
Proxmox Mail Gateway

Administration Guide

8/22/2016
MailGatewayAdminGuide-V3.4.docx

Proxmox Server Solutions GmbH


Bruhausgasse 37 A-1050 Vienna office@proxmox.com www.proxmox.com

Proxmox Server Solutions GmbH reserves the right to make changes to this document and to the
products described herein without notice. Before installing and using the software, please review the
latest version of this document, which is available from http://www.proxmox.com.
NOTE: All prices are one year subscription licenses. After expiration, e-mail flow continues but Spam- and AV checks are not working anymore (Exception: ClamAV will continue working).
All other product or company names different from Proxmox may be trademarks or registered
trademarks of their owners.
Copyright 2005 - 2016 Proxmox Server Solutions GmbH. All rights reserved. No part of this
publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the
express prior written consent of Proxmox.

22.08.2016 Proxmox Server Solutions GmbH


Table of Contents

1 What is Proxmox Mail Gateway? .... 6
2 Quick start guide .... 7
3 Planning for deployment .... 8
3.1 Easy integration into existing e-mail server architecture .... 8
3.1.1 Filtering outgoing e-mails .... 9
3.2 Firewall settings .... 9
3.3 System requirements .... 9
3.3.1 Minimum system requirements .... 10
3.3.2 Recommended system requirements .... 10
3.4 Compare the Proxmox Mail Gateway editions .... 10
3.4.1 Proxmox Mail Gateway Free version .... 10
3.4.2 Proxmox Mail Gateway Standard versions .... 10
3.4.3 Proxmox Mail Gateway Professional .... 11
3.4.4 Proxmox Mail Gateway HA Cluster .... 11
3.4.5 EDU, GOV and non-profit organization licensing .... 11
4 Installing Proxmox Mail Gateway .... 12
4.1 Complete installation in 3 to 5 minutes .... 12
4.2 Software RAID .... 12
4.2.1 Differences between RAID systems .... 12
5 Getting started with Mail Gateway .... 14
5.1 Web interface .... 14
5.2 Upload license file .... 15
5.3 Configuration .... 15
5.3.1 System .... 16
5.3.2 Mail proxy .... 17
5.3.3 Spam detector .... 20
5.3.4 Virus detector .... 22
5.3.5 User management .... 23
5.3.6 Cluster .... 23
5.3.7 License .... 23
5.4 Mail filter .... 23
5.4.1 Rules .... 24
5.4.2 Actions .... 24
5.4.3 Who .... 26
5.4.4 What .... 26
5.4.5 When .... 27
5.5 Administration .... 27
5.5.1 Server .... 27
5.5.2 Statistic .... 28
5.5.3 Quarantine .... 28
5.5.4 Tracking center .... 31
5.5.4.2 Real-time .... 33
5.5.4.3 Greylist log .... 33
5.5.5 Queues .... 34
6 LDAP integration (professional version or LDAP option) .... 35
6.1 Creating a new LDAP profile .... 35
6.2 LDAP queries .... 36
6.3 Sample LDAP rules .... 37
7 Example mail server configuration (outgoing mails) .... 38
7.1 Configuration for Microsoft Exchange .... 38
7.2 Configuration for Postfix .... 40
8 Example rules .... 41
9 Redundant servers and load balancing .... 42
9.1 Hot standby with backup MX records .... 42
9.2 Load balancing with MX records .... 42
9.3 Other ways .... 43
9.3.1 Multiple address records .... 43
9.3.2 Using firewall features .... 43
10 Proxmox Mail Gateway HA cluster .... 44
10.1 Hardware requirements .... 45
10.2 Required licenses .... 45
10.3 Load balancing .... 45
10.4 Cluster administration .... 45
10.4.1 Creating a cluster .... 45
10.4.2 List cluster status .... 45
10.4.3 Adding cluster nodes .... 45
10.4.4 Deleting nodes .... 46
10.5 Disaster recovery .... 46
10.5.1 Single node failure .... 46
10.5.2 Master failure .... 46
10.5.3 Total cluster failure .... 46
11 Troubleshooting and technical support .... 47
11.1 Console login .... 47
12 Table of figures .... 48
13 Appendix .... 49
13.1 Available macros for rule system .... 49
13.2 Individual SpamAssassin configuration .... 49
13.3 Customized daily spam reports .... 49
13.4 Using regular expressions .... 50
13.4.1 Simple regular expressions .... 50
13.4.2 Metacharacters .... 50
13.4.3 References .... 51
13.5 Managing software RAID .... 51
13.6 Backup considerations .... 52
13.6.1 Scheduled backup .... 52
13.6.2 Backup via console .... 53
13.6.3 Restore via console .... 53
13.7 Avira SAV antivirus integration .... 53
13.8 SSL certificate .... 53
13.9 Port scans (nmap) .... 54
13.10 Create bootable USB stick .... 54
13.10.1 Instructions for Windows .... 54
13.10.2 Instructions for Linux (and OSX) .... 55
13.10.3 Boot your server from USB media .... 55


1 What is Proxmox Mail Gateway?

E-mail security begins at the gateway by controlling all incoming and outgoing e-mail messages.
Proxmox Mail Gateway addresses the full spectrum of unwanted e-mail traffic, focusing on spam and
virus detection. Proxmox Mail Gateway provides a powerful and affordable server solution to
eliminate spam and viruses and to block undesirable content from your e-mail system. All products are
self-installing and can be used without deep knowledge of Linux.

Figure 1-1 Processing of incoming e-mail traffic


2 Quick start guide

Experienced users can use this guide for a quick installation. For detailed instructions please read the
whole documentation.

1. Burn the downloaded ISO image to a CD or create a USB stick.
2. Boot from this CD/USB stick on your dedicated hardware (see 3.3 System requirements).
3. Follow the instructions on the graphical screen. All existing data on your hard disk will be lost!
4. After reboot, go to your desktop PC and point your browser to the given IP address.
5. Upload the license file and change the root password.
6. Check the IP configuration and hostname.
7. Select the time zone and save.
8. Check your firewall settings (see 3.2 Firewall settings).
9. Configure Proxmox Mail Gateway to forward the incoming SMTP traffic to your mail server
(Configuration/Mail Proxy/Default Relay). The Default Relay is your e-mail server.
10. Configure your e-mail server to send all outgoing messages through your Proxmox (smart
host, port 26), see 3.1.1 Filtering outgoing e-mails.

For detailed deployment scenarios see the Proxmox Mail Gateway Deployment Guide.
There is one ISO image for download covering all versions; the available features depend on the
uploaded license file.
If the installation succeeds you have to route all your incoming and outgoing e-mail traffic to the Mail
Gateway. For incoming traffic you have to configure your firewall, for outgoing traffic your existing
e-mail server configuration.
Download from http://www.proxmox.com


3 Planning for deployment

3.1 Easy integration into existing e-mail server architecture

In this sample configuration, your e-mail traffic (SMTP) arrives on the firewall and is directly
forwarded to your e-mail server.

Figure 3-1 Infrastructure without Proxmox Mail Gateway

With Proxmox Mail Gateway in place, all your e-mail traffic is forwarded to the Proxmox Mail Gateway,
which filters the whole e-mail traffic and removes unwanted e-mails. You can manage incoming and
outgoing mail traffic.

Figure 3-2 Infrastructure with integrated Proxmox Mail Gateway


3.1.1 Filtering outgoing e-mails

Many e-mail filter solutions do not scan outgoing mails. In contrast, Proxmox Mail Gateway is
designed to scan both incoming and outgoing e-mails. This has two major advantages:

1. Proxmox Mail Gateway is able to detect viruses sent from an internal host. In many countries
you are liable for sending viruses to other people. The outgoing e-mail scanning feature of
Proxmox Mail Gateway is an additional protection against that.
2. Proxmox Mail Gateway can gather statistics about outgoing e-mails too. Statistics about
incoming e-mails look nice, but they are quite useless. Consider two users: user-1 receives
10 e-mails from news portals and wrote 1 e-mail to a person you have never heard of, while
user-2 receives 5 e-mails from a customer and sent 5 e-mails back. Which user do you
consider more active? I am sure it is user-2, because he communicates with your customers.
The advanced address statistics of Proxmox Mail Gateway can show you this important information.
A solution which does not scan outgoing e-mail cannot do that.

To enable outgoing e-mail filtering you just need to send all outgoing e-mails through your Proxmox
Mail Gateway (usually by specifying Proxmox as smarthost on your e-mail server), see chapter 7
Example mail server configuration (outgoing mails).

3.2 Firewall settings

In order to pass e-mail traffic to the Proxmox Mail Gateway you need to open the SMTP port. Our
servers also use the Network Time Protocol (NTP) for time synchronization, RAZOR, DNS and HTTP(S).

Service           Port   Protocol   From       To
SMTP              25     TCP        Proxmox    Internet
SMTP              25     TCP        Internet   Proxmox
NTP               123    TCP/UDP    Proxmox    Internet
RAZOR             2703   TCP        Proxmox    Internet
DNS               53     TCP/UDP    Proxmox    DNS Server
HTTP              80     TCP        Proxmox    Internet
HTTPS (optional)  443    TCP        Internet   Proxmox

The outgoing HTTP connection is mainly used for virus pattern updates, and can be configured to use
a proxy instead of a direct internet connection.
You can use the nmap utility to test your firewall settings (see chapter 13.9).

3.3 System requirements

Proxmox Mail Gateway needs dedicated server hardware but can also run as a Virtual Appliance on:

- Proxmox VE (KVM)
- VMware vSphere (open-vm-tools are integrated in the ISO)
- Hyper-V (Hyper-V Linux integration tools are integrated in the ISO)
- KVM (virtio drivers are integrated, great performance)
- VirtualBox
- Citrix XenServer

Please see http://www.proxmox.com for details.


Please check our website for a list of certified hardware.

In order to get a benchmark from your hardware, just run proxperf after installation.

Note: All existing data on the hard disk will be lost during the installation!

3.3.1 Minimum system requirements

- CPU: 64bit (Intel EMT64 or AMD64)
- 1024 MB RAM
- bootable CD-ROM drive or USB boot support
- 1024x768 capable VGA/monitor for the installer
- Hard disk 8 GB - ATA/SATA/SCSI
- 10/100 MBps network interface card

3.3.2 Recommended system requirements

- Multicore CPU: 64bit (Intel EMT64 or AMD64)
- 4096 MB RAM
- bootable CD-ROM drive or USB boot support
- 1024x768 capable VGA/monitor for the installer
- 1 GBps network interface card
- Hardware RAID1 or RAID10; RAID controllers need a write cache with battery backup module
for best performance
- Enterprise class SSD with power loss protection (e.g. Intel SSD DC 35xx/36xx/37xx)

3.4 Compare the Proxmox Mail Gateway editions

Proxmox Mail Gateway must be licensed for the number of relayed domains. For example, if you run
a mail server receiving e-mails for three domains (e.g. domain.net, domain.com, domain.at), then you
need the three domain version. All editions are for unlimited users; only the optional Avira SAV is
licensed per user.

Note: Please see www.proxmox.com for details.

If you would like more features than offered with your license, you can always upgrade by buying
another license without reinstallation.

3.4.1 Proxmox Mail Gateway Free version

The free version is discontinued with V3.0 and later and is not available anymore (due to license
restrictions of third party tools).

3.4.2 Proxmox Mail Gateway Standard versions

Standard versions are available for one, three, five and unlimited domains.
If you need to query MS Active Directory, an optional LDAP connector for one, three and five domains
can be purchased.


3.4.3 Proxmox Mail Gateway Professional

This edition is intended to meet the demands of complex and high performance installations. This
license provides the highest flexibility and performance (relayed domains can be edited on the web
interface, LDAP integration, etc.).

3.4.4 Proxmox Mail Gateway HA Cluster

The Proxmox HA Cluster consists of a master and several nodes (minimum one node). Configuration
is done on the master. Configuration and all data are synchronized to all cluster nodes over a VPN
tunnel. This provides the following advantages:

- centralized configuration management
- fully redundant data storage without the need for an expensive SAN
- high availability
- high performance
- runs also in virtualization environments

The Proxmox Mail Gateway HA Cluster uses a unique application level clustering scheme, which
provides extremely good performance. Special considerations were taken to make management as
easy as possible. Complete cluster setup is done within minutes, and nodes automatically reintegrate
after temporary failures without any operator interaction.

3.4.5 EDU, GOV and non-profit organization licensing

To purchase Proxmox Mail Gateway EDU/GOV/Non-Profit licenses, Proxmox must have proof of
eligible status. Please attach information regarding your eligibility to an e-mail and send it to
office@proxmox.com. Once the information is validated, we will reply as soon as possible.
Qualified organizations: universities, schools, governmental organizations, NGOs, etc.
Currently, the following licenses are available for a reduced price:

- Proxmox Mail Gateway Professional
- Proxmox Mail Gateway HA Cluster


4 Installing Proxmox Mail Gateway

4.1 Complete installation in 3 to 5 minutes

The installer boots from CD or USB stick and detects your hardware without interaction. All Proxmox
products are based on Linux packages and most amd64 based PC and server hardware will work.

- Download the ISO image and burn it to a CD or create a bootable USB stick
- Boot from CD/USB stick and start the automatic installer on your dedicated hardware
- Request a trial license or buy one
- Configure the Proxmox Mail Gateway via the web interface

4.2 Software RAID

The installer supports hardware RAID and software RAID (mirroring with mdraid). Please see chapter
13.5 Managing software RAID for details.
Requirements: two identical hard drives

Note: If you have a hardware RAID controller, this option is NOT available.

4.2.1 Differences between RAID systems

Hardware RAID
  Description: Hardware XOR engine, integrated memory, high-performance bus, optional battery
  backup and audio alarm, hot-swap drive support, ease of management and monitoring, write
  cache with battery backup.
  Examples: LSI Logic MegaRAID, HP Smart Array SCSI/SAS, Adaptec

Software RAID
  Description: Mirroring is done by the operating system.
  Examples: Supported by the Proxmox Mail Gateway operating system

HostRAID (integrated in the main board)
  Description: It is NOT hardware RAID. Do not activate this in the BIOS; use Proxmox Mail Gateway
  Software RAID instead.
  Examples: Intel ICH7, ICH8, ICH9, ICH10; HP embedded SATA; LSI Logic integrated SATA RAID;
  Nvidia RAID

Figure 4-1 Selecting Software RAID during installation


5 Getting started with Mail Gateway

5.1 Web interface

After successful installation point your web browser to the IP address.

Web interface: https://youripaddress/
Default user: root
Default password: admin

Note: Please change the default password after successful log in!

Figure 5-1 Login page Proxmox Mail Gateway


5.2 Upload license file

There are several types of licenses:

- Trial version (30 days functional, including full installation support)
- Standard Edition (for one, three, five, and unlimited mail domains)
- Professional Edition (unlimited domains with host locked license model)
- HA Cluster (unlimited domains with host locked license model)

Note: To determine which license meets your requirements, check chapter 3.4 Compare the
Proxmox Mail Gateway editions.

Please visit www.proxmox.com to get a license. Without a valid subscription license, the Proxmox
Mail Gateway will not process any e-mail. All prices are one year subscription licenses. After
expiration, e-mail flow continues but Spam- and AV checks are not working anymore (Exception:
ClamAV will continue working).

5.3 Configuration

Figure 5-2 Start page Proxmox Mail Gateway after log in

Note: By clicking these symbols on the configuration interface a dropdown menu is available.


5.3.1 System

Network
  Review your IP configuration and complete all settings.

Time
  Review or update your NTP server settings and time zone.
  Check that your firewall allows you access to the NTP server.

Backup
  Back up your system configuration and rule database to a file (a few Kbytes).
  Statistical data will not be saved via the web interface, only via scheduled backup!
  Configure Scheduled Backups to FTP or Windows Share.
  Note: see chapter 13.6 Backup considerations

Restore
  Reset your rule settings to factory defaults.
  Restore your system settings and rules from a valid backup. Backup/Restore
  only works between the same versions (e.g. you cannot restore a backup
  from a 2.5 to a 2.6).
  Note: Restoring 2.6 to 3.0 is possible and the recommended upgrade path.

Reports
  Enable or disable daily reports to the given e-mail address.
  Enable or disable Advanced Statistic Filter (default is disabled).
  Note: Advanced Statistic Filter only works if you filter outgoing e-mails.
  If you enable Advanced Statistics, the Statistics/Domain-Address/Receivers
  page shows only receivers who sent e-mails within the last 3 months (so only
  active receivers are displayed).
  The Statistics/Domain-Address/Contacts page shows only recipients where
  internal users have sent one or more e-mails within the last 3 months. See:
  3.1.1 Filtering outgoing e-mails

Syslog Lifetime
  Define the lifetime of historical syslog data (maximum is 31 days). The syslog
  is the basis for the message tracking center.

Syslog Server
  Define a remote syslog server (sending syslog entries to a centralized server).

Language
  Define the default language for the web interface and the daily reports.
  (Currently we support: English, German, Japanese, Portuguese (Brazilian), Italian,
  French, Romanian, Spanish)

SSH Access
  SSH access is restricted for external networks by default to increase
  security.
  Note: for remote support, all SSH connections from proxmox.com and
  maurer-it.com are allowed, but you still need to open your firewall and
  provide the password.

5.3.2 Mail proxy

Relaying
  IP address (or FQDN) and SMTP port of your existing e-mail server.
  Relayed domains: list of relayed mail domains (information displayed from
  the uploaded license file). If you need more mail domains, upgrade your license.
  Note: If you use a Professional or HA License, you can edit this list.

Ports
  Review the external (default 25) and internal (default 26) SMTP port.
  Check these settings with your firewall and existing e-mail server.

Options
  Set the maximum message size for e-mails in bytes.
  Reject Unknown Clients: Reject the SMTP request when
    1) the client IP address->name mapping fails,
    2) the name->address mapping fails, or
    3) the name->address mapping does not match the client IP address.
  Reject Unknown Senders: Reject the request when the MAIL FROM
  address has no DNS A or MX record.
  Note: If you enable these features, a lot of misconfigured mail servers
  cannot send mails to your system anymore, please use with care.

SMTP HELO checks
  The following checks are performed:
  smtpd_helo_required
    Require that a remote SMTP client introduces itself at the beginning of an
    SMTP session with the HELO or EHLO command.
  reject_non_fqdn_hostname
    Reject the request when the HELO or EHLO hostname is not in fully-qualified
    domain form, as required by the RFC.
  reject_invalid_hostname
    Reject the request when the HELO or EHLO hostname syntax is invalid.
Use RBL checks
Use real time black lists checks on SMTP level.
Verify Receivers
select Yes or No (450 for temporary rejects or 550 for final rejects)

Note: You have to reconfigure your internal mail server if you use YES.
For details see the Proxmox Mail Gateway Deployment Guide in the latest
release.

Enable or disable Greylisting, default enabled
Enable or disable SPF (Sender Policy Framework), default enabled
Delay Warning Time (4 hours default)
Client Connection Count Limit (50 is default): How many simultaneous connections any client is allowed to make to the SMTP service. To disable this feature, specify a limit of 0.
Client Connection Rate Limit: The maximal number of connection attempts any client is allowed to make to this service per minute. To disable this feature, specify a limit of 0.
Client Message Rate Limit: The maximal number of message delivery requests that any client is allowed to make to this service per minute. To disable this feature, specify a limit of 0.
SMTPD Banner
Type your custom SMTP Banner
Smarthost: Use this option if you want to send all outgoing mails via another proxy (smarthost). You can use IP addresses or DNS names with an optional port specification, for example:
192.168.2.1
192.168.2.1:25
outproxy.domain.tld:26

Transports
You can use Proxmox Mail Gateway to send e-mails to different internal e-mail servers. For example, you can send e-mails addressed to domain.com to your first e-mail server, and e-mails addressed to subdomain.domain.com to a second one.
Note: you need an appropriate license for each domain, otherwise it will not work!
Add the IP addresses, hostnames and SMTP ports and the mail domains (or just single email addresses) of your additional e-mail servers.

Networks
Add Internal (trusted) IP Networks or Hosts
All hosts in this list are allowed to relay.
Note: Hosts in the same subnet as Proxmox can relay by default; it is not necessary to add them to this list.

TLS
TLS support
Transport Layer Security (TLS) provides certificate-based authentication and encrypted sessions. An encrypted session protects the information that is transmitted with SMTP mail. When you activate TLS, Proxmox Mail Gateway automatically generates a new self-signed certificate for you.
Proxmox Mail Gateway uses opportunistic TLS encryption. The SMTP transaction is encrypted if the STARTTLS ESMTP feature is supported by the server. Otherwise, messages are sent in the clear.
Enable TLS logging
To get additional information about SMTP TLS activity you can enable TLS logging. That way information about TLS sessions and used certificates is logged via syslog.
Add TLS received header
Set this option to include information about the protocol and cipher used, as well as the client and issuer CommonName, in the "Received:" message header.

Whitelist (formerly Greylist excl.)
SMTP whitelist: All SMTP checks are disabled for those entries (e.g. Greylisting, SPF, RBL, ...)
Note: If you use a backup-MX server (e.g. your ISP offers this service for you) you should always add those servers.
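As an added illustration (not Proxmox Mail Gateway code), the following Python models the SMTP-level checks of this section: the three Reject Unknown Clients failure cases, the three SMTP HELO checks, and the SMTP whitelist that skips them for listed clients. The DNS table, the whitelist network and the reason strings are constructed.

```python
"""Added example, not Proxmox Mail Gateway code: models the SMTP-level client
checks of the Mail proxy options (Reject Unknown Clients, SMTP HELO checks)
and the SMTP whitelist that bypasses them. DNS data is a constructed table."""
import ipaddress
import re
from typing import Optional, Tuple

# Constructed stand-in for DNS: reverse (PTR) and forward (A) lookups.
PTR = {
    "203.0.113.10": "mx1.example.net",     # consistent forward/reverse mapping
    "203.0.113.20": "ghost.example.net",   # PTR name resolves to a different address
    "203.0.113.40": "orphan.example.net",  # PTR name has no address record
}
A = {
    "mx1.example.net": {"203.0.113.10"},
    "ghost.example.net": {"198.51.100.7"},
}

# SMTP whitelist entries (constructed), e.g. the backup MX of your ISP.
SMTP_WHITELIST = [ipaddress.ip_network("192.0.2.0/24")]

# A DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def helo_check(helo: str) -> Optional[str]:
    """smtpd_helo_required, reject_invalid_hostname and reject_non_fqdn_hostname."""
    if not helo:
        return "HELO/EHLO required"
    if helo.startswith("[") and helo.endswith("]"):
        return None  # address literal: a valid HELO argument (assumption: not checked further)
    labels = helo.rstrip(".").split(".")
    if not all(LABEL.match(label) for label in labels):
        return "invalid HELO hostname syntax"
    if len(labels) < 2:
        return "HELO hostname is not fully qualified"
    return None


def unknown_client_check(ip: str) -> Optional[str]:
    """Reject Unknown Clients: the three failure cases listed in the options."""
    name = PTR.get(ip)
    if name is None:
        return "client IP address->name mapping fails"
    addresses = A.get(name)
    if not addresses:
        return "name->address mapping fails"
    if ip not in addresses:
        return "name->address mapping does not match the client IP address"
    return None


def evaluate_client(ip: str, helo: str,
                    reject_unknown_clients: bool = True) -> Tuple[str, Optional[str]]:
    """Return ("accept", note) or ("reject", reason) for one connecting SMTP client."""
    address = ipaddress.ip_address(ip)
    if any(address in net for net in SMTP_WHITELIST):
        return "accept", "whitelisted, SMTP checks skipped"
    reason = helo_check(helo)
    if reason is None and reject_unknown_clients:
        reason = unknown_client_check(ip)
    return ("reject", reason) if reason else ("accept", None)


if __name__ == "__main__":
    for ip, helo in [("203.0.113.10", "mx1.example.net"), ("203.0.113.20", "ghost.example.net"),
                     ("203.0.113.10", "localhost"), ("192.0.2.9", "")]:
        print(ip, helo or "<no HELO>", "->", evaluate_client(ip, helo))
```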


5.3.3 Spam detector

Proxmox Mail Gateway uses a wide variety of local and network tests to identify spam signatures. This makes it harder for spammers to identify one aspect which they can craft their messages to work around.
Every single e-mail is analyzed and gets a spam score assigned. The system attempts to optimize the efficiency of the rules that are run in terms of minimizing the number of false positives and false negatives.

Note: For detailed spam configuration, see also chapter 5.4 Mail filter.

Options
Use auto-whitelists
Use Bayesian filter
Use RBL checks
Enabling all gives the best results but could be a performance bottleneck for high volume sites. In this case use Commtouch (fast) only.
Use OCR
Use image recognition to detect spam messages inside images. OCR is CPU intensive, please do not activate it if your server is already under heavy load.
By default, all features are enabled except OCR.
Max Spam Size (bytes)
Specify the maximum size of a single email targeted for spam analysis. Emails bigger than this are not scanned for spam.
Bulk Message Score
Set the spam score for Commtouch Bulk Message detection (Default is 3).

Languages
By default, all languages are enabled. Selecting languages means you prefer these ones; e-mails in unwanted languages get a higher spam score.

Quarantine
Lifetime (days)
Specify the lifetime of quarantined e-mails
Authentication mode
Choose how users access their spam quarantine. Ticket is the default. If you select LDAP, make sure you have a license for LDAP and a configured LDAP profile (connection to MS Active Directory).


Report style
Verbose
Verbose (Outlook 2007)
Short
Custom (see 13.3 Customized daily spam reports)
No reports

Allow access via http
Enables access to the spam quarantine via http. If you do not select this, access is only via https.
Note: If you use https, consider uploading a valid certificate, see chapter 13.8 SSL certificate

Quarantine Host (optional)
This name will be used for the links to the quarantine
EMail 'From:' (optional)
Default value: Proxmox Mail Gateway <postmaster@yourdomain.tld>
Please enter only values in the following format: Name <youremail@yourdomain.com>
Mail preview settings
View images
Enable images in the preview (disable to speed up the system)
Allow HREFs
Enables links in the mail preview (disable to get a more secure preview)

Backscatter
What are backscatter emails?
When spammers or worms send emails with forged sender addresses, sites are flooded with undeliverable mail notifications. These emails are called backscatter emails.
Bounce message score (0 means disabled)
Define the spam score for detected backscatters
Whitelist bounce relays
Add your valid bounce relays
Note: Please test your settings and review your quarantine to check for false positives

Theme
Customize the end user quarantine interface, upload a custom logo.
The theme is only visible in this section "Configuration/Spam Detector/Theme" and in the end users' spam quarantine web interface. It does not change the style of the admin interface.
Note: If you change anything, please reload the site in the browser to see the changes.

5.3.4 Virus detector

Proxmox Mail Gateway uses the following antivirus engines (Dual Scanning) in all versions:
ClamAV, no additional license required
Commtouch Zero-Hour Virus Outbreak Protection, no additional license required
Avira SAV: You need to purchase an Avira SAV per user subscription license for the Proxmox Mail Gateway, contact your Proxmox Partner for details.

ClamAV
Review the database update server. Click update now and check the output log file. The database is updated regularly (several times a day); you don't have to configure the update schedule.

CYREN
Enabled and active by default, no configuration here.

Avira SAV
Click update now and check the output log file.
Note: You need to purchase an Avira SAV per user subscription license for the Proxmox Mail Gateway, contact your Proxmox Partner for details.

Options
Review the settings for dealing with archives (e.g. zip files).
If you have no direct connection to the web for updates, you can configure your proxy server to get antivirus database updates.
Max credit card numbers (new data loss prevention DLP)
Detect credit card numbers (a reasonable setting is 3, 0 means disabled). If an email contains 3 credit card numbers it gets detected.
HTTP Proxy Settings
Configure a http proxy for accessing the internet for signature updates
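To show what a "Max credit card numbers" style check has to do, here is an added example (not the gateway's own detector): digit groups are validated with the Luhn checksum, duplicates are counted once, and the mail is flagged when the count reaches the configured maximum, with 0 disabling the check. The sample body and its publicly documented test card numbers are constructed input.

```python
"""Added example, not Proxmox Mail Gateway code: a detector for the kind of
check behind "Max credit card numbers". Digit groups that pass the Luhn
checksum count as card numbers; the mail is flagged once the count reaches
the configured maximum, and 0 disables the check."""
import re
from typing import List

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled (minus 9 if
    the result exceeds 9) and the digit sum must be divisible by 10."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        digit = int(char)
        if index % 2 == 1:
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Distinct Luhn-valid card numbers found in text, separators removed."""
    found: List[str] = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits) and digits not in found:
            found.append(digits)
    return found


def exceeds_limit(text: str, max_numbers: int) -> bool:
    """True when the mail should be flagged; max_numbers == 0 disables the check."""
    if max_numbers <= 0:
        return False
    return len(find_card_numbers(text)) >= max_numbers


# Constructed sample body using publicly documented test card numbers.
SAMPLE = """Invoice attached. Cards on file:
Visa 4111 1111 1111 1111, MasterCard 5500-0000-0000-0004,
Amex 340000000000009, and again 4111 1111 1111 1111 (duplicate).
Order number 1234567890123456 and a typo 4111111111111112 are not cards."""

if __name__ == "__main__":
    print(find_card_numbers(SAMPLE))
    print("flag at 3:", exceeds_limit(SAMPLE, 3), "flag at 4:", exceeds_limit(SAMPLE, 4))
```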

Quarantine
Lifetime (days)
Specify the lifetime of quarantined virus e-mails
Mail preview settings:
View images
Enable images in the preview (if you uncheck this, images are not downloaded and displayed)
Allow HREFs
Enables links in the mail preview (disable to get a more secure preview)

5.3.5 User management

Local
Local User Database: Default is the root (super user) account
Enable SSH login (insert allowed SSH public keys)
Note: A Restore Job does not change (restore) the password!
The root user can add local users. The following roles can be assigned:
Administrator (full access to the web interface)
Quarantine Manager (access to Spam and Virus quarantine)
Audit (read only)

LDAP
LDAP Integration: See chapter 6 LDAP integration (professional version or LDAP option)

POP
POP3 support. Messages fetched from those POP3 accounts are injected into the filter system.

5.3.6 Cluster

Status
See status of all nodes.
For Cluster configuration details see chapter 10 Proxmox Mail Gateway HA cluster

5.3.7 License

Check your license information or upload a new license file.
Displayed information:
License Nr.
Company
Name
Product
Expires

5.4 Mail filter

The following default settings are available. You can add or edit custom settings by clicking on the symbols.
Note: See also the Deployment Guide


5.4.1 Rules

The object-oriented rule system enables custom rules for your domains. It's an easy but very flexible way to define filter rules by user, domains, time frame, content type and resulting action.

Who object (for the TO and/or FROM category)
Example: Who is the sender or receiver of the e-mail?

When object
Example: When is the e-mail received by Proxmox Mail Gateway?

What object
Example: Does the e-mail contain spam?

Action object
Example: Mark e-mail with SPAM: in the subject.

Every rule has got 5 categories (FROM, TO, WHEN, WHAT, ACTION) which can contain several objects. For example a virus protection rule looks like this:

FROM: Anybody
TO: Anybody
WHEN: Always
WHAT: Virus
ACTION: Block

Active Rules
Currently active rules

Inactive Rules
Not active. New rules are always inactive, you have to set them active manually by clicking the symbol

Priority
Set the processing order between 1 and 100. The highest priority is 100.

Direction
Set the processing direction.
In: Rule applies for all incoming e-mails
Out: Rule applies for all outgoing e-mails
In & Out: Rule applies for both directions

5.4.2 Actions

Accept
Accept mail for Delivery (Final action, no following rule will trigger)


Block
Block mail (Final action, no following rule will trigger)

Quarantine
Move to quarantine (virus mails are moved to the virus quarantine, other mails are moved to the spam quarantine); (Final action, no following rule will trigger)

Notify Admin
Send notification to admin
Sample content:
Proxmox Notification:
Sender: __SENDER__
Receiver: __RECEIVERS__
Targets: __TARGETS__
Subject: __SUBJECT__
Matching Rule: __RULE__
__RULE_INFO__
__VIRUS_INFO__
__SPAM_INFO__

Notify Sender
Send notification to sender
Sample content:
Proxmox Notification:
Sender: __SENDER__
Receiver: __RECEIVERS__
Targets: __TARGETS__
Subject: __SUBJECT__
Matching Rule: __RULE__
__RULE_INFO__
__VIRUS_INFO__
__SPAM_INFO__

Modify Spam Level
Mark mail as spam by adding a header tag.
Sample content:
Fieldname: X-SPAM-LEVEL
Value: __SPAMLEVEL__, hits=__SPAM_HITS__
New in 2.0: use this instead of (__SPAMLEVEL__, hits=__SPAM_HITS__)
Value: __SPAM_INFO__
This shows detailed scores

Modify Spam Subject
Mark mail as spam by modifying the subject.
Sample content:
Fieldname: subject
Value: SPAM: __SUBJECT__

Remove all attachments
Remove all attachments. You can edit the text replacement.

Remove matching attachments
Remove matching attachments. You can edit the text replacement.

Disclaimer
Add Disclaimer
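The rule structure of 5.4.1 and the final/non-final actions of 5.4.2 come together in this added example, which is a model written for this guide and not the gateway's rule engine: active rules run from priority 100 down, only in their direction, each category matches when any of its objects matches, and Accept, Block and Quarantine end processing. The rule set, the mails and the default acceptance when nothing final matched are constructed assumptions.

```python
"""Added example, not Proxmox Mail Gateway code: a small model of the rule
system of 5.4.1 and 5.4.2. Active rules run from priority 100 down to 1 and
only in their direction; a rule fires when each of FROM, TO, WHEN and WHAT has
a matching object; Accept, Block and Quarantine are final. Constructed data."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Mail:
    sender: str
    receivers: List[str]
    direction: str                       # "in" or "out"
    subject: str = ""
    virus: bool = False
    spam_score: float = 0.0
    headers: Dict[str, str] = field(default_factory=dict)


# WHO objects test one address; WHEN and WHAT objects test the whole mail.
def anybody(address: str) -> bool: return True
def domain(name: str) -> Callable[[str], bool]: return lambda a: a.lower().endswith("@" + name)
def always(mail: Mail) -> bool: return True
def virus(mail: Mail) -> bool: return mail.virus
def spam(level: float) -> Callable[[Mail], bool]: return lambda m: m.spam_score >= level


# ACTION objects change the mail or the log and return True when they are final.
def accept(mail: Mail, log: List[str]) -> bool:
    log.append("accept")
    return True

def block(mail: Mail, log: List[str]) -> bool:
    log.append("block")
    return True

def quarantine(mail: Mail, log: List[str]) -> bool:
    log.append("virus quarantine" if mail.virus else "spam quarantine")
    return True

def modify_spam_subject(mail: Mail, log: List[str]) -> bool:
    mail.subject = "SPAM: " + mail.subject          # Value: SPAM: __SUBJECT__
    return False

def modify_spam_level(mail: Mail, log: List[str]) -> bool:
    mail.headers["X-SPAM-LEVEL"] = f"hits={mail.spam_score}"
    return False

def notify_admin(mail: Mail, log: List[str]) -> bool:
    log.append(f"notify admin: Sender: {mail.sender} Subject: {mail.subject}")
    return False


@dataclass
class Rule:
    name: str
    priority: int                        # 1..100, 100 is processed first
    direction: str                       # "in", "out" or "both"
    who_from: List[Callable[[str], bool]]
    who_to: List[Callable[[str], bool]]
    when: List[Callable[[Mail], bool]]
    what: List[Callable[[Mail], bool]]
    actions: List[Callable[[Mail, List[str]], bool]]
    active: bool = False                 # new rules are always inactive

    def matches(self, mail: Mail) -> bool:
        if self.direction not in ("both", mail.direction):
            return False
        return (any(obj(mail.sender) for obj in self.who_from)
                and any(obj(rcpt) for obj in self.who_to for rcpt in mail.receivers)
                and any(obj(mail) for obj in self.when)
                and any(obj(mail) for obj in self.what))


def process(mail: Mail, rules: List[Rule]) -> List[str]:
    """Apply the active rules in priority order; return the log of what happened."""
    log: List[str] = []
    for rule in sorted((r for r in rules if r.active), key=lambda r: -r.priority):
        if not rule.matches(mail):
            continue
        log.append(f"rule: {rule.name}")
        final = False
        for action in rule.actions:              # every action of the rule runs
            final = action(mail, log) or final
        if final:                                # ...but a final action ends processing
            return log
    log.append("accept")                         # nothing final matched: deliver (assumption)
    return log


EVERYONE = ([anybody], [anybody], [always])      # FROM, TO, WHEN used by most rules
RULES = [
    Rule("Block everything", 100, "both", *EVERYONE, [always], [block]),   # left inactive
    Rule("Block Viruses", 96, "both", *EVERYONE, [virus], [block], active=True),
    Rule("Quarantine Spam (Level 5)", 90, "in", *EVERYONE, [spam(5)], [quarantine], active=True),
    Rule("Modify Spam Subject (Level 3)", 80, "in", *EVERYONE, [spam(3)],
         [modify_spam_subject, modify_spam_level, notify_admin], active=True),
    Rule("Accept partner mail", 70, "in", [domain("partner.example")], [anybody], [always],
         [always], [accept], active=True),
]

if __name__ == "__main__":
    mail = Mail("news@partner.example", ["user@example.com"], "in", "offer", spam_score=3.5)
    print(process(mail, RULES), mail.subject, mail.headers)
```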

5.4.3 Who

Blacklist
Global Blacklist

Whitelist
Global Whitelist

User defined
Define custom WHO objects, possible values:
Add Domain
Add Mail address
Add Regular Expression
Add IP Address
Add IP Network
Add LDAP Group: See chapter 6 LDAP integration (professional version or LDAP option)
Add LDAP User: See chapter 6 LDAP integration (professional version or LDAP option)

5.4.4 What

Dangerous Content
Executable files and partial messages. The default list contains the most common known dangerous attachments.

Images

All kinds of graphic files

Multimedia

Audio and video files

Office Files

Common Office files

Spam
Matches possible spam mail
Spam Filter Settings
Spam Level: 3 (default)
Note: Start with the default level.

Virus

Matches virus infected mail

Custom
You can define custom WHAT objects by adding the following items:
Add Spam Filter
Specify a specific spam level
Add Virus Filter
Detect viruses
Add ContentType Filter
Match attachments (e.g. images, videos, ...)
Add Archive Filter
Match content types (attachments) in archive files (e.g. detect exe files in zip archives)
Add Match Field
Match mail header fields (e.g. Subject:, From:, ...)
Add Match Filename
Match filenames, e.g. *.exe, *.bat, ...

5.4.5 When

Office Hours
Usual office hours
Note: valid all days (7 days a week)

5.5 Administration

5.5.1 Server

Services
Displays running services. If necessary you can reboot and shut down the Proxmox Mail Gateway server.

Updates
Upload Proxmox Mail Gateway service packs and hotfixes. Check http://www.proxmox.com for available updates and make sure you follow the update instructions in the release notes of each service pack or hotfix.


5.5.2 Statistic

These pages display statistical data concerning e-mail traffic on the Proxmox Mail Gateway.

5.5.3 Quarantine

Manage Spam and Virus quarantine.
Note: By default, quarantine is activated.

Spam
Status
Displays statistical data about your quarantine
Archive
By specifying an e-mail address, you can access the quarantine section for this user
Blacklist
View and edit personal blacklist
Whitelist
View and edit personal whitelist

Virus
Status
Displays statistical data about your quarantine
Archive
By specifying an e-mail address, you can access the quarantine section for this user


Figure 5-3 Preview of a quarantined Spam e-mail

Figure 5-4 Preview of a quarantined Spam e-mail with spam info



Figure 5-5 Preview of a quarantined Phishing e-mail


5.5.4 Tracking center

5.5.4.1 Message Tracking Center


Introduced in Proxmox Mail Gateway 2.1, the message tracking center simplifies the search for emails dramatically.
All log files from the last 7 days can be queried and the results are summarized by an intelligent algorithm. The message tracking center is very fast and powerful, tested on Proxmox sites processing 1 million emails per day.
All corresponding log files are displayed:
Arrival of the email
Proxmox filtering processing with results
Internal queue to your email server
Status of final delivery

Status description:
Accepted/delivered: Email arrived, filtered, and successfully delivered to email server
Accepted/deferred: Email arrived, filtered, but not delivered (still trying to deliver)
Accepted/bounced: Email arrived, filtered, but not accepted by your email server (e.g. user unknown)
Quarantine: Email arrived, filtered, and moved to Proxmox Quarantine
Blocked: Email arrived, but blocked by a filter rule.
Rejected: Email rejected on SMTP level (e.g. sender IP is listed on a CYREN blacklist)
Greylisted: Email greylisted on SMTP level
Queued/delivered: Internal Emails from Proxmox, successfully delivered to email server (e.g. Daily spam report, Notifications, Admin report, BCC emails, ...)
Queued/deferred: Internal Emails from Proxmox, not yet delivered
Queued/bounced: Internal Emails from Proxmox, but not accepted by the email server (e.g. user unknown)


Figure 5-6 Message Tracking Center


5.5.4.2 Real-time

The real-time syslog shows the last 100 lines, the output can be filtered by selecting the log files from
a service or by entering an individual search string.

Figure 5-7 Real time log

5.5.4.3 Greylist log

Displays the greylist log. For message tracking issues use the search function in the message tracking
center.


5.5.5 Queues

Mail
Display the mail queue. You can flush or delete the queue. By clicking on a recipient domain you will see details about the queue status.

Figure 5-8 Display Mail Queue


6 LDAP integration (professional version or LDAP option)

The Proxmox Mail Gateway can query existing LDAP directories (MS ADS only) for users, groups and e-mail addresses. Proxmox Mail Gateway uses a unique approach to cache LDAP data. That way, LDAP data is always available, even when the LDAP servers are temporarily unavailable.
LDAP hierarchies can be complex, and it is quite usual to have more than one server. Proxmox supports such an infrastructure by having multiple LDAP profiles. Each profile has its own settings, and you can query either a selected profile, or simply search all profiles. LDAP queries use the local cache, so they are extremely fast, even when you query multiple servers.
You first need to create one or more LDAP profiles in order to use LDAP queries inside the rule system.
Proxmox Mail Gateway supports Windows 2003/2008/2008 and 2008r2 Active Directory, with Exchange 2000, 2003, 2007 and 2010.

6.1 Creating a new LDAP profile

LDAP profiles are created on the Configuration/System/LDAP page. Please select Create new LDAP
profile on the menu:

Figure 6-1 LDAP Server settings: Create new LDAP Profile 1


First, you need to choose a profile name. Profile names may contain alphanumeric characters, underscores and white spaces. Other characters are not allowed. A reasonable naming scheme is to use the domain name with its parts separated by underscores (example.com -> example_com).
Now add the IP address of your LDAP server. You can also add a second IP address if you have a backup/fallback server. That second server is used when the first server is not reachable.
We currently use the unencrypted LDAP protocol as default, but LDAPS is recommended for security reasons. So please use LDAPS (secure LDAP) if available.
The last required setting is a username and password used to connect to the LDAP server. We recommend using an unprivileged user who does not have any right other than querying the LDAP database. Active Directory uses names like domain\user or email style usernames like user@domain.tld.

Although not strictly required, we recommend specifying the LDAP BaseDN.
Press save when you are finished.

Figure 6-2 LDAP Server settings: Create new LDAP Profile 2


Proxmox now tries to connect to the server. On success it will display the number of found user,
groups and email addresses.

Figure 6-3 LDAP Server settings: Three profiles configured

6.2 LDAP queries

The object-oriented rule system enables LDAP based Who objects. There are two different kinds of LDAP objects:


LDAP user
Can be used to test if an email address belongs to a specific LDAP user (One LDAP user can have
more than one email address).

LDAP group
Used to test if an email address belongs to a user in the specified group.
Both Objects refer to LDAP profiles. That way you can query individual servers.
The LDAP group object has 2 additional selections Existing Users and Unknown Users. Those
objects can be used to test if a user (e-mail address) exists or not.

6.3 Sample LDAP rules

Note: Please refer to the Proxmox Mail Gateway Deployment Guide for sample rules.


7 Example mail server configuration (outgoing mails)

The default configuration of the Proxmox Mail Gateway uses port 25 for incoming and port 26 for outgoing e-mails.
Outgoing Mails: Configure your mail server to send all e-mails to the Proxmox Mail Gateway, port 26.
Incoming Mails: see 3.2 Firewall settings
Please see the Proxmox Mail Gateway Deployment Guide for all scenarios.

7.1 Configuration for Microsoft Exchange

The default configuration of the Proxmox Mail Gateway uses port 25 for incoming and port 26 for
outgoing e-mails.
With MS Exchange SMTP connectors you can't use port 26 for outgoing (as this conflicts with MS
Exchange internal replication mechanism) so you have to switch these two values (25 and 26). In the
end you have to use port 25 for outgoing and port 26 for incoming mails.

Figure 7-1 MS Exchange: Port settings for use with MS Exchange

IMPORTANT NOTE:
To receive e-mails from the Internet you have to set up port forwarding at your firewall, so that your external IP address and port 25 are forwarded to the Proxmox Mail Gateway IP and port 26.


Figure 7-2 MS Exchange 2003: SMTP Connector (Define smart host: Proxmox Mail Gateway)


Figure 7-3 MS Exchange 2003: SMTP connector Address space

7.2 Configuration for Postfix

Just add a default_transport entry to your Postfix main configuration file (usually /etc/postfix/main.cf). For example, if your mail gateway uses the address 1.2.3.4, add the line:
default_transport = smtp:1.2.3.4:26


8 Example rules
Proxmox uses a powerful rule system to handle e-mail traffic. The default setting is ready for use in
the first run.
Note: Please refer to the Proxmox Mail Gateway Deployment Guide for sample rules.


9 Redundant servers and load balancing

The normal mail delivery process looks up DNS Mail Exchange (MX) records to determine the destination host. An MX record tells the sending system where to deliver mail for a certain domain. It is also possible to have several MX records for a single domain; they can have different priorities. For example, our MX record looks like this:

> dig -t mx proxmox.com

;; ANSWER SECTION:
proxmox.com.            22879   IN      MX      10 mail.proxmox.com.

;; ADDITIONAL SECTION:
mail.proxmox.com.       22879   IN      A       213.129.239.114

Please notice that there is one single MX record for the domain proxmox.com, pointing to mail.proxmox.com. The dig command automatically prints the corresponding address record if it exists. In our case it points to 213.129.239.114. The priority of our MX record is set to 10 (preferred default value).

9.1 Hot standby with backup MX records

Many people do not want to install two redundant mail proxies; instead they use the mail proxy of their ISP as fall-back. This is simply done by adding an additional MX record with a lower priority (higher number). With the example above this looks like this:
proxmox.com.            22879   IN      MX      100 mail.provider.tld.

Of course, your provider must accept mails for your domain and forward received mails to you.
You will never lose mails with such a setup, because the sending Mail Transport Agent (MTA) will simply deliver the mail to the backup server (mail.provider.tld) if the primary server (mail.proxmox.com) is not available.

9.2 Load balancing with MX records

Using your ISP's mail server is not always a good idea, because many ISPs do not use advanced spam prevention techniques like Greylisting. It is often better to run a second server yourself to avoid lower spam detection rates.
Anyway, it's quite simple to set up a high performance load balanced mail cluster using MX records. You just need to define two MX records with the same priority. I will explain this using a complete example to make it clearer.
First, you need to have at least 2 working Proxmox mail gateways (mail1.example.com and mail2.example.com) set up as a cluster (see chapter 10 Proxmox Mail Gateway HA cluster), each having its own IP address. Let us assume the following addresses (DNS address records):
mail1.example.com.      22879   IN      A       1.2.3.4
mail2.example.com.      22879   IN      A       1.2.3.5

By the way, it is always a good idea to add reverse lookup entries (PTR records) for those hosts. Many email systems nowadays reject mails from hosts without valid PTR records.

Then you need to define your MX records:
example.com.            22879   IN      MX      10 mail1.example.com.
example.com.            22879   IN      MX      10 mail2.example.com.

This is all you need. You will receive mails on both hosts, more or less load-balanced using round-robin scheduling. If one host fails the other is used.

9.3 Other ways

9.3.1 Multiple address records

Using several DNS MX records is sometimes clumsy if you have many domains. It is also possible to use one MX record per domain, but multiple address records:
example.com.            22879   IN      MX      10 mail.example.com.
mail.example.com.       22879   IN      A       1.2.3.4
mail.example.com.       22879   IN      A       1.2.3.5

9.3.2 Using firewall features

Many firewalls can do some kind of RR-Scheduling (round-robin) when using DNAT. See your firewall manual for more details.
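The following added example (not from this guide) simulates which host a sending MTA tries first for the three DNS layouts of this chapter: the backup MX of 9.1 is only reached when the preferred host is down, while the equal-priority MX records of 9.2 and the multiple address records of 9.3.1 spread the first attempt across both gateways. The zone data is constructed from the records above; the backup MX address is a placeholder.

```python
"""Added example, not Proxmox code: the order in which a sending MTA tries the
hosts behind the MX layouts of chapter 9 (hot standby, equal-priority load
balancing, one MX with several address records). Zone data is constructed."""
import random
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed zone data mirroring the chapter's examples: (preference, host) MX records.
ZONE_MX: Dict[str, List[Tuple[int, str]]] = {
    "proxmox.com.": [(10, "mail.proxmox.com."), (100, "mail.provider.tld.")],  # 9.1 hot standby
    "example.com.": [(10, "mail1.example.com."), (10, "mail2.example.com.")],  # 9.2 load balancing
    "example.org.": [(10, "mail.example.org.")],                               # 9.3.1 two A records
}
ZONE_A: Dict[str, List[str]] = {
    "mail.proxmox.com.": ["213.129.239.114"],
    "mail.provider.tld.": ["198.51.100.25"],   # placeholder address for the ISP's backup MX
    "mail1.example.com.": ["1.2.3.4"],
    "mail2.example.com.": ["1.2.3.5"],
    "mail.example.org.": ["1.2.3.4", "1.2.3.5"],
}


def delivery_order(domain: str, rng: Optional[random.Random] = None) -> List[str]:
    """Addresses in the order an MTA tries them: lowest MX preference first, hosts of
    equal preference in random order (round-robin across sessions), and a host's own
    addresses likewise shuffled."""
    rng = rng or random.Random()
    by_pref: Dict[int, List[str]] = defaultdict(list)
    for pref, host in ZONE_MX[domain]:
        by_pref[pref].append(host)
    order: List[str] = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        for host in hosts:
            addresses = list(ZONE_A[host])
            rng.shuffle(addresses)
            order.extend(addresses)
    return order


def deliver(domain: str, reachable: Set[str], rng: Optional[random.Random] = None) -> Optional[str]:
    """Simulated delivery: the first reachable address in delivery order wins, so the
    backup MX (higher preference number) only sees mail when every preferred host is down."""
    for address in delivery_order(domain, rng):
        if address in reachable:
            return address
    return None


def first_hops(domain: str, trials: int = 50) -> Set[str]:
    """Which addresses receive the first attempt over many deliveries (shows the balancing)."""
    return {delivery_order(domain, random.Random(seed))[0] for seed in range(trials)}


if __name__ == "__main__":
    print(delivery_order("proxmox.com."))
    print(deliver("proxmox.com.", {"198.51.100.25"}))      # primary down: backup MX is used
    print(first_hops("example.com."), first_hops("example.org."))
```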


10 Proxmox Mail Gateway HA cluster

We are living in a world where email becomes more and more important - failures in email systems are just not acceptable. To meet these requirements we developed the Proxmox HA (High Availability) Cluster.
The Proxmox Mail Gateway HA Cluster consists of a master and several nodes (minimum one node). Configuration is done on the master. Configuration and data is synchronized to all cluster nodes over a VPN tunnel. This provides the following advantages:
centralized configuration management
fully redundant data storage
high availability
high performance

We use a unique application level clustering scheme, which provides extremely good performance. Special considerations were taken to make management as easy as possible. Complete cluster setup is done within minutes, and nodes automatically reintegrate after temporary failures without any operator interaction.

Figure 10-1 Proxmox Mail Gateway HA Cluster


10.1 Hardware requirements

There are no special hardware requirements, although it is highly recommended to use fast and reliable servers with redundant disks on all cluster nodes (Hardware RAID with BBU and write cache enabled).
The HA Cluster can also run in virtualized environments.

10.2 Required licenses

Each host in a Cluster needs its own Cluster Subscription License file. Please upload the license file before adding a node to the cluster.

10.3 Load balancing

You can use one of the mechanisms described in chapter 9 if you want to distribute mail traffic among the cluster nodes. Please note that this is not always required, because it is also reasonable to use only one node to handle SMTP traffic. The second node is then used as quarantine host (providing the web interface to the user quarantine).

10.4 Cluster administration

Cluster administration is done with a single command line utility called proxca. So you need to log in via ssh to manage the cluster setup.
Note: Always set up the IP configuration before adding a node to the cluster. IP address, network mask, gateway address and hostname can't be changed later.

10.4.1 Creating a cluster

You can create a cluster from any existing Proxmox host. All data is preserved.
upload a cluster licence
make sure you have the right IP configuration (IP/MASK/GATEWAY/HOSTNAME), because you cannot change that later
run: proxca -c

10.4.2 List cluster status

Run: proxca -l

10.4.3 Adding cluster nodes

When you add a new node to a cluster (join) all data on that node is destroyed. The whole database is initialized with cluster data from the master.
Upload a cluster license to the node
make sure you have the right IP configuration
run (on new node): proxca -a -h $MASTERIP

You need to enter the root password of the master host when asked for a password.

Attention:
Node initialization deletes all existing databases, stops and then restarts all services accessing the database. So do not add nodes which are already active and receive mails.

Also, joining a cluster can take several minutes, because the new node needs to synchronize all data
from the master (although this is done in the background).

Note: If you join a new node, existing quarantined items from the other nodes are not
synchronized to the new node.

10.4.4 Deleting nodes

Run (on master): proxca -d CID
CID (Cluster ID) is the unique ID displayed by proxca -l

10.5 Disaster recovery

It is highly recommended to use redundant disks on all cluster nodes (RAID). So in almost any circumstances you just need to replace the damaged hardware or disk. Proxmox Mail Gateway uses an asynchronous clustering algorithm, so you just need to reboot the repaired node, and everything will work again transparently.
The following scenarios only apply when you really lose the contents of the hard disk.

10.5.1 Single node failure

- delete the failed node on the master: proxca -d CID
- add (re-join) a new node: proxca -a -h $MASTERIP

10.5.2 Master failure

- force another node to be master: proxca -m
- tell the other nodes that the master has changed: proxca -s -h $MASTERIP

10.5.3 Total cluster failure

- restore the backup (cluster and node information is not restored, you have to recreate master
  and nodes)
- tell it to become master: proxca -c
- add new nodes: proxca -a -h $MASTERIP

11 Troubleshooting and technical support


- Use the moderated Proxmox support forum or contact a Proxmox partner for their support
  offerings.
- All information: http://www.proxmox.com
- Proxmox Customer Portal: https://my.proxmox.com

11.1 Console login

Advanced users can use the console or SSH login. For normal operation, this is never necessary.

Default user:     root
Default password: admin (the same as for the web interface!)

Note: It's not recommended to change settings via the console.

12 Table of figures
Figure 1-1 Processing of incoming e-mail traffic................................................................................................. 6
Figure 3-1 Infrastructure without Proxmox Mail Gateway ............................................................................... 8
Figure 3-2 Infrastructure with integrated Proxmox Mail Gateway ................................................................. 8
Figure 4-1 Selecting Software RAID during installation ................................................................................... 13
Figure 5-1 Login page Proxmox Mail Gateway .................................................................................................. 14
Figure 5-2 Start page Proxmox Mail Gateway after log in .............................................................................. 15
Figure 5-3 Preview of a quarantined Spam e-mail ........................................................................................... 29
Figure 5-4 Preview of a quarantined Spam e-mail with spam info ............................................................... 29
Figure 5-5 Preview of a quarantined Phishing e-mail ...................................................................................... 30
Figure 5-6 Message Tracking Center ................................................................................................................... 32
Figure 5-7 Real time log .......................................................................................................................................... 33
Figure 5-8 Display Mail Queue .............................................................................................................................. 34
Figure 6-1 LDAP Server settings: Create new LDAP Profile 1 ........................................................................ 35
Figure 6-2 LDAP Server settings: Create new LDAP Profile 2 ........................................................................ 36
Figure 6-3 LDAP Server settings: Three profiles configured .......................................................................... 36
Figure 7-1 MS Exchange: Port settings for use with MS Exchange .............................................................. 38
Figure 7-2 MS Exchange 2003: SMTP Connector (Define smart host: Proxmox Mail Gateway)............ 39
Figure 7-3 MS Exchange 2003: SMTP connector Address space .............................................................. 40
Figure 10-1 Proxmox Mail Gateway HA Cluster ................................................................................................ 44
Figure 13-1 Configure scheduled backup Windows share ......................................................................... 52

13 Appendix

13.1 Available macros for rule system

It is possible to use macros inside most fields of action objects. That way it is possible to access and
include data contained in the original mail, get envelope sender and receiver addresses, or include
additional information about viruses and spam. Currently the following macros are defined:

Macro             Comment
__SENDER__        (envelope) sender mail address
__RECEIVERS__     (envelope) receiver mail address list
__ADMIN__         Email address of the administrator
__TARGETS__       Subset of receivers matched by the rule
__SUBJECT__       Subject of the message
__MSGID__         The message ID
__RULE__          Name of the matching rule
__RULE_INFO__     Additional information about the matching rule
__VIRUS_INFO__    Additional information about detected viruses
__SPAMLEVEL__     Computed spam level
__SPAM_INFO__     Additional information about why the message is spam
__SENDER_IP__     IP address of the sending host
__VERSION__       The current software version (Proxmox Mail Gateway)
__FILENAME__      Attachment file name
__SPAMSTARS__     A series of "*" characters, one for each full score (__SPAMLEVEL__) point

A simple example is the Modify Spam Subject action, which prepends SPAM: to the original message
subject. To achieve this, just use SPAM: __SUBJECT__ as the value for that action object.

13.2 Individual SpamAssassin configuration

This is only for advanced users. To add or change the configuration of the Proxmox SpamAssassin, log
in to the console via SSH and go to /etc/mail/spamassassin/. This directory contains two files
(init.pre, local.cf); do not change these. To add your own configuration, create a new file named
custom.cf in this directory and add your configuration there, taking care to use SpamAssassin syntax.
For more information see http://spamassassin.apache.org/
The custom.cf file is also synchronized in an HA Cluster environment.

13.3 Customized daily spam reports

It's possible to customize the daily spam reports. The report generator uses a simple HTML template
file which may contain macros. To activate customized reports you need to create such a template
file and copy it to /etc/proxmox/spamreport.tmpl. Two examples can be found in
/var/lib/proxmox/templates/spamreport-verbose.tmpl
and
/var/lib/proxmox/templates/spamreport-short.tmpl; those templates are actually
used to generate the default spam reports. You also need to select the Custom report style in the
web interface to use the custom template (Configuration/Spam/Quarantine/ReportStyle).
The following macros are currently defined:
Macro             global  Comment
__SENDER__        No      (envelope) sender mail address
__RECEIVER__      No      (envelope) receiver mail address
__SUBJECT__       No      subject of the message
__FROM__          No      from field
__DATE__          Yes     message arrival date or report date
__TIME__          No      message arrival time
__TICKET__        Yes     authorization ticket
__BYTES__         No      message size
__SPAMLEVEL__     No      spam level of message
__SPAMINFO__      No      additional information about why it is spam
__PMAIL__         Yes     primary mail address of receiver
__HREF__          No      href to view message
__WLHREF__        No      href to whitelist sender
__BLHREF__        No      href to blacklist sender
__DELETEHREF__    No      href to delete message
__DELIVERHREF__   No      href to deliver message
__PROTOCOL__      Yes     selected protocol (http or https)
__FQDN__          Yes     fully qualified domain name of quarantine host
__HOSTNAME__      Yes     quarantine host hostname
__DOMAIN__        Yes     quarantine host domain
__ACTIONHREF__    Yes     href to perform various actions
__MAILCOUNT__     Yes     number of mails
__MSG_XXXX__      Yes     standard messages used by the standard reports (translated to
                          various languages)

A detailed report usually displays information about each mail. Inside the template, everything
between <!--start entry--> and <!--end entry--> is repeated for every mail. Most macros
are only defined inside those marks; only the global macros are available outside them.
Note: A template has to be valid HTML. You can use any HTML editor for easy and fast editing.
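The following is an added example (not Proxmox code) that mimics the two macro mechanisms described in sections 13.1 and 13.3: __NAME__ substitution in a rule action such as Modify Spam Subject, and the per-mail repetition of the <!--start entry--> ... <!--end entry--> block in a report template. The macro names, the sample message, the sample template and the rule that unknown macros are left untouched are assumptions for illustration; the report renderer additionally HTML-escapes every substituted value, so a sender-controlled subject cannot inject markup into the report.

```python
"""Macro expansion for rule actions (13.1) and spam report templates (13.3).

Added example, not Proxmox code: it reproduces the documented behaviour of
__NAME__ macros and of the <!--start entry--> ... <!--end entry--> block
with constructed sample data. Macro names follow the guide's tables; the
message/template/global dicts below are assumptions.
"""
import re
from html import escape

MACRO_RE = re.compile(r"__([A-Z_]+?)__")
ENTRY_RE = re.compile(r"<!--start entry-->(.*?)<!--end entry-->", re.DOTALL)


def spam_stars(level):
    """__SPAMSTARS__: one '*' per full __SPAMLEVEL__ point (7.4 -> 7 stars)."""
    return "*" * int(level)


def expand_macros(text, values, html=False):
    """Replace each __NAME__ with values['NAME']; unknown macros stay as-is
    (assumption). With html=True every value is HTML-escaped so a crafted
    subject or sender cannot inject markup into the generated report."""
    def repl(match):
        name = match.group(1)
        if name not in values:
            return match.group(0)
        value = str(values[name])
        return escape(value, quote=True) if html else value
    return MACRO_RE.sub(repl, text)


def rule_macros(msg):
    """Build the macro set a rule action sees for one message (subset of 13.1)."""
    return {
        "SENDER": msg["sender"],
        "RECEIVERS": ", ".join(msg["receivers"]),
        "TARGETS": ", ".join(msg.get("targets", msg["receivers"])),
        "SUBJECT": msg["subject"],
        "MSGID": msg["msgid"],
        "SPAMLEVEL": msg["spamlevel"],
        "SPAMSTARS": spam_stars(msg["spamlevel"]),
        "SENDER_IP": msg["sender_ip"],
    }


def modify_spam_subject(msg, pattern="SPAM: __SUBJECT__"):
    """The guide's Modify Spam Subject action, expressed as macro expansion."""
    return expand_macros(pattern, rule_macros(msg))


def render_report(template, global_values, mails):
    """Repeat the entry block once per mail (per-mail plus global macros),
    then expand the global macros that remain outside the entry block."""
    def repeat(match):
        body = match.group(1)
        return "".join(expand_macros(body, {**global_values, **mail}, html=True)
                       for mail in mails)
    expanded = ENTRY_RE.sub(repeat, template)
    return expand_macros(expanded, global_values, html=True)


# Constructed sample data (not taken from a real gateway)
SAMPLE_MSG = {
    "sender": "promo@example.net",
    "receivers": ["alice@example.com", "bob@example.com"],
    "subject": "Cheap watches",
    "msgid": "<abc123@example.net>",
    "spamlevel": 7.4,
    "sender_ip": "192.0.2.10",
}

SAMPLE_TEMPLATE = """<html><body>
<p>__MAILCOUNT__ quarantined mails for __PMAIL__ on __FQDN__</p>
<table>
<!--start entry--><tr><td>__SENDER__</td><td>__SUBJECT__</td><td>__SPAMLEVEL__</td>
<td><a href="__HREF__">view</a></td></tr>
<!--end entry--></table></body></html>"""

SAMPLE_GLOBALS = {"MAILCOUNT": 2, "PMAIL": "alice@example.com",
                  "FQDN": "pmg.example.com", "PROTOCOL": "https"}

SAMPLE_MAILS = [
    {"SENDER": "promo@example.net", "SUBJECT": "Cheap watches", "SPAMLEVEL": 7.4,
     "HREF": "https://pmg.example.com/quarantine?id=1&ticket=t"},
    # second mail carries a hostile subject to show the escaping at work
    {"SENDER": "evil@example.org", "SUBJECT": "<script>alert(1)</script>",
     "SPAMLEVEL": 12, "HREF": "https://pmg.example.com/quarantine?id=2&ticket=t"},
]

if __name__ == "__main__":
    print(modify_spam_subject(SAMPLE_MSG))
    print(expand_macros("__SPAMSTARS__ (__SPAMLEVEL__)", rule_macros(SAMPLE_MSG)))
    print(render_report(SAMPLE_TEMPLATE, SAMPLE_GLOBALS, SAMPLE_MAILS))
```

Running the block prints the rewritten subject "SPAM: Cheap watches", the star line, and a report with one table row per sample mail in which the hostile subject appears as harmless text.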

13.4 Using regular expressions

A regular expression is a string of characters which describes the strings you are looking for. The
following is a short introduction to the syntax of regular expressions as used when editing Who Objects. If
you are familiar with Perl, you already know the syntax.

13.4.1 Simple regular expressions

In its simplest form, a regular expression is just a word or phrase to search for.
"Mail" would match the string "Mail". The search is case sensitive, so "MAIL" or "mail" would
not be matched.

13.4.2 Metacharacters

Some characters have a special meaning. These characters are called metacharacters.
The period (.) is a commonly used metacharacter. It matches exactly one character, regardless of
what that character is.
"e.mail" would match "e-mail" or "e2mail", but not "e-some-mail".

The question mark (?) indicates that the character immediately preceding it occurs either zero times or one
time.
"e?mail" would match "email" or "mail", but not "e-mail".
Another metacharacter is the star (*). This indicates that the character immediately to its left may be
repeated any number of times, including zero.
"e*mail" would match "email", "mail" or "eeemail".
The plus (+) metacharacter does the same as the star (*), excluding zero.
So "e+mail" does not match "mail".
Metacharacters may be combined. A common combination is the period immediately followed by the
star. This is used to match an arbitrary string of any length, including the empty string. For example:
".*company.*" matches "company@domain.com", "company@domain.co.uk" or
"department.company@domain.com".
For more information take a look at the references.
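To make the examples above concrete, here is an added illustration (not Proxmox code) that runs the guide's patterns through Python's Perl-compatible re module. The guide's examples read as whole-string matches ("e?mail" is said not to match "e-mail", and ".*company.*" is needed to match inside an address), so fullmatch() is assumed here. The block also shows the practical caveat that follows from the period being a metacharacter: a Who Object entry written as a bare address such as info@example.com is looser than it looks unless the dot is escaped.

```python
"""Who Object style regular expressions from section 13.4, tried out with
Python's Perl-compatible re module. Added illustration, not Proxmox code;
whole-string matching (fullmatch) is an assumption drawn from the guide's
examples."""
import re


def who_matches(pattern, address):
    """True if the whole address matches the pattern (assumed semantics)."""
    return re.fullmatch(pattern, address) is not None


def match_table(pattern, candidates):
    """Evaluate one pattern against several candidate strings."""
    return {c: who_matches(pattern, c) for c in candidates}


def literal_pattern(address):
    """Escape metacharacters so the pattern matches exactly this address.
    An unescaped '.' matches any single character, so 'info@example.com'
    as a pattern also accepts 'info@exampleXcom'."""
    return re.escape(address)


# Constructed candidates, mirroring the guide's examples plus a few extras.
EXAMPLES = {
    "Mail": ["Mail", "MAIL", "mail"],
    "e.mail": ["e-mail", "e2mail", "email", "e-some-mail"],
    "e?mail": ["email", "mail", "e-mail"],
    "e*mail": ["email", "mail", "eeemail", "e-mail"],
    "e+mail": ["email", "eeemail", "mail"],
    ".*company.*": ["company@domain.com", "company@domain.co.uk",
                    "department.company@domain.com", "corp@domain.com"],
}


def all_examples():
    """Match table for every pattern in EXAMPLES."""
    return {p: match_table(p, c) for p, c in EXAMPLES.items()}


if __name__ == "__main__":
    for pattern, table in all_examples().items():
        hits = [c for c, ok in table.items() if ok]
        misses = [c for c, ok in table.items() if not ok]
        print(f"{pattern!r:16} matches {hits}, not {misses}")
    print("literal form of info@example.com:", literal_pattern("info@example.com"))
```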

13.4.3 References

Mastering Regular Expressions: Powerful Techniques for Perl and Other Tools
By Jeffrey E. F. Friedl
First Edition, January 1997
ISBN 1-56592-257-3

13.5 Managing software RAID

Software RAID is managed on the console with the Unix command mdadm. Please see the manual
page for more information (man mdadm).
To view the RAID status use:

mdadm --detail /dev/md0

and

cat /proc/mdstat

To add a new disk after a crash (assuming /dev/sdb2 is the newly created partition on the new disk;
use fdisk to partition hard disks):

mdadm --manage /dev/md0 --add /dev/sdb2

After success, update the bootloader on all hard disks (example):

update-grub
grub-install /dev/sda
grub-install /dev/sdb

To initialize the swap partitions, type:

mkswap /dev/sda1 (assuming that sda1 is a swap partition)

mkswap /dev/sdb1 (assuming that sdb1 is a swap partition)
swapon -a

Finally reboot the machine and check all services.
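Reading /proc/mdstat by eye is fine once, but a degraded array is exactly the condition you want to notice before the second disk fails. The following added example (not Proxmox code) parses the /proc/mdstat format shown by the cat command above and reports arrays with a missing or failed member, so it can be run from cron on a gateway node. The mdstat text embedded here is constructed; the assumed layout is the common "name : state level members" line followed by a "blocks [n/m] [UU]" line.

```python
"""Parse /proc/mdstat and flag degraded software RAID arrays.

Added example for section 13.5, not Proxmox code. The SAMPLE_MDSTAT text
is constructed, not captured from a real system; the line layout it
assumes is the usual two-line-per-array format of the Linux md driver.
"""
import re

SAMPLE_MDSTAT = """\
Personalities : [raid1]
md0 : active raid1 sda2[0] sdb2[1]
      20955136 blocks [2/2] [UU]

md1 : active raid1 sda3[0]
      10477568 blocks [2/1] [U_]

unused devices: <none>
"""

# "md0 : active raid1 sda2[0] sdb2[1]"
ARRAY_RE = re.compile(r"^(md\d+)\s*:\s*(\S+)\s+(\S+)\s*(.*)$")
# "      20955136 blocks [2/2] [UU]"  (newer kernels may insert "super 1.2")
STATUS_RE = re.compile(r"(\d+) blocks.*?\[(\d+)/(\d+)\]\s*\[([U_]+)\]")


def parse_mdstat(text):
    """Return one dict per array: name, state, RAID level, member devices,
    configured/active device counts, the [UU]-style slot map and a degraded flag."""
    arrays = []
    current = None
    for line in text.splitlines():
        m = ARRAY_RE.match(line)
        if m:
            name, state, level, rest = m.groups()
            # member tokens look like "sda2[0]" or "sdb2[1](F)" for a failed disk
            members = [tok.split("[")[0] for tok in rest.split() if "[" in tok]
            current = {"name": name, "state": state, "level": level,
                       "members": members, "configured": None, "active": None,
                       "slots": "", "degraded": False}
            arrays.append(current)
            continue
        s = STATUS_RE.search(line)
        if s and current is not None:
            current["configured"] = int(s.group(2))
            current["active"] = int(s.group(3))
            current["slots"] = s.group(4)
            # degraded when a slot is missing ("_") or fewer devices are active
            current["degraded"] = ("_" in s.group(4)
                                   or current["active"] < current["configured"])
    return arrays


def degraded_arrays(text):
    """Names of arrays that need attention (a failed or missing disk)."""
    return [a["name"] for a in parse_mdstat(text) if a["degraded"]]


def read_and_check(path="/proc/mdstat"):
    """Convenience wrapper for use on a real host."""
    with open(path) as fh:
        return degraded_arrays(fh.read())


if __name__ == "__main__":
    for a in parse_mdstat(SAMPLE_MDSTAT):
        flag = "DEGRADED" if a["degraded"] else "ok"
        print(f"{a['name']}: {a['level']} {a['slots']} members={a['members']} {flag}")
    print("degraded:", degraded_arrays(SAMPLE_MDSTAT))
```

On the constructed sample the check reports md1 as degraded (one of two mirror halves missing) and md0 as healthy; on a real node call read_and_check() and alert when the returned list is not empty.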

13.6 Backup considerations

13.6.1 Scheduled backup

Scheduled backups can be configured to store the backup data on an FTP host or a Windows share. Old
backup files can be deleted automatically.
The following data will be stored via scheduled backups:

- System configuration
- Rule configuration
- Statistic database
- License

Log files and quarantined emails are never included in the backup. A backup can only be restored to an
identical version of Proxmox.

Figure 13-1 Configure scheduled backup Windows share

13.6.2 Backup via console

You can use the command line utility proxbackup to back up the whole database including statistical
data:

proxbackup -s full-backup.tgz

Please see the manual page for more information (man proxbackup).

13.6.3 Restore via console

To restore system configuration, rules database and statistical data, you need to run the restore on
the console:

proxbackup -c -d -s -r full-backup.tgz

After the restore you need to reboot to activate the changes.

13.7 Avira SAV antivirus integration

Proxmox supports the Avira SAV engine as an additional virus scanner. Please check
http://www.proxmox.com for details and pricing.

13.8 SSL certificate

Access to the administration web interface is always done via https. The default certificate is never
valid for your browser, so you always get warnings. You can safely ignore these warnings.
If you want to get rid of these warnings, you have to generate a valid certificate for your server.
Log in to your Proxmox via SSH or use the console:

openssl req -newkey rsa:2048 -nodes -keyout key.pem -out req.pem

Follow the instructions on the screen; see this example:

Country Name (2 letter code) [AU]: AT


State or Province Name (full name) [Some-State]:Vienna
Locality Name (eg, city) []:Vienna
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Proxmox GmbH
Organizational Unit Name (eg, section) []:Proxmox Mail Gateway
Common Name (eg, YOUR name) []: yourproxmox.yourdomain.com
Email Address []:support@yourdomain.com
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []: not necessary
An optional company name []: not necessary

After you have finished this certificate request, send the file req.pem to your CA (Certification
Authority). The CA will issue the certificate (BASE64 encoded) based on your request; save this file as
cert.pem on your Proxmox.

To activate the new certificate, do the following on your Proxmox:

cat key.pem cert.pem >/etc/apache2/apache.pem
/etc/init.d/apache2 restart

Test your new certificate using your browser.

Note: To transfer files from and to your Proxmox, you can use secure copy: if your desktop is Linux,
use scp; if your desktop PC is Windows, use an scp client like WinSCP (see
http://winscp.net/).

13.9 Port scans (nmap)

Nmap is designed to allow system administrators to scan large networks to determine which hosts
are up and what services they are offering. You can use nmap to test your firewall settings, for example
to see if the required ports are open.
Test Razor port (tcp port 2703):

nmap -P0 -sS -p 2703 c301.cloudmark.com

Starting Nmap 5.00 ( http://nmap.org ) at 2012-07-31 11:10 CEST
Interesting ports on c301.cloudmark.com (208.83.137.114):
PORT     STATE SERVICE
2703/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds

See the manual page (man nmap) for more information about nmap.

13.10 Create bootable USB stick

The installation media is a hybrid ISO image, working in two ways:

- An ISO image file ready to burn on CD
- A raw sector (IMG) image file ready to directly dd to flash media (USB stick)

Using USB sticks is faster and more environmentally friendly and therefore the recommended way to
install Proxmox Mail Gateway.
In order to boot the installation media you need to copy the ISO image to your USB media. You need
at least a 1024 MB USB stick.

13.10.1 Instructions for Windows

Make sure that your USB media is not mounted and does not contain any data.
Download the ImageUSB tool (http://www.osforensics.com/tools/write-usb-images.html) and use it to copy the
Proxmox Mail Gateway ISO image to your USB media.

13.10.2 Instructions for Linux (and OSX)

You can simply use dd on Unix-like systems. First download the ISO image, then plug in the USB stick
(you need to find out which device name gets assigned to the USB stick).

dd if=proxmox-mailgateway*.iso of=/dev/XYZ bs=1M

Be sure to replace /dev/XYZ with the correct device name (be careful, and do not overwrite your hard
disk!)

13.10.3 Boot your server from USB media

Connect your USB media to your server, make sure that the server boots from USB, and follow
the installation wizard.

- End of document -
