Problems getting full functionality on the mail gateway.

ReeceAB

New Member
Jun 5, 2023
So I know that the title is fairly generic, I have a lot of stuff here that will take time to read.

So the TLDR is, I can either receive mail on the server, or see the mail being registered on the gateway, but never both.

I have conducted various tests to try to narrow down what the precise issue is, but I have yet to identify the specific issue.

Test 1:
Firewall points to 192.168.0.171 (mail server)
Mailgateway rule is deactivated on firewall
Mailserver can receive mail
Mail gateway does not spot mail coming in.
mx records = mailserver.eplatform.ai, mailgateway.eplatform.ai
a records = mailserver

Test 2:
Our firewall points to 192.168.0.170 (mail gateway), with all relevant services required
mx record for the domain: mailgateway.eplatform.ai
here mail is not received by server, nor registered on mail gateway
one a record for mailserver

Test 3:
Firewall points to mail gateway
mx records: mailserver.eplatform.ai and mailgateway.eplatform.ai
a records: mailgateway, mailserver
mail is picked up by the mail gateway
mailserver still cannot receive any mails

Test 4:
Firewall now points to both devices, essentially the rule is cloned and points to the server and gateway
mx records as per test 3
a records as per test 3
mail gateway can spot mail
mail server cannot receive mail

Test 5:
Repeat of test 1, except A records match that of test 3

I really can't understand what the next step is. Unfortunately, there isn't a great deal of resources online to help me fix this.

****EDIT****

So I think it would be helpful for me to post all the relevant configurations on the various devices, like firewall, mailserver, pmg etc.
Starting with the firewall:
Our firewall points the following services to PMG:
imap
pop
imap over SSL
pop over SSL
Ports 25 & 26
smtp
smtp over SSL

The firewall points port 25 & 26 to mailserver.

As for the mail server configuration:
Default relay: mailserver.eplatform.ai
Relay Port: 25
Relay Protocol: smtp
Relay domains: eplatform.ai, mailserver.eplatform.ai
External SMTP Port: 25
Internal SMTP Port: 26
Transports:
Relay domain: mailserver.eplatform.ai
Host: 192.168.0.171
Protocol: smtp
Port: 25
Use MX: No
****EDIT ENDS****
 
a) I moved your thread to the Mail Gateway forum, as it seems this is a better match

In general the setup is not too complicated - see: https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#chapter_deployment

* create one MX record pointing to a hostname, which resolves to the public IP of your firewall
* have one rule in your firewall, which forwards traffic on TCP/25 to port 25 (or whatever you configured as external port) on your PMG
* configure your PMG with your downstream mail-server as default relay (or if you have multiple domains, with different servers - use transport entries)

send a testmail - and keep an eye on the logs in the firewall, PMG and your mailserver

I hope this helps!
 
Yeah I have set up all of those so I am not sure where I am going wrong
 
What does the log of your PMG say?
(or the one of your mailserver or firewall?)
 
Can you help me with the location of these logs on the PMG? I can see on the deferred mail tab on the queue administration page that it cannot connect to the mailserver on port 25 and gets a connection refused, so it could be something to do with that?
 
OK I have found the logs, what info are you looking for? I've barely ever touched PMG so I am learning as I go here
 
Our firewall points the following services to PMG:
imap
pop
imap over SSL
pop over SSL
this is not necessary - PMG does not handle IMAP/POP connections - it is a smtp proxy
(similarly there is no smtp over ssl (unless you configure the non-standard port 465 manually in the PMG postfix config...))


Ports 25 & 26
smtp
smtp over SSL

The firewall points port 25 & 26 to mailserver.
this sounds off - your firewall can only forward port 25 (which is smtp) to one machine - you write that it forwards it to both PMG and your mailserver?

OK I have found the logs, what info are you looking for? I've barely ever touched PMG so I am learning as I go here
PMG logs everything to syslog - so files /var/log/syslog (and /var/log/mail.log, which contains only the mail-relevant subset of syslog) should contain the information...
 
OK, I will deactivate pop, imap etc and just forward port 25 to it.

I am stabbing in the dark which is why I forwarded to both machines

Log files attached, syslog is too large to attach, shall I run a tail command and paste some of the findings here?
 

Code:
E15E53210FB: to=<postmaster@eplatform.ai>, relay=none, delay=284859, delays=284859/0.03/0.07/0, dsn=4.4.1, status=deferred (connect to mailserver.eplatform.ai[62.64.134.114]:25: Connection refused)

not sure if eplatform.ai is your domain - if it is you probably should point it to your downstream mail-server (as said above by setting the default relay or a transport entry through the GUI)

the A record of mailserver.eplatform.ai points to the same address as mailgateway.eplatform.ai ... - you should clean this up as explained above

So ... it seems that the current root-cause is that you don't have a fitting DNS-entry for your internal network - PMG tries to send the mail to your public IP (which is your firewall, which blocks connections from the inside ...)

create an internal DNS-entry that points to the internal address of your downstream server
 
As far as I am aware everything is correctly configured when it comes to setting up default relay and transports etc.
The a records pointing to the same place I assumed was correct as the Proxmox and Server are both local devices that sit behind our public firewall.

I will certainly look at creating an internal dns entry and see what I can do.
 
The a records pointing to the same place I assumed was correct as the Proxmox and Server are both local devices that sit behind our public firewall.
can be - and also can be useful - e.g. when you forward imap/pop to the mailserver

however your PMG needs to speak with your mailserver internally - thus when it resolves mailserver.your.domain it needs to get the private IP of the machine not the public one...
depending on your infrastructure - this is either achieved by an entry in PMG's /etc/hosts file - or through an entry in your internal DNS-server
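
The symptom diagnosed in this thread, as an added example (not part of any post and not Proxmox code): a Python check that parses Postfix delivery lines from /var/log/mail.log and flags deferred mail whose next hop resolved to a non-private address. The second sample line and all function names are constructed; it assumes the downstream mail server sits on a private address, as 192.168.0.171 does here.

```python
import ipaddress
import re

# First line is the deferred entry quoted in the thread; the second is a
# constructed "healthy" delivery for contrast.
SAMPLE_LOG = """\
E15E53210FB: to=<postmaster@eplatform.ai>, relay=none, delay=284859, delays=284859/0.03/0.07/0, dsn=4.4.1, status=deferred (connect to mailserver.eplatform.ai[62.64.134.114]:25: Connection refused)
A1B2C3D4E5F: to=<user@eplatform.ai>, relay=mailserver.eplatform.ai[192.168.0.171]:25, delay=0.4, delays=0.1/0.01/0.1/0.19, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9F3C21)
"""

DELIVERY_RE = re.compile(
    r"(?P<qid>[0-9A-Za-z]{6,}): to=<(?P<rcpt>[^>]*)>.*?\bstatus=(?P<status>\w+)")
# Next hop appears as relay=host[ip]:port on success, or inside the
# "connect to host[ip]:port" reason when the connection itself failed.
HOP_RE = re.compile(
    r"(?:relay=|connect to )(?P<host>[^\[\s,]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+)")


def parse_delivery(line):
    """Return queue id, recipient, status and next hop of one delivery line."""
    delivery, hop = DELIVERY_RE.search(line), HOP_RE.search(line)
    if not delivery or not hop:
        return None
    try:
        ip = ipaddress.ip_address(hop["ip"])
    except ValueError:
        return None  # malformed address field, skip the line
    return {**delivery.groupdict(), "host": hop["host"], "ip": str(ip),
            "port": int(hop["port"]), "internal": ip.is_private}


def find_misrouted(log_text):
    """Deferred deliveries whose next hop is not a private address."""
    hits = []
    for line in log_text.splitlines():
        d = parse_delivery(line)
        if d and d["status"] == "deferred" and not d["internal"]:
            hits.append((d["qid"], d["host"], d["ip"]))
    return hits


if __name__ == "__main__":
    for qid, host, ip in find_misrouted(SAMPLE_LOG):
        print(f"{qid}: {host} resolved to public {ip}; add an internal "
              "DNS or /etc/hosts entry on the gateway")
```
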
 
