
Proxmox Mail Gateway

Administration Guide

5/21/2010

MailGatewayAdminGuide-V3.1.doc


Proxmox Server Solutions GmbH

Kohlgasse 51/10 A-1050 Vienna [email protected] www.proxmox.com

© 21.05.2010 Proxmox Server Solutions GmbH 2 51

Proxmox Server Solutions GmbH reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the latest version of this document, which is available from http://www.proxmox.com.

NOTE: A license to the Proxmox Software usually includes the right to product updates for one (1) year from the date of purchase. Maintenance can be renewed on an annual basis.

All other product or company names different from Proxmox may be trademarks or registered trademarks of their owners. Copyright © 2010 Proxmox Server Solutions GmbH. All rights reserved. No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the express prior written consent of Proxmox.


Table of Contents

1 What is Proxmox Mail Gateway?
2 Quick Start Guide
3 Planning for Deployment
  3.1 Easy integration into existing e-mail server architecture
    3.1.1 Filtering Outgoing E-mails
  3.2 Firewall settings
  3.3 System requirements
    3.3.1 Minimum system requirements
    3.3.2 Recommended system requirements
    3.3.3 High performance system
  3.4 Compare the Proxmox Mail Gateway editions
    3.4.1 Proxmox Mail Gateway Free Version
    3.4.2 Proxmox Mail Gateway Standard Versions
    3.4.3 Proxmox Mail Gateway Professional
    3.4.4 Proxmox Mail Gateway HA Cluster
    3.4.5 EDU, GOV and Non-Profit Organization Licensing
  3.5 Steps to get your Proxmox up and running
4 Installing Proxmox Mail Gateway
  4.1 Complete installation in 3 to 5 minutes
  4.2 Software RAID
    4.2.1 Differences between RAID systems
  4.3 Proxmox Mail Gateway Virtual Appliance editions
    4.3.1 VMware
    4.3.2 Proxmox VE
    4.3.3 OpenVZ
5 Getting started with Mail Gateway
  5.1 Web interface
  5.2 Upload license file
    5.2.1 High performance system
  5.3 Configuration
    5.3.1 System
    5.3.2 Mail Proxy
    5.3.3 Spam Detector
    5.3.4 Virus Detector
    5.3.5 User Management
    5.3.6 Cluster
    5.3.7 License
  5.4 Mail Filter
    5.4.1 Rules
    5.4.2 Actions
    5.4.3 Who
    5.4.4 What
    5.4.5 When
  5.5 Administration
    5.5.1 Server
    5.5.2 Statistic
    5.5.3 Quarantine
    5.5.4 Tracking Center
      5.5.4.2 Real-time
      5.5.4.3 Greylist log
    5.5.5 Queues
6 LDAP Integration (Professional Version or LDAP Option)
  6.1 Creating a new LDAP Profile
  6.2 LDAP queries


  6.3 Sample LDAP rules
7 Example Mail server configuration (Outgoing Mails)
  7.1 Configuration for Microsoft Exchange
  7.2 Configuration for Postfix
8 Example rules
9 Redundant Servers and Load Balancing
  9.1 Hot Standby with Backup MX Records
  9.2 Load Balancing with MX Records
  9.3 Other ways
    9.3.1 Multiple Address Records
    9.3.2 Using Firewall features
10 Proxmox HA Cluster
  10.1 Hardware requirements
  10.2 Required Licenses
  10.3 Load Balancing
  10.4 Cluster Administration
    10.4.1 Creating a Cluster
    10.4.2 List Cluster Status
    10.4.3 Adding Cluster Nodes
    10.4.4 Deleting Nodes
  10.5 Disaster recovery
    10.5.1 Single Node Failure
    10.5.2 Master Failure
    10.5.3 Total Cluster failure
11 Troubleshooting and technical support
  11.1 Console login
12 Table of figures
13 Appendix
  13.1 Available macros for rule system
  13.2 Individual SpamAssassin configuration
  13.3 Customized daily spam reports
  13.4 Using Regular Expressions
    13.4.1 Simple Regular Expressions
    13.4.2 Metacharacters
    13.4.3 References
  13.5 Managing Software RAID
    13.5.1 Repair boot-loader (grub) on Software Raid
  13.6 Backup considerations
    13.6.1 Scheduled Backup
    13.6.2 Backup via console
    13.6.3 Restore via console
    13.6.4 Bacula client (http://www.bacula.org)
  13.7 Avira SAV Antivirus Integration
  13.8 SSL Certificate
  13.9 Port Scans (nmap)


1 What is Proxmox Mail Gateway?

E-mail security begins at the gateway by controlling all incoming and outgoing e-mail messages. Proxmox Mail Gateway addresses the full spectrum of unwanted e-mail traffic, focusing on spam and virus detection. Proxmox Mail Gateway provides a powerful and affordable server solution to eliminate spam and viruses and to block undesirable content from your e-mail system. All products are self-installing and can be used without deep knowledge of Linux.

Figure 1-1 Processing of incoming e-mail traffic

2 Quick Start Guide

Experienced users can use this guide for a quick installation. For detailed instructions please read the whole documentation.

1. Burn the downloaded ISO image to a CD
2. Boot from this CD on your dedicated hardware - see 3.3 System requirements
3. Follow the instructions on the graphical screen – all existing data on your hard disk will be lost!
4. After reboot, go to your desktop PC and point your browser (Internet Explorer or Firefox) to the given IP address.
5. Upload license file and change the root password
6. Check the Proxmox IP configuration
7. Select Time Zone and save
8. Check your Firewall settings – see 3.2 Firewall settings
9. Configure Proxmox to forward the incoming SMTP traffic to your Mail server (Configuration/Mail Proxy/Default Relay), Default Relay is your Mail server
10. Configure your Mail server to send all outgoing messages through your Proxmox (Smart Host, port 26) – see 3.1.1 Filtering Outgoing E-mails

For detailed deployment scenarios see the “Proxmox Mail Gateway Deployment Guide”.


3 Planning for Deployment

3.1 Easy integration into existing e-mail server architecture

In this sample configuration, your e-mail traffic (SMTP) arrives on the firewall and will be directly forwarded to your e-mail server.

Figure 3-1 Infrastructure without Proxmox Mail Gateway

With the Proxmox solution, all your e-mail traffic is forwarded to the Proxmox Mail Gateway, which filters it and removes unwanted e-mails. You can manage incoming and outgoing mail traffic.

Figure 3-2 Infrastructure with integrated Proxmox Mail Gateway

3.1.1 Filtering Outgoing E-mails

Many e-mail filter solutions do not scan outgoing mails. In contrast, Proxmox Mail Gateway is designed to scan both incoming and outgoing e-mails. This has two major advantages:


1. Proxmox is able to detect viruses sent from an internal host. In many countries you are legally responsible for ensuring that you do not send viruses to other people. The Proxmox outgoing e-mail scanning feature is an additional protection to avoid that.

2. Proxmox can gather statistics about outgoing e-mails too. Statistics about incoming e-mails look nice, but they are quite useless. Consider two users: user-1 receives 10 e-mails from news portals and wrote 1 e-mail to a person you never heard from, while user-2 receives 5 e-mails from a customer and sent 5 e-mails back. Which user do you consider more active? I am sure it's user-2, because he communicates with your customers. Proxmox advanced address statistics can show you this important information. Solutions which do not scan outgoing e-mail can't do that.

To enable outgoing e-mail filtering you just need to send all outgoing e-mails through your Proxmox Mail Gateway (usually by specifying Proxmox as “smarthost” on your e-mail server - see chapter 7 Example Mail server configuration (Outgoing Mails)).

3.2 Firewall settings

In order to pass e-mail traffic to the Proxmox Mail Gateway you need to enable the SMTP port. Our servers also use the Network Time Protocol (NTP) for time synchronization, as well as RAZOR, DNS and HTTP.

Service  Port  Protocol  From      To
SMTP     25    TCP       Proxmox   Internet
SMTP     25    TCP       Internet  Proxmox
NTP      123   TCP/UDP   Proxmox   Internet
RAZOR    2703  TCP       Proxmox   Internet
DNS      53    TCP/UDP   Proxmox   DNS Server
HTTP     80    TCP       Proxmox   Internet

The outgoing HTTP connection is mainly used for virus pattern updates, and can be configured to use a proxy instead of a direct internet connection. You can use the nmap utility to test your firewall settings (see chapter 13.9).

3.3 System requirements

Proxmox needs dedicated PC or server hardware. Proxmox can also run as a Virtual Appliance:

- VMware™ (Player, Workstation, Server 1 and 2, Virtual Infrastructure (ESX, ESXi and vSphere™))
- Proxmox VE (http://pve.proxmox.com)
- KVM
- OpenVZ
- Citrix XenServer (Full virtualized)

Known to work but not recommended:

- Hyper-V
- Xen (Full virtualized)
- Virtualbox
- Parallels Server

Please see http://www.proxmox.com for details.


Please check our website for a list of certified hardware. In order to get a benchmark from your hardware, just run “proxperf” after installation.

Note: All existing data on the hard disk will be lost during the installation!

3.3.1 Minimum system requirements

- Pentium 4 class PC, at least 2 GHZ
- 512 MB RAM
- bootable CD-ROM-drive (also external USB drive support)
- 1024x768 capable VGA/Monitor for Installer
- Hard disk 8 GB - ATA/SATA/SCSI
- 10/100 MBps Network interface card

3.3.2 Recommended system requirements

- Dual/Quad core PC/Server
- 1024 MB RAM or better
- Bootable CD-ROM-drive (also external USB drive support)
- 1024x768 capable VGA/Monitor for Installer
- Hard disk 36 GB SATA/SCSI/SAS or better, Hardware RAID, ATA/SATA/SAS Software RAID, Raid Controllers need write cache with batteries backup module for best performance
- 100 MBps Network interface card

3.3.3 High performance system

- Two Intel Xeon Quad core CPUs
- 4 GB RAM
- Bootable CD-ROM-drive (also external USB drive support)
- 1024x768 capable VGA/Monitor for Installer
- SAS/SCSI 15krpm Hard disks, Hardware Raid with write cache enabled with batteries backup module
- 100 MBps Network interface card

3.4 Compare the Proxmox Mail Gateway editions

Proxmox Mail Gateway must be licensed for the number of relaying domains. For example, if you run a mail server receiving e-mails for three domains (e.g. domain.net, domain.com, domain.at), then you need the three domain version. All Editions are for unlimited users.

Note: Please see www.proxmox.com for details

If you would like more features than your license offers, you can always upgrade by buying an upgrade license, without reinstallation.

3.4.1 Proxmox Mail Gateway Free Version

The free version is completely free of charge for private and commercial use and supports one domain with unlimited users. There are some functional limitations, which are described on http://www.proxmox.com.

3.4.2 Proxmox Mail Gateway Standard Versions

Standard versions are available for one, three, five and unlimited domains.


If you need to query MS Active Directory, an optional LDAP connector for one, three and five domains can be purchased.

3.4.3 Proxmox Mail Gateway Professional

This edition is intended to meet the demands of complex and high performance installations. This license provides the highest flexibility and performance (Relayed domains can be edited on the web interface, LDAP integration, etc.).

3.4.4 Proxmox Mail Gateway HA Cluster

The Proxmox HA Cluster consists of a master and several nodes (minimum one node).

Configuration is done on the master. Configuration and all data are synchronized to all cluster nodes over a VPN tunnel. This provides the following advantages:

- centralized configuration management
- fully redundant data storage without the need of expensive SAN
- high availability
- high performance
- runs also in virtualization environments

The Proxmox HA Cluster uses a unique application level clustering scheme, which provides extremely good performance. Special considerations were taken to make management as easy as possible. Complete Cluster setup is done within minutes, and nodes automatically reintegrate after temporary failures without any operator interaction.

3.4.5 EDU, GOV and Non-Profit Organization Licensing

To purchase Proxmox EDU/GOV/Non-Profit licenses, Proxmox must have proof of eligible status. Please attach information regarding your eligibility to an email and send it to [email protected]. Once the information is validated, we will reply as soon as possible.

Qualified organizations: Universities, Schools, Governmental Organizations, NGO, etc. Currently, the following licenses are available for a reduced price:

- Proxmox Mail Gateway Professional
- Proxmox Mail Gateway HA Cluster

3.5 Steps to get your Proxmox up and running

- Download ISO image and burn it on a CD
- Boot from CD and start the automatic installer on your dedicated hardware
- Request a license
- Configure the Proxmox Mail Gateway via web interface

If the installation succeeds you have to route all your incoming and outgoing e-mail traffic to the Mail Gateway. For incoming traffic you have to configure your firewall, for outgoing traffic your existing e-mail server configuration. There is one ISO image for download covering all versions; the features depend on the uploaded license file. Download from http://www.proxmox.com


4 Installing Proxmox Mail Gateway

4.1 Complete installation in 3 to 5 minutes

The installer boots from CD and detects your hardware without interaction. All Proxmox products are based on Linux packages and most i386 based PC and server hardware will work.

- Burn the downloaded ISO image to a CD
- Boot from this CD on your dedicated hardware
- Follow the instructions on the graphical screen

4.2 Software RAID

The installer supports hardware RAID and software RAID (mirroring). Please see chapter 13.5 Managing Software RAID for details.

Requirements: two hard drives

Note: If you have a hardware RAID controller, this option is NOT available.

4.2.1 Differences between RAID systems

RAID type: Hardware RAID
Description: Hardware XOR engine, integrated memory, high-performance bus, optional battery backup and audio alarm, Hot-swap drive support. Ease of management and monitoring. Write cache with batteries backup.
Examples: Intel SRCU41L (SCSI), Intel SRCS28X (SATA), LSI Logic MegaRAID (SCSI), HP Smart Array SCSI/SAS, Adaptec …

RAID type: Software RAID
Description: Mirroring is done from the operating system
Examples: Supported from the Proxmox operation system

RAID type: HostRAID (integrated in the main board)
Description: It is NOT hardware RAID, do not activate this in the bios – use Proxmox Software RAID instead
Examples: Intel ICH7, ICH8, ICH9, ICH10, HP embedded SATA, LSI Logic integrated SATA RAID, Nvidia RAID …


Figure 4-1 Selecting Software RAID during installation

4.3 Proxmox Mail Gateway Virtual Appliance editions

Proxmox always needs dedicated PC or server hardware. Alternatively, Proxmox can be run under VMware™, Proxmox VE, OpenVZ, KVM, XEN and others. Proxmox delivers prebuilt Virtual Appliances for:

- VMware™
- Proxmox VE
- OpenVZ

4.3.1 VMware

For all details see deployment guide.

4.3.2 Proxmox VE

See deployment guide.

4.3.3 OpenVZ

See deployment guide.


5 Getting started with Mail Gateway

5.1 Web interface

After successful installation point your web browser to the IP address. Please use Microsoft Internet Explorer 6.0 or higher or Firefox 2.0 or higher, with JavaScript enabled.

Web interface: https://youripaddress/
Default user: root
Default password: admin

Note: Please change the default password after successful log in!

Figure 5-1 Login page Proxmox Mail Gateway


5.2 Upload license file

There are several types of licenses:

- Free version, single domain (Free for private and commercial use)
- Trial version (30 day functional, including full installation support)
- Standard Edition (for one, three, five, and unlimited mail domains)
- Professional Edition (unlimited domains with host locked license model)
- Proxmox HA Cluster (unlimited domains with host locked license model)

Note: To determine which license meets your requirements, check chapter 3.4

5.2.1 High performance system

- Two Intel Xeon Quad core CPUs
- 4 GB RAM
- Bootable CD-ROM-drive (also external USB drive support)
- 1024x768 capable VGA/Monitor for Installer
- SAS/SCSI 15krpm Hard disks, Hardware Raid with write cache enabled with batteries backup module
- 100 MBps Network interface card

Compare the Proxmox Mail Gateway editions.

Please visit www.proxmox.com to get a license. Without a valid license, the Mail Gateway will not process any e-mail.

5.3 Configuration

Figure 5-2 Start page Proxmox Mail Gateway after log in


Note: By clicking these symbols on the configuration interface a dropdown menu is available

5.3.1 System

Network
- Review your IP configuration and complete all settings

Time
- Review or update your NTP server settings and time zone
- Check that your firewall allows access to the NTP server

Backup
- Backup your system configuration and rule database to a file (a few Kbytes) – statistical data will not be saved via web interface, only via scheduled backup!
- Configure Scheduled Backups to FTP or Windows Share.

Note: see chapter 13.6 Backup considerations

Restore
- Reset your rule settings to factory defaults.
- Restore your system settings and rules from a valid backup. Backup/Restore only works between the same versions (e.g. you cannot restore a backup from a 2.0 to a 2.1).

Reports
- Enable or disable daily reports to the given e-mail address
- Enable or disable Advanced Statistic Filter (default is disabled)

Note: Advanced Statistic Filter only works if you filter outgoing emails

If you enable “Advanced Statistics”, the Statistics/Domain-Address/Receivers page shows only receivers who sent emails within the last 3 months (so only “active” receivers are displayed). The Statistics/Domain-Address/Contacts page shows only recipients to whom internal users have sent one or more emails within the last 3 months. See: 3.1.1 Filtering Outgoing E-mails

Syslog Server
- Define a remote syslog server (sending Syslog entries to a centralized server)

Language (Currently we support: English, German, Spanish, Portuguese (Brazilian), Italian, French)
- Define the default language for the web interface and the daily reports

SSH Access
- SSH access is restricted for external networks by default to increase the security.


Note: for remote support, all SSH connections from proxmox.com and aurer-it.com are allowed.

DNS Cache
- For details see “Mail Gateway Deployment Guide”

5.3.2 Mail Proxy

Relaying
- IP address (or FQDN) and SMTP port of your existing e-mail server
- Relayed domains: list of relayed mail domains (displayed information from the uploaded license file). If you need more mail domains, upgrade your license.

Note: If you use a Professional License, you can edit this list

Ports
- Review external (default 25) and internal (default 26) SMTP port
- Check these settings with your firewall and existing e-mail server.

Options
- Set maximum message size for e-mails in bytes
- Reject Unknown Clients: Reject the SMTP request when
  1) the client IP address->name mapping fails,
  2) the name->address mapping fails, or
  3) the name->address mapping does not match the client IP address.
- Reject Unknown Senders: Reject the request when the MAIL FROM address has no DNS A or MX record.

Note: If you enable these features, a lot of misconfigured mail servers cannot send mails anymore to your system – please use with care.

SMTP HELO checks

The following checks are performed:

smtpd_helo_required
Require that a remote SMTP client introduces itself at the beginning of an SMTP session with the HELO or EHLO command.

reject_non_fqdn_hostname
Reject the request when the HELO or EHLO hostname is not in fully-qualified domain form, as required by the RFC.

reject_invalid_hostname


Reject the request when the HELO or EHLO hostname syntax is invalid. Use RBL checks Use real time black lists checks on SMTP level. Verify Receivers select Yes or No (450 for temporary rejects or 550 for final rejects)

Note: You have to reconfigure your internal mail server if you use YES. For details see the Proxmox Mail Gateway Deployment Guide in the latest release.

Enable or disable Greylisting, default enabled

Enable or disable SPF (Sender Policy Framework), default enabled

Delay Warning Time (4 hours default)

Client Connection Count Limit (5 is default): How many simultaneous connections any client is allowed to make to the SMTP service. To disable this feature, specify a limit of 0.

Client Connection Rate Limit: The maximal number of connection attempts any client is allowed to make to this service per minute. To disable this feature, specify a limit of 0.

Client Message Rate Limit: The maximal number of message delivery requests that any client is allowed to make to this service per minute. To disable this feature, specify a limit of 0.

SMTPD Banner: Type your custom SMTP banner.

Smarthost: Use this option if you want to send all outgoing mails via another proxy (smarthost). You can use IP addresses or DNS names with an optional port specification, for example:

192.168.2.1
192.168.2.1:25
outproxy.domain.tld:26

Transports: You can use Proxmox Mail Gateway to send e-mails to different internal e-mail servers. For example, you can send e-mails addressed to domain.com to your first e-mail server, and e-mails addressed to subdomain.domain.com to a second one.

Note: You need an appropriate license for each domain, otherwise it will not work!

Add the IP addresses, hostname and SMTP ports and mail domains (or just single email addresses) of your additional e-mail servers.


Networks: Add internal (trusted) IP networks or hosts. All hosts in this list are allowed to relay.

Note: Hosts in the same subnet as Proxmox can relay by default, so they do not need to be added to this list.

TLS

TLS support: Transport Layer Security (TLS) provides certificate-based authentication and encrypted sessions. An encrypted session protects the information that is transmitted with SMTP mail. When you activate TLS, Proxmox automatically generates a new self-signed certificate for you. Proxmox Mail Gateway uses opportunistic TLS encryption. The SMTP transaction is encrypted if the STARTTLS ESMTP feature is supported by the server. Otherwise, messages are sent in the clear.

Enable TLS logging: To get additional information about SMTP TLS activity you can enable TLS logging. Information about TLS sessions and the certificates used is then logged via syslog.

Add TLS received header: Set this option to include information about the protocol and cipher used, as well as the client and issuer CommonName, in the "Received:" message header.

Figure 5-3 Enable TLS (Transport Layer Security)

Whitelist (formerly Greylist excl.)

SMTP whitelist: All SMTP checks are disabled for those entries (e. g. Greylisting, SPF, RBL, …)

Note: If you use a backup-MX server (e.g. your ISP offers this service for you) you should always add those servers.

5.3.3 Spam Detector

Proxmox Mail Gateway uses a wide variety of local and network tests to identify spam signatures. This makes it harder for spammers to identify one aspect which they can craft their messages to work around.


Every single e-mail is analyzed and assigned a spam score. The system attempts to optimize the efficiency of the rules that are run in terms of minimizing the number of false positives and false negatives.

Note: For detailed spam configuration, see also chapter 5.4 Mail Filter.

Options

Use auto-whitelists

Use Bayesian filter

Use Advanced Tests: Additional spam detection tests, enable this by default.

Use Razor Network

Note: Please make sure that your Proxmox can access DCC and Razor, see chapter 13.9 Port Scans (nmap) for testing this.

Use RBL checks: Enabling this checks the following RBL lists to analyse e-mails against blacklists (rule system level, gives higher scores).

Note: For high traffic sites and if you need to provide quality of service, please use the local RBL cache, see Proxmox Mail Gateway Deployment Guide in the latest release.

Use OCR: Use image recognition to detect spam messages inside images. OCR is CPU intensive, please do not activate it if your server is already under heavy load. By default, all features are enabled except OCR.

Languages: By default, all languages are enabled. Selecting languages means you prefer those languages. E-mails in unwanted languages get a higher spam score.

Quarantine

Lifetime (days): Specify the lifetime of quarantined e-mails.

Authentication mode: Choose how users access their spam quarantine. Ticket is the default. If you select LDAP, make sure you have a license for LDAP and a configured LDAP profile (connection to MS Active Directory).

Report style:
Verbose
Verbose (Outlook 2007)
Short
Custom (see 13.3 Customized daily spam reports)
No reports


Allow access via http: Enables access to the spam quarantine via http. If you do not select this, access is only via https.

Note: If you use https, consider uploading a valid certificate, see chapter 13.8 SSL Certificate

Quarantine Host (optional): This name will be used for the links to the quarantine.

EMail 'From:' (optional): Default value: Proxmox Mail Gateway <[email protected]>. Please enter only values in the following format: Name <[email protected]>

Mail preview settings

View images: Enable images in the preview (disable to speed up the system).

Allow HREFs: Enables links in the mail preview (disable to get a more secure preview).

Backscatter

What are backscatter emails? When spammers or worms send emails with forged sender addresses, sites are flooded with undeliverable mail notifications. These emails are called backscatter emails.

Bounce message score (0 means disabled): Define the spam score for detected backscatters.

Whitelist bounce relays: Add your valid bounce relays.

Note: Please test your settings and review your quarantine to check false positives

Theme: Customize the end user quarantine interface and upload a custom logo. The theme is only visible under "Configuration/Spam Detector/Theme" and in the end users' spam quarantine web interface. It does not change the style of the admin interface.

Note: If you change anything, please reload the site in the browser to see the changes

5.3.4 Virus Detector

Proxmox uses the following antivirus engines:


ClamAV (default), no additional license required
Kaspersky AV, you have to purchase an additional license – see http://www.proxmox.com for details.

Kaspersky AV

End of Sale, existing customers will be supported until 11/2010. Review and select the database update server, then click save. After you have saved your settings, click “update now” and check the output log file.

Note: The first update can take a considerable time, depending on your network connections and the update servers.

Go to Administration/Server and start the “AVEServer” service. The database will now be regularly updated (several times a day); you don't have to configure the update schedule.

Avira SAV: Click “update now” and check the output log file.

Note: You need to purchase an Avira SAV for PMG license, contact your Proxmox Partner for details.

ClamAV: Review the database update server. Click “update now” and check the output log file. The database will be regularly updated (several times a day); you don't have to configure the update schedule.

Options

Review the settings for dealing with archives (e.g. zip files).

If you have no direct connection to the web for updates, you can configure your proxy server to get antivirus database updates.

Max credit card numbers (new data loss prevention, DLP): Detect credit card numbers (a reasonable setting is 3, 0 means disabled). If an email contains 3 credit card numbers it gets detected.

HTTP Proxy Settings: Configure an HTTP proxy for accessing the internet for signature updates.

Quarantine

Lifetime (days): Specify the lifetime of quarantined virus e-mails.

Mail preview settings:

View images: Enable images in the preview (if you uncheck this, images are not downloaded and displayed).

Allow HREFs: Enables links in the mail preview (disable to get a more secure preview).

5.3.5 User Management

Local: Local User Database. The default is the root (super user) account.


Enable SSH login (insert allowed SSH public keys)

Note: A Restore Job does not change (restore) the password!

The root user can add local users. The following roles can be assigned:

Administrator (full access to the web interface)
Quarantine Manager (access to Spam and Virus quarantine)
Audit (read only)

LDAP: LDAP Integration. See chapter 6 LDAP Integration (Professional Version or LDAP Option).

POP: POP3 support. Messages fetched from those POP3 accounts are injected into the filter system.

5.3.6 Cluster

Status: See the status of all nodes. For Cluster configuration details see chapter 10 Proxmox HA Cluster.

5.3.7 License

Check your license information or upload a new license file. Displayed information:

License Nr.
Company Name
Product
Expires

5.4 Mail Filter

The following default settings are available. You can add or edit custom settings by clicking on the “ ” symbols.

5.4.1 Rules

The object-oriented rule system enables custom rules for your domains. It's an easy but very flexible way to define filter rules by user, domains, time frame, content type and resulting action.

Who – object for TO and/or FROM Category
Example: Mail object – Who is the sender or receiver of the e-mail?

When – object
Example: When is the e-mail received by Proxmox Mail Gateway?

What – object
Example: Does the e-mail contain spam?

Action – object
Example: Mark e-mail with “SPAM:” in the subject.

Every rule has 5 categories (FROM, TO, WHEN, WHAT, ACTION), each of which can contain several objects. For example, a virus protection rule looks like this:

FROM: Anybody
TO: Anybody
WHEN: Always
WHAT: Virus
ACTION: Block

Active Rules: Currently active rules.

Inactive Rules: Not active. New rules are always inactive; you have to activate them manually by clicking the symbol “ ”.

Priority: Set the processing order between 1 and 100. The highest priority is 100.

Direction: Set the processing direction.
In: Rule applies for all incoming e-mails
Out: Rule applies for all outgoing e-mails
In & Out: Rule applies for both directions
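A model of the evaluation order described above, as an added example (not Proxmox code): active rules are taken in descending priority, and the actions that 5.4.2 marks as final (Accept, Block, Quarantine) stop processing. The `Rule` class, the sample rules and message, and the tie order between rules of equal priority are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List

# Actions the guide marks "Final action, no following rule will trigger" (5.4.2).
FINAL_ACTIONS = {"accept", "block", "quarantine"}


def match_all(mail):
    """Default object: FROM/TO Anybody, WHEN Always, WHAT anything."""
    return True


@dataclass
class Rule:
    name: str
    priority: int                 # 1..100; 100 is processed first
    direction: str                # "in", "out" or "in&out"
    actions: List[str]
    who_from: Callable = match_all
    who_to: Callable = match_all
    when: Callable = match_all
    what: Callable = match_all
    active: bool = False          # new rules are always inactive


def evaluate(rules, mail):
    """Return the (rule name, action) pairs applied to one message."""
    applied = []
    ordered = sorted((r for r in rules if r.active),
                     key=lambda r: r.priority, reverse=True)
    for rule in ordered:
        if rule.direction not in ("in&out", mail["direction"]):
            continue
        tests = (rule.who_from, rule.who_to, rule.when, rule.what)
        if not all(test(mail) for test in tests):
            continue
        applied.extend((rule.name, action) for action in rule.actions)
        if FINAL_ACTIONS.intersection(rule.actions):
            break  # final action: no following rule will trigger
    return applied


def from_partner(mail):
    return mail["sender"].endswith("@partner.example")


def has_virus(mail):
    return mail["virus"]


def rule_set(virus_priority):
    """Constructed rule set; only the priority of the virus rule varies."""
    return [
        Rule("Whitelist", 90, "in", ["accept"],
             who_from=from_partner, active=True),
        Rule("Block viruses", virus_priority, "in&out",
             ["notify admin", "block"], what=has_virus, active=True),
        Rule("Draft rule", 100, "in", ["block"]),  # never activated, ignored
    ]


# Constructed message: infected mail from a whitelisted sender.
INFECTED_FROM_WHITELISTED = {
    "direction": "in",
    "sender": "billing@partner.example",
    "virus": True,
}

if __name__ == "__main__":
    print(evaluate(rule_set(80), INFECTED_FROM_WHITELISTED))
    print(evaluate(rule_set(96), INFECTED_FROM_WHITELISTED))
```

In this model the infected message is accepted when the whitelist rule outranks the virus rule and blocked when the priorities are reversed, so rules that block malware belong above any rule ending in Accept.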

5.4.2 Actions

Accept

Accept mail for Delivery (Final action, no following rule will trigger)

Block

Block mail (Final action, no following rule will trigger)

Quarantine

Move to quarantine (virus mails are moved to the “virus quarantine”, other mails are moved to the “spam quarantine”). (Final action, no following rule will trigger)

Notify Admin

Send notification to admin. Sample content:

Proxmox Notification:
Sender: __SENDER__
Receiver: __RECEIVERS__
Targets: __TARGETS__
Subject: __SUBJECT__
Matching Rule: __RULE__
__RULE_INFO__
__VIRUS_INFO__
__SPAM_INFO__

Notify Sender

Send notification to sender.


Sample content:

Proxmox Notification:
Sender: __SENDER__
Receiver: __RECEIVERS__
Targets: __TARGETS__
Subject: __SUBJECT__
Matching Rule: __RULE__
__RULE_INFO__
__VIRUS_INFO__
__SPAM_INFO__

Modify Spam Level

Mark mail as spam by adding a header tag. Sample content:

Fieldname: X-SPAM-LEVEL
Value: __SPAMLEVEL__, hits=__SPAM_HITS__

New in 2.0: use this instead of (__SPAMLEVEL__, hits=__SPAM_HITS__):

Value: __SPAM_INFO__
This shows detailed scores.

Modify Spam Subject

Mark mail as spam by modifying the subject. Sample content:

Fieldname: subject
Value: SPAM: __SUBJECT__

Remove all attachments

Remove all attachments. You can edit the text replacement.

Remove attachments

Remove matching attachments. You can edit the text replacement.

Disclaimer

Add Disclaimer

5.4.3 Who

Blacklist

Global Blacklist

Whitelist

Global Whitelist

User defined: Define custom WHO objects. Possible values:

Add Domain
Add Mail address
Add Regular Expression
Add IP Address
Add IP Network


Add LDAP Group: See chapter 6 LDAP Integration (Professional Version or LDAP Option)

Add LDAP User: See chapter 6 LDAP Integration (Professional Version or LDAP Option)

5.4.4 What

Dangerous Content

Executable files and partial messages. The default list contains the most commonly known dangerous attachments.

Images

All kinds of graphic files

Multimedia

Audio and video files

Office Files

Common Office files

Spam

Matches possible spam mail.

Spam Filter Settings: Spam Level: 5 (default)

Note: Start with the default level.

Virus

Matches virus infected mail

Custom

You can define custom What objects by adding the following items:

Add Spam Filter: Specify a specific spam level
Add Virus Filter: Detect viruses
Add ContentType Filter: Match attachments (e.g. images, videos, …)
Add Archive Filter: Match content types (attachments) in archive files (e.g. detect exe files in zip archives)
Add Match Field: Match for mail header fields (e.g. Subject:, From:, …)
Add Match Filename: Match filenames, e.g. *.exe, *.bat, …

5.4.5 When

Office Hours: Usual office hours

Note: valid all days (7 days a week)


5.5 Administration

5.5.1 Server

Services: Displays running services. If necessary you can reboot and shut down the Proxmox server.

Updates: Upload Proxmox service packs, if available. Check http://www.proxmox.com for available updates and make sure you follow the update instructions in the release notes of each service pack or hotfix.

5.5.2 Statistic

These pages display statistical data concerning e-mail traffic on the Proxmox Mail Gateway.

5.5.3 Quarantine

Manage Spam and Virus quarantine.

Note: By default, quarantine is not activated. To activate the end user quarantine you have to:

1. Review the global settings for:
- Configuration/Spam detector/Quarantine
- Configuration/Virus detector/Quarantine
- Review hard drive space
2. Activate or change the Spam and/or Virus rule with the action object “Quarantine”
3. Tip: Quarantine can also be enabled on the free version (just add the action object “quarantine” to the existing spam rule)

Spam

Status: Displays statistical data about your quarantine
Archive: By specifying an e-mail address, you can access the quarantine section for this user
Blacklist: View and edit personal blacklist
Whitelist: View and edit personal whitelist

Virus

Status: Displays statistical data about your quarantine
Archive: By specifying an e-mail address, you can access the quarantine section for this user

Figure 5-4 Preview of a quarantined Spam e-mail


Figure 5-5 Preview of a quarantined Spam e-mail with spam info


Figure 5-6 Preview of a quarantined Phishing e-mail


5.5.4 Tracking Center

5.5.4.1 Message Tracking Center

Introduced in Proxmox Mail Gateway 2.1, the message tracking center simplifies the search for emails dramatically. All log files from the last 7 days can be queried and the results are summarized by an intelligent algorithm. The message tracking center is very fast and powerful, tested on Proxmox sites processing 1 million emails per day. All corresponding log files are displayed:

Arrival of the email
Proxmox filtering processing with results
Internal queue to your email server
Status of final delivery

Status description:

| Status | Description |
|---|---|
| Accepted/delivered | Email arrived, filtered, and successfully delivered to email server |
| Accepted/deferred | Email arrived, filtered, but not delivered (still trying to deliver) |
| Accepted/bounced | Email arrived, filtered, but not accepted by your email server (e.g. user unknown) |
| Quarantine | Email arrived, filtered, and moved to Proxmox Quarantine |
| Blocked | Email arrived, but blocked by a filter rule |
| Rejected | Email rejected on SMTP level (e.g. sender IP is listed on a Spamhaus blacklist) |
| Greylisted | Email greylisted on SMTP level |
| Queued/delivered | Internal emails from Proxmox, successfully delivered to email server (e.g. daily spam report, notifications, admin report, BCC emails, …) |
| Queued/deferred | Internal emails from Proxmox, not yet delivered |
| Queued/bounced | Internal emails from Proxmox, but not accepted by the email server (e.g. user unknown) |


Figure 5-7 Message Tracking Center

Figure 5-8 Message Tracking Center: RBL rejects (Spamhaus.org)


5.5.4.2 Real-time

The real-time syslog shows the last 100 lines. The output can be filtered by selecting the log files from a service or by entering an individual search string.

Figure 5-9 Real time log

5.5.4.3 Greylist log

Displays the greylist log. For message tracking issues use the search function in the message tracking center.

5.5.5 Queues

Mail: Display the mail queue. You can flush or delete the queue. By clicking on a recipient domain you will see details about the queue status.


Figure 5-10 Display Mail Queue


6 LDAP Integration (Professional Version or LDAP Option)

The Mail Gateway can query existing LDAP directories for users, groups and e-mail addresses. Proxmox uses a unique approach to cache LDAP data. That way, LDAP data is always available, even when the LDAP servers are temporarily unavailable. LDAP hierarchies can be complex, and it is quite usual to have more than one server. Proxmox supports such infrastructure by having multiple LDAP profiles. Each profile has its own settings, and you can query either a selected profile, or simply search all profiles.

LDAP queries are using the local cache, so they are extremely fast, even when you query multiple servers. You first need to create one or more LDAP profiles in order to use LDAP queries inside the rule system. Proxmox supports Microsoft Windows 2000 and Windows 2003 Active Directory, with Exchange 2000 and 2003.

6.1 Creating a new LDAP Profile

LDAP profiles are created on the Configuration/System/LDAP page. Please select 'Create new LDAP profile' on the menu:

Figure 6-1 LDAP Server settings: Create new LDAP Profile 1

First, you need to choose a profile name. Profile names may contain alphanumeric characters, underscores and white spaces. Other characters are not allowed. A reasonable naming scheme is to use the domain name separated by underscores (example.com becomes example_com).

Now add the IP address of your LDAP server. You can also add a second IP address if you have a backup/fallback server. That second server is used when the first server is not reachable. We currently use the unencrypted LDAP protocol as default, but LDAPS is recommended for security reasons. So please use LDAPS (secure LDAP) if available. The last required setting is a username and password used to connect to the LDAP server. We recommend using an unprivileged user who does not have any rights other than querying the LDAP database. Active Directory uses names like “domain\user” or email style usernames like [email protected]. Although not strictly required, we recommend specifying the LDAP BaseDN.


Press “save” when you are finished.

Figure 6-2 LDAP Server settings: Create new LDAP Profile 2

Proxmox now tries to connect to the server. On success it will display the number of users, groups and email addresses found.

Figure 6-3 LDAP Server settings: Three profiles configured

6.2 LDAP queries

The object-oriented rule system enables LDAP based “Who – objects”. There are two different kinds of LDAP objects:

• LDAP user: Can be used to test if an email address belongs to a specific LDAP user (one LDAP user can have more than one email address).

• LDAP group: Used to test if an email address belongs to a user in the specified group.

Both objects refer to LDAP profiles. That way you can query individual servers.

The LDAP group object has 2 additional selections – “Existing Users” and “Unknown Users”. Those objects can be used to test if a user (e-mail address) exists or not.

6.3 Sample LDAP rules

Note: Please refer to the Proxmox Mail Gateway Deployment Guide for sample rules.

7 Example Mail server configuration (Outgoing Mails)

The default configuration of the Proxmox Mail Gateway uses port 25 for incoming and port 26 for outgoing e-mails.

Outgoing Mails: Configure your mail server to send all e-mails to the Proxmox Mail Gateway, port 26.

Incoming Mails: See 3.2 Firewall settings.

Please see the Proxmox Mail Gateway Deployment Guide for all scenarios.

7.1 Configuration for Microsoft Exchange

The default configuration of the Proxmox Mail Gateway uses port 25 for incoming and port 26 for outgoing e-mails. With Exchange SMTP connectors you can't use port 26 for outgoing mail (as this conflicts with the Exchange internal replication mechanism), so you have to switch these two values (25 and 26). In the end you have to use port 25 for outgoing and port 26 for incoming mails.

Figure 7-1 Exchange: Port settings for use with Exchange

IMPORTANT NOTE: To receive e-mails from the Internet you have to set up port forwarding at your firewall, so that your external IP and port 25 point to the Proxmox Mail Gateway IP and port 26.


Figure 7-2 Exchange: SMTP Connector (Define smart host: Proxmox Mail Gateway)


Figure 7-3 Exchange: SMTP connector – Address space

7.2 Configuration for Postfix

Just add a 'default_transport' entry to your Postfix main configuration file (usually /etc/postfix/main.cf). For example, if your mail gateway uses address 1.2.3.4, add the line:

default_transport = smtp:1.2.3.4:26


8 Example rules

Proxmox uses a powerful rule system to handle e-mail traffic. The default setting is ready for use in the first run.

Note: Please refer to the Proxmox Mail Gateway Deployment Guide for sample rules.

9 Redundant Servers and Load Balancing

The normal mail delivery process looks up DNS Mail Exchange (MX) records to determine the destination host. An MX record tells the sending system where to deliver mail for a certain domain. It is also possible to have several MX records for a single domain, and they can have different priorities. For example, our MX record looks like this:

> dig -t mx proxmox.com

;; ANSWER SECTION:

proxmox.com. 22879 IN MX 10 mail.proxmox.com.

;; ADDITIONAL SECTION:

mail.proxmox.com. 22879 IN A 213.129.239.114

Please notice that there is one single MX record for the domain proxmox.com, pointing to mail.proxmox.com. The 'dig' command automatically puts out the corresponding address record if it exists. In our case it points to “213.129.239.114”. The priority of our MX record is set to 10 (preferred default value).

9.1 Hot Standby with Backup MX Records

Many people do not want to install two redundant mail proxies; instead they use the mail proxy of their ISP as fallback. This is simply done by adding an additional MX record with a lower priority (higher number). With the example above this looks like this:

proxmox.com. 22879 IN MX 100 mail.provider.tld.

Sure, your provider must accept mails for your domain and forward received mails to you. You will never lose mails with such a setup, because the sending Mail Transport Agent (MTA) will simply deliver the mail to the backup server (mail.provider.tld) if the primary server (mail.proxmox.com) is not available.

9.2 Load Balancing with MX Records

Using your ISP's mail server is not always a good idea, because many ISPs do not use advanced spam prevention techniques like greylisting. It is often better to run a second server yourself to avoid lower spam detection rates. Anyway, it's quite simple to set up a high performance load-balanced mail cluster using MX records. You just need to define two MX records with the same priority. I will explain this using a complete example to make it clearer. First, you need to have at least 2 working Proxmox mail gateways (mail1.example.com and mail2.example.com) set up as a cluster (see chapter 10 Proxmox HA Cluster), each having its own IP address. Let us assume the following addresses (DNS address records):


mail1.example.com. 22879 IN A 1.2.3.4

mail2.example.com. 22879 IN A 1.2.3.5

Btw, it is always a good idea to add reverse lookup entries (PTR records) for those hosts. Many email systems nowadays reject mails from hosts without valid PTR records.

Then you need to define your MX records:

example.com. 22879 IN MX 10 mail1.example.com.

example.com. 22879 IN MX 10 mail2.example.com.

This is all you need. You will receive mails on both hosts, more or less load-balanced using round-robin scheduling. If one host fails the other is used.
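How a sending mail server typically walks the MX records from sections 9.1 and 9.2, as an added example that is not part of the guide: hosts are tried in ascending preference number, and hosts sharing a preference are tried in random order. The function names and the seeded simulation are constructed for illustration; the records are the ones shown in the text.

```python
import random
from collections import Counter

# Records from sections 9.1 and 9.2 of the guide, as (preference, host) pairs.
BACKUP_MX = [(10, "mail.proxmox.com"), (100, "mail.provider.tld")]
BALANCED_MX = [(10, "mail1.example.com"), (10, "mail2.example.com")]


def delivery_order(mx_records, rng):
    """Order in which a sender tries the hosts: lowest preference number
    first, random order among hosts with the same preference."""
    groups = {}
    for preference, host in mx_records:
        groups.setdefault(preference, []).append(host)
    order = []
    for preference in sorted(groups):
        hosts = list(groups[preference])
        rng.shuffle(hosts)
        order.extend(hosts)
    return order


def deliver(mx_records, reachable, rng):
    """Return the host that receives the message, or None when every host
    is down (the sender then queues the message and retries later)."""
    for host in delivery_order(mx_records, rng):
        if host in reachable:
            return host
    return None


def simulate(mx_records, reachable, messages=10000, seed=1):
    """Deliver a number of messages and count which host received them."""
    rng = random.Random(seed)  # seeded so the run is repeatable
    return Counter(deliver(mx_records, reachable, rng) for _ in range(messages))


if __name__ == "__main__":
    both = {"mail1.example.com", "mail2.example.com"}
    print("balanced, both up:   ", dict(simulate(BALANCED_MX, both)))
    print("balanced, mail1 down:", dict(simulate(BALANCED_MX, {"mail2.example.com"})))
    print("backup MX, primary down:",
          dict(simulate(BACKUP_MX, {"mail.provider.tld"})))
```

The ordering is applied by the sender, so every host listed in an MX record has to be prepared to receive mail at any time, including the ISP's backup server from 9.1 while the primary is up.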

9.3 Other ways

9.3.1 Multiple Address Records

Using several DNS MX records is sometimes clumsy if you have many domains. It is also possible to use one MX record per domain, but multiple address records:

example.com. 22879 IN MX 10 mail.example.com.

mail.example.com. 22879 IN A 1.2.3.4

mail.example.com. 22879 IN A 1.2.3.5

9.3.2 Using Firewall features

Many firewalls can do some kind of RR-Scheduling (round-robin) when using DNAT. See your firewall manual for more details.


10 Proxmox HA Cluster

We are living in a world where email becomes more and more important - failures in email systems are just not acceptable. To meet these requirements we developed the Proxmox HA (High Availability) Cluster. The Proxmox HA Cluster consists of a master and several nodes (minimum one node). Configuration is done on the master. Configuration and data are synchronized to all cluster nodes over a VPN tunnel. This provides the following advantages:

- centralized configuration management
- fully redundant data storage
- high availability
- high performance

We use a unique application level clustering scheme, which provides extremely good performance. Special considerations were taken to make management as easy as possible. Complete cluster setup is done within minutes, and nodes automatically reintegrate after temporary failures without any operator interaction.

Figure 10-1 Proxmox HA Cluster

10.1 Hardware requirements

There are no special hardware requirements, although it is highly recommended to use fast and reliable servers with redundant disks on all cluster nodes (Hardware RAID). The HA Cluster can also run in virtualized environments.


10.2 Required Licenses

Each host in a Cluster needs its own Cluster License file. Please upload the license file before adding a node to the cluster.

10.3 Load Balancing

You can use one of the mechanisms described in chapter 9 if you want to distribute mail traffic among the cluster nodes. Please note that this is not always required, because it is also reasonable to use only one node to handle SMTP traffic. The second node is then used as quarantine host (providing the web interface to the user quarantine).

10.4 Cluster Administration

Cluster administration is done with a single command line utility called proxca. So you need to log in via ssh to manage the cluster setup.

Note: Always set up the IP configuration before adding a node to the cluster. IP address, network mask, gateway address and hostname can't be changed later.

10.4.1 Creating a Cluster

You can create a cluster from any existing Proxmox host. All data is preserved.

- upload a cluster licence
- make sure you have the right IP configuration (IP/MASK/GATEWAY/HOSTNAME), because you cannot change that later
- run: proxca -c

10.4.2 List Cluster Status

Run: proxca -l

10.4.3 Adding Cluster Nodes

When you add a new node to a cluster (join) all data on that node is destroyed. The whole database is initialized with cluster data from the master.

- upload a cluster license to the node
- make sure you have the right IP configuration
- run (on new node): proxca -a -h $MASTERIP

You need to enter the root password of the master host when asked for a password.

Attention: Node initialization deletes all existing databases, stops and then restarts all services accessing the database. So do not add nodes which are already active and receive mails.

Also, joining a cluster can take several minutes, because the new node needs to synchronize all data from the master (although this is done in the background).

Note: If you join a new node, existing quarantined items from the other nodes are not synchronized to the new node.


10.4.4 Deleting Nodes

Run (on master): proxca -d CID

CID (Cluster ID) is the unique ID displayed by proxca -l

10.5 Disaster recovery

It is highly recommended to use redundant disks on all cluster nodes (RAID). So in almost all circumstances you just need to replace the damaged hardware or disk. Proxmox Mail Gateway uses an asynchronous clustering algorithm, so you just need to reboot the repaired node, and everything will work again transparently. The following scenarios only apply when you really lose the contents of the hard disk.

10.5.1 Single Node Failure

- delete failed node on master: proxca -d CID
- add (re-join) a new node: proxca -a -h $MASTERIP

10.5.2 Master Failure

- force another node to be master: proxca -m
- tell other nodes that master has changed: proxca -s -h $MASTERIP

10.5.3 Total Cluster failure

- restore backup (Cluster and node information is not restored, you have to recreate master and nodes)
- tell it to become master: proxca -c
- add new nodes: proxca -a -h $MASTERIP


11 Troubleshooting and technical support

Use the moderated Proxmox support forum or contact a Proxmox partner for their support offerings.

All information: http://www.proxmox.com
Email support: [email protected]

11.1 Console login

Advanced users can use the console or SSH login. For normal operation, this is never necessary.

Default user: root
Default password: admin (the same as for the web interface!)

Note: It is not recommended to change settings via the console.


12 Table of figures

Figure 1-1 Processing of incoming e-mail traffic
Figure 3-1 Infrastructure without Proxmox Mail Gateway
Figure 3-2 Infrastructure with integrated Proxmox Mail Gateway
Figure 4-1 Selecting Software RAID during installation
Figure 5-1 Login page Proxmox Mail Gateway
Figure 5-2 Start page Proxmox Mail Gateway after log in
Figure 5-3 Enable TLS (Transport Layer Security)
Figure 5-4 Preview of a quarantined Spam e-mail
Figure 5-5 Preview of a quarantined Spam e-mail with spam info
Figure 5-6 Preview of a quarantined Phishing e-mail
Figure 5-7 Message Tracking Center
Figure 5-8 Message Tracking Center: RBL rejects (Spamhaus.org)
Figure 5-9 Real time log
Figure 5-10 Display Mail Queue
Figure 6-1 LDAP Server settings: Create new LDAP Profile 1
Figure 6-2 LDAP Server settings: Create new LDAP Profile 2
Figure 6-3 LDAP Server settings: Three profiles configured
Figure 7-1 Exchange: Port settings for use with Exchange
Figure 7-2 Exchange: SMTP Connector (Define smart host: Proxmox Mail Gateway)
Figure 7-3 Exchange: SMTP connector – Address space
Figure 10-1 Proxmox HA Cluster
Figure 13-1 Configure scheduled backup – Windows share


13 Appendix

13.1 Available macros for rule system

It is possible to use macros inside most fields of action objects. That way it is possible to access and include data contained in the original mail, get envelope sender and receiver addresses or include additional information about viruses and spam. Currently the following macros are defined:

Macro            Comment
__SENDER__       (envelope) sender mail address
__RECEIVERS__    (envelope) receiver mail address list
__ADMIN__        Email address of the administrator
__TARGETS__      Subset of receivers matched by the rule
__SUBJECT__      Subject of the message
__MSGID__        The message ID
__RULE__         Name of the matching rule
__RULE_INFO__    Additional information about the matching rule
__VIRUS_INFO__   Additional information about detected viruses
__SPAMLEVEL__    Computed spam level
__SPAM_INFO__    Additional information why message is spam
__SENDER_IP__    IP address of sending host
__VERSION__      The current software version (proxmox mail gateway)
__FILENAME__     Attachment file name
__SPAMSTARS__    A series of "*" characters where each one represents a full score (__SPAMLEVEL__) point

A simple example is the “Modify Spam Subject” action which adds “SPAM:” to the original message subject. To achieve this just use “SPAM: __SUBJECT__” as value for that action object.

13.2 Individual SpamAssassin configuration

This is only for advanced users. To add to or change the configuration of the Proxmox SpamAssassin, please log in to the console via SSH. Go to /etc/mail/spamassassin/. In this directory there are two files (init.pre, local.cf); do not change these. To add your special configuration, you have to create a new file and name it custom.cf (in this directory). Now you can add your configuration to custom.cf; be sure to use the SpamAssassin syntax. For more information see http://spamassassin.apache.org/

The custom.cf file is also synchronized in a HA Cluster environment.

13.3 Customized daily spam reports

It is possible to customize the daily spam reports. The report generator uses a simple HTML template file which may contain macros. To activate customized reports you need to generate such a template file and copy it to ‘/etc/proxmox/spamreport.tmpl’. Two examples can be found in ‘/var/lib/proxmox/templates/spamreport-verbose.tmpl’ or ‘/var/lib/proxmox/templates/spamreport-short.tmpl’; those templates are actually used to generate the default spam reports. You also need to select the ‘Custom’ report style on the web interface to use the custom template (Configuration/Spam/Quarantine/ReportStyle). The following macros are currently defined:

Macro             Global   Comment
__SENDER__        No       (envelope) sender mail address
__RECEIVER__      No       (envelope) receiver mail address
__SUBJECT__       No       subject of the message
__FROM__          No       from field
__DATE__          Yes      message arrival date or report date
__TIME__          No       message arrival time
__TICKET__        Yes      authorization ticket
__BYTES__         No       message size
__SPAMLEVEL__     No       spam level of message
__SPAMINFO__      No       additional information about why it is spam
__PMAIL__         Yes      primary mail address of receiver
__HREF__          No       href to view message
__WLHREF__        No       href to whitelist sender
__BLHREF__        No       href to blacklist sender
__DELETEHREF__    No       href to delete message
__DELIVERHREF__   No       href to deliver message
__PROTOCOL__      Yes      selected protocol (http or https)
__FQDN__          Yes      fully qualified domain name of quarantine host
__HOSTNAME__      Yes      quarantine host 'hostname'
__DOMAIN__        Yes      quarantine host 'domain'
__ACTIONHREF__    Yes      href to perform various actions
__MAILCOUNT__     Yes      number of mails
__MSG_XXXX__      Yes      Standard messages used by standard reports (translated to various languages)

A detailed report usually displays information about each mail. Inside the template everything between <!--start entry--> and <!--end entry--> is repeated for every mail. Most macros are only defined inside those marks. Only the global macros are available outside those marks.

Note: A template has to be correct HTML. You can use any HTML editor for easy and fast editing.
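A check for a custom template before it is copied into place, as an added example that is not part of the original guide: it reports per-mail macros used outside the entry marks and macros that belong to the rule system of section 13.1 (for example __SPAM_INFO__ instead of __SPAMINFO__). The helper name lint_template and the sample template are constructed.

```shell
#!/bin/sh
# Added example (not from the guide): lint a custom spam report template
# against the macro table of section 13.3.

# Constructed sample template with three mistakes (lines 3, 6 and 10).
SAMPLE='<html><body>
<h1>__MAILCOUNT__ quarantined mails for __PMAIL__ on __DATE__</h1>
<p>Last sender: __SENDER__</p>
<table>
<!--start entry-->
<tr><td>__FROM__</td><td>__SUBJECT__</td><td>__SPAM_INFO__</td>
<td><a href="__DELIVERHREF__">deliver</a></td></tr>
<!--end entry-->
</table>
<p>__RECEIVERS__</p>
</body></html>'

# lint_template < template   (hypothetical helper name)
# Prints one finding per line as "<line>: <macro> <problem>".
lint_template() {
    awk '
        BEGIN {
            # "Global = Yes" macros: valid anywhere in the template.
            n = split("DATE TICKET PMAIL PROTOCOL FQDN HOSTNAME DOMAIN ACTIONHREF MAILCOUNT", t, " ")
            for (i = 1; i <= n; i++) global[t[i]] = 1
            # "Global = No" macros: valid only between the entry marks.
            n = split("SENDER RECEIVER SUBJECT FROM TIME BYTES SPAMLEVEL SPAMINFO HREF WLHREF BLHREF DELETEHREF DELIVERHREF", t, " ")
            for (i = 1; i <= n; i++) entry[t[i]] = 1
        }
        {
            rest = $0
            # Walk the line left to right so that marks and macros sharing
            # a line are seen in document order.
            while (match(rest, /<!--start entry-->|<!--end entry-->|__[A-Z]+(_[A-Z]+)*__/)) {
                tok = substr(rest, RSTART, RLENGTH)
                rest = substr(rest, RSTART + RLENGTH)
                if (tok == "<!--start entry-->") { inside = 1; continue }
                if (tok == "<!--end entry-->")   { inside = 0; continue }
                name = substr(tok, 3, length(tok) - 4)
                if (name in global || name ~ /^MSG_/) continue
                if (!(name in entry))
                    print NR ": " tok " is not a spam report macro"
                else if (!inside)
                    print NR ": " tok " is only defined inside the entry block"
            }
        }'
}

printf '%s\n' "$SAMPLE" | lint_template
```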

13.4 Using Regular Expressions

A regular expression is a string of characters which describes the string you are looking for. The following is a short introduction to the syntax of regular expressions as used when editing Who Objects. If you are familiar with Perl, you already know the syntax.

13.4.1 Simple Regular Expressions

In its simplest form, a regular expression is just a word or phrase to search for. Mail would match the string “Mail”. The search is case sensitive, so “MAIL” and “mail” would not be matched.

13.4.2 Metacharacters

Some characters have a special meaning. These characters are called metacharacters. The period (.) is a commonly used metacharacter. It matches exactly one character, regardless of what the character is. e.mail would match either “e-mail” or “e2mail” but not “e-some-mail”.

The question mark (?) indicates that the character immediately preceding it occurs either zero times or one time. e?mail would match either “email” or “mail” but not “e-mail”.


Another metacharacter is the star (*). This indicates that the character immediately to its left may be repeated any number of times, including zero. e*mail would match either “email” or “mail” or “eeemail”.

The plus (+) metacharacter does the same as the star (*) excluding zero. So e+mail does not match “mail”.

Metacharacters may be combined. A common combination includes the period and star metacharacters, with the star immediately following the period. This is used to match an arbitrary string of any length, including the null string. For example: .*company.* matches “[email protected]” or “[email protected]” or [email protected].

For more information take a look at the references.
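The examples in 13.4.1 and 13.4.2 only hold if a pattern has to cover the whole string (otherwise e.mail would find "e-mail" inside "e-some-mail"). The added example below, which is not part of the original guide, checks them under both readings and shows why a literal period in a domain pattern needs a backslash. Whole-string matching for Who Objects is an assumption drawn from those examples; grep -E stands in for the Perl syntax, and the function names and addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the guide). grep -E is a stand-in for Perl syntax;
# for the four metacharacters covered here both behave the same.

# whole_match PATTERN STRING: the pattern must cover the entire string
# (assumption: this is how Who Object patterns are applied).
whole_match() {
    if printf '%s\n' "$2" | grep -Exq -- "$1"; then echo match; else echo no-match; fi
}

# part_match PATTERN STRING: the pattern may match anywhere in the string.
part_match() {
    if printf '%s\n' "$2" | grep -Eq -- "$1"; then echo match; else echo no-match; fi
}

# The examples from the text: pattern, input, result the guide states.
GUIDE_CASES='Mail Mail match
Mail MAIL no-match
Mail mail no-match
e.mail e-mail match
e.mail e2mail match
e.mail e-some-mail no-match
e?mail email match
e?mail mail match
e?mail e-mail no-match
e*mail email match
e*mail mail match
e*mail eeemail match
e+mail mail no-match'

# disagreements MATCHER: number of rows where MATCHER contradicts the guide.
disagreements() {
    bad=0
    while read -r pat str want; do
        [ "$("$1" "$pat" "$str")" = "$want" ] || bad=$((bad + 1))
    done <<EOF
$GUIDE_CASES
EOF
    echo "$bad"
}

echo "whole-string matching: $(disagreements whole_match) disagreements"
echo "substring matching:    $(disagreements part_match) disagreements"

# An unescaped period is a wildcard, so a pattern written for one domain
# also accepts look-alike strings. The addresses are constructed.
whole_match '.*@example.com'  'user@example-com'    # match (unintended)
whole_match '.*@example\.com' 'user@example-com'    # no-match
whole_match '.*@example\.com' 'user@example.com'    # match
```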

13.4.3 References

Jeffrey E. F. Friedl: Mastering Regular Expressions. Powerful Techniques for Perl and Other Tools. First Edition, January 1997. ISBN 1-56592-257-3

13.5 Managing Software RAID

Software RAID is managed on the console with the unix command mdadm. Please see the manual pages for more information (man mdadm). To view the RAID status use:

mdadm --detail /dev/md0

And

cat /proc/mdstat

To add a new disk after a crash (assuming /dev/sdb2 is the newly created partition on a new disk; please use fdisk to partition hard disks):

mdadm --manage /dev/md0 --add /dev/sdb2

After success, please type “lilo” to rewrite the boot information to both harddisks.

lilo

To initialize the swap partitions, type:

mkswap /dev/sda1 (assuming that sda1 is a swap)

mkswap /dev/sdb1 (assuming that sdb1 is a swap)

swapon -a

Finally reboot the machine and check all services.

13.5.1 Repair boot-loader (grub) on Software Raid

Beginning with Proxmox Mail Gateway 2.3, “grub” is used as boot loader instead of “lilo”. If the Mail Gateway is installed on Software Raid, the boot loader is only installed on the first drive. Therefore, if the first drive is in trouble or removed, the system does not boot anymore as no boot loader is on the remaining disk.


To reinstall grub, boot the system from the Proxmox Mail Gateway ISO CD and type “raidboot” on the boot prompt. The system boots now from the remaining hard disk and you can run “grub-install hd0” to fix the bootloader.


13.6 Backup considerations

13.6.1 Scheduled Backup

Scheduled backups can be configured to store the backup data on an FTP host or Windows share. Old backup files can be deleted automatically. The following data will be stored via scheduled backups:

- System configuration
- Rule configuration
- Statistic database
- License

Log files and quarantined emails are never in the backup. A backup can only be restored to an identical version of Proxmox.

Figure 13-1 Configure scheduled backup – Windows share

13.6.2 Backup via console

You can use the command line utility proxbackup to backup the whole database including statistical data:

proxbackup -s full-backup.tgz

Please see the manual page for more information (man proxbackup).


13.6.3 Restore via console

In order to restore system configuration, rules database and statistical data you need to restore on the console.

proxbackup -c -d -s -r full-backup.tgz

After restore you need to reboot to activate changes.

13.6.4 Bacula client (http://www.bacula.org)

Bacula is an open source network based backup solution. You can use the Bacula client to backup the whole system.

Note: You need an extra Bacula server which is not included

For details please see the documentation section of http://www.bacula.org.

13.7 Avira SAV Antivirus Integration

Proxmox supports Avira SAV engine as an additional virus scanner. Please check http://www.proxmox.com for details and pricing.

13.8 SSL Certificate

Access to the administration web interface is always done via https. The default certificate is never valid for your browser and you always get warnings. You can safely ignore these warnings. If you want to get rid of these warnings, you have to generate a valid certificate for your server. Log in to your Proxmox via ssh or use the console:

openssl req -newkey rsa:1024 -nodes -keyout key.pem -out req.pem

Follow the instructions on the screen, see this example:

Country Name (2 letter code) [AU]: AT
State or Province Name (full name) [Some-State]:Vienna
Locality Name (eg, city) []:Vienna
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Proxmox GmbH
Organizational Unit Name (eg, section) []:Proxmox Mail Gateway
Common Name (eg, YOUR name) []: yourproxmox.yourdomain.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: not necessary
An optional company name []: not necessary

After you have finished this certificate request you have to send the file req.pem to your CA (Certification Authority). The CA will issue the certificate (BASE64 encoded) based on your request; save this file as “cert.pem” to your Proxmox. To activate the new certificate, do the following on your Proxmox:


cat key.pem cert.pem >/etc/apache2/apache.pem

/etc/init.d/apache2 restart

Test your new certificate by using your browser.

Note: To transfer files from and to your Proxmox, you can use secure copy. If your desktop is Linux, you can use 'scp'; if your desktop PC is Windows, please use an scp client like WinSCP (see http://winscp.net/).
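An added example, not part of the original guide: the same request made with a 2048-bit key (publicly trusted CAs no longer issue certificates for 1024-bit RSA keys), plus a check that cert.pem really belongs to key.pem before the two are combined. The file names and the target path are the guide's; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the guide). File names key.pem, req.pem, cert.pem
# and the target /etc/apache2/apache.pem are the guide's; function names
# are hypothetical.

# new_request FQDN: key and certificate request without prompts, 2048-bit.
new_request() {
    ( umask 077
      openssl req -newkey rsa:2048 -nodes -keyout key.pem -out req.pem \
          -subj "/CN=$1" 2>/dev/null )
}

# key_bits KEYFILE: print the RSA key size in bits (empty if unreadable).
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# pair_matches KEYFILE CERTFILE: succeed only if both carry the same modulus,
# i.e. the CA issued the certificate for this key.
pair_matches() {
    k=$(openssl rsa  -in "$1" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# build_apache_pem KEYFILE CERTFILE DEST: run the checks, then write the
# combined file readable by its owner only (it contains the private key).
build_apache_pem() {
    bits=$(key_bits "$1")
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "refusing $1: ${bits:-unreadable}-bit key" >&2; return 1
    fi
    if ! pair_matches "$1" "$2"; then
        echo "refusing $2: not issued for $1" >&2; return 1
    fi
    ( umask 077; cat "$1" "$2" > "$3" ) && chmod 600 "$3"
}

# Usage on the gateway, after the CA has returned cert.pem:
#   sh this-script.sh key.pem cert.pem /etc/apache2/apache.pem \
#       && /etc/init.d/apache2 restart
if [ "$#" -eq 3 ]; then
    build_apache_pem "$1" "$2" "$3"
fi
```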

13.9 Port Scans (nmap)

Nmap is designed to allow system administrators to scan large networks to determine which hosts are up and what services they are offering. You can use nmap to test your firewall setting, for example to see if the required ports are open. Test Razor port (tcp port 2703):

nmap -P0 -sS -p 2703 c101.cloudmark.com

See the manual page (man nmap) for more information about nmap.

- End of document -