no TLS inside, TLS outside

D

dodoj

Member
Aug 17, 2020
9
0
21
63
We are still running old email server (2003 :-( ). It is not covering latest TLS protocols. How can I configure that no TLS should be used between PMG and intern mail server and force it to be used between PMG and outside world?

This should allow us to test and maybe use PMG.

Thanks
 
regarding
dodoj said:
How can I configure that no TLS should be used between PMG and intern mail server
Click to expand...
set a fitting TLS Destination policy (in GUI->Configuration->Mail Proxy->TLS->TLS Destination policy) (with policy 'none')
see: https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_mail_proxy_configuration (section 4.6.9)

since this is an internal mail server it will be either configured as default relay(GUI->Configuration->Mail Proxy->Relaying), or as Transport (GUI->Configuration->Mail Proxy->Transports) you need to create an entry for 'next-hop' destination - see this forum thread for such a case:
https://forum.proxmox.com/threads/cannot-start-tls-handshake-failure.82838/post-364678

dodoj said:
and force it to be used between PMG and outside world?
Click to expand...
'forcing' TLS for SMTP is (in almost all cases) not a good idea for a server which needs to connect to and receive mail from the whole internet:
* many SMTP servers (still) don't have a working (let alone valid) TLS setup
* this usually results in many not deliverable mails
simply enabling TLS in the GUI enables TLS where this is possible with the remote server, else the mail is sent in the clear

I hope this helps!
 
Stoiko Ivanov said:
regarding

set a fitting TLS Destination policy (in GUI->Configuration->Mail Proxy->TLS->TLS Destination policy) (with policy 'none')
see: https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_mail_proxy_configuration (section 4.6.9)

since this is an internal mail server it will be either configured as default relay(GUI->Configuration->Mail Proxy->Relaying), or as Transport (GUI->Configuration->Mail Proxy->Transports) you need to create an entry for 'next-hop' destination - see this forum thread for such a case:
https://forum.proxmox.com/threads/cannot-start-tls-handshake-failure.82838/post-364678


'forcing' TLS for SMTP is (in almost all cases) not a good idea for a server which needs to connect to and receive mail from the whole internet:
* many SMTP servers (still) don't have a working (let alone valid) TLS setup
* this usually results in many not deliverable mails
simply enabling TLS in the GUI enables TLS where this is possible with the remote server, else the mail is sent in the clear

I hope this helps!
Click to expand...
Thanks,

the secret was to put IP in brackets [xxx.xxx.xxx.xxx]:25 with address of intern mail server. So I succeded to conect from PMG to intern server. But there are still issues:

1) PMG is installed behind firewall. Firewall is forwarding port 25 to PMG. Let say "mail.example.com" port 25 should be forwarded to "mail.example.local" port 25. Intern mail server should relay using PMG. But how to make it?

a) If I use "example.local" as search domain in PMG than PMG respond to outside word with "mail.example.local" (and it should be "mail.example.com"). There is a mismatch in SMTP banner, so I can't use it.
b) If I use "example.com" as search domain in PMG, then PMG is not valid registered in local DNS (I am using static address for PMG). There is no DNS registration for "mail.example.local" in local network. I must use FQDN for smart host in exchange config to relay through PMG.

In my understanding, option to configure SMTP banner separately from search-domain is missing. Any idea?
 
dodoj said:
1) PMG is installed behind firewall. Firewall is forwarding port 25 to PMG. Let say "mail.example.com" port 25 should be forwarded to "mail.example.local" port 25. Intern mail server should relay using PMG. But how to make it?
Click to expand...
as a side-note - most firewalls I know keep the rules based on IPs (and not on hostnames) - but that should not be too material here...
Usually you configure your internal mail server to use PMG (based on hostname or IP-address) as 'Smarthost' or 'outbound relay' - nothing more needed. How to do that configuration depends on the software running on your internal server.

AFAIK very few SMTP-servers refuse to send mail to a host, which has a different name in it's helo response than what the DNS says?
and all SMTP servers I know have a way of adding an exception for this

put differently - what error-messages do you get from your Exchange?

The Banner is configurable (GUI->Configuration->Mail Proxy->Options) - however the smtp_helo_name is not configurable via GUI - you'd need to adapt the main.cf.in configuration template for this:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine

I hope this helps!
 
Thanks for info.

I solved the issue by:
a) adding dns definition for mail server with correct FQDN (mail.example.local)
b) this name is added to exchange as smarthost
c) host name and search path for mail server remained public: (mail.example.com)

Now it works. However, I still think that it should be good to configure fqdn of maile server in local network separately from public fqdn.

Cheers!
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back