Cannot close open relay

[gmac]

Using PMG 6.2-6 in a lxd container as a load-balance and fail over with another PMG in a vm. Container PMG called pmg2; vm PMG called pmg1.
Run an open relay test from https://tools.appriver.com/OpenRelay.aspx shows "Relay NOT accepted" on all tests for pmg1, but "Relay accepted" for pmg2.
I have compared pmg1 and pmg2 mail proxy configurations in the GUI with no apparent differences.
On pmg2, manually editing /etc/postfix/main.cf to change the order of smtpd_recipient_restrictions so that reject_unauth_destination precedes permit_mynetworks corrects the open relay problem BUT 1) pmg1 does not have that change, and 2) the change gets overwritten when postfix is next restarted.

What am I missing, please?

 

[tom]

By default, a Proxmox Mail Gateway is never an open relay.

There are protections on the internal and external SMTP port. So the first step is to check your port settings and (external) firewall settings.

 

[gmac]

Yes, I realise that PMG is never meant to be an open relay, hence my puzzlement at what I'm seeing - must be an error I've made but I can't locate it.

So, pmg2 runs in an lxd container with a NAT network via a bridge to the host. Only ports 25 (smtp) and 8006 (web gui) are open via lxd proxy devices. On the lxd host, I am running firewalld with ports 22, 25 and 8006 open.

In the pmg gui, in the mail proxy configuration, on the ports tab, I have external smtp port 25 and internal smtp port 26.

An example from the tracking centre of a message accepted and delivered (only email for my domain - bitsofstring.co.uk - should be accepted):

Oct 25 10:38:18 pmg2 postfix/smtpd[19131]: connect from pmg2.bitsofstring.co.uk[10.163.55.104]
Oct 25 10:38:18 pmg2 postfix/smtpd[19131]: NOQUEUE: client=pmg2.bitsofstring.co.uk[10.163.55.104]
Oct 25 10:38:19 pmg2 postfix/smtpd[19131]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (11B83E5F95559A78839); from=<info@labwig.com> to=<barjohn.williams@aol.com> proto=ESMTP helo=<[80.82.64.116]>
Oct 25 10:38:19 pmg2 postfix/smtpd[19131]: NOQUEUE: client=pmg2.bitsofstring.co.uk[10.163.55.104]
Oct 25 10:38:19 pmg2 postfix/smtpd[19131]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (11B83E5F95559B0A51B); from=<info@labwig.com> to=<fedex-ngr1967@live.com> proto=ESMTP helo=<[80.82.64.116]>
Oct 25 10:38:19 pmg2 postfix/smtpd[19131]: NOQUEUE: client=pmg2.bitsofstring.co.uk[10.163.55.104]
Oct 25 10:38:19 pmg2 pmg-smtp-filter[18979]: 11B83E5F95559B8FEE0: new mail message-id=
Oct 25 10:38:20 pmg2 pmg-smtp-filter[18979]: 11B83E5F95559B8FEE0: SA score=2/5 time=0.442 bayes=undefined autolearn=no autolearn_force=no hits=ALL_TRUSTED(-1),AWL(0.403),FREEMAIL_FORGED_REPLYTO(2.503),KAM_DMARC_STATUS(0.01),LOTS_OF_MONEY(0.001),MILLION_USD(0.001),MISSING_MID(0.14),SUBJ_ALL_CAPS(0.5),T_MONEY_PERCENT(0.01)
Oct 25 10:38:20 pmg2 postfix/smtpd[19136]: connect from localhost[127.0.0.1]
Oct 25 10:38:20 pmg2 postfix/smtpd[19136]: 1029F11B841: client=localhost[127.0.0.1], orig_client=pmg2.bitsofstring.co.uk[10.163.55.104]
Oct 25 10:38:20 pmg2 postfix/cleanup[19137]: 1029F11B841: message-id=<20201025103820.1029F11B841@pmg2.lxd>
Oct 25 10:38:20 pmg2 postfix/qmgr[469]: 1029F11B841: from=<info@labwig.com>, size=3075, nrcpt=1 (queue active)
Oct 25 10:38:20 pmg2 postfix/smtpd[19136]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Oct 25 10:38:20 pmg2 pmg-smtp-filter[18979]: 11B83E5F95559B8FEE0: accept mail to <markgensburger@gmail.com> (1029F11B841) (rule: default-accept)
Oct 25 10:38:20 pmg2 pmg-smtp-filter[18979]: 11B83E5F95559B8FEE0: processing time: 0.484 seconds (0.442, 0.023, 0)
Oct 25 10:38:20 pmg2 postfix/smtpd[19131]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (11B83E5F95559B8FEE0); from=<info@labwig.com> to=<markgensburger@gmail.com> proto=ESMTP helo=<[80.82.64.116]>
Oct 25 10:38:20 pmg2 postfix/smtpd[19131]: NOQUEUE: client=pmg2.bitsofstring.co.uk[10.163.55.104]
Oct 25 10:38:20 pmg2 postfix/smtpd[19131]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (11B83E5F95559C1A64A); from=<info@labwig.com> to=<samuel4chat21@yahoo.com> proto=ESMTP helo=<[80.82.64.116]>
Oct 25 10:38:20 pmg2 postfix/smtp[19122]: 1029F11B841: to=<markgensburger@gmail.com>, relay=gmail-smtp-in.l.google.com[209.85.202.26]:25, delay=0.59, delays=0/0/0.16/0.43, dsn=2.0.0, status=sent (250 2.0.0 OK 1603622301 h8si6022524ejj.258 - gsmtp)
Oct 25 10:38:20 pmg2 postfix/qmgr[469]: 1029F11B841: removed
Oct 25 10:38:20 pmg2 postfix/smtpd[19131]: disconnect from pmg2.bitsofstring.co.uk[10.163.55.104] ehlo=1 mail=4 rcpt=4 data=4 quit=1 commands=14

 

[Stoiko Ivanov]

Check the output of `pmgconfig dump` -the postfix transportnets variable contains all ip-ranges for which relaying from the internal port is allowed

Maybe the NAT part causes all mails to look like they originate from your host (and not from the outside)?

if you need to adapt the postfix configuration you need to use the templateting system:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine

I hope this helps!

 

[gmac]

@Stoiko, thanks for the suggestions.

Good plan to check pmgconfig dump, I will compare both pmg1 and pmg2.

In the meantime, as you suggest, I have used the templating system to override the postfix config, prioritising reject_unauth_destination:

smtpd_recipient_restrictions =
        reject_unauth_destination
        reject_non_fqdn_recipient
        permit_mynetworks
        check_recipient_access  regexp:/etc/postfix/rcptaccess check_sender_access  regexp:/etc/postfix/senderaccess check_client_access  cidr:/etc/postfix/clientaccess check_policy_service inet:127.0.0.1:10022