Proxmox Mail Gateway: Deployment Guide

Proxmox Mail Gateway
Deployment Guide
5/21/2010
MailGatewayDeploymentGuide-V1.8.docx
Proxmox Server Solutions GmbH
Kohlgasse 51/10  A-1050 Vienna  office@proxmox.com  www.proxmox.com
Proxmox Server Solutions GmbH reserves the right to make changes to this document
and to the products described herein without notice. Before installing and using the
software, please review the latest version of this document, which is available from
http://www.proxmox.com.
NOTE: A license to the Proxmox Software usually includes the right to product updates
for one (1) year from the date of purchase. Maintenance can be renewed on an annual
basis.
All other product or company names different from Proxmox may be trademarks or
registered trademarks of their owners.
Copyright © 2010 Proxmox Server Solutions GmbH. All rights reserved. No part of this
publication may be reproduced, photocopied, stored in a retrieval system, or transmitted
without the express prior written consent of Proxmox.
© 21.05.2010 Proxmox Server Solutions GmbH 2  49

Table of Contents
1 Introduction .................................................................................................... 5
2 Proxmox Mail Gateway Integration ..................................................................... 6
2.1 E-mail system without Proxmox ................................................................... 6
2.2 E-mail system with Proxmox ........................................................................ 6
2.3 Proxmox in the Intranet .............................................................................. 8
2.3.1 Default port settings ............................................................................ 8
2.3.2 Alternative port settings (e.g. for MS Exchange) ..................................... 8
2.4 Proxmox in DMZ (demilitarized zone) ...........................................................10
2.5 Proxmox with multiple e-mail server and mail domains ..................................11
3 Performance Tuning ........................................................................................12
3.1 Hardware benchmarks ...............................................................................12
3.2 Backup MX ...............................................................................................12
3.3 Local DNS cache........................................................................................12
3.4 Blocking Emails on SMTP level ....................................................................13
3.4.1 Greylisting.........................................................................................13
3.4.2 Sender Policy Framework – SPF ...........................................................14
3.4.3 Real time Blacklists (RBL)....................................................................14
3.4.4 Local DNS RBL cache – Spamhaus Datafeed Service ...............................15
3.4.4.1 Configuring local DNS blacklist caches ............................................15
3.4.5 Receiver Verification ...........................................................................16
3.4.5.1 Proxmox Solutions .......................................................................16
3.4.5.2 Enabling Verify Receivers ..............................................................17
3.4.5.2.1 Settings for Exchange 2003 SP2 ..................................................18
3.4.5.2.2 Settings for Exchange 2007 SP1 ..................................................21
4 Rule System ...................................................................................................22
4.1 Default Rules ............................................................................................24
4.1.1 Block Viruses .....................................................................................24
4.1.2 Virus Alert .........................................................................................24
4.1.3 Block Dangerous Files .........................................................................25
4.1.4 Mark Spam ........................................................................................25
4.2 Custom Rules............................................................................................26
4.2.1 Enable Spam and Virus quarantine .......................................................26
4.2.2 Enable Spam quarantine for just a selection of users ..............................26
4.2.3 Enable Spam quarantine for existing LDAP users ....................................27
4.2.4 Block Spam e-mails with a score higher 10 ............................................29
4.2.5 BCC object – An simple archive solution ................................................33
4.2.6 Block Video and Audio Attachments ......................................................33
4.2.7 Add Admin Notification to Rules ...........................................................34
4.2.8 Preventing directory harvesting attacks with LDAP object ........................34
4.2.9 Block Video and Audio Attachments for LDAP Groups ..............................35
5 Proxmox HA Cluster – High availability ..............................................................37
5.1 Load Balancing with MX Records..................................................................38
5.2 Multiple Address Records ............................................................................39
5.3 Using third party Firewall features ...............................................................39
6 Hardware selection and Virtualization ................................................................40
6.1 Physical Hardware .....................................................................................40
6.1.1 Certified Hardware .............................................................................40
6.2 Proxmox VE (http://pve.proxmox.com) ........................................................40
6.3 VMware™ .................................................................................................40
6.3.1 Settings for VMware™ ESX, ESXi and vSphere .......................................41
6.3.1.1 Settings for the Proxmox Mail Gateway Virtual Machine ....................41
6.3.1.1.1 RAM settings .............................................................................41
6.3.1.1.2 VMware Tools............................................................................41
6.3.1.1.3 Enable VMI Paravirtualization ......................................................41
6.3.1.1.4 Enable time synchronization .......................................................42
6.3.2 Settings for a VMware™ Server 2 .........................................................42

6.3.2.1 Host memory settings...................................................................42
6.3.2.2 Settings for Proxmox Mail Gateway Virtual Machine ..........................43
6.3.2.2.1 RAM settings .............................................................................43
6.3.2.2.2 VMware Tools............................................................................43
6.3.2.2.3 Enable VMI Paravirtualization ......................................................43
6.3.2.2.4 Enable time synchronization .......................................................44
6.4 OpenVZ....................................................................................................45
7 Troubleshooting and technical support ...............................................................47
8 Table of figures ...............................................................................................48
9 Appendix .......................................................................................................49

1 Introduction
The huge amount of e-mail traffic is a challenge for every e-mail environment. The daily
e-mail routine brings along some major problems, this includes: performance, reliability,
regulation under public law and e-mail threads like viruses or Phishing attacks.
E-mail is an essential service for any organization, and professionally managed e-mail
improves organizational workflow and customer satisfaction. A missed e-mail could mean
a lost opportunity, or it could cause a public-relations problem that no organization would
want.
How does Proxmox work?
When an e-mail arrives at the Proxmox Mail Gateway, it is analyzed and forwarded to
your e-mail server which is responsible for sending the e-mail to the receiver. If the e-
mail server is not working, Proxmox Mail Gateway temporarily stores the message in the
e-mail queue for later transfer. The process works similar for outgoing e-mails.
This document covers samples and deployment information how to integrate and
customize Proxmox in your e-mail environment.
Note: See also the Proxmox Mail Gateway Administration Guide for a detailed product
description.

