Some questions about PMG

C

ChrisTG74

New Member
Nov 12, 2025
4
0
1
Hi there,

I'm currently running a test-drive of PMG 9.0 to roll it out later to protect our company-emails from spam and phishing. I used the bundled ISO for the install.
First, thanks for developing such an intuitive and great email-filter solution! From what I saw and experienced until now, I'm quite impressed. :)

I have a few questions for which I could not find answers in the docs:
  • Why are there no firewalld/ufw/iptables/etc. rules active? As far as I can see, the machine is completely "open" to the network.
  • Are there any plans to provide UI-support for setting up authentication for relay/transport entries?
  • Is it possible to in-place-upgrade later when a 10.x is released without losing any data?
Many thanks in advance!
 
ChrisTG74 said:
Why are there no firewalld/ufw/iptables/etc. rules active? As far as I can see, the machine is completely "open" to the network.
Click to expand...
mostly because PMG itself is meant to be deployed behind a firewall - see: https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#chapter_deployment
But apart from that - because there are quite a few deployments which do need to adapt a few of the ports and settings - and providing a sensible and simple GUI for a generic firewall was out of scope for PMG.
Of course you can also simply pick your favorite packet filter and configuration frontend (nft/iptables/ufw/...) and add the rules fitting for your environment on PMG (it is based on Debian GNU/Linux after all).
Currently there is no immediate plan to change this - but at a future point we might add something for this (especially if we add packet filtering to PBS/PDM as well)

ChrisTG74 said:
Are there any plans to provide UI-support for setting up authentication for relay/transport entries?
Click to expand...
currently no - and for inbound mails we don't plan to change that (PMG is not meant to hold account information for your users) - one thing that we might add at some point (because it was requested multiple times) is storing credentials for a smart-host for outbound relaying.

ChrisTG74 said:
Is it possible to in-place-upgrade later when a 10.x is released without losing any data?
Click to expand...
Yes - this is something we aim for - see for example the in-place upgrade guides from 5->6, 6->7, 7->8, 8->9 in the PMG wiki:
https://pmg.proxmox.com/wiki/Category:Upgrade
If there are breaking changes we write those there, along with instructions how to migrate your existing installation.

I hope this helps!
 
  • Like
Reactions: ChrisTG74
Hi Stoiko,

thanks for your reply!
Stoiko Ivanov said:
mostly because PMG itself is meant to be deployed behind a firewall - see: https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#chapter_deployment
But apart from that - because there are quite a few deployments which do need to adapt a few of the ports and settings - and providing a sensible and simple GUI for a generic firewall was out of scope for PMG.
Of course you can also simply pick your favorite packet filter and configuration frontend (nft/iptables/ufw/...) and add the rules fitting for your environment on PMG (it is based on Debian GNU/Linux after all).
Currently there is no immediate plan to change this - but at a future point we might add something for this (especially if we add packet filtering to PBS/PDM as well)
Click to expand...
Okay, that makes sense. I'd suggest to add a note about this circumstance in the docs.
Stoiko Ivanov said:
currently no - and for inbound mails we don't plan to change that (PMG is not meant to hold account information for your users) - one thing that we might add at some point (because it was requested multiple times) is storing credentials for a smart-host for outbound relaying.
Click to expand...
I'm not talking about user-logins, but for some relays you'll need authentication. That is the case for Amazon SES for example.
Stoiko Ivanov said:
Yes - this is something we aim for - see for example the in-place upgrade guides from 5->6, 6->7, 7->8, 8->9 in the PMG wiki:
https://pmg.proxmox.com/wiki/Category:Upgrade
If there are breaking changes we write those there, along with instructions how to migrate your existing installation.
Click to expand...
Good to know! That was the answer I was hoping to hear. :cool:
Stoiko Ivanov said:
I hope this helps!
Click to expand...
Yes, thank you again. That really helps!
 
If I understand you correctly, you want to keep using IPv6 (and IPv4) when receiving mail but now not use IPv6 for sending.

Quoting https://www.postfix.org/postconf.5.html#smtp_address_preference

"configure Postfix to receive mail over both IPv4 and IPv6, and to deliver mail over only IPv4.

/etc/postfix/main.cf:
inet_protocols = all
Click to expand...
/etc/postfix/master.cf
smtp ...other fields... smtp -o inet_protocols=ipv4
Click to expand...

This feature is available in Postfix 2.8 and later."
 
Onslow said:
If I understand you correctly, you want to keep using IPv6 (and IPv4) when receiving mail but now not use IPv6 for sending.

Quoting https://www.postfix.org/postconf.5.html#smtp_address_preference

"configure Postfix to receive mail over both IPv4 and IPv6, and to deliver mail over only IPv4.




This feature is available in Postfix 2.8 and later."
Click to expand...
Hi @Onslow, thanks for your reply.
I know that setting in Postfix. So it is enough to restrict it there? It thought it maybe needs to be disabled somewhere else in PMG, too.
 
I imagine PMG doesn't try to override such low level settings (but it's only my "gut feeling" ;-)).
Just try and you'll see. Empirical testing is the best way to verify :). Even if it won't work, I don't think it'll make any harm.
 
You must log in or register to reply here.
Top Bottom