Problems getting full functionality on the mail gateway.

[ReeceAB]

So I know that the title is fairly generic, I have a lot of stuff here that will take time to read.

So the TLDR is, I can either receive mail on the server, or see the mail being registered on the gateway, but never both.

I have conducted various tests to try and narrow down what the precise issue is, I am still yet to identify the specific issue.
Test 1:
Firewall points to 192.168.0.171 (mail server)
Mailgateway rule is deactivated on firewall
Mailserver can receive mail
Mail gateway does not spot mail coming in.
mx records = mailserver.eplatform.ai, mailgateway.eplatform.ai
a records = mailserver

Test 2:
Our firewall points to 192.168.0.170 (mail gateway), with all relevant services required
mx record for the domain: mailgateway.eplatform.ai
here mail is not received by server, nor registered on mail gateway
one a record for mailserver

Test 3:
Firewall points to mail gateway
mx records: mailserver.eplatform.ai and mailgateway.eplatform.ai
a records: mailgateway, mailserver
mail is picked up by the mail gateway
mailserver still cannot receive any mails
Test 4:
Firewall now points to both devices, essentially the rule is cloned and points to the server and gateway
mx records as per test 3
a records as per test 3
mail gateway can spot mail
mail server cannot receive mail

Test 5:
Repeat of test 1, except A records match that of test 3

I really can't understand what the next step is, unfortunately there isn't a great deal of resources online to help me fix this.

****EDIT****

So I think it would be helpful for me to post all the relevant configurations on the various devices, like firewall, mailserver, pmg etc.
Starting with the firewall:
Our firewall points the following services to PMG:
imap
pop
imap over SSL
pop over SSL
Ports 25 & 26
smtp
smtp over SSL

The firewall points port 25 & 26 to mailserver.

As for the mail server configuration:
Default relay: mailserver.eplatform.ai
Relay Port: 25
Relay Protocol: smtp
Relay domains: eplatform.ai, mailserver.eplatform.ai
External SMTP Port: 25
Internal SMTP Port: 26
Transports:
Relay domain: mailserver.eplatform.ai
Host: 192.168.0.171
Protocol: smtp
Port: 25
Use MX: No
****EDIT ENDS****

 

[Stoiko Ivanov]

a) I moved your thread to the Mail Gateway forum, as it seem this is a better match

In general the setup is not too complicated - see: https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#chapter_deployment

* create one MX record pointing to a hostname, which resolves to the public IP of your firewall
* have one rule in your firewall, which forwards traffic on TCP/25 to port 25 (or whatever you configured as external port) on your PMG
* configure your PMG with your downstream mail-server as default relay (or if you have multiple domains, with different servers - use transport entries)

send a testmail - and keep an eye on the logs in the firewall, PMG and your mailserver

I hope this helps!

 

[ReeceAB]

a) I moved your thread to the Mail Gateway forum, as it seem this is a better match

In general the setup is not too complicated - see: https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#chapter_deployment

* create one MX record pointing to a hostname, which resolves to the public IP of your firewall
* have one rule in your firewall, which forwards traffic on TCP/25 to port 25 (or whatever you configured as external port) on your PMG
* configure your PMG with your downstream mail-server as default relay (or if you have multiple domains, with different servers - use transport entries)

send a testmail - and keep an eye on the logs in the firewall, PMG and your mailserver

I hope this helps!

Yeah I have set up all of those so I am not sure where I am going wrong

 

[Stoiko Ivanov]

What does the log of your PMG say?
(or the one of your mailserver or firewall?)

 

[ReeceAB]

Can you help me with the location of these logs on the PMG? I can see on the deferred mail tab on the queue administration page that it cannot connect to the mailserver on port 25 and gets a connection refused, so it could be something to do with that?

 

[ReeceAB]

Can you help me with the location of these logs on the PMG? I can see on the deferred mail tab on the queue administration page that it cannot connect to the mailserver on port 25 and gets a connection refused, so it could be something to do with that?

