Differences when PMG is directly connected to Internet or after a mail relay

ph.adam

New Member
Mar 9, 2023
Hello,

Currently, a postfix server receives incoming mails and then relays them to Proxmox Mail Gateway, which relays to our Exchange. If I remove the postfix, incoming mails are not accepted (either way there is a message about an unknown mailbox or about being blocked using spam lists):
- Recipient address rejected: User unknown in relay recipient table; (but I copied the ldap config from the edge postfix and added the ldap config in PMG too)
- NOQUEUE: reject: RCPT from [XXX]:13160: 550 5.7.1 Service unavailable; client [XXX] blocked using zen.spamhaus.org; (but there is no reason that those mails are blocked, these are legit test mails from hotmail or gmail)

Trying to solve this, I found this statement:
keep in mind that as Proxmox does not receive emails directly, a lot of filtering methods are not possible: SPF, greylisting, RBL checks etc.
Here are my questions:
- Why are greylisting and RBL checks not working if not directly connected to the Internet, and are there other features not working?
- In general, what are the important differences between a PMG directly connected to the Internet (edge) and one that is not (receiving only mails from another mail relay)?
- Can we create filtering rules using the second or third sender IP or domain? When connected to another relay, the sending IP is always the relay. What would be interesting is to check the first sender IP.


Thank you in advance for your help.
 
SPF, RBL and greylisting use the sending server IP to do those checks; right now the sending server is your postfix server. As far as I know (and I am quite new to PMG), all you need to do is add your domain to the relay domains, add your end point server to the transports and then activate recipient checking. I'm pretty sure you don't need the ldap lookups happening locally, but I could be wrong.
 
NOQUEUE: reject: RCPT from [XXX]:13160: 550 5.7.1 Service unavailable; client [XXX] blocked using zen.spamhaus.org;
This means that your upstream server is listed on zen.spamhaus.org (or that the DNS resolution on your PMG has errors) - both should be fixed if you want to send/receive mail.

If you want to have another mailserver in front of PMG you can check out the xforward settings and howto - if the server uses xforward (and PMG trusts this host's xforward information) you should get similar results to having PMG directly as MX - see the postfix documentation on the topic:

https://www.postfix.org/XFORWARD_README.html
https://www.postfix.org/postconf.5.html#smtpd_authorized_xforward_hosts

(but I copied the ldap config from the edge postfix and added the ldap config in PMG too)
why not simply use the recipient verification (GUI->Configuration->Mail Proxy->Options) - this uses SMTP to check with the downstream server if a mailbox exists?
 
SPF, RBL and greylisting use the sending server IP to do those checks; right now the sending server is your postfix server. As far as I know (and I am quite new to PMG), all you need to do is add your domain to the relay domains, add your end point server to the transports and then activate recipient checking. I'm pretty sure you don't need the ldap lookups happening locally, but I could be wrong.
Thank you airtite76. I knew for DKIM but didn't think it was a problem for rbl and greylisting.
I didn't activate recipient checking (verify receivers). Is it mandatory if PMG is directly connected to the Internet? Because it works for the moment (when there's a mail server before PMG).
 
(or that the DNS resolution on your PMG has errors)
I'm wondering what I missed in the DNS side.
External DNS and MX point to a public IP in our firewall. This firewall redirects to postfix. I changed so the firewall redirects to pmg instead.
I then tried to give the postfix names to pmg (myhostname and other things) with no success. I then tried to change the external DNS to point to the PMG hostname.
Internally, I didn't change anything.


If you want to have another mailserver in front of PMG you can check out the xforward settings and howto - if the server uses xforward (and PMG trusts this host's xforward information) you should get similar results to having PMG directly as MX - see the postfix documentation on the topic:

https://www.postfix.org/XFORWARD_README.html
https://www.postfix.org/postconf.5.html#smtpd_authorized_xforward_hosts
It is working with another mailserver in front of PMG for the moment. Should I remove or disable the xforward if used?

why not simply use the recipient verification (GUI->Configuration->Mail Proxy->Options) - this uses SMTP to check with the downstream server if a mailbox exists?
I didn't know it could work simply like this. And as my predecessor configured the existing postfix with ldap recipient checking, I replicated it and tried to enable this in PMG.


Anybody knows if we can use all the <from> headers in the mail to create filters or only the latest in the chain?

Thank you for your help
 
Anybody knows if we can use all the <from> headers in the mail to create filters or only the latest in the chain?
you can match the 'Received' header with a Match Field object, but postscreen_tests and some SpamAssassin rules will only consider the connecting IP address (which is your other postfix instance)

It is working with another mailserver in front of PMG for the moment. Should I remove or disable the xforward if used?
If it's working fine - I would not change the config

I'm wondering what I missed in the DNS side.
can the PMG resolve everything fine?
e.g. does `dig proxmox.com` work ? (you might need to install dnsutils for the dig command)
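As an added illustration of the answer above (this is example code, not part of the thread and not PMG's own code): the TCP peer that PMG sees is always the internal postfix, so the only place the original sending server's address survives is the Received chain that each hop prepends. The snippet walks that chain from the newest hop downwards, skips hops that came from our own (constructed) trusted networks, and stops at the first hop that did not, which is the same trust-boundary logic SpamAssassin applies with its trusted_networks setting. The message and the 10.0.0.0/8 trusted range are constructed for the example; hostnames and IPs are placeholders.

```python
import re
import ipaddress
from email import message_from_string

# Constructed sample: external host -> our edge postfix -> PMG. Not a real capture.
SAMPLE_MESSAGE = """\
Received: from edge.example.internal (edge.example.internal [10.0.0.5])
\tby pmg.example.internal (Proxmox) with ESMTP id 4ABCDEF
\tfor <user@example.com>; Wed, 29 Mar 2023 14:53:31 +0200
Received: from mail-oi1-f171.google.com (mail-oi1-f171.google.com [209.85.167.171])
\tby edge.example.internal (Postfix) with ESMTPS id 1234567
\tfor <user@example.com>; Wed, 29 Mar 2023 14:53:30 +0200
Received: by mail-oi1-f171.google.com with SMTP id abc123
\tfor <user@example.com>; Wed, 29 Mar 2023 05:53:29 -0700 (PDT)
From: Someone <someone@gmail.com>
To: user@example.com
Subject: test

hello
"""

# Networks we operate ourselves (constructed). Hops "from" these addresses are our
# internal relays and must be skipped when looking for the real sending server.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Pulls the bracketed client address out of a Received "from ... [a.b.c.d]" clause;
# DOTALL because folded headers keep their newline/tab continuation.
_FROM_IP = re.compile(r"^from\s+\S+.*?\[(?P<ip>[0-9a-fA-F.:]+)\]", re.DOTALL)


def received_ips(raw):
    """Connecting IP of every Received hop, newest hop first (None if the hop has no 'from')."""
    msg = message_from_string(raw)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = _FROM_IP.match(hdr)
        ips.append(ipaddress.ip_address(m.group("ip")) if m else None)
    return ips


def originating_ip(raw, trusted=TRUSTED_NETWORKS):
    """Address of the server that handed the mail to our site.

    Walk from the newest hop down and skip hops that came from our own relays; the
    first hop from outside is the one RBL/SPF/greylisting would need. Everything
    below that hop was written by untrusted parties, so we do not walk any further.
    """
    for ip in received_ips(raw):
        if ip is None:
            continue
        if any(ip in net for net in trusted):
            continue
        return ip
    return None


def received_matches(raw, pattern):
    """True if any Received header matches the regex, i.e. what a header match rule would see."""
    msg = message_from_string(raw)
    rx = re.compile(pattern, re.DOTALL)
    return any(rx.search(h) for h in msg.get_all("Received", []))


if __name__ == "__main__":
    print("hops:", [str(ip) for ip in received_ips(SAMPLE_MESSAGE)])
    print("originating server:", originating_ip(SAMPLE_MESSAGE))
```

The result depends entirely on the trusted list: with the internal relay's network declared as trusted, the Google address is returned; with an empty trusted list the answer is the relay itself, which is exactly what PMG sees on the wire without XFORWARD. A header match rule on Received can catch a known bad address anywhere in the chain, but it cannot do the RBL or SPF lookups that depend on the connecting address.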
 
If it's working fine - I would not change the config
The goal is to remove the postfix before the PMG. Tonight I'll be enabling verify recipients and doing a full DNS check.

The dig seems to work. It returns the IP address of proxmox.com at least.
Dig on my domain's MX gives 0 answers from the pmg. But it's the same from my working edge postfix.

Code:
# dig proxmox.com

; <<>> DiG 9.16.37-Debian <<>> proxmox.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25835
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;proxmox.com.                   IN      A

;; ANSWER SECTION:
proxmox.com.            3255    IN      A       212.224.123.69

;; Query time: 0 msec
;; SERVER: 172.16.132.10#53(172.16.132.10)
;; WHEN: Wed Mar 29 14:53:31 CEST 2023
;; MSG SIZE  rcvd: 56
 
Hello,

Is it possible that a non-matching PTR record causes some mails to be rejected? And that the ISP updates the PTR record automatically after 24h or so?

I changed the MX record at my ISP but the reverse lookup still points to the old MTA domain name. And I don't see any place to change this record. I'm waiting for their response.

Thank you in advance
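As an added example for the PTR question (not part of the thread, and not Proxmox code): the check that a stale reverse record trips is forward-confirmed reverse DNS. The receiving side looks up PTR(ip), then resolves that name again and requires the original address to be among the results. Postfix exposes two strengths of this check: reject_unknown_reverse_client_hostname only rejects when there is no PTR at all, while reject_unknown_client_hostname also rejects when the PTR name does not resolve back to the client. The fake zone data below is constructed to mirror the migration described in the post (the old MTA name still in the PTR, resolving to the old address); the live_* helpers use the real resolver and are there for running the same check against a real address.

```python
import socket

# Constructed zone data standing in for the real DNS (placeholders, not real records).
FAKE_PTR = {
    "203.0.113.10": "old-mta.example.net",  # stale PTR left over from the old MTA
    "203.0.113.20": "pmg.example.net",      # PTR that has been updated correctly
}
FAKE_A = {
    "old-mta.example.net": ["203.0.113.9"],   # old name still points at the old box
    "pmg.example.net": ["203.0.113.20"],
}


def fake_ptr(ip):
    return FAKE_PTR.get(ip)


def fake_a(name):
    return FAKE_A.get(name, [])


def live_ptr(ip):
    """Reverse lookup via the system resolver; None when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def live_a(name):
    """All A/AAAA addresses for a name via the system resolver."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None)})
    except OSError:
        return []


def fcrdns(ip, ptr=fake_ptr, a=fake_a):
    """Forward-confirmed reverse DNS. Returns (ok, reason_or_name)."""
    name = ptr(ip)
    if name is None:
        return False, "no PTR record"
    addrs = a(name)
    if not addrs:
        return False, f"PTR {name} has no A/AAAA record"
    if ip not in addrs:
        return False, f"PTR {name} resolves to {addrs}, not {ip}"
    return True, name


def postfix_verdicts(ip, ptr=fake_ptr, a=fake_a):
    """Which Postfix smtpd client restrictions would reject this client address."""
    ok, reason = fcrdns(ip, ptr, a)
    no_ptr = reason == "no PTR record"
    return {
        "reject_unknown_reverse_client_hostname": no_ptr,   # PTR missing entirely
        "reject_unknown_client_hostname": not ok,           # PTR missing or not confirmed
    }


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.20", "198.51.100.1"):
        print(ip, fcrdns(ip), postfix_verdicts(ip))
```

To run it against a real address, call fcrdns(ip, live_ptr, live_a); the verdict for the stale-PTR case shows why a receiver using the stricter restriction rejects mail from the new server until the ISP updates the reverse record, while the weaker restriction lets it through.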
 