Getting started with Proxmox Mail Gateway

From Proxmox Mail Gateway
Revision as of 12:04, 3 June 2020 by Stoiko Ivanov (talk | contribs) (change quarantine proxy link to internal)

Introduction

Proxmox Mail Gateway provides a comprehensive enterprise email security solution, which can be comfortably configured via the Graphical User Interface.

This article is aimed at providing descriptions and links to best-practices that have emerged in the Proxmox Mail Gateway community.

The goal is to present a small set of adaptations, which dramatically improve the detection accuracy and user experience of your Proxmox Mail Gateway.

It is not meant to cover every possible improvement.

If you run into any issues, please try finding a solution in the reference documentation, which is shipped with every Proxmox Mail Gateway installation and always provides the most up-to-date information.

Searching the Community Forum, or posting your question there can also provide helpful pointers from our involved and knowledgeable community.

Installation

An overview of the Proxmox Mail Gateway installation can be found on the Proxmox Mail Gateway homepage.

The reference documentation provides a detailed description of the various install methods.

Additionally, you can learn about the installation process from our video tutorials.

Operations/Maintenance

Changing Hostname or IP

see Change FQDN

Configuring Outbound Scanning

Proxmox Mail Gateway accepts email from internal servers on the internal port (default: 26). The port on which an email arrives determines which rules are applied to it and whether it may be relayed to a foreign domain.

You should take care not to accept mail from the public internet on your internal port, but only from trusted internal systems.

It can be difficult to configure certain mail servers (for example Microsoft Exchange) to relay email through a port other than 25. In those situations you can swap the internal and external ports of the Proxmox Mail Gateway, so that port 25 becomes the internal port, and configure a port redirection on your firewall that sends traffic arriving from the public internet on port 25 to port 26 on your Proxmox Mail Gateway.

For the rationale behind scanning outbound mail, see the community post from the early days of Proxmox Mail Gateway.

Improving Spam Detection

One of the most effective means of combating spam nowadays is the use of DNS-based Blackhole Lists (DNSBLs).

Proxmox Mail Gateway offers two places where it can check information against DNSBLs:

  • during the SMTP dialog within the Mail Proxy - here only the connecting IP address can be checked, against the DNSBLs configured in GUI -> Configuration -> Mail Proxy -> Options -> DNSBL Sites
  • by the Spam Detector (SpamAssassin) - here the complete content of the mail (including potentially malicious URLs) is checked against a set of predefined lists

DNSBLs have different acceptable use policies, including free service for non-commercial use only, a limit on the number of queries, or a required registration. Make sure that your use case is allowed by the providers of the list. Since the service provided by the DNSBL operators is very valuable for the functioning of the email ecosystem, you could consider supporting the providers if possible.
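The Mail Proxy check described above is a plain DNS lookup: the connecting IP address is reversed, the list's zone is appended, and an answer in 127.0.0.0/8 means "listed". The following added example (not Proxmox code; the zone names dnsbl.example and wild.example and the sample IPs are constructed) performs that lookup and also discards answers outside 127.0.0.0/8, which a wildcarding or captive resolver can produce and which would otherwise block legitimate senders:

```python
"""Added example: DNSBL lookup of a connecting IP, as a mail proxy does it."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# A resolver maps a fully qualified query name to the A records returned;
# an empty list means NXDOMAIN, i.e. "not listed".
Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """192.0.2.10 against dnsbl.example -> 10.2.0.192.dnsbl.example
    IPv6 addresses use the nibble-reversed form used by IPv6-capable lists."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        reversed_part = ".".join(reversed(ip.split(".")))
    else:
        reversed_part = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{reversed_part}.{zone.rstrip('.')}"


def is_listing(answer: str) -> bool:
    """Only answers inside 127.0.0.0/8 are valid DNSBL return codes. Anything
    else (e.g. a resolver that wildcards NXDOMAIN to a web page) is ignored,
    so a broken DNS setup does not turn into a false positive."""
    try:
        return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")
    except ValueError:
        return False


def system_resolver(name: str) -> List[str]:
    """Default resolver using the host's DNS configuration."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def check_ip(ip: str, zones: Iterable[str],
             resolver: Resolver = system_resolver) -> Dict[str, List[str]]:
    """Return {zone: [return codes]} for every zone that lists the IP.
    The return codes (127.0.0.2, 127.0.0.4, ...) encode the reason for the
    listing and are defined by each list's operator."""
    hits: Dict[str, List[str]] = {}
    for zone in zones:
        codes = [a for a in resolver(dnsbl_query_name(ip, zone)) if is_listing(a)]
        if codes:
            hits[zone] = codes
    return hits
```

With the system resolver this queries the real zones you pass in, so the acceptable use policy of each list applies to these lookups just as it does to the Mail Proxy's own.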

Basic set of DNSBLs for the Mail Proxy

The following list offers quite good results in practice:

Dedicated DNS Resolver on Proxmox Mail Gateway

Since DNSBLs transport their information via DNS, a working DNS setup is essential for good anti-spam results.

Running a dedicated recursive DNS server on your Proxmox Mail Gateway can help avoid running into the rate limits of the list providers:

URIBL custom datafeed

For sites where the email volume is so high that even a dedicated DNS server reaches URIBL's rate limit, you can consider purchasing a custom DNS datafeed from URIBL:

see URIBL Datafeed over DNS

Improving Antivirus Accuracy

Second virus scanner

Installing a second antivirus engine can help improve the virus detection rate:

see Install Avast

Let's Encrypt - a free, automated and open certificate authority

To configure a globally trusted certificate using Let's Encrypt, follow the thread in our forum.

End user quarantine access

Quarantine Web Interface via 443

By pointing your quarantine links at a proxy on port 443, you can restrict access to the admin interface to certain IP addresses and present your users with a globally trusted certificate:

see Quarantine Web Interface Via Nginx Proxy

Load Balancing

Load balancing SMTP is most easily achieved using DNS.

Since Proxmox Mail Gateway is a proxy that does not store mail permanently, you can simply configure multiple MX records with the same priority for your domains, or multiple A records for the DNS name that you use as the MX target.

See the HA Cluster tab on the Proxmox Mail Gateway feature page and the thread in our community forum.