2 Proxmox Mail Gateway Integration

2.1 E-mail system without Proxmox
In a sample configuration, your e-mail traffic (SMTP) arrives on the firewall and will be
forwarded directly to your e-mail server.
Figure 2-1 System without Proxmox Mail Gateway
2.2 E-mail system with Proxmox

A single Proxmox Mail Gateway Server can handle unlimited mail domains with multiple
internal mail servers and millions of e-mails per day. For high availability and maximum
performance it is recommended to use a Proxmox HA Cluster, see chapter 5 Proxmox HA
Cluster – High availability.
Proxmox Mail Gateway can process incoming AND outgoing SMTP traffic by using
different ports. One port is assigned to incoming, one port for outgoing e-mails.
With the integrated Proxmox system all your e-mail traffic is forwarded to the Proxmox
Mail Gateway which filters the whole e-mail traffic and removes unwanted e-mails. You
can manage incoming and outgoing e-mail traffic.
Figure 2-2 Incoming e-mail with Proxmox Mail Gateway

Many mail filter solutions do not scan outgoing mails. Opposed to that Proxmox Mail
Gateway is designed to scan both incoming and outgoing mails. This has two major
advantages:
Figure 2-3 Outgoing with Proxmox Mail Gateway
1. Proxmox is able to detect viruses sent from an internal host. I many countries you
are liable for not sending viruses to other people. Proxmox outgoing e-mail
scanning feature is an additional protection to avoid that.
2. Proxmox can gather statistics about outgoing e-mails too. Statistics about
incoming e-mails looks nice, but they are quite useless. Consider two users, user-
1 receives 10 mails from news portals and wrote 1 mail to a person you never
heard from. While user-2 receiver 5 mails from a customer and sent 5 mails back.
Which user do you consider more active? I am sure its user-2, because he
communicates with your customers. Proxmox advanced address statistics can
show you this important information. Solution which does not scan outgoing mail
can’t do that.

2.3 Proxmox in the Intranet

2.3.1 Default port settings
The default configuration of the Proxmox Mail Gateway uses port 25 for incoming and
port 26 for outgoing e-mails.
Figure 2-4 Incoming default port settings (port 25)
Outgoing Mails:
Configure your mail server to send all e-mails to the Proxmox Mail Gateway, port 26.
Note: Proxmox receives the outgoing e-mails on port 26, so Proxmox knows its internal
trusted e-mail. After processing, Proxmox sends the e-mails to Internet, using standard
port 25.
Figure 2-5 Outgoing default port settings (port 26)
2.3.2 Alternative port settings (e.g. for MS Exchange)

Sometimes it is not possible to change the outgoing port due to third party software
limitations or existing network configurations (e.g. changing MS Exchange to another
sending port will have impact on Exchange internals and it’s not recommend)
To receive e-mails you have to do port forwarding at your Firewall. So that you’re
external IP and port 25 shows to the Proxmox Mail Gateway IP and port 26.

Figure 2-6 Incoming alternative port settings (port 26)
With MS Exchange you should not use port 26 for outgoing so you have to switch these
two values (25 and 26). In the end you have to use port 25 for outgoing and port 26 for
incoming mails.
Figure 2-7 Outgoing alternative port settings (port 25)

2.4 Proxmox in DMZ (demilitarized zone)

To run a DMZ Zone you have to adjust your Firewall settings. The intranet (Local) and
DMZ needs to have different IP Networks, for example:
Interface Zone IP Address Net mask

eth0 Local 192.168.1.1 255.255.255.0
eth1 Internet 10.0.0.2 255.255.255.0
eth2 DMZ 192.168.16.1 255.255.255.0
Figure 2-8 Proxmox in DMZ

2.5 Proxmox with multiple e-mail server and mail domains

You can use Proxmox Mail Gateway sending e-mails to different internal e-mail servers.
For example you can send e-mails addressed to domain.com to your first e-mail server,
and e-mails addressed to subdomain.domain.com to a second one. In the e-mail proxy
transport section add the IP addresses or hostname, SMTP ports and mail domains of
your additional e-mail servers.
Figure 2-9 Multiple e-mail servers
Note: you need for each domain an appropriate license, otherwise it will not work!

