Getting started with Proxmox Mail Gateway
Introduction
Proxmox Mail Gateway provides a comprehensive enterprise email security solution, which can be comfortably configured via the Graphical User Interface.
This article is aimed at providing descriptions and links to best-practices that have emerged in the Proxmox Mail Gateway community.
The goal is to present a small set of adaptations, which dramatically improve the detection accuracy and user experience of your Proxmox Mail Gateway.
It is not meant to display every single possible potential improvement.
If you run into any issues, please try finding a solution in the reference documentation, which is shipped with every Proxmox Mail Gateway installation and will always provide the most up to date information.
Searching the Community Forum, or posting your question there can also provide helpful pointers from our involved and knowledgeable community.
Installation
An overview of the Proxmox Mail Gateway installation can be found on the Proxmox Mail Gateway homepage
The reference documentation provides a detailed description of the various install methods.
Additionally you can learn about the installation process from our video tutorials
Operations/Maintenance
Changing Hostname or IP
see Change FQDN
Configuring Outbound Scanning
Proxmox Mail Gateway accepts email from internal servers on the internal port (default: 26). The distinction on which port email arrives is used for the distinction which rules to apply to an email, and whether to relay an email to a foreign domain.
You should take care not to accept mail from the public internet on your internal port, but only from trusted internal systems.
It can be difficult to configure certain mailservers (for example Microsoft Exchange) to relay email through a different port than port 25. In those situations you can swap the internal and external ports of the Proxmox Mail Gateway to use port 25 as internal port and configure a port-redirection on your firewall to redirect traffic from the public internet on port 25 to port 26 on your Proxmox Mail Gateway.
For a rationale behind scanning outbound mail check the community post from the Proxmox Mail Gateway's beginnings
Improving Spam Detection
One of the most effective means to combat spam nowadays is the use of DNS based Blackhole lists (DNSBL).
Proxmox Mail Gateway offers two places where it can check information against DNSBLs:
- during the SMTP dialog within the Mail Proxy - here only the connecting IP can be checked against the DNSBLs configured in GUI -> Configuration -> Mail Proxy -> Options -> DNSBL Sites
- by the Spam Detector (SpamAssassin) - here the complete content of the mail (including potentially malicious URLs) is checked against a set of predefined lists
DNSBLs have different acceptable use policies, including offering free service for non-commercial use, a limit on the number of queries, or a required registration. Make sure to check that your use-case is allowed by the providers of the list. Since the service provided by the DNSBL operators is very valuable for the functioning of the email ecosystem you could consider supporting the providers, if possible.
Basic set of DNSBLs for the Mail Proxy
The following list offers quite good results in practice:
- zen.spamhaus.org Acceptable Use Policy
- b.barracudacentral.org Acceptable Use Policy
Dedicated DNS Resolver on Proxmox Mail Gateway
Since DNSBLs transport information via DNS, having a working DNS Setup is essential to good anti-spam results.
Running a dedicated recursive DNS Server on your Proxmox Mail Gateway can help avoid running into rate limits:
URIBL custom datafeed
For sites where the email volume is so high that even a dedicated DNS server reaches URIBL's rate limit you can consider purchasing a custom DNS datafeed from URIBL:
Improving Antivirus Accuracy
Second virus scanner
Installing a second Antivirus engine can help improving the Antivirus detection rate:
see Install Avast
Let's Encrypt- a free, automated and open certificate authority
Proxmox Mail Gateway has built-in support for ACME certificate authorities like Let's Encrypt since version 6.4, see the Certificate Management documentation.
To configure a globally trusted certificate using Let's Encrypt in older Proxmox Mail Gateway versions follow the thread in our forum
End user quarantine access
Quarantine Web Interface via 443
By redirecting your Quarantine links to a Proxy on port 443 you can restrict access to the admin interface to certain IPs and present your users with a globally trusted certificate:
see Quarantine Web Interface Via Nginx Proxy
Load Balancing
Load balancing SMTP is most easily achieved using DNS.
Since Proxmox Mail Gateway is a proxy which does not store mail permanently you can simply configure multiple MX records with the same priority for your domains, or multiple A records for the DNS name, which you use as MX record.
See the HA Cluster tab on the Proxmox Mail Gateway feature page and the thread in our community forum.