Proxmox Mail Gateway 7.2 available

martin

Proxmox Staff Member
Staff member
Apr 28, 2005
754
1,742
223
Proxmox Mail Gateway 7.2 is out! It has been exactly a year since the last version, but today we are pleased to announce a new version of our email security solution. It's based on Debian 11.5 (“Bullseye”), uses the newer Linux kernel 5.15, as well as ZFS 2.1.6. The latest upstream release of Apache SpamAssassin 3.4.6 with an updated rule-set, and PostgreSQL 13.8 are included.

We have added support for Unicode characters and you can now better handle SMTPUTF8 emails. And a lot of improvements for the quarantine web interface.

Countless bugfixes and other smaller improvements are included as well, see the full release notes.

Thank you all for supporting the Proxmox Mail Gateway project over the last 17 years!

Release notes
https://pmg.proxmox.com/wiki/index.php/Roadmap#Proxmox_Mail_Gateway_7.2

Press release
https://www.proxmox.com/en/news/press-releases/

Download
https://www.proxmox.com/en/downloads
Alternate ISO download:
https://enterprise.proxmox.com/iso

HELP & SUPPORT

Documentation

https://pmg.proxmox.com/pmg-docs

Community Forum
https://forum.proxmox.com

Source Code
https://git.proxmox.com

Bugtracker
https://bugzilla.proxmox.com

FAQ
Q: Can I upgrade Proxmox Mail Gateway 7.x to 7.2 via GUI (or apt)?
A: Yes

Q: Can I install Proxmox Mail Gateway on top of Debian Bullseye?
A: Yes, see https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmg_install_on_debian

Q: Can I install Proxmox Mail Gateway as a virtual machine on Proxmox Virtual Environment, VMware, or Hyper-V ?
A: Yes, just do the ISO install. If you install on Hyper-V as a generation 2 virtual machine, please disable secure boot.

Q: Can I install Proxmox Mail Gateway as LXC container on Proxmox Virtual Environment?
A: Yes, just download the template via the integrated template downloader.

A big Thank you to everyone who has contributed and sent feedback, and for testing, bug reporting and patch submitting!

__________________
Best regards,

Martin Maurer
Proxmox Mail Gateway project leader
 
Just upgraded. Thanks for the new version we have production-ready repositories and it seems to be working fine.
Shutout to @Stoiko Ivanov he has really been responsive and helpful always big thanks to him for helping and making this product enjoyable to use even with all limitations it has. It is really a single tenant product I wish I knew that before I started using it.

Something to consider for the future release that would improve the product in my opinion:
- Add an option to add custom branding especially for user quarantine. On every product we use we can add our company logo and our links (to our documentation) so the portal it's familiar to our users (it's coming from our company). It's also harder for spammers to completely replicate our quarantine look by just using stock proxmox without any custom branding
You can add powered by proxmox on the bottom or left side and your link to proxmox.com that is completely fine.
I am talking about this: /pve2/images/proxmox_logo.png, /pve2/images/logo-128.png

- Add more official antivirus support I am willing to offer to proxmox team licence for ESET Server Security for Linux for use for unlimited time for free as we have the licence available for use. I need more time but currently testing scanning via ICAP ESET on seperate server installed and it's working really well but I have no understanding if there are any failures happening or anything can be integrated better then just with a custom script. https://forum.proxmox.com/threads/o...inux-integration-with-pmg.116858/#post-509574

- If there is anything that can be improved with malicious/phishing links detection. It's one of the biggest pain points right now a lot of people abusing for example sendgrid.net and we can't just block them because a lot of legitimate companies use this service. It's already too late when the malicious mail it's delivered.
Can anything from https://safebrowsing.google.com/safebrowsing/report_phish/ or https://feedback.smartscreen.microsoft.com/feedback.aspx https://learn.microsoft.com/en-us/w...creen/microsoft-defender-smartscreen-overview be used here?

- Something to consider for really really long term I wish we had some kind of shared information between configurations of proxmox mail gateway something you can opt in for example right now everyone is trying on their own making their own scripts, rules for blocking messages that spamassasin or KAM rules can't detect if this information could be shared in a smart way (I know it's a hard problem to do this well) so when someone "trusted" creates some rule and blocks malicious email this rules/configuration is applied to everyone that opted in "proxmox malicious network". Mostly interested in rules that block things. Before we had Barracuda spam filter and they had an option to report malicious email to their team so they would improve detection in the future. We would be willing to pay for this feature as it would vastly improve the early detection of malicious mail. Speed of detection is crucial here.

I know everything I said above also increases complexity of the product so that is kind of contradictory to something I strongly believe. Keeping it as simple and clean as possible when you have something that is working extremely well.

Thank you keep up the good work!
 