3 Performance Tuning
3.1 Hardware benchmarks
Please use the command line tool “proxperf” to get an overview about your hardware and
DNS performance.
Note: Never run “proxperf” if the system is under load.
Here is a sample output of “proxperf”:
proxmox:~# proxperf
CPU BOGOMIPS: 8489.64
REGEX/SECOND: 410814
HD SIZE: 6.89 GB (/dev/sda2)
BUFFERED READS: 116.38 MB/sec
AVERAGE SEEK TIME: 8.09 ms
FSYNCS/SECOND: 1084.51
DNS EXT: 46.26 ms
DNS INT: 1.05 ms (domain.com)
DNSBL: 35.47 ms (zen.spamhaus.org)
proxmox:~#
Please compare your results against this reference. If you get lower results please
analyze your hardware and DNS setup – for comments email your results to
support@proxmox.com.
3.2 Backup MX
Using your ISPs mail server is not a good idea, because many ISPs do not use advanced
spam prevention techniques. And spammers know this and they use your ISP backup MX
to work around your Proxmox spam filtering.
Additionally, you can never benefit of blocking spam messages on SMTP level.
If you need redundancy, it is recommended to run a second Proxmox server in HA

Cluster mode to avoid lower spam detection rates
3.3 Local DNS cache

Proxmox includes a local DNS cache. It is recommended to enable it if you do not have
access to fast (internal) DNS servers, or if you want to reduce the load on those servers.
Figure 3-1 Use local DNS Cache

3.4 Blocking Emails on SMTP level

Blocking emails before they reach your network saves your internet bandwidth and
reduces processing power. By doing the following, you can reduce your email traffic by
more than 90 %, depends on your environment.
If you want to exclude some senders or receivers from getting blocked on the SMTP
level, just enter in the Mail proxy whitelist.
Figure 3-2 Mail proxy whitelist
3.4.1 Greylisting
Typically, a server that utilizes Greylisting will record the following three pieces of
information (referred to as triplet) for all incoming e-mail.
 The IP address of the connecting host

 The envelope sender address
 The envelope recipient address
The client is checked against the mail server's internal whitelists (if any) first. Then, if
the triplet has never been seen before, it is greylisted for a period of time (how much
time is dependent on the server configuration). The e-mail is rejected with a temporary
error. The assumption is that since temporary failures are built into the RFC
specifications for e-mail delivery, a legitimate server will attempt to connect again later
on to deliver the e-mail.
Greylisting is effective because many mass e-mail tools utilized by spammers are not set
up to handle temporary failures (or any failures for that matter) so the Spam is never
received.
This feature can reduce e-mail traffic up to 50%. Greylisted e-mails never reach your
mail server and your mail server will stop sending useless "Non Delivery Reports" to
spammers, filling up the queue.
If a sender has a valid SPF record, he will never be greylisted.

3.4.2 Sender Policy Framework – SPF

Domains use public records (DNS) to direct requests for different services (web, e-mail,
etc.) to the machines that perform those services. All domains already publish e-mail
(MX) records to tell the world what machines receive e-mail for the domain. SPF works
by domains publishing "reverse MX" records to tell the world what machines send e-
mail for the domain. When receiving a message from a domain, the recipient can check
those records to make sure e-mail is coming from where it should be coming from.
Please make sure, that you deploy a valid SPF record for your mail domain.
Note: see http://www.openspf.org for setting up a SPF for your mail domain.
3.4.3 Real time Blacklists (RBL)

Proxmox can use RBL checks on SMTP level to reject e-mails. Therefore Proxmox has to
query the RBL server for every SMTP connection.
Proxmox use the following RBL providers by default:

• Spamhaus.org
• dsbl.org
Figure 3-3 Enable RBL checks

3.4.4 Local DNS RBL cache – Spamhaus Datafeed Service

Each e-mail leads to a DNS query to the RBL server of spamhaus and dsbl. If these
servers are under heavy it cannot be guaranteed that you will get an answer – also if you
are running a high traffic site it is recommended to locally cache both RBL´s.
Proxmox can synchronize these blacklists locally to provide quality of service and speed
up the query time.
3.4.4.1 Configuring local DNS blacklist caches

Some DNS blacklist providers offers data feed services. You can locally mirror blacklist
data making queries to remote DNS servers unnecessary. Proxmox can use local DNS
blacklist caches of spamhaus.org and dsbl.org. Just set the IP address of your local
mirror, or '127.0.0.1' to disable it (default).
You can use your Proxmox Server to download the blacklists, but you can also use any
other server within your network.
Note: Spamhaus data feed is a commercial service – additional license/account required.

For details visit http://www.proxmox.com
HowTo: Synchronize DNS blacklist to the Proxmox server
Local sync is done via proxblsync, usually started via cron. Please log in to the console
and configure the following:
crontab –e
11,41 * * * * proxblsync --spamhaus rsync1.spamhaus.org --dsbl rsync.dsbl.org -

-mailto root
Note: “11,41” stands for the minutes of each hour, please replace these values with the
one in your spamhaus datafeed license.
Next, configure the RBLDNS daemon configuration file:
nano /etc/default/rbldnsd
RBLDNSD="- -r/var/lib/rbldns -f -b127.0.0.2 \

sbl.spamhaus.org:ip4set:sbl \
pbl.spamhaus.org:ip4trie:pbl \
xbl.spamhaus.org:ip4tset:xbl \
zen.spamhaus.org:ip4set:sbl \
zen.spamhaus.org:ip4trie:pbl \
zen.spamhaus.org:ip4tset:xbl \
list.dsbl.org:ip4set:dsbl"

