Right now we have a pretty aggressive policy for detecting and blocking spam and malicious mail. That has consequences, meaning we have to spend quite a lot of time daily working on adding whitelist items and checking why legitimate mail was blocked.
To reduce our workload I am looking into how we can enable quarantine access for our mail users. We filter mail for different companies and this seems like it's not the right use case for Proxmox Mail Gateway because this solution is not built for multitenant use.
The goal for enabling quarantine is to reduce the time we have to deal with Proxmox Mail Gateway to 0. We would only upgrade the solution once a month; everything else users should be able to do themselves. If they have access to false positives via quarantine this should be possible, right?
If quarantine access is implemented well this could be a solution to reduce our workload, but I am worried this might not be the case.
Some general questions about quarantine access via the internet. This looks quite straightforward: https://pmg.proxmox.com/wiki/index.php/Quarantine_Web_Interface_Via_Nginx_Proxy Is anyone using this in production who can comment on whether there are any drawbacks or limitations with using this? I am guessing I can install this on a separate Debian server with nginx and change the configuration to proxy requests from our mail gateway to the quarantine access server and it should work fine. Right?
Is there any risk in exposing quarantine items, for example via brute-force access by malicious actors? Are the tickets complex enough to be safe enough to expose via the internet? This would be really bad if we can't guarantee quarantine data safety.
I want to reduce the attack vector and load on our mail gateway, so separate servers for each component make sense. We have the infrastructure available for use so this is a non-issue. This could be a 1-core, 4 GB RAM machine and it should be able to sustain high levels of quarantine access without any performance degradation that users can notice. I am guessing that when the email for quarantine access is sent every day we would see quite a spike in server load because everyone is accessing quarantine at the same time.
Can you configure how many times per day to send the access link? Looks like you can send it only once a day at minimum? Like if we want to send it twice a day would that be possible?
How long does the daily access link work for each user via ticket access? I am guessing it's limited to 24h access or does it depend on quarantine retention? Is this value configurable?
Are all quarantine items (SPAM, Virus, Attachment) accessible via the same quarantine? If not, can they be?
Is it possible to modify the quarantine email message where the link to quarantine access is? I want to completely modify this for our use case. Is it possible to create a template item for this so after each upgrade this custom message is retained?
Is it possible for users to add exceptions for senders via quarantine items just for them? I am guessing this is not possible?
The biggest limitation to implementing quarantine access that I can see is that we have to disable almost every major function of Proxmox Mail Gateway to be able to give our users full access to all blocked emails. These functions right now block the majority of spam and malicious emails.
Emails blocked by DNSBL, Reject Unknown Clients, Reject Unknown Senders, SMTP HELO checks, SPF will be blocked before they can even reach the quarantine, so we are forced to disable all these functions to truly enable our users to see all the emails that have been blocked by the mail gateway. If we do not do this then we will still have false positives and we will have to deal with adding whitelist items.
If you have anything to add that I am missing please let me know.
EDIT: Been testing for a few hours and I have more questions.
I see that I am getting 403 Forbidden for qrcode.min.js.
https://example.com/qrcode.min.js
I am also getting 403 Permission check failed for
https://example.com/api2/json/quarantine/spamusers?starttime=1668726000&endtime=1669417200
Is the reason an outdated nginx configuration on https://pmg.proxmox.com/wiki/index.php/Quarantine_Web_Interface_Via_Nginx_Proxy ? How do we fix this? Don't want any errors when deploying this that might produce unexpected behavior.
Can we replace the favicon, the logo, link on the logo, the "Mail Gateway 7.1-11" and the page title <title>mx1-demo - Proxmox Mail Gateway</title> in a way that is persistent after upgrades? Is there a template available for this?
This would be a nice addition for Proxmox subscribers to add logos, text, custom links for their company to give a more personalized look to the quarantine. We don't mind having a "powered by Proxmox" link; that is a non-issue.
I would also like to translate everything to our native language so the spam reports and quarantine are translated and displayed in our language. This will be much better for the users.
Is it possible based on default browser language to detect and then display the default language as selected in the browser without manually changing the language?
I have found the old thread https://forum.proxmox.com/threads/translate-mail-gateway.49432/ and will have a look if I can find how to do this so I can submit my translation. Looks complicated...
Any advice on how to make a custom Daily Spam Report template that will be persistent after upgrades?
I will keep testing and working on it and will let you know if I have more questions.
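The post's point that mail rejected by DNSBL, Reject Unknown Clients, Reject Unknown Senders, SMTP HELO checks or SPF never reaches the quarantine can be measured per tenant from the Postfix log before deciding which checks to relax. This is an added example, not part of the original post or of Proxmox Mail Gateway; the reply-text patterns, log lines and tenant domains are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Reply-text fragments for the checks named in the post. The wording is an
# assumption modelled on stock Postfix replies; confirm against your own logs.
CHECKS = [
    ("DNSBL", re.compile(r"blocked using ")),
    ("Reject Unknown Clients", re.compile(r"Client host rejected: cannot find your hostname")),
    ("Reject Unknown Senders", re.compile(r"Sender address rejected: Domain not found")),
    ("SMTP HELO checks", re.compile(r"Helo command rejected")),
    ("SPF", re.compile(r"Rejected by SPF")),
]
# A NOQUEUE reject was refused during the SMTP dialogue and never queued,
# so it cannot show up in any quarantine view.
REJECT = re.compile(r"NOQUEUE: reject: .*?from=<(?P<sender>[^>]*)>,? to=<(?P<rcpt>[^>]*)>")

def classify(line):
    """Return (check, sender, recipient) for a pre-queue reject, else None."""
    m = REJECT.search(line)
    if not m:
        return None
    check = next((name for name, rx in CHECKS if rx.search(line)), "other")
    return check, m.group("sender"), m.group("rcpt")

def summarize(lines):
    """Count pre-queue rejects per recipient domain (tenant) and per check."""
    per_domain = defaultdict(Counter)
    for line in lines:
        hit = classify(line)
        if hit:
            check, _sender, rcpt = hit
            per_domain[rcpt.rpartition("@")[2].lower()][check] += 1
    return {domain: dict(counts) for domain, counts in per_domain.items()}

# Constructed sample log (documentation IP ranges, example domains).
SAMPLE = """\
Nov 26 09:00:01 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using dnsbl.example.net; from=<a@sender.example> to=<bob@tenant-a.example> proto=ESMTP helo=<mail.sender.example>
Nov 26 09:00:02 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.25 Client host rejected: cannot find your hostname, [198.51.100.7]; from=<c@partner.example> to=<bob@tenant-a.example> proto=ESMTP helo=<partner.example>
Nov 26 09:00:03 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.8]: 450 4.1.8 <d@nodomain.invalid>: Sender address rejected: Domain not found; from=<d@nodomain.invalid> to=<eve@tenant-b.example> proto=ESMTP helo=<host.example>
Nov 26 09:00:04 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 504 5.5.2 <localhost>: Helo command rejected: need fully-qualified hostname; from=<e@x.example> to=<eve@tenant-b.example> proto=ESMTP helo=<localhost>
Nov 26 09:00:05 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.7.1 <eve@tenant-b.example>: Recipient address rejected: Rejected by SPF: 203.0.113.9 is not a designated mailserver for spoof.example; from=<f@spoof.example> to=<eve@tenant-b.example> proto=ESMTP helo=<spoof.example>
Nov 26 09:00:06 mx1 postfix/smtpd[1234]: connect from mail.ok.example[192.0.2.10]
""".splitlines()

if __name__ == "__main__":
    for domain, counts in sorted(summarize(SAMPLE).items()):
        print(domain, counts)
```

Run against a real mail log, the per-domain counts show how much of each tenant's blocked mail would remain invisible in the quarantine while a given check stays enabled.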