PMG transparent mode

Dec 31, 2019
Hello,
I wanted to test PMG to see how it performs on a relay of around 30,000 mails per day.
I have the impression that with PMG you can only relay domains that you have entered in "relay domains".
I have a constraint, because I manage customers who don't have SMTP and who get their mail from third-party operators, so I don't know the domain.
Is it possible to do this with PMG? If so, where can I do it?

Thank you for your help.
Anthony
 
See the reference documentation on the subject:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#chapter_deployment

PMG should very well be able to handle 30k mails/day

mails are processed in 2 directions:
* inbound - there PMG accepts mails for domains which are listed as relay domains - from everybody in the net - this happens on the external port of pmg
* outbound - there PMG accepts mails for every address, when they come from an IP listed in your trusted networks

I hope this helps!
 
This is a very interesting question, I also want to know if it is possible to relay unknown domains on the incoming port 25? At first I thought the "Default Relay" could do this, but after testing I found it is not.
 
Hello,
I can't send an email, PMG refuses my emails, I have this error below.
However, in network I have added the IP of the computer sending the mail.

2023-07-17T09:45:23.238520+02:00 mailgateway postfix/smtpd[29761]: warning: hostname XXX-XXX-XX-XXX.reverse.XXXX.com does not resolve to address 185.243.17.227: Name or service not known
2023-07-17T09:45:23.238657+02:00 mailgateway postfix/smtpd[29761]: connect from unknown[XXX-XXX-XX-XXX]
2023-07-17T09:45:23.273484+02:00 mailgateway postfix/smtpd[29761]: NOQUEUE: reject: RCPT from unknown[XXX-XXX-XX-XXX]: 554 5.7.1 <XXXX.XXXX@XXX.com>: Relay access denied; from=<XXXX.XXXX@XXX.com> to=<XXXX.XXXX@XXX.com> proto=ESMTP helo=<[XXX-XXX-XX-XXX]>
2023-07-17T09:45:23.273588+02:00 mailgateway postfix/smtpd[29761]: using backwards-compatible default setting smtpd_relay_before_recipient_restrictions=no to reject recipient "XXXX.XXXX@XXX.com" from client "unknown[XXX-XXX-XX-XXX]"
2023-07-17T09:45:23.291381+02:00 mailgateway postfix/smtpd[29761]: lost connection after RCPT from unknown[XXX-XXX-XX-XXX]
2023-07-17T09:45:23.291456+02:00 mailgateway postfix/smtpd[29761]: disconnect from unknown[XXX-XXX-XX-XXX] ehlo=1 mail=1 rcpt=0/1 commands=2/3
 
sadly the obfuscation makes it impossible to see what is going on here exactly, but my guess is:

you send mail on the port 25 (the "incoming" port) but for a domain not entered in the relay domains
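
A triage sketch for the log above, added here as an example and not part of the original posts: it reads Postfix `Relay access denied` lines and compares each client and recipient domain with the relay domains and trusted networks described earlier in the thread. The function name, the sample addresses (documentation ranges) and the domain and network lists are assumptions.

```python
import ipaddress
import re

# Constructed sample in the format of the log posted above; addresses come from
# documentation ranges and the last line keeps the thread's style of redaction.
SAMPLE_LOG = """\
2023-07-17T09:45:23.238657+02:00 mailgateway postfix/smtpd[29761]: connect from unknown[192.0.2.10]
2023-07-17T09:45:23.273484+02:00 mailgateway postfix/smtpd[29761]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <bob@example.net>: Relay access denied; from=<alice@example.com> to=<bob@example.net> proto=ESMTP helo=<[192.0.2.10]>
2023-07-17T09:46:01.101010+02:00 mailgateway postfix/smtpd[29770]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <carol@example.org>: Relay access denied; from=<dave@example.net> to=<carol@example.org> proto=ESMTP helo=<[198.51.100.7]>
2023-07-17T09:47:12.202020+02:00 mailgateway postfix/smtpd[29771]: NOQUEUE: reject: RCPT from unknown[XXX-XXX-XX-XXX]: 554 5.7.1 <erin@example.org>: Relay access denied; from=<frank@example.net> to=<erin@example.org> proto=ESMTP helo=<[XXX-XXX-XX-XXX]>
"""

REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from \S+?\[(?P<ip>[^\]]+)\]: 554 5\.7\.1 <[^>]*>: "
    r"Relay access denied; from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def explain_relay_denials(log_text, relay_domains, trusted_networks):
    """Return one finding per 'Relay access denied' line, with a likely cause."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    domains = {d.lower() for d in relay_domains}
    findings = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # connect/disconnect and other smtpd lines
        rcpt_domain = m["rcpt"].rpartition("@")[2].lower()
        try:
            trusted = any(ipaddress.ip_address(m["ip"]) in n for n in nets)
        except ValueError:
            trusted = None  # redacted or malformed client address
        if rcpt_domain in domains:
            cause = "listed relay domain still refused: lists given here differ from the running config"
        elif trusted:
            cause = "trusted client on the inbound port: send via the outbound direction instead"
        elif trusted is None:
            cause = "client address unreadable: cannot compare with trusted networks"
        else:
            cause = "untrusted client, foreign domain: rejection is the expected anti-relay behaviour"
        findings.append({"client": m["ip"], "rcpt_domain": rcpt_domain,
                         "trusted": trusted, "cause": cause})
    return findings

if __name__ == "__main__":
    for f in explain_relay_denials(SAMPLE_LOG, ["example.com"], ["192.0.2.0/24"]):
        print(f["client"], f["rcpt_domain"], "->", f["cause"])
```

The first finding is the case guessed at in the reply above: a client that is in the trusted networks but talks to the inbound port for a domain that is not a relay domain.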
 
Hello,
here you will find all the logs for a shipment.
this one is in status accepted/bounced

Just so you understand my installation.
My mail client is configured with the public IP.
This IP is carried by my firewall, which NATs to my server on port 26.

My aim is to relay mail from any sender to any recipient, but I don't know the sender and recipient, so I need to authorize everyone.

i don't know if my request is understandable
 

Attachment: pmg.txt
first:
in your log it shows that the next email server (mx4.mail.ovh.net) does not accept the mail for the recipient
so it seems your pmg is not configured to properly lookup the mx records? how is it configured?

second:

My aim is to relay mail from any sender to any recipient, but I don't know the sender and recipient, so I need to authorize everyone.
this is a very bad idea, basically you're building an open relay, which will land you shortly on a blacklist (and then you won't be able to send any email)

again please look at the documentation my colleague posted above:

pmg is intended to sit between the internet and your mail servers (they don't have to be local, they can also be a cloud host)
and accept incoming mails for a predetermined list of domains (the domains for which your mail servers are configured to receive mails)
and accept outgoing mails for any domains but only from specific networks (the mails your employees, customers, etc. send out)
 
I removed the koesio.link domain in "relaying".
Now it no longer queries OVH, but the recipient's mx.
My mail is now in quarantine (see attached file).
why is it SPAM?

I need it to be an open relay, the security would be done on the upstream public IPs with a fortinet.

my goal is for my customers to use our PMG SMTP so that their sent mail can be analyzed to make sure it's not SPAM or VIRUS.
 

Attachment: pmg2.txt
the spam rule hits are:

BODY_SINGLE_WORD(0.001)
DMARC_MISSING(0.1)
KAM_DMARC_STATUS(0.01)
KAM_SOMETLD_ARE_BAD_TLD(5)
NO_FM_NAME_IP_HOSTN(0.001)
RDNS_NONE(1.274)
SCC_BODY_SINGLE_WORD(0.001)
SPF_SOFTFAIL(0.972)
TVD_SPACE_RATIO(0.001)
T_SCC_BODY_TEXT_LINE(-0.01)

i emphasized the 3 most impactful (the tld is untrustworthy, spf was a softfail, and there was no rdns)
 
Thank you for your advice.
I'm really bad at mail.
What should I do to correct the TLD?
What should I do to correct the RDNS?

SPF_SOFTFAIL: I corrected it, I don't have it anymore, but I now have SPF_PASS(-0.001).
 
hi, please write your posts in english otherwise not everybody is able to help or understand

(i translated via deepl.com):

Thank you for your advice.
I'm really bad at mail.
what should I do to correct the TLD?
what should I do to correct the RDNS

SPF_SOFTFAIL I corrected it, I don't have it anymore but I now have SPF_PASS(-0.001).

the tld is the '.link' in the mail address, you could possibly adapt the scoring of that specific rule, but most of such tlds are bad (that's the reason the rules exist)
(check https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_spamdetector chapter 'customization of rule scores')

the rdns is the reverse dns of the sending server, if you don't control that you cannot change it...

SPF_PASS is ok, it says spf passed ;)
 
Sorry, I went a bit fast.
thank goodness deepl is here ;-)

I'm having trouble understanding what rule I need to create to authorize the .link domain.
do you have an example?
 
no rule, just adapt the score for the 'KAM_SOMETLD_ARE_BAD_TLD' rule to something lower (this will impact other domains as well, like .xyz)
see the docs link i posted for info on how to do that
 
I did this, but it doesn't work.
I'm having trouble understanding what it says in the doc
 

Attachment: Capture d’écran 2023-07-19 à 09.16.44.png
please write your posts in english
 
I did this, but it doesn't work.
I'm having trouble understanding what it says in the doc
you have to put in the name of the rule, so "KAM_SOMETLD_ARE_BAD_TLD". but as i said this modified value is used for the whole rule, not only one specific domain
 
