Change internal filtering port 10025

emper0r

Dec 16, 2022
Hi community

I want to change port 26 to 10025. I saw that PMG uses 10025 as the internal SMTP filter port, so I changed it in /etc/postfix/master.cf, but when I change something from the web UI, master.cf is rewritten again... Is there a way to change it permanently, using pmgcommand or something?

We have many devices using the current server on port 10025, so reviewing all of them to change to 26 is a pain; it is easier to change it in one place (the PMG).
I don't want to disable SMTP filtering; I just want to move the current SMTP filtering from 10025 to, for example, 11025, and use the current 26 as 10025, to avoid modifying thousands of devices manually one by one. Or, if possible, making this internal port configurable in the next releases would be even better, to avoid touching underlying files that should never be touched.

Any idea?

Thanks in advance.
 
I want to change port 26 to 10025. I saw that PMG uses 10025 as the internal SMTP filter port, so I changed it in /etc/postfix/master.cf, but when I change something from the web UI, master.cf is rewritten again... Is there a way to change it permanently, using pmgcommand or something?
This won't work (at least not in a direct way): port 10025 is hard-coded in a few places...

What you could maybe do is:
- keep the internal listener on 127.0.0.1:10025 (then pmg-smtp-filter can relay its mails there)
- configure another one on <IP.of.your.pmg>:10025, but this will also need to be done manually in master.cf, through the templating system:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine

I hope it works like that, because changing PMG to use a different port for re-submitting mail won't be possible (at least we won't change it after many years because one deployment has used 10025 for another thing...)

You can maybe also have some luck with port rewriting with `nft` or `iptables`, but as said, try binding to an explicit ip:10025 first!

I hope this helps
 
Hi Stoiko Ivanov

Thanks for the quick answer... I modified the template as the docs explain, and now I have my_ip:10025 listening, but now the emails are rejected.

Here is the log:

Dec 19 11:24:08 pmg postfix/smtpd[24674]: connect from unknown[192.168.33.63]
Dec 19 11:24:08 pmg postfix/smtpd[24674]: NOQUEUE: reject: RCPT from unknown[192.168.33.63]: 554 5.7.1 <alerts@mydomdain.it>: Recipient address rejected: Access denied; from=<bastion.sbox1@mydomain.it> to=<alerts@mydomain.it> proto=ESMTP helo=<bastion.sbox1>
Dec 19 11:24:08 pmg postfix/smtpd[24674]: NOQUEUE: reject: RCPT from unknown[192.168.33.63]: 554 5.7.1 <bastion.sbox1@mydomain.it>: Recipient address rejected: Access denied; from=<> to=<bastion.sbox1@mydomain.it> proto=ESMTP helo=<bastion.sbox1>
Dec 19 11:24:08 pmg postfix/smtpd[24674]: disconnect from unknown[192.168.33.63] ehlo=1 mail=2 rcpt=0/2 data=0/2 rset=3 quit=1 commands=7/11

I have the network 192.168.33.0/24 in my trusted settings to accept mail, and mydomain.it in the global whitelist, but it is still rejecting mail.

Any idea?
 
Share your main.cf, master.cf (and the modified templates).
 
Here is main.cf:

===========
# auto-generated by proxmox

compatibility_level = 2
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix

# appending .domain is the MUA's job.
append_dot_mydomain = yes

smtpd_banner = $myhostname ESMTP Proxmox
biff = no

delay_warning_time = 4h

best_mx_transport = local
message_size_limit = 10485760
mailbox_size_limit = 51200000

mydomain = mydomain.local
myhostname = pmg.mydomain.local

parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = localhost, $myhostname
mynetworks = 172.16.0.0/24 192.168.33.0/24 [::1]/128

relay_domains = hash:/etc/pmg/domains
transport_maps = hash:/etc/pmg/transport
relay_transport = smtp:mydomain.it:25

default_transport = smtp:smtp-relay.gmail.com:25
content_filter=scan:127.0.0.1:10024
mail_name = Proxmox
smtpd_helo_restrictions =

postscreen_access_list =
        permit_mynetworks,
        cidr:/etc/postfix/postscreen_access

postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce

smtpd_sender_restrictions =
        permit_mynetworks
        reject_non_fqdn_sender
        check_client_access     cidr:/etc/postfix/clientaccess
        check_sender_access     regexp:/etc/postfix/senderaccess
        check_recipient_access  regexp:/etc/postfix/rcptaccess

smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
        reject_non_fqdn_recipient
        check_recipient_access  regexp:/etc/postfix/rcptaccess

smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 0
smtpd_client_message_rate_limit = 0
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/pmg/tls_policy
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/pmg/pmg-tls.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
lmtp_tls_security_level = $smtp_tls_security_level
lmtp_tls_policy_maps = $smtp_tls_policy_maps
lmtp_tls_CAfile = $smtp_tls_CAfile
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
lmtp_tls_loglevel = $smtp_tls_loglevel
smtpd_tls_received_header = yes
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
lmtp_tls_session_cache_database = btree:/var/lib/postfix/lmtp_tls_session_cache
default_destination_concurrency_limit = 40
lmtp_destination_concurrency_limit = 20
relay_destination_concurrency_limit = 20
smtp_destination_concurrency_limit = 20
virtual_destination_concurrency_limit = 20
recipient_delimiter = +
===========
 
master.cf

===========

#
# Postfix master process configuration file. Each logical line
# describes how a Postfix daemon program should be run.
#
# A logical line starts with non-whitespace, non-comment text.
# Empty lines and whitespace-only lines are ignored, as are comment
# lines whose first non-whitespace character is a `#'.
# A line that starts with whitespace continues a logical line.
#
# The fields that make up each line are described below. A "-" field
# value requests that a default value be used for that field.
#
# Service: any name that is valid for the specified transport type
# (the next field). With INET transports, a service is specified as
# host:port. The host part (and colon) may be omitted. Either host
# or port may be given in symbolic form or in numeric form. Examples
# for the SMTP server: localhost:smtp receives mail via the loopback
# interface only; 10025 receives mail on port 10025.
#
# Transport type: "inet" for Internet sockets, "unix" for UNIX-domain
# sockets, "fifo" for named pipes.
#
# Private: whether or not access is restricted to the mail system.
# Default is private service. Internet (inet) sockets can't be private.
#
# Unprivileged: whether the service runs with root privileges or as
# the owner of the Postfix system (the owner name is controlled by the
# mail_owner configuration variable in the main.cf file). Only the
# pipe, virtual and local delivery daemons require privileges.
#
# Chroot: whether or not the service runs chrooted to the mail queue
# directory (pathname is controlled by the queue_directory configuration
# variable in the main.cf file). Presently, all Postfix daemons can run
# chrooted, except for the pipe, virtual and local delivery daemons.
# The proxymap server can run chrooted, but doing so defeats most of
# the purpose of having that service in the first place.
# The files in the examples/chroot-setup subdirectory describe how
# to set up a Postfix chroot environment for your type of machine.
#
# Wakeup time: automatically wake up the named service after the
# specified number of seconds. A ? at the end of the wakeup time
# field requests that wake up events be sent only to services that
# are actually being used. Specify 0 for no wakeup. Presently, only
# the pickup, queue manager and flush daemons need a wakeup timer.
#
# Max procs: the maximum number of processes that may execute this
# service simultaneously. Default is to use a globally configurable
# limit (the default_process_limit configuration parameter in main.cf).
# Specify 0 for no process count limit.
#
# Command + args: the command to be executed. The command name is
# relative to the Postfix program directory (pathname is controlled by
# the daemon_directory configuration variable). Adding one or more
# -v options turns on verbose logging for that service; adding a -D
# option enables symbolic debugging (see the debugger_command variable
# in the main.cf configuration file). See individual command man pages
# for specific command-line options, if any.
#
# In order to use the "uucp" message transport below, set up entries
# in the transport table.
#
# In order to use the "cyrus" message transport below, configure it
# in main.cf as the mailbox_transport.
#
# SPECIFY ONLY PROGRAMS THAT ARE WRITTEN TO RUN AS POSTFIX DAEMONS.
# ALL DAEMONS SPECIFIED HERE MUST SPEAK A POSTFIX-INTERNAL PROTOCOL.
#
# DO NOT SHARE THE POSTFIX QUEUE BETWEEN MULTIPLE POSTFIX INSTANCES.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================

scan      unix  -       -       n       -       31      lmtp
  -o lmtp_send_xforward_command=yes
  -o lmtp_connection_cache_on_demand=no
  -o disable_dns_lookups=yes

26        inet  n       -       -       -       100     smtpd
  -o content_filter=scan:127.0.0.1:10023
  -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=

25        inet  n       -       -       -       1       postscreen

smtpd     pass  -       -       -       -       100     smtpd
  -o content_filter=scan:127.0.0.1:10024
  -o receive_override_options=no_address_mappings
  -o smtpd_discard_ehlo_keywords=silent-discard,dsn
  -o mynetworks=127.0.0.0/8,172.16.0.55

172.16.0.10:10025 inet n -       n       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_restriction_classes=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o smtpd_tls_security_level=none
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o message_size_limit=20971520

pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
  -o message_size_limit=20971520

qmgr fifo n - - 300 1 qmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
showq unix n - - - - showq
error unix - - - - - error
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
verify unix - - - - 1 verify
trace unix - - n - 0 bounce
tlsmgr unix - - - 1000? 1 tlsmgr
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
discard unix - - - - - discard
retry unix - - - - - error
dnsblog unix - - - - 0 dnsblog
tlsproxy unix - - - - 0 tlsproxy
===========
 
The template I modified was this one: master.cf.in

#
# Postfix master process configuration file. Each logical line
# describes how a Postfix daemon program should be run.
#
# A logical line starts with non-whitespace, non-comment text.
# Empty lines and whitespace-only lines are ignored, as are comment
# lines whose first non-whitespace character is a `#'.
# A line that starts with whitespace continues a logical line.
#
# The fields that make up each line are described below. A "-" field
# value requests that a default value be used for that field.
#
# Service: any name that is valid for the specified transport type
# (the next field). With INET transports, a service is specified as
# host:port. The host part (and colon) may be omitted. Either host
# or port may be given in symbolic form or in numeric form. Examples
# for the SMTP server: localhost:smtp receives mail via the loopback
# interface only; 10025 receives mail on port 10025.
#
# Transport type: "inet" for Internet sockets, "unix" for UNIX-domain
# sockets, "fifo" for named pipes.
#
# Private: whether or not access is restricted to the mail system.
# Default is private service. Internet (inet) sockets can't be private.
#
# Unprivileged: whether the service runs with root privileges or as
# the owner of the Postfix system (the owner name is controlled by the
# mail_owner configuration variable in the main.cf file). Only the
# pipe, virtual and local delivery daemons require privileges.
#
# Chroot: whether or not the service runs chrooted to the mail queue
# directory (pathname is controlled by the queue_directory configuration
# variable in the main.cf file). Presently, all Postfix daemons can run
# chrooted, except for the pipe, virtual and local delivery daemons.
# The proxymap server can run chrooted, but doing so defeats most of
# the purpose of having that service in the first place.
# The files in the examples/chroot-setup subdirectory describe how
# to set up a Postfix chroot environment for your type of machine.
#
# Wakeup time: automatically wake up the named service after the
# specified number of seconds. A ? at the end of the wakeup time
# field requests that wake up events be sent only to services that
# are actually being used. Specify 0 for no wakeup. Presently, only
# the pickup, queue manager and flush daemons need a wakeup timer.
#
# Max procs: the maximum number of processes that may execute this
# service simultaneously. Default is to use a globally configurable
# limit (the default_process_limit configuration parameter in main.cf).
# Specify 0 for no process count limit.
#
# Command + args: the command to be executed. The command name is
# relative to the Postfix program directory (pathname is controlled by
# the daemon_directory configuration variable). Adding one or more
# -v options turns on verbose logging for that service; adding a -D
# option enables symbolic debugging (see the debugger_command variable
# in the main.cf configuration file). See individual command man pages
# for specific command-line options, if any.
#
# In order to use the "uucp" message transport below, set up entries
# in the transport table.
#
# In order to use the "cyrus" message transport below, configure it
# in main.cf as the mailbox_transport.
#
# SPECIFY ONLY PROGRAMS THAT ARE WRITTEN TO RUN AS POSTFIX DAEMONS.
# ALL DAEMONS SPECIFIED HERE MUST SPEAK A POSTFIX-INTERNAL PROTOCOL.
#
# DO NOT SHARE THE POSTFIX QUEUE BETWEEN MULTIPLE POSTFIX INSTANCES.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================

[% IF ! pmg.mail.before_queue_filtering -%]
scan      unix  -       -       n       -       [% pmg.mail.max_filters %]      lmtp
  -o lmtp_send_xforward_command=yes
  -o lmtp_connection_cache_on_demand=no
  -o disable_dns_lookups=yes
[% END -%]

[% pmg.mail.int_port %]       inet  n -       -       -       [% pmg.mail.max_smtpd_out %]      smtpd
[% IF pmg.mail.before_queue_filtering -%]
  -o smtpd_proxy_filter=127.0.0.1:10023
  -o smtpd_proxy_options=speed_adjust
  -o smtpd_client_connection_count_limit=[% pmg.mail.conn_count_limit div 5 %]
[%- ELSE -%]
  -o content_filter=scan:127.0.0.1:10023
[%- END %]
  -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=

[% pmg.mail.ext_port %]       inet  n -       -       -       1 postscreen

smtpd     pass  -       -       -       -       [% pmg.mail.max_smtpd_in %]      smtpd
[% IF pmg.mail.before_queue_filtering -%]
  -o smtpd_proxy_filter=127.0.0.1:10024
  -o smtpd_proxy_options=speed_adjust
  -o smtpd_client_connection_count_limit=[% pmg.mail.conn_count_limit div 5 %]
[%- ELSE -%]
  -o content_filter=scan:127.0.0.1:10024
[%- END %]
  -o receive_override_options=no_address_mappings
  -o smtpd_discard_ehlo_keywords=silent-discard,dsn
  -o mynetworks=127.0.0.0/8,[% postfix.int_ip %]

172.16.0.10:10025 inet  n       -       n       -       -      smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_restriction_classes=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o smtpd_tls_security_level=none
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o message_size_limit=[% (pmg.mail.maxsize*2) %]

pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
  -o message_size_limit=[% (pmg.mail.maxsize*2) %]

qmgr fifo n - - 300 1 qmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
showq unix n - - - - showq
error unix - - - - - error
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
verify unix - - - - 1 verify
trace unix - - n - 0 bounce
tlsmgr unix - - - 1000? 1 tlsmgr
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
discard unix - - - - - discard
retry unix - - - - - error
dnsblog unix - - - - 0 dnsblog
tlsproxy unix - - - - 0 tlsproxy
=============

It was copied, as the docs explain, from /var/lib/pmg/templates/master.cf.in to /etc/pmg/templates/master.cf.in

Then restarted using: pmgconfig sync --restart 1
 
a) You need to keep the smtpd listener on 127.0.0.1:10025 for PMG's internal use.
b) You need to use the same smtpd options for 172.16.0.10:10025 as used for the listener on port 26...

Also, please use code tags for config files.
 
Thanks... now it works fine. I noticed that with this approach port 26 from the UI is now ignored; that's fine for us. In any case, we now know that part is handled by the template.
 
Hi again @Stoiko Ivanov,

Thanks for the tips, but I have a small misconfiguration with this...
On port 25 everything is working fine.

After modifying the templates to change to our w.x.y.z:10025 as you explained above, the server is receiving (like 26), but in the options I kept the rest of the settings; take a look:

Code:
w.x.y.z:10025       inet  n -       -       -       [% pmg.mail.max_smtpd_out %]      smtpd
[% IF pmg.mail.before_queue_filtering -%]
  -o smtpd_proxy_filter=127.0.0.1:10023
  -o smtpd_proxy_options=speed_adjust
  -o smtpd_client_connection_count_limit=[% pmg.mail.conn_count_limit div 5 %]
[%- ELSE -%]
  -o content_filter=scan:127.0.0.1:10023
[%- END %]
  -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=

After restarting pmgconfig, the override for master.cf ends up like this:

Code:
scan      unix  -       -       n       -       31      lmtp
  -o lmtp_send_xforward_command=yes
  -o lmtp_connection_cache_on_demand=no
  -o disable_dns_lookups=yes

w.x.y.z:10025       inet  n -       -       -       100      smtpd
  -o content_filter=scan:127.0.0.1:10023
  -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=

25       inet  n -       -       -       1 postscreen

smtpd       pass  - -       -       -       100      smtpd
  -o content_filter=scan:127.0.0.1:10024
  -o receive_override_options=no_address_mappings
  -o smtpd_discard_ehlo_keywords=silent-discard,dsn
  -o mynetworks=127.0.0.0/8,172.16.0.55

127.0.0.1:10025 inet  n       -       n       -       -      smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_restriction_classes=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o smtpd_tls_security_level=none
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o message_size_limit=20971520

But the issue is with permit_mynetworks.

I implemented the same use case as Nikole, following your instructions in this thread:

https://forum.proxmox.com/threads/limit-ips-that-send-through-internal-port-26.107959/#post-463968

so that I can remove the subnet where PMG is by default, by changing the default mynetworks postfix variable.

/etc/pmg/templates/main.cf.in

Code:
mydestination = localhost, $myhostname
mynetworks = [% postfix.mynetworks FILTER replace ('my.cidr.sub.net\/24 ', '') %]

So mynetworks is limited exactly to the trusted networks list, yet PMG is still accepting email from the server I send test emails from.

So, if I restrict explicitly to the networks in the allow section, where is the missing configuration that makes PMG still accept from an IP that is not set in the trusted mynetworks list and does not exist in the whitelist either?

Thanks
 
Not sure if I get the question correctly, but your PMG is still accepting mail from more IPs on the internal port than you want?

Please post your /etc/postfix/main.cf (as this shows what is actually rendered as mynetworks) and `pmgconfig dump` (as this shows what gets input there).

(And indicate which IP/network you don't want to have there.)
 
In fact, with pmgconfig dump I see the whole set of networks which must be deleted from the mynetworks config.

Code:
# auto-generated by proxmox

compatibility_level = 2
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix

# appending .domain is the MUA's job.
append_dot_mydomain = yes

smtpd_banner = $myhostname ESMTP Proxmox
biff = no

delay_warning_time = 4h

best_mx_transport = local
message_size_limit = 10485760
mailbox_size_limit = 51200000

mydomain = apsystems.local
myhostname = pmg.apsystems.local

parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = localhost, $myhostname
mynetworks = 192.168.33.1/32 192.168.33.2/32 192.168.33.10/32 192.168.10.0/23 127.0.0.0/8 [::1]/128

relay_domains = hash:/etc/pmg/domains

transport_maps = hash:/etc/pmg/transport
relay_transport = smtp:mydomain.it:25
default_transport = smtp:smtp-relay.gmail.com:25
content_filter=scan:127.0.0.1:10024
mail_name = Proxmox
smtpd_helo_restrictions =

postscreen_access_list =
        permit_mynetworks,
        cidr:/etc/postfix/postscreen_access

postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce

smtpd_sender_restrictions =
        permit_mynetworks
        reject_non_fqdn_sender
        check_client_access     cidr:/etc/postfix/clientaccess
        check_sender_access     regexp:/etc/postfix/senderaccess
        check_recipient_access  regexp:/etc/postfix/rcptaccess reject_unknown_client_hostname

smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
        reject_non_fqdn_recipient
        check_recipient_access  regexp:/etc/postfix/rcptaccess check_sender_access  regexp:/etc/postfix/senderaccess check_client_access  cidr:/etc/postfix/clientaccess check_policy_service inet:127.0.0.1:10022

smtpd_client_connection_count_limit = 100
smtpd_client_connection_rate_limit = 0
smtpd_client_message_rate_limit = 0

smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/pmg/tls_policy
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/pmg/pmg-tls.pem
smtpd_tls_key_file = $smtpd_tls_cert_file

lmtp_tls_security_level = $smtp_tls_security_level
lmtp_tls_policy_maps = $smtp_tls_policy_maps
lmtp_tls_CAfile = $smtp_tls_CAfile

smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
lmtp_tls_loglevel = $smtp_tls_loglevel

smtpd_tls_received_header = yes

smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
lmtp_tls_session_cache_database = btree:/var/lib/postfix/lmtp_tls_session_cache

default_destination_concurrency_limit = 40
lmtp_destination_concurrency_limit = 20
relay_destination_concurrency_limit = 20
smtp_destination_concurrency_limit = 20
virtual_destination_concurrency_limit = 20

recipient_delimiter = +

dump

Code:
composed.wl_bounce_relays = pmg.mydomain.local
dns.domain = mydomain.local
dns.fqdn = pmg.mydomain.local
dns.hostname = pmg
ipconfig.int_ip = 192.168.33.55
pmg.admin.advfilter = 1
pmg.admin.avast = 0
pmg.admin.clamav = 1
pmg.admin.custom_check = 0
pmg.admin.custom_check_path = /usr/local/bin/pmg-custom-check
pmg.admin.dailyreport = 1
pmg.admin.demo = 0
pmg.admin.dkim_selector =
pmg.admin.dkim_sign = 0
pmg.admin.dkim_sign_all_mail = 0
pmg.admin.email = alerts.pmg@mydomain.it
pmg.admin.http_proxy =
pmg.admin.statlifetime = 7
pmg.clamav.archiveblockencrypted = 0
pmg.clamav.archivemaxfiles = 1000
pmg.clamav.archivemaxrec = 5
pmg.clamav.archivemaxsize = 25000000
pmg.clamav.dbmirror = database.clamav.net
pmg.clamav.maxcccount = 0
pmg.clamav.maxscansize = 100000000
pmg.clamav.safebrowsing = 0
pmg.clamav.scriptedupdates = 1
pmg.mail.banner = ESMTP Proxmox
pmg.mail.before_queue_filtering = 0
pmg.mail.conn_count_limit = 100
pmg.mail.conn_rate_limit = 0
pmg.mail.dnsbl_sites =
pmg.mail.dnsbl_threshold = 1
pmg.mail.dwarning = 4
pmg.mail.ext_port = 25
pmg.mail.greylist = 0
pmg.mail.greylist6 = 0
pmg.mail.greylistmask4 = 24
pmg.mail.greylistmask6 = 64
pmg.mail.helotests = 0
pmg.mail.hide_received = 0
pmg.mail.int_port = 26
pmg.mail.max_filters = 31
pmg.mail.max_policy = 5
pmg.mail.max_smtpd_in = 100
pmg.mail.max_smtpd_out = 100
pmg.mail.maxsize = 10485760
pmg.mail.message_rate_limit = 0
pmg.mail.ndr_on_block = 0
pmg.mail.rejectunknown = 1
pmg.mail.rejectunknownsender = 0
pmg.mail.relay = mydomain.it
pmg.mail.relaynomx = 0
pmg.mail.relayport = 25
pmg.mail.relayprotocol = smtp
pmg.mail.smarthost = smtp-relay.gmail.com
pmg.mail.smarthostport = 25
pmg.mail.spf = 1
pmg.mail.tls = 1
pmg.mail.tlsheader = 1
pmg.mail.tlslog = 1
pmg.mail.verifyreceivers =
pmg.spam.bounce_score = 0
pmg.spam.clamav_heuristic_score = 3
pmg.spam.languages = all
pmg.spam.maxspamsize = 262144
pmg.spam.rbl_checks = 1
pmg.spam.use_awl = 0
pmg.spam.use_bayes = 1
pmg.spam.use_razor = 1
pmg.spam.wl_bounce_relays =
pmg.spamquar.allowhrefs = 1
pmg.spamquar.authmode = ticket
pmg.spamquar.hostname =
pmg.spamquar.lifetime = 7
pmg.spamquar.mailfrom =
pmg.spamquar.port = 8006
pmg.spamquar.protocol = https
pmg.spamquar.quarantinelink = 0
pmg.spamquar.reportstyle = verbose
pmg.spamquar.viewimages = 1
pmg.virusquar.allowhrefs = 1
pmg.virusquar.lifetime = 7
pmg.virusquar.viewimages = 1
postfix.dnsbl_threshold = 1
postfix.int_ip = 172.16.0.55
postfix.mynetworks = 192.168.33.1/32 192.168.33.2/32 192.168.33.10/32 192.168.10.0/23 192.168.33.0/24 127.0.0.0/8 [::1]/128
postfix.transportnets =
postfix.usepolicy = 1
postgres.version = 13

In main.cf 192.168.33.0/24 does not exist, because of the template's replace filter,
but in the dump 192.168.33.0/24 appears; this must not exist... I guess this is still hardcoded somewhere to remove, or I need to use the filter in other places.
 
In main.cf 192.168.33.0/24 does not exist, because of the template's replace filter,
but in the dump 192.168.33.0/24 appears; this must not exist... I guess this is still hardcoded somewhere to remove, or I need to use the filter in other places.
OK, that looks good then; mails should then not get accepted based on coming from 192.168.33.0/24 (if they are not coming from one of the IPs explicitly listed: 192.168.33.1/32, 192.168.33.2/32, 192.168.33.10/32).

Please share the logs of such a mail which was accepted although it should not have been; maybe we see more then.

Also keep in mind that 'reject_unauth_destination' is still listed in the recipient restrictions, so if you're sending _to_ one of your relay domains... the mail would still get processed and accepted (after all, it would be processed if it came from the public internet).
 
But we need to restrict the internal port 10025 like we do with 25.
Can we replicate master.cf from the templates to set the same settings as for 25???
Maybe this would have helped from the beginning, because we only use PMG to relay to Gmail.
Our requirements are:
use port 25, and 10025 must be restricted so that it does not accept from the same subnet where PMG is; senders must exist in the trusted networks / be whitelisted (in case we apply filters) to be able to send email to the relay.
 
The 2 ports in PMG behave (very roughly) in the following way:
* external port (default 25): accept mail for processing (from anywhere) only if it's for an address (recipient) in one of the relay domains
* internal port (default 26, for you 10025): accept mail for any address only if it's from one of the IPs listed in the trusted networks (the issue here is that by default the 'localnet' of PMG is also added, i.e. main-ip/netmask from the network config is added; in your case 192.168.33.0/24)

You can of course modify the postfix templates to your needs, but in most cases the 2 distinctions work really well.

Only make sure not to create an open relay.

I hope this explains it! (Else please provide logs as asked above.)
 
Here is the log for a test server which is not in the trusted networks and not in the whitelist, using 10025 and sending email, even with the mynetworks subnet removed by the filter; it can send to another domain as relay even if not set. It is like an open relay from the internal network using this 10025.

Code:
Dec 30 12:28:30 pmg postfix/smtpd[173550]: connect from testserver1.mydomain.local[192.16.33.32]
Dec 30 12:28:30 pmg postfix/smtpd[173550]: 3997D3A0A07: client=testserver1.mydomain.local[192.16.33.32]
Dec 30 12:28:30 pmg postfix/cleanup[173640]: 3997D3A0A07: message-id=<>
Dec 30 12:28:30 pmg postfix/qmgr[163290]: 3997D3A0A07: from=<user01@google-domain>, size=339, nrcpt=1 (queue active)
Dec 30 12:28:30 pmg pmg-smtp-filter[173554]: 2022/12/30-12:28:30 CONNECT TCP Peer: "[127.0.0.1]:36506" Local: "[127.0.0.1]:10023"
Dec 30 12:28:30 pmg pmg-smtp-filter[173554]: 3E721863AECB5E47332: new mail message-id=
Dec 30 12:28:30 pmg postfix/smtpd[173647]: connect from localhost.localdomain[127.0.0.1]
Dec 30 12:28:30 pmg postfix/smtpd[173647]: 4C8333A0F1A: client=localhost.localdomain[127.0.0.1],  orig_client=testserver1.mydomain.local[192.16.33.32]
Dec 30 12:28:30 pmg postfix/cleanup[173636]: 4C8333A0F1A: message-id=<20221230112830.4C8333A0F1A@pmg.mydomain.local>
Dec 30 12:28:30 pmg pmg-smtp-filter[173554]: 3E721863AECB5E47332: accept mail to <myuser@google-domain> (4C8333A0F1A) (rule: default-accept)
Dec 30 12:28:30 pmg postfix/smtpd[173647]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Dec 30 12:28:30 pmg postfix/qmgr[163290]: 4C8333A0F1A: from=<user01@google-domain>, size=611, nrcpt=1 (queue active)
Dec 30 12:28:30 pmg pmg-smtp-filter[173554]: 3E721863AECB5E47332: processing time: 0.068 seconds (0, 0.015, 0)
Dec 30 12:28:30 pmg postfix/lmtp[173398]: 3997D3A0A07: to=<myuser@google-domain>, relay=127.0.0.1[127.0.0.1]:10023, delay=0.13, delays=0.01/0/0.04/0.07, dsn=2.5.0, status=sent (250 2.5.0 OK (3E721863AECB5E47332))
Dec 30 12:28:30 pmg postfix/qmgr[163290]: 3997D3A0A07: removed
Dec 30 12:28:30 pmg postfix/smtp[173406]: Trusted TLS connection established to smtp-relay.gmail.com[108.177.127.28]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256)
Dec 30 12:28:30 pmg postfix/smtp[173406]: 4C8333A0F1A: to=<myuser@google-domain>, relay=smtp-relay.gmail.com[108.177.127.28]:25, delay=0.35, delays=0.05/0/0.16/0.14, dsn=2.0.0, status=sent (250 2.0.0 OK  1672399710 m13-20020a17090672cd00b007c0f2124727sm318652ejl.165 - gsmtp)
Dec 30 12:28:30 pmg postfix/qmgr[163290]: 4C8333A0F1A: removed
 
Thanks for the logs!

* is google-domain listed in your relay domains?
* are the addresses user01@google-domain and myuser@google-domain:
** in the same domain (i.e. is google-domain the same for both)
** is user01 different from myuser?

EDIT: since 192.16.33.32 seems a bit odd: is this your actual (public) IP? If not, and you anonymized it, please make sure you did not overlook something.
 
Yes, our google-domain is listed in the "relay domain" option and in the "default relay" setting.

Both users are in the same domain and exist in our google-domain.
 
Yes, our google-domain is listed in the "relay domain" option and in the "default relay" setting.
That's the reason why it accepts the mail: it would accept the mail from any IP on the internet on its external port anyway
(the setting that allows it is reject_unauth_destination); check out the postfix config.

To verify this, you can send an email to any external address (not listed in your relay domains).
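The three decisions discussed in this thread (the "Access denied" on the rebound listener whose options were copied from 127.0.0.1:10025, the two-port model Stoiko describes, and why the test server's mail to a relay domain is accepted anyway) all follow from the order in which Postfix walks `smtpd_recipient_restrictions`. The following is an added example, not code from PMG or from anyone in the thread: a small model of that evaluation, run over constructed sessions. The `pmgconfig dump` excerpt, the relay-domain set and the client IPs are constructed to mirror the values posted above (the localnet removal reproduces what the `FILTER replace` in main.cf.in does); `decide`, `Listener` and the other names are this example's own.

```python
"""Model of Postfix smtpd restriction evaluation for the two PMG listeners.
Added example, not PMG code. Everything below is constructed sample data."""
import ipaddress
from dataclasses import dataclass

# Constructed excerpt shaped like the `pmgconfig dump` output posted in the thread.
PMGCONFIG_DUMP = """\
ipconfig.int_ip = 192.168.33.55
pmg.mail.int_port = 26
pmg.mail.ext_port = 25
pmg.mail.relay = mydomain.it
postfix.mynetworks = 192.168.33.1/32 192.168.33.2/32 192.168.33.10/32 192.168.10.0/23 192.168.33.0/24 127.0.0.0/8 [::1]/128
"""

# Constructed stand-in for /etc/pmg/domains (the "relay domains" list).
RELAY_DOMAINS = {"mydomain.it", "google-domain"}


def parse_dump(text):
    """Parse `key = value` lines into a dict (blank lines are skipped)."""
    cfg = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def drop_network(spec, cidr):
    """What the template's FILTER replace does: remove one CIDR token from mynetworks."""
    return " ".join(tok for tok in spec.split() if tok != cidr)


def parse_networks(spec):
    """Turn a Postfix mynetworks string into ip_network objects.
    Postfix writes IPv6 entries as [::1]/128, so the brackets are stripped."""
    nets = []
    for tok in spec.split():
        addr, _, plen = tok.partition("/")
        addr = addr.strip("[]")
        nets.append(ipaddress.ip_network(f"{addr}/{plen}" if plen else addr, strict=False))
    return nets


@dataclass
class Listener:
    name: str
    mynetworks: list          # per-listener `-o mynetworks=` override
    restrictions: list        # ordered smtpd_recipient_restrictions


def decide(listener, client_ip, recipient):
    """Walk the restriction list in order; the first permit or reject wins.
    Returns (action, restriction_that_decided)."""
    ip = ipaddress.ip_address(client_ip)
    rcpt_domain = recipient.rpartition("@")[2].lower()
    for r in listener.restrictions:
        if r == "permit_mynetworks":
            if any(ip in net for net in listener.mynetworks):
                return ("accept", r)
        elif r == "reject_unauth_destination":
            # Only rejects when the recipient domain is NOT one we relay for.
            if rcpt_domain not in RELAY_DOMAINS:
                return ("reject", r)
        elif r == "reject":
            return ("reject", r)
        else:
            raise ValueError(f"restriction not modelled: {r}")
    # Postfix permits when the list is exhausted without a decision.
    return ("accept", "end-of-list")


def build_listeners(cfg):
    """Two listeners as they appear in the thread's master.cf."""
    localnet = "192.168.33.0/24"  # PMG's own subnet, which the template filter removes
    trusted = parse_networks(drop_network(cfg["postfix.mynetworks"], localnet))
    return {
        # the internal-port listener (26 in the UI, rebound to <ip>:10025 via the template)
        "internal": Listener("internal", trusted,
                             ["permit_mynetworks", "reject_unauth_destination"]),
        # the 127.0.0.1:10025 re-injection listener: only loopback may use it
        "reinject": Listener("reinject", parse_networks("127.0.0.0/8"),
                             ["permit_mynetworks", "reject"]),
    }


if __name__ == "__main__":
    listeners = build_listeners(parse_dump(PMGCONFIG_DUMP))
    sessions = [  # (listener, client IP, recipient): constructed, mirroring the thread
        ("reinject", "192.168.33.63", "alerts@mydomain.it"),   # the first "Access denied" log
        ("internal", "192.168.33.32", "myuser@google-domain"),  # untrusted host, relay domain
        ("internal", "192.168.33.32", "someone@example.com"),   # untrusted host, external domain
        ("internal", "192.168.33.10", "someone@example.com"),   # explicitly trusted /32
    ]
    for name, ip, rcpt in sessions:
        print(name, ip, rcpt, "->", decide(listeners[name], ip, rcpt))
```

The second session is the one from the posted log: the client is not in the trusted list once the /24 is filtered out, but `reject_unauth_destination` only rejects recipients outside the relay domains, so the list runs out and Postfix permits. The third session is the check suggested above (an external recipient), which the same listener rejects.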
 