differentiate between "allow to deliver to local addresses" and "allow relay"

masterx

Member
Jun 6, 2020
Hi

I have transitioned to PMG in my semi-production home-lab environment a few weeks ago and I do like the product very much so far.
However, one thing still bothers me a bit. In the previous product I was using, it was possible to allow local mail delivery (i.e. delivery to domains which the mail gateway is "responsible" for) from internal servers (like backup report mails, monitoring alerts, and so forth) without having to allow these servers to relay mails to outside recipients.

I did like this as kind of an additional security measure so that if one of the servers gets hacked (some of them are accessible from the internet), they can't be used as open relays because mailing is only possible to "internal" mail domains. In PMG I have to add an internal server to the whitelist or send via the internal port (26) but if I do this, the server is allowed to send to any recipient in the world.

I hope it is clear what I would like to see and if it is currently not possible, please look at this as a feature request :)

Thanks!
 
Not sure if I get the complete use case - but have you tried the following?:

* create a rule with appropriate priority and direction outbound
* create a who-object containing all IPs (or the networks) of your internal servers
* create a who-object containing your internal domains (where the internal servers may send mails to)
* set the first object as from on the rule, the second one as to
* add the action ACCEPT

* create a second rule with lower priority (one less than the previous rule)
* set the who object with your IPs as from
* set the object to BLOCK/Quarantine

Would that work?
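To make the two-rule scheme above concrete, here is an added toy model of how first-match rule evaluation by priority plays out for the cases the thread cares about. It is illustration code written for this thread, not PMG's rule engine or API; the network 10.0.10.0/24, the domains home.example / lab.example and the rule and object names are constructed assumptions.

```python
"""Toy model of the suggested policy: a higher-priority ACCEPT rule for
internal hosts -> internal domains, followed by a BLOCK rule for the same
hosts -> anything else. Added illustration only; not PMG's own code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class WhoObject:
    """Like a PMG who-object: a set of IP networks and/or mail domains."""
    name: str
    networks: List[str] = field(default_factory=list)
    domains: List[str] = field(default_factory=list)

    def matches_ip(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in ip_network(n) for n in self.networks)

    def matches_address(self, mail: str) -> bool:
        domain = mail.rsplit("@", 1)[-1].lower()
        return domain in {d.lower() for d in self.domains}


@dataclass
class Rule:
    name: str
    priority: int          # higher value is evaluated first
    direction: str         # "in", "out" or "both"
    action: str            # "ACCEPT" or "BLOCK"
    from_obj: Optional[WhoObject] = None   # None means any sender
    to_obj: Optional[WhoObject] = None     # None means any recipient

    def matches(self, direction: str, client_ip: str, rcpt: str) -> bool:
        if self.direction not in ("both", direction):
            return False
        if self.from_obj and not self.from_obj.matches_ip(client_ip):
            return False
        if self.to_obj and not self.to_obj.matches_address(rcpt):
            return False
        return True


def evaluate(rules: List[Rule], direction: str, client_ip: str, rcpt: str,
             default: str = "ACCEPT") -> Tuple[str, Optional[str]]:
    """First matching rule in descending priority order decides.
    Returns (action, rule name); (default, None) if nothing matched."""
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if rule.matches(direction, client_ip, rcpt):
            return rule.action, rule.name
    return default, None


# Constructed sample objects (assumed values, not from the thread).
INTERNAL_HOSTS = WhoObject("internal-servers", networks=["10.0.10.0/24"])
INTERNAL_DOMAINS = WhoObject("internal-domains",
                             domains=["home.example", "lab.example"])

# Rule 1: internal hosts may deliver to internal domains.
# Rule 2: one priority lower, the same hosts are blocked for everything else.
RULES = [
    Rule("internal-to-local", 90, "out", "ACCEPT",
         from_obj=INTERNAL_HOSTS, to_obj=INTERNAL_DOMAINS),
    Rule("internal-to-rest", 89, "out", "BLOCK", from_obj=INTERNAL_HOSTS),
]


def check_policy() -> dict:
    """Exercise the three cases that matter for the 'no open relay' goal."""
    return {
        # backup/monitoring host mailing an internal mailbox: allowed
        "local": evaluate(RULES, "out", "10.0.10.5", "admin@home.example"),
        # same host trying an outside recipient: blocked by rule 2
        "relay": evaluate(RULES, "out", "10.0.10.5", "victim@ext.example"),
        # a host outside the who-object is untouched by both rules
        "other": evaluate(RULES, "out", "192.0.2.7", "admin@home.example"),
    }


if __name__ == "__main__":
    for case, (action, rule) in check_policy().items():
        print(f"{case:6s} -> {action} ({rule})")
```

The ordering is what makes it work: swap the priorities so the BLOCK rule is evaluated first and it matches every internal sender, including the legitimate local deliveries, before the ACCEPT rule is ever reached. Hosts not listed in the IP who-object fall through both rules and are handled by whatever follows in the rule set.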
 
Interesting approach, will definitely try that out. I didn't think of configuring rules because without whitelisting my "internal" "system-mails" got filtered already just because of the fact that they didn't pass the SPF check, obviously.
 
> already just because of the fact that they didn't pass the SPF check, obviously.
if you've enabled SPF checking in the mail proxy (GUI -> Configuration -> Mail Proxy -> Options) and you have a hard reject in your SPF policy ('-all') then you either need to provide a changed SPF record in your internal DNS or add the server to the Mail Proxy Whitelist (GUI -> Configuration -> Mail Proxy -> Whitelist)

I hope this helps!
 