OK I have found the logs, what info are you looking for? I've barely ever touched PMG so I am learning as I go here

 

[ReeceAB]

I have posted my configurations on the end of the post if that helps.

 

[Stoiko Ivanov]

Our firewall points the following services to PMG:
imap
pop
imap over SSL
pop over SSL

this is not necessary - PMG does not handle IMAP/POP connections - it is a smtp proxy
(similarly there is no smtp over ssl (unless you configure the non-standard port 465 manually in the PMG postfix config...)

Ports 25 & 26
smtp
smtp over SSL

The firewall points port 25 & 26 to mailserver.

this sounds off - your firewall can only forward port 25 (which is smtp) to one machine - you write that it forwards it to both PMG and your mailserver?

OK I have found the logs, what info are you looking for? I've barely ever touched PMG so I am learning as I go here

PMG logs everything to syslog - so files /var/log/syslog (and /var/log/mail.log, which contains only the mail-relevant subset of syslog) should contain the information...

 

[ReeceAB]

this is not necessary - PMG does not handle IMAP/POP connections - it is a smtp proxy
(similarly there is no smtp over ssl (unless you configure the non-standard port 465 manually in the PMG postfix config...)



this sounds off - your firewall can only forward port 25 (which is smtp) to one machine - you write that it forwards it to both PMG and your mailserver?


PMG logs everything to syslog - so files /var/log/syslog (and /var/log/mail.log, which contains only the mail-relevant subset of syslog) should contain the information...

OK, I will deactivate pop, imap etc and just forward port 25 to it.

I am stabbing in the dark which is why I forwarded to both machines

Log files attached, syslog is too large to attach, shall I run a tail command and paste some of the findings here?

 

[Stoiko Ivanov]

E15E53210FB: to=<postmaster@eplatform.ai>, relay=none, delay=284859, delays=284859/0.03/0.07/0, dsn=4.4.1, status=deferred (connect to mailserver.eplatform.ai[62.64.134.114]:25: Connection refused)

not sure if eplatform.ai is your domain - if it is you probably should point it to your downstream mail-server (as said above by setting the default relay or a transport entry through the GUI)

the A record of mailserver.eplatform.ai points to the same address as mailgateway.eplatform.ai ... - you should clean this up as explained above

So ... it seems that the current root-cause is that you don't have a fitting DNS-entry for your internal network - PMG tries to send the mail to your public IP (which is your firewall, which blocks connections from the inside ...)

create an internal DNS-entry that points to the internal address of your downstream server

 

[ReeceAB]

E15E53210FB: to=<postmaster@eplatform.ai>, relay=none, delay=284859, delays=284859/0.03/0.07/0, dsn=4.4.1, status=deferred (connect to mailserver.eplatform.ai[62.64.134.114]:25: Connection refused)

not sure if eplatform.ai is your domain - if it is you probably should point it to your downstream mail-server (as said above by setting the default relay or a transport entry through the GUI)

the A record of mailserver.eplatform.ai points to the same address as mailgateway.eplatform.ai ... - you should clean this up as explained above

So ... it seems that the current root-cause is that you don't have a fitting DNS-entry for your internal network - PMG tries to send the mail to your public IP (which is your firewall, which blocks connections from the inside ...)

create an internal DNS-entry that points to the internal address of your downstream server

As far as I am aware everything is correctly configured when it comes to setting up default relay and transports etc.
The a records pointing to the same place I assumed was correct as the Proxmox and Server are both local devices that sit behind our public firewall.

I will certainly look at creating an internal dns entry and see what I can do.

 

[Stoiko Ivanov]

The a records pointing to the same place I assumed was correct as the Proxmox and Server are both local devices that sit behind our public firewall.

can be - and also can be useful - e.g. when you forward imap/pop to the mailserver

however your PMG needs to speak with your mailserver internally - thus when it resolves mailserver.your.domain it needs to get the private IP of the machine not the public one...
depending on your infrastructure - this is either achieved by an entry in PMG's /etc/hosts file - or through an entry in your internal DNS-server