgrade.<br />
<br />
= New Installation =<br />
<br />
* Install Proxmox Mail Gateway in one of the following three ways:<br />
** As a [https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmg_install_on_debian_container container on top of Debian Bullseye]<br />
** [https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmg_install_on_debian On top of Debian Bullseye]<br />
** By using the [https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmg_install_iso ISO image]<br />
* Restore the backup which you made before the upgrade.<br />
* Change the IP address and hostname.<br />
* For '''clustered setups''': <br />
** On the master, remove all nodes from the cluster<br />
** Upgrade the master<br />
** Set the nodes up fresh, then join them to the upgraded master-node (recreate the cluster).<br />
<br />
= In-Place Upgrade =<br />
== Preconditions ==<br />
<br />
The following actions need to be carried out from the command line.<br />
<br />
Perform the actions via console or SSH. If you use SSH you should use a terminal multiplexer (for example, tmux or screen) to ensure the upgrade can continue even if the SSH connection gets interrupted.<br />
<br />
'''Do not carry out the upgrade via the web-interface (GUI) console, as that will get interrupted during the upgrade!'''<br />
<br />
* Upgrade to the latest version of Proxmox Mail Gateway 6.4 first.<br />
apt update<br />
apt dist-upgrade<br />
<br />
* Make a valid and tested backup of Proxmox Mail Gateway. Either create and download it from the web interface, store it on your Proxmox Backup Server or create it from the CLI with:<br />
pmgbackup backup<br />
<br />
* At least 4 GiB free disk space on root mount point.<br />
* Check [[Upgrade_from_6.x_to_7.0#Potential_issues|known upgrade issues]]<br />
<br />
In-place upgrades are carried out using APT. '''Familiarity with APT is required to proceed with this upgrade mechanism. '''<br />
<br />
== Actions step-by-step ==<br />
<br />
Please first ensure that your Mail Gateway 6 system is up-to-date and that a valid backup has been created before starting the upgrade process.<br />
If you need to adapt the configuration, do this now. In case you have a cluster, wait for all config-changes to be synced to all nodes before continuing.<br />
<br />
=== For clusters ===<br />
* If you have a '''cluster''', stop and mask all cluster-daemons '''on all nodes''' before you start the upgrade of the first node.<br />
*:<pre><br />
*:: systemctl stop pmgmirror pmgtunnel<br />
*:: systemctl mask pmgmirror pmgtunnel<br />
*:</pre><br />
* Then proceed by upgrading all nodes sequentially.<br />
* The Mail Gateway service will be provided by the other nodes, which aren't currently being upgraded.<br />
* Certain operations (for example config changes) will only work once all nodes have been upgraded.<br />
<br />
=== Update the configured APT repositories ===<br />
Change the apt sources to Bullseye - see [https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmg_package_repositories Package Repositories]<br />
Update all Debian repository entries to Bullseye.<br />
<br />
sed -i 's/buster\/updates/bullseye-security/g;s/buster/bullseye/g' /etc/apt/sources.list<br />
<br />
Note that for Bullseye, Debian changed its security update repository from <code>deb http://security.debian.org buster/updates main</code> to <code>deb http://security.debian.org bullseye-security main</code> for more consistency.<br />
The above command accounts for this change already.<br />
<br />
Update the enterprise repository to Bullseye:<br />
<br />
echo "deb https://enterprise.proxmox.com/debian/pmg bullseye pmg-enterprise" > /etc/apt/sources.list.d/pmg-enterprise.list<br />
<br />
Make sure to also update any extra files that you added to <code>/etc/apt/sources.list.d/</code> to Bullseye accordingly.<br />
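The repository step above can be rehearsed on a copy before touching <code>/etc/apt</code>. The following is an added example, not part of the original guide or Proxmox tooling: it applies the same <code>sed</code> and <code>echo</code> commands to a constructed tree and lists every one-line <code>deb</code> entry that still points at Buster. The Debian mirror lines and the <code>repo.example.invalid</code> repository are constructed sample values.

```bash
#!/usr/bin/env bash
# Added example (not Proxmox code): rehearse the Buster -> Bullseye rewrite
# on a constructed copy of /etc/apt and list entries still pointing at buster.
# Assumption: repositories use the one-line "deb ..." format.

# Build a constructed APT tree in a temp dir and print its path.
make_sample_tree() {
    local dir
    dir=$(mktemp -d)
    mkdir -p "$dir/sources.list.d"
    cat > "$dir/sources.list" <<'EOF'
deb http://ftp.debian.org/debian buster main contrib
deb http://ftp.debian.org/debian buster-updates main contrib
deb http://security.debian.org buster/updates main
EOF
    echo "deb https://enterprise.proxmox.com/debian/pmg buster pmg-enterprise" \
        > "$dir/sources.list.d/pmg-enterprise.list"
    # Hypothetical third-party repository, constructed for this example.
    echo "deb https://repo.example.invalid/debian buster main" \
        > "$dir/sources.list.d/extra.list"
    printf '%s\n' "$dir"
}

# The substitution from the upgrade step, applied to the file given as $1.
rewrite_sources() {
    sed -i 's/buster\/updates/bullseye-security/g;s/buster/bullseye/g' "$1"
}

# The enterprise repository line from the upgrade step, written below tree $1.
set_enterprise_repo() {
    echo "deb https://enterprise.proxmox.com/debian/pmg bullseye pmg-enterprise" \
        > "$1/sources.list.d/pmg-enterprise.list"
}

# Print file:line:entry for every active deb/deb-src entry below tree $1 that
# still mentions buster. Returns 0 when none remain, 1 otherwise.
find_stale_entries() {
    local hits
    hits=$(grep -rnE '^[[:space:]]*deb(-src)?[[:space:]].*buster' \
        "$1/sources.list" "$1/sources.list.d" 2>/dev/null || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Rehearsal on the constructed tree: only the extra file is reported, because
# the two commands from the guide do not touch it.
tree=$(make_sample_tree)
rewrite_sources "$tree/sources.list"
set_enterprise_repo "$tree"
find_stale_entries "$tree" || echo "update the entries above before running apt update"
rm -rf "$tree"
```

On a real system, call <code>find_stale_entries /etc/apt</code> after editing the sources and before <code>apt update</code>.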
<br />
=== Stop and mask services before upgrade ===<br />
<br />
This is necessary to prevent changes to the database before and during the upgrade.<br />
<br />
* Stop postfix and all Proxmox Mail Gateway services (emails will be queued by the servers trying to contact the Proxmox Mail Gateway)<br />
systemctl stop postfix pmg-smtp-filter pmgpolicy pmgdaemon pmgproxy pmgmirror pmgtunnel<br />
* Mask postfix and all Proxmox Mail Gateway services to prevent them from starting during the upgrade<br />
systemctl mask postfix pmg-smtp-filter pmgpolicy pmgdaemon pmgproxy pmgmirror pmgtunnel<br />
<br />
=== Upgrade the system ===<br />
<br />
apt update<br />
apt dist-upgrade<br />
<br />
It is not necessary to reboot yet.<br />
<br />
=== Upgrade the PostgreSQL database ===<br />
<br />
* Before upgrading the postgres main cluster, you need to remove the automatically created cluster in the new version.<br />
pg_dropcluster --stop 13 main<br />
* Upgrade the postgres main cluster from 11 to 13, using <code>pg_upgradecluster</code><br />
** This step will need some '''time''' and enough '''free disk space''' as it will create another database containing your rules, statistics, and quarantine information.<br />
** If possible, use the default setting of dumping the old databases and restoring them, to avoid problems.<br />
pg_upgradecluster -v 13 11 main<br />
<br />
* Unmask postfix and all '''non-cluster''' Proxmox Mail Gateway services to enable them again.<br />
systemctl unmask postfix pmg-smtp-filter pmgpolicy pmgdaemon pmgproxy<br />
* Reboot and then check the journal to ensure that everything is running correctly again.<br />
<br />
reboot<br />
<br />
* Remove the old postgres version and its data:<br />
apt purge postgresql-11 postgresql-client-11<br />
<br />
== After the Proxmox Mail Gateway upgrade ==<br />
<br />
After upgrading, unmask and start all cluster-daemons on '''all nodes'''. This applies to upgrades of a single node, as well as to upgrades of all nodes in a clustered setup:<br />
systemctl unmask pmgmirror pmgtunnel<br />
systemctl start pmgmirror pmgtunnel<br />
<br />
= Known issues and deprecations =<br />
<br />
* New default bind address for pmgproxy, unifying the default behavior with Proxmox Backup Server and Proxmox VE<br />
** In making the LISTEN_IP configurable, the daemon now binds to both wildcard addresses (IPv4 <code>0.0.0.0:8006</code> and IPv6 <code>[::]:8006</code>) by default.<br />
*: Should you wish to prevent it from listening on IPv6, simply configure the IPv4 wildcard as LISTEN_IP in <code>/etc/default/pmgproxy</code>:<br />
*: <code>LISTEN_IP="0.0.0.0"</code><br />
** Additionally, the logged IP address format changed for IPv4 in pmgproxy's access log (<code>/var/log/pmgproxy/pmgproxy.log</code>). They are now logged as IPv4-mapped IPv6 addresses, so instead of:<br />
*: <code>192.168.16.68 - root@pam [10/04/2021:12:35:11 +0200] "GET /api2/json/config/ruledb/digest HTTP/1.1" 200 51</code><br />
*: the line now looks like:<br />
*: <code>::ffff:192.168.16.68 - root@pam [10/04/2021:12:35:11 +0200] "GET /api2/json/config/ruledb/digest HTTP/1.1" 200 51</code><br />
*:If you want to restore the old logging format, also set <code>LISTEN_IP="0.0.0.0"</code><br />
<br />
* The ClamAV SafeBrowsing feature was [https://blog.clamav.net/2021/04/are-you-still-attempting-to-download.html deprecated upstream some time ago]<br />
** The config option in <code>pmg.conf</code> is now considered deprecated and will be dropped with PMG 8.0.<br />
** The configuration template <code>freshclam.conf.in</code> has the relevant sections removed (rendering the configuration option useless).<br />
** If you've set the option (<code>grep safebrowsing /etc/pmg/pmg.conf</code> produces output) - please remove it.<br />
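Because of the pmgproxy access-log change listed above, anything keyed on the client address field sees the same IPv4 client under two spellings once the log spans the upgrade. The following is an added example, not Proxmox code: it strips the IPv4-mapped prefix from the client field and counts requests per client and status. The first two sample lines are the ones quoted above; the last two are constructed.

```bash
#!/usr/bin/env bash
# Added example (not Proxmox code): make pmgproxy access-log lines written
# before and after the upgrade comparable by client address.

# Strip the IPv4-mapped prefix from the leading client field only;
# genuine IPv6 clients are left untouched.
normalize_client() {
    sed -E 's/^::ffff:(([0-9]{1,3}\.){3}[0-9]{1,3}) /\1 /'
}

# Read access-log lines on stdin and print "<count> <client> <status>",
# sorted by client. The status is the second-to-last field of each line.
count_by_client_status() {
    normalize_client |
        awk '{ n[$1 " " $(NF-1)]++ } END { for (k in n) print n[k], k }' |
        LC_ALL=C sort -k2,2 -k3,3
}

# Sample input. Lines 1-2 are quoted from the text above; lines 3-4 are
# constructed for this example.
sample_log() {
    cat <<'EOF'
192.168.16.68 - root@pam [10/04/2021:12:35:11 +0200] "GET /api2/json/config/ruledb/digest HTTP/1.1" 200 51
::ffff:192.168.16.68 - root@pam [10/04/2021:12:35:11 +0200] "GET /api2/json/config/ruledb/digest HTTP/1.1" 200 51
::ffff:192.168.16.70 - - [10/04/2021:12:36:02 +0200] "GET /api2/json/config/ruledb/digest HTTP/1.1" 401 0
2001:db8::10 - root@pam [10/04/2021:12:36:40 +0200] "GET /api2/json/config/ruledb/digest HTTP/1.1" 200 51
EOF
}

# Both spellings of 192.168.16.68 end up in one bucket.
sample_log | count_by_client_status
```

To process the real log, feed <code>/var/log/pmgproxy/pmgproxy.log</code> to <code>count_by_client_status</code> on standard input.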
<br />
= Potential issues =<br />
<br />
== General ==<br />
<br />
As a Debian-based distribution, Proxmox Mail Gateway is affected by most issues and changes affecting Debian.<br />
Thus, make sure to read the [https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html upgrade specific issues for Bullseye].<br />
<br />
== non-usr-merged layouts ==<br />
Most Proxmox Mail Gateway installations still have /bin and /usr/bin as separate directories - this is deprecated as of Debian Bullseye/11 and will become unsupported in Debian Bookworm/12.<br />
<br />
See [https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#deprecated-components Deprecated Components] for migration instructions.<br />
<br />
Usually creating a backup of the system and installing the <code>usrmerge</code> package is all that is needed.<br />
<br />
== External links ==<br />
<br />
[https://www.debian.org/releases/bullseye/amd64/release-notes/ Release Notes for Debian 11.0 (bullseye), 64-bit PC]</div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=Main_Page&diff=78Main Page2021-07-15T08:33:41Z<p>Martin: /* Installation */</p>
<hr />
<div>__NOTOC__<br />
<TABLE><br />
<tr valign=top><br />
<td><br />
<br />
'''Proxmox Mail Gateway''' is an open-source email security platform based on Debian GNU/Linux. It protects your mail server from spam, viruses, trojans and phishing emails. The full featured mail proxy is deployed between the firewall and the internal mail server and lets you control all incoming and outgoing email traffic from a single platform with a central web-based management interface. Proxmox Mail Gateway is open-source software, licensed under the GNU AGPL, v3. <br />
<br />
The project is developed and maintained by [https://www.proxmox.com/en/ Proxmox Server Solutions GmbH].<br />
<br />
For an overview of the Proxmox Mail Gateway key features see the [https://www.proxmox.com/en/proxmox-mail-gateway/features Proxmox website].<br />
<br />
=Download=<br />
[https://www.proxmox.com/downloads Download] the latest ISO image files.<br />
<br />
Alternate download: http://download.proxmox.com/iso<br />
<br />
=Installation=<br />
<br />
The installation medium (CD or USB) is a complete operating system, including everything you need to install and run Proxmox Mail Gateway in only a few minutes. It can be installed bare-metal on dedicated hardware or in a virtual machine on all leading virtualization platforms. You can also install it on top of an existing Debian installation.<br />
<br />
'''Installing'''<br />
<br />
[https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_installation Installation of Proxmox Mail Gateway]<br />
<br />
[[Getting started with Proxmox Mail Gateway]]<br />
<br />
'''Upgrading'''<br />
<br />
[[Upgrade_from_5.x_to_6.0|Upgrade from Proxmox Mail Gateway 5.x to 6.0]]<br />
<br />
[[Upgrade_from_6.x_to_7.0|Upgrade from Proxmox Mail Gateway 6.x to 7.0]]<br />
<br />
=Documentation=<br />
The Proxmox Mail Gateway documentation is freely available in different formats such as HTML, PDF or EPUB, see [https://pmg.proxmox.com/pmg-docs/ Proxmox Mail Gateway Reference Documentation]. You can also access the documentation via the management interface of your Proxmox Mail Gateway installation by clicking on the contextual help buttons.<br />
<br />
The developer documentation explains how to get involved in the development process of the Proxmox Mail Gateway, see [[Developer Documentation]]<br />
<br />
=Release History and Roadmap=<br />
Take a look at the [[Roadmap]] for existing and upcoming features.<br />
<br />
=Video Tutorials=<br />
To get an overview of the Proxmox Mail Gateway, we regularly publish video tutorials on our website, see https://www.proxmox.com/training/video-tutorials.<br />
<br />
</td><br />
<td><br />
[[Image:Proxmox-Mail-Gateway-Statistics.png|thumb|300px|rightthumb|Proxmox Mail Gateway Statistics]]<br />
</td><br />
</tr><br />
</TABLE><br />
<br />
</div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=File:Proxmox-Mail-Gateway-Statistics.png&diff=77File:Proxmox-Mail-Gateway-Statistics.png2021-07-15T08:31:54Z<p>Martin: Martin uploaded a new version of File:Proxmox-Mail-Gateway-Statistics.png</p>
<hr />
<div></div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=Roadmap&diff=70Roadmap2021-03-30T08:06:23Z<p>Martin: 6.4 release</p>
<hr />
<div>=Roadmap=<br />
<br />
=Release History=<br />
See also [https://forum.proxmox.com/forums/announcements.7/ Announcement forum]<br />
<br />
==Proxmox Mail Gateway 6.4==<br />
'''Released 30. March 2021'''<br />
* Based on Debian Buster (10.9)<br />
* SpamAssassin 3.4.5 (with updated ruleset)<br />
* Kernel 5.4.106<br />
* ACME integration<br />
** Proxmox Mail Gateway now offers full integration of the ACME protocol via the GUI, enabling administrators to create valid and trusted certificates for their domains with the Let's Encrypt certificate authority, in the same way as with Proxmox VE.<br />
** Full support for the <code>http-01</code> and <code>dns-01</code> challenges, with all plugins from [https://github.com/acmesh-official/acme.sh acme.sh].<br />
** Easily configurable from the GUI.<br />
* General Certificate Management via the GUI<br />
** It is now possible to upload custom certificates from the web interface, or set up a cluster-wide ACME account to automatically get and renew certificates from an ACME provider.<br />
* Support for external SpamAssassin update channels (regular automated updates).<br />
** By providing a short configuration file containing a SpamAssassin rule channel's URL and GPG key, Proxmox Mail Gateway will now fetch verified updates from that channel, along with the updates from updates.spamassassin.org.<br />
** The KAM ruleset channel is now available, and a suitable configuration file is shipped with <code>proxmox-spamassassin</code>.<br />
* Improved Quarantine Management<br />
** The admin view of the Spam Quarantine can now display quarantined mail of all users at once.<br />
** All Quarantine views (admin and user) allow you to filter for subject or sender.<br />
** The spam quarantine can now process huge amounts of mails at once (> 3200).<br />
* TLS-logging improvements to the Tracking Center<br />
** The Tracking Center now shows when an outbound connection is established over TLS.<br />
* Enhancements to the Integration of Proxmox Backup Server<br />
** It is now possible to get notified about the result of a scheduled backup to a configured Proxmox Backup Server Remote.<br />
** Inclusion of the (potentially large) statistics database is now configurable per Remote.<br />
* Notable Bugfixes:<br />
** Support for '/' in the local part of an e-mail address (quarantine and statistics view).<br />
<br />
==Proxmox Mail Gateway 6.3==<br />
'''Released 19. November 2020'''<br />
<br />
* Based on Debian Buster (10.6)<br />
* Updated SpamAssassin rules<br />
* Kernel 5.4.73<br />
* Proxmox Backup Server Integration<br/>Proxmox Mail Gateway is fully supported by the new Proxmox Backup Server 1.0, released on November 11, 2020:<br />
** Backing up to multiple remote backup servers: You can define multiple remote instances of Proxmox Backup Server to store backups on. In case of a large-scale disaster, they can be quickly restored.<br />
** Scheduled Backups: You can schedule regular backups via the GUI, which will then be automatically triggered by a systemd-timer unit. This removes the need for manual backup creation and individual, scripted solutions.<br />
* Quarantine Link via login-page<br />Users can request mails containing a link to their quarantine view, if enabled by the Admin. This enables users to edit their individual blocklists, even if no mails are in their quarantine. Until now this was only possible for sites using LDAP.<br />
* Improvements to the Tracking Center<br />To further improve user experience in the tracking center, pmg-log-tracker handles certain cases better:<br />
** The case sensitivity has been removed from the search box.<br />
** In case the pmg-smtp-filter fails to process emails due to misconfiguration, they are now marked as rejected.<br />
* Notable Bugfixes:<br />
** DKIM signing now uses the longest matching domain for the 'd=' tag.<br />
** Mails held in the Attachment Quarantine are assigned a new Message-ID - fixing interoperability with certain downstream servers (for example, MS Exchange), which silently discard messages with duplicate Message-IDs.<br />
<br />
==Proxmox Mail Gateway 6.2==<br />
'''Released 28. April 2020'''<br />
<br />
* Based on Debian Buster (10.3)<br />
** Proxmox Mail Gateway is based on the latest stable release of Debian 10.3 (Buster).<br />
* SpamAssassin 3.4.4<br />
** Proxmox ships the latest upstream release of Apache SpamAssassin with an updated and enhanced ruleset (KAM rules added)<br />
* Kernel 5.4<br />
** Proxmox Mail Gateway shares the kernel with Proxmox VE and is based on the 5.4 series from Ubuntu 20.04<br />
* pmg-log-tracker in Rust<br />
** <code>pmg-log-tracker</code> has been extended and reimplemented in the Rust programming language. <code>pmg-log-tracker</code> is the binary at the core of the Message Tracking Center, providing live searchable and grouped logs in the GUI.<br />
** The new <code>pmg-log-tracker</code> has support for parsing and grouping logs in before-queue filtering mode.<br />
** The refresh of the code base of <code>pmg-log-tracker</code> provides an optimized performance and more stability.<br />
<br />
* Support for before-queue filtering in the GUI<br />
** With the added support for displaying before-queue filtering logs in the GUI and fixing some minor glitches in that area, the before-queue filtering can now be comfortably enabled in the GUI.<br />
<br />
* Improved IPv6 support<br />
** The Mail Proxy's SPF checker also verifies SPF records for those remote mail servers connecting via IPv6. <br />
** Greylisting support for IPv6 addresses (with variable netmask, defaulting to '/64') - needs to be explicitly enabled.<br />
** Who-objects containing IPv6 literal addresses work now.<br />
<br />
* Customizable netmask length for greylist matching<br />
** Instead of fixing a greylist network to a '/24' the administrator can now configure which hosts should be considered as belonging to the same network by setting a larger (or smaller) prefix.<br />
** This can help with receiving mail from some cloud providers, who send out one mail from different IP addresses within a large network, which usually leads to a rather long delay and sometimes even to a legitimate mail being rejected.<br />
** Due to the changed database layout partial upgrades of clusters will prevent nodes running the older version from syncing the greylist database until they are upgraded.<br />
<br />
* Better UX for the User Spam Quarantine interface<br />
** If selected in the Quarantine view, the From header and the Subject are now displayed on top of the mail body.<br />
** It is now possible to delete mail addresses containing certain special characters (for example '/') from a user's black- or whitelist.<br />
** Users can set their preferred language directly in the quarantine interface instead of having to log out to change the setting.<br />
** Fixed a bug in the selection of multiple e-mails.<br />
<br />
* Handling of changes to overridden templates with <code>ucf</code><br />
** Starting with this release, all service configuration templates copied and modified in <code>/etc/pmg/templates</code> get registered with <code>ucf</code>. Should an overridden template change with a new package version, the administrator is asked and can accept or reject the changes.<br />
** All users who have templates in <code>/etc/pmg/templates</code> will be asked about the current changes for the initial registration.<br />
<br />
* New What Object: 'Match Archive Filename'<br />
** In addition to matching files in archives (zip, tar.gz, rar,...) based on the file's content-type, it is also possible to look for particular filename patterns inside of archives.<br />
** This completes the feature matrix of matching files based on content-type or filename, as plain attachments, or inside archives.<br />
<br />
* Support for downstream LMTP servers<br />
** In certain setups there is no advantage in having a dedicated SMTP server for receiving e-mails from Proxmox Mail Gateway, since all used functionality is provided by an MTA, which speaks IMAP and LMTP (e.g., Dovecot).<br />
** It is now possible to configure Proxmox Mail Gateway to send e-mails directly to an LMTP relay, both as default transport and only as transport for certain domains.<br />
<br />
* Improvements to recently added features<br />
** Before-queue filtering and DKIM signing, both implemented with Proxmox Mail Gateway 6.1, have a better user experience and are considered stable now.<br />
** Some remaining glitches and bugs fixed for both. <br />
** DKIM selector handling can handle the existence of multiple selectors and in the GUI, users can comfortably switch between the active selector.<br />
<br />
* TLS policy selection for internal downstream servers<br />
** It is now possible to specify a desired level of encryption and authentication for the opportunistic TLS-encryption (STARTTLS) for downstream servers entered in your transports.<br />
** This can help to ensure that your internal communication is not sent in the clear over the network. It can also be used to work around broken TLS implementations in legacy downstream servers.<br />
<br />
* Improvements to general usability<br />
** The unbounded growth of the Quarantine disk usage for non-master nodes in clustered setups is fixed.<br />
** It's now possible to switch to incremental updates of the AV signatures for ClamAV via GUI, alleviating the problem that both methods fail in certain cases for some users.<br />
<br />
==Proxmox Mail Gateway 6.1==<br />
'''Released 27. November 2019'''<br />
<br />
* Based on Debian Buster (10.2)<br />
** Proxmox Mail Gateway is based on the latest stable release of Debian 10.2 (Buster).<br />
* Updated SpamAssassin rules<br />
* Kernel 5.3<br />
** Proxmox Mail Gateway shares the kernel with Proxmox VE and is based on the 5.3 series from Ubuntu 19.10<br />
<br />
* DKIM-Signing<br />
** Support for adding DomainKeys Identified Mail (DKIM) Signatures (RFC 6376) to outbound emails<br />
** Configuration via GUI<br />
** Signing happens after processing the email with the rule system, thus ensuring that it leaves the Proxmox Mail Gateway with a valid signature<br />
** Flexible control of which domains should get signed with sensible defaults (the relay domains)<br />
** Inside a cluster, one common selector minimizes the overhead for adding required DNS entries<br />
<br />
* Attachment Quarantine<br />
** The <code>Remove Attachments</code> action can now optionally deliver the complete email to the Attachment Quarantine<br />
** The Attachment Quarantine offers a comfortable GUI for selectively downloading parts of the email for further analysis, or delivering the mail to the original recipient<br />
** Accessible only by the administrators, it offers safety from accidentally opening malicious executables, doc-files, and other attachments infected with malware<br />
<br />
* Adjustable SpamAssassin Rule Scores via GUI<br />
** Adapt the scores of individual SpamAssassin rules directly in the GUI<br />
** Enables you to adapt the scoring to your environment, thus achieving better ham/spam detection rates<br />
** Mostly for adding a bit of weight to rules, which are good indicators for Spam in your environment<br />
** Selectively disable Rules, which cause false positives for your environment<br />
<br />
* Improved handling of Configuration and Rule changes in clustered environments<br />
** The Filtering Engine gets notified about a range of configuration changes which require a reload<br />
** The notification is propagated during the cluster sync<br />
** This reduces the situations where you had to manually restart <code>pmg-smtp-filter</code><br />
<br />
* Experimental Support for Before Queue filtering<br />
** Proxmox Mail Gateway can now optionally reject an email during the SMTP dialogue, instead of accepting it and silently discarding unwanted email<br />
** This is a requirement in certain situations<br />
** By answering with a permanent failure code (<code>554</code>), there is no need to generate a Non-Delivery Report, which could cause your system to get blacklisted, due to Backscatter<br />
** Currently incompatible with the Tracking Center, thus needs to be explicitly enabled in <code>/etc/pmg/pmg.conf</code><br />
<br />
* Improvements to general usability<br />
** Clarification of ambiguously used terms in the GUI and documentation<br />
** More detailed documentation of the Service Configuration Templates<br />
** Downloading of emails larger than 2 MB as <nowiki>eml</nowiki> from the Spam Quarantine now works<br />
** API-Viewer now usable from inside every running PMG installation at https://pmg.local:8006/api-viewer/index.html or just online via https://pmg.proxmox.com/pmg-docs/api-viewer/index.html<br />
<br />
==Proxmox Mail Gateway 6.0==<br />
'''Released 27. August 2019'''<br />
<br />
*Proxmox Mail Gateway is based on the latest stable release of Debian 10.0 (Buster)<br />
*This major version update provides an easy to follow step-by-step upgrade path - https://pmg.proxmox.com/wiki/index.php/Upgrade_from_5.x_to_6.0<br />
*Rule name logging - each final action now logs the name of the rule which triggered it to the system log<br />
*The system logs get displayed faster in the GUI because they now use the Proxmox <code>mini-journalreader</code> instead of <code>journalctl</code><br />
*ClamAV 0.101.4 (fix for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934359)<br />
*Postgres 11 (new major version backing the rule system)<br />
*OpenSSL 1.1.1c with support for TLS 1.3<br />
*Updated shipped SpamAssassin Ruleset<br />
*Countless bugfixes and improvements in the GUI labels<br />
<br />
==Proxmox Mail Gateway 5.2==<br />
'''Released 20. March 2019'''<br />
<br />
*Mobile Quarantine Interface<br />
**based on the small and modern framework7<br />
**Deliver/Delete/Whitelist/Blacklist mails in your Quarantine from your mobile device<br />
*Improvements in the LDAP integration<br />
**allow the use of FQDNs instead of IPs in the WebUI<br />
**add support for certificate verification (and enable it for new deployments)<br />
**add support for LDAP+starttls<br />
*PMG-Appliance template<br />
**Install PMG as an (unprivileged) Linux Container (e.g. in PVE)<br />
**Introduces the new 'proxmox-mailgateway-container' metapackage, which does not depend on a kernel, and results in a vastly reduced size (and fewer updates)<br />
*Improvements in Logging<br />
**pmg-smtp-filter now logs each SA-Rules score in addition to the rule names - simplifying the analysis of the spam filter's performance without the need to access the mail's source<br />
*Improvements in the WebUI's TLS configuration<br />
**pmgproxy can now be configured via '/etc/default/pmgproxy' to disable/enable certain ciphers, compression, and cipher selection preference.<br />
*New command: <code>pmg-system-report</code><br />
**Provides an overview of key characteristics of PMG's setup and performance<br />
**Improves the initial diagnosis for our Enterprise support<br />
*.eml download from the (non-mobile) Quarantine Interface<br />
**Lets you download the complete source of a quarantined message in .eml format for further analysis<br />
*Add support for custom checks<br />
**Enable users to integrate their own custom check logic by providing a defined interface, which can optionally be enabled, and runs a custom check before the mail gets handed to the virus scanner and rule system.<br />
*Improvements of Blacklist/Whitelist handling in the Quarantine Interface<br />
**multiselect for removing multiple entries at once<br />
*proxmox-spamassassin<br />
**Update the shipped rulesets<br />
*PMG-Cluster: full IPv6 support<br />
*ISO works on Citrix XenServer<br />
*Documentation available via https://pmg.proxmox.com/pmg-docs<br />
*Bugfixes<br />
<br />
==Proxmox Mail Gateway 5.1==<br />
'''Released 05. October 2018'''<br />
<br />
*Allow configuring the TLS policy via GUI<br />
*New 'helpdesk' role<br />
*Support SMTPUTF8 protocol feature<br />
*GUI improvements<br />
*Update Debian Stretch 9.5<br />
*Update kernel to 4.15<br />
*Bugfixes<br />
<br />
==Proxmox Mail Gateway 5.0==<br />
'''Released 23. January 2018'''<br />
<br />
*Fully licensed under the open source license AGPL<br />
*Based on Debian Stretch 9.3 with a 4.13.13 kernel<br />
*ISO installer supports all ZFS raid levels<br />
*ExtJS based user interface<br />
*New API<br />
*Integrated documentation<br />
*Subscription-based enterprise support options (similar to the Proxmox VE support subscription model)<br />
*Bug fixes<br />
<br />
== Old Releases ==<br />
*Proxmox Mail Gateway 4.1<br />
*Proxmox Mail Gateway 4.0<br />
*Proxmox Mail Gateway 3.1<br />
*Proxmox Mail Gateway 3.0<br />
*Proxmox Mail Gateway 2.6<br />
*Proxmox Mail Gateway 2.5<br />
*Proxmox Mail Gateway 2.4<br />
*Proxmox Mail Gateway 2.3<br />
*Proxmox Mail Gateway 2.2<br />
*Proxmox Mail Gateway 2.1<br />
*Proxmox Mail Gateway 2.0<br />
*Proxmox Mail Gateway 1.7<br />
*Proxmox Mail Gateway 1.6<br />
*Proxmox Mail Gateway 1.5<br />
*Proxmox Mail Gateway 1.4<br />
*Proxmox Mail Gateway 1.3<br />
*Proxmox Mail Gateway 1.2<br />
*Proxmox Mail Gateway 1.1<br />
*Proxmox Mail Gateway 1.0 (April 2005)</div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=File:Proxmox-Mail-Gateway-Statistics.png&diff=69File:Proxmox-Mail-Gateway-Statistics.png2020-11-19T10:34:00Z<p>Martin: </p>
<hr />
<div></div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=Main_Page&diff=68Main Page2020-11-19T10:33:26Z<p>Martin: </p>
<hr />
<div>__NOTOC__<br />
<TABLE><br />
<tr valign=top><br />
<td><br />
<br />
'''Proxmox Mail Gateway''' is an open-source email security platform based on Debian GNU/Linux. It protects your mail server from spam, viruses, trojans and phishing emails. The full-featured mail proxy is deployed between the firewall and the internal mail server and allows you to control all incoming and outgoing email traffic from a single platform with a central web-based management interface. Proxmox Mail Gateway is open-source software, licensed under the GNU AGPL, v3.<br />
<br />
The project is developed and maintained by [https://www.proxmox.com/en/ Proxmox Server Solutions GmbH].<br />
<br />
For an overview of the Proxmox Mail Gateway key features see the [https://www.proxmox.com/en/proxmox-mail-gateway/features Proxmox website].<br />
<br />
=Download=<br />
[https://www.proxmox.com/downloads Download] the latest ISO image files.<br />
<br />
Alternate download: http://download.proxmox.com/iso<br />
<br />
=Installation=<br />
<br />
The installation medium (CD or USB) is a complete operating system, including everything you need to install and run Proxmox Mail Gateway in only a few minutes. It can be installed bare-metal on dedicated hardware or in a virtual machine on all leading virtualization platforms. You can also install it on top of an existing Debian installation.<br />
<br />
'''Installing'''<br />
<br />
[https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_installation Installation of Proxmox Mail Gateway]<br />
<br />
[[Getting started with Proxmox Mail Gateway]]<br />
<br />
'''Upgrading'''<br />
<br />
[[Upgrade_from_5.x_to_6.0|Upgrade from Proxmox Mail Gateway 5.x to 6.0]]<br />
<br />
=Documentation=<br />
The Proxmox Mail Gateway documentation is freely available in different formats such as HTML, PDF or EPUB, see [https://pmg.proxmox.com/pmg-docs/ Proxmox Mail Gateway Reference Documentation]. You can also access the documentation via the management interface of your Proxmox Mail Gateway installation by clicking on the contextual help buttons.<br />
<br />
The developer documentation explains how to get involved in the development process of the Proxmox Mail Gateway, see [[Developer Documentation]]<br />
<br />
=Release History and Roadmap=<br />
Take a look at the [[Roadmap]] for existing and upcoming features.<br />
<br />
=Video Tutorials=<br />
To get an overview of the Proxmox Mail Gateway, we regularly publish video tutorials on our website, see https://www.proxmox.com/training/video-tutorials.<br />
<br />
</td><br />
<td><br />
[[Image:Proxmox-Mail-Gateway-Statistics.png|thumb|300px|rightthumb|Proxmox Mail Gateway Statistics]]<br />
</td><br />
</tr><br />
</TABLE><br />
<br />
<!-- T.r.a.p <a href="mailto:user2@test.proxmox.org">do not use this address</a> --></div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=File:Proxmox-Mail-Gateway.png&diff=67File:Proxmox-Mail-Gateway.png2020-11-19T10:32:06Z<p>Martin: </p>
<hr />
<div></div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=Main_Page&diff=66Main Page2020-11-19T10:31:41Z<p>Martin: </p>
<hr />
<div>__NOTOC__<br />
<TABLE><br />
<tr valign=top><br />
<td><br />
<br />
'''Proxmox Mail Gateway''' is an open-source email security platform based on Debian GNU/Linux. It protects your mail server from spam, viruses, trojans and phishing emails. The full-featured mail proxy is deployed between the firewall and the internal mail server and allows you to control all incoming and outgoing email traffic from a single platform with a central web-based management interface. Proxmox Mail Gateway is open-source software, licensed under the GNU AGPL, v3.<br />
<br />
The project is developed and maintained by [https://www.proxmox.com/en/ Proxmox Server Solutions GmbH].<br />
<br />
For an overview of the Proxmox Mail Gateway key features see the [https://www.proxmox.com/en/proxmox-mail-gateway/features Proxmox website].<br />
<br />
=Download=<br />
[https://www.proxmox.com/downloads Download] the latest ISO image files.<br />
<br />
Alternate download: http://download.proxmox.com/iso<br />
<br />
=Installation=<br />
<br />
The installation medium (CD or USB) is a complete operating system, including everything you need to install and run Proxmox Mail Gateway in only a few minutes. It can be installed bare-metal on dedicated hardware or in a virtual machine on all leading virtualization platforms. You can also install it on top of an existing Debian installation.<br />
<br />
'''Installing'''<br />
<br />
[https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_installation Installation of Proxmox Mail Gateway]<br />
<br />
[[Getting started with Proxmox Mail Gateway]]<br />
<br />
'''Upgrading'''<br />
<br />
[[Upgrade_from_5.x_to_6.0|Upgrade from Proxmox Mail Gateway 5.x to 6.0]]<br />
<br />
=Documentation=<br />
The Proxmox Mail Gateway documentation is freely available in different formats such as HTML, PDF or EPUB, see [https://pmg.proxmox.com/pmg-docs/ Proxmox Mail Gateway Reference Documentation]. You can also access the documentation via the management interface of your Proxmox Mail Gateway installation by clicking on the contextual help buttons.<br />
<br />
The developer documentation explains how to get involved in the development process of the Proxmox Mail Gateway, see [[Developer Documentation]]<br />
<br />
=Release History and Roadmap=<br />
Take a look at the [[Roadmap]] for existing and upcoming features.<br />
<br />
=Video Tutorials=<br />
To get an overview of the Proxmox Mail Gateway, we regularly publish video tutorials on our website, see https://www.proxmox.com/training/video-tutorials.<br />
<br />
</td><br />
<td><br />
[[Image:Proxmox-Mail-Gateway.png|thumb|300px|rightthumb|Proxmox Mail Gateway Statistics]]<br />
</td><br />
</tr><br />
</TABLE><br />
<br />
<!-- T.r.a.p <a href="mailto:user2@test.proxmox.org">do not use this address</a> --></div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=Roadmap&diff=65Roadmap2020-11-19T10:09:58Z<p>Martin: /* Proxmox Mail Gateway 5.0 */</p>
<hr />
<div>=Roadmap=<br />
<br />
=Release History=<br />
See also [https://forum.proxmox.com/forums/announcements.7/ Announcement forum]<br />
<br />
==Proxmox Mail Gateway 6.3==<br />
'''Released 19. November 2020'''<br />
<br />
* Based on Debian Buster (10.6)<br />
* Updated SpamAssassin rules<br />
* Kernel 5.4.73<br />
* Proxmox Backup Server Integration<br/>Proxmox Mail Gateway is fully supported by the new Proxmox Backup Server 1.0, released on November 11, 2020:<br />
** Backing up to multiple remote backup servers: You can define multiple remote instances of Proxmox Backup Server to store backups on. In case of a large-scale disaster, they can be quickly restored.<br />
** Scheduled Backups: You can schedule regular backups via the GUI, which will then be automatically triggered by a systemd-timer unit. This removes the need for manual backup creation and individual, scripted solutions.<br />
* Quarantine Link via login-page<br />Users can request mails containing a link to their quarantine view, if enabled by the Admin. This enables users to edit their individual blocklists, even if no mails are in their quarantine. Until now this was only possible for sites using LDAP.<br />
* Improvements to the Tracking Center<br />To further improve user experience in the tracking center, pmg-log-tracker handles certain cases better:<br />
** The case sensitivity has been removed from the search box.<br />
** In case the pmg-smtp-filter fails to process emails due to misconfiguration, they are now marked as rejected.<br />
* Notable Bugfixes:<br />
** DKIM signing now uses the longest matching domain for the 'd=' tag.<br />
** Mails held in the Attachment Quarantine are assigned a new Message-ID - fixing interoperability with certain downstream servers (for example, MS Exchange), which silently discard messages with duplicate Message-IDs.<br />
<br />
==Proxmox Mail Gateway 6.2==<br />
'''Released 28. April 2020'''<br />
<br />
* Based on Debian Buster (10.3)<br />
** Proxmox Mail Gateway is based on the latest stable release of Debian 10.3 (Buster).<br />
* SpamAssassin 3.4.4<br />
** Proxmox ships the latest upstream release of Apache SpamAssassin with an updated and enhanced ruleset (KAM rules added)<br />
* Kernel 5.4<br />
** Proxmox Mail Gateway shares the kernel with Proxmox VE and is based on the 5.4 series from Ubuntu 20.04<br />
* pmg-log-tracker in Rust<br />
** <code>pmg-log-tracker</code> has been extended and reimplemented in the Rust programming language. <code>pmg-log-tracker</code> is the binary at the core of the Message Tracking Center, providing live searchable and grouped logs in the GUI.<br />
** The new <code>pmg-log-tracker</code> has support for parsing and grouping logs in before-queue filtering mode.<br />
** The refresh of the code base of <code>pmg-log-tracker</code> provides an optimized performance and more stability.<br />
<br />
* Support for before-queue filtering in the GUI<br />
** With the added support for displaying before-queue filtering logs in the GUI and fixing some minor glitches in that area, the before-queue filtering can now be comfortably enabled in the GUI.<br />
<br />
* Improved IPv6 support<br />
** The Mail Proxy's SPF checker also verifies SPF records for those remote mail servers connecting via IPv6. <br />
** Greylisting support for IPv6 addresses (with variable netmask, defaulting to '/64') - needs to be explicitly enabled.<br />
** Who-objects containing IPv6 literal addresses work now.<br />
<br />
* Customizable netmask length for greylist matching<br />
** Instead of fixing a greylist network to a '/24' the administrator can now configure which hosts should be considered as belonging to the same network by setting a larger (or smaller) prefix.<br />
** This can help with receiving mail from some cloud providers, who send out one mail from different IP addresses within a large network, which usually leads to a rather long delay and sometimes even to a legitimate mail being rejected.<br />
** Due to the changed database layout partial upgrades of clusters will prevent nodes running the older version from syncing the greylist database until they are upgraded.<br />
<br />
* Better UX for the User Spam Quarantine interface<br />
** If selected in the Quarantine view, the From header and the Subject are now displayed on top of the mail body.<br />
** It is now possible to delete mail addresses containing certain special characters (for example '/') from a user's black- or whitelist.<br />
** Users can set their preferred language directly in the quarantine interface instead of having to log out to change the setting.<br />
** Fixed a bug in the selection of multiple e-mails.<br />
<br />
* Handling of changes to overridden templates with <code>ucf</code><br />
** Starting with this release, all service configuration templates copied and modified in <code>/etc/pmg/templates</code> get registered with <code>ucf</code>. Should an overridden template change with a new package version, the administrator is asked and can accept or reject the changes.<br />
** All users who have templates in <code>/etc/pmg/templates</code> will be asked about the current changes for the initial registration.<br />
<br />
* New What Object: 'Match Archive Filename'<br />
** In addition to matching files in archives (zip, tar.gz, rar,...) based on the file's content-type, it is also possible to look for particular filename patterns inside of archives.<br />
** This completes the feature matrix of matching files based on content-type or filename, as plain attachments, or inside archives.<br />
<br />
* Support for downstream LMTP servers<br />
** In certain setups there is no advantage in having a dedicated SMTP server for receiving e-mails from Proxmox Mail Gateway, since all used functionality is provided by an MTA, which speaks IMAP and LMTP (e.g., Dovecot).<br />
** It is now possible to configure Proxmox Mail Gateway to send e-mails directly to an LMTP relay, both as default transport and only as transport for certain domains.<br />
<br />
* Improvements to recently added features<br />
** Before-queue filtering and DKIM signing, both implemented with Proxmox Mail Gateway 6.1, have a better user experience and are considered stable now.<br />
** Some remaining glitches and bugs fixed for both. <br />
** DKIM selector handling can handle the existence of multiple selectors and in the GUI, users can comfortably switch between the active selector.<br />
<br />
* TLS policy selection for internal downstream servers<br />
** It is now possible to specify a desired level of encryption and authentication for the opportunistic TLS-encryption (STARTTLS) for downstream servers entered in your transports.<br />
** This can help to ensure that your internal communication is not sent in the clear over the network. It can also be used to work around broken TLS implementations in legacy downstream servers.<br />
<br />
* Improvements to general usability<br />
** The unbounded growth of the Quarantine disk usage for non-master nodes in clustered setups is fixed.<br />
** It's now possible to switch to incremental updates of the AV signatures for ClamAV via GUI, alleviating the problem that both methods fail in certain cases for some users.<br />
<br />
==Proxmox Mail Gateway 6.1==<br />
'''Released 27. November 2019'''<br />
<br />
* Based on Debian Buster (10.2)<br />
** Proxmox Mail Gateway is based on the latest stable release of Debian 10.2 (Buster).<br />
* Updated SpamAssassin rules<br />
* Kernel 5.3<br />
** Proxmox Mail Gateway shares the kernel with Proxmox VE and is based on the 5.3 series from Ubuntu 19.10<br />
<br />
* DKIM-Signing<br />
** Support for adding DomainKeys Identified Mail (DKIM) Signatures (RFC 6376) to outbound emails<br />
** Configuration via GUI<br />
** Signing happens after processing the email with the rule system, thus ensuring that it leaves the Proxmox Mail Gateway with a valid signature<br />
** Flexible control of which domains should get signed with sensible defaults (the relay domains)<br />
** Inside a cluster, one common selector minimizes the overhead for adding required DNS entries<br />
<br />
* Attachment Quarantine<br />
** The <code>Remove Attachments</code> action can now optionally deliver the complete email to the Attachment Quarantine<br />
** The Attachment Quarantine offers a comfortable GUI for selectively downloading parts of the email for further analysis, or delivering the mail to the original recipient<br />
** Accessible only by the administrators, it offers safety from accidentally opening malicious executables, doc-files, and other attachments infected with malware<br />
<br />
* Adjustable SpamAssassin Rule Scores via GUI<br />
** Adapt the scores of individual SpamAssassin rules directly in the GUI<br />
** Enables you to adapt the scoring to your environment, thus achieving better ham/spam detection rates<br />
** Mostly for adding a bit of weight to rules, which are good indicators for Spam in your environment<br />
** Selectively disable Rules, which cause false positives for your environment<br />
<br />
* Improved handling of Configuration and Rule changes in clustered environments<br />
** The Filtering Engine gets notified about a range of configuration changes which require a reload<br />
** The notification is propagated during the cluster sync<br />
** This reduces the situations where you had to manually restart <code>pmg-smtp-filter</code><br />
<br />
* Experimental Support for Before Queue filtering<br />
** Proxmox Mail Gateway can now optionally reject an email during the SMTP dialogue, instead of accepting it and silently discarding unwanted email<br />
** This is a requirement in certain situations<br />
** By answering with a permanent failure code (<code>554</code>), there is no need to generate a Non-Delivery Report, which could cause your system to get blacklisted, due to Backscatter<br />
** Currently incompatible with the Tracking Center, thus needs to be explicitly enabled in <code>/etc/pmg/pmg.conf</code><br />
<br />
* Improvements to general usability<br />
** Clarification of ambiguously used terms in the GUI and documentation<br />
** More detailed documentation of the Service Configuration Templates<br />
** Downloading of emails larger than 2 MB as <nowiki>eml</nowiki> from the Spam Quarantine now works<br />
** API-Viewer now usable from inside every running PMG installation at https://pmg.local:8006/api-viewer/index.html or just online via https://pmg.proxmox.com/pmg-docs/api-viewer/index.html<br />
<br />
==Proxmox Mail Gateway 6.0==<br />
'''Released 27. August 2019'''<br />
<br />
*Proxmox Mail Gateway is based on the latest stable release of Debian 10.0 (Buster)<br />
*This major version update provides an easy to follow step-by-step upgrade path - https://pmg.proxmox.com/wiki/index.php/Upgrade_from_5.x_to_6.0<br />
*Rule name logging - each final action now logs the name of the rule which triggered it to the system log<br />
*The system logs get displayed faster in the GUI because they now use the Proxmox <code>mini-journalreader</code> instead of <code>journalctl</code><br />
*ClamAV 0.101.4 (fix for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934359)<br />
*Postgres 11 (new major version backing the rule system)<br />
*OpenSSL 1.1.1c with support for TLS 1.3<br />
*Updated shipped SpamAssassin Ruleset<br />
*Countless bugfixes and improvements in the GUI labels<br />
<br />
==Proxmox Mail Gateway 5.2==<br />
'''Released 20. March 2019'''<br />
<br />
*Mobile Quarantine Interface<br />
**based on the small and modern framework7<br />
**Deliver/Delete/Whitelist/Blacklist mails in your Quarantine from your mobile device<br />
*Improvements in the LDAP integration<br />
**allow the use of FQDNs instead of IPs in the WebUI<br />
**add support for certificate verification (and enable it for new deployments)<br />
**add support for LDAP+starttls<br />
*PMG-Appliance template<br />
**Install PMG as an (unprivileged) Linux Container (e.g. in PVE)<br />
**Introduces the new 'proxmox-mailgateway-container' metapackage, which does not depend on a kernel, and results in a vastly reduced size (and fewer updates)<br />
*Improvements in Logging<br />
**pmg-smtp-filter now logs each SA-Rules score in addition to the rule names - simplifying the analysis of the spam filter's performance without the need to access the mail's source<br />
*Improvements in the WebUI's TLS configuration<br />
*pmgproxy can now be configured via '/etc/default/pmgproxy' to disable/enable certain ciphers, compression, cipher selection preference.<br />
*new command: `pmg-system-report`<br />
**Provides an overview of key characteristics of PMG's setup and performance<br />
**Improves the initial diagnosis for our Enterprise support<br />
*.eml download from the (non-mobile) Quarantine Interface<br />
**Lets you download the complete source of a quarantined message in .eml format for further analysis<br />
*Add support for custom checks<br />
**Enable users to integrate their own custom check logic by providing a defined interface, which can optionally be enabled, and runs a custom check before the mail gets handed to the virus scanner and rule system.<br />
*Improvements of Blacklist/Whitelist handling in the Quarantine Interface<br />
**multiselect for removing multiple entries at once<br />
*proxmox-spamassassin<br />
**Update the shipped rulesets<br />
*PMG-Cluster: full IPv6 support<br />
*ISO works on Citrix XenServer<br />
*Documentation available via https://pmg.proxmox.com/pmg-docs<br />
*Bugfixes<br />
<br />
==Proxmox Mail Gateway 5.1==<br />
'''Released 05. October 2018'''<br />
<br />
*Allow to configure TLS policy via GUI<br />
*New 'helpdesk' role<br />
*Support SMTPUTF8 protocol feature<br />
*GUI improvements<br />
*Update Debian Stretch 9.5<br />
*Update kernel to 4.15<br />
*Bugfixes<br />
<br />
==Proxmox Mail Gateway 5.0==<br />
'''Released 23. January 2018'''<br />
<br />
*Fully licensed under the open source license AGPL<br />
*Based on Debian Stretch 9.3 with a 4.13.13 kernel<br />
*ISO installer supports all ZFS raid levels<br />
*ExtJS based user interface<br />
*New API<br />
*Integrated documentation<br />
*Subscription-based enterprise support options (similar to the Proxmox VE support subscription model)<br />
*Bug fixes<br />
<br />
== Old Releases ==<br />
*Proxmox Mail Gateway 4.1<br />
*Proxmox Mail Gateway 4.0<br />
*Proxmox Mail Gateway 3.1<br />
*Proxmox Mail Gateway 3.0<br />
*Proxmox Mail Gateway 2.6<br />
*Proxmox Mail Gateway 2.5<br />
*Proxmox Mail Gateway 2.4<br />
*Proxmox Mail Gateway 2.3<br />
*Proxmox Mail Gateway 2.2<br />
*Proxmox Mail Gateway 2.1<br />
*Proxmox Mail Gateway 2.0<br />
*Proxmox Mail Gateway 1.7<br />
*Proxmox Mail Gateway 1.6<br />
*Proxmox Mail Gateway 1.5<br />
*Proxmox Mail Gateway 1.4<br />
*Proxmox Mail Gateway 1.3<br />
*Proxmox Mail Gateway 1.2<br />
*Proxmox Mail Gateway 1.1<br />
*Proxmox Mail Gateway 1.0 (April 2005)</div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=Roadmap&diff=64Roadmap2020-11-19T10:09:46Z<p>Martin: /* Proxmox Mail Gateway 5.1 */</p>
<hr />
<div>=Roadmap=<br />
<br />
=Release History=<br />
See also [https://forum.proxmox.com/forums/announcements.7/ Announcement forum]<br />
<br />
==Proxmox Mail Gateway 6.3==<br />
'''Released 19. November 2020'''<br />
<br />
* Based on Debian Buster (10.6)<br />
* Updated SpamAssassin rules<br />
* Kernel 5.4.73<br />
* Proxmox Backup Server Integration<br/>Proxmox Mail Gateway is fully supported by the new Proxmox Backup Server 1.0, released on November 11, 2020:<br />
** Backing up to multiple remote backup servers: You can define multiple remote instances of Proxmox Backup Server to store backups on. In case of a large-scale disaster, they can be quickly restored.<br />
** Scheduled Backups: You can schedule regular backups via the GUI, which will then be automatically triggered by a systemd-timer unit. This removes the need for manual backup creation and individual, scripted solutions.<br />
* Quarantine Link via login-page<br />Users can request mails containing a link to their quarantine view, if enabled by the Admin. This enables users to edit their individual blocklists, even if no mails are in their quarantine. Until now this was only possible for sites using LDAP.<br />
* Improvements to the Tracking Center<br />To further improve user experience in the tracking center, pmg-log-tracker handles certain cases better:<br />
** The case sensitivity has been removed from the search box.<br />
** In case the pmg-smtp-filter fails to process emails due to misconfiguration, they are now marked as rejected.<br />
* Notable Bugfixes:<br />
** DKIM signing now uses the longest matching domain for the 'd=' tag.<br />
** Mails held in the Attachment Quarantine are assigned a new Message-ID - fixing interoperability with certain downstream servers (for example, MS Exchange), which silently discard messages with duplicate Message-IDs.<br />
<br />
==Proxmox Mail Gateway 6.2==<br />
'''Released 28. April 2020'''<br />
<br />
* Based on Debian Buster (10.3)<br />
** Proxmox Mail Gateway is based on the latest stable release of Debian 10.3 (Buster).<br />
* SpamAssassin 3.4.4<br />
** Proxmox ships the latest upstream release of Apache SpamAssassin with an updated and enhanced ruleset (KAM rules added)<br />
* Kernel 5.4<br />
** Proxmox Mail Gateway shares the kernel with Proxmox VE and is based on the 5.4 series from Ubuntu 20.04<br />
* pmg-log-tracker in Rust<br />
** <code>pmg-log-tracker</code> has been extended and reimplemented in the Rust programming language. <code>pmg-log-tracker</code> is the binary at the core of the Message Tracking Center, providing live searchable and grouped logs in the GUI.<br />
** The new <code>pmg-log-tracker</code> has support for parsing and grouping logs in before-queue filtering mode.<br />
** The refresh of the code base of <code>pmg-log-tracker</code> provides an optimized performance and more stability.<br />
<br />
* Support for before-queue filtering in the GUI<br />
** With the added support for displaying before-queue filtering logs in the GUI and fixing some minor glitches in that area, the before-queue filtering can now be comfortably enabled in the GUI.<br />
<br />
* Improved IPv6 support<br />
** The Mail Proxy's SPF checker also verifies SPF records for those remote mail servers connecting via IPv6. <br />
** Greylisting support for IPv6 addresses (with variable netmask, defaulting to '/64') - needs to be explicitly enabled.<br />
** Who-objects containing IPv6 literal addresses work now.<br />
<br />
* Customizable netmask length for greylist matching<br />
** Instead of fixing a greylist network to a '/24' the administrator can now configure which hosts should be considered as belonging to the same network by setting a larger (or smaller) prefix.<br />
** This can help with receiving mail from some cloud-providers, who send out one mail from different IP addresses within a large network, which usually leads to a rather long delay and sometimes even to a legitimate mail being rejected.<br />
** Due to the changed database layout partial upgrades of clusters will prevent nodes running the older version from syncing the greylist database until they are upgraded.<br />
<br />
* Better UX for the User Spam Quarantine interface<br />
** If selected in the Quarantine view, the From header and the Subject are now displayed on top of the mail body.<br />
** It is now possible to delete mail addresses containing certain special characters (for example '/') from a user's black- or whitelist.<br />
** Users can set their preferred language directly in the quarantine interface instead of having to log out to change the setting.<br />
** Fixed a bug in the selection of multiple e-mails.<br />
<br />
* Handling of changes to overridden templates with <code>ucf</code><br />
** Starting with this release all service configuration templates, copied and modified in <code>/etc/pmg/templates</code>, get registered with <code>ucf</code>. Should an overridden template change with a new package version, the administrator is asked and can accept or reject the changes.<br />
** All users who have templates in <code>/etc/pmg/templates</code> will be asked about the current changes for the initial registration.<br />
<br />
* New What Object: 'Match Archive Filename'<br />
** In addition to matching files in archives (zip, tar.gz, rar,...) based on the file's content-type, it is also possible to look for particular filename patterns inside of archives.<br />
** This completes the feature matrix of matching files based on content-type or filename, as plain attachments, or inside archives.<br />
<br />
* Support for downstream LMTP servers<br />
** In certain setups there is no advantage in having a dedicated SMTP server for receiving e-mails from Proxmox Mail Gateway, since all used functionality is provided by an MTA, which speaks IMAP and LMTP (e.g., Dovecot).<br />
** It is now possible to configure Proxmox Mail Gateway to send e-mails directly to an LMTP relay, both as default transport and only as transport for certain domains.<br />
<br />
* Improvements to recently added features<br />
** Before-queue filtering and DKIM signing, both implemented with Proxmox Mail Gateway 6.1, have a better user experience and are considered stable now.<br />
** Some remaining glitches and bugs fixed for both. <br />
** DKIM selector handling can handle the existence of multiple selectors and in the GUI, users can comfortably switch between the active selector.<br />
<br />
* TLS policy selection for internal downstream servers<br />
** It is now possible to specify a desired level of encryption and authentication for the opportunistic TLS-encryption (STARTTLS) for downstream servers entered in your transports.<br />
** This can help to ensure that your internal communication is not sent in the clear over the network. It can also be used to work around broken TLS implementations in legacy downstream servers.<br />
<br />
* Improvements to general usability<br />
** The unbounded growth of the Quarantine disk usage for non-master nodes in clustered setups is fixed.<br />
** It's now possible to switch to incremental updates of the AV signatures for ClamAV via GUI, alleviating the problem that both methods fail in certain cases for some users.<br />
==Proxmox Mail Gateway 6.1==<br />
'''Released 27. November 2019'''<br />
<br />
* Based on Debian Buster (10.2)<br />
** Proxmox Mail Gateway is based on the latest stable release of Debian 10.2 (Buster).<br />
* Updated SpamAssassin rules<br />
* Kernel 5.3<br />
** Proxmox Mail Gateway shares the kernel with Proxmox VE and is based on the 5.3 series from Ubuntu 19.10<br />
<br />
* DKIM-Signing<br />
** Support for adding DomainKeys Identified Mail (DKIM) Signatures (RFC 6376) to outbound emails<br />
** Configuration via GUI<br />
** Signing happens after processing the email with the rule system, thus ensuring that it leaves the Proxmox Mail Gateway with a valid signature<br />
** Flexible control of which domains should get signed with sensible defaults (the relay domains)<br />
** Inside a cluster, one common selector minimizes the overhead for adding required DNS entries<br />
<br />
* Attachment Quarantine<br />
** The <code>Remove Attachments</code> action can now optionally deliver the complete email to the Attachment Quarantine<br />
** The Attachment Quarantine offers a comfortable GUI for selectively downloading parts of the email for further analysis, or delivering the mail to the original recipient<br />
** Accessible only by the administrators, it offers safety from accidentally opening malicious executables, doc-files, and other attachments infected with malware<br />
<br />
* Adjustable SpamAssassin Rule Scores via GUI<br />
** Adapt the scores of individual SpamAssassin rules directly in the GUI<br />
** Enables you to adapt the scoring to your environment, thus achieving better ham/spam detection rates<br />
** Mostly for adding a bit of weight to rules, which are good indicators for Spam in your environment<br />
** Selectively disable Rules, which cause false positives for your environment<br />
<br />
* Improved handling of Configuration and Rule changes in clustered environments<br />
** The Filtering Engine gets notified about a range of configuration changes which require a reload<br />
** The notification is propagated during the cluster sync<br />
** This reduces the situations where you had to manually restart <code>pmg-smtp-filter</code><br />
<br />
* Experimental Support for Before Queue filtering<br />
** Proxmox Mail Gateway can now optionally reject an email during the SMTP dialogue, instead of accepting it and silently discarding unwanted email<br />
** This is a requirement in certain situations<br />
** By answering with a permanent failure code (<code>554</code>), there is no need to generate a Non-Delivery Report, which could cause your system to get blacklisted, due to Backscatter<br />
** Currently incompatible with the Tracking Center, thus needs to be explicitly enabled in <code>/etc/pmg/pmg.conf</code><br />
<br />
* Improvements to general usability<br />
** Clarification of ambiguously used terms in the GUI and documentation<br />
** More detailed documentation of the Service Configuration Templates<br />
** Downloading of emails larger than 2 MB as <nowiki>eml</nowiki> from the Spam Quarantine now works<br />
** API-Viewer now usable from inside every running PMG installation at https://pmg.local:8006/api-viewer/index.html or just online via https://pmg.proxmox.com/pmg-docs/api-viewer/index.html<br />
<br />
==Proxmox Mail Gateway 6.0==<br />
'''Released 27. August 2019'''<br />
<br />
*Proxmox Mail Gateway is based on the latest stable release of Debian 10.0 (Buster)<br />
*This major version update provides an easy to follow step-by-step upgrade path - https://pmg.proxmox.com/wiki/index.php/Upgrade_from_5.x_to_6.0<br />
*Rule name logging - each final action now logs the name of the rule which triggered it to the system log<br />
*The system logs get displayed faster in the GUI because they now use the Proxmox `mini-journalreader` instead of `journalctl`<br />
*ClamAV 0.101.4 (fix for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934359)<br />
*Postgres 11 (new major version backing the rule system)<br />
*OpenSSL 1.1.1c with support for TLS 1.3<br />
*Updated shipped SpamAssassin Ruleset<br />
*Countless bugfixes and improvements in the GUI labels<br />
<br />
==Proxmox Mail Gateway 5.2==<br />
'''Released 20. March 2019'''<br />
<br />
*Mobile Quarantine Interface<br />
**based on the small and modern framework7<br />
**Deliver/Delete/Whitelist/Blacklist mails in your Quarantine from your mobile device<br />
*Improvements in the LDAP integration<br />
**allow the use of FQDNs instead of IPs in the WebUI<br />
**add support for certificate verification (and enable it for new deployments)<br />
**add support for LDAP+starttls<br />
*PMG-Appliance template<br />
**Install PMG as an (unprivileged) Linux Container (e.g. in PVE)<br />
**Introduces the new 'proxmox-mailgateway-container' metapackage, which does not depend on a kernel, and results in a vastly reduced size (and fewer updates)<br />
*Improvements in Logging<br />
**pmg-smtp-filter now logs each SA-Rules score in addition to the rule names - simplifying the analysis of the spam filter's performance without the need to access the mail's source<br />
*Improvements in the WebUI's TLS configuration<br />
*pmgproxy can now be configured via '/etc/default/pmgproxy' to disable/enable certain ciphers, compression, cipher selection preference.<br />
*new command: `pmg-system-report`<br />
**Provides an overview of key characteristics of PMG's setup and performance<br />
**Improves the initial diagnosis for our Enterprise support<br />
*.eml download from the (non-mobile) Quarantine Interface<br />
**Lets you download the complete source of a quarantined message in .eml format for further analysis<br />
*Add support for custom checks<br />
**Enable users to integrate their own custom check logic by providing a defined interface, which can optionally be enabled, and runs a custom check before the mail gets handed to the virus scanner and rule system.<br />
*Improvements of Blacklist/Whitelist handling in the Quarantine Interface<br />
**multiselect for removing multiple entries at once<br />
*proxmox-spamassassin<br />
**Update the shipped rulesets<br />
*PMG-Cluster: full IPv6 support<br />
*ISO works on Citrix XenServer<br />
*Documentation available via https://pmg.proxmox.com/pmg-docs<br />
*Bugfixes<br />
<br />
==Proxmox Mail Gateway 5.1==<br />
'''Released 05. October 2018'''<br />
<br />
*Allow to configure TLS policy via GUI<br />
*New 'helpdesk' role<br />
*Support SMTPUTF8 protocol feature<br />
*GUI improvements<br />
*Update Debian Stretch 9.5<br />
*Update kernel to 4.15<br />
*Bugfixes<br />
<br />
==Proxmox Mail Gateway 5.0==<br />
'''Released 23.01.2018'''<br />
<br />
*Fully licensed under the open source license AGPL<br />
*Based on Debian Stretch 9.3 with a 4.13.13 kernel<br />
*ISO installer supports all ZFS raid levels<br />
*ExtJS based user interface<br />
*New API<br />
*Integrated documentation<br />
*Subscription-based enterprise support options (similar to the Proxmox VE support subscription model)<br />
*Bug fixes<br />
<br />
== Old Releases ==<br />
*Proxmox Mail Gateway 4.1<br />
*Proxmox Mail Gateway 4.0<br />
*Proxmox Mail Gateway 3.1<br />
*Proxmox Mail Gateway 3.0<br />
*Proxmox Mail Gateway 2.6<br />
*Proxmox Mail Gateway 2.5<br />
*Proxmox Mail Gateway 2.4<br />
*Proxmox Mail Gateway 2.3<br />
*Proxmox Mail Gateway 2.2<br />
*Proxmox Mail Gateway 2.1<br />
*Proxmox Mail Gateway 2.0<br />
*Proxmox Mail Gateway 1.7<br />
*Proxmox Mail Gateway 1.6<br />
*Proxmox Mail Gateway 1.5<br />
*Proxmox Mail Gateway 1.4<br />
*Proxmox Mail Gateway 1.3<br />
*Proxmox Mail Gateway 1.2<br />
*Proxmox Mail Gateway 1.1<br />
*Proxmox Mail Gateway 1.0 (April 2005)</div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=Roadmap&diff=63Roadmap2020-11-19T10:09:34Z<p>Martin: /* Proxmox Mail Gateway 5.2 */</p>
<hr />
<div>=Roadmap=<br />
<br />
=Release History=<br />
See also [https://forum.proxmox.com/forums/announcements.7/ Announcement forum]<br />
<br />
==Proxmox Mail Gateway 6.3==<br />
'''Released 19. November 2020'''<br />
<br />
* Based on Debian Buster (10.6)<br />
* Updated SpamAssassin rules<br />
* Kernel 5.4.73<br />
* Proxmox Backup Server Integration<br/>Proxmox Mail Gateway is fully supported by the new Proxmox Backup Server 1.0, released on November 11, 2020:<br />
** Backing up to multiple remote backup servers: You can define multiple remote instances of Proxmox Backup Server to store backups on. In case of a large-scale disaster, they can be quickly restored.<br />
** Scheduled Backups: You can schedule regular backups via the GUI, which will then be automatically triggered by a systemd-timer unit. This removes the need for manual backup creation and individual, scripted solutions.<br />
* Quarantine Link via login-page<br />Users can request mails containing a link to their quarantine view, if enabled by the Admin. This enables users to edit their individual blocklists, even if no mails are in their quarantine. Until now this was only possible for sites using LDAP.<br />
* Improvements to the Tracking Center<br />To further improve user experience in the tracking center, pmg-log-tracker handles certain cases better:<br />
** The case sensitivity has been removed from the search box.<br />
** In case the pmg-smtp-filter fails to process emails due to misconfiguration, they are now marked as rejected.<br />
* Notable Bugfixes:<br />
** DKIM signing now uses the longest matching domain for the 'd=' tag.<br />
** Mails held in the Attachment Quarantine are assigned a new Message-ID - fixing interoperability with certain downstream servers (for example, MS Exchange), which silently discard messages with duplicate Message-IDs.<br />
<br />
==Proxmox Mail Gateway 6.2==<br />
'''Released 28. April 2020'''<br />
<br />
* Based on Debian Buster (10.3)<br />
** Proxmox Mail Gateway is based on the latest stable release of Debian 10.3 (Buster).<br />
* SpamAssassin 3.4.4<br />
** Proxmox ships the latest upstream release of Apache SpamAssassin with an updated and enhanced ruleset (KAM rules added)<br />
* Kernel 5.4<br />
** Proxmox Mail Gateway shares the kernel with Proxmox VE and is based on the 5.4 series from Ubuntu 20.04<br />
* pmg-log-tracker in Rust<br />
** <code>pmg-log-tracker</code> has been extended and reimplemented in the Rust programming language. <code>pmg-log-tracker</code> is the binary at the core of the Message Tracking Center, providing live searchable and grouped logs in the GUI.<br />
** The new <code>pmg-log-tracker</code> has support for parsing and grouping logs in before-queue filtering mode.<br />
** The refresh of the code base of <code>pmg-log-tracker</code> provides an optimized performance and more stability.<br />
<br />
* Support for before-queue filtering in the GUI<br />
** With the added support for displaying before-queue filtering logs in the GUI and fixing some minor glitches in that area, the before-queue filtering can now be comfortably enabled in the GUI.<br />
<br />
* Improved IPv6 support<br />
** The Mail Proxy's SPF checker also verifies SPF records for those remote mail servers connecting via IPv6. <br />
** Greylisting support for IPv6 addresses (with variable netmask, defaulting to '/64') - needs to be explicitly enabled.<br />
** Who-objects containing IPv6 literal addresses work now.<br />
<br />
* Customizable netmask length for greylist matching<br />
** Instead of fixing a greylist network to a '/24' the administrator can now configure which hosts should be considered as belonging to the same network by setting a larger (or smaller) prefix.<br />
** This can help with receiving mail from some cloud-providers, who send out one mail from different IP addresses within a large network, which usually leads to a rather long delay and sometimes even to a legitimate mail being rejected.<br />
** Due to the changed database layout partial upgrades of clusters will prevent nodes running the older version from syncing the greylist database until they are upgraded.<br />
<br />
* Better UX for the User Spam Quarantine interface<br />
** If selected in the Quarantine view, the From header and the Subject are now displayed on top of the mail body.<br />
** It is now possible to delete mail addresses containing certain special characters (for example '/') from a user's black- or whitelist.<br />
** Users can set their preferred language directly in the quarantine interface instead of having to log out to change the setting.<br />
** Fixed a bug in the selection of multiple e-mails.<br />
<br />
* Handling of changes to overridden templates with <code>ucf</code><br />
** Starting with this release all service configuration templates, copied and modified in <code>/etc/pmg/templates</code>, get registered with <code>ucf</code>. Should an overridden template change with a new package version, the administrator is asked and can accept or reject the changes.<br />
** All users who have templates in <code>/etc/pmg/templates</code> will be asked about the current changes for the initial registration.<br />
<br />
* New What Object: 'Match Archive Filename'<br />
** In addition to matching files in archives (zip, tar.gz, rar,...) based on the file's content-type, it is also possible to look for particular filename patterns inside of archives.<br />
** This completes the feature matrix of matching files based on content-type or filename, as plain attachments, or inside archives.<br />
<br />
* Support for downstream LMTP servers<br />
** In certain setups there is no advantage in having a dedicated SMTP server for receiving e-mails from Proxmox Mail Gateway, since all used functionality is provided by an MTA, which speaks IMAP and LMTP (e.g., Dovecot).<br />
** It is now possible to configure Proxmox Mail Gateway to send e-mails directly to an LMTP relay, both as default transport and only as transport for certain domains.<br />
<br />
* Improvements to recently added features<br />
** Before-queue filtering and DKIM signing, both implemented with Proxmox Mail Gateway 6.1, have a better user experience and are considered stable now.<br />
** Some remaining glitches and bugs fixed for both. <br />
** DKIM selector handling can handle the existence of multiple selectors and in the GUI, users can comfortably switch between the active selector.<br />
<br />
* TLS policy selection for internal downstream servers<br />
** It is now possible to specify a desired level of encryption and authentication for the opportunistic TLS-encryption (STARTTLS) for downstream servers entered in your transports.<br />
** This can help to ensure that your internal communication is not sent in the clear over the network. It can also be used to work around broken TLS implementations in legacy downstream servers.<br />
<br />
* Improvements to general usability<br />
** The unbounded growth of the Quarantine disk usage for non-master nodes in clustered setups is fixed.<br />
** It's now possible to switch to incremental updates of the AV signatures for ClamAV via GUI, alleviating the problem that both methods fail in certain cases for some users.<br />
==Proxmox Mail Gateway 6.1==<br />
'''Released 27. November 2019'''<br />
<br />
* Based on Debian Buster (10.2)<br />
** Proxmox Mail Gateway is based on the latest stable release of Debian 10.2 (Buster).<br />
* Updated SpamAssassin rules<br />
* Kernel 5.3<br />
** Proxmox Mail Gateway shares the kernel with Proxmox VE and is based on the 5.3 series from Ubuntu 19.10<br />
<br />
* DKIM-Signing<br />
** Support for adding DomainKeys Identified Mail (DKIM) Signatures (RFC 6376) to outbound emails<br />
** Configuration via GUI<br />
** Signing happens after processing the email with the rule system, thus ensuring that it leaves the Proxmox Mail Gateway with a valid signature<br />
** Flexible control of which domains should get signed with sensible defaults (the relay domains)<br />
** Inside a cluster, one common selector minimizes the overhead for adding required DNS entries<br />
<br />
* Attachment Quarantine<br />
** The <code>Remove Attachments</code> action can now optionally deliver the complete email to the Attachment Quarantine<br />
** The Attachment Quarantine offers a comfortable GUI for selectively downloading parts of the email for further analysis, or delivering the mail to the original recipient<br />
** Accessible only by the administrators, it offers safety from accidentally opening malicious executables, doc-files, and other attachments infected with malware<br />
<br />
* Adjustable SpamAssassin Rule Scores via GUI<br />
** Adapt the scores of individual SpamAssassin rules directly in the GUI<br />
** Enables you to adapt the scoring to your environment, thus achieving better ham/spam detection rates<br />
** Mostly for adding a bit of weight to rules, which are good indicators for Spam in your environment<br />
** Selectively disable Rules, which cause false positives for your environment<br />
<br />
* Improved handling of Configuration and Rule changes in clustered environments<br />
** The Filtering Engine gets notified about a range of configuration changes which require a reload<br />
** The notification is propagated during the cluster sync<br />
** This reduces the situations where you had to manually restart <code>pmg-smtp-filter</code><br />
<br />
* Experimental Support for Before Queue filtering<br />
** Proxmox Mail Gateway can now optionally reject an email during the SMTP dialogue, instead of accepting it and silently discarding unwanted email<br />
** This is a requirement in certain situations<br />
** By answering with a permanent failure code (<code>554</code>), there is no need to generate a Non-Delivery Report, which could cause your system to get blacklisted, due to Backscatter<br />
** Currently incompatible with the Tracking Center, thus needs to be explicitly enabled in <code>/etc/pmg/pmg.conf</code><br />
<br />
* Improvements to general usability<br />
** Clarification of ambiguously used terms in the GUI and documentation<br />
** More detailed documentation of the Service Configuration Templates<br />
** Downloading of emails larger than 2 MB as <nowiki>eml</nowiki> from the Spam Quarantine now works<br />
** API-Viewer now usable from inside every running PMG installation at https://pmg.local:8006/api-viewer/index.html or just online via https://pmg.proxmox.com/pmg-docs/api-viewer/index.html<br />
<br />
==Proxmox Mail Gateway 6.0==<br />
'''Released 27. August 2019'''<br />
<br />
*Proxmox Mail Gateway is based on the latest stable release of Debian 10.0 (Buster)<br />
*This major version update provides an easy to follow step-by-step upgrade path - https://pmg.proxmox.com/wiki/index.php/Upgrade_from_5.x_to_6.0<br />
*Rule name logging - each final action now logs the name of the rule which triggered it to the system log<br />
*The system logs get displayed faster in the GUI because they now use the Proxmox `mini-journalreader` instead of `journalctl`<br />
*ClamAV 0.101.4 (fix for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934359)<br />
*Postgres 11 (new major version backing the rule system)<br />
*OpenSSL 1.1.1c with support for TLS 1.3<br />
*Updated shipped SpamAssassin Ruleset<br />
*Countless bugfixes and improvements in the GUI labels<br />
<br />
==Proxmox Mail Gateway 5.2==<br />
'''Released 20. March 2019'''<br />
<br />
*Mobile Quarantine Interface<br />
**based on the small and modern framework7<br />
**Deliver/Delete/Whitelist/Blacklist mails in your Quarantine from your mobile device<br />
*Improvements in the LDAP integration<br />
**allow the use of FQDNs instead of IPs in the WebUI<br />
**add support for certificate verification (and enable it for new deployments)<br />
**add support for LDAP+starttls<br />
*PMG-Appliance template<br />
**Install PMG as an (unprivileged) Linux Container (e.g. in PVE)<br />
**Introduces the new 'proxmox-mailgateway-container' metapackage, which does not depend on a kernel, and results in a vastly reduced size (and fewer updates)<br />
*Improvements in Logging<br />
**pmg-smtp-filter now logs each SA-Rules score in addition to the rule names - simplifying the analysis of the spam filter's performance without the need to access the mail's source<br />
*Improvements in the WebUI's TLS configuration<br />
*pmgproxy can now be configured via '/etc/default/pmgproxy' to disable/enable certain ciphers, compression, cipher selection preference.<br />
*new command: `pmg-system-report`<br />
**Provides an overview of key characteristics of PMG's setup and performance<br />
**Improves the initial diagnosis for our Enterprise support<br />
*.eml download from the (non-mobile) Quarantine Interface<br />
**Lets you download the complete source of a quarantined message in .eml format for further analysis<br />
*Add support for custom checks<br />
**Enable users to integrate their own custom check logic by providing a defined interface, which can optionally be enabled, and runs a custom check before the mail gets handed to the virus scanner and rule system.<br />
*Improvements of Blacklist/Whitelist handling in the Quarantine Interface<br />
**multiselect for removing multiple entries at once<br />
*proxmox-spamassassin<br />
**Update the shipped rulesets<br />
*PMG-Cluster: full IPv6 support<br />
*ISO works on Citrix XenServer<br />
*Documentation available via https://pmg.proxmox.com/pmg-docs<br />
*Bugfixes<br />
<br />
==Proxmox Mail Gateway 5.1==<br />
'''Released 05.10.2018'''<br />
<br />
*Allow to configure TLS policy via GUI<br />
*New 'helpdesk' role<br />
*Support SMTPUTF8 protocol feature<br />
*GUI improvements<br />
*Update Debian Stretch 9.5<br />
*Update kernel to 4.15<br />
*Bugfixes<br />
<br />
==Proxmox Mail Gateway 5.0==<br />
'''Released 23.01.2018'''<br />
<br />
*Fully licensed under the open source license AGPL<br />
*Based on Debian Stretch 9.3 with a 4.13.13 kernel<br />
*ISO installer supports all ZFS raid levels<br />
*ExtJS based user interface<br />
*New API<br />
*Integrated documentation<br />
*Subscription-based enterprise support options (similar to the Proxmox VE support subscription model)<br />
*Bug fixes<br />
<br />
== Old Releases ==<br />
*Proxmox Mail Gateway 4.1<br />
*Proxmox Mail Gateway 4.0<br />
*Proxmox Mail Gateway 3.1<br />
*Proxmox Mail Gateway 3.0<br />
*Proxmox Mail Gateway 2.6<br />
*Proxmox Mail Gateway 2.5<br />
*Proxmox Mail Gateway 2.4<br />
*Proxmox Mail Gateway 2.3<br />
*Proxmox Mail Gateway 2.2<br />
*Proxmox Mail Gateway 2.1<br />
*Proxmox Mail Gateway 2.0<br />
*Proxmox Mail Gateway 1.7<br />
*Proxmox Mail Gateway 1.6<br />
*Proxmox Mail Gateway 1.5<br />
*Proxmox Mail Gateway 1.4<br />
*Proxmox Mail Gateway 1.3<br />
*Proxmox Mail Gateway 1.2<br />
*Proxmox Mail Gateway 1.1<br />
*Proxmox Mail Gateway 1.0 (April 2005)</div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=Roadmap&diff=62Roadmap2020-11-19T10:09:25Z<p>Martin: /* Proxmox Mail Gateway 6.1 */</p>
<hr />
<div>=Roadmap=<br />
<br />
=Release History=<br />
See also [https://forum.proxmox.com/forums/announcements.7/ Announcement forum]<br />
<br />
==Proxmox Mail Gateway 6.3==<br />
'''Released 19. November 2020'''<br />
<br />
* Based on Debian Buster (10.6)<br />
* Updated SpamAssassin rules<br />
* Kernel 5.4.73<br />
* Proxmox Backup Server Integration<br/>Proxmox Mail Gateway is fully supported by the new Proxmox Backup Server 1.0, released on November 11, 2020:<br />
** Backing up to multiple remote backup servers: You can define multiple remote instances of Proxmox Backup Server to store backups on. In case of a large-scale disaster, they can be quickly restored.<br />
** Scheduled Backups: You can schedule regular backups via the GUI, which will then be automatically triggered by a systemd-timer unit. This removes the need for manual backup creation and individual, scripted solutions.<br />
* Quarantine Link via login-page<br />Users can request mails containing a link to their quarantine view, if enabled by the Admin. This enables users to edit their individual blocklists, even if no mails are in their quarantine. Until now this was only possible for sites using LDAP.<br />
* Improvements to the Tracking Center<br />To further improve user experience in the tracking center, pmg-log-tracker handles certain cases better:<br />
** The case sensitivity has been removed from the search box.<br />
** In case the pmg-smtp-filter fails to process emails due to misconfiguration, they are now marked as rejected.<br />
* Notable Bugfixes:<br />
** DKIM signing now uses the longest matching domain for the 'd=' tag.<br />
** Mails held in the Attachment Quarantine are assigned a new Message-ID - fixing interoperability with certain downstream servers (for example, MS Exchange), which silently discard messages with duplicate Message-IDs.<br />
<br />
==Proxmox Mail Gateway 6.2==<br />
'''Released 28. April 2020'''<br />
<br />
* Based on Debian Buster (10.3)<br />
** Proxmox Mail Gateway is based on the latest stable release of Debian 10.3 (Buster).<br />
* SpamAssassin 3.4.4<br />
** Proxmox ships the latest upstream release of Apache SpamAssassin with an updated and enhanced ruleset (KAM rules added)<br />
* Kernel 5.4<br />
** Proxmox Mail Gateway shares the kernel with Proxmox VE and is based on the 5.4 series from Ubuntu 20.04<br />
* pmg-log-tracker in Rust<br />
** <code>pmg-log-tracker</code> has been extended and reimplemented in the Rust programming language. <code>pmg-log-tracker</code> is the binary at the core of the Message Tracking Center, providing live searchable and grouped logs in the GUI.<br />
** The new <code>pmg-log-tracker</code> has support for parsing and grouping logs in before-queue filtering mode.<br />
** The refresh of the code base of <code>pmg-log-tracker</code> provides an optimized performance and more stability.<br />
<br />
* Support for before-queue filtering in the GUI<br />
** With the added support for displaying before-queue filtering logs in the GUI and fixing some minor glitches in that area, the before-queue filtering can now be comfortably enabled in the GUI.<br />
<br />
* Improved IPv6 support<br />
** The Mail Proxy's SPF checker also verifies SPF records for those remote mail servers connecting via IPv6. <br />
** Greylisting support for IPv6 addresses (with variable netmask, defaulting to '/64') - needs to be explicitly enabled.<br />
** Who-objects containing IPv6 literal addresses work now.<br />
<br />
* Customizable netmask length for greylist matching<br />
** Instead of fixing a greylist network to a '/24' the administrator can now configure which hosts should be considered as belonging to the same network by setting a larger (or smaller) prefix.<br />
** This can help with receiving mail from some cloud providers, which send out one mail from different IP addresses within a large network, which usually leads to a rather long delay and sometimes even to a legitimate mail being rejected.<br />
** Due to the changed database layout partial upgrades of clusters will prevent nodes running the older version from syncing the greylist database until they are upgraded.<br />
<br />
* Better UX for the User Spam Quarantine interface<br />
** If selected in the Quarantine view, the From header and the Subject are now displayed on top of the mail body.<br />
** It is now possible to delete mail addresses containing certain special characters (for example '/') from a user's black- or whitelist.<br />
** Users can set their preferred language directly in the quarantine interface instead of having to log out to change the setting.<br />
** Fixed a bug in the selection of multiple e-mails.<br />
<br />
* Handling of changes to overridden templates with <code>ucf</code><br />
** Starting with this release, all service configuration templates copied and modified in <code>/etc/pmg/templates</code> get registered with <code>ucf</code>. Should an overridden template change with a new package version, the administrator is asked and can accept or reject the changes.<br />
** All users who have templates in <code>/etc/pmg/templates</code> will be asked about the current changes for the initial registration.<br />
<br />
* New What Object: 'Match Archive Filename'<br />
** In addition to matching files in archives (zip, tar.gz, rar, ...) based on the file's content-type, it is also possible to look for particular filename patterns inside of archives.<br />
** This completes the feature matrix of matching files based on content-type or filename, as plain attachments, or inside archives.<br />
<br />
* Support for downstream LMTP servers<br />
** In certain setups there is no advantage in having a dedicated SMTP server for receiving e-mails from Proxmox Mail Gateway, since all used functionality is provided by an MTA, which speaks IMAP and LMTP (e.g., Dovecot).<br />
** It is now possible to configure Proxmox Mail Gateway to send e-mails directly to an LMTP relay, both as default transport and only as transport for certain domains.<br />
<br />
* Improvements to recently added features<br />
** Before-queue filtering and DKIM signing, both implemented with Proxmox Mail Gateway 6.1, have a better user experience and are considered stable now.<br />
** Some remaining glitches and bugs fixed for both. <br />
** DKIM selector handling can handle the existence of multiple selectors and in the GUI, users can comfortably switch between the active selector.<br />
<br />
* TLS policy selection for internal downstream servers<br />
** It is now possible to specify a desired level of encryption and authentication for the opportunistic TLS-encryption (STARTTLS) for downstream servers entered in your transports.<br />
** This can help to ensure that your internal communication is not sent in the clear over the network. It can also be used to work around broken TLS implementations in legacy downstream servers.<br />
<br />
* Improvements to general usability<br />
** The unbounded growth of the Quarantine disk usage for non-master nodes in clustered setups is fixed.<br />
** It's now possible to switch to incremental updates of the AV signatures for ClamAV via GUI, alleviating the problem that both methods fail in certain cases for some users.<br />
==Proxmox Mail Gateway 6.1==<br />
'''Released 27. November 2019'''<br />
<br />
* Based on Debian Buster (10.2)<br />
** Proxmox Mail Gateway is based on the latest stable release of Debian 10.2 (Buster).<br />
* Updated SpamAssassin rules<br />
* Kernel 5.3<br />
** Proxmox Mail Gateway shares the kernel with Proxmox VE and is based on the 5.3 series from Ubuntu 19.10<br />
<br />
* DKIM-Signing<br />
** Support for adding DomainKeys Identified Mail (DKIM) Signatures (RFC 6376) to outbound emails<br />
** Configuration via GUI<br />
** Signing happens after processing the email with the rule system, thus ensuring that it leaves the Proxmox Mail Gateway with a valid signature<br />
** Flexible control of which domains should get signed with sensible defaults (the relay domains)<br />
** Inside a cluster, one common selector minimizes the overhead for adding required DNS entries<br />
<br />
* Attachment Quarantine<br />
** The <code>Remove Attachments</code> action can now optionally deliver the complete email to the Attachment Quarantine<br />
** The Attachment Quarantine offers a comfortable GUI for selectively downloading parts of the email for further analysis, or delivering the mail to the original recipient<br />
** Accessible only by the administrators, it offers safety from accidentally opening malicious executables, doc-files, and other attachments infected with malware<br />
<br />
* Adjustable SpamAssassin Rule Scores via GUI<br />
** Adapt the scores of individual SpamAssassin rules directly in the GUI<br />
** Enables you to adapt the scoring to your environment, thus achieving better ham/spam detection rates<br />
** Mostly for adding a bit of weight to rules, which are good indicators for Spam in your environment<br />
** Selectively disable Rules, which cause false positives for your environment<br />
<br />
* Improved handling of Configuration and Rule changes in clustered environments<br />
** The Filtering Engine gets notified about a range of configuration changes which require a reload<br />
** The notification is propagated during the cluster sync<br />
** This reduces the situations where you had to manually restart <code>pmg-smtp-filter</code><br />
<br />
* Experimental Support for Before Queue filtering<br />
** Proxmox Mail Gateway can now optionally reject an email during the SMTP dialogue, instead of accepting it and silently discarding unwanted email<br />
** This is a requirement in certain situations<br />
** By answering with a permanent failure code (<code>554</code>), there is no need to generate a Non-Delivery Report, which could cause your system to get blacklisted, due to Backscatter<br />
** Currently incompatible with the Tracking Center, thus needs to be explicitly enabled in <code>/etc/pmg/pmg.conf</code><br />
<br />
* Improvements to general usability<br />
** Clarification of ambiguously used terms in the GUI and documentation<br />
** More detailed documentation of the Service Configuration Templates<br />
** Downloading of emails larger than 2 MB as <nowiki>eml</nowiki> from the Spam Quarantine now works<br />
** API-Viewer now usable from inside every running PMG installation at https://pmg.local:8006/api-viewer/index.html or just online via https://pmg.proxmox.com/pmg-docs/api-viewer/index.html<br />
<br />
==Proxmox Mail Gateway 6.0==<br />
'''Released 27. August 2019'''<br />
<br />
*Proxmox Mail Gateway is based on the latest stable release of Debian 10.0 (Buster)<br />
*This major version update provides an easy to follow step-by-step upgrade path - https://pmg.proxmox.com/wiki/index.php/Upgrade_from_5.x_to_6.0<br />
*Rule name logging - each final action now logs the name of the rule which triggered it to the system log<br />
*The system logs get displayed faster in the GUI because they now use the Proxmox `mini-journalreader` instead of `journalctl`<br />
*ClamAV 0.101.4 (fix for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934359)<br />
*Postgres 11 (new major version backing the rule system)<br />
*OpenSSL 1.1.1c with support for TLS 1.3<br />
*Updated shipped SpamAssassin Ruleset<br />
*Countless bugfixes and improvements in the GUI labels<br />
<br />
==Proxmox Mail Gateway 5.2==<br />
'''Released 20.03.2019'''<br />
<br />
*Mobile Quarantine Interface<br />
**based on the small and modern framework7<br />
**Deliver/Delete/Whitelist/Blacklist mails in your Quarantine from your mobile device<br />
*Improvements in the LDAP integration<br />
**allow the use of FQDNs instead of IPs in the WebUI<br />
**add support for certificate verification (and enable it for new deployments)<br />
**add support for LDAP+starttls<br />
*PMG-Appliance template<br />
**Install PMG as an (unprivileged) Linux Container (e.g. in PVE)<br />
**Introduces the new 'proxmox-mailgateway-container' metapackage, which does not depend on a kernel, and results in a vastly reduced size (and fewer updates)<br />
*Improvements in Logging<br />
**pmg-smtp-filter now logs each SA-Rules score in addition to the rule names - simplifying the analysis of the spam filter's performance without the need to access the mail's source<br />
*Improvements in the WebUI's TLS configuration<br />
*pmgproxy can now be configured via '/etc/default/pmgproxy' to disable/enable certain ciphers, compression, cipher selection preference.<br />
*new command: `pmg-system-report`<br />
**Provides an overview of key characteristics of PMG's setup and performance<br />
**Improves the initial diagnosis for our Enterprise support<br />
*.eml download from the (non-mobile) Quarantine Interface<br />
**Lets you download the complete source of a quarantined message in .eml format for further analysis<br />
*Add support for custom checks<br />
**Enable users to integrate their own custom check logic by providing a defined interface, which can optionally be enabled, and runs a custom check before the mail gets handed to the virus scanner and rule system.<br />
*Improvements of Blacklist/Whitelist handling in the Quarantine Interface<br />
**multiselect for removing multiple entries at once<br />
*proxmox-spamassassin<br />
**Update the shipped rulesets<br />
*PMG-Cluster: full IPv6 support<br />
*ISO works on Citrix XenServer<br />
*Documentation available via https://pmg.proxmox.com/pmg-docs<br />
*Bugfixes<br />
<br />
==Proxmox Mail Gateway 5.1==<br />
'''Released 05.10.2018'''<br />
<br />
*Allow configuring TLS policy via GUI<br />
*New 'helpdesk' role<br />
*Support SMTPUTF8 protocol feature<br />
*GUI improvements<br />
*Update to Debian Stretch 9.5<br />
*Update kernel to 4.15<br />
*Bugfixes<br />
<br />
==Proxmox Mail Gateway 5.0==<br />
'''Released 23.01.2018'''<br />
<br />
*Fully licensed under the open source license AGPL<br />
*Based on Debian Stretch 9.3 with a 4.13.13 kernel<br />
*ISO installer supports all ZFS raid levels<br />
*ExtJS based user interface<br />
*New API<br />
*Integrated documentation<br />
*Subscription-based enterprise support options (similar to the Proxmox VE support subscription model)<br />
*Bug fixes<br />
<br />
== Old Releases ==<br />
*Proxmox Mail Gateway 4.1<br />
*Proxmox Mail Gateway 4.0<br />
*Proxmox Mail Gateway 3.1<br />
*Proxmox Mail Gateway 3.0<br />
*Proxmox Mail Gateway 2.6<br />
*Proxmox Mail Gateway 2.5<br />
*Proxmox Mail Gateway 2.4<br />
*Proxmox Mail Gateway 2.3<br />
*Proxmox Mail Gateway 2.2<br />
*Proxmox Mail Gateway 2.1<br />
*Proxmox Mail Gateway 2.0<br />
*Proxmox Mail Gateway 1.7<br />
*Proxmox Mail Gateway 1.6<br />
*Proxmox Mail Gateway 1.5<br />
*Proxmox Mail Gateway 1.4<br />
*Proxmox Mail Gateway 1.3<br />
*Proxmox Mail Gateway 1.2<br />
*Proxmox Mail Gateway 1.1<br />
*Proxmox Mail Gateway 1.0 (April 2005)</div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=Roadmap&diff=61Roadmap2020-11-19T10:06:07Z<p>Martin: Proxmox Mail Gateway 6.3 release</p>
<hr />
<div>=Roadmap=<br />
<br />
=Release History=<br />
See also [https://forum.proxmox.com/forums/announcements.7/ Announcement forum]<br />
<br />
==Proxmox Mail Gateway 6.3==<br />
'''Released 19. November 2020'''<br />
<br />
* Based on Debian Buster (10.6)<br />
* Updated SpamAssassin rules<br />
* Kernel 5.4.73<br />
* Proxmox Backup Server Integration<br/>Proxmox Mail Gateway is fully supported by the new Proxmox Backup Server 1.0, released on November 11, 2020:<br />
** Backing up to multiple remote backup servers: You can define multiple remote instances of Proxmox Backup Server to store backups on. In case of a large-scale disaster, they can be quickly restored.<br />
** Scheduled Backups: You can schedule regular backups via the GUI, which will then be automatically triggered by a systemd-timer unit. This removes the need for manual backup creation and individual, scripted solutions.<br />
* Quarantine Link via login-page<br />Users can request mails containing a link to their quarantine view, if enabled by the Admin. This enables users to edit their individual blocklists, even if no mails are in their quarantine. Until now this was only possible for sites using LDAP.<br />
* Improvements to the Tracking Center<br />To further improve user experience in the tracking center, pmg-log-tracker handles certain cases better:<br />
** The case sensitivity has been removed from the search box.<br />
** In case the pmg-smtp-filter fails to process emails due to misconfiguration, they are now marked as rejected.<br />
* Notable Bugfixes:<br />
** DKIM signing now uses the longest matching domain for the 'd=' tag.<br />
** Mails held in the Attachment Quarantine are assigned a new Message-ID - fixing interoperability with certain downstream servers (for example, MS Exchange), which silently discard messages with duplicate Message-IDs.<br />
<br />
==Proxmox Mail Gateway 6.2==<br />
'''Released 28. April 2020'''<br />
<br />
* Based on Debian Buster (10.3)<br />
** Proxmox Mail Gateway is based on the latest stable release of Debian 10.3 (Buster).<br />
* SpamAssassin 3.4.4<br />
** Proxmox ships the latest upstream release of Apache SpamAssassin with an updated and enhanced ruleset (KAM rules added)<br />
* Kernel 5.4<br />
** Proxmox Mail Gateway shares the kernel with Proxmox VE and is based on the 5.4 series from Ubuntu 20.04<br />
* pmg-log-tracker in Rust<br />
** <code>pmg-log-tracker</code> has been extended and reimplemented in the Rust programming language. <code>pmg-log-tracker</code> is the binary at the core of the Message Tracking Center, providing live searchable and grouped logs in the GUI.<br />
** The new <code>pmg-log-tracker</code> has support for parsing and grouping logs in before-queue filtering mode.<br />
** The refresh of the code base of <code>pmg-log-tracker</code> provides an optimized performance and more stability.<br />
<br />
* Support for before-queue filtering in the GUI<br />
** With the added support for displaying before-queue filtering logs in the GUI and fixing some minor glitches in that area, the before-queue filtering can now be comfortably enabled in the GUI.<br />
<br />
* Improved IPv6 support<br />
** The Mail Proxy's SPF checker also verifies SPF records for those remote mail servers connecting via IPv6. <br />
** Greylisting support for IPv6 addresses (with variable netmask, defaulting to '/64') - needs to be explicitly enabled.<br />
** Who-objects containing IPv6 literal addresses work now.<br />
<br />
* Customizable netmask length for greylist matching<br />
** Instead of fixing a greylist network to a '/24' the administrator can now configure which hosts should be considered as belonging to the same network by setting a larger (or smaller) prefix.<br />
** This can help with receiving mail from some cloud providers, which send out one mail from different IP addresses within a large network, which usually leads to a rather long delay and sometimes even to a legitimate mail being rejected.<br />
** Due to the changed database layout partial upgrades of clusters will prevent nodes running the older version from syncing the greylist database until they are upgraded.<br />
<br />
* Better UX for the User Spam Quarantine interface<br />
** If selected in the Quarantine view, the From header and the Subject are now displayed on top of the mail body.<br />
** It is now possible to delete mail addresses containing certain special characters (for example '/') from a user's black- or whitelist.<br />
** Users can set their preferred language directly in the quarantine interface instead of having to log out to change the setting.<br />
** Fixed a bug in the selection of multiple e-mails.<br />
<br />
* Handling of changes to overridden templates with <code>ucf</code><br />
** Starting with this release, all service configuration templates copied and modified in <code>/etc/pmg/templates</code> get registered with <code>ucf</code>. Should an overridden template change with a new package version, the administrator is asked and can accept or reject the changes.<br />
** All users who have templates in <code>/etc/pmg/templates</code> will be asked about the current changes for the initial registration.<br />
<br />
* New What Object: 'Match Archive Filename'<br />
** In addition to matching files in archives (zip, tar.gz, rar, ...) based on the file's content-type, it is also possible to look for particular filename patterns inside of archives.<br />
** This completes the feature matrix of matching files based on content-type or filename, as plain attachments, or inside archives.<br />
<br />
* Support for downstream LMTP servers<br />
** In certain setups there is no advantage in having a dedicated SMTP server for receiving e-mails from Proxmox Mail Gateway, since all used functionality is provided by an MTA, which speaks IMAP and LMTP (e.g., Dovecot).<br />
** It is now possible to configure Proxmox Mail Gateway to send e-mails directly to an LMTP relay, both as default transport and only as transport for certain domains.<br />
<br />
* Improvements to recently added features<br />
** Before-queue filtering and DKIM signing, both implemented with Proxmox Mail Gateway 6.1, have a better user experience and are considered stable now.<br />
** Some remaining glitches and bugs fixed for both. <br />
** DKIM selector handling can handle the existence of multiple selectors and in the GUI, users can comfortably switch between the active selector.<br />
<br />
* TLS policy selection for internal downstream servers<br />
** It is now possible to specify a desired level of encryption and authentication for the opportunistic TLS-encryption (STARTTLS) for downstream servers entered in your transports.<br />
** This can help to ensure that your internal communication is not sent in the clear over the network. It can also be used to work around broken TLS implementations in legacy downstream servers.<br />
<br />
* Improvements to general usability<br />
** The unbounded growth of the Quarantine disk usage for non-master nodes in clustered setups is fixed.<br />
** It's now possible to switch to incremental updates of the AV signatures for ClamAV via GUI, alleviating the problem that both methods fail in certain cases for some users.<br />
==Proxmox Mail Gateway 6.1==<br />
'''Released 27.11.2019'''<br />
<br />
* Based on Debian Buster (10.2)<br />
** Proxmox Mail Gateway is based on the latest stable release of Debian 10.2 (Buster).<br />
* Updated SpamAssassin rules<br />
* Kernel 5.3<br />
** Proxmox Mail Gateway shares the kernel with Proxmox VE and is based on the 5.3 series from Ubuntu 19.10<br />
<br />
* DKIM-Signing<br />
** Support for adding DomainKeys Identified Mail (DKIM) Signatures (RFC 6376) to outbound emails<br />
** Configuration via GUI<br />
** Signing happens after processing the email with the rule system, thus ensuring that it leaves the Proxmox Mail Gateway with a valid signature<br />
** Flexible control of which domains should get signed with sensible defaults (the relay domains)<br />
** Inside a cluster, one common selector minimizes the overhead for adding required DNS entries<br />
<br />
* Attachment Quarantine<br />
** The <code>Remove Attachments</code> action can now optionally deliver the complete email to the Attachment Quarantine<br />
** The Attachment Quarantine offers a comfortable GUI for selectively downloading parts of the email for further analysis, or delivering the mail to the original recipient<br />
** Accessible only by the administrators, it offers safety from accidentally opening malicious executables, doc-files, and other attachments infected with malware<br />
<br />
* Adjustable SpamAssassin Rule Scores via GUI<br />
** Adapt the scores of individual SpamAssassin rules directly in the GUI<br />
** Enables you to adapt the scoring to your environment, thus achieving better ham/spam detection rates<br />
** Mostly for adding a bit of weight to rules, which are good indicators for Spam in your environment<br />
** Selectively disable Rules, which cause false positives for your environment<br />
<br />
* Improved handling of Configuration and Rule changes in clustered environments<br />
** The Filtering Engine gets notified about a range of configuration changes which require a reload<br />
** The notification is propagated during the cluster sync<br />
** This reduces the situations where you had to manually restart <code>pmg-smtp-filter</code><br />
<br />
* Experimental Support for Before Queue filtering<br />
** Proxmox Mail Gateway can now optionally reject an email during the SMTP dialogue, instead of accepting it and silently discarding unwanted email<br />
** This is a requirement in certain situations<br />
** By answering with a permanent failure code (<code>554</code>), there is no need to generate a Non-Delivery Report, which could cause your system to get blacklisted, due to Backscatter<br />
** Currently incompatible with the Tracking Center, thus needs to be explicitly enabled in <code>/etc/pmg/pmg.conf</code><br />
<br />
* Improvements to general usability<br />
** Clarification of ambiguously used terms in the GUI and documentation<br />
** More detailed documentation of the Service Configuration Templates<br />
** Downloading of emails larger than 2 MB as <nowiki>eml</nowiki> from the Spam Quarantine now works<br />
** API-Viewer now usable from inside every running PMG installation at https://pmg.local:8006/api-viewer/index.html or just online via https://pmg.proxmox.com/pmg-docs/api-viewer/index.html<br />
<br />
==Proxmox Mail Gateway 6.0==<br />
'''Released 27. August 2019'''<br />
<br />
*Proxmox Mail Gateway is based on the latest stable release of Debian 10.0 (Buster)<br />
*This major version update provides an easy to follow step-by-step upgrade path - https://pmg.proxmox.com/wiki/index.php/Upgrade_from_5.x_to_6.0<br />
*Rule name logging - each final action now logs the name of the rule which triggered it to the system log<br />
*The system logs get displayed faster in the GUI because they now use the Proxmox `mini-journalreader` instead of `journalctl`<br />
*ClamAV 0.101.4 (fix for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934359)<br />
*Postgres 11 (new major version backing the rule system)<br />
*OpenSSL 1.1.1c with support for TLS 1.3<br />
*Updated shipped SpamAssassin Ruleset<br />
*Countless bugfixes and improvements in the GUI labels<br />
<br />
==Proxmox Mail Gateway 5.2==<br />
'''Released 20.03.2019'''<br />
<br />
*Mobile Quarantine Interface<br />
**based on the small and modern framework7<br />
**Deliver/Delete/Whitelist/Blacklist mails in your Quarantine from your mobile device<br />
*Improvements in the LDAP integration<br />
**allow the use of FQDNs instead of IPs in the WebUI<br />
**add support for certificate verification (and enable it for new deployments)<br />
**add support for LDAP+starttls<br />
*PMG-Appliance template<br />
**Install PMG as an (unprivileged) Linux Container (e.g. in PVE)<br />
**Introduces the new 'proxmox-mailgateway-container' metapackage, which does not depend on a kernel, and results in a vastly reduced size (and fewer updates)<br />
*Improvements in Logging<br />
**pmg-smtp-filter now logs each SA-Rules score in addition to the rule names - simplifying the analysis of the spam filter's performance without the need to access the mail's source<br />
*Improvements in the WebUI's TLS configuration<br />
*pmgproxy can now be configured via '/etc/default/pmgproxy' to disable/enable certain ciphers, compression, cipher selection preference.<br />
*new command: `pmg-system-report`<br />
**Provides an overview of key characteristics of PMG's setup and performance<br />
**Improves the initial diagnosis for our Enterprise support<br />
*.eml download from the (non-mobile) Quarantine Interface<br />
**Lets you download the complete source of a quarantined message in .eml format for further analysis<br />
*Add support for custom checks<br />
**Enable users to integrate their own custom check logic by providing a defined interface, which can optionally be enabled, and runs a custom check before the mail gets handed to the virus scanner and rule system.<br />
*Improvements of Blacklist/Whitelist handling in the Quarantine Interface<br />
**multiselect for removing multiple entries at once<br />
*proxmox-spamassassin<br />
**Update the shipped rulesets<br />
*PMG-Cluster: full IPv6 support<br />
*ISO works on Citrix XenServer<br />
*Documentation available via https://pmg.proxmox.com/pmg-docs<br />
*Bugfixes<br />
<br />
==Proxmox Mail Gateway 5.1==<br />
'''Released 05.10.2018'''<br />
<br />
*Allow configuring TLS policy via GUI<br />
*New 'helpdesk' role<br />
*Support SMTPUTF8 protocol feature<br />
*GUI improvements<br />
*Update to Debian Stretch 9.5<br />
*Update kernel to 4.15<br />
*Bugfixes<br />
<br />
==Proxmox Mail Gateway 5.0==<br />
'''Released 23.01.2018'''<br />
<br />
*Fully licensed under the open source license AGPL<br />
*Based on Debian Stretch 9.3 with a 4.13.13 kernel<br />
*ISO installer supports all ZFS raid levels<br />
*ExtJS based user interface<br />
*New API<br />
*Integrated documentation<br />
*Subscription-based enterprise support options (similar to the Proxmox VE support subscription model)<br />
*Bug fixes<br />
<br />
== Old Releases ==<br />
*Proxmox Mail Gateway 4.1<br />
*Proxmox Mail Gateway 4.0<br />
*Proxmox Mail Gateway 3.1<br />
*Proxmox Mail Gateway 3.0<br />
*Proxmox Mail Gateway 2.6<br />
*Proxmox Mail Gateway 2.5<br />
*Proxmox Mail Gateway 2.4<br />
*Proxmox Mail Gateway 2.3<br />
*Proxmox Mail Gateway 2.2<br />
*Proxmox Mail Gateway 2.1<br />
*Proxmox Mail Gateway 2.0<br />
*Proxmox Mail Gateway 1.7<br />
*Proxmox Mail Gateway 1.6<br />
*Proxmox Mail Gateway 1.5<br />
*Proxmox Mail Gateway 1.4<br />
*Proxmox Mail Gateway 1.3<br />
*Proxmox Mail Gateway 1.2<br />
*Proxmox Mail Gateway 1.1<br />
*Proxmox Mail Gateway 1.0 (April 2005)</div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=Main_Page&diff=60Main Page2020-10-29T10:31:11Z<p>Martin: /* Documentation */</p>
<hr />
<div>__NOTOC__<br />
<TABLE><br />
<tr valign=top><br />
<td><br />
<br />
'''Proxmox Mail Gateway''' is an open-source email security platform based on Debian GNU/Linux. It protects your mail server from spam, viruses, trojans and phishing emails. The full-featured mail proxy is deployed between the firewall and the internal mail server and allows you to control all incoming and outgoing email traffic from a single platform with a central web-based management interface. Proxmox Mail Gateway is open-source software, licensed under the GNU AGPL, v3. <br />
<br />
The project is developed and maintained by [https://www.proxmox.com/en/ Proxmox Server Solutions GmbH].<br />
<br />
For an overview of the Proxmox Mail Gateway key features see the [https://www.proxmox.com/en/proxmox-mail-gateway/features Proxmox website].<br />
<br />
=Download=<br />
[https://www.proxmox.com/downloads Download] the latest ISO image files.<br />
<br />
Alternate download: http://download.proxmox.com/iso<br />
<br />
=Installation=<br />
<br />
The installation medium (CD or USB) is a complete operating system, including everything you need to install and run Proxmox Mail Gateway in only a few minutes. It can be installed bare-metal on dedicated hardware or in a virtual machine on all leading virtualization platforms. You can also install it on top of an existing Debian installation.<br />
<br />
'''Installing'''<br />
<br />
[https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_installation Installation of Proxmox Mail Gateway]<br />
<br />
[[Getting started with Proxmox Mail Gateway]]<br />
<br />
'''Upgrading'''<br />
<br />
[[Upgrade_from_5.x_to_6.0|Upgrade from Proxmox Mail Gateway 5.x to 6.0]]<br />
<br />
=Documentation=<br />
The Proxmox Mail Gateway documentation is freely available in different formats such as HTML, PDF or EPUB, see [https://pmg.proxmox.com/pmg-docs/ Proxmox Mail Gateway Reference Documentation]. You can also access the documentation via the management interface of your Proxmox Mail Gateway installation by clicking on the contextual help buttons.<br />
<br />
The developer documentation explains how to get involved in the development process of the Proxmox Mail Gateway, see [[Developer Documentation]].<br />
<br />
=Release History and Roadmap=<br />
Take a look at the [[Roadmap]] for existing and upcoming features.<br />
<br />
=Video Tutorials=<br />
To get an overview of the Proxmox Mail Gateway, we regularly publish video tutorials on our website, see https://www.proxmox.com/training/video-tutorials.<br />
<br />
</td><br />
<td><br />
[[Image:Proxmox-Mail-Gateway-5-2-stats.png|thumb|300px|rightthumb|Proxmox Mail Gateway Statistics]]<br />
</td><br />
</tr><br />
</TABLE><br />
<br />
<!-- T.r.a.p <a href="mailto:user2@test.proxmox.org">do not use this address</a> --></div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=Developer_Documentation&diff=59Developer Documentation2020-10-29T10:28:53Z<p>Martin: page created</p>
<hr />
<div>== Introduction ==<br />
<br />
Please communicate your plans to us before starting any development. It is important to have a common view of the problem and the corresponding solution, in order to avoid duplicated work and unnecessary effort.<br />
<br />
Our source code repository is read-only. To contribute code, send it as a patch (git diff) to the pmg-devel mailing list. We will review your patch and apply it (and possible corrections/additions) if the review is successful. Note that we will only include code that meets our quality criteria. <br />
<br />
== Mailing List ==<br />
<br />
This is the primary communication channel for developers to discuss new features and implementation details. If you are a developer and you want to develop additional features, this is the place to start.<br />
<br />
PMG Development List: https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel<br />
<br />
Archive: https://lists.proxmox.com/pipermail/pmg-devel/<br />
<br />
== Access to Code Repository (git) ==<br />
<br />
You can find all of our project repositories at the link below.<br />
<br />
https://git.proxmox.com<br />
<br />
== Build instructions ==<br />
<br />
*TODO*<br />
<br />
== Development Package Repository ==<br />
<br />
Some packages required for development can only be found in the ''devel'' repository. <br />
This is a cross-project repository and may be used for all Proxmox projects.<br />
<br />
Add the following to the <code>/etc/apt/sources.list</code> file:<br />
<br />
deb http://download.proxmox.com/debian/devel/ buster main<br />
<br />
== Checking out a git repository ==<br />
<br />
To clone a repository, run 'git clone' with the repository name prefixed with the common URL: <nowiki>git://git.proxmox.com/git/</nowiki><br />
<br />
<source lang="bash"><br />
# git clone git://git.proxmox.com/git/proxmox-mailgateway.git<br />
</source><br />
<br />
To update an already cloned project to the current version use:<br />
<br />
<source lang="bash"><br />
# git pull<br />
</source><br />
<br />
== Working on the code ==<br />
<br />
=== Coding guidelines ===<br />
<br />
The codebase is mostly Perl, with JavaScript for the web-interface.<br />
<br />
We use the ExtJS framework for the GUI components; its API documentation can be found [http://docs.sencha.com/extjs/6.0.1/index.html here.]<br />
<br />
=== Using git ===<br />
<br />
If you are not familiar with git, it's worth having a look at this interactive tutorial:<br />
https://try.github.io, and reading the brief introduction chapter from the official git documentation: https://git-scm.com/docs/gittutorial<br />
to gain a basic understanding of it.<br />
<br />
First, configure your ''real'' name and email address for git, if not done already:<br />
<br />
<source lang="bash"><br />
$ git config --global user.name "John Doe"<br />
$ git config --global user.email john@example.com<br />
</source><br />
<br />
This will be used to sign off commits as your work.<br />
<br />
We recommend that you start a feature branch before working on the code locally:<br />
<br />
<source lang="bash"><br />
# git checkout -b my_branch master<br />
</source><br />
<br />
After this, you can start working on your improvements. You can compare your changes to the current PMG master branch with:<br />
<br />
<source lang="bash"><br />
# git diff master..my_branch<br />
</source><br />
<br />
==== Commits and Commit Messages ====<br />
<br />
After making changes, commit them (try to make small, self-contained commits) with a sign-off line included (-s).<br />
<br />
* Make sure the line length of the commit's message is '''not longer than 70 characters'''. HTTPS links are an exception and should not be split.<br />
* If it fixes a bug, start with that information, in the form: <code>fix #1234: summary here</code><br />
* If it implements a feature tracked on Bugzilla, use: <code>close #1234: summary here</code>, albeit <code>fix #1234:</code> is commonly used and also fine.<br />
* Add a tag to the beginning, if an obvious choice exists. For example, if you made a change to the user-configuration API, a possible tag could be <code>api: user-config: summary here</code><br />
: However, do '''not''' just paste the changed file, including path and file ending as a tag. This has no use and makes it harder to read.<br />
<br />
The following command will take all the changes in tracked files and commit them:<br />
<br />
<source lang="bash"><br />
# git commit -s -a<br />
</source><br />
<br />
New files won't get added automatically with this command. To stage new or altered files for a commit, use:<br />
<br />
<source lang="bash"><br />
# git add newfile1.pm file2.pm<br />
</source><br />
<br />
You can always look at what will be committed with:<br />
<br />
<source lang="bash"><br />
# git diff --staged<br />
</source><br />
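The commit message rules above can be checked mechanically before a patch is sent. The following is an added example, not Proxmox tooling: the function name <code>check_commit_msg</code> and the sample message are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Proxmox tooling: lint a commit message file
# against the rules listed above. Prints one line per violation and returns
# 0 for a clean message, 1 otherwise. check_commit_msg is a hypothetical name.
check_commit_msg() {
    msg_file=$1
    rc=0
    # The subject is the first line git keeps (comment lines are stripped).
    subject=$(grep -v '^#' "$msg_file" | sed -n '1p')

    # Rule: no line longer than 70 characters; lines with an HTTPS link are exempt.
    long=$(awk '/^#/ { next }
        length($0) > 70 && $0 !~ /https:\/\// { printf "%s%d", sep, NR; sep = "," }' "$msg_file")
    if [ -n "$long" ]; then
        echo "line too long (>70): $long"
        rc=1
    fi

    # Rule: a sign-off line must be present (git commit -s adds it).
    if ! grep -Eq '^Signed-off-by: .+ <[^<>@ ]+@[^<>@ ]+>$' "$msg_file"; then
        echo "missing Signed-off-by line (commit with -s)"
        rc=1
    fi

    # Rule: a subject that leads with a bug reference uses "fix #1234: ..."
    # or "close #1234: ..." (matched case-insensitively).
    if printf '%s\n' "$subject" |
        grep -Eiq '^(fix|fixes|fixed|close|closes|closed)[ :]*(bug[ ]*)?#?[0-9]+'; then
        if ! printf '%s\n' "$subject" | grep -Eiq '^(fix|close) #[0-9]+: .'; then
            echo "bug reference should read 'fix #1234: summary'"
            rc=1
        fi
    fi

    # Rule: the leading tag must not be a pasted file path with file ending.
    if printf '%s\n' "$subject" | grep -Eq '^[^ :]*/[^ :]*\.[A-Za-z0-9]+:'; then
        echo "tag is a file path; use a subsystem tag such as 'api: user-config:'"
        rc=1
    fi

    return $rc
}

# Constructed sample message that breaks three of the rules.
demo_msg=$(mktemp)
cat > "$demo_msg" <<'EOF'
src/PMG/Config.pm: changed the default value of the greylist netmask option

No sign-off line follows.
EOF
check_commit_msg "$demo_msg" || echo "commit message rejected"
rm -f "$demo_msg"
```

Git passes the path of the message file as the first argument to a <code>commit-msg</code> hook, so the function can be called there as <code>check_commit_msg "$1"</code>.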
<br />
== Preparing Patches ==<br />
<br />
{{note| We need a valid [[#Software License and Copyright|CLA]] to include your changes|reminder}}<br />
<br />
Since we have several projects in our git repository that use the pmg-devel mailing list,<br />
we ask you to clarify which repository your patches are meant for,<br />
by specifying it in the subject prefix, for example, 'pmg-api' or 'pmg-gui'.<br />
<br />
Example: Creating the raw patch series for the <tt>pmg-api</tt> package:<br />
<br />
<source lang="bash"><br />
# rm -rf my-patches/ # to clean left-overs<br />
# git format-patch -o my-patches/ --subject-prefix="PATCH pmg-api" master..my_branch --cover-letter<br />
</source><br />
<br />
Explain in the cover letter the aim of your patches:<br />
<br />
<source lang="bash"><br />
edit my-patches/0000-cover-letter.patch<br />
</source><br />
<br />
Sending patches:<br />
<br />
<source lang="bash"><br />
# git send-email --to=pmg-devel@lists.proxmox.com my-patches/00*.patch<br />
# rm -rf my-patches/ # to clean left-overs<br />
</source><br />
<br />
If you wish to write comments for individual patches, you can do that either in<br />
the cover-letter, or in the patch's ''commit summary section'' (between the line<br />
consisting of 3 consecutive dashes ending your commit message and before the<br />
list of files with their change-counts).<br />
<br />
Example:<br />
<br />
<pre><br />
From 12345abcde Mon Sep 12 00:00:00 2001<br />
From: Git Committer <some email address><br />
Date: Fri, 7 Oct 2020 08:30:17 +0200<br />
Subject: [PATCH pmg-api 1/2] Fix #1013: this and that<br />
<br />
Here is your commit message.<br />
It explains the bugfix and ends after this line.<br />
<br />
Signed-off-by: Firstname Lastname <firstname@lastname.email><br />
---<br />
***HERE*** you can write your comments.<br />
If this is a new version of an old patch, explain your changes here<br />
<br />
src/PMG/Config.pm | 2 +-<br />
<br />
diff --git a/src/PMG/Config.pm b/src/PMG/Config.pm<br />
(...)<br />
</pre><br />
<br />
If you want to send several related patches that contain changes to different repositories, you can first iterate over all involved repositories, save the patches into one directory and then do a single git send-email over all generated patches. For example, let's go to a few repos and format the most recent commit as a patch to /tmp/patchq, then send it:<br />
<br />
<source lang="bash"><br />
# cd pmg-api; git format-patch -s -o /tmp/patchq -1 <br />
# cd ../pmg-gui; git format-patch -s -o /tmp/patchq -1 <br />
# git send-email --compose --to=pmg-devel@lists.proxmox.com /tmp/patchq/*<br />
</source><br />
<br />
Using options such as <code>--start-number</code> can improve this further, but this is a good start.<br />
<br />
=== Versioned Patches ===<br />
<br />
If an updated version of your patch series is called for, it should be sent<br />
as a new series, rather than as a reply to the old series.<br />
Always send the entire series, with all patches showing the same version.<br />
Please mark your versions in the subject prefix, with a small 'v', followed by<br />
the version number, like this:<br />
<br />
<source lang="bash"><br />
# git format-patch -o my-patches/ --subject-prefix="PATCH v2 pmg-api" master..my_branch<br />
</source><br />
<br />
Please list all the changes to the previous versions in the ''commit summary<br />
section'' as shown in the above example.<br />
For patches with no changes to the previous version, you should mention that there were no<br />
changes in the summary section.<br />
<br />
If your series has a cover letter, summarize all changes in it as well.<br />
<br />
=== Reviewing patches ===<br />
<br />
After reviewing patches which affect a subsystem you maintain, you can notify<br />
committers that you have reviewed the patch and are OK with the changes, with: <br />
<br />
<pre><br />
Acked-by: name / email address<br />
</pre><br />
<br />
=== Convenience Settings ===<br />
<br />
For convenience, you can store the pmg-devel email address and the repository's<br />
default subject prefixes in your repository clones' configurations as follows:<br />
<br />
<source lang="bash"><br />
$ git config --local sendemail.to pmg-devel@lists.proxmox.com<br />
$ git config --local format.subjectprefix 'PATCH pmg-gui'<br />
$ git config --local format.signoff true <br />
</source><br />
<br />
Now the commands to create and send patches become:<br />
<br />
<source lang="bash"><br />
# git format-patch -o my-patches/ master..my_branch<br />
# git send-email --compose my-patches/00*.patch<br />
</source><br />
<br />
== Sending Patches ==<br />
<br />
Always use <code>git send-email</code> to send out patches, otherwise the indentation and formatting will get mangled and the patch cannot be applied anymore.<br />
<br />
=== Tutorial ===<br />
<br />
See https://git-send-email.io/ for an interactive tutorial on setting up <code>git send-email</code>.<br />
<br />
=== Using Authenticated SMTP Server ===<br />
<br />
<code>git send-email</code> can be instructed to use a specific SMTP server for sending. The following shows an anonymized config section example:<br />
<br />
[sendemail]<br />
smtpencryption = tls<br />
smtpserver = webmail.example.com<br />
smtpserverport = 587<br />
smtpuser = j.smith@example.com<br />
smtpsslcertpath =<br />
confirm = always<br />
<br />
Add this to your global user <code>~/.gitconfig</code> or to the per project <code>.git/config</code>.<br />
<code>git send-email</code> will then use these settings by default and ask you once for the password when sending.<br />
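In the section above, <code>smtpsslcertpath</code> is set to an empty value, which makes <code>git send-email</code> skip certificate verification for the SMTP server; leaving the key out uses the SSL library's default trust store. The following added example (not part of git or the Proxmox tooling; <code>audit_sendemail</code> is a hypothetical name and the config files are constructed copies) flags that setting and a missing <code>smtpencryption</code> in a git config file.

```shell
#!/bin/sh
# Added example, not part of git or the Proxmox tooling: flag [sendemail]
# settings that weaken transport security. audit_sendemail is a hypothetical
# name; it prints one line per finding and returns 1 if there is any.
audit_sendemail() {
    awk '
        /^[ \t]*\[/ {                      # section header: track [sendemail]
            in_sec = (tolower($0) ~ /^[ \t]*\[sendemail\]/)
            next
        }
        in_sec && /=/ {                    # key = value inside [sendemail]
            eq  = index($0, "=")
            key = tolower(substr($0, 1, eq - 1))
            val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key)
            sub(/[ \t]*[#;].*$/, "", val)  # drop a trailing comment
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            seen[key] = 1
            value[key] = val
        }
        END {
            bad = 0
            # An empty smtpsslcertpath tells git send-email to skip
            # certificate verification for the SMTP server.
            if (seen["smtpsslcertpath"] && value["smtpsslcertpath"] == "") {
                print "smtpsslcertpath is empty: server certificate is not verified"
                bad = 1
            }
            # Only "tls" and "ssl" encrypt; any other value means plain SMTP.
            if (seen["smtpserver"] && value["smtpencryption"] != "tls" &&
                value["smtpencryption"] != "ssl") {
                print "smtpencryption is not tls or ssl: SMTP session is unencrypted"
                bad = 1
            }
            exit bad
        }
    ' "$1"
}

# Constructed copy of the config section shown above.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
[sendemail]
    smtpencryption = tls
    smtpserver = webmail.example.com
    smtpserverport = 587
    smtpuser = j.smith@example.com
    smtpsslcertpath =
    confirm = always
EOF
audit_sendemail "$cfg" || echo "weak sendemail settings found"

# Same section without the empty smtpsslcertpath line: verification stays on.
grep -v 'smtpsslcertpath' "$cfg" > "$cfg.fixed"
audit_sendemail "$cfg.fixed" && echo "sendemail settings ok"
rm -f "$cfg" "$cfg.fixed"
```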
<br />
== Bugtracker (Bugzilla) ==<br />
<br />
We use Bugzilla to track bugs and feature requests for our products.<br />
<br />
https://bugzilla.proxmox.com<br />
<br />
== Software License and Copyright ==<br />
<br />
We only include code licensed under GNU Affero General Public License, version 3 http://www.gnu.org/licenses/agpl-3.0.html.<br />
<br />
Additionally, we ask contributors to send us a contributor license agreement form by email. This agreement establishes a relationship between us and the contributor, gives details on what it means when the contributor grants permission for their work to be included in a project, and enables us to better maintain these projects.<br />
<br />
With the contributor agreement chosen by Proxmox, the [http://www.harmonyagreements.org Harmony CLA], the contributor gives Proxmox a license to use their contributions. The contributor continues to own the copyright in the contribution, with full rights to re-use, re-distribute, and continue modifying the contributed code, allowing them to also share that contribution with other projects.<br />
<br />
We've tried to keep the agreement as simple and comprehensible as possible. It comes in two flavors:<br />
* one for [http://www.proxmox.com/downloads/item/proxmox-individual-contributor-license-agreement individual contributors]<br />
* and one for [http://www.proxmox.com/downloads/item/proxmox-entity-contributor-assignment-agreement entity contributors] (companies, foundations, or other organizations).<br />
<br />
If you are making a contribution that is not your own work (for example, a patch or library written by someone else), please contact office@proxmox.com for guidance on whether any additional steps are needed.<br />
<br />
== See Also ==<br />
<br />
* [https://git-scm.com/documentation Git Documentation]</div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=Template:Note&diff=58Template:Note2020-10-29T10:28:09Z<p>Martin: page created</p>
<hr />
<div><noinclude>This template is used to visually mark out some important note in the text.<br />
</noinclude>{| class="mbox" style="border: 1px solid #7dae96; border-left: 5px solid #7dae96; background: #f7f9fa; margin: 1.5em"<br />
| class="mbox-text" width=100% | '''Note''': {{{1}}}<br />
|}<noinclude><br />
<br />
== Usage ==<br />
Put the following code on your page:<br />
<br />
<code><nowiki>{{Note|Some text.}}</nowiki></code><br />
<br />
The result will look like this:<br />
{{Note|Some text.}}<br />
</noinclude></div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=Roadmap&diff=54Roadmap2020-07-09T09:55:51Z<p>Martin: page created</p>
<hr />
<div>=Roadmap=<br />
<br />
=Release History=<br />
See also [https://forum.proxmox.com/forums/announcements.7/ Announcement forum]<br />
<br />
==Proxmox Mail Gateway 6.2==<br />
'''Released 28.04.2020'''<br />
<br />
* Based on Debian Buster (10.3)<br />
** Proxmox Mail Gateway is based on the latest stable release of Debian 10.3 (Buster).<br />
* SpamAssassin 3.4.4<br />
** Proxmox ships the latest upstream release of Apache SpamAssassin with an updated and enhanced ruleset (KAM rules added)<br />
* Kernel 5.4<br />
** Proxmox Mail Gateway shares the kernel with Proxmox VE and is based on the 5.4 series from Ubuntu 20.04<br />
* pmg-log-tracker in Rust<br />
** <code>pmg-log-tracker</code> has been extended and reimplemented in the Rust programming language. <code>pmg-log-tracker</code> is the binary at the core of the Message Tracking Center, providing live searchable and grouped logs in the GUI.<br />
** The new <code>pmg-log-tracker</code> has support for parsing and grouping logs in before-queue filtering mode.<br />
** The refresh of the code base of <code>pmg-log-tracker</code> provides optimized performance and more stability.<br />
<br />
* Support for before-queue filtering in the GUI<br />
** With the added support for displaying before-queue filtering logs in the GUI and fixing some minor glitches in that area, the before-queue filtering can now be comfortably enabled in the GUI.<br />
<br />
* Improved IPv6 support<br />
** The Mail Proxy's SPF checker also verifies SPF records for those remote mail servers connecting via IPv6. <br />
** Greylisting support for IPv6 addresses (with variable netmask, defaulting to '/64') - needs to be explicitly enabled.<br />
** Who objects containing IPv6 literal addresses now work.<br />
<br />
* Customizable netmask length for greylist matching<br />
** Instead of fixing a greylist network to a '/24' the administrator can now configure which hosts should be considered as belonging to the same network by setting a larger (or smaller) prefix.<br />
** This can help with receiving mail from some cloud providers, who send out one mail from different IP addresses within a large network, which usually leads to a rather long delay and sometimes even to a legitimate mail being rejected.<br />
** Due to the changed database layout partial upgrades of clusters will prevent nodes running the older version from syncing the greylist database until they are upgraded.<br />
<br />
* Better UX for the User Spam Quarantine interface<br />
** If selected in the Quarantine view, the From header and the Subject are now displayed on top of the mail body.<br />
** It is now possible to delete mail addresses containing certain special characters (for example '/') from a user's black- or whitelist.<br />
** Users can set their preferred language directly in the quarantine interface instead of having to log out to change the setting.<br />
** Fixed a bug in the selection of multiple e-mails.<br />
<br />
* Handling of changes to overridden templates with <code>ucf</code><br />
** Starting with this release, all service configuration templates copied and modified in <code>/etc/pmg/templates</code> get registered with <code>ucf</code>. Should an overridden template change with a new package version, the administrator is asked and can accept or reject the changes.<br />
** All users who have templates in <code>/etc/pmg/templates</code> will be asked about the current changes for the initial registration.<br />
<br />
* New What Object: 'Match Archive Filename'<br />
** In addition to match files in archives (zip, tar.gz, rar,...) based on the file's content-type, it is also possible to look for particular filename patterns inside of archives.<br />
** This completes the feature matrix of matching files based on content-type or filename, as plain attachments, or inside archives.<br />
<br />
* Support for downstream LMTP servers<br />
** In certain setups there is no advantage in having a dedicated SMTP server for receiving e-mails from Proxmox Mail Gateway, since all used functionality is provided by an MTA, which speaks IMAP and LMTP (e.g., Dovecot).<br />
** It is now possible to configure Proxmox Mail Gateway to send e-mails directly to an LMTP relay, both as default transport and only as transport for certain domains.<br />
<br />
* Improvements to recently added features<br />
** Before-queue filtering and DKIM signing, both implemented with Proxmox Mail Gateway 6.1, have a better user experience and are considered stable now.<br />
** Some remaining glitches and bugs fixed for both. <br />
** DKIM selector handling can handle the existence of multiple selectors, and in the GUI users can comfortably switch the active selector.<br />
<br />
* TLS policy selection for internal downstream servers<br />
** It is now possible to specify a desired level of encryption and authentication for the opportunistic TLS-encryption (STARTTLS) for downstream servers entered in your transports.<br />
** This can help to ensure that your internal communication is not sent in the clear over the network. It can also be used to work around broken TLS implementations in legacy downstream servers.<br />
<br />
* Improvements to general usability<br />
** The unbounded growth of the Quarantine disk usage for non-master nodes in clustered setups is fixed.<br />
** It's now possible to switch to incremental updates of the AV signatures for ClamAV via GUI, alleviating the problem that both methods fail in certain cases for some users.<br />
==Proxmox Mail Gateway 6.1==<br />
'''Released 27.11.2019'''<br />
<br />
* Based on Debian Buster (10.2)<br />
** Proxmox Mail Gateway is based on the latest stable release of Debian 10.2 (Buster).<br />
* Updated SpamAssassin rules<br />
* Kernel 5.3<br />
** Proxmox Mail Gateway shares the kernel with Proxmox VE and is based on the 5.3 series from Ubuntu 19.10<br />
<br />
* DKIM-Signing<br />
** Support for adding DomainKeys Identified Mail (DKIM) Signatures (RFC 6376) to outbound emails<br />
** Configuration via GUI<br />
** Signing happens after processing the email with the rule system, thus ensuring that it leaves the Proxmox Mail Gateway with a valid signature<br />
** Flexible control of which domains should get signed with sensible defaults (the relay domains)<br />
** Inside a cluster, one common selector minimizes the overhead for adding required DNS entries<br />
<br />
* Attachment Quarantine<br />
** The <code>Remove Attachments</code> action can now optionally deliver the complete email to the Attachment Quarantine<br />
** The Attachment Quarantine offers a comfortable GUI for selectively downloading parts of the email for further analysis, or delivering the mail to the original recipient<br />
** Accessible only by the administrators, it protects against accidentally opening malicious executables, doc files, and other attachments infected with malware<br />
<br />
* Adjustable SpamAssassin Rule Scores via GUI<br />
** Adapt the scores of individual SpamAssassin rules directly in the GUI<br />
** Enables you to adapt the scoring to your environment, thus achieving better ham/spam detection rates<br />
** Mostly for adding a bit of weight to rules, which are good indicators for Spam in your environment<br />
** Selectively disable Rules, which cause false positives for your environment<br />
<br />
* Improved handling of Configuration and Rule changes in clustered environments<br />
** The Filtering Engine gets notified about a range of configuration changes which require a reload<br />
** The notification is propagated during the cluster sync<br />
** This reduces the situations where you had to manually restart <code>pmg-smtp-filter</code><br />
<br />
* Experimental Support for Before Queue filtering<br />
** Proxmox Mail Gateway can now optionally reject an email during the SMTP dialogue, instead of accepting it and silently discarding unwanted email<br />
** This is a requirement in certain situations<br />
** By answering with a permanent failure code (<code>554</code>), there is no need to generate a Non-Delivery Report, which could cause your system to get blacklisted, due to Backscatter<br />
** Currently incompatible with the Tracking Center, thus needs to be explicitly enabled in <code>/etc/pmg/pmg.conf</code><br />
<br />
* Improvements to general usability<br />
** Clarification of ambiguously used terms in the GUI and documentation<br />
** More detailed documentation of the Service Configuration Templates<br />
** Downloading of emails larger than 2 MB as <nowiki>eml</nowiki> from the Spam Quarantine now works<br />
** API-Viewer now usable from inside every running PMG installation at https://pmg.local:8006/api-viewer/index.html or just online via https://pmg.proxmox.com/pmg-docs/api-viewer/index.html<br />
<br />
==Proxmox Mail Gateway 6.0==<br />
'''Released 27.08.2019'''<br />
<br />
*Proxmox Mail Gateway is based on the latest stable release of Debian 10.0 (Buster)<br />
*This major version update provides an easy to follow step-by-step upgrade path - https://pmg.proxmox.com/wiki/index.php/Upgrade_from_5.x_to_6.0<br />
*Rule name logging - each final action now logs the name of the rule which triggered it to the system log<br />
*The system logs get displayed faster in the GUI because they now use the Proxmox <code>mini-journalreader</code> instead of <code>journalctl</code><br />
*ClamAV 0.101.4 (fix for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934359)<br />
*Postgres 11 (new major version backing the rule system)<br />
*OpenSSL 1.1.1c with support for TLS 1.3<br />
*Updated shipped SpamAssassin Ruleset<br />
*Countless bugfixes and improvements in the GUI labels<br />
<br />
==Proxmox Mail Gateway 5.2==<br />
'''Released 20.03.2019'''<br />
<br />
*Mobile Quarantine Interface<br />
**based on the small and modern framework7<br />
**Deliver/Delete/Whitelist/Blacklist mails in your Quarantine from your mobile device<br />
*Improvements in the LDAP integration<br />
**allow the use of FQDNs instead of IPs in the WebUI<br />
**add support for certificate verification (and enable it for new deployments)<br />
**add support for LDAP+starttls<br />
*PMG-Appliance template<br />
**Install PMG as an (unprivileged) Linux Container (e.g. in PVE)<br />
**Introduces the new 'proxmox-mailgateway-container' metapackage, which does not depend on a kernel, and results in a vastly reduced size (and fewer updates)<br />
*Improvements in Logging<br />
**pmg-smtp-filter now logs each SA rule's score in addition to the rule names, simplifying the analysis of the spam filter's performance without the need to access the mail's source<br />
*Improvements in the WebUI's TLS configuration<br />
**pmgproxy can now be configured via '/etc/default/pmgproxy' to disable/enable certain ciphers, compression, and cipher selection preference.<br />
*new command: <code>pmg-system-report</code><br />
**Provides an overview of key characteristics of PMG's setup and performance<br />
**Improves the initial diagnosis for our Enterprise support<br />
*.eml download from the (non-mobile) Quarantine Interface<br />
**Lets you download the complete source of a quarantined message in .eml format for further analysis<br />
*Add support for custom checks<br />
**Enable users to integrate their own custom check logic by providing a defined interface, which can optionally be enabled, and runs a custom check before the mail gets handed to the virus scanner and rule system.<br />
*Improvements of Blacklist/Whitelist handling in the Quarantine Interface<br />
**multiselect for removing multiple entries at once<br />
*proxmox-spamassassin<br />
**Update the shipped rulesets<br />
*PMG-Cluster: full IPv6 support<br />
*ISO works on Citrix XenServer<br />
*Documentation available via https://pmg.proxmox.com/pmg-docs<br />
*Bugfixes<br />
<br />
==Proxmox Mail Gateway 5.1==<br />
'''Released 05.10.2018'''<br />
<br />
*Allow configuring the TLS policy via the GUI<br />
*New 'helpdesk' role<br />
*Support SMTPUTF8 protocol feature<br />
*GUI improvements<br />
*Update to Debian Stretch 9.5<br />
*Update kernel to 4.15<br />
*Bugfixes<br />
<br />
==Proxmox Mail Gateway 5.0==<br />
'''Released 23.01.2018'''<br />
<br />
*Fully licensed under the open source license AGPL<br />
*Based on Debian Stretch 9.3 with a 4.13.13 kernel<br />
*ISO installer supports all ZFS raid levels<br />
*ExtJS based user interface<br />
*New API<br />
*Integrated documentation<br />
*Subscription-based enterprise support options (similar to the Proxmox VE support subscription model)<br />
*Bug fixes<br />
<br />
== Old Releases ==<br />
*Proxmox Mail Gateway 4.1<br />
*Proxmox Mail Gateway 4.0<br />
*Proxmox Mail Gateway 3.1<br />
*Proxmox Mail Gateway 3.0<br />
*Proxmox Mail Gateway 2.6<br />
*Proxmox Mail Gateway 2.5<br />
*Proxmox Mail Gateway 2.4<br />
*Proxmox Mail Gateway 2.3<br />
*Proxmox Mail Gateway 2.2<br />
*Proxmox Mail Gateway 2.1<br />
*Proxmox Mail Gateway 2.0<br />
*Proxmox Mail Gateway 1.7<br />
*Proxmox Mail Gateway 1.6<br />
*Proxmox Mail Gateway 1.5<br />
*Proxmox Mail Gateway 1.4<br />
*Proxmox Mail Gateway 1.3<br />
*Proxmox Mail Gateway 1.2<br />
*Proxmox Mail Gateway 1.1<br />
*Proxmox Mail Gateway 1.0 (April 2005)</div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=Main_Page&diff=53Main Page2020-07-09T09:54:44Z<p>Martin: /* Release History */</p>
<hr />
<div>__NOTOC__<br />
<TABLE><br />
<tr valign=top><br />
<td><br />
<br />
'''Proxmox Mail Gateway''' is an open-source email security platform based on Debian GNU/Linux. It protects your mail server from spam, viruses, trojans and phishing emails. The full-featured mail proxy is deployed between the firewall and the internal mail server and lets you control all incoming and outgoing email traffic from a single platform with a central web-based management interface. Proxmox Mail Gateway is open-source software, licensed under the GNU AGPL, v3. <br />
<br />
The project is developed and maintained by [https://www.proxmox.com/en/ Proxmox Server Solutions GmbH].<br />
<br />
For an overview of the Proxmox Mail Gateway key features see the [https://www.proxmox.com/en/proxmox-mail-gateway/features Proxmox website].<br />
<br />
=Download=<br />
[https://www.proxmox.com/downloads Download] the latest ISO image files.<br />
<br />
Alternate download: http://download.proxmox.com/iso<br />
<br />
=Installation=<br />
<br />
The installation medium (CD or USB) is a complete operating system, including everything you need to install and run Proxmox Mail Gateway in only a few minutes. It can be installed bare-metal on dedicated hardware or in a virtual machine on all leading virtualization platforms. You can also install it on top of an existing Debian installation.<br />
<br />
'''Installing'''<br />
<br />
[https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_installation Installation of Proxmox Mail Gateway]<br />
<br />
[[Getting started with Proxmox Mail Gateway]]<br />
<br />
'''Upgrading'''<br />
<br />
[[Upgrade_from_5.x_to_6.0|Upgrade from Proxmox Mail Gateway 5.x to 6.0]]<br />
<br />
=Documentation=<br />
The Proxmox Mail Gateway documentation is freely available in different formats such as HTML, PDF or EPUB, see [https://pmg.proxmox.com/pmg-docs/ Proxmox Mail Gateway Reference Documentation]<br />
<br />
You can also access the documentation via the management interface of your Proxmox Mail Gateway installation by clicking on the contextual help buttons.<br />
<br />
=Release History and Roadmap=<br />
Take a look at the [[Roadmap]] for existing and upcoming features.<br />
<br />
=Video Tutorials=<br />
To get an overview of the Proxmox Mail Gateway, we regularly publish video tutorials on our website, see https://www.proxmox.com/training/video-tutorials.<br />
<br />
</td><br />
<td><br />
[[Image:Proxmox-Mail-Gateway-5-2-stats.png|thumb|300px|rightthumb|Proxmox Mail Gateway Statistics]]<br />
</td><br />
</tr><br />
</TABLE><br />
<br />
<!-- T.r.a.p <a href="mailto:user2@test.proxmox.org">do not use this address</a> --></div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=MediaWiki:Sidebar&diff=52MediaWiki:Sidebar2020-07-08T09:05:09Z<p>Martin: </p>
<hr />
<div><br />
* navigation<br />
** mainpage|Proxmox Mail Gateway<br />
** https://pmg.proxmox.com/pmg-docs/|Documentation<br />
** https://www.proxmox.com/en/proxmox-mail-gateway/support|Get support<br />
<br />
* Sites<br />
** https://www.proxmox.com|proxmox.com<br />
** https://forum.proxmox.com|Support forum<br />
** https://bugzilla.proxmox.com|Bugtracker<br />
** https://git.proxmox.com|Source code</div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=Main_Page&diff=48Main Page2020-06-03T11:27:40Z<p>Martin: /* Installation */</p>
<hr />
<div>__NOTOC__<br />
<TABLE><br />
<tr valign=top><br />
<td><br />
<br />
'''Proxmox Mail Gateway''' is an open-source email security platform based on Debian GNU/Linux. It protects your mail server from spam, viruses, trojans and phishing emails. The full-featured mail proxy is deployed between the firewall and the internal mail server and lets you control all incoming and outgoing email traffic from a single platform with a central web-based management interface. Proxmox Mail Gateway is open-source software, licensed under the GNU AGPL, v3.<br />
<br />
The project is developed and maintained by [https://www.proxmox.com/en/ Proxmox Server Solutions GmbH].<br />
<br />
For an overview of the Proxmox Mail Gateway key features see the [https://www.proxmox.com/en/proxmox-mail-gateway/features Proxmox website].<br />
<br />
=Download=<br />
[https://www.proxmox.com/downloads Download] the latest ISO image files.<br />
<br />
Alternate download: http://download.proxmox.com/iso<br />
<br />
=Installation=<br />
<br />
The installation medium (CD or USB) is a complete operating system, including everything you need to install and run Proxmox Mail Gateway in only a few minutes. It can be installed bare-metal on dedicated hardware or in a virtual machine on all leading virtualization platforms. You can also install it on top of an existing Debian installation.<br />
<br />
'''Installing'''<br />
<br />
[https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_installation Installation of Proxmox Mail Gateway]<br />
<br />
[[Getting started with Proxmox Mail Gateway]]<br />
<br />
'''Upgrading'''<br />
<br />
[[Upgrade_from_5.x_to_6.0|Upgrade from Proxmox Mail Gateway 5.x to 6.0]]<br />
<br />
=Documentation=<br />
The Proxmox Mail Gateway documentation is freely available in different formats such as HTML, PDF or EPUB, see [https://pmg.proxmox.com/pmg-docs/ Proxmox Mail Gateway Reference Documentation]<br />
<br />
You can also access the documentation via the management interface of your Proxmox Mail Gateway installation by clicking on the contextual help buttons.<br />
<br />
=Release History=<br />
[[Release History]]<br />
<br />
=Video Tutorials=<br />
To get an overview of the Proxmox Mail Gateway, we regularly publish video tutorials on our website, see https://www.proxmox.com/training/video-tutorials.<br />
<br />
</td><br />
<td><br />
[[Image:Proxmox-Mail-Gateway-5-2-stats.png|thumb|300px|rightthumb|Proxmox Mail Gateway Statistics]]<br />
</td><br />
</tr><br />
</TABLE><br />
<br />
</div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=Getting_started_with_Proxmox_Mail_Gateway&diff=47Getting started with Proxmox Mail Gateway2020-06-03T11:25:54Z<p>Martin: page created</p>
<hr />
<div>== Introduction ==<br />
Proxmox Mail Gateway provides a comprehensive enterprise email security solution, which can be comfortably configured via the Graphical User Interface.<br />
<br />
This article provides descriptions of, and links to, best practices that have emerged in the Proxmox Mail Gateway community.<br />
<br />
The goal is to present a small set of adaptations, which dramatically improve the detection accuracy and user experience of your<br />
Proxmox Mail Gateway.<br />
<br />
It is not meant to display every single possible potential improvement.<br />
<br />
If you run into any issues, please try finding a solution in the [https://pmg.proxmox.com/pmg-docs reference documentation],<br />
which is shipped with every Proxmox Mail Gateway installation and will always provide the most up to date information.<br />
<br />
Searching the [https://forum.proxmox.com Community Forum], or posting your question there can also provide helpful pointers from<br />
our involved and knowledgeable community.<br />
<br />
== Installation ==<br />
<br />
An overview of the Proxmox Mail Gateway installation can be found on [https://www.proxmox.com/en/proxmox-mail-gateway/get-started the Proxmox Mail Gateway homepage]<br />
<br />
The [https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_installation reference documentation] provides a detailed description of the various install methods.<br />
<br />
Additionally you can learn about the installation process from our [https://forum.proxmox.com/threads/installation-tutorials.40827/ video tutorials]<br />
<br />
== Operations/Maintenance ==<br />
<br />
=== Changing Hostname or IP ===<br />
<br />
see [[Change FQDN]]<br />
<br />
=== Configuring Outbound Scanning ===<br />
<br />
Proxmox Mail Gateway accepts email from internal servers on the internal port (default: 26).<br />
The port on which an email arrives determines which rules are applied to it,<br />
and whether the email is relayed to a foreign domain.<br />
<br />
You should take care not to accept mail from the public internet on your internal port, but<br />
only from trusted internal systems.<br />
<br />
It can be difficult to configure certain mailservers (for example Microsoft Exchange) to relay email through a different port than port 25.<br />
In those situations you can swap the internal and external ports of the Proxmox Mail Gateway to use port 25 as the internal port and<br />
configure a port redirection on your firewall to redirect traffic from the public internet on port 25 to port 26 on your Proxmox Mail Gateway.<br />
<br />
For a rationale behind scanning outbound mail check the [https://forum.proxmox.com/threads/filtering-outgoing-mails.78/ community post from the Proxmox Mail Gateway's beginnings]<br />
<br />
== Improving Spam Detection ==<br />
<br />
One of the most effective means to combat spam nowadays is the use of [https://en.wikipedia.org/wiki/Domain_Name_System-based_Blackhole_List DNS based Blackhole lists (DNSBL)].<br />
<br />
Proxmox Mail Gateway offers two places where it can check information against DNSBLs:<br />
* during the SMTP dialog within the Mail Proxy - here only the connecting IP can be checked against the DNSBLs configured in GUI -> Configuration -> Mail Proxy -> Options -> DNSBL Sites<br />
* by the Spam Detector (SpamAssassin) - here the complete content of the mail (including potentially malicious URLs) is checked against a set of [https://cwiki.apache.org/confluence/display/SPAMASSASSIN/DnsBlocklists predefined lists]<br />
<br />
DNSBLs have different acceptable use policies, including offering free service for non-commercial use, a limit on the number of queries, or a required registration. Make sure to check that your use-case is allowed by the providers of the list.<br />
Since the service provided by the DNSBL operators is very valuable for the functioning of the email ecosystem you could consider supporting the providers, if possible.<br />
<br />
=== Basic set of DNSBLs for the Mail Proxy ===<br />
<br />
The following list offers quite good results in practice:<br />
* zen.spamhaus.org [https://www.spamhaus.org/organization/dnsblusage/ Acceptable Use Policy]<br />
* b.barracudacentral.org [https://www.barracudacentral.org/rbl Acceptable Use Policy]<br />
<br />
=== Dedicated DNS Resolver on Proxmox Mail Gateway ===<br />
<br />
Since DNSBLs transport information via DNS, having a working DNS Setup is essential to good anti-spam results.<br />
<br />
Running a [https://pmg.proxmox.com/wiki/index.php/DNS_server_on_Proxmox_Mail_Gateway dedicated recursive DNS Server] on your Proxmox Mail Gateway can help avoid running into rate limits.<br />
<br />
=== URIBL custom datafeed ===<br />
For sites where the email volume is so high that even a dedicated DNS server reaches URIBL's rate limit you can consider purchasing a custom DNS datafeed from URIBL:<br />
<br />
see [[URIBL Datafeed over DNS]]<br />
<br />
== Improving Antivirus Accuracy ==<br />
<br />
=== Second virus scanner ===<br />
<br />
Installing a second Antivirus engine can help improve the Antivirus detection rate:<br />
<br />
see [[Install Avast]]<br />
<br />
== Let's Encrypt - a free, automated and open certificate authority ==<br />
To configure a globally trusted certificate using Let's Encrypt follow the <br />
[https://forum.proxmox.com/threads/how-to-lets-encrypt-and-pmg.41493/ thread in our forum]<br />
<br />
== End user quarantine access ==<br />
<br />
=== Quarantine Web Interface via 443 ===<br />
By redirecting your Quarantine links to a Proxy on port 443 you can restrict access to the admin interface to certain IPs and present your users with a globally trusted certificate:<br />
<br />
see [https://pmg.proxmox.com/wiki/index.php/Quarantine_Web_Interface_Via_Nginx_Proxy Quarantine Web Interface via Nginx Proxy]<br />
<br />
== Load Balancing ==<br />
<br />
Load balancing SMTP is most easily achieved using DNS.<br />
<br />
Since Proxmox Mail Gateway is a proxy which does not store mail permanently you can simply configure multiple MX records with the same priority for your domains,<br />
or multiple A records for the DNS name, which you use as MX record.<br />
<br />
See the ''HA Cluster'' tab on the [https://www.proxmox.com/en/proxmox-mail-gateway/features Proxmox Mail Gateway feature page] and the [https://forum.proxmox.com/threads/redundant-servers-and-load-balancing-using-mx-records.73/ thread in our community forum].</div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=URIBL_Datafeed_over_DNS&diff=46URIBL Datafeed over DNS2020-06-03T11:22:45Z<p>Martin: page created</p>
<hr />
<div>== Introduction ==<br />
<br />
Certain DNSBLs are run on a "free for most" model, meaning that most users can use their service without payment.<br />
<br />
Usually there is a limit on the number of queries you can run against their service, before you get blocked.<br />
<br />
The very effective DNSBL [http://uribl.com uribl] indicates that you have reached the rate-limit by creating SpamAssassin hits on <code>URIBL_BLOCKED</code>, which show up in your mail logs.<br />
<br />
Reaching the limit means your Proxmox Mail Gateway will not get correct answers from uribl, which reduces the spam detection accuracy dramatically.<br />
<br />
The first mitigation you should consider is making sure that you have a working and correct DNS setup for your Proxmox Mail Gateway, for example by<br />
installing a [https://pmg.proxmox.com/wiki/index.php/DNS_server_on_Proxmox_Mail_Gateway dedicated recursive DNS server].<br />
<br />
Should you still reach the query limit, you should consider subscribing to a dedicated [http://uribl.com/datafeed.shtml datafeed via DNS], which <br />
removes the query limit for you, and is priced based on your number of queries.<br />
<br />
Once you have subscribed you will receive an email with detailed instructions, which should give you a good overview of the features offered<br />
by the datafeed service.<br />
<br />
This HOWTO provides the necessary steps to integrate your custom DNS datafeed in your Proxmox Mail Gateway installation, based on the<br />
[http://uribl.com/datafeed_dns.txt configuration howto from uribl.com].<br />
<br />
Depending on whether you have a dedicated DNS server used by your Proxmox Mail Gateway or not you can follow two<br />
ways to use your custom datafeed.<br />
<br />
== Configuration with a dedicated DNS Server ==<br />
If you have one or two dedicated IP Networks under your control, where your DNS Servers are located, you can simply<br />
[https://admin.uribl.com/?section=lookup;method=dologin login to uribl] and add those 2 networks as registered with your datafeed.<br />
<br />
Your DNS requests will come from one of the whitelisted IPs and will not be blocked due to rate limiting.<br />
<br />
''' This method is only applicable if you run a recursive DNS server, where you know who is allowed to ask queries there.'''<br />
<br />
Do not whitelist shared DNS servers provided by your ISP, or global ones (8.8.8.8, 9.9.9.9, 1.1.1.1): otherwise all requests<br />
relayed via those IPs will be billed to your account.<br />
<br />
== Configuration by adapting SpamAssassin Configuration ==<br />
<br />
If your setup needs to use a shared DNS server and you cannot control who can use it for URIBL queries you will have<br />
to configure SpamAssassin within your Proxmox Mail Gateway to use the custom query host provided with your datafeed.<br />
<br />
The correct way to change the [https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_custom_spamassassin_configuration SpamAssassin configuration in a Proxmox Mail Gateway installation] is by using the <br />
[https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine templating system].<br />
<br />
Just add the adapted example configuration provided by uribl to your <code>/etc/mail/spamassassin/custom.cf</code> - this will also ensure that it gets synchronized to all nodes, if you have a clustered setup.<br />
<br />
Make sure to replace <code>_CUSTID</code> with your custom datafeed id, which you received in the mail from uribl.com.<br />
<br />
The following minimal config enables your custom datafeed for the regular DNSBLs (URIBL_BLACK, URIBL_GREY, URIBL_RED):<br />
<br />
<nowiki><br />
urirhssub URIBL_BLOCKED _CUSTID.df.uribl.com. A 1<br />
urirhssub URIBL_BLACK _CUSTID.df.uribl.com. A 2<br />
urirhssub URIBL_GREY _CUSTID.df.uribl.com. A 4<br />
urirhssub URIBL_RED _CUSTID.df.uribl.com. A 8<br />
</nowiki><br />
<br />
As suggested in the uribl guide, you can verify that it works by running: <code> echo -e "Subject: test\n\nhttp://uribl.asia\n\n" | spamassassin -D 2>&1 | grep URIBL_BLACK</code><br />
Your custom datafeed id should be present in the output.<br />
<br />
<br />
Should you need further help, consider getting an [https://www.proxmox.com/en/proxmox-mail-gateway/pricing enterprise support subscription].</div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=Install_Avast&diff=45Install Avast2020-06-03T11:21:09Z<p>Martin: page created</p>
<hr />
<div>== Introduction ==<br />
<br />
Proxmox Mail Gateway ships and uses the open source [https://www.clamav.net/ ClamAV] antivirus engine in its default installation.<br />
<br />
Certain environments have the need for a better virus detection rate than the one achieved by ClamAV.<br />
<br />
For these setups Proxmox Mail Gateway offers an integration with the [https://www.avast.com/en-us/business/products/antivirus-for-linux Avast Antivirus for Linux].<br />
<br />
Avast Antivirus for Linux is commercial software and you will need to purchase a license in order to use it.<br />
<br />
The following facts are why it can be integrated with Proxmox Mail Gateway as an alternative to ClamAV:<br />
<br />
* The licensing is based on the number of installations instead of other licensing schemes such as the number of processed mails or mailboxes.<br />
* The software runs daemonized and thus reads and caches the AV definitions once upon startup instead of each time a file is scanned.<br />
<br />
The following HOWTO provides the necessary steps to install and configure Avast within a Proxmox Mail Gateway installation.<br />
<br />
== Installing Avast Antivirus for Linux ==<br />
<br />
Proxmox Mail Gateway is based on Debian GNU/Linux - thus you need to follow the installation instructions for Debian systems.<br />
<br />
To configure the Avast repository and install the software:<br />
<br />
# Create the appropriate [https://manpages.debian.org/apt/sources.list.5.en.html sources.list] entry:<br />
#:<code>echo "deb http://deb.avast.com/lin/repo debian-buster release" > /etc/apt/sources.list.d/avast.list</code><br />
# Verify the signing key for the repository from Avast:<br />
#* Get the key<br />
#*:<code>wget https://files.avast.com/files/resellers/linux/avast.gpg</code><br />
#*Read the checksum<br />
#*:<code>sha512sum avast.gpg</code><br />
#* The result should be<br />
#*:<code>d9bb45d67664ad86f8d91a8f98657554b0550a8e467a5d6a3132de5d214b072470bf793ced9e3f13f774b5bfd061ce0ce7b192bf450bb68fc988072af17fb229 avast.gpg</code><br />
#* Add the GPG key<br />
#*:<code>apt-key add avast.gpg</code><br />
# Update the apt package information and install the software<br />
#:<code>apt update</code><br />
#:<code>apt install avast</code><br />
<br />
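The checksum comparison from step 2, written so that the key is only registered when the hash matches. This is an added example, not code from Avast or Proxmox: the function names and the <code>KEY_ADD_CMD</code> variable are hypothetical, while the expected hash and the <code>apt-key add</code> command are the ones given in the steps above.<br />

```shell
#!/bin/sh
# Added example: only trust the downloaded repository key if its SHA-512
# matches the value published in the installation steps above.

# Expected digest of avast.gpg, copied from the steps above.
AVAST_KEY_SHA512="d9bb45d67664ad86f8d91a8f98657554b0550a8e467a5d6a3132de5d214b072470bf793ced9e3f13f774b5bfd061ce0ce7b192bf450bb68fc988072af17fb229"

# Command that registers the key (from the steps above). Hypothetical
# variable, so the gate can be exercised without touching the apt keyring.
KEY_ADD_CMD=${KEY_ADD_CMD:-apt-key add}

# normalize_hex TEXT: strip whitespace and lowercase a hex digest.
normalize_hex() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr 'A-F' 'a-f'
}

# verify_sha512 FILE EXPECTED
# Returns 0 on match, 1 on mismatch, 2 if the file cannot be read or the
# reference value is not a well-formed SHA-512 digest.
verify_sha512() {
    vs_file=$1
    vs_expected=$(normalize_hex "$2")
    [ -f "$vs_file" ] && [ -r "$vs_file" ] || return 2
    # A SHA-512 digest is exactly 128 hex characters; reject a truncated
    # or mistyped reference value instead of comparing against it.
    case $vs_expected in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#vs_expected}" -eq 128 ] || return 2
    # Hash via stdin so the output never depends on the file name.
    vs_actual=$(sha512sum < "$vs_file" | cut -d ' ' -f 1)
    [ "$vs_actual" = "$vs_expected" ]
}

# add_verified_key FILE [EXPECTED]
# Registers FILE as a trusted key only after the checksum matched.
add_verified_key() {
    ak_file=$1
    ak_expected=${2:-$AVAST_KEY_SHA512}
    ak_rc=0
    verify_sha512 "$ak_file" "$ak_expected" || ak_rc=$?
    case $ak_rc in
        0) ;;
        1) echo "SHA-512 mismatch for $ak_file: key NOT added" >&2
           return 1 ;;
        *) echo "cannot verify $ak_file: key NOT added" >&2
           return 2 ;;
    esac
    $KEY_ADD_CMD "$ak_file"
}

# Usage on the gateway, replacing the manual comparison:
#   wget https://files.avast.com/files/resellers/linux/avast.gpg
#   add_verified_key avast.gpg
```

If the vendor rotates the signing key, the expected digest has to be refreshed from a trusted channel before the check can pass again.<br />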
== Registering license ==<br />
<br />
Follow the [https://support.avast.com/en-eu/article/131/ instructions provided by Avast] to activate your purchased license.<br />
<br />
After enabling your license you need to restart the <code>avast.service</code>:<br />
systemctl restart avast.service<br />
<br />
== Integration with Proxmox Mail Gateway ==<br />
<br />
Enabling the Avast scanner in Proxmox Mail Gateway is achieved by editing the [https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmg_configuration_file Proxmox Mail Gateway's configuration file]<br />
<code>/etc/pmg/pmg.conf</code> and adding the line <code>avast 1</code> to the <code>admin</code> section:<br />
<br />
section: admin<br />
avast 1<br />
email admin@pmg.example<br />
<br />
Finally you need to restart the <code>pmg-smtp-filter</code> service, or reboot your Proxmox Mail Gateway:<br />
systemctl restart pmg-smtp-filter<br />
<br />
<br />
Should you need further help, consider getting an [https://www.proxmox.com/en/proxmox-mail-gateway/pricing enterprise support subscription].</div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=Change_FQDN&diff=44Change FQDN2020-06-03T11:19:46Z<p>Martin: page created</p>
<hr />
<div>== Introduction ==<br />
<br />
Changing the fully qualified domain name (FQDN) or IP address of a Proxmox Mail Gateway installation is basically done like on any other GNU/Linux system.<br />
However, there are a few config files on which Proxmox Mail Gateway relies to get its configuration right.<br />
<br />
In most situations, you will need to make changes to your domain records to reflect the change of hostname and/or IP address since email delivery relies on correct DNS records.<br />
<br />
This short article will walk you through all the necessary places in which you might need to adapt the configuration.<br />
<br />
For the remainder we assume that:<br />
* we want to change the FQDN of our installation to <code>pmgchanged.proxmox.com</code> <br />
* we want to change the IP address and network to <code>192.0.2.72/24</code><br />
* the Gateway in our network is <code>192.0.2.1</code><br />
* the DNS server in our network is <code>192.0.2.53</code><br />
<br />
== Adapting the FQDN on the Proxmox Mail Gateway ==<br />
This needs to happen in 3 places:<br />
* <code>/etc/hostname</code> - the short hostname (<code>pmgchanged</code>, the part before the first <code>.</code>) needs to be entered there.<br />
* <code>/etc/hosts</code> - there needs to be an entry with the main IP pointing to the short hostname and FQDN:<br />
<nowiki><br />
127.0.0.1 localhost.localdomain localhost<br />
192.0.2.72 pmgchanged.proxmox.com pmgchanged<br />
# leave remaining /etc/hosts untouched<br />
</nowiki><br />
<br />
* <code>/etc/resolv.conf</code> - needs to contain the domain name part as <code>search</code> - This can also be accomplished in the GUI (on the main Configuration Menu entry):<br />
<nowiki><br />
search proxmox.com<br />
nameserver 192.0.2.53<br />
</nowiki><br />
<br />
== Changing the IP configuration ==<br />
<br />
Adapt the <code>/etc/network/interfaces</code> file with the new IP:<br />
<br />
<nowiki><br />
# comments<br />
auto lo<br />
iface lo inet loopback<br />
<br />
auto ens18<br />
iface ens18 inet static<br />
address 192.0.2.72/24<br />
gateway 192.0.2.1<br />
</nowiki><br />
== Consideration for clustered setups ==<br />
If you run a Proxmox Mail Gateway cluster, you will need to adapt <code>/etc/pmg/cluster.conf</code> with the changed IP addresses and hostnames and make sure that passwordless SSH authentication is still working between the nodes in the cluster.<br />
<br />
Additionally check all other nodes' <code>/etc/hosts</code> files to make sure that the old IP address and FQDN are replaced there as well.<br />
<br />
== Updating the IP and/or FQDN on all relevant internal systems ==<br />
Change the internal systems which use the Proxmox Mail Gateway to the new IP or FQDN. This can be the mailserver which relays mails via the Proxmox Mail Gateway.<br />
<br />
== Changing all relevant DNS records ==<br />
Email relies on DNS records for its operation.<br />
* If you change the FQDN of your Proxmox Mail Gateway installation, make sure to update the MX records of all domains for which it relays email to the new FQDN.<br />
* Add or update the A record of the FQDN to point to the current IP address of your Proxmox Mail Gateway.<br />
* Update the reverse Pointer (PTR record) of the IP address to point to the new FQDN of your Proxmox Mail Gateway</div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=Quarantine_Web_Interface_Via_Nginx_Proxy&diff=43Quarantine Web Interface Via Nginx Proxy2020-05-05T10:26:18Z<p>Martin: </p>
<hr />
<div>== Introduction ==<br />
<br />
Proxmox Mail Gateway can be configured to quarantine mail, instead of delivering potentially dangerous content to users directly.<br />
If a mail is detected as spam, users themselves can decide whether they want to keep or delete it in the user quarantine interface.<br />
For dangerous content, such as mail containing viruses or potentially dangerous attachments, the administrator needs to decide whether<br />
to pass the mail on or delete it.<br />
<br />
In certain environments it is desired to provide the user quarantine interface at a specific host and port, <br />
e.g. in order to only allow access to the interface from outside on port 443, or to provide a different and <br />
trusted certificate to your users.<br />
<br />
The following Howto describes a small nginx configuration, which only exposes the paths necessary for user quarantine interface access,<br />
while preventing access to other parts of the API.<br />
<br />
Keep in mind that this provides mostly cosmetic protection, since all paths in the Proxmox Mail Gateway API, apart from the login path,<br />
are only available to authenticated users anyway. The unprotected login path needs to be forwarded for the quarantine access as well.<br />
<br />
For creating a general reverse proxy for the complete web interface refer to the [https://pve.proxmox.com/wiki/Web_Interface_Via_Nginx_Proxy Howto in the Proxmox VE wiki].<br />
<br />
== Installing nginx ==<br />
<br />
The Howto creates a configuration suitable for nginx. You can install nginx on your Proxmox Mail Gateway using <nowiki>apt</nowiki>:<br />
apt install nginx<br />
<br />
== Creating a site to proxy requests for quarantine ==<br />
<br />
The following configuration is a minimal working nginx-site to proxy all requests necessary for accessing the quarantine interface for users.<br />
You should adapt it to your site's requirements. This includes:<br />
* changing the path to the used certificates<br />
* setting the proper <nowiki>server_name</nowiki><br />
* adapting the ssl-configuration parameters to current best practices<br />
* if the proxy server is running on another host adapting the url for the <nowiki>proxy_pass</nowiki> directives<br />
<br />
<br />
To get the site running write the config to <nowiki>/etc/nginx/sites-available/pmg-quarantine.conf</nowiki> and symlink it to <nowiki>/etc/nginx/sites-enabled</nowiki>:<br />
ln -rs /etc/nginx/sites-available/pmg-quarantine.conf /etc/nginx/sites-enabled/<br />
<br />
<br />
<nowiki><br />
server {<br />
listen 80 default_server;<br />
rewrite ^(.*) https://$host$1 permanent;<br />
}<br />
<br />
server {<br />
listen 443 ssl;<br />
server_name _;<br />
ssl_certificate /etc/pmg/pmg-api.pem;<br />
ssl_certificate_key /etc/pmg/pmg-api.pem;<br />
proxy_redirect off;<br />
<br />
proxy_set_header Upgrade $http_upgrade;<br />
proxy_set_header Connection "upgrade"; <br />
proxy_set_header PVEClientIP $remote_addr; <br />
proxy_buffering off;<br />
client_max_body_size 0;<br />
proxy_connect_timeout 3600s;<br />
proxy_read_timeout 3600s;<br />
proxy_send_timeout 3600s;<br />
send_timeout 3600s;<br />
# proxy requests for static components<br />
location ~ /proxmoxlib.js$|/favicon.ico$|/pve2/|/fontawesome/|/framework7/|/pwt/css/ {<br />
proxy_pass https://localhost:8006;<br />
}<br />
location /quarantine {<br />
proxy_pass https://localhost:8006;<br />
}<br />
<br />
location /api2 {<br />
location ~ /api2/(extjs|json|htmlmail)/(access/ticket$|version$) {<br />
proxy_pass https://localhost:8006;<br />
}<br />
location ~ /api2/(extjs|json|htmlmail)/nodes/.+/subscription$ {<br />
proxy_pass https://localhost:8006;<br />
}<br />
location ~ /api2/(extjs|json|htmlmail)/quarantine {<br />
proxy_pass https://localhost:8006;<br />
}<br />
return 403;<br />
}<br />
<br />
location / {<br />
return 403;<br />
}<br />
}<br />
</nowiki></div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=File:Proxmox-Mail-Gateway-5-2-stats.png&diff=41File:Proxmox-Mail-Gateway-5-2-stats.png2020-04-28T10:09:55Z<p>Martin: Martin uploaded a new version of File:Proxmox-Mail-Gateway-5-2-stats.png</p>
<hr />
<div></div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=DNS_server_on_Proxmox_Mail_Gateway&diff=39DNS server on Proxmox Mail Gateway2020-01-14T15:07:50Z<p>Martin: page created</p>
<hr />
<div>== Introduction ==<br />
<br />
One of the most effective means of detecting spam currently is the use of [https://cwiki.apache.org/confluence/display/SPAMASSASSIN/DnsBlocklists DnsBlocklists].<br />
These lists are used to query the IP of the connecting SMTP server, or IPs and hostnames occurring in the mail body.<br />
<br />
Some of the DNS Blocklists used by SpamAssassin (and thus also Proxmox Mail Gateway) allow only a certain number of requests per DNS server and don't respond once your DNS server has reached its quota.<br />
This is reflected in the mail logs and SpamAssassin hits of a mail. If you see 'URIBL_BLOCKED', 'RCVD_IN_DNSWL_BLOCKED' or 'SURBL_BLOCKED' in your mail logs or the mail headers, this is an indication that your system has reached the quota.<br />
<br />
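The rate-limit indicators named above (and <code>URIBL_BLOCKED</code> on the URIBL Datafeed page), turned into a log check. This is an added example, not part of the original wiki page or of Proxmox Mail Gateway: only the three rule names come from the text, while the log line layout, the <code>SA score=</code> marker used to count scanned mails, and the 5% threshold are assumptions.<br />

```shell
#!/bin/sh
# Added example: count SpamAssassin "blocked" hits in a mail log to see
# whether the resolver has run into a DNS blocklist quota.

# Rule names taken from the text above.
BLOCKED_RULES="URIBL_BLOCKED RCVD_IN_DNSWL_BLOCKED SURBL_BLOCKED"

# Constructed sample log lines (not real traffic; layout is an assumption,
# NOT_URIBL_BLOCKED_X is a made-up name to show whole-token matching).
sample_log() {
    cat <<'EOF'
Jan 14 10:00:01 pmg pmg-smtp-filter[811]: 1001: SA score=0/5 time=1.2 hits=DKIM_SIGNED(0.1),SPF_PASS(-0.001)
Jan 14 10:00:07 pmg pmg-smtp-filter[811]: 1002: SA score=1/5 time=4.8 hits=URIBL_BLOCKED(0.001),SPF_PASS(-0.001)
Jan 14 10:00:09 pmg pmg-smtp-filter[812]: 1003: SA score=6/5 time=2.0 hits=URIBL_BLACK(1.7),RCVD_IN_DNSWL_BLOCKED(0.001),URIBL_BLOCKED(0.001)
Jan 14 10:00:15 pmg postfix/smtpd[900]: connect from unknown[192.0.2.10]
Jan 14 10:00:20 pmg pmg-smtp-filter[811]: 1004: SA score=0/5 time=0.9 hits=NOT_URIBL_BLOCKED_X(0.1)
EOF
}

# rule_regex RULE...: ERE that matches any of the rules as a whole token,
# so a longer rule name containing one of them is not counted.
rule_regex() {
    rr_alt=$(echo "$*" | tr ' ' '|')
    printf '(^|[^A-Za-z0-9_])(%s)([^A-Za-z0-9_]|$)' "$rr_alt"
}

# count_rule_hits RULE FILE: number of log lines that carry RULE.
count_rule_hits() {
    grep -c -E -- "$(rule_regex "$1")" "$2" || true
}

# blocked_percent FILE: integer percentage of scanned mails (lines with
# "SA score=") that carry at least one of the blocked rules.
blocked_percent() {
    bp_scanned=$(grep -c -F -- 'SA score=' "$1" || true)
    # $BLOCKED_RULES is left unquoted on purpose: one argument per rule.
    bp_blocked=$(grep -F -- 'SA score=' "$1" |
                 grep -c -E -- "$(rule_regex $BLOCKED_RULES)" || true)
    if [ "${bp_scanned:-0}" -eq 0 ]; then
        echo 0
        return 0
    fi
    echo $(( bp_blocked * 100 / bp_scanned ))
}

# quota_report FILE [THRESHOLD_PERCENT]
# Prints per-rule counts; returns 1 when the affected share reaches the
# threshold (default 5, an arbitrary starting point), 2 if FILE is unreadable.
quota_report() {
    qr_file=$1
    qr_limit=${2:-5}
    [ -r "$qr_file" ] || { echo "cannot read $qr_file" >&2; return 2; }
    for qr_rule in $BLOCKED_RULES; do
        printf '%-24s %s\n' "$qr_rule" "$(count_rule_hits "$qr_rule" "$qr_file")"
    done
    qr_pct=$(blocked_percent "$qr_file")
    printf 'scanned mails affected:  %s%%\n' "$qr_pct"
    [ "$qr_pct" -lt "$qr_limit" ]
}

# Demo on the constructed sample; point quota_report at the real mail log
# of the gateway instead.
demo_log=$(mktemp)
sample_log > "$demo_log"
quota_report "$demo_log" 5 || echo "blocklist quota likely reached: check the resolver setup"
rm -f "$demo_log"
```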
If you're using a shared DNS server (e.g. your ISP's, or a publicly available one like 9.9.9.9, 1.1.1.1, 8.8.8.8) it is quite likely that the Mail Gateway's requests will be blocked.<br />
<br />
Installing a dedicated DNS server on the Proxmox Mail Gateway can help in such situations.<br />
<br />
Keep in mind that the DNS Blocklists can only count the requests per public IP, i.e. if you have both your internal DNS and Proxmox Mail Gateway NATed to the same public IP, setting up a recursive DNS server will not help.<br />
<br />
If you keep reaching the limit despite having a dedicated recursive server for your Proxmox Mail Gateway you should consider getting a dedicated feed, which is provided by most DNS Blocklist providers for a fee. This also helps keeping this important infrastructure up and running.<br />
<br />
We will use the [https://nlnetlabs.nl/projects/unbound/about/ Unbound] recursive DNS server.<br />
<br />
== Installing and using unbound ==<br />
<br />
Simply run<br />
apt install unbound dnsutils<br />
<br />
to install the <code>unbound</code> server - the <code>dnsutils</code> package contains <code>dig</code>, which can be used for testing.<br />
<br />
Check that unbound is indeed listening on port 53:<br />
# ss -tulnp | grep :53<br />
udp UNCONN 0 0 127.0.0.1:53 0.0.0.0:* users:(("unbound",pid=137,fd=5))<br />
udp UNCONN 0 0 [::1]:53 [::]:* users:(("unbound",pid=137,fd=3))<br />
tcp LISTEN 0 128 127.0.0.1:53 0.0.0.0:* users:(("unbound",pid=137,fd=6))<br />
tcp LISTEN 0 128 [::1]:53 [::]:* users:(("unbound",pid=137,fd=4))<br />
<br />
You can verify that DNS resolution works by using the <code>dig</code> utility<br />
# dig a proxmox.com @127.0.0.1 +short <br />
79.133.36.244<br />
<br />
Afterwards you need to configure your Proxmox Mail Gateway installation to use the local dns-server listening on <code>127.0.0.1</code> (or optionally <code>::1</code>) as resolver.<br />
In the following article we assume that your domain is <code>yourdomain.example</code> - you need to adapt the posted configuration.<br />
On a standard installation this is done by simply placing:<br />
nameserver 127.0.0.1<br />
search yourdomain.example<br />
<br />
in <code>/etc/resolv.conf</code>.<br />
<br />
When Proxmox Mail Gateway is running as a Container on Proxmox VE, then you need to edit the container's DNS Settings to use <code>127.0.0.1</code> as DNS Server (and adapt your search domain to <code>yourdomain.example</code>)<br />
<br />
If you have installed the resolvconf package you should not need to change anything, since the unbound package in Debian brings integration with <code>resolvconf</code>.<br />
<br />
Should your system use <code>systemd-resolved</code> make sure that<br />
resolvectl status<br />
<br />
indicates that <code>127.0.0.1</code> is listed as <code>Current DNS Server</code><br />
<br />
Alternatively you can simply disable and stop the service<br />
systemctl disable systemd-resolved<br />
systemctl stop systemd-resolved<br />
<br />
After installing you can either reboot your Proxmox Mail Gateway, or restart the services relevant for mail-processing:<br />
systemctl restart pmg-smtp-filter pmgpolicy postfix<br />
<br />
== Forwarding requests for your internal zone to your internal DNS ==<br />
<br />
In some environments the internally used DNS has all knowledge about your domain, and should be consulted for it, instead of unbound getting the publicly available data via DNS delegation from the root-servers.<br />
<br />
You can configure unbound to ask your internal DNS-server (for this example the internal DNS-server has the IP 192.0.2.53) for your internal domains (yourdomain.example and yourseconddomain.example).<br />
Create a dedicated config-snippet <code>/etc/unbound/unbound.conf.d/local-stub.conf</code>:<br />
<br />
stub-zone:<br />
name: "yourdomain.example"<br />
stub-addr: 192.0.2.53<br />
<br />
stub-zone:<br />
name: "yourseconddomain.example"<br />
stub-addr: 192.0.2.53<br />
<br />
<br />
Afterwards restart unbound and verify that DNS-requests for yourdomain.example are delegated to 192.0.2.53 (by checking the DNS logs there):<br />
systemctl restart unbound<br />
dig test.yourdomain.example @127.0.0.1<br />
<br />
<br />
== Optional: Using the local unbound only for DNS Blocklist requests ==<br />
<br />
Should your environment require you to use an internal DNS server for all requests, because you have a very modified setup or are employing some other blocking for regulatory reasons, you can also try to forward all other requests to your internal DNS Server and only ask the DNS Blocklist zones recursively.<br />
<br />
This setup is '''not recommended for general use''', since it increases the complexity and makes debugging harder.<br />
<br />
In the example we will use recursive queries for the following domains and forward all other requests to 192.0.2.53:<br />
* mailspike.net<br />
* dnsbl.sorbs.net<br />
* rhsbl.sorbs.net<br />
* bl.spamcop.net<br />
* spamhaus.org<br />
* surbl.org<br />
* uribl.com<br />
* dnswl.org<br />
<br />
The list is taken from the [https://cwiki.apache.org/confluence/display/SPAMASSASSIN/DnsBlocklists Spam Assassin Entry on DNS Blocklists].<br />
You should extend the list with all domains you are using in your setup (especially the ones configured for <code>postscreen</code>).<br />
<br />
Since unbound cannot do recursive lookups for specific zones if it is forwarding all other requests we will configure 2 unbound instances:<br />
* one listening on port <code>5003</code> for recursive lookups - the DNSBL instance<br />
* one forwarding requests for the DNSBL domains to port 5003, and all other requests to your internal DNS Server.<br />
<br />
For the DNSBL instance, create a config file that includes only the necessary config options, <code>/etc/unbound/unbound-rbl.conf</code>:<br />
#unbound instance listening on port 5003 for DNSBL lookups<br />
include: "/etc/unbound/unbound.conf.d/qname-minimisation.conf"<br />
include: "/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf"<br />
<br />
port: 5003<br />
remote-control:<br />
    control-port: 8954<br />
<br />
Additionally you need to create a systemd unit (<code>/etc/systemd/system/unbound-rbl.service</code>):<br />
<br />
[Unit]<br />
Description=Unbound DNS server for DNSBL lookups<br />
Documentation=man:unbound(8)<br />
After=network.target<br />
Before=nss-lookup.target<br />
Wants=nss-lookup.target<br />
<br />
[Service]<br />
Type=simple<br />
Restart=on-failure<br />
EnvironmentFile=-/etc/default/unbound<br />
EnvironmentFile=-/etc/default/unbound-rbl<br />
ExecStartPre=-/usr/lib/unbound/package-helper chroot_setup<br />
ExecStartPre=-/usr/lib/unbound/package-helper root_trust_anchor_update<br />
ExecStart=/usr/sbin/unbound -c /etc/unbound/unbound-rbl.conf -d $DAEMON_OPTS<br />
ExecReload=/usr/sbin/unbound-control -c /etc/unbound/unbound-rbl.conf reload<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
<br />
<br />
and enable it with<br />
systemctl enable unbound-rbl<br />
systemctl start unbound-rbl<br />
<br />
<br />
For the instance listening on port 53 you need to create a config-snippet in <code>/etc/unbound/unbound.conf.d/pmg-dnsbl.conf</code>:<br />
server:<br />
    do-not-query-localhost: no<br />
    # depending on your internal DNS-servers capabilities these options might be necessary<br />
    # harden-dnssec-stripped: no<br />
    # module-config: "iterator"<br />
<br />
forward-zone:<br />
    name: "uceprotect.net"<br />
    forward-addr: 127.0.0.1@5003<br />
<br />
forward-zone:<br />
    name: "mailspike.net"<br />
    forward-addr: 127.0.0.1@5003<br />
<br />
forward-zone:<br />
    name: "sorbs.net"<br />
    forward-addr: 127.0.0.1@5003<br />
<br />
forward-zone:<br />
    name: "bl.spamcop.net"<br />
    forward-addr: 127.0.0.1@5003<br />
<br />
forward-zone:<br />
    name: "spamhaus.org"<br />
    forward-addr: 127.0.0.1@5003<br />
<br />
forward-zone:<br />
    name: "surbl.org"<br />
    forward-addr: 127.0.0.1@5003<br />
<br />
forward-zone:<br />
    name: "uribl.com"<br />
    forward-addr: 127.0.0.1@5003<br />
<br />
forward-zone:<br />
    name: "dnswl.org"<br />
    forward-addr: 127.0.0.1@5003<br />
<br />
forward-zone:<br />
    name: "."<br />
    forward-addr: 192.0.2.53<br />
<br />
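A static check for the forwarding snippet above, as an added example that is not part of the original wiki page: it parses the <code>forward-zone</code> clauses and reports DNSBL zones that would fall through to the catch-all forwarder instead of the recursive instance on port 5003. The function names and the abbreviated sample config are constructed for illustration, and the parser assumes <code>name</code> precedes <code>forward-addr</code> within each clause.

```python
# Constructed sample: abbreviated pmg-dnsbl.conf in the format shown above.
SAMPLE_CONF = """
server:
    do-not-query-localhost: no
forward-zone:
    name: "sorbs.net"
    forward-addr: 127.0.0.1@5003
forward-zone:
    name: "spamhaus.org"
    forward-addr: 127.0.0.1@5003
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
"""

def parse_forward_zones(conf):
    """Return {zone: [forward-addr, ...]} for each forward-zone clause."""
    zones, clause, name = {}, None, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if not value:  # clause header such as "server:" or "forward-zone:"
            clause, name = key, None
        elif clause == "forward-zone" and key == "name":
            name = value.lower().rstrip(".") or "."
            zones.setdefault(name, [])
        elif clause == "forward-zone" and key == "forward-addr" and name:
            zones[name].append(value)
    return zones

def upstream_for(qname, zones):
    """Pick the most specific forward-zone for qname (longest suffix match)."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in zones:
            return zone, zones[zone]
    return ".", zones.get(".", [])

def leaking_zones(dnsbl_zones, zones, dnsbl_addr="127.0.0.1@5003"):
    """DNSBL zones whose queries would NOT reach the recursive instance."""
    return [z for z in dnsbl_zones if upstream_for(z, zones)[1] != [dnsbl_addr]]

if __name__ == "__main__":
    zones = parse_forward_zones(SAMPLE_CONF)
    print(leaking_zones(["dnsbl.sorbs.net", "spamhaus.org", "uribl.com"], zones))
```

Feed it the real snippet and the full list of blocklist zones from your SpamAssassin and <code>postscreen</code> configuration; an empty result means every listed zone is routed to the DNSBL instance.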
Test the setup by doing lookups to:<br />
* a testpoint of a DNSBL and verify that the query does not arrive at your internal server<br />
* a testpoint of an arbitrary address (which should arrive at your internal server):<br />
<br />
# dig any test.uribl.com.multi.uribl.com @127.0.0.1 +short # should not show up as query on 192.0.2.53<br />
127.0.0.14<br />
"permanent testpoint"<br />
# dig a proxmox.com @127.0.0.1 +short #should show up as query on 192.0.2.53<br />
79.133.36.244</div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=File:Proxmox-Mail-Gateway-5-2-stats.png&diff=38File:Proxmox-Mail-Gateway-5-2-stats.png2019-11-27T09:54:05Z<p>Martin: Martin uploaded a new version of File:Proxmox-Mail-Gateway-5-2-stats.png</p>
<hr />
<div></div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=Proxmox_Mail_Gateway:General_disclaimer&diff=28Proxmox Mail Gateway:General disclaimer2019-08-28T10:01:39Z<p>Martin: page created</p>
<hr />
<div>The Proxmox Mail Gateway site contains links to other web sites. Proxmox is not responsible for the content or privacy practices of those sites.</div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=Main_Page&diff=27Main Page2019-08-27T12:15:41Z<p>Martin: </p>
<hr />
<div>__NOTOC__<br />
<TABLE><br />
<tr valign=top><br />
<td><br />
<br />
'''Proxmox Mail Gateway''' is an open-source email security platform based on Debian GNU/Linux. It protects your mail server from spam, viruses, trojans and phishing emails. The full-featured mail proxy is deployed between the firewall and the internal mail server and allows you to control all incoming and outgoing email traffic from a single platform with a central web-based management interface. Proxmox Mail Gateway is open-source software, licensed under the GNU AGPL, v3.<br />
<br />
The project is developed and maintained by [https://www.proxmox.com/en/ Proxmox Server Solutions GmbH].<br />
<br />
For an overview of the Proxmox Mail Gateway key features see the [https://www.proxmox.com/en/proxmox-mail-gateway/features Proxmox website].<br />
<br />
=Download=<br />
[https://www.proxmox.com/downloads Download] the latest ISO image files.<br />
<br />
Alternate download: http://download.proxmox.com/iso<br />
<br />
=Installation=<br />
<br />
The installation medium (CD or USB) is a complete operating system, including everything you need to install and run Proxmox Mail Gateway in only a few minutes. It can be installed bare-metal on dedicated hardware or in a virtual machine on all leading virtualization platforms. You can also install it on top of an existing Debian installation.<br />
<br />
'''Installing'''<br />
<br />
[https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_installation Installation of Proxmox Mail Gateway]<br />
<br />
'''Upgrading'''<br />
<br />
[[Upgrade_from_5.x_to_6.0|Upgrade from Proxmox Mail Gateway 5.x to 6.0]]<br />
<br />
=Documentation=<br />
The Proxmox Mail Gateway documentation is freely available in different formats such as HTML, PDF or EPUB, see [https://pmg.proxmox.com/pmg-docs/ Proxmox Mail Gateway Reference Documentation]<br />
<br />
You can also access the documentation via the management interface of your Proxmox Mail Gateway installation by clicking on the contextual help buttons.<br />
<br />
=Release History=<br />
[[Release History]]<br />
<br />
=Video Tutorials=<br />
To get an overview of the Proxmox Mail Gateway, we regularly publish video tutorials on our website, see https://www.proxmox.com/training/video-tutorials.<br />
<br />
</td><br />
<td><br />
[[Image:Proxmox-Mail-Gateway-5-2-stats.png|thumb|300px|rightthumb|Proxmox Mail Gateway Statistics]]<br />
</td><br />
</tr><br />
</TABLE><br />
<br />
</div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=Main_Page&diff=26Main Page2019-08-27T11:09:11Z<p>Martin: </p>
<hr />
<div></div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=Proxmox_Mail_Gateway:Privacy_policy&diff=21Proxmox Mail Gateway:Privacy policy2019-08-26T12:19:49Z<p>Martin: Created page with "We at Proxmox are committed to respecting your online privacy and recognize your need for appropriate protection and management of any personally identifiable information ("pe..."</p>
<hr />
<div>We at Proxmox are committed to respecting your online privacy and recognize your need for appropriate protection and management of any personally identifiable information ("personal information") you share with us.<br />
<br />
See [https://www.proxmox.com/en/privacy-policy Proxmox privacy policy]</div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=Proxmox_Mail_Gateway:About&diff=20Proxmox Mail Gateway:About2019-08-26T12:17:24Z<p>Martin: Created page with "Proxmox Mail Gateway is an open source project, developed and maintained by Proxmox Server Solutions GmbH."</p>
<hr />
<div>Proxmox Mail Gateway is an open source project, developed and maintained by Proxmox Server Solutions GmbH.</div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=MediaWiki:Sidebar&diff=18MediaWiki:Sidebar2019-08-20T14:23:56Z<p>Martin: </p>
<hr />
<div><br />
* navigation<br />
** mainpage|Proxmox Mail Gateway<br />
** https://www.proxmox.com/en/proxmox-mail-gateway/support|Get support<br />
<br />
* Sites<br />
** https://www.proxmox.com|proxmox.com<br />
** https://forum.proxmox.com|Support forum<br />
** https://bugzilla.proxmox.com|Bugtracker<br />
** https://git.proxmox.com|Source code</div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=MediaWiki:Sidebar&diff=17MediaWiki:Sidebar2019-08-20T14:21:17Z<p>Martin: </p>
<hr />
<div></div>Martinhttps://pmg.proxmox.com/wiki/index.php?title=MediaWiki:Sidebar&diff=16MediaWiki:Sidebar2019-08-20T14:20:35Z<p>Martin: Created page with " * navigation ** mainpage|Proxmox Mail Gateway ** Get support|Get support * Sites ** https://www.proxmox.com|proxmox.com ** https://forum.proxmox.com|Support forum ** https:/..."</p>
<hr />
<div></div>Martin