Start the RBLDNS service:
/etc/init.d/rbldnsd start
Finally, redirect query to local mirror:
Figure 3-4 Enable local RLB cache – Spamhaus.org and Dsbl.org
3.4.5 Receiver Verification

Nowadays, e-mail domains are receiving a lot of e-mails to non-existing users. This could
be up to 95 % of junk messages.
In short, this means for your systems:
 Increased traffic on your internet connection

 Your e-mail server is handling junk e-mails instead of working for you
 High load on your scanners
 Slow overall performance and high costs
3.4.5.1 Proxmox Solutions

Proxmox can detect these e-mails to non-existing users on SMTP level, which means
BEFORE the e-mails are transferred to your networks.
In short, this means for your systems:
 reduced traffic, up to 90 %
 Your internal e-mail server is now working for you again
 Reduced load on your scanners, 90 % less e-mails to analyze for spam and
viruses
 Good performance and costs

3.4.5.2 Enabling Verify Receivers
You can enable this option on the admin interface (Configuration/Mail Proxy/Options)
We recommend selecting yes (450). 450 means, that in the case of a short downtime of
your internal mail server no messages are lost.
Note: Your internal e-mail server has to be reconfigured to reject unknown user.
Proxmox is doing a short query to the internal e-mail server to check if the user is valid.
For settings on Exchange 2003 SP2, see chapter 3.4.5.2.1 Settings for Exchange 2003
SP2
Figure 3-5 Enable Verify Receivers

3.4.5.2.1 Settings for Exchange 2003 SP2

You have to enable Recipient Filtering, please use the Exchange System Manager.
Figure 3-6 Exchange 2003: Filter recipients 1



3.4.5.2.2 Settings for Exchange 2007 SP1

First, make sure that you have the Exchange 2007 Anti-Spam agent. If you installed a
typical one server installation, this is NOT installed by default.
Microsoft provides an install script to manually install the Anti-Spam agent:
1. Open the Exchange Management Shell

2. cd “c:\program files\Microsoft\Exchange Server\Scripts”
3. .\install-AntispamAgents
4. Restart the Microsoft Exchange Transport service
Figure 3-10 Exchange 2007 SP1: Install Anti-Spam agent
Now you can enable Recipient Filtering on the Anti-Spam agent, please use the Exchange
Management Console.
Figure 3-11 Exchange 2007 SP1: Filter recipients 1

Figure 3-12 Exchange 2007 SP1: Filter recipients 2
4 Rule System
The object-oriented rule system enables custom rules for your domains. It’s an easy but
very powerful way to define filter rules by user, domains, time frame, content type and
resulting action.
 Who - object
For TO and/or FROM Category
Example: Mail object - Who is the sender or receiver of the e-mail?
 When - object
Example: When is the e-mail received by Proxmox Mail Gateway?
 What - object
Example: Does the e-mail contain spam?
 Action - object
Example: Mark e-mail with "SPAM:" in the subject.
Every rule has got 5 categories (FROM, TO, WHEN, WHAT, ACTION) which can contain
several objects. For example enable Archive Solutions with BCC Object (Blind carbon
copy, recipients not visible in the "To" field) to Mailbox or to a Public Folder
 FROM: Anybody
 TO: Anybody
 WHEN: Always
 WHAT: Mail
 ACTION: BCC to Publicfolder
In most of the countries worldwide a company has to forward all e-mails to there
employees this includes spam e-mails as well.
For example to send Spam mails in quarantine
 FROM: Anybody
 TO: Anybody
 WHEN: Always
 WHAT: Spam
 ACTION: Quarantine
With this kind of setup the receiver gets detailed Information about the Spam e-mails.
Quarantine can be enabled just for existing LDAP groups or via BCC to Public Folders or
Mailboxes.
At present the usefulness of e-mail is being threatened by three phenomena: spamming,

pishing and e-mail worms.
Spamming is unsolicited commercial e-mail. Because of the very low cost of sending e-
mail, spammers can send hundreds of millions of e-mail messages each day over an
inexpensive internet connection. Hundreds of active spammers sending this volume of
mail results in information overload for many computer users who receive tens or even
hundreds of junk messages each day.
E-mail worms use e-mail as a way of replicating themselves into vulnerable computers.
The combination of spam and worm programs results in users receiving a constant
drizzle of junk e-mail, which reduces the usefulness of e-mail as a practical tool.
To increase the efficiency of e-mail communications the use of anti-spam, anti-pishing

and antivirus software is essential. With the deployment of Proxmox Mail Gateway you
get the job done. Based on the design as software appliance one of the strengths of
Proxmox Mail Gateway is its flexibility. It can be easy integrated in existing E-mail
architecture. It’s compatible to every type of mail server or MTA (e.g. Microsoft
Exchange, Lotus Domino, Postfix …).
For example a virus protection looks like this:
 FROM: Anybody
 TO: Anybody
 WHEN: Always
 WHAT: Virus
 ACTION: Block
Options range from simple spam and virus filter setups to sophisticated, highly
customized configurations blocking certain types of e-mails and generating notifications.

