About Proxmox Mail Gateway

This article has been revised (thanks to Robert Schuster for the correction).

Proxmox Mail Gateway 5.0 was released a long time ago. It has a lot of features for securing your email server against spam attacks. They made revolutionary changes in the latest version, and it amazed me.

For more information about Proxmox Mail Gateway 5.0, please see the docs.

One of the best features, I guess, is receiver verification: PMG has receiver verification at the SMTP level and also receiver verification using an LDAP connection.

A lot of spam is addressed to non-existent users, and PMG can protect your email server from this problem. PMG will synchronize users from your mail server's LDAP or Active Directory. This works if your email server uses LDAP or AD to store its user data. For example, I use Zimbra Mail Server, which has LDAP services, and synchronize it with PMG.

Before you go to the configuration steps, make sure:

  1. You have configured your email server MX route to Proxmox Mail Gateway.
  2. You have configured your email route from Proxmox Mail Gateway to your email servers.
  3. Your incoming traffic for port 25 has been configured correctly. 
  4. And…Don’t forget to take a cup of coffee.

Let’s Configure it ..!

In this case, I have a Zimbra Mail Server and a Proxmox Mail Gateway with the following addresses:

  1. Proxmox Mail Gateway : 192.168.88.122
  2. Zimbra Mail Server : 192.168.88.121

Create LDAP Configuration

First, we have to set up an LDAP connection from PMG to Zimbra. Make sure the two hosts can connect to each other.

To add the LDAP configuration on PMG, follow these steps:

  • Go to PMG web administration, https://yourpmgip:8006 
  • In the Configuration menu, click User Management | LDAP
  • Add your LDAP configuration; below is an example configuration:
Example LDAP Configuration

Notes

  • Profile Name: Your LDAP profile name. Name it as you wish, but don’t use symbols or special characters.
  • Protocol: LDAP. Leave it as the default. If your LDAP server uses TLS connections, you can change it to the LDAPS protocol.
  • Server: Your LDAP/Zimbra IP address.
  • Port: 389 for LDAP, 636 for LDAPS.
  • Username: You can use one of your email server users. Enter it in LDAP format, such as: “uid=yourldapuser,ou=people,dc=dhenandi,dc=web,dc=id”.
  • Password: Your LDAP user's password.

Then save your configuration, and PMG will synchronize the LDAP users! Yay.

List of LDAP Users

Configure the Rules!

It’s not over yet. Next, we have to configure a rule in order to activate LDAP verification on PMG.

  • Go to the Mail Filter menu, choose Who Objects, and create a new rule.
  • Then fill it with unknown LDAP Groups. This means the Who object defines users who are not included in your LDAP.
  • You can choose Unknown LDAP Address to define it per LDAP profile, or choose “Unknown LDAP Address, any profile” to cover all profiles if you have multiple LDAP profiles. In this case, I will define only one LDAP profile (ldapmail).
  • Next, I will send a bounce-back notification to the sender saying that the destination does not exist. To configure it, go to the Mail Filter menu, choose Action Objects, and add a Notification. Below is an example of a bounce message.
Example for bounce message

Notes

  • Name: Bounce Back Unknown Recipient
  • Descriptions: This rule contains email for user who sends an email to an unknown recipient 
  • Receiver: __SENDER__ (this means a notification email will be sent to the sender)
  • Subject: Fill it in as you wish. For example: “Notification [Bounce Back] : __SUBJECT__”
  • Body: Your email content, for example:
This is the mail system at host asav.dhenandi.web.id.
I'm sorry to have to inform you that your message could not be delivered, because: <__TARGETS__> didn't listed in our email servers.
So, please check whether the email address you typed is correct.

For more variables, please see the PMG docs.

  • Then, to activate the object-oriented rules that you have configured, go to the Mail Filter menu and add a rule like this.
Create a Rule
  • Configure the rule according to your objects. You can click the + symbol to add them to your rule. Give it the Block action to discard the message.
  • Finally, you have configured it! Yeay

One last thing: PMG synchronizes LDAP every 10 minutes. So a new user added on your email server is not synced immediately; it takes some time.

However, you can sync LDAP every minute to speed up synchronization using crontab.

Go to the PMG console (via SSH, or via Administration | Console in the PMG web administration) and add a cron job like this.

# crontab -e 
* * * * * pmgconfig ldapsync >/dev/null 2>&1
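
The rule built above and the sync delay just described, as an added example (a simplified model written for this page, not PMG's own code). It shows why the direction of the Who object matters, which the comments below identify as the setting that decided whether the rule worked, and what happens to a mailbox created between two syncs. All addresses are constructed, and case-insensitive matching is an assumption of the model.

```python
# Simplified model of the "Unknown LDAP address" rule; not PMG's implementation.
# All addresses and the directory snapshots below are constructed sample data.
from dataclasses import dataclass


@dataclass
class Message:
    sender: str
    recipients: list


class LdapSnapshot:
    """Addresses the gateway learned at its last LDAP sync."""

    def __init__(self, addresses):
        # Assumption of this model: addresses are compared case-insensitively.
        self.known = {a.lower() for a in addresses}

    def is_unknown(self, address):
        return address.lower() not in self.known


def evaluate(msg, snapshot, direction="to"):
    """Apply the Who object to the recipient ("to") or the sender ("from").

    Returns {recipient: (action, notify_address_or_None)}.
    """
    result = {}
    for rcpt in msg.recipients:
        checked = rcpt if direction == "to" else msg.sender
        if snapshot.is_unknown(checked):
            # Block action plus the notification addressed to __SENDER__
            result[rcpt] = ("block", msg.sender)
        else:
            result[rcpt] = ("deliver", None)
    return result


# Directory as of the last sync; carol was created on the mail server afterwards.
synced = LdapSnapshot(["alice@example.org", "bob@example.org"])
after_next_sync = LdapSnapshot(synced.known | {"carol@example.org"})

inbound = Message("partner@external.example",
                  ["Alice@example.org", "nobody@example.org", "carol@example.org"])

if __name__ == "__main__":
    for label, snap, direction in [("To, before sync", synced, "to"),
                                   ("To, after sync", after_next_sync, "to"),
                                   ("From", synced, "from")]:
        print(label, evaluate(inbound, snap, direction))
```

With the object on "From", every external sender counts as unknown and all inbound mail is blocked; with it on "To", only recipients missing from the last sync are blocked, which includes a brand-new mailbox until the next sync runs.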

Gotcha! Now test your configuration by sending an email to a user that does not exist on the email server.

Test to Unknown Users

Your email will be rejected by PMG because of the rule you created, and the sender will get a bounce notification.

Bounce Back Notification

Voilà… You did it!

Note: You may need to fix the sender of the notifications so that it uses your domain (postmaster@yourdomain.com) instead of your hostname (postmaster@hostname.yourdomain.com). See the sender in the picture above. I have a solution for you… just give me some time to write it 😀

Update: I have written about the above problem in my next article. Read: Change Postmaster Address to Domain on Proxmox Mail Gateway.

Last…

Interested in using a Proxmox Mail Gateway Support & Subscription license?

Don’t hesitate to contact sales@excellent.co.id. Our sales team will give you the best price and the best service!


Dhenandi Putra

Hi, I'm dhenandi, Mac and openSUSE user. An office boy, typist, and man behind this blog. I also write on another blog https://dhenandi.web.id/ in Bahasa Indonesia.

14 Comments

Robert Schuster · October 10, 2018 at 3:53 pm

Hi Dhenandi,

great tutorial – unfortunately it doesn’t work in my case.
Even if I can see all my LDAP users and all the email addresses and I’ve configured the rule set following your thoughts, nothing happens.
Email with wrong (not existing) addresses gets forwarded to the final mailbox server, which then bounces it back.
No notification (like configured) is sent out.
Any ideas – even ways to debug?

kind regards
Robert

    Dhenandi Putra · October 10, 2018 at 4:36 pm

    Hi Robert,

    Thanks for your feedback! Sorry to hear that.

    I’ve tried it twice before I published the guide. But now, let’s start debugging:

    1. First, can I see your Who Object configuration?
    2. Can I see your Action Object configuration?
    3. And your Mail Filter configuration

    If you don’t mind, please send an email to m@dhenandi.com. Thank you!

Robert Schuster · October 10, 2018 at 6:50 pm

Hi Dhenandi,

first of all – my installation seems to be a bit broken :-( I’ve played a lot with the configuration templates and maybe I’ve destroyed something.
But after doing a second install and switching some domains to the server, I had the situation that all mail to existing users got rejected.
So – is it possible you have a little mistake in your last screenshot (PMG rules)?
I’ve changed the object “NOT LDAP User” from “From” to “To” (which makes sense to me) and now it works like a charm.

regards
Robert

    Dhenandi Putra · October 10, 2018 at 10:19 pm

    Hi Robert,

    Thanks for the correction!

    Aha, nice to hear that. I think I took the wrong screenshot for my guide.

    Sorry for confusing you. I’ll revise it.

    Thanks! Good luck to you.

Alexandru · February 10, 2019 at 10:20 am

I think I am not able to install

    Dhenandi Putra · October 10, 2019 at 8:19 am

    Tell me the problem, what do you mean you can’t install?

Nikolay · September 26, 2019 at 7:46 pm

How can I filter disabled AD accounts (with e-mail) in LDAP profile?

LIju K Oommen · November 6, 2019 at 6:17 pm

Hi, Dhenandi..

I have a Zimbra email server with 20 domains and 350 users in it.

Then how should I get an expression like the one below, as I have a lot of domains? Where will I get that information from?

uid=yourldapuser,ou=people,dc=dhenandi,dc=web,dc=id

Regards,
Liju.

oktay · December 21, 2019 at 7:52 am

all good. except proxmox staff says SMTP VRFY (which is available already) is more efficient and basically does the same thing but via SMTP. You’d have the internal mail server check the users like you’re checking them here.

    Dhenandi Putra · January 23, 2020 at 1:31 pm

    Hi Oktay,

    Yes, I had already asked about it before I created this tutorial.

    The problem with SMTP verify is about accuracy. Some of the invalid users still come to the internal mail server. Then, if the internal mail server has a recipient check, it will reject them. But if not, the internal mail server will process them and will send a bounce message.

    The purpose of this tutorial is to maximize Proxmox as a gateway for incoming mail. So the mail server's SMTP is not involved in checking whether the sender is valid or not. This is Proxmox's job.

    But it’s a choice. You can use it or something like this.

Urbaniak · April 19, 2021 at 7:45 pm

hi Dhenandi,

I have configured several accepted domains on my exchange server.
I have set up several email addresses for each user. Will the emails be delivered or is only the primary email address allowed?

cyprian

Sergey · January 18, 2022 at 3:35 pm

The article does not contain all the pictures with the settings

    Dhenandi Putra · April 5, 2022 at 6:22 am

    Hi, sorry. I just opened my blog. Could you tell me where your problem is?
