Reduce Spam Email Using LDAP Verification on Proxmox Mail Gateway

About Proxmox Mail Gateway

Proxmox Mail Gateway 5.0 was released a long time ago. It has a lot of features for securing your email server against spam attacks. They made big changes in the latest version, and it amazed me.

For more information about Proxmox Mail Gateway 5.0, please see the docs.

One of the best features, I think, is receiver verification. PMG supports it at the SMTP level and also through an LDAP connection.

A lot of spam is sent to non-existent users, and PMG can protect your email server from this problem. PMG synchronizes users from your mail server's LDAP or Active Directory, so this works if your email server stores its user data in LDAP or AD. For example, I use Zimbra Mail Server, which has an LDAP service, and synchronize it with PMG.

Before you go to configuration steps, make sure: 

  1. You have configured your email server MX route to Proxmox Mail Gateway.
  2. You have configured your email route from Proxmox Mail Gateway to your email servers.
  3. Your incoming traffic for port 25 has been configured correctly. 
  4. And…Don’t forget to take a cup of coffee.

Let’s Configure it ..!

In this case, I have a Zimbra Mail Server and a Proxmox Mail Gateway with the addresses below:

  1. Proxmox Mail Gateway : 192.168.88.122
  2. Zimbra Mail Server : 192.168.88.121

Create LDAP Configuration

First, we have to set up the LDAP connection from PMG to Zimbra. Make sure the two hosts can connect to each other.

To add the LDAP configuration on PMG, follow these steps:

  • Go to the PMG web administration, https://yourpmgip:8006
  • On the Configuration menu, click User Management | LDAP
  • Add your LDAP configuration. Below is an example configuration:
Example LDAP Configuration

Notes

  • Profile Name: Your LDAP profile name. Name it as you wish, but don't use symbols or special characters.
  • Protocol: LDAP. Leave it as the default. If your LDAP server uses TLS connections, you can change it to the LDAPS protocol.
  • Server: Your LDAP/Zimbra IP address.
  • Port: 389 for LDAP, 636 for LDAPS.
  • Username: You can use one of your email server users. Enter it in LDAP format, such as: "uid=yourldapuser,ou=people,dc=dhenandi,dc=web,dc=id".
  • Password: Your LDAP user password.

Then save your configuration, and LDAP will synchronize. Yay.

List of LDAP Users

Configure the Rules!

It's not over. In the next step, we have to configure a rule in order to activate LDAP verification on PMG.

  • Go to the Mail Filter menu | choose Who Objects | and create a new rule.
  • Then fill it with unknown LDAP Groups. This means the Who object defines users who are not included in your LDAP.
  • You can choose "Unknown LDAP Address" to define it per LDAP profile, or choose "Unknown LDAP Address, any profile" to cover all profiles if you have multiple LDAP profiles. In this case, I will define only one LDAP profile (ldapmail).
  • Next, I will send a bounce-back notification to the sender saying that their destination does not exist. To configure it, go to the Mail Filter menu | choose Action Objects and add a Notification. Below is an example of a bounce message.
Example for bounce message

Notes

  • Name: Bounce Back Unknown Recipient
  • Description: This rule contains email for users who send an email to an unknown recipient
  • Receiver: __SENDER__ (this means a notification email will be sent to the sender)
  • Subject: Fill it in as you wish. For example: "Notification [Bounce Back] : __SUBJECT__"
  • Body: Your email content, for example:
This is the mail system at host asav.dhenandi.web.id.
I'm sorry to have to inform you that your message could not be delivered, because: <__RECEIVERS__> didn't listed in our email servers.
So, please check whether the email address you typed is correct.

For more variables, please see the PMG docs.

  • Then, to activate the objects that you have configured, go to the Mail Filter menu and add a rule like this.
Create a Rule
  • Configure the rule according to your objects. You can click the + symbol to add them to your rule. Give it the Block action to discard the message.
PMG Rules
  • Finally, you have configured it! Yeay

One last thing: PMG synchronizes LDAP every 10 minutes. So when you add a new user on your email server, it is not synced immediately; it takes some time.

But you can speed up synchronization using crontab, for example by syncing LDAP every minute.

Go to the PMG CLI/console (you can use SSH, or Administration | Console in the PMG web administration) and add a cron job like this.

# crontab -e 
* * * * * pmgconfig ldapsync >/dev/null 2>&1
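
A wrapper for that per-minute cron job, as an added example that is not part of the original article or of PMG: it skips a run while the previous sync is still going and writes failures to syslog instead of discarding them. The script path, lock directory, stale-lock age and syslog tag are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the article. Assumed crontab entry (hypothetical path):
#   * * * * * /usr/local/sbin/pmg-ldapsync-cron --run
# SYNC_CMD defaults to the command used in the article; LOCK_DIR, STALE_MIN
# and LOG_TAG are values chosen for this example.
SYNC_CMD=${SYNC_CMD:-"pmgconfig ldapsync"}
LOCK_DIR=${LOCK_DIR:-/run/pmg-ldapsync.lock}
STALE_MIN=${STALE_MIN:-30}
LOG_TAG=${LOG_TAG:-pmg-ldapsync-cron}

# Runs one sync. Return codes: 0 = synced, 1 = sync command failed,
# 2 = skipped because another run still holds the lock.
run_ldapsync() {
    # A lock older than STALE_MIN minutes is treated as left over from a
    # killed run and removed, so the sync cannot stay blocked forever.
    if [ -n "$(find "$LOCK_DIR" -maxdepth 0 -mmin +"$STALE_MIN" 2>/dev/null)" ]; then
        rmdir "$LOCK_DIR" 2>/dev/null || true
    fi
    # mkdir either creates the directory or fails, atomically, so two cron
    # invocations can never both believe they own the lock.
    if ! mkdir "$LOCK_DIR" 2>/dev/null; then
        logger -t "$LOG_TAG" "previous sync still running, skipping" 2>/dev/null || true
        return 2
    fi
    sync_rc=0
    # Capture stderr instead of sending it to /dev/null: a failed bind or an
    # unreachable LDAP server should leave a trace.
    sync_out=$($SYNC_CMD 2>&1) || sync_rc=1
    rmdir "$LOCK_DIR"
    if [ "$sync_rc" -ne 0 ]; then
        logger -t "$LOG_TAG" "ldapsync failed: $sync_out" 2>/dev/null || true
    fi
    return "$sync_rc"
}

# Only run when called with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    run_ldapsync
    exit $?
fi
```

A failed sync matters here because the rule bounces every address that is missing from the synced list, so a stale list means new mailboxes keep getting bounced until the next successful sync.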

Gotcha! Now test your configuration by sending an email to a user that does not exist on the email server.

Test to Unknown Users

Your email will be rejected by PMG because of the rule that you created, and PMG will send a bounce notification.

Bounce Back Notification

Voillaa…You did it!

Note: You may need to fix the sender of the notifications so that it uses your domain (postmaster@yourdomain.com) rather than your hostname (postmaster@hostname.yourdomain.com). See the sender in the picture above. I have a solution for you… Just give me some time to write it 😀

Update: I have written about the above problem in my next article. Read: Change Postmaster Address to Domain on Proxmox Mail Gateway.

5 thoughts on "Reduce Spam Email Using LDAP Verification on Proxmox Mail Gateway"

  1. Hi Dhenandi,

    great tutorial – unfortunately it doesn't work in my case.
    Even if I can see all my LDAP users and all the email addresses and I've configured the rule set following your thoughts, nothing happens.
    Email with wrong (not existing) addresses gets forwarded to the final mailbox server, which then bounces them back.
    No notification (like configured) is sent out.
    Any ideas – even ways to debug?

    kind regards
    Robert

    1. Hi Robert,

      Thanks for your feedback! Sorry to hear that.

      I tried it twice before I published the guide. But now, let's start debugging:

      1. First, can I see your Who Object configuration?
      2. Can I see your Action Object configuration?
      3. And your Mail Filter configuration

      If you don't mind, please send an email to m@dhenandi.com. Thank you!

  2. Hi Dhenandi,

    first of all – my installation seems to be a bit broken :-( I've played a lot with the configuration templates and maybe I've destroyed something.
    But after doing a second install and switching some domains to the server, I had the situation that all mail to existing users got rejected.
    So – is it possible you have a little mistake in your last screenshot (PMG rules)?
    I've changed the object "NOT LDAP User" from "From" to "To" (which makes sense to me) and now it works like a charm.

    regards
    Robert