4.1 Default Rules

4.1.1 Block Viruses
This rule blocks all incoming virus e-mail and informs the admin via e-mail notification.
Figure 4-1 Rule: Block Viruses
4.1.2 Virus Alert

This rule blocks all outgoing virus e-mail and informs the admin and sender via e-mail
notification.
Figure 4-2 Rule: Virus Alert

4.1.3 Block Dangerous Files

This rule removes dangerous attachments from incoming e-mails (.vbs,.bat,.com, …)
Figure 4-3 Rule: Block Dangerous Files
4.1.4 Mark Spam

This rule identifies spam and modifies the spam level and the e-mail subject.
Figure 4-4 Rule: Mark Spam

4.2 Custom Rules

Proxmox provides samples for custom rules to show the functionality. For support or help
configuring rules see the Proxmox support forum at: http://www.proxmox.com/forum/ or
contact a Proxmox partner.
4.2.1 Enable Spam and Virus quarantine

Activate or change the Spam and/or Virus rule with the existing action object
“Quarantine”.
Figure 4-5 Add “Quarantine” action to rule “Mark Spam”
4.2.2 Enable Spam quarantine for just a selection of users

If you want to use the spam quarantine for specific users or a specific domain (and for
the rest just “Mark Spam”), create a new WHO object containing these users or domains.
1. Create a new WHO object; give a name like “Quarantine Users” and add the users
or domains to this object
2. Use the existing (inactive) rule “Spam Quarantine” and set higher priority than the
“Mark Spam” rule (e.g. 81)
3. Add the WHO object “Quarantine Users”
4. Activate the rule

Figure 4-6 Enable Spam quarantine for just a selection of users
4.2.3 Enable Spam quarantine for existing LDAP users

If you want to use the spam quarantine only for existing internal e-mail addresses, you
can use the LDAP query “Existing LDAP”.
1. Create a new WHO object; give a name like “Existing LDAP address” and add the
LDAP group “Existing LDAP address”
2. Use the existing (inactive) rule “Spam Quarantine” and set higher priority than the
“Mark Spam” rule (e.g. 81)
3. Add the WHO object “Existing LDAP address”
Figure 4-7 Create WHO object “Existing LDAP address”

Figure 4-8 Enable Spam quarantine for existing LDAP addresses

4.2.4 Block Spam e-mails with a score higher 10

The default setting marks Spam with a score higher 5 and delivers the e-mail to the user.
With this additional rule, you can block Spam with a score higher 10 to reduce the
delivery of spam e-mails to the user.
1. Create a new “What Object”, give a name, e.g. “Spam Level 10” Figure 4-9
2. Add “Spam Filter” to the Object Figure 4-10
3. Set the Set Spam Filter to Level 10 Figure 4-11
4. Add new Rule, give a name, e.g. “Delete Spamlevel 10”, Set Priority to 81 (higher
than the “Mark Spam” rule!, set Direction to “In” Figure 4-12
5. Add What Object “Spam Level 10” to the rule Figure 4-13
6. Add Action Object “Block” to the rule Figure 4-14
7. Final review (still inactive) Figure 4-15
8. Activate rule Figure 4-16
Figure 4-9 Add new What Object

Figure 4-10 Add Spam Filter to a What Object
Figure 4-11 Set Spam Filter to Level 10

Figure 4-12 Add new Rule
Figure 4-13 Add What Object to a Rule

Figure 4-14 Add Action Object to a Rule
Figure 4-15 Final Review of Rule (still inactive)

Figure 4-16 Activate Rule
4.2.5 BCC object – An simple archive solution

If you need to archive e-mails it’s useful to send a copy to a special mailbox. If you have
Microsoft Exchange, you can also send a copy to a mail enabled public folder.
1. Create an Action Object: “Add BCC Object”, name it “BCC to Archive Public folder
or Mailbox”
2. Under “Receiver”, type the e-mail address of the public folder/Mailbox
3. Click on an already existing rule or create a new one
4. Add Action Object “BCC to Archive Public folder or Mailbox” to the rule
How to create a Mail Enable Public Folder under Exchange 2000/2003?
1. Create a public folder in Exchange (Exchange System Manager or via Outlook)

2. "Mail enable" the public folder via Exchange system manager – right click an
select “Mail Enable”
3. Wait a few minutes, Exchange creates the e-mail address
4. Right click the folder an check the e-mail address (or change it, if you want),
remember e-mail address
5. Set appropriate client permission (note: anonymous must have the right to create
items)
6. Optional: Set age limit: select “Limits” and set the age limit to 90 days (all
messages older than 90 days will be automatically deleted)
4.2.6 Block Video and Audio Attachments

1. Create a new rule, e.g. “Block Multimedia Files”, define direction and set priority
2. Add What Object “Multimedia” to the rule
3. Add Action Object “Block” to the rule

4. Final review (still inactive)
4.2.7 Add Admin Notification to Rules

If you block mails it’s useful to inform the Proxmox Admin.
1. Click on the desired rule

2. Add the “notify Admin” action to the rule
4.2.8 Preventing directory harvesting attacks with LDAP object

The LDAP group object “Unknown LDAP address” can be used to prevent directory
harvesting attacks. The Mail Gateway can check incoming e-mail addresses against valid
e-mail addresses in your organization.
1. Create a new “WHO Object”, give a name, e.g. “Unknown LDAP”

2. Add an “LDAP Group” to the Object, select “Any profile” and “Unknown LDAP
Address”, then click save.
3. Now you can test your object against e-mail addresses. If you type an unknown
e-mail address, it should be member of the Unknown LDAP group. If you type a
valid e-mail address, it should not be member.
4. Add new rule, give a name, e.g. “Unknown LDAP”, set priority to 85 (higher than
the “Mark Spam” rule, set direction to “in”
5. Add the WHO object “Unknown LDAP” from above to the rule (as “to”)
6. Add the WHAT “Spam” to the rule
7. Add the ACTION object “block” (for testing, just add a notify to see results – be
careful with block action)
8. Final review (still inactive)
Note: Add always the “Spam” object – because most directory attacks are also spam. So
you just block attacks from spammers and you still are able to send NDR to people just
mistyping an e-mail address.

