Hi all,
Adding this here because I've just spent an hour trying to get to the bottom of why Proxmox notifications work perfectly through a smarthost, but system e-mails are sent directly. Hopefully somebody else will find this useful (or, more likely, future me will find this post when future me has exactly the same problem!).
Using a smart host for notifications in PVE or PBS is easy - in the host web interface, go to notifications and add an SMTP target.
System e-mails (e.g. anything using the 'mail' command) don't use the targets defined for PVE or PBS and will route via the gateway defined in postfix - if there isn't one, then it'll try to send direct. We've tightened the security screws on our mail servers and so now we need to route all e-mails out through a smarthost. So make the following changes on every host in your cluster or on the PBS box:
Install the SASL modules. Without these everything will seem to work, but you'll get "unable to authenticate, no mechanism" errors when you try to send e-mails.
Bash:
apt -y install libsasl2-modules
Edit /etc/postfix/main.cf and make sure it has the following lines in it (replacing server names etc. with the correct ones for you as required):
Code:
# Set the relayhost. The square brackets are required to stop postfix doing an MX lookup
relayhost = [YOUR.SMARTHOST.EXAMPLE.COM]:587
# Enable TLS
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
# Enable SASL authentication
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# Make sure we can verify the relayhost's certificate
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
Edit the file /etc/postfix/sasl_passwd and add the following line (changing details for your configuration). Note that the smarthost server must be *exactly* the same here as in main.cf, above.
Code:
[YOUR.SMARTHOST.EXAMPLE.COM]:587 USERNAME:PASSWORD
Secure the password file, create the lookup table for the /etc/postfix/sasl_passwd file you just edited and then restart postfix:
Bash:
chmod 600 /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd
systemctl restart postfix
Test (changing details as required):
Bash:
echo "This is the e-mail body" | mail -v -s "Testing smart host" YOUR.EMAIL@YOUR.DOMAIN
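A read-only check for the two things most likely to go wrong in the steps above: the relayhost in main.cf not matching the sasl_passwd key exactly, and the password file or its postmap output being readable by other users. This is an added example, not part of the original post; the function names are made up for illustration.

```shell
#!/usr/bin/env bash
# Added example: read-only audit of the smarthost setup described in the post.
# File paths are arguments, so the checks can also run against copies.

# Print the relayhost value from a main.cf-style file. Postfix keeps only the
# last assignment of a parameter, so a later line overrides an earlier one.
relayhost_of() {
    awk -F= '/^[ \t]*relayhost[ \t]*=/ {
        v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); last = v
    } END { print last }' "$1"
}

# Succeed only if the relayhost string, brackets and port included, is the
# first field of some line in the sasl_passwd file.
key_matches() {
    local relay
    relay=$(relayhost_of "$1")
    [ -n "$relay" ] || return 1
    awk -v k="$relay" '$1 == k { found = 1 } END { exit !found }' "$2"
}

# Succeed only if the file exists and grants nothing to group or other.
# Uses GNU stat, as shipped on the Debian base of PVE and PBS.
owner_only() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Run every check, print one line per problem, return non-zero if any failed.
# postmap writes the compiled table next to its source with a .db suffix.
audit_relay() {
    local main_cf=$1 passwd=$2 rc=0
    key_matches "$main_cf" "$passwd" ||
        { echo "relayhost in $main_cf has no identical key in $passwd"; rc=1; }
    owner_only "$passwd" ||
        { echo "$passwd is missing or accessible beyond its owner"; rc=1; }
    owner_only "$passwd.db" ||
        { echo "$passwd.db is missing or accessible beyond its owner"; rc=1; }
    return "$rc"
}
```

Load the functions with `source` and run `audit_relay /etc/postfix/main.cf /etc/postfix/sasl_passwd` as root on each host; no output and exit status 0 means all three checks passed.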