[SOLVED] Allow single IP in Trusted Network

[kez]

Hi there!

How do we allow single IPs (servers) in the Trusted Networks?

I've tried 1.2.3.4/30 and 1.2.3.4/32 for a single IP CIDR but none of the IPs can relay. The cPanel server 1.2.3.4 is smart-hosting to PMG on port 26.

Here is the log from PMG:

NOQUEUE: reject: RCPT from cpanel.example.com[1.2.3.4]: 554 5.7.1 : Relay access denied; from=<x> to=<x> proto=ESMTP helo=<cpanel.example.com>

Also, I see errors like this:

postfix/postscreen[16236]: warning: postscreen_access_list: non-null host address bits in "1.2.3.4/30", perhaps you should use "1.2.3.1/30" instead
postfix/postscreen[16236]: warning: postscreen_access_list: permit_mynetworks: mynetworks lookup error -- ignoring the remainder of this access list

Any help would be appreciated

 

[Stoiko Ivanov]

which versions do you have installed? (the output of `pmgversion -v`)

a similar issue was recently fixed and the version should be available on most repositories already

 

[kez]

Hi there,

Thanks for the help.

It seems to be 7.2-1:

root@mailgate:~# pmgversion -v
proxmox-mailgateway: 7.2-1 (API: 7.2-1/ab33025e, running kernel: 5.15.74-1-pve)
pmg-api: 7.2-1
pmg-gui: 3.2-2
pve-kernel-5.15: 7.2-14
pve-kernel-helper: 7.2-14
pve-kernel-5.15.74-1-pve: 5.15.74-1
clamav-daemon: 0.103.7+dfsg-0+deb11u1
ifupdown2: 3.1.0-1+pmx3
libarchive-perl: 3.4.0-1
libjs-extjs: 7.0.0-1
libjs-framework7: 4.4.7-1
libproxmox-acme-perl: 1.4.2
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.3-1
libpve-http-server-perl: 4.1-5
libxdgmime-perl: 1.0-1
lvm2: 2.03.11-2.1
pmg-docs: 7.2-1
pmg-i18n: 2.8-1
pmg-log-tracker: 2.3.2-1
postgresql-13: 13.8-0+deb11u1
proxmox-mini-journalreader: 1.3-1
proxmox-spamassassin: 3.4.6-5
proxmox-widget-toolkit: 3.5.3
pve-firmware: 3.5-6
pve-xtermjs: 4.16.0-1
zfsutils-linux: 2.1.6-pve1

 

[Stoiko Ivanov]

pmg-api: 7.2-1

The update fixing this is in pmg-api 7.2-4 - just upgrade to the latest version and try again.

I hope this helps!

 

[kez]

Thanks, sorry to be so dim but even after an upgrade and reboot it still says pmg-api: 7.2-1

root@mailgate1:~# pmgversion -v
proxmox-mailgateway: 7.2-1 (API: 7.2-1/ab33025e, running kernel: 5.15.74-1-pve)
pmg-api: 7.2-1

Did I miss something obvious?

 

[Stoiko Ivanov]

please post the complete output of `apt update` and `apt full-upgrade` as text (instead of a screenshot) - and also check if the pmg-api version maybe was upgraded already - the partial screenshot does not provide enough information...

 

[kez]

Sure, I only installed this yesterday for the first time so am still learning.

Installed version:

root@mailgate1:~# apt search pmg-api
Sorting... Done
Full Text Search... Done
pmg-api/now 7.2-1 all [installed,local]
  Proxmox Mailgateway API Server Implementation

apt update

# apt update
Hit:1 http://security.debian.org bullseye-security InRelease
Hit:2 http://ftp.uk.debian.org/debian bullseye InRelease
Get:3 http://ftp.uk.debian.org/debian bullseye-updates InRelease [44.1 kB]
Err:4 https://enterprise.proxmox.com/debian/pmg bullseye InRelease
  401  Unauthorized [IP: 51.91.38.34 443]
Reading package lists... Done
E: Failed to fetch https://enterprise.proxmox.com/debian/pmg/dists/bullseye/InRelease  401  Unauthorized [IP: 51.91.38.34 443]
E: The repository 'https://enterprise.proxmox.com/debian/pmg bullseye InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

and

# apt full-upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Thanks again.

 

[Stoiko Ivanov]

E: Failed to fetch https://enterprise.proxmox.com/debian/pmg/dists/bullseye/InRelease 401 Unauthorized [IP: 51.91.38.34 443] E: The repository 'https://enterprise.proxmox.com/debian/pmg bullseye InRelease' is not signed.

You have configured the Enterprise repository, but don't seem to have a valid subscription:
* either get a subscription-key for your system or
* configure the pmg-no-subscription repository

see:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmg_package_repositories

 

[kez]

Thanks you!

 

[kez]

Hi Stoiko,

So I'm all up to date now:

root@mailgate1:~# pmgversion -v
proxmox-mailgateway: 7.2-1 (API: 7.2-4/532fc47f, running kernel: 5.15.74-1-pve)
pmg-api: 7.2-4

I added the cpanel server IP 1.2.3.4 like 1.2.3.4/30 in the Trusted Networks.

Then allowed cpanel to smart host to us: * <mypmgserver>::26

But still, all mail from all domains are Relay access denied:

Mar 27 11:11:01 mailgate1 postfix/smtpd[24576]: NOQUEUE: reject: RCPT from cpanel.example.co.uk[1.2.3.4]: 554 5.7.1 <user@domain.org.uk>: Relay access denied; from=<user@domain.org.uk> to=<user@domain.org.uk> proto=ESMTP helo=<cpanel.example.co.uk>
Mar 27 11:11:01 mailgate1 postfix/smtpd[24576]: disconnect from cpanel.example.co.uk[1.2.3.4] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 quit=1 commands=5/7

Could you offer any more advice?

 

[kez]

I assumed IPs in Trusted Networks can relay any domain. The individual domains do not need to be specified in the Relay Domains section?

 

[Stoiko Ivanov]

So I'm all up to date now:

just to be sure - I'd suggest to reboot once! (although the post-installation scripts should take care of the issues)

I assumed IPs in Trusted Networks can relay any domain.

This is correct for mail arriving on the internal port of PMG

The individual domains do not need to be specified in the Relay Domains section?

Yes - they do not need to be specified for outbound mails (mail for all domains in your relay domains is accepted on the external port of PMG (25), no matter where it comes from)

* do you maybe have any port-forwarding/NAT settings that might change on which port the mails arrive?
* do you have any modification to the configuration templates in /etc/pmg/templates?

 

[kez]

Thanks, all resolved