Cluster - Banner Names, Sending Email and Certificates

Jun 10, 2021
Hi All,

I'm testing the cluster feature of Proxmox and have a question/comment.

Let's say you have a master PM server and one node with the following configuration:

Master: node1.domain.com 1.2.3.4
Node: node2.domain.com 1.2.3.5

Each server has a PTR (reverse dns) record and a Let's Encrypt certificate.

Problem: The SMTP banner for both servers is the same (node1.domain.com). When you send email through node2.domain.com, some ISPs will send the email to spam or block it altogether because the SMTP banner does not match the PTR record or the certificate.

I would think each server should have its own SMTP banner and we would do load balancing through MX records.

How do you guys handle this?
 
Problem: The SMTP banner for both servers is the same (node1.domain.com). When you send email through node2.domain.com, some ISPs will send the email to spam or block it altogether because the SMTP banner does not match the PTR record or the certificate.
TBH I've seldom seen mails being rejected due to the helo_name not matching up.

In any case in the default configuration the fqdn is used as smtp-banner and as helo_name if I remember correctly - where exactly is node1.domain.com shown where node2.domain.com should be shown?
did you modify the postfix configuration templates?
 
Mail Proxy --> options --> SMTP Banner, the setting is synced with the node.

I do have a custom template for main.in.cf

I have to say that I did not test to see if node2.domain.com uses its own fqdn or not. I'll test that today.
 
Here is an SMTP test result from mxtoolbox. It replies with both nodes' FQDNs, never seen that before. I guess it's ok then, thanks.

Connecting to 1.2.3.5

220 node2.domain.com node1.domain.com [312 ms]
EHLO keeper-us-east-1b.mxtoolbox.com
250-node2.domain.com
250-PIPELINING
250-SIZE 150485760
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING [123 ms]
MAIL FROM:<supertool@mxtoolboxsmtpdiag.com>
250 2.1.0 Ok [231 ms]
RCPT TO:<test@mxtoolboxsmtpdiag.com>
554 5.7.1 <test@mxtoolboxsmtpdiag.com>: Relay access denied [169 ms]
 
It replies with both nodes' FQDNs,
I guess you set the SMTPd banner to node1.domain.com - the banner consists of <node.fqdn> <smtpd-banner>.

I hope this explains it

also the banner has no impact on sending mail (it is only displayed when another mailserver wants to send mail to PMG ...
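To make the reply above concrete: an added example (not code from the thread or from the PMG project) that splits a 220 greeting into the node's own FQDN and the trailing, cluster-wide smtpd_banner text, then runs the forward-confirmed reverse DNS check a receiving MTA would apply. The greeting line is the one from the mxtoolbox output; the forward/reverse DNS tables are constructed stand-ins so the script runs offline, and the function names are this example's own.

```python
import re

# Constructed greeting, modelled on the mxtoolbox transcript in the thread.
BANNER_LINE = "220 node2.domain.com node1.domain.com [312 ms]"

# Constructed forward (A) and reverse (PTR) tables standing in for real
# lookups. In production these would come from a resolver, not from dicts.
FORWARD = {"node1.domain.com": "1.2.3.4", "node2.domain.com": "1.2.3.5"}
REVERSE = {"1.2.3.4": "node1.domain.com", "1.2.3.5": "node2.domain.com"}


def parse_banner(line):
    """Split a 220 greeting into (code, node_fqdn, banner_text).

    PMG/Postfix greet with '<myhostname> <smtpd_banner text>', so the first
    word after the reply code is the node's own FQDN and whatever follows is
    the free-text banner that is synced across the cluster. A trailing
    '[NNN ms]' timing annotation, as mxtoolbox prints it, is stripped.
    """
    m = re.match(r"^(\d{3})[ -](\S+)(?:\s+(.*?))?\s*(?:\[\d+ ms\])?$", line)
    if not m:
        raise ValueError(f"not an SMTP greeting: {line!r}")
    code, fqdn, text = m.groups()
    return int(code), fqdn.lower(), (text or "").strip()


def check_greeting(ip, line, forward=FORWARD, reverse=REVERSE):
    """Return a list of findings for the greeting received from `ip`.

    Mirrors the FCrDNS check a receiving MTA performs: PTR(ip) must name a
    host that resolves back to ip, and the greeting name should be that host.
    The banner text is cosmetic, so naming another node there is only noted.
    """
    code, fqdn, text = parse_banner(line)
    findings = []
    if code != 220:
        findings.append(f"unexpected reply code {code}")
    ptr = reverse.get(ip)
    if ptr is None:
        findings.append(f"no PTR record for {ip}")
    elif forward.get(ptr) != ip:
        findings.append(f"PTR {ptr} does not resolve back to {ip}")
    elif ptr != fqdn:
        findings.append(f"greeting name {fqdn} != PTR name {ptr}")
    first_word = text.split()[0].lower() if text else ""
    if first_word in forward and first_word != fqdn:
        findings.append(f"banner text names another node: {first_word}")
    return findings


if __name__ == "__main__":
    print(parse_banner(BANNER_LINE))
    print(check_greeting("1.2.3.5", BANNER_LINE))
```

For the greeting in the thread the FCrDNS check passes cleanly (node2.domain.com is both the PTR name and the greeting name); the only finding is that the free-text part names node1, which is exactly the cluster-wide banner setting and not a delivery problem.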
 
I was also wondering how DKIM would work... below is an email I sent to Gmail. It signs the email with node1's key, not sure how that is working, the email should be rejected I would think.

ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@domain.com header.s=node1 header.b=aI3KoNqh;
spf=pass (google.com: domain of recipient@domain.com designates 1.2.3.5 as permitted sender) smtp.mailfrom=recipient@domain.com;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=domain.com
Return-Path: <recipient@domain.com>
Received: from node2.domain.com (node1.domain.com. [1.2.3.5]) <--- not sure what's happening here
by mx.google.com with ESMTPS id h16si2222554qvr.90.2021.08.17.13.12.17
for <test@gmail.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Tue, 17 Aug 2021 13:12:17 -0700 (PDT)
Received-SPF: pass (google.com: domain of recipient@domain.com designates 1.2.3.5 as permitted sender) client-ip=1.2.3.5;
Authentication-Results: mx.google.com;
dkim=pass header.i=@domain.com header.s=node1 header.b=aI3KoNqh;
spf=pass (google.com: domain of recipient@domain.com designates 1.2.3.5 as permitted sender) smtp.mailfrom=recipient@domain.com;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=domain.com
 
It signs the email with node1's key, not sure how that is working, the email should be rejected I would think.
Yes, PMG uses one private key/selector per cluster - see https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_mail_proxy_configuration
This works quite well - you publish one DKIM record in your DNS with the public key - mails get signed with the private key - and this then gets verified by the receiving server (DKIM matches a TXT DNS record of your domain to a signature - and has nothing to do with the IP where a mail is received from (SMTP can send mails through relays - which is not too uncommon)

why do you think that it should be rejected?

node2.domain.com (node1.domain.com. [1.2.3.5]) <--- not sure what's happening here
my guess is that this might be an issue with DNS of node1.domain.com/node2.domain.com and the reverse PTR of 1.2.3.5
-> check your dns records

I hope this helps!
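The two points in the reply above (the DKIM selector is cluster-wide and is looked up in DNS, and the odd Received line points at a DNS/PTR inconsistency) can be checked from the headers alone. The following is an added example, not code from the thread or the PMG project: it unfolds the Gmail headers quoted earlier (embedded here as a constructed excerpt), derives the DNS name of the DKIM public key from the selector and domain, and flags a Received line whose HELO name (first) differs from the reverse-DNS name Gmail records in parentheses. Function names are this example's own.

```python
import re

# Constructed header excerpt, modelled on the Gmail headers quoted in the thread.
HEADERS = """\
Authentication-Results: mx.google.com;
 dkim=pass header.i=@domain.com header.s=node1 header.b=aI3KoNqh;
 spf=pass (google.com: domain of recipient@domain.com designates 1.2.3.5 as permitted sender) smtp.mailfrom=recipient@domain.com;
 dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=domain.com
Received: from node2.domain.com (node1.domain.com. [1.2.3.5])
 by mx.google.com with ESMTPS id h16si2222554qvr.90.2021.08.17.13.12.17
 for <test@gmail.com>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Tue, 17 Aug 2021 13:12:17 -0700 (PDT)
"""


def unfold(raw):
    """Join RFC 5322 folded continuation lines back into one line per header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in " \t" and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def dkim_record_name(auth_results):
    """Derive '<selector>._domainkey.<domain>', the TXT record a verifier
    fetches. The selector is the one cluster-wide key PMG signs with, so it
    is the same no matter which node relayed the message."""
    sel = re.search(r"header\.s=([^\s;]+)", auth_results)
    dom = re.search(r"header\.i=@([^\s;]+)", auth_results)
    if not (sel and dom):
        return None
    return f"{sel.group(1)}._domainkey.{dom.group(1)}"


def received_identities(received):
    """Return (helo_name, rdns_name, ip) from a Gmail-style 'Received: from'
    line, which is written as 'from <HELO> (<reverse-DNS name>. [<ip>])'."""
    m = re.search(r"from (\S+) \((\S+?)\.? \[([\d.]+)\]\)", received)
    if not m:
        return None
    return m.group(1).lower(), m.group(2).lower(), m.group(3)


def audit(raw):
    """Walk the headers and report the DKIM key name plus any HELO/rDNS mismatch."""
    findings = []
    for line in unfold(raw):
        if line.startswith("Authentication-Results:"):
            findings.append(("dkim_key", dkim_record_name(line)))
        elif line.startswith("Received: from"):
            ids = received_identities(line)
            if ids and ids[0] != ids[1]:
                helo, rdns, ip = ids
                findings.append(("helo_rdns_mismatch", f"{helo} vs {rdns} [{ip}]"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(HEADERS):
        print(kind, detail)
```

The DKIM result is independent of which node or IP delivered the mail, which is why dkim=pass despite the signature being node1's: the verifier only fetches node1._domainkey.domain.com and checks the signature against it. The mismatch finding is the one to chase in DNS: Gmail resolved 1.2.3.5 to node1.domain.com while the host announced itself as node2.domain.com, so the PTR for 1.2.3.5 should be checked.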
 
