Hi and thanks for a really great and flexible product!
My use case is a bit on the edge as I run my mail solution from home on an ISP customer IP with an internal Exchange server with only one mailbox for myself, which is set up to accept any email address on all my domains.
I use a different email address each place I register online/offline, which makes it easy to block/filter email addresses.
The reason I was looking for a new MTA was the need for better logging of the reject events, as I closely monitor which email addresses are being used and potentially compromised.
My MTA up until a few days ago was SophosXG firewall; it has syslog, but reject events are not logged there and can only be seen in the portal.
Installing Proxmox Mail Gateway (8.0.3) in a virtual environment was fast and easy.
Configuring relaying up/downstream
Default relay to the internal Exchange server was fast and easily done in the portal.
Exchange relay to Proxmox was confusing, kept getting relay denied even with the IP added to Networks. Finding out about the internal SMTP port 26 and updating Exchange to send on it instead was the key.
- maybe mention using the internal SMTP port in the Networks docs
- (on my to-do list), how to not allow all IPs on the same subnet (I only have one subnet with servers+clients)
Proxmox relay to smarthost (I use Socketlabs because sending from a consumer-grade IP has been more or less impossible for many years now) was the first challenge. Where was the authentication option... after some forum reading and fiddling with templates I finally got SASL working.
- this was by far the most surprising thing that was not supported out of the box, wish there were configurable options for "Smarthost Authentication" and "Smarthost Port" in Relaying
Configuring logging
Setting up external syslog was found through a forum post https://forum.proxmox.com/threads/remote-syslog.46146
- would have liked to be able to do this in the portal
- should be mentioned in the docs how to do this, e.g. in Syslog and Tasks, as it is a somewhat common option(?)
Configuring blacklisting to reject compromised internal email addresses
Somewhat confusing. Adding recipients to the Blacklist did nothing. Found out Blacklist by default only applies to senders.
Made a new Blacklist which applies to recipients and voila, incoming messages were blocked.
But this was not the same as Rejected; the messages were still being accepted and then blocked.
Solved by editing the main.cf.in template and replacing the smtpd_recipient_restrictions = check_recipient_access with a custom file hash:/etc/postfix/recipient_access and adding the email addresses there.
There is a "smtpd_recipient_restrictions = check_recipient_access regexp:/etc/postfix/rcptaccess" in the default config, but I was unable to populate this by any of the RegEx Who objects/rules in the portal, and there is no mention of this in the docs.
- wish it were possible to have the ability to have both reject and blocklists in the portal, where rejectlists can specify return code and message per item.
Insight
Tracking center is superfast, gives a good overview and has excellent filtering capabilities
Would like to see:
- colored rows for accepted messages (green?) to distinguish them from rejected (yellow?)
- an option to turn on a Subject column to more easily identify spam at a glance
- a spam info button similar to the "Toggle spam info" in Spam Quarantine to more easily view all types of accepted mail spam scores
Conclusion
Very easy to get started, but some Linux command-line fiddling seems to be expected if you don't have a very basic setup.
Documentation is OK, but has many external references, e.g. to Postfix, which makes it more time-consuming to find things out. E.g., "what is the delimiter when using multiple DNSBLs"; docs should have some examples of the most commonly used options.
For my personal needs it ticks all the boxes, and after getting somewhat more familiar under the hood I see how flexible this really is and have decided to permanently switch to Proxmox.
Kind regards,
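
An added example, not part of the original post and not Proxmox code: once recipient rejects happen at SMTP time and reach syslog, a short script can tally which per-site aliases are being hit, from which client IPs and with which envelope senders. It assumes the usual Postfix smtpd "NOQUEUE: reject: RCPT from" line layout; the hostnames, addresses and reply texts in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the usual Postfix smtpd syslog layout; every host,
# address and reply text below is invented for this example.
SAMPLE_LOG = """\
Oct  3 10:01:12 pmg postfix/smtpd[2101]: connect from unknown[203.0.113.7]
Oct  3 10:01:13 pmg postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <shop-a@example.org>: Recipient address rejected: Access denied; from=<promo@bulk.example.net> to=<shop-a@example.org> proto=ESMTP helo=<mx.bulk.example.net>
Oct  3 11:40:02 pmg postfix/smtpd[2188]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.23]: 554 5.7.1 <shop-a@example.org>: Recipient address rejected: Access denied; from=<> to=<shop-a@example.org> proto=ESMTP helo=<mail.example.com>
Oct  3 12:15:44 pmg postfix/smtpd[2240]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <Forum-B@example.org>: Recipient address rejected: alias retired; from=<promo@bulk.example.net> to=<Forum-B@example.org> proto=ESMTP helo=<mx.bulk.example.net>
Oct  3 12:16:01 pmg postfix/smtpd[2240]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <shop-a@example.org>: Recipient address rejected: Access denied; from=<promo@bulk.example.net> to=<shop-a@example.org> proto=ESMTP helo=<mx.bulk.example.net>
"""

# One RCPT-stage reject: client IP, SMTP reply code, envelope sender/recipient.
REJECT_RE = re.compile(
    r"postfix[^ ]*/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"[^\[\s]+\[(?P<ip>[^\]]+)\]: (?P<code>[45]\d\d) .*?; "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def summarize_rejects(log_text):
    """Map each rejected recipient to its hit count, client IPs, senders, codes."""
    stats = defaultdict(
        lambda: {"count": 0, "ips": set(), "senders": set(), "codes": set()}
    )
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m is None:
            continue  # connects, accepted mail, rejects at other stages
        entry = stats[m["rcpt"].lower()]  # fold case so Forum-B == forum-b
        entry["count"] += 1
        entry["ips"].add(m["ip"])
        entry["senders"].add(m["sender"].lower() or "<>")  # "<>" = bounce
        entry["codes"].add(m["code"])
    return dict(stats)


if __name__ == "__main__":
    report = summarize_rejects(SAMPLE_LOG)
    for rcpt, e in sorted(report.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{rcpt}: {e['count']} rejects, {len(e['ips'])} client IPs, "
              f"codes {sorted(e['codes'])}, senders {sorted(e['senders'])}")
```

An alias that starts collecting rejects from several unrelated client IPs has most likely been leaked or sold by the site it was registered with.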