Last edited:
  • Like
Reactions: Stoiko Ivanov
Thanks for the feedback :)

- Add an option to add custom branding especially for user quarantine.
see https://bugzilla.proxmox.com/show_bug.cgi?id=1685


- Add more official antivirus support
As said - most antivirus solutions don't offer a sensible licensing for the use-case - and integrating a third party product into PMG has more than once been a disappointing experience for our users, when the third party provider changed their licensing ...
However I would consider looking into implementing an ICAP client in PMG potentially worth-while (if there is a bit wider support - which I would have to check, and if it doesn't mean that every antivirus speaks its own dialect of ICAP ;) - if you want you can open an enhancement request over at https://bugzilla.proxmox.com - no promises when/if we'll get around to implementing this though :)

Thanks for you research into ESET in any case!

If there is anything that can be improved with malicious/phishing links detection. It's one of the biggest pain points right now a lot of people abusing for example sendgrid.net and we can't just block them because a lot of legitimate companies use this service. It's already too late when the malicious mail it's delivered.
Can anything from https://safebrowsing.google.com/safebrowsing/report_phish/ or https://feedback.smartscreen.microsoft.com/feedback.aspx https://learn.microsoft.com/en-us/w...creen/microsoft-defender-smartscreen-overview be used here?
Currently I'm not aware of any new technology/service that would actually improve that experiece (but getting results from uribl is definitely one of the things that hugely improve detection rates)
regarding Google Safe Browsing - ClamAV stopped distributing the signature file for it - and we removed the option as well from the GUI (and will drop the option with 8.0):
https://blog.clamav.net/2021/04/are-you-still-attempting-to-download.html
Additionally in our experience that database did not really generate any sensible hits - but should you wish to experiment with it see:
https://github.com/Cisco-Talos/clamav-safebrowsing

Regarding the Microsoft Defender smartscreen - from what I see it's something running in your browser - or do they offer any other (sensibly licensed) URL checking service? Also having such things running in your browser does seem like a fine place for such things in general.

wish we had some kind of shared information between configurations of proxmox mail gateway something you can opt in for example right now everyone is trying on their own making their own scripts, rules for blocking messages that spamassasin or KAM rules can't detect if this information could be shared in a smart way
Depending on what you have in mind concretely I think most of the ideas I have don't really work well for this use-case:
* rules people implement because they need them for _their_ environment - sharing those makes little sense, since they are tailored for a specific environment
* reporting malicious mails for better detection: Razor, Pyzor, DCC, ... and quite a few other services already did (and partially still do) that - eventually sadly the data does not help too much (last time I checked for us - razor/pyzor caused a few (not many) false positives, and the actually bad mails were caught by other indicators in SpamAssassin quite well) - so for now I don't think that such a service will really improve general detection
 
  • Like
Reactions: t.lamprecht
Hello,

I am trying to update my Proxmox Mail Gateway from version 7.1-1 to 7.2 using the command line upgrade process. I followed the steps given in the official documentation and ran the following commands:

apt update
apt dist-upgrade

However, after the reboot, my Proxmox Mail Gateway is still on version 7.1-1 and the update did not seem to be successful.

I checked my internet connection and it seems to be working fine. I also made sure to create a backup of my configuration before attempting the update.

Does anyone have any idea what could be causing this issue? Any help would be greatly appreciated.

Thank you.
 
please share the output of both commands here (in code blocks as text)

else it's not really possible to see what might be wrong
 
root@smtpgateway:~# apt update
Hit:1 http://security.debian.org bullseye-security InRelease
Err:2 https://enterprise.proxmox.com/debian/pmg bullseye InRelease
401 Unauthorized [IP: 212.224.123.70 443]
Hit:3 http://ftp.us.debian.org/debian bullseye InRelease
Hit:4 http://ftp.us.debian.org/debian bullseye-updates InRelease
Reading package lists... Done
E: Failed to fetch https://enterprise.proxmox.com/debian/pmg/dists/bullseye/InRelease 401 Unauthorized [IP: 212.224.123.70 443]
E: The repository 'https://enterprise.proxmox.com/debian/pmg bullseye InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
root@smtpgateway:~# apt dist-upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@smtpgateway:~#
 
Thank you.
I have successfully passed 7.2.
I have a second question.
I can't update SPAM.
I put the update screen information for spam in the attachment.
It used to be regularly updated.
 

Attachments

  • 222.JPG
    222.JPG
    32.3 KB · Views: 8
Thank you.
I have successfully passed 7.2.
I have a second question.
I can't update SPAM.
I put the update screen information for spam in the attachment.
It used to be regularly updated.
I'd guess there is a problem in your DNS settings - or with the outbound firewall (sa-update needs access to the internet)

If this does not help - please open a new thread for the issue
 
gateway is only used to receive mail.
It is not used to send mail.
I did not make any changes to the system.
I kept doing the classic updates.
Is it possible to impose a restriction on DATACENTER?
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!