This is a rough draft of an idea from this thread over in the PMG forum:
https://forum.proxmox.com/threads/how-to-close-open-port-111.43310/
Two notes: it would be nice if a future version of PVE included macros for PVE web interface and PMG Submission. There is "Submission" but that's not port 26. Also, there is PMG for the PMG web interface which is technically the same port number, but if an admin who is not familiar with the systems needs to do work, it could be a little confusing. OR change the macro to "PMG/PVE".
WARNING: MAKE SURE TO CONFIGURE THE HOST ZONE CORRECTLY OR YOU WILL BE LOCKED OUT.
If you get locked out, you will need to edit the files in this directory from the console:
/etc/pve/firewall/
These settings are based on the information in the PMG documentation here:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#:~:text=2.3.-,Firewall Settings,-In order to
There is an additional rule to allow Let's Encrypt's Certbot to do its thing as needed, but that can be removed if you're not using Certbot.
Admin IPSet
Datacenter > Firewall > IPSet > Create:
Name: admin
Comment: Admin IPs and ranges
> OK
Datacenter > Firewall > IPSet > admin > Add:
IP/CIDR: <ipORrange>
Comment: <describeIP>
> Create
Host Zone (PVE)
GUI/API
Datacenter > Firewall > Add:
Direction: in
Action: ACCEPT
Enable: true
Protocol: tcp
Source: +admin
Dest. port: 8006
Comment: Allow PVE GUI/API in from admin IPs and ranges
> OK
Order: 0
SSH
Datacenter > Firewall > Add:
Direction: in
Action: ACCEPT
Enable: true
Macro: SSH
Source: +admin
Comment: Allow SSH in from admin IPs and ranges
> OK
Order: 1
Enable
Datacenter > Firewall > Options > Firewall > Edit:
Firewall: true
Guest Zone (PMG)
Security Group
Datacenter > Firewall > Security Group > Create:
Name: pmg
Comment: Proxmox Mail Gateway
> Create
Mailserver IPSet
Datacenter > Firewall > IPSet > Create:
Name: mailservers
Comment: Mail server IPs
> OK
Datacenter > Firewall > IPSet > mailservers > Add:
IP/CIDR: <ipORrange>
Comment: <hostname>
> Create
Rules
HTTP
Datacenter > Firewall > Security Group > pmg > Add:
Direction: in
Action: ACCEPT
Enable: true
Macro: HTTP
Comment: Allow HTTP in for certbot renewal
> OK
Order: 0
SMTP
Datacenter > Firewall > Security Group > pmg > Add:
Direction: in
Action: ACCEPT
Enable: true
Macro: SMTP
Comment: Allow SMTP in
> OK
Order: 1
Submission:26
Datacenter > Firewall > Security Group > pmg > Add:
Direction: in
Action: ACCEPT
Enable: true
Protocol: tcp
Source: +mailservers
Dest. port: 26
Comment: Allow submission on port 26 from mail servers
> OK
Order: 2
GUI/API
Datacenter > Firewall > Security Group > pmg > Add:
Direction: in
Action: ACCEPT
Enable: true
Macro: PMG
Source: +admin
Comment: Allow PMG GUI and API in from admin IPs and ranges
> OK
Order: 3
Apply Security Group
Datacenter > {node} > {vm} > Hardware > net0 > Edit:
Firewall: true
> OK
Datacenter > {node} > {vm} > Firewall > Insert Security Group:
Security Group: pmg
Interface: net0
Enable: true
Comment: PMG security group rules
> Add
Datacenter > {node} > {vm} > Firewall > Options > Firewall > Edit:
Firewall: true
> OK
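The lock-out warning in the post can be checked before the datacenter firewall is enabled. The Python below is an added example, not part of the original post: it parses a constructed sample of /etc/pve/firewall/cluster.fw matching the host-zone steps and lists what would cut off the admin IPSet. The names `parse` and `lockout_risks`, the sample addresses and the option order in the sample are assumptions.

```python
import re

# Constructed sample of /etc/pve/firewall/cluster.fw after the host-zone steps
# (documentation addresses; the real file may order options differently).
SAMPLE = """\
[OPTIONS]
enable: 1

[IPSET admin] # Admin IPs and ranges
192.0.2.10 # admin workstation
198.51.100.0/24 # office range

[RULES]
IN ACCEPT -source +admin -p tcp -dport 8006 # Allow PVE GUI/API in from admin IPs and ranges
IN SSH(ACCEPT) -source +admin # Allow SSH in from admin IPs and ranges
"""

def parse(text):
    """Return {lower-cased section header: [lines, comments stripped]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split("#", 1)[0].split())  # drop comment, squeeze spaces
        if not line:
            continue
        m = re.match(r"\[(.+?)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def lockout_risks(text, ipset="admin"):
    """List reasons why enabling the datacenter firewall could lock admins out."""
    s = parse(text)
    rules = [r for r in s.get("rules", []) if not r.startswith("|")]  # '|' = disabled rule
    from_set = re.compile(rf"-source \+{re.escape(ipset)}(\s|$)").search
    gui = any(r.startswith("IN ACCEPT ") and from_set(r) and "-p tcp" in r
              and re.search(r"-dport 8006(\s|$)", r) for r in rules)
    ssh = any(r.startswith("IN SSH(ACCEPT)") and from_set(r) for r in rules)
    risks = []
    if not s.get(f"ipset {ipset}"):
        risks.append(f"IPSet '{ipset}' is missing or empty")
    if not gui:
        risks.append(f"no enabled rule accepting tcp/8006 from +{ipset}")
    if not ssh:
        risks.append(f"no enabled SSH rule from +{ipset}")
    return risks

if __name__ == "__main__":
    print(lockout_risks(SAMPLE) or "host zone rules look complete")
```

On a PVE host, pass the contents of the real file to `lockout_risks` instead of `SAMPLE` and enable the firewall only when the returned list is empty.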