Disable default local network whitelist

[masterx]

Hi

I was wondering how one would disable the default local network whitelist. It is my understanding, that any host on the same subnet as the PMG is allowed to relay. For me, that's kind of a security concern, I'd rather have only authorized clients sending mails through the gateway. Or is the PMG supposed to be put into a dedicated server subnet or DMZ network?

Would it work to blacklist the whole local subnet (lets say 172.16.0.0/24) and then selectively whitelist single hosts like 172.16.0.10/24?

Thanks!

 

[Stoiko Ivanov]

I was wondering how one would disable the default local network whitelist. It is my understanding, that any host on the same subnet as the PMG is allowed to relay.

this should only be true for the 'internal' port of pmg (check the service configuration template for postfix' master.cf (/var/lib/pmg/templates/master.cf.in - the config for smtpd on the external port explicitly sets mynetworks to 127.0.0.1/8 and the single ip of PMG)

I'd rather have only authorized clients sending mails through the gateway.

PMG is meant to be used as a smtp proxy, which usually does not use SMTPAUTH (if you would like that adapt the server configuration templates and create a SASL authentication for your relay servers)

see https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine about the PMG specifics when it comes to MTA configuration

172.16.0.0/24) and then selectively whitelist single hosts like 172.16.0.10/24?

172.16.0.0/24 and 172.16.0.10/24 describe the same network (all IPs in 172.16.0.0-172.16.0.255) - the single ip would need to be written as 172.16.0.10 (or 172.16.0.10/32)

I hope this helps!

 

[masterx]

this should only be true for the 'internal' port of pmg (check the service configuration template for postfix' master.cf (/var/lib/pmg/templates/master.cf.in - the config for smtpd on the external port explicitly sets mynetworks to 127.0.0.1/8 and the single ip of PMG)

True, it says that in the config. So only 127.0.0.1/8 and the own IP of the PMG is whitelisted by default? In that case I must have misunderstood the manual, thanks for clarification.

PMG is meant to be used as a smtp proxy, which usually does not use SMTPAUTH (if you would like that adapt the server configuration templates and create a SASL authentication for your relay servers)

see https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine about the PMG specifics when it comes to MTA configuration

I know and the reason why I brought this up is because I migrated from Symantec Messaging Gateway (now Broadcom, I guess) and there it was possible to make an internet-facing, virus and spam scanning user-SMTP gateway which requires users to authenticate before sending mail. That was very convenient because one didn't have to expose the internal mail server to the internet but it was still possible to use the central LDAP user store for authentication and all mails were scanned for viruses and spam in case some client PC got infected with crap.
Feel free to maybe consider this as a humble feature request for the future.
Feature creep is a bad thing but I think this could be accomplished rather easily as most parts are already there and it would bring a huge benefit, I think.

172.16.0.0/24 and 172.16.0.10/24 describe the same network (all IPs in 172.16.0.0-172.16.0.255) - the single ip would need to be written as 172.16.0.10 (or 172.16.0.10/32)

You are absolutely correct, I'm sorry. 172.16.0.10/32 was what i wanted to say.

I hope this helps!

Definitely, thanks!