Administration Guide
8/22/2016
MailGatewayAdminGuide-V3.4.docx
Proxmox Server Solutions GmbH reserves the right to make changes to this document and to the
products described herein without notice. Before installing and using the software, please review the
latest version of this document, which is available from http://www.proxmox.com.
NOTE: All prices are one year subscription licenses. After expiration, e-mail flow continues but Spam- and AV checks are not working anymore (Exception: ClamAV will continue working).
All other product or company names different from Proxmox may be trademarks or registered
trademarks of their owners.
Copyright 2005 - 2016 Proxmox Server Solutions GmbH. All rights reserved. No part of this
publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the
express prior written consent of Proxmox.
Table of Contents
1
3.3 System requirements
3.3.1 Minimum system requirements
3.3.2 Recommended system requirements
3.4 Compare the Proxmox Mail Gateway editions
3.4.1 Proxmox Mail Gateway Free version
3.4.2 Proxmox Mail Gateway Standard versions
3.4.3 Proxmox Mail Gateway Professional
3.4.4 Proxmox Mail Gateway HA Cluster
3.4.5 EDU, GOV and non-profit organization licensing
4.2 Software RAID
4.2.1 Differences between RAID systems
5.2
5.3 Configuration
5.3.1 System
5.3.2 Mail proxy
5.3.3 Spam detector
5.3.4 Virus detector
5.3.5 User management
5.3.6 Cluster
5.3.7 License
5.4 Mail filter
5.4.1 Rules
5.4.2 Actions
5.4.3 Who
5.4.4 What
5.4.5 When
5.5 Administration
5.5.1 Server
5.5.2 Statistic
5.5.3 Quarantine
5.5.4 Tracking center
22.08.2016 Proxmox Server Solutions GmbH
6.2 LDAP queries
6.3
7.2
9.2
9.3 Other ways
9.3.1 Multiple address records
9.3.2 Using firewall features
10.2
10.3
13.2
13.3
13.8
13.9
13.10 Create bootable USB stick
13.10.1 Instructions for Windows
13.10.2 Instructions for Linux (and OSX)
13.10.3 Boot your server from USB media
In this sample configuration, your e-mail traffic (SMTP) arrives on the firewall and will be directly
forwarded to your e-mail server.
3.1.1
Many e-mail filter solutions do not scan outgoing mails. In contrast, Proxmox Mail Gateway is
designed to scan both incoming and outgoing e-mails. This has two major advantages:
1. Proxmox Mail Gateway is able to detect viruses sent from an internal host. In many countries
you are liable for not sending viruses to other people. The outgoing e-mail scanning feature of
Proxmox Mail Gateway is an additional protection to avoid that.
2. Proxmox Mail Gateway can gather statistics about outgoing e-mails too. Statistics about
incoming e-mails look nice, but they are quite useless. Consider two users: user-1 receives
10 e-mails from news portals and wrote 1 e-mail to a person you never heard from, while
user-2 receives 5 e-mails from a customer and sent 5 e-mails back. Which user do you
consider more active? I am sure it's user-2, because he communicates with your customers.
Proxmox Mail Gateway advanced address statistics can show you this important information.
Solutions which do not scan outgoing e-mail can't do that.
To enable outgoing e-mail filtering you just need to send all outgoing e-mails through your Proxmox
Mail Gateway (usually by specifying Proxmox as smarthost on your e-mail server; see chapter 7
Example mail server configuration (outgoing mails)).
3.2
Firewall settings
In order to pass e-mail traffic to the Proxmox Mail Gateway you need to enable the SMTP port. Our
servers also use the Network Time Protocol (NTP) for time synchronization, RAZOR, DNS and HTTP(S).
Service            Port   Protocol   From       To
SMTP               25     TCP        Proxmox    Internet
SMTP               25     TCP        Internet   Proxmox
NTP                123    TCP/UDP    Proxmox    Internet
RAZOR              2703   TCP        Proxmox    Internet
DNS                53     TCP/UDP    Proxmox    DNS Server
HTTP               80     TCP        Proxmox    Internet
HTTPS (optional)   443    TCP        Internet   Proxmox
The outgoing HTTP connection is mainly used by virus pattern updates, and can be configured to use
a proxy instead of a direct internet connection.
You can use the nmap utility to test your firewall settings (see chapter 13.9).
3.3
System requirements
Proxmox Mail Gateway needs dedicated server hardware but can also run as a Virtual Appliance:
Proxmox VE (KVM)
VMware vSphere (open-vm tools are integrated in the ISO)
Hyper-V (Hyper-V Linux integration tools are integrated in the ISO)
KVM (virtio drivers are integrated, great performance)
VirtualBox
Citrix XenServer
Note: All existing data on the hard disk will be lost during the installation!
3.3.1
Minimum system requirements
3.3.2
Recommended system requirements
3.4
Compare the Proxmox Mail Gateway editions
Proxmox Mail Gateway must be licensed for the number of relaying domains. For example, if you run
a mail server receiving e-mails for three domains (e.g. domain.net, domain.com, domain.at), then you
need the three domain version. All editions are for unlimited users; only the optional Avira SAV is
licensed per user.
Note: If you want more features than your license offers, you can always upgrade by buying another
license without reinstallation.
3.4.1
Proxmox Mail Gateway Free version
The free version is discontinued with V3.0 and later and is not available anymore (due to license
restrictions from third party tools).
3.4.2
Proxmox Mail Gateway Standard versions
Standard versions are available for one, three, five and unlimited domains.
If you need to query MS Active Directory, an optional LDAP connector for one, three and five domains
can be purchased.
3.4.3
Proxmox Mail Gateway Professional
This edition is intended to meet the demands of complex and high performance installations. This
license provides the highest flexibility and performance (Relayed domains can be edited on the web
interface, LDAP integration, etc.).
3.4.4
Proxmox Mail Gateway HA Cluster
The Proxmox HA Cluster consists of a master and several nodes (minimum one node). Configuration
is done on the master. Configuration and all data are synchronized to all cluster nodes over a VPN
tunnel. This provides the following advantages:
The Proxmox Mail Gateway HA Cluster uses a unique application level clustering scheme, which
provides extremely good performance. Special considerations were taken to make management as
easy as possible. Complete Cluster setup is done within minutes, and nodes automatically reintegrate
after temporary failures without any operator interaction.
3.4.5
EDU, GOV and non-profit organization licensing
To purchase Proxmox Mail Gateway EDU/GOV/Non-Profit licenses, Proxmox must have proof of
eligible status. Please attach information regarding your eligibility to an email and send it to
office@proxmox.com. Once the information is validated, we will reply as soon as possible.
Organization qualified:
Universities, Schools, Governmental Organizations, NGO, etc.
Currently, the following license is available for a reduced price:
The installer boots from CD or USB stick and detects your hardware without interaction. All Proxmox
products are based on Linux packages and most amd64 based PC and server hardware will work.
4.2
Software RAID
The installer supports hardware RAID and software RAID (mirroring with mdraid). Please see chapter
13.5 Managing software RAID for details.
Requirements: two identical hard drives
Note:
4.2.1
Differences between RAID systems
[Table comparing Hardware RAID, Software RAID and HostRAID (integrated in the main board), with columns Description and Examples]
Web interface
5.2
Note: To determine which license meets your requirements, check chapter 3.4 Compare the
Proxmox Mail Gateway editions.
Please visit www.proxmox.com to get a license. Without a valid subscription license, the Proxmox
Mail Gateway will not process any e-mail. All prices are one year subscription licenses. After
expiration, e-mail flow continues but Spam- and AV checks are not working anymore (Exception:
ClamAV will continue working).
5.3
Configuration
Note:
5.3.1
System
Network
Time
Backup
Back up your system configuration and rule database to a file (a few Kbytes).
Statistical data will not be saved via the web interface, only via scheduled backup!
Configure Scheduled Backups to FTP or Windows Share.
Note:
Restore
Note:
Reports
Spanish,
Define the default language for the web interface and the daily reports
SSH Access
5.3.2
Mail proxy
Relaying
IP address (or FQDN) and SMTP port of your existing e-mail server
Relayed domains: list of relayed mail domains (displayed information from
the uploaded license file)
If you need more mail domains, upgrade your license
Note:
Ports
Review external (default 25) and internal (default 26) SMTP port
Check these settings with your firewall and existing e-mail server.
Options
Note: You have to reconfigure your internal mail server if you use YES.
For details see the Proxmox Mail Gateway Deployment Guide in the latest
release.
192.168.2.1
Transports
192.168.2.1:25
outproxy.domain.tld:26
You can use Proxmox Mail Gateway to send e-mails to different internal e-mail servers. For
example you can send e-mails addressed to domain.com to your first e-mail server, and e-mails
addressed to subdomain.domain.com to a second one.
Note: you need an appropriate license for each domain, otherwise it will
not work!
Add the IP addresses, hostnames, SMTP ports and mail domains (or just
single e-mail addresses) of your additional e-mail servers.
Networks
TLS
TLS support
Transport Layer Security (TLS) provides certificate-based authentication
and encrypted sessions. An encrypted session protects the information
that is transmitted with SMTP mail. When you activate TLS, Proxmox Mail
Gateway automatically generates a new self-signed certificate for you.
Proxmox Mail Gateway uses opportunistic TLS encryption. The SMTP
transaction is encrypted if the STARTTLS ESMTP feature is supported by
the server. Otherwise, messages are sent in the clear.
Enable TLS logging
To get additional information about SMTP TLS activity you can enable TLS
logging. That way information about TLS sessions and used certificates is
logged via syslog.
Add TLS received header
Set this option to include information about the protocol and cipher used
as well as the client and issuer CommonName into the "Received:"
message header.
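Because TLS is opportunistic, some mail still reaches the gateway in the clear, and the "Add TLS received header" option is what lets you find it afterwards. The following audit is an added example, not code from the Proxmox guide or product: it assumes the Postfix-style annotation `(using <protocol> with cipher <cipher> (<bits>/<bits> bits))` in the gateway's Received: header, and the gateway name, sample messages and weak-protocol list are constructed for illustration.

```python
import re
from email import message_from_string

# Assumed Postfix-style annotation written into the Received: header, e.g.
#   (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
TLS_RE = re.compile(
    r"\(using (?P<proto>(?:TLS|SSL)v[\d.]+) with cipher (?P<cipher>[\w-]+) "
    r"\((?P<bits>\d+)/\d+ bits\)\)"
)
# Only present when the sending client offered a certificate.
CERT_RE = re.compile(r'Client CN "(?P<cn>[^"]*)", Issuer "(?P<issuer>[^"]*)"')

# Reporting policy chosen for this example, not a gateway setting.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

GATEWAY = "gw.example.com"  # constructed host name


def gateway_hop(raw_message, gateway):
    """Return the unfolded Received: header stamped by `gateway`, or None.

    Headers are read top-down and the first match wins, so a forged
    "by <gateway>" line that the sender placed further down is ignored.
    """
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # undo header folding
        if re.search(r"\bby " + re.escape(gateway) + r"(?![\w.-])", flat):
            return flat
    return None


def classify(raw_message, gateway=GATEWAY):
    """Classify the inbound hop as ok, weak, cleartext or unknown."""
    hop = gateway_hop(raw_message, gateway)
    if hop is None:
        return {"status": "unknown"}
    tls = TLS_RE.search(hop)
    if tls is None:
        # The peer did not use STARTTLS, so the session was not encrypted.
        return {"status": "cleartext"}
    cert = CERT_RE.search(hop)
    return {
        "status": "weak" if tls["proto"] in WEAK_PROTOCOLS else "ok",
        "protocol": tls["proto"],
        "cipher": tls["cipher"],
        "bits": int(tls["bits"]),
        "client_cn": cert["cn"] if cert else None,
    }


def audit(samples, gateway=GATEWAY):
    """Map message name -> status for a batch of raw messages."""
    return {name: classify(raw, gateway)["status"] for name, raw in samples.items()}


# Constructed sample messages (documentation addresses, made-up queue ids).
SAMPLES = {
    "tls12": (
        "Received: from mx.sender.example (mx.sender.example [192.0.2.10])\n"
        "\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n"
        '\t(Client CN "mx.sender.example", Issuer "Example CA" (verified OK))\n'
        "\tby gw.example.com (Postfix) with ESMTPS id 4A1B2C\n"
        "\tfor <user@example.com>; Mon, 22 Aug 2016 10:00:00 +0200 (CEST)\n"
        "Subject: quarterly numbers\n\nbody\n"
    ),
    "legacy": (
        "Received: from legacy.sender.example (legacy.sender.example [192.0.2.30])\n"
        "\t(using TLSv1 with cipher AES128-SHA (128/128 bits))\n"
        "\t(No client certificate requested)\n"
        "\tby gw.example.com (Postfix) with ESMTPS id 7F8E9D\n"
        "Subject: hello\n\nbody\n"
    ),
    "plain": (
        "Received: from old.sender.example (old.sender.example [192.0.2.20])\n"
        "\tby gw.example.com (Postfix) with ESMTP id 5D6E7F\n"
        "\tfor <user@example.com>; Mon, 22 Aug 2016 10:05:00 +0200 (CEST)\n"
        # Sender-supplied header further down that falsely claims TLS:
        "Received: from localhost (localhost [127.0.0.1])\n"
        "\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n"
        "\tby gw.example.com (Postfix) with ESMTPS id FORGED\n"
        "Subject: invoice\n\nbody\n"
    ),
}

if __name__ == "__main__":
    for name, status in audit(SAMPLES).items():
        print(f"{name:8} {status}")
```

Only the topmost header naming the gateway is trusted, since everything below it was supplied by the sender.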
Whitelist (formerly Greylist excl.)
SMTP whitelist: All SMTP checks are disabled for those entries (e.g.
Greylisting, SPF, RBL, ...)
Note: If you use a backup-MX server (e.g. your ISP offers this service for
you) you should always add those servers.
5.3.3
Spam detector
Proxmox Mail Gateway uses a wide variety of local and network tests to identify spam signatures. This
makes it harder for spammers to identify one aspect which they can craft their messages to work
around.
Every single e-mail will be analyzed and get a spam score assigned. The systems attempt to optimize
the efficiency of the rules that are run in terms of minimizing the number of false positives and false
negatives.
Note:
For detailed spam configuration, see also chapter 5.4 Mail filter.
Options
Use auto-whitelists
Use Bayesian filter
Use RBL checks
Enabling All gives the best results but could be a performance bottleneck for
high volume sites. In this case use Commtouch (fast) only.
Use OCR
Use image recognition to detect spam messages inside images. OCR is
CPU intensive; please do not activate it if your server is already under heavy
load.
By default, all features are enabled except OCR.
Max Spam Size (bytes)
Specify the maximum size of a single email targeted for spam analysis. Emails bigger than this are not scanned for spam.
Bulk Message Score
Set the spam score for Commtouch Bulk Message detection (Default is 3).
Languages
Quarantine
Report style
Verbose
Verbose (Outlook 2007)
Short
Custom (see 13.3 Customized daily spam reports)
No reports
Backscatter
Theme
5.3.4
Virus detector
Proxmox Mail Gateway uses the following antivirus engines (dual scanning in all versions):
ClamAV
Review the database update server. Click update now and check the
output log file. The database will be regularly updated (several times a day);
you don't have to configure the update schedule.
CYREN
Avira SAV
Options
Review the settings for dealing with archives (e.g. zip files)
If you have no direct connection to the web for updates, you can configure
your proxy server to get antivirus database updates.
Max credit card numbers (new data loss prevention DLP)
Detect credit card numbers (a reasonable setting is 3, 0 means disabled). If
an email contains 3 credit card numbers it gets detected.
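The threshold semantics described above can be illustrated with a small detector. This is an added example and not the gateway's own detection code, which the guide does not document: it assumes candidates are 13 to 19 digits with optional space or hyphen grouping, validates them with the Luhn checksum, and counts distinct numbers; the sample mail uses well-known constructed test numbers.

```python
import re

# Candidate: 13-19 digits, optionally grouped with single spaces or hyphens,
# and not embedded in a longer digit/hyphen run.
CANDIDATE_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return the distinct Luhn-valid candidates in `text`, in order of appearance."""
    found = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if len(set(digits)) == 1:
            continue  # e.g. 0000000000000000 passes Luhn but is filler
        if luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found


def dlp_hit(text, max_cards=3):
    """Apply the setting described in the guide: 0 disables, N triggers at N numbers."""
    if max_cards == 0:
        return False
    return len(find_card_numbers(text)) >= max_cards


# Constructed sample mail body; the card numbers are public test numbers.
SAMPLE_MAIL = (
    "Hello, please charge the following cards:\n"
    "Visa: 4111 1111 1111 1111\n"
    "MasterCard: 5555-5555-5555-4444\n"
    "Amex: 378282246310005\n"
    "Order reference: 1234567890123456\n"   # 16 digits, fails the Luhn check
    "Padding: 0000000000000000\n"
)

if __name__ == "__main__":
    print(find_card_numbers(SAMPLE_MAIL))
    print("detected at threshold 3:", dlp_hit(SAMPLE_MAIL, 3))
```

The checksum step is what keeps order references and other long digit strings from counting towards the threshold.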
HTTP Proxy Settings
Configure an HTTP proxy for accessing the internet for signature updates
Quarantine
Lifetime (days)
Specify the lifetime of quarantined virus e-mails
Mail preview settings:
View images
Enable images in the preview (if you uncheck this, images are not
downloaded and displayed)
Allow HREFs
Enables links in the mail preview (disable to get a more secure preview)
5.3.5
User management
Local
LDAP
POP
5.3.6
Cluster
Status
5.3.7
License
5.4
Mail filter
The following default settings are available. You can add or edit custom settings by clicking on the
symbols.
Note:
5.4.1
Rules
The object-oriented rule system enables custom rules for your domains. It's an easy but very flexible
way to define filter rules by user, domains, time frame, content type and resulting action.
Who object
for TO and/or FROM Category
Example: Mail object Who is the sender or receiver of the e-mail?
When object
Example: When is the e-mail received by Proxmox Mail Gateway?
What object
Example: Does the e-mail contain spam?
Action object
Example: Mark e-mail with SPAM: in the subject.
Every rule has 5 categories (FROM, TO, WHEN, WHAT, ACTION) which can contain several objects.
For example, a virus protection rule looks like this:
FROM: Anybody
TO: Anybody
WHEN: Always
WHAT: Virus
ACTION: Block
Active Rules
Inactive Rules
Not active. New rules are always inactive, you have to set it active
manually by clicking the symbol
Priority
Direction
5.4.2
Actions
Accept
Accept mail for Delivery (Final action, no following rule will trigger)
Block
Quarantine
Notify Admin
Notify Sender
Remove all attachments
Remove attachments
Disclaimer
5.4.3
Who
Blacklist
Global Blacklist
Whitelist
Global Whitelist
User defined
5.4.4
What
Dangerous Content
Images
Multimedia
Office Files
Spam
Note:
Virus
Custom
You can define custom what objects by adding the following items:
Add Spam Filter
Specify a specific spam level
Add Virus Filter
Detect viruses
Add ContentType Filter
Match attachments (e.g. images, videos, ...)
Add Archive Filter
Match content types (attachments) in archive files (e.g. detect exe
files in zip archives)
Add Match Field
Match for mail header fields (e.g. Subject:, From:, ...)
Add Match Filename
Match filenames, e.g. *.exe, *.bat, ...
5.4.5
When
Office Hours
Note:
5.5
Administration
5.5.1
Server
Services
Updates
5.5.2
Statistic
These pages display statistical data concerning e-mail traffic on the Proxmox Mail Gateway.
5.5.3
Quarantine
Spam
Status
Displays statistical data about your quarantine
Archive
By specifying an e-mail address, you can access the quarantine section for this
user
Blacklist
View and edit personal blacklist
Whitelist
View and edit personal whitelist
Virus
Status
Displays statistical data about your quarantine
Archive
By specifying an e-mail address, you can access the quarantine section for this
user
5.5.4
Tracking center
Status description:
Status               Description
Accepted/delivered   Email arrived, filtered, and successfully delivered to email server
Accepted/deferred    Email arrived, filtered, but not delivered (still trying to deliver)
Accepted/bounced     Email arrived, filtered, but not accepted by your email server (e.g. user unknown)
Quarantine           Email arrived, filtered, and moved to Proxmox Quarantine
Blocked              Email arrived, but blocked by a filter rule.
Rejected             Email rejected on SMTP level (e.g. sender IP is listed on a CYREN blacklist)
Greylisted           Email greylisted on SMTP level
Queued/delivered     Internal Emails from Proxmox, successfully delivered to email server (e.g. Daily spam report, Notifications, Admin report, BCC emails, ...)
Queued/deferred      Internal Emails from Proxmox, not yet delivered
Queued/bounced       Internal Emails from Proxmox, but not accepted by the email server (e.g. user unknown)
5.5.4.2
Real-time
The real-time syslog shows the last 100 lines, the output can be filtered by selecting the log files from
a service or by entering an individual search string.
5.5.4.3
Greylist log
Displays the greylist log. For message tracking issues use the search function in the message tracking
center.
5.5.5
Queues
Mail
6.1
LDAP profiles are created on the Configuration/System/LDAP page. Please select Create new LDAP
profile on the menu:
6.2
LDAP queries
The object-oriented rule system enables LDAP based Who objects. There are two different kinds
of LDAP objects:
LDAP user
Can be used to test if an email address belongs to a specific LDAP user (One LDAP user can have
more than one email address).
LDAP group
Used to test if an email address belongs to a user in the specified group.
Both Objects refer to LDAP profiles. That way you can query individual servers.
The LDAP group object has 2 additional selections Existing Users and Unknown Users. Those
objects can be used to test if a user (e-mail address) exists or not.
6.3
Note:
7.1
The default configuration of the Proxmox Mail Gateway uses port 25 for incoming and port 26 for
outgoing e-mails.
With MS Exchange SMTP connectors you can't use port 26 for outgoing (as this conflicts with MS
Exchange internal replication mechanism) so you have to switch these two values (25 and 26). In the
end you have to use port 25 for outgoing and port 26 for incoming mails.
IMPORTANT NOTE:
To receive e-mails from the Internet you have to do port forwarding at your firewall, so that your
external IP and port 25 point to the Proxmox Mail Gateway IP and port 26.
Figure 7-2 MS Exchange 2003: SMTP Connector (Define smart host: Proxmox Mail Gateway)
7.2
Just add a default_transport entry to your Postfix main configuration file (usually /etc/postfix/main.cf).
For example, if your mail gateway uses address 1.2.3.4, add the line:
default_transport = smtp:1.2.3.4:26
8 Example rules
Proxmox uses a powerful rule system to handle e-mail traffic. The default setting is ready for use in
the first run.
Note:
Please refer to the Proxmox Mail Gateway Deployment Guide for sample rules.
;; ANSWER SECTION:
proxmox.com.            22879   IN      MX      10 mail.proxmox.com.
;; ADDITIONAL SECTION:
mail.proxmox.com.       22879   IN      A       213.129.239.114
Please notice that there is one single MX record for the Domain proxmox.com, pointing to
mail.proxmox.com. The dig command automatically puts out the corresponding address record if it
exists. In our case it points to 213.129.239.114. The priority of our MX record is set to 10 (preferred
default value).
9.1
Many people do not want to install two redundant mail proxies; instead they use the mail proxy of
their ISP as fall-back. This is simply done by adding an additional MX record with a lower priority
(higher number). With the example above this looks like this:
proxmox.com.            22879   IN      MX      100 mail.provider.tld.
Of course, your provider must accept mails for your domain and forward received mails to you.
You will never lose mails with such a setup, because the sending Mail Transport Agent (MTA) will
simply deliver the mail to the backup server (mail.provider.tld) if the primary server
(mail.proxmox.com) is not available.
9.2
Using your ISP's mail server is not always a good idea, because many ISPs do not use advanced spam
prevention techniques like Greylisting. It is often better to run a second server yourself to avoid lower
spam detection rates.
Anyway, it's quite simple to set up a high performance load balanced mail cluster using MX records.
You just need to define two MX records with the same priority. I will explain this using a complete
example to make it clearer.
First, you need to have at least 2 working Proxmox mail gateways (mail1.example.com and
mail2.example.com) set up as a cluster (see chapter 10 Proxmox Mail Gateway HA cluster), each having
its own IP address. Let us assume the following addresses (DNS address records):
mail1.example.com.      22879   IN      A       1.2.3.4
mail2.example.com.      22879   IN      A       1.2.3.5
Btw, it is always a good idea to add reverse lookup entries (PTR records) for those hosts. Many email
systems nowadays reject mails from hosts without valid PTR records.
                        22879   IN      MX      10 mail1.example.com.
                        22879   IN      MX      10 mail2.example.com.
This is all you need. You will receive mails on both hosts, more or less load-balanced using round-robin scheduling. If one host fails, the other is used.
9.3
Other ways
9.3.1
Multiple address records
Using several DNS MX records is sometimes clumsy if you have many domains. It is also possible to use
one MX record per domain, but multiple address records:
example.com.            22879   IN      MX      10 mail.example.com.
mail.example.com.       22879   IN      A       1.2.3.4
mail.example.com.       22879   IN      A       1.2.3.5
9.3.2
Using firewall features
Many firewalls can do some kind of RR-Scheduling (round-robin) when using DNAT. See your firewall
manual for more details.
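The three DNS setups from this chapter (backup MX at the ISP, two MX records with equal priority, one MX record with two address records) can be compared by modelling how a sending MTA picks its targets. This is an added example, not part of the Proxmox guide: it follows the usual SMTP rule of trying the lowest preference number first and randomising among equals, the address 192.0.2.25 for mail.provider.tld is a constructed placeholder, and `foreign_mx` is a hypothetical helper that lists the MX hosts you do not run yourself, which are the backup-MX servers the SMTP whitelist note asks you to add.

```python
import random

# Records from chapter 9; 192.0.2.25 is a constructed placeholder address.
A_RECORDS = {
    "mail.proxmox.com": ["213.129.239.114"],
    "mail.provider.tld": ["192.0.2.25"],
    "mail1.example.com": ["1.2.3.4"],
    "mail2.example.com": ["1.2.3.5"],
    "mail.example.com": ["1.2.3.4", "1.2.3.5"],
}
BACKUP_MX = [("proxmox.com", 10, "mail.proxmox.com"),
             ("proxmox.com", 100, "mail.provider.tld")]
EQUAL_MX = [("example.com", 10, "mail1.example.com"),
            ("example.com", 10, "mail2.example.com")]
MULTI_A_MX = [("example.com", 10, "mail.example.com")]


def delivery_order(domain, mx_records, a_records, rng=None):
    """Return [(preference, host, ip), ...] in the order a sender would try them."""
    rng = rng or random.Random()
    by_pref = {}
    for owner, pref, host in mx_records:
        if owner == domain:
            by_pref.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(by_pref):          # lower number = higher priority
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)                # equal preference: random pick
        for host in hosts:
            ips = list(a_records.get(host, []))
            rng.shuffle(ips)              # several A records: random pick
            order.extend((pref, host, ip) for ip in ips)
    return order


def first_reachable(order, down=frozenset()):
    """Return (host, ip) of the first target that is not in `down`, or None."""
    for _pref, host, ip in order:
        if ip not in down:
            return host, ip
    return None


def first_hop_share(domain, mx_records, a_records, trials=200):
    """Count which address is tried first over `trials` seeded runs."""
    share = {}
    for seed in range(trials):
        order = delivery_order(domain, mx_records, a_records, random.Random(seed))
        first_ip = order[0][2]
        share[first_ip] = share.get(first_ip, 0) + 1
    return share


def foreign_mx(domain, mx_records, own_hosts):
    """MX hosts for `domain` that are not your own gateways (e.g. the ISP backup)."""
    return [host for owner, _pref, host in mx_records
            if owner == domain and host not in own_hosts]


if __name__ == "__main__":
    print("backup MX  :", first_hop_share("proxmox.com", BACKUP_MX, A_RECORDS))
    print("equal MX   :", first_hop_share("example.com", EQUAL_MX, A_RECORDS))
    print("multiple A :", first_hop_share("example.com", MULTI_A_MX, A_RECORDS))
    order = delivery_order("proxmox.com", BACKUP_MX, A_RECORDS)
    print("primary down ->", first_reachable(order, down={"213.129.239.114"}))
    print("whitelist candidates:",
          foreign_mx("proxmox.com", BACKUP_MX, {"mail.proxmox.com"}))
```

With the backup-MX setup the ISP host only receives mail while the primary is unreachable, whereas the other two setups split first attempts across both gateways.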
We use a unique application level clustering scheme, which provides extremely good performance.
Special considerations were taken to make management as easy as possible. Complete Cluster
setup is done within minutes, and nodes automatically reintegrate after temporary failures without
any operator interaction.
10.1
Hardware requirements
There are no special hardware requirements, although it is highly recommended to use fast and
reliable servers with redundant disks on all cluster nodes (Hardware RAID with BBU and write cache
enabled).
The HA Cluster can also run in virtualized environments.
10.2
Required licenses
Each host in a Cluster needs its own Cluster Subscription License file. Please upload the license file
before adding a node to the cluster.
10.3
Load balancing
You can use one of the mechanisms described in chapter 9 if you want to distribute mail traffic among
the cluster nodes. Please note that this is not always required, because it is also reasonable to use
only one node to handle SMTP traffic. The second node is used as quarantine host (provide the web
interface to user quarantine).
10.4
Cluster administration
Cluster administration is done with a single command line utility called proxca, so you need to log in
via SSH to manage the cluster setup.
Note: Always set up the IP configuration before adding a node to the cluster. IP address, network
mask, gateway address and hostname can't be changed later.
10.4.1
Creating a cluster
You can create a cluster from any existing Proxmox host. All data is preserved.
10.4.2
Run: proxca -l
10.4.3
When you add a new node to a cluster (join) all data on that node is destroyed. The whole database
is initialized with cluster data from the master.
You need to enter the root password of the master host when asked for a password.
Attention:
Node initialization deletes all existing databases, stops and then restarts all services
accessing the database. So do not add nodes which are already active and receive mails.
Also, joining a cluster can take several minutes, because the new node needs to synchronize all data
from the master (although this is done in the background).
Note: If you join a new node, existing quarantined items from the other nodes are not
synchronized to the new node.
10.4.4
Deleting nodes
10.5
Disaster recovery
It is highly recommended to use redundant disks on all cluster nodes (RAID). So in almost all
circumstances you just need to replace the damaged hardware or disk. Proxmox Mail Gateway uses
an asynchronous clustering algorithm, so you just need to reboot the repaired node, and everything
will work again transparently.
The following scenarios only apply when you really lose the contents of the hard disk.
10.5.1
10.5.2
Master failure
10.5.3
proxca -m
proxca -s -h $MASTERIP
restore backup (Cluster and node information is not restored, you have to recreate master
and nodes)
tell it to become master:
proxca -c
add new nodes:
proxca -a -h $MASTERIP
11.1
Console login
Advanced users can use the console or SSH login. For normal operation, this is never necessary.
Default user: root
Default password: admin (the same as for the web interface!)
Note:
12 Table of figures
Figure 1-1 Processing of incoming e-mail traffic
Figure 3-1 Infrastructure without Proxmox Mail Gateway
Figure 3-2 Infrastructure with integrated Proxmox Mail Gateway
Figure 4-1 Selecting Software RAID during installation
Figure 5-1 Login page Proxmox Mail Gateway
Figure 5-2 Start page Proxmox Mail Gateway after log in
Figure 5-3 Preview of a quarantined Spam e-mail
Figure 5-4 Preview of a quarantined Spam e-mail with spam info
Figure 5-5 Preview of a quarantined Phishing e-mail
Figure 5-6 Message Tracking Center
Figure 5-7 Real time log
Figure 5-8 Display Mail Queue
Figure 6-1 LDAP Server settings: Create new LDAP Profile 1
Figure 6-2 LDAP Server settings: Create new LDAP Profile 2
Figure 6-3 LDAP Server settings: Three profiles configured
Figure 7-1 MS Exchange: Port settings for use with MS Exchange
Figure 7-2 MS Exchange 2003: SMTP Connector (Define smart host: Proxmox Mail Gateway)
Figure 7-3 MS Exchange 2003: SMTP connector Address space
Figure 10-1 Proxmox Mail Gateway HA Cluster
Figure 13-1 Configure scheduled backup Windows share
13 Appendix
13.1
It is possible to use macros inside most fields of action objects. That way you can access and
include data contained in the original mail, get the envelope sender and receiver addresses, or include
additional information about viruses and spam. Currently the following macros are defined:
Macro            Comment
__SENDER__       (envelope) sender mail address
__RECEIVERS__    (envelope) receiver mail address list
__ADMIN__        Email address of the administrator
__TARGETS__      Subset of receivers matched by the rule
__SUBJECT__      Subject of the message
__MSGID__        The message ID
__RULE__         Name of the matching rule
__RULE_INFO__    Additional information about the matching rule
__VIRUS_INFO__   Additional information about detected viruses
__SPAMLEVEL__    Computed spam level
__SPAM_INFO__    Additional information why message is spam
__SENDER_IP__    IP address of sending host
__VERSION__      The current software version (proxmox mail gateway)
__FILENAME__     Attachment file name
__SPAMSTARS__    A series of "*" characters where each one represents a full score (__SPAMLEVEL__) point
A simple example is the Modify Spam Subject action, which adds SPAM: to the original message
subject. To achieve this, just use SPAM: __SUBJECT__ as the value for that action object.
13.2
This is only for advanced users. To add to or change the configuration of the Proxmox SpamAssassin,
log in to the console via SSH and go to /etc/mail/spamassassin/. This directory contains two files
(init.pre, local.cf); do not change them. To add your own configuration, create a new file
in this directory and name it custom.cf. You can then add your configuration to custom.cf; be sure
to use the SpamAssassin syntax. For more information see http://spamassassin.apache.org/
The custom.cf file is also synchronized in a HA Cluster environment.
13.3
It is possible to customize the daily spam reports. The report generator uses a simple HTML template
file which may contain macros. To activate customized reports, you need to create such a template
file and copy it to /etc/proxmox/spamreport.tmpl. Two examples can be found in
/var/lib/proxmox/templates/spamreport-verbose.tmpl
and
/var/lib/proxmox/templates/spamreport-short.tmpl
Those templates are actually used to generate the default spam reports. You also need to select the
Custom report style on the web interface to use the custom template
(Configuration/Spam/Quarantine/ReportStyle).
The following macros are currently defined:
Macro             global   Comment
__SENDER__        No       (envelope) sender mail address
__RECEIVER__      No       (envelope) receiver mail address
__SUBJECT__       No       subject of the message
__FROM__          No       from field
__DATE__          Yes      message arrival date or report date
__TIME__          No       message arrival time
__TICKET__        Yes      authorization ticket
__BYTES__         No       message size
__SPAMLEVEL__     No       spam level of message
__SPAMINFO__      No       additional information about why it is spam
__PMAIL__         Yes      primary mail address of receiver
__HREF__          No       href to view message
__WLHREF__        No       href to whitelist sender
__BLHREF__        No       href to blacklist sender
__DELETEHREF__    No       href to delete message
__DELIVERHREF__   No       href to deliver message
__PROTOCOL__      Yes      selected protocol (http or https)
__FQDN__          Yes      fully qualified domain name of quarantine host
__HOSTNAME__      Yes      quarantine host hostname
__DOMAIN__        Yes      quarantine host domain
__ACTIONHREF__    Yes      href to perform various actions
__MAILCOUNT__     Yes      number of mails
__MSG_XXXX__      Yes      Standard messages used by standard reports (translated to various languages)
A detailed report usually displays information about each mail. Inside the template, everything
between <!--start entry--> and <!--end entry--> is repeated for every mail. Most macros
are only defined between those markers. Only the global macros are available outside them.
Note: A template has to be correct HTML. You can use any HTML editor for easy and fast editing.
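A check you can run on a custom template before copying it to /etc/proxmox/spamreport.tmpl, as an added example that is not part of the Proxmox software: it flags macros that the table above lists as non-global when they appear outside the entry markers, and names that are not in the table at all (for example __SPAM_INFO__, which is an action object macro, not a report macro). The function name, the problem codes and the sample template are constructed for this example, and treating every __MSG_...__ name as global is an assumption based on the __MSG_XXXX__ row.

```python
import re

# "global" column = Yes in the report macro table above: usable anywhere in the template.
GLOBAL = {"__DATE__", "__TICKET__", "__PMAIL__", "__PROTOCOL__", "__FQDN__",
          "__HOSTNAME__", "__DOMAIN__", "__ACTIONHREF__", "__MAILCOUNT__"}
# "global" column = No: only defined between the entry markers.
PER_MAIL = {"__SENDER__", "__RECEIVER__", "__SUBJECT__", "__FROM__", "__TIME__",
            "__BYTES__", "__SPAMLEVEL__", "__SPAMINFO__", "__HREF__", "__WLHREF__",
            "__BLHREF__", "__DELETEHREF__", "__DELIVERHREF__"}
START, END = "<!--start entry-->", "<!--end entry-->"
TOKEN = re.compile(re.escape(START) + "|" + re.escape(END)
                   + r"|__[A-Z0-9]+(?:_[A-Z0-9]+)*__")

def lint_template(text):
    """Return [(line_no, token, problem)] for a custom spam report template."""
    problems, inside = [], False
    for no, line in enumerate(text.splitlines(), 1):
        for tok in TOKEN.findall(line):           # left to right within the line
            if tok in (START, END):
                if (tok == START) == inside:      # start inside a block, or end outside one
                    problems.append((no, tok, "marker-order"))
                inside = tok == START
            elif tok in GLOBAL or tok.startswith("__MSG_"):
                continue                          # assumption: every __MSG_...__ name is global
            elif tok in PER_MAIL:
                if not inside:
                    problems.append((no, tok, "outside-entry"))
            else:
                problems.append((no, tok, "unknown-macro"))
    if inside:
        problems.append((len(text.splitlines()), START, "unclosed-entry"))
    return problems

# Constructed sample template with two deliberate mistakes (lines 3 and 7).
SAMPLE = """<html><body>
<h1>__MSG_XXXX__ __DATE__ (__MAILCOUNT__)</h1>
<p>Latest: __SUBJECT__</p>
<table>
<!--start entry-->
<tr><td>__FROM__</td><td><a href="__HREF__">__SUBJECT__</a></td>
<td>__SPAMLEVEL__ __SPAM_INFO__</td><td><a href="__DELIVERHREF__">deliver</a></td></tr>
<!--end entry-->
</table><p>__PROTOCOL__://__FQDN__</p>
</body></html>"""

if __name__ == "__main__":
    for no, tok, problem in lint_template(SAMPLE):
        print(f"line {no}: {tok}: {problem}")
```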
13.4
A regular expression is a string of characters that describes the strings you are looking for. The
following is a short introduction to the syntax of regular expressions as used when editing Who Objects. If
you are familiar with Perl, you already know the syntax.
13.4.1
In its simplest form, a regular expression is just a word or phrase to search for.
Mail would match the string Mail. The search is case sensitive, so MAIL and mail would
not be matched.
13.4.2 Metacharacters
Some characters have a special meaning. These characters are called metacharacters.
The period (.) is a commonly used metacharacter. It matches exactly one character, regardless of
what the character is.
e.mail would match either e-mail or e2mail, but not e-some-mail.
The question mark (?) indicates that the character immediately preceding it occurs either zero times or one
time.
e?mail would match either email or mail, but not e-mail.
Another metacharacter is the star (*). This indicates that the character immediately to its left may
be repeated any number of times, including zero.
e*mail would match either email or mail or eeemail.
The plus (+) metacharacter does the same as the star (*), excluding zero.
So e+mail does not match mail.
Metacharacters may be combined. A common combination includes the period and star
metacharacters, with the star immediately following the period. This is used to match an arbitrary
string of any length, including the null string. For example:
.*company.* matches company@domain.com or company@domain.co.uk or
department.company@domain.com.
For more information take a look at the references.
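The examples above, checked in code as an added illustration that is not part of the original guide. It uses Python's re module, whose syntax for these constructs is the same as Perl's, and assumes that a pattern has to cover the whole address, which is what the "but not" examples above imply; the helper names and the address user@domainXcom are constructed. It also shows why a period meant literally in a domain name should be escaped.

```python
import re

# (pattern, strings the guide says match, strings it says do not match)
CASES = [
    ("Mail", ["Mail"], ["MAIL", "mail"]),
    ("e.mail", ["e-mail", "e2mail"], ["e-some-mail"]),
    ("e?mail", ["email", "mail"], ["e-mail"]),
    ("e*mail", ["email", "mail", "eeemail"], []),
    ("e+mail", ["email"], ["mail"]),
    (".*company.*", ["company@domain.com", "company@domain.co.uk",
                     "department.company@domain.com"], []),
]

def whole(rx, text):
    """Anchored: the pattern has to cover the complete string."""
    return rx.fullmatch(text) is not None

def anywhere(rx, text):
    """Unanchored: a match on any substring counts."""
    return rx.search(text) is not None

def disagreements(matcher):
    """Return the (pattern, text) pairs where `matcher` contradicts the guide."""
    wrong = []
    for pattern, yes, no in CASES:
        rx = re.compile(pattern)
        wrong += [(pattern, t) for t in yes if not matcher(rx, t)]
        wrong += [(pattern, t) for t in no if matcher(rx, t)]
    return wrong

def domain_pattern(domain):
    """Pattern for every address at `domain`, with the dots taken literally."""
    return ".*@" + re.escape(domain)

if __name__ == "__main__":
    print("anchored:  ", disagreements(whole))
    print("unanchored:", disagreements(anywhere))
    loose = re.compile(".*@domain.com")          # unescaped dot matches any character
    strict = re.compile(domain_pattern("domain.com"))
    for addr in ["user@domain.com", "user@domainXcom"]:   # constructed addresses
        print(addr, whole(loose, addr), whole(strict, addr))
```

With whole-string matching every example behaves as described; with substring matching, e.mail and e?mail would also accept e-some-mail and e-mail.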
13.4.3 References
13.5
Software RAID is managed on the console with the Unix command mdadm. Please see the manual
pages for more information (man mdadm).
To view the RAID status use:
cat /proc/mdstat
And
update-grub
grub-install /dev/sda
grub-install /dev/sdb
13.6 Backup considerations
13.6.1 Scheduled backup
Scheduled backups can be configured to store the backup data on an FTP host or Windows share. Old
backup files can be deleted automatically.
The following data will be stored via scheduled backups:
System configuration
Rule configuration
Statistic database
License
Log files and quarantined emails are never in the backup. A backup can only be restored to an identical
version of Proxmox.
13.6.2
You can use the command line utility proxbackup to back up the whole database, including statistical
data:
proxbackup -s full-backup.tgz
Please see the manual page for more information (man proxbackup).
13.6.3
In order to restore system configuration, rules database and statistical data you need to restore on
the console.
proxbackup -c d -s -r full-backup.tgz
13.7
an additional virus scanner. Please check
13.8 SSL certificate
Access to the administration web interface is always done via https. The default certificate is never
valid for your browser, so you always get warnings. You can safely ignore these warnings.
If you want to get rid of these warnings, you have to generate a valid certificate for your server.
Login to your Proxmox via ssh or use the console:
After you have finished this certificate request, you have to send the file req.pem to your CA (Certification
Authority). The CA will issue the certificate (BASE64 encoded) based on your request. Save this file as
cert.pem on your Proxmox.
/etc/init.d/apache2 restart
Note: To transfer files from and to your Proxmox, you can use secure copy. If your desktop is Linux,
you can use scp; if your desktop PC is Windows, please use an scp client like WinSCP (see
http://winscp.net/).
13.9
Nmap is designed to allow system administrators to scan large networks to determine which hosts
are up and what services they are offering. You can use nmap to test your firewall settings, for example
to see if the required ports are open.
Test Razor port (tcp port 2703):
nmap -P0 -sS -p 2703 c301.cloudmark.com
Starting Nmap 5.00 ( http://nmap.org ) at 2012-07-31 11:10 CEST
Interesting ports on c301.cloudmark.com (208.83.137.114):
PORT     STATE SERVICE
2703/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
See the manual page (man nmap) for more information about nmap.
Using USB sticks is faster and more environmentally friendly and therefore the recommended way to
install Proxmox Mail Gateway.
In order to boot the installation media, you need to copy the ISO image to your USB media. You need
at least a 1024 MB USB stick.
Be sure to replace /dev/XYZ with the correct device name (be careful, and do not overwrite your hard
disk!)
- End of document -