Figure 4-17 Unknown LDAP address rule
4.2.9 Block Video and Audio Attachments for LDAP Groups

The LDAP groups can be used to apply special settings to groups.
Most people like sending joke videos and audio files via e-mail – this grows up your users
mailboxes. On the other side, you do not want to block these funny things for everybody.
We assume you have a LDAP group called “Staff”.
 Create a new “WHO Object”, give a name, e.g. “Staff”

 Add “LDAP Group” to the Object, select “your LDAP Profile” and select “Staff” from
the dropdown menu, click save.
 Now you can test your object against e-mail addresses
 Add new rule, give a name, e.g. “Block Multimedia for Staff”, set priority to 70,
set direction to “in”, click save
 Add the WHO object “Staff” from above to the rule (as “to”)
 Add the WHAT “Multimedia” to the rule
 Add the ACTION object “Remove Attachments”
 Final review (still inactive)
 Activate the rule
Note: Removed attachments from e-mails are replaced with a text file.

Figure 4-18 Block video and Audio attachment for LDAP group “Staff”

5 Proxmox HA Cluster – High availability

We are living in a world where e-mail becomes more and more important - failures in e-
mail systems are just not acceptable. To meet these requirements we developed the
Proxmox HA (High Availability) Cluster.
The Proxmox HA Cluster consists of a master and several nodes (minimum one node).
Configuration is done on the master. Configuration and data is synchronized to all cluster
nodes over a VPN tunnel. This provides the following advantages:
 centralized configuration management

 fully redundant data storage
 high availability
 high performance
Proxmox uses a unique application level clustering scheme, which provides extremely
good performance. Special considerations where taken to make management as easy as
possible. Complete Cluster setup is done within minutes, and nodes automatically
reintegrate after temporary failures without any operator interaction.
Figure 5-1 Proxmox HA Cluster with load balanced MX records

5.1 Load Balancing with MX Records

It’s quite simple to set up a high performance load balanced mail cluster using MX
records. You have to define two MX records with the same priority.
You need to have 2 working Proxmox Mail Gateways (mail1.example.com and

mail2.example.com), each having its own IP address (the rest of the setting should be
more or less equal, i.e. you can use backup/restore to copy the rules).
We recommend adding reverse lookup entries (PTR records) for those hosts. Many e-mail
systems nowadays reject mails from hosts without valid PTR records.
This is all you need. You will receive mails on both hosts, more or less load-balanced
(round-robin scheduling). If one host fails the other is used.
Figure 5-2 Load balancing via MX Records

5.2 Multiple Address Records

Using several DNS MX record is sometime clumsy if you have many domains. It is also
possible to use one MX record per domain, but multiple address records:
Figure 5-3 Load balancing Multiple Address Records
5.3 Using third party Firewall features

Many firewalls can do some kind of RR-Scheduling (round-robin) when using DNAT. See
your firewall manual for more details.

6 Hardware selection and Virtualization

Proxmox always needs a dedicated PC or server hardware. Alternative, Proxmox can be
run under VMware™, OpenVZ and Proxmox VE.
Proxmox delivers prebuilt Virtual Appliances for:
 Proxmox VE (http://pve.proxmox.com)
 VMware™
 OpenVZ
Also known to work (Intel VT or AMD-V needed):
 Virtualbox
 XEN (Full virtualized)
 Citrix XenServer (Full virtualized)
 Parallels Server
 Virtualbox
 Hyper-V
For best performance please use physical hardware or OS virtualization like Proxmox VE
(OpenVZ).
6.1 Physical Hardware

See http://www.proxmox.com for certified hardware. For maximum performance we
recommend:
Hard disks SAS Disk (15.000rpm), Hardware Raid with battery backup and cache
enabled
CPU Two Quad Core Xeon (5xxx)
RAM 4 GB ECC
6.1.1 Certified Hardware

The latest certified hardware list is published on http://www.proxmox.com.
6.2 Proxmox VE (http://pve.proxmox.com)

The Mail Gateway is available as a certified Virtual Appliance for Proxmox VE.
For all details see http://pve.proxmox.com/wiki/Proxmox_Mail_Gateway
6.3 VMware™
Proxmox runs perfectly under VMware™. For quick deployment Proxmox

delivers a ready to run, preconfigured and certified Virtual Appliance.
Installation from the ISO-Image is also fully supported and gives the
possibility for custom settings, optimized for the VMware™ Host.
Proxmox 2.3 and later supports VMware™ para-virtualization (Kernel

2.6.27) and we deliver a prebuilt VMware Tools package for installation
(already included in the Appliance).

