PMG Failing Sync After Attempting Hardening

King0321

Apr 13, 2022
Hey, all!

I've been searching the forum for several hours (and the internet in general), and I'm not finding anything useful. I just moved from a SurgeMail/SurgeVault system to a conventional malfurious/postfix setup, and I incorporated a PMG into the mix to test things out. I haven't yet purchased a subscription because I'd like to get everything in place and test it out.

So far, I followed the instructions in the forum for configuring custom bounce messages here and here and Quarantine Web Interface Via Nginx Proxy, and all seemed to be working well. When I tested using MXToolbox, all checks were passing. Now, it's showing up as a possible open relay and TLS is not working! Somewhere, I found these instructions for PMG Harden, which I followed down to adding GeoIP, and now I receive the following error when I run pmgconfig sync --restart 1:

root@pmg:~# pmgconfig sync --restart 1
Use of uninitialized value $domain in concatenation (.) or string at /usr/share/perl5/PMG/Utils.pm line 643.

Here is the only link I could find for a similar issue, but it's still far off from what I'm experiencing.

root@pmg:~# pmgversion -v
proxmox-mailgateway: 7.1-1 (API: 7.1-2/75d043b3, running kernel: 5.13.19-6-pve)
pmg-api: 7.1-2
pmg-gui: 3.1-2
pve-kernel-helper: 7.1-13
pve-kernel-5.13: 7.1-9
pve-kernel-5.13.19-6-pve: 5.13.19-14
pve-kernel-5.13.19-1-pve: 5.13.19-3
clamav-daemon: 0.103.5+dfsg-0+deb11u1
ifupdown2: 3.1.0-1+pmx3
libarchive-perl: 3.4.0-1
libjs-extjs: 7.0.0-1
libjs-framework7: 4.4.7-1
libproxmox-acme-perl: 1.4.1
libproxmox-acme-plugins: 1.4.1
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.1-5
libpve-http-server-perl: 4.1-1
libxdgmime-perl: 1.0-1
lvm2: 2.03.11-2.1
pmg-docs: 7.1-2
pmg-i18n: 2.6-2
pmg-log-tracker: 2.3.1-1
postgresql-13: 13.5-0+deb11u1
proxmox-mini-journalreader: 1.3-1
proxmox-spamassassin: 3.4.6-4
proxmox-widget-toolkit: 3.4-7
pve-firmware: 3.3-6
pve-xtermjs: 4.16.0-1
zfsutils-linux: 2.1.2-pve1

Any and all assistance would be GREATLY appreciated!
 
Hey Stoiko,

Thanks for getting back to me. I hadn't until you advised me to. That clarified the sync issue. The open relay and TLS issues remain.

It appears as though /etc/postfix/main.cf was overwritten since I configured TLS. I'm pretty sure I set that up before realizing all configs had to be done through /etc/pmg/templates. I'm guessing the first time I ran 'pmgconfig sync' it overwrote whatever values before erring on the missing search domain value, or it reset during a reboot or something.
 
The open relay and TLS issues remain.
not sure what your exact problems here are (logs, config settings, exact error report would help) - but a few observations/guesses:
* TLS with PMG usually just works - you only need to enable it in GUI->Configuration->Mail Proxy->TLS (that's assuming you did not modify the main.cf.in/master.cf.in template for those settings)
* if the issue is that the certificate is not created by a publicly trusted CA - check out the ACME integration of PMG:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#sysadmin_certificate_management
* regarding the Open Relay - PMG's config does prevent this in general by the following rules (slightly abridged):
** for mails on the external port (defaults to port 25) - only mails _to_ your Relay Domains are accepted
** for mails on the internal port (defaults to port 26) - only mails _from_ your trusted networks are accepted

I hope this helps!
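A small model of the two acceptance rules described above, added here as an illustration (it is not code from PMG or from anyone in the thread). It parses a constructed excerpt in the `pmgconfig dump` format posted later in the thread and assumes the relay-domain list is passed in by hand, since that list lives in PMG's database rather than in the dump:

```python
import ipaddress

# Constructed excerpt in the 'pmgconfig dump' format (values taken from the thread's dump).
SAMPLE_DUMP = """\
pmg.mail.ext_port = 25
pmg.mail.int_port = 26
pmg.mail.tls = 1
pmg.admin.http_proxy =
postfix.mynetworks = 127.0.0.0/8 [::1]/128 192.168.70.0/24 10.105.150.2/32
"""


def parse_dump(text):
    """Parse 'key = value' lines; a key with nothing after '=' maps to ''."""
    cfg = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def parse_mynetworks(value):
    """postfix.mynetworks is whitespace separated; IPv6 entries are bracketed, e.g. [::1]/128."""
    return [ipaddress.ip_network(item.replace("[", "").replace("]", ""), strict=False)
            for item in value.split()]


def accepts(cfg, port, client_ip, rcpt_domain, relay_domains):
    """Abridged model of the two rules: on the external port only mail TO a relay
    domain is accepted; on the internal port only mail FROM a trusted network."""
    ip = ipaddress.ip_address(client_ip)
    if port == int(cfg["pmg.mail.ext_port"]):
        return rcpt_domain.lower() in {d.lower() for d in relay_domains}
    if port == int(cfg["pmg.mail.int_port"]):
        # 'ip in net' is False when the address and network families differ, so mixing v4/v6 is safe
        return any(ip in net for net in parse_mynetworks(cfg["postfix.mynetworks"]))
    return False  # PMG does not listen on other ports (such as 587) by default


if __name__ == "__main__":
    cfg = parse_dump(SAMPLE_DUMP)
    # An outside host may deliver to a relay domain on port 25 but may not relay elsewhere.
    print(accepts(cfg, 25, "203.0.113.5", "mydomain.tld", ["mydomain.tld"]))   # True
    print(accepts(cfg, 25, "203.0.113.5", "other.example", ["mydomain.tld"]))  # False
```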
 
Update: After setting the search domain in /etc/resolv.conf, and creating a /etc/resolv.conf.d/base file, adding the correct nameservers and search domain, and running 'resolveconf -u' it resets, wiping out the search domain. I know I can set a flag to inhibit overwrites, but I don't believe that is the correct way to address this.

I kind of figured that, but something is apparently incorrectly configured somewhere. I'm running my servers locally, behind a public VPS linked via VPN, but nothing too crazy. Traffic is proxied via HAProxy through the WireGuard tunnel to my local network. If I take the PMG out of the mix and direct all traffic through the mail server, everything's working as expected. What's strange to me is the PMG was working as intended and all checks were passing until I started the hardening procedure!

Here's the output from 'pmgconfig dump':

pmgconfig dump
composed.wl_bounce_relays = pmg.localdomain
dns.domain = localdomain
dns.fqdn = pmg.localdomain
dns.hostname = pmg
ipconfig.int_ip = 192.168.70.43
pmg.admin.advfilter = 1
pmg.admin.avast = 0
pmg.admin.clamav = 1
pmg.admin.custom_check = 0
pmg.admin.custom_check_path = /usr/local/bin/pmg-custom-check
pmg.admin.dailyreport = 1
pmg.admin.demo = 0
pmg.admin.dkim_selector = modoboa
pmg.admin.dkim_sign = 1
pmg.admin.dkim_sign_all_mail = 1
pmg.admin.email = Me@MyDomain.TLD
pmg.admin.http_proxy =
pmg.admin.statlifetime = 7
pmg.clamav.archiveblockencrypted = 0
pmg.clamav.archivemaxfiles = 1000
pmg.clamav.archivemaxrec = 5
pmg.clamav.archivemaxsize = 25000000
pmg.clamav.dbmirror = database.clamav.net
pmg.clamav.maxcccount = 0
pmg.clamav.maxscansize = 100000000
pmg.clamav.safebrowsing = 0
pmg.clamav.scriptedupdates = 1
pmg.mail.banner = MEI Proxmox
pmg.mail.before_queue_filtering = 0
pmg.mail.conn_count_limit = 50
pmg.mail.conn_rate_limit = 0
pmg.mail.dnsbl_sites =
pmg.mail.dnsbl_threshold = 1
pmg.mail.dwarning = 4
pmg.mail.ext_port = 25
pmg.mail.greylist = 1
pmg.mail.greylist6 = 0
pmg.mail.greylistmask4 = 24
pmg.mail.greylistmask6 = 64
pmg.mail.helotests = 0
pmg.mail.hide_received = 1
pmg.mail.int_port = 26
pmg.mail.max_filters = 38
pmg.mail.max_policy = 5
pmg.mail.max_smtpd_in = 100
pmg.mail.max_smtpd_out = 100
pmg.mail.maxsize = 10485760
pmg.mail.message_rate_limit = 0
pmg.mail.ndr_on_block = 0
pmg.mail.rejectunknown = 0
pmg.mail.rejectunknownsender = 0
pmg.mail.relay = 10.105.150.2
pmg.mail.relaynomx = 0
pmg.mail.relayport = 25
pmg.mail.relayprotocol = smtp
pmg.mail.smarthost =
pmg.mail.smarthostport = 25
pmg.mail.spf = 1
pmg.mail.tls = 1
pmg.mail.tlsheader = 1
pmg.mail.tlslog = 1
pmg.mail.verifyreceivers = 450
pmg.spam.bounce_score = 0
pmg.spam.clamav_heuristic_score = 3
pmg.spam.languages = all
pmg.spam.maxspamsize = 262144
pmg.spam.rbl_checks = 1
pmg.spam.use_awl = 1
pmg.spam.use_bayes = 1
pmg.spam.use_razor = 1
pmg.spam.wl_bounce_relays =
pmg.spamquar.allowhrefs = 1
pmg.spamquar.authmode = ticket
pmg.spamquar.hostname =
pmg.spamquar.lifetime = 7
pmg.spamquar.mailfrom =
pmg.spamquar.port = 8006
pmg.spamquar.protocol = https
pmg.spamquar.quarantinelink = 0
pmg.spamquar.reportstyle = verbose
pmg.spamquar.viewimages = 1
pmg.virusquar.allowhrefs = 1
pmg.virusquar.lifetime = 7
pmg.virusquar.viewimages = 1
postfix.dnsbl_threshold = 1
postfix.int_ip = 192.168.70.43
postfix.mynetworks = 127.0.0.0/8 [::1]/128 192.168.70.0/24 10.105.150.2/32
postfix.transportnets =
postfix.usepolicy = 1
postgres.version = 13

The local network is 192.168.70.0/24. The WG tunnel is 10.105.150.0/24. PMG is 10.105.150.3 and e-mail server is 10.105.150.2.
 
Okay! Even more interestingly, I definitely DID set the search domain in the GUI under Configuration upon initial setup. At some point, it appears to have been deleted. I just input the proper search domain and was able to run 'pmgconfig sync --restart 1' without failure. For the sake of it, I ran 'pmgconfig tlscert' and retested with MXToolbox. It's still showing as an open relay without TLS.

I'm going to review the information again later when I get back and play around a bit. I'll be sure to report back. Thanks again!
 
For the record, here is the output from a 'pmgconfig dump':

# pmgconfig dump
composed.wl_bounce_relays = pmg.MyDomain.TLD
dns.domain = MyDomain.TLD
dns.fqdn = pmg.MyDomain.TLD
dns.hostname = pmg
ipconfig.int_ip = 192.168.70.43
pmg.admin.advfilter = 1
pmg.admin.avast = 0
pmg.admin.clamav = 1
pmg.admin.custom_check = 0
pmg.admin.custom_check_path = /usr/local/bin/pmg-custom-check
pmg.admin.dailyreport = 1
pmg.admin.demo = 0
pmg.admin.dkim_selector = modoboa
pmg.admin.dkim_sign = 1
pmg.admin.dkim_sign_all_mail = 1
pmg.admin.email = Me@MyDomain.TLD
pmg.admin.http_proxy =
pmg.admin.statlifetime = 7
pmg.clamav.archiveblockencrypted = 0
pmg.clamav.archivemaxfiles = 1000
pmg.clamav.archivemaxrec = 5
pmg.clamav.archivemaxsize = 25000000
pmg.clamav.dbmirror = database.clamav.net
pmg.clamav.maxcccount = 0
pmg.clamav.maxscansize = 100000000
pmg.clamav.safebrowsing = 0
pmg.clamav.scriptedupdates = 1
pmg.mail.banner = MEI Proxmox
pmg.mail.before_queue_filtering = 0
pmg.mail.conn_count_limit = 50
pmg.mail.conn_rate_limit = 0
pmg.mail.dnsbl_sites =
pmg.mail.dnsbl_threshold = 1
pmg.mail.dwarning = 4
pmg.mail.ext_port = 25
pmg.mail.greylist = 1
pmg.mail.greylist6 = 0
pmg.mail.greylistmask4 = 24
pmg.mail.greylistmask6 = 64
pmg.mail.helotests = 0
pmg.mail.hide_received = 1
pmg.mail.int_port = 26
pmg.mail.max_filters = 38
pmg.mail.max_policy = 5
pmg.mail.max_smtpd_in = 100
pmg.mail.max_smtpd_out = 100
pmg.mail.maxsize = 10485760
pmg.mail.message_rate_limit = 0
pmg.mail.ndr_on_block = 0
pmg.mail.rejectunknown = 0
pmg.mail.rejectunknownsender = 0
pmg.mail.relay = 10.105.150.2
pmg.mail.relaynomx = 0
pmg.mail.relayport = 25
pmg.mail.relayprotocol = smtp
pmg.mail.smarthost =
pmg.mail.smarthostport = 25
pmg.mail.spf = 1
pmg.mail.tls = 1
pmg.mail.tlsheader = 1
pmg.mail.tlslog = 1
pmg.mail.verifyreceivers = 450
pmg.spam.bounce_score = 0
pmg.spam.clamav_heuristic_score = 3
pmg.spam.languages = all
pmg.spam.maxspamsize = 262144
pmg.spam.rbl_checks = 1
pmg.spam.use_awl = 1
pmg.spam.use_bayes = 1
pmg.spam.use_razor = 1
pmg.spam.wl_bounce_relays =
pmg.spamquar.allowhrefs = 1
pmg.spamquar.authmode = ticket
pmg.spamquar.hostname =
pmg.spamquar.lifetime = 7
pmg.spamquar.mailfrom =
pmg.spamquar.port = 8006
pmg.spamquar.protocol = https
pmg.spamquar.quarantinelink = 0
pmg.spamquar.reportstyle = verbose
pmg.spamquar.viewimages = 1
pmg.virusquar.allowhrefs = 1
pmg.virusquar.lifetime = 7
pmg.virusquar.viewimages = 1
postfix.dnsbl_threshold = 1
postfix.int_ip = 192.168.70.43
postfix.mynetworks = 127.0.0.0/8 [::1]/128 192.168.70.0/24 10.105.150.2/32
postfix.transportnets =
postfix.usepolicy = 1
postgres.version = 13

Now, the FQDN, bounce domain, and DNS are reflecting the proper entries, so there's progress! ;-)
 
On a hunch - did you set a (correct) 'search' domain in /etc/resolv.conf ?

see https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_configuration_files_overview

I hope this helps!

(if not, please provide the output of `pmgconfig dump`)
Stoiko,

Thank you again for your assistance! You pointed me in the right direction and I figured out what was going on.

After further evaluation, I have found that TLS is working perfectly. It appears SMTP on port 25 is now rejected, or at least I'm unable to telnet into it on the straight domain. However, if I telnet mail.mydomain.tld 587, all checks pass, and I have verified this in the logs of both the PMG and the mail servers. I also confirmed this on MXToolbox with 587 appended to the URL.

My only question now is, was part of the hardening process restricting non-encrypted SMTP? Or am I looking at another configuration issue? I don't see anything abundantly obvious that would inhibit SMTP and only allow SMTP/S.
 
However, if I telnet mail.mydomain.tld 587,
pmg does not listen on port 587 in its default configuration (and does not offer SMTP-Auth, which is usually required there)

My only question now is, was part of the hardening process restricting non-encrypted SMTP?
if you're referring to https://github.com/killmasta93/tutorials/wiki/PMG-Harden#geoip - I don't see anything which would modify the postfix config regarding TLS there?
 