Bypassing PMG for just one domain

Jan 20, 2022
We have the requirement to host a new email domain on our email servers, while this domain should follow the same email flow as the other domains, this new domain should effectively bypass PMG and hit our mail servers directly. Reason is that this domain gets its SPAM/Virus checks done by a 3rd party provider before it even hits our servers.
So inbound email flow is like below:
External sender/email server -> new domain MX record points to -> 3rd party (virus check) -> our PMG (bypass) -> our Mailserver

What would you consider to be the most effective way to handle this situation? Simply add that domain to MailProxy/Whitelist, direction Receiver?
I could obviously have the 3rd party talk directly to my mail servers, but I'd like to avoid exposing the mail servers to the internet.
 
while you could add the domain to the whitelists, note that some checks happen even before pmg knows the receiver address/domain (e.g. ip/dns checks of the source server) which you can only enable/disable globally
OTOH, if you simply forward every mail to the mail server anyway, is there really a difference to opening the smtp port of that mail server to the internet? (with a sane and patched mail server of course)
 
Thanks a lot Dominik, "going direct" would mean a slightly more complicated setup, new DNS entries and public IP addresses.
Having PMG do some of the basic sanity checks may actually be good in this scenario, because either the 3rd party did its job and nothing bad comes through, or someone is somehow playing man in the middle, in which case those checks may be helpful.

I got something to work with, so thanks for responding!
 
Hello @t0mz ,

I would say direct to your mail server, however restrict the source of mail on the email server.
In other words, accept email from their gateway, and accept email from your gateway and nowhere else on your email server.
 
Thanks everyone, I now have the domains in question listed under Mail Proxy / Whitelist
Type: Domain
Direction: Receiver
Value: WhitelistedDomain.com

According to the documentation (All SMTP checks are disabled for those entries (e.g. Greylisting, SPF, DNSBL, …)) and the conversations higher up that should do the trick?
But yet, there are still emails that get quarantined?

Nov 30 08:42:08 pmg1 postfix/smtpd[1105814]: connect from mail-wm1-f70.google.com[209.85.128.70]
Nov 30 08:42:08 pmg1 postfix/smtpd[1105814]: Anonymous TLS connection established from mail-wm1-f70.google.com[209.85.128.70]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Nov 30 08:42:08 pmg1 postfix/smtpd[1105814]: NOQUEUE: client=mail-wm1-f70.google.com[209.85.128.70]
Nov 30 08:42:08 pmg1 pmg-smtp-filter[1106601]: DC183163871760D6760: new mail message-id=<d1f979f0.AWAAAAOOwJ0AAAABO8AAAAOHsoIAAAAAN1QAADEvABrHRwBjhxci@mailjet.com>#012
Nov 30 08:42:12 pmg1 pmg-smtp-filter[1106601]: DC183163871760D6760: SA score=5/5 time=3.978 bayes=undefined autolearn=disabled hits=AWL(1.279),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),HEADER_FROM_DIFFERENT_DOMAINS(0.249),HTML_MESSAGE(0.001),MAILING_LIST_MULTI(-1),RAZOR2_CF_RANGE_51_100(2.43),RAZOR2_CHECK(1.729),SPF_FAIL(0.919),SPF_HELO_NONE(0.001),T_KAM_HTML_FONT_INVALID(0.01)
Nov 30 08:42:13 pmg1 pmg-smtp-filter[1106601]: DC183163871760D6760: moved mail for <receiver@WhitelistedDomain.com> to spam quarantine - DC189663871764EFC0D (rule: Quarantine/Mark Spam (Level 05))
Nov 30 08:42:13 pmg1 pmg-smtp-filter[1106601]: DC183163871760D6760: processing time: 4.22 seconds (3.978, 0.079, 0)
Nov 30 08:42:13 pmg1 postfix/smtpd[1105814]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (DC183163871760D6760); from=<d1f979f0.AWAAAAOOwJ0AAAABO8AAAAOHsoIAAAAAN1QAADEvABrHRwBjhxci@a1754951.bnc3.mailjet.com> to=<receiver@WhitelistedDomain.com> proto=ESMTP helo=<mail-wm1-f70.google.com>
Nov 30 08:42:43 pmg1 postfix/smtpd[1105814]: disconnect from mail-wm1-f70.google.com[209.85.128.70] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=1 quit=1 commands=7

Is there anything else which could overrule MailProxy/Whitelist? I can't set any priorities so I would expect this whitelist to get executed before any other rules come into play?

Anyway, to avoid more emails ending in quarantine while I sort this out I went ahead and created a new rule in the Mail Filter section:
- A who object with the receiving domains I want to traverse through PMG unchallenged
- Action: Accept
- Priority: 99 (highest)

I can see the new filter being applied as there are already log entries mentioning the filter:
Nov 30 13:28:28 pmg2 pmg-smtp-filter[2657487]: C0484063875A7A44061: accept mail to <receiver@WhitelistedDomain.com> (D3242C0488F) (rule: Bypass PMG)

So I guess I got this covered, yet the question remains why the simple Proxy/Whitelist didn't show the expected effect?

Thanks
Thomas
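As an added example (not code from the thread, and not part of PMG itself), a small script that parses pmg-smtp-filter log lines like the ones quoted above and reports messages addressed to a domain that is supposed to bypass filtering but which the rule system quarantined anyway, together with the SpamAssassin score and the rule that fired. It also lists the messages the bypass rule accepted, so a quick run over the mail log shows whether the bypass actually covers everything. The log sample is constructed from the lines quoted in this thread plus one constructed line for an unrelated domain; the function and variable names are mine.

```python
import re

# Constructed sample: the pmg-smtp-filter lines quoted in this thread plus one
# constructed line for an unrelated domain (so the audit has something to skip).
SAMPLE_LOG = """\
Nov 30 08:42:12 pmg1 pmg-smtp-filter[1106601]: DC183163871760D6760: SA score=5/5 time=3.978 bayes=undefined autolearn=disabled hits=AWL(1.279),SPF_FAIL(0.919)
Nov 30 08:42:13 pmg1 pmg-smtp-filter[1106601]: DC183163871760D6760: moved mail for <receiver@WhitelistedDomain.com> to spam quarantine - DC189663871764EFC0D (rule: Quarantine/Mark Spam (Level 05))
Nov 30 13:28:28 pmg2 pmg-smtp-filter[2657487]: C0484063875A7A44061: accept mail to <receiver@WhitelistedDomain.com> (D3242C0488F) (rule: Bypass PMG)
Nov 30 13:30:01 pmg2 pmg-smtp-filter[2657490]: AAAA0000000000000001: moved mail for <someone@other.example> to spam quarantine - BBBB0000000000000002 (rule: Quarantine/Mark Spam (Level 05))
"""

# Every pmg-smtp-filter line carries a queue id followed by the event text.
FILTER_RE = re.compile(r"pmg-smtp-filter\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$")
SCORE_RE = re.compile(r"^SA score=(?P<score>-?\d+)/(?P<limit>\d+)")
# The rule name may itself contain parentheses, so match greedily up to the
# closing parenthesis at end of line.
QUAR_RE = re.compile(
    r"^moved mail for <(?P<rcpt>[^>]+)> to (?P<kind>\w+) quarantine - "
    r"(?P<qqid>[0-9A-F]+) \(rule: (?P<rule>.+)\)$"
)
ACCEPT_RE = re.compile(
    r"^accept mail to <(?P<rcpt>[^>]+)> \((?P<pqid>[0-9A-F]+)\) \(rule: (?P<rule>.+)\)$"
)


def rcpt_domain(address):
    """Lower-cased domain part of an address, so WhitelistedDomain.com matches."""
    return address.rsplit("@", 1)[-1].lower()


def audit_bypass(log_lines, bypass_domains):
    """Return the rule-system verdicts for recipients in the bypass domains.

    'quarantined' lists messages the rule system quarantined despite the
    recipient domain being on the bypass list (the situation in this thread);
    'accepted' lists messages an accept rule let through, with the rule name.
    """
    wanted = {d.lower() for d in bypass_domains}
    scores = {}  # queue id -> SA score; the score line precedes the verdict line
    quarantined, accepted = [], []
    for line in log_lines:
        m = FILTER_RE.search(line)
        if not m:
            continue  # postfix/postscreen lines are not rule-system events
        qid, rest = m["qid"], m["rest"]
        s = SCORE_RE.match(rest)
        if s:
            scores[qid] = int(s["score"])
            continue
        q = QUAR_RE.match(rest)
        if q and rcpt_domain(q["rcpt"]) in wanted:
            quarantined.append({
                "qid": qid,
                "rcpt": q["rcpt"],
                "kind": q["kind"],
                "rule": q["rule"],
                "sa_score": scores.get(qid),
            })
            continue
        a = ACCEPT_RE.match(rest)
        if a and rcpt_domain(a["rcpt"]) in wanted:
            accepted.append({"qid": qid, "rcpt": a["rcpt"], "rule": a["rule"]})
    return {"quarantined": quarantined, "accepted": accepted}


if __name__ == "__main__":
    result = audit_bypass(SAMPLE_LOG.splitlines(), ["WhitelistedDomain.com"])
    for f in result["quarantined"]:
        print(f"QUARANTINED {f['qid']} {f['rcpt']} score={f['sa_score']} rule={f['rule']!r}")
    for f in result["accepted"]:
        print(f"ACCEPTED    {f['qid']} {f['rcpt']} rule={f['rule']!r}")
```

On a real gateway you would feed it the mail log (for example `journalctl -u pmg-smtp-filter` or /var/log/mail.log) instead of the constructed sample. Any entry in the 'quarantined' list means a rule with a higher effective priority than the bypass rule still matched, which is the symptom described in this thread.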
 
The mail got quarantined by the rule system - not rejected during the smtp-dialog by postfix (which is what the Mailproxy Whitelist is used for) - see the reference documentation on the different accesslists in PMG:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_whitelist_overview

I hope this helps!
It does definitely help. That means the rule engine always kicks in before the Mail Proxy which is important to understand as in that case Proxy Whitelisting is very different from what I thought.
 
That means the rule engine always kicks in before the Mail Proxy
mail is passed to the rule engine (done by pmg-smtp-filter) _after_ it gets handled by the Mail Proxy (postfix/postscreen/pmgpolicy) - but is orthogonal - if a mail gets handed to it, it just means it passed through the Mail Proxy
 
I had the same issue, in the end I had to configure direct delivery of email to the mail server. Do not process emails via proxmox mail gateway if you are not filtering emails as your Bayesian and statistics will be all wrong. It's not possible to completely disable filtering for one domain/server, more info in the thread below:
https://forum.proxmox.com/threads/d...e-sender-ip-of-the-sender.118346/#post-513270
Indeed, exact same scenario as mine. Short term I should be ok with Proxy/Whitelist + Filter, but mid term it seems I will have to bite the bullet and make our mail servers accessible externally. Or maybe I can redirect at the OpnSense level…
Thanks for sharing!
 
We have only enabled access to the mail server from the server that needs to be sending email directly and nothing else. This is the best way to do this in a secure way. Access list it's called, ask your network guys. Only allow access to the mail server on port 25 for IPs that will be sending you email.
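One way to apply the "access list" advice above on the mail server itself, as an added example that is not the poster's configuration: the thread does not say what the mail servers run, so assuming Postfix, and using placeholder addresses for the PMG host and the 3rd-party provider's sending range. The same restriction belongs on the perimeter firewall as well; this only covers the SMTP daemon.

```conf
# /etc/postfix/main.cf (added example, not from the thread)
# Accept SMTP connections only from our own PMG and from the 3rd-party
# filtering provider; every other client is rejected.
smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access cidr:/etc/postfix/client_access.cidr,
    reject

# /etc/postfix/client_access.cidr (addresses are placeholders)
# our PMG host
192.0.2.10/32       OK
# 3rd-party filtering provider's outbound range, as published by the provider
198.51.100.0/24     OK
# everyone else
0.0.0.0/0           REJECT Direct delivery not permitted, relay via the mail gateway
```

With this in place the mail server can have a public address without accepting mail from arbitrary senders, which is the concern raised at the start of the thread; whenever the provider's sending range changes, the cidr map has to be updated or their mail is rejected.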
 