6.3.1 Settings for VMware™ ESX, ESXi and vSphere

Proxmox dynamically adapts the number of processes referring to the given memory to
maximize performance. This means, if Proxmox runs on a machine with 1 GB memory it
uses 1 GB of memory.
A VMware™ host can swap memory between guests and if configured, the host can show
more physical memory to the guest as available by swapping to disks. This leads to very
poor performance. While memory overcommit is possible, for optimal operation you
should never assign more memory to virtual machines than is available on the host. For
more details see VMware documentation on http://www.vmware.com.
6.3.1.1 Settings for the Proxmox Mail Gateway Virtual Machine
6.3.1.1.1 RAM settings

The minimum memory for running Proxmox Mail Gateway is 512 MB RAM.
6.3.1.1.2 VMware Tools

Proxmox precompiles the VMware Tools components for easy installation.
Please visit the support forum for detailed instructions and downloads.
http://www.proxmox.com/forum/.
6.3.1.1.3 Enable VMI Paravirtualization
Figure 6-1 Enable VMI Paravirtualization for Proxmox Mail Gateway on ESX

6.3.1.1.4 Enable time synchronization
Figure 6-2 Enable time synchronization on ESX/ESXi
6.3.2 Settings for a VMware™ Server 2

Proxmox dynamically adapts the number of processes referring to the given memory to
maximize performance. This means, if Proxmox runs on a machine with 1 GB memory it
uses 1 GB of memory.
A VMware™ host can swap memory between guests and if configured, the host can show
more physical memory to the guest as available by swapping to disks. This leads to very
poor performance. While memory overcommit is possible, for optimal operation you
should never assign more memory to virtual machines than is available on the host. For
more details see VMware documentation on http://www.vmware.com.
6.3.2.1 Host memory settings

Always choose this option: “Fit all virtual machine memory into reserved host RAM”
Strictly apply the reserved memory limit set in the top of the panel. This setting imposes
the tightest restrictions on the number and memory size of virtual machines that can run
at a given time. Because the virtual machines are running entirely in RAM, they have the
best possible performance.

Figure 6-3 Memory settings for VMware Server 2 Host
6.3.2.2 Settings for Proxmox Mail Gateway Virtual Machine
6.3.2.2.1 RAM settings

The minimum memory for running Proxmox Mail Gateway is 512 MB RAM.
6.3.2.2.2 VMware Tools
Proxmox precompiles the VMware Tools components for easy installation.
Please visit the support forum for detailed instructions and downloads.
http://www.proxmox.com/forum/.
6.3.2.2.3 Enable VMI Paravirtualization

Figure 6-4 Enable VMI Paravirtualization for Proxmox Mail Gateway
6.3.2.2.4 Enable time synchronization

Figure 6-5 Enable time synchronization on VMware Server 2 Host
6.4 OpenVZ
OpenVZ is an Open Source Operating System-level server virtualization solution, built on
Linux. For details about OpenVZ, please visit http://openvz.org/.
OpenVZ is also used in Proxmox VE (http://pve.proxmox.com).
Main advantage from Operating System-level server virtualization is minimum overhead

which leads to maximum performance. Proxmox runs on OpenVZ quite as fast as on
physical hardware with all advantages from virtualization. OpenVZ supports online
migration from a running Proxmox from one hardware node to another without
downtime.
For running Proxmox on OpenVZ, we launched a wiki page on:

http://wiki.openvz.org/Proxmox_Mail_Gateway_in_VE
For online backups of a running OpenVZ, we developed vzdump:
http://wiki.openvz.org/Backup_of_a_running_VE_with_vzdump

7 Troubleshooting and technical support

Use the moderated Proxmox support forum or contact a Proxmox partner for their
support offerings.
All information:
http://www.proxmox.com
Email support:
support@proxmox.com

8 Table of figures
Figure 2-1 System without Proxmox Mail Gateway ............................................ 6
Figure 2-2 Incoming e-mail with Proxmox Mail Gateway................................... 6
Figure 2-3 Outgoing with Proxmox Mail Gateway .............................................. 7
Figure 2-4 Incoming default port settings (port 25) .......................................... 8
Figure 2-5 Outgoing default port settings (port 26) .......................................... 8
Figure 2-6 Incoming alternative port settings (port 26) .................................... 9
Figure 2-7 Outgoing alternative port settings (port 25) .................................... 9
Figure 2-8 Proxmox in DMZ ..............................................................................10
Figure 2-9 Multiple e-mail servers ....................................................................11
Figure 3-1 Use local DNS Cache ........................................................................12
Figure 3-2 Mail proxy whitelist .........................................................................13
Figure 3-3 Enable RBL checks ...........................................................................14
Figure 3-4 Enable local RLB cache – Spamhaus.org and Dsbl.org .....................16
Figure 3-5 Enable Verify Receivers ...................................................................17
Figure 3-6 Exchange 2003: Filter recipients 1 ..................................................18
Figure 3-10 Exchange 2007 SP1: Install Anti-Spam agent ................................21
Figure 3-11 Exchange 2007 SP1: Filter recipients 1..........................................21
Figure 3-12 Exchange 2007 SP1: Filter recipients 2..........................................22
Figure 4-1 Rule: Block Viruses ..........................................................................24
Figure 4-2 Rule: Virus Alert ..............................................................................24
Figure 4-3 Rule: Block Dangerous Files ............................................................25
Figure 4-4 Rule: Mark Spam .............................................................................25
Figure 4-5 Add “Quarantine” action to rule “Mark Spam” .................................26
Figure 4-6 Enable Spam quarantine for just a selection of users ......................27
Figure 4-7 Create WHO object “Existing LDAP address” ...................................27
Figure 4-8 Enable Spam quarantine for existing LDAP addresses .....................28
Figure 4-9 Add new What Object ......................................................................29
Figure 4-10 Add Spam Filter to a What Object ..................................................30
Figure 4-11 Set Spam Filter to Level 10 ............................................................30
Figure 4-12 Add new Rule ................................................................................31
Figure 4-13 Add What Object to a Rule .............................................................31
Figure 4-14 Add Action Object to a Rule ...........................................................32
Figure 4-15 Final Review of Rule (still inactive) ...............................................32
Figure 4-16 Activate Rule .................................................................................33
Figure 4-17 Unknown LDAP address rule..........................................................35
Figure 4-18 Block video and Audio attachment for LDAP group “Staff” ............36
Figure 5-1 Proxmox HA Cluster with load balanced MX records ........................37
Figure 5-2 Load balancing via MX Records........................................................38
Figure 5-3 Load balancing Multiple Address Records ........................................39
Figure 6-1 Enable VMI Paravirtualization for Proxmox Mail Gateway on ESX ...41
Figure 6-2 Enable time synchronization on ESX/ESXi .......................................42
Figure 6-3 Memory settings for VMware Server 2 Host .....................................43
Figure 6-4 Enable VMI Paravirtualization for Proxmox Mail Gateway ...............44
Figure 6-5 Enable time synchronization on VMware Server 2 Host ...................45

9 Appendix
Reference document: Mail Gateway AdminGuide
You can download the latest version from www.proxmox.com
- End of document -

Proxmox Mail Gateway: Deployment Guide

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Proxmox Mail Gateway: Deployment Guide

Uploaded by

Copyright:

Available Formats

Proxmox Mail Gateway

© 21.05.2010 Proxmox Server Solutions GmbH 2  49

6.3.2 Settings for a VMware™ Server 2 .........................................................42

© 21.05.2010 Proxmox Server Solutions GmbH 4  49

How does Proxmox work?

© 21.05.2010 Proxmox Server Solutions GmbH 5  49

2 Proxmox Mail Gateway Integration

Figure 2-1 System without Proxmox Mail Gateway

2.2 E-mail system with Proxmox

Figure 2-2 Incoming e-mail with Proxmox Mail Gateway

Figure 2-3 Outgoing with Proxmox Mail Gateway

© 21.05.2010 Proxmox Server Solutions GmbH 7  49

2.3 Proxmox in the Intranet

Figure 2-4 Incoming default port settings (port 25)

Figure 2-5 Outgoing default port settings (port 26)

2.3.2 Alternative port settings (e.g. for MS Exchange)

© 21.05.2010 Proxmox Server Solutions GmbH 8  49

Figure 2-6 Incoming alternative port settings (port 26)

Figure 2-7 Outgoing alternative port settings (port 25)

© 21.05.2010 Proxmox Server Solutions GmbH 9  49

2.4 Proxmox in DMZ (demilitarized zone)

Interface Zone IP Address Net mask

Figure 2-8 Proxmox in DMZ

© 21.05.2010 Proxmox Server Solutions GmbH 10  49

2.5 Proxmox with multiple e-mail server and mail domains

Figure 2-9 Multiple e-mail servers

© 21.05.2010 Proxmox Server Solutions GmbH 11  49

Note: Never run “proxperf” if the system is under load.

Here is a sample output of “proxperf”:

If you need redundancy, it is recommended to run a second Proxmox server in HA

3.3 Local DNS cache

Figure 3-1 Use local DNS Cache

© 21.05.2010 Proxmox Server Solutions GmbH 12  49

3.4 Blocking Emails on SMTP level

Figure 3-2 Mail proxy whitelist

 The IP address of the connecting host

If a sender has a valid SPF record, he will never be greylisted.

© 21.05.2010 Proxmox Server Solutions GmbH 13  49

3.4.2 Sender Policy Framework – SPF

3.4.3 Real time Blacklists (RBL)

Proxmox use the following RBL providers by default:

Figure 3-3 Enable RBL checks

© 21.05.2010 Proxmox Server Solutions GmbH 14  49

3.4.4 Local DNS RBL cache – Spamhaus Datafeed Service

3.4.4.1 Configuring local DNS blacklist caches

Note: Spamhaus data feed is a commercial service – additional license/account required.

HowTo: Synchronize DNS blacklist to the Proxmox server

11,41 * * * * proxblsync --spamhaus rsync1.spamhaus.org --dsbl rsync.dsbl.org -

Next, configure the RBLDNS daemon configuration file:

RBLDNSD="- -r/var/lib/rbldns -f -b127.0.0.2 \

© 21.05.2010 Proxmox Server Solutions GmbH 15  49

Start the RBLDNS service:

Finally, redirect query to local mirror:

Figure 3-4 Enable local RLB cache – Spamhaus.org and Dsbl.org

3.4.5 Receiver Verification

In short, this means for your systems:

 Increased traffic on your internet connection

3.4.5.1 Proxmox Solutions

In short, this means for your systems:

© 21.05.2010 Proxmox Server Solutions GmbH 16  49

3.4.5.2 Enabling Verify Receivers

Figure 3-5 Enable Verify Receivers

© 21.05.2010 Proxmox Server Solutions GmbH 17  49