Deployment Guide
8/22/2016
MailGatewayDeploymentGuide-V2.2.docx
Proxmox Server Solutions GmbH reserves the right to make changes to this document and to the
products described herein without notice. Before installing and using the software, please review the
latest version of this document, which is available from http://www.proxmox.com.
NOTE: All prices are one year subscription licenses. After expiration, e-mail flow continues but spam and AV checks do not work anymore (exception: ClamAV will continue working).
All other product or company names different from Proxmox may be trademarks or registered
trademarks of their owners.
Copyright 2005 - 2016 Proxmox Server Solutions GmbH. All rights reserved. No part of this
publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the
express prior written consent of Proxmox.
Table of Contents
1 Introduction
2.2
2.4
2.5 Proxmox Mail Gateway with multiple e-mail servers and e-mail domains
3.2 Backup MX
4 Rule system
4.1 Default rules
4.1.1 Blacklist
4.1.2 Block viruses
4.1.3 Virus alert
4.1.4 Block dangerous files
4.1.5 Modify header
4.1.6 Whitelist
4.1.7 Quarantine/Mark spam (Level 3)
4.2 Custom rules
4.2.1 Enable spam quarantine for just a selection of users
4.2.2 Enable spam quarantine for existing LDAP users
4.2.3 Block spam e-mails with a score higher than 10
4.2.4 BCC object: a simple archive solution
4.2.5 Block video and audio attachments
4.2.6 Add admin notification to rules
4.2.7 Block video and audio attachments for LDAP groups
5.2
5.3
6.2
Proxmox VE
6.3
VMware
Appendix
1 Introduction
The huge amount of e-mail traffic is a challenge for every e-mail environment. The daily e-mail routine
brings along some major problems, including performance, reliability, regulation under public law
and e-mail threats like viruses or phishing attacks.
E-mail is an essential service for any organization, and professionally managed e-mail improves
organizational workflow and customer satisfaction. A missed e-mail could mean a lost opportunity, or
it could cause a public-relations problem that no organization would want.
How does the Proxmox Mail Gateway work?
When an e-mail arrives at the Proxmox Mail Gateway, it is analyzed and forwarded to your e-mail
server, which is responsible for delivering the e-mail to the receiver. If the e-mail server is not working,
Proxmox Mail Gateway temporarily stores the message in the e-mail queue for later transfer. The
process works similarly for outgoing e-mails.
This document covers samples and deployment information on how to integrate and customize
Proxmox in your e-mail environment.
Note: See also the Proxmox Mail Gateway Administration Guide for a detailed product description.
In a sample configuration, your e-mail traffic (SMTP) arrives on the firewall and will be forwarded
directly to your e-mail server.
2.2
A single Proxmox Mail Gateway server can handle unlimited mail domains with multiple internal mail
servers and millions of e-mails per day. For high availability and maximum performance it is
recommended to use a Proxmox Mail Gateway HA cluster, see chapter 5, Proxmox Mail Gateway HA
cluster (high availability).
Proxmox Mail Gateway can process incoming AND outgoing SMTP traffic by using different ports.
One port is assigned to incoming, one port for outgoing e-mails.
With the integrated Proxmox Mail Gateway system all your e-mail traffic is forwarded to the Proxmox
Mail Gateway which filters the whole e-mail traffic and removes unwanted e-mails. You can manage
incoming and outgoing e-mail traffic.
2. Proxmox Mail Gateway is able to detect viruses sent from an internal host. In many countries
you are liable for sending viruses to other people. The outgoing e-mail scanning feature of
Proxmox Mail Gateway is an additional protection against that.
Proxmox Mail Gateway can gather statistics about outgoing e-mails too. Statistics about
incoming e-mails look nice, but they are quite useless. Consider two users: user-1 receives
10 mails from news portals and wrote 1 mail to a person you never heard of, while user-2
receives 5 mails from a customer and sends 5 mails back. Which user do you consider more
active? I am sure it's user-2, because he communicates with your customers. The advanced
address statistics of Proxmox Mail Gateway can show you this important information. A solution
which does not scan outgoing mail can't do that.
2.3
2.3.1
The default configuration of the Proxmox Mail Gateway uses port 25 for incoming and port 26 for
outgoing e-mails.
2.3.2
Sometimes it is not possible to change the outgoing port due to third party software limitations or
existing network configurations (e.g. changing MS Exchange to another sending port will have an impact
on Exchange internals and is not recommended).
To receive e-mails you have to set up port forwarding on your firewall, so that your external IP and port
25 map to the Proxmox Mail Gateway IP and port 26.
2.4
To run a DMZ zone you have to adjust your firewall settings. The intranet (Local) and the DMZ need to
have different IP networks, for example:

Interface   Zone       IP Address     Net mask
eth0        Local      192.168.1.1    255.255.255.0
eth1        Internet   10.0.0.2       255.255.255.0
eth2        DMZ        192.168.16.1   255.255.255.0
2.5
Proxmox Mail Gateway with multiple e-mail servers and e-mail domains
You can use Proxmox Mail Gateway to send e-mails to different internal e-mail servers. For example,
you can send e-mails addressed to domain.com to your first e-mail server, and e-mails addressed to
subdomain.domain.com to a second one. In the e-mail proxy transport section add the IP addresses
or hostnames, SMTP ports and mail domains of your additional e-mail servers.
You need an appropriate license for each e-mail domain, otherwise it will not work!
3 Performance tuning
3.1
Hardware benchmarks
Please use the command line tool proxperf to get an overview of your hardware and DNS
performance.
3.2
Backup MX
Using your ISP's e-mail server as backup MX is not a good idea, because many ISPs do not use advanced spam
prevention techniques. Spammers know this and use your ISP backup MX to work around
your Proxmox Mail Gateway spam filtering.
Additionally, you can never benefit from blocking spam messages on the SMTP level.
If you need redundancy, it is recommended to run a second Proxmox Mail Gateway server in HA
cluster mode to avoid lower spam detection rates.
3.3
Blocking e-mails before they reach your network saves your internet bandwidth and reduces
processing power. By doing the following, you can reduce your e-mail traffic by more than 90 %,
depending on your environment.
If you want to exclude some senders or receivers from getting blocked on the SMTP level, just enter
them in the mail proxy whitelist.
3.3.1
Greylisting
Typically, a server that utilizes greylisting will record the following three pieces of information
(referred to as the triplet) for all incoming e-mail.
The client is checked against the mail server's internal whitelists (if any) first. Then, if the triplet has
never been seen before, it is greylisted for a period of time (how long depends on the
server configuration). The e-mail is rejected with a temporary error. The assumption is that since
temporary failures are built into the RFC specifications for e-mail delivery, a legitimate server will
attempt to connect again later on to deliver the e-mail.
Greylisting is effective because many mass e-mail tools utilized by spammers are not set up to handle
temporary failures (or any failures for that matter), so the spam is never received.
This feature can reduce e-mail traffic by up to 50 %. Greylisted e-mails never reach your mail server, and
your mail server will stop sending useless "Non Delivery Reports" to spammers, filling up the queue.
If a sender has a valid SPF record, he will never be greylisted.
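The SMTP-level checks just described, as an added example that is not part of the guide: a small Python model of the mail proxy whitelist, the SPF bypass and greylisting with a first-seen/retry window. The triplet fields (client IP, envelope sender, envelope recipient), the delay and retention values and the sample addresses are assumptions.

```python
"""In-memory model of the SMTP-level checks in sections 3.3 and 3.3.1 (added
example, not Proxmox code): mail proxy whitelist, SPF bypass and greylisting.
Assumes the usual greylisting triplet (client IP, envelope sender, envelope
recipient); the delay and retention values below are constructed."""
import time

GREYLIST_DELAY = 300            # seconds a new triplet must wait before a retry is accepted
TRIPLET_RETENTION = 36 * 3600   # seconds an unused triplet stays known before it is purged


class GreylistGate:
    def __init__(self, whitelist=()):
        self.whitelist = {a.lower() for a in whitelist}   # mail proxy whitelist
        self.seen = {}   # triplet -> [first_seen, last_seen]

    def decide(self, client_ip, sender, rcpt, spf_pass=False, now=None):
        """Return (smtp_code, reason) for one delivery attempt.

        451 is the temporary error that makes a real MTA retry later; a spam
        tool that never retries simply loses the message."""
        now = time.time() if now is None else now
        sender, rcpt = sender.lower(), rcpt.lower()
        # Whitelisted senders and receivers are never blocked at SMTP level.
        if sender in self.whitelist or rcpt in self.whitelist:
            return 250, "whitelisted"
        # A sender with a valid SPF record is never greylisted.
        if spf_pass:
            return 250, "spf pass"
        triplet = (client_ip, sender, rcpt)
        entry = self.seen.get(triplet)
        if entry is None:
            self.seen[triplet] = [now, now]
            return 451, "greylisted, try again later"
        entry[1] = now
        if now - entry[0] < GREYLIST_DELAY:
            return 451, "greylisted, retried too early"
        return 250, "known triplet"

    def purge(self, now):
        """Forget triplets nobody has used for TRIPLET_RETENTION seconds."""
        stale = [t for t, (_, last) in self.seen.items() if now - last > TRIPLET_RETENTION]
        for t in stale:
            del self.seen[t]
        return len(stale)


def run_scenario():
    """Constructed delivery attempts: a legitimate MTA that retries after the
    delay, a spam tool that never retries, a whitelisted partner and an
    SPF-validated sender. Returns the SMTP codes in order."""
    gate = GreylistGate(whitelist=["partner@customer.example"])
    log = []
    # Legitimate server: first try is deferred, early retry is deferred again,
    # retry after ten minutes passes.
    log.append(gate.decide("198.51.100.7", "ann@corp.example", "u@example.com", now=0)[0])
    log.append(gate.decide("198.51.100.7", "ann@corp.example", "u@example.com", now=60)[0])
    log.append(gate.decide("198.51.100.7", "ann@corp.example", "u@example.com", now=600)[0])
    # Spam tool: one attempt per recipient, never retried, so nothing is accepted.
    log.append(gate.decide("203.0.113.9", "x@spam.example", "u@example.com", now=1)[0])
    log.append(gate.decide("203.0.113.9", "x@spam.example", "v@example.com", now=2)[0])
    # Whitelisted partner and SPF-validated sender skip greylisting entirely.
    log.append(gate.decide("192.0.2.4", "partner@customer.example", "u@example.com", now=3)[0])
    log.append(gate.decide("192.0.2.5", "spf@shop.example", "u@example.com", spf_pass=True, now=4)[0])
    return log
```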
3.3.2
Domains use public records (DNS) to direct requests for different services (web, e-mail, etc.) to the
machines that perform those services. All domains already publish e-mail (MX) records to tell the
world what machines receive e-mail for the domain. SPF works by domains publishing "reverse MX"
records to tell the world what machines send e-mail for the domain. When receiving a message from
a domain, the recipient can check those records to make sure e-mail is coming from where it should
be coming from.
Please make sure that you deploy a valid SPF record for your mail domain.
3.3.3
Proxmox Mail Gateway can use RBL checks on the SMTP level to reject e-mails. For this, Proxmox Mail
Gateway has to query the RBL server for every SMTP connection.
Proxmox uses the following RBL providers by default:
- Reduced traffic, up to 90 %
- Your internal e-mail server is now working for you again
- Reduced load on your scanners, 90 % less e-mails to analyze for spam and viruses
- Good performance and costs
Note: Your internal e-mail server has to be reconfigured to reject unknown users. Proxmox Mail
Gateway does a short query to the internal e-mail server to check if the user is valid. For settings
on Exchange 2003 SP2, see chapter 3.3.4.2.1, Settings for MS Exchange 2003 SP2.
3.3.4.2.1
You have to enable Recipient Filtering, please use the Exchange System Manager.
3.3.4.2.2
First, make sure that you have the MS Exchange 2007 Anti-Spam agent. If you did a typical single
server installation, it is NOT installed by default.
Microsoft provides an install script to manually install the Anti-Spam agent:
4 Rule system
The object-oriented rule system enables custom rules for your domains. It's an easy but very
powerful way to define filter rules by user, domain, time frame, content type and resulting action.
Who object (for the TO and/or FROM category)
Example: Mail object: who is the sender or receiver of the e-mail?
When object
Example: When is the e-mail received by Proxmox Mail Gateway?
What object
Example: Does the e-mail contain spam?
Action object
Example: Mark the e-mail with "SPAM:" in the subject.
Every rule has 5 categories (FROM, TO, WHEN, WHAT, ACTION), each of which can contain several objects.
For example, to enable an archive solution with a BCC object (blind carbon copy, recipients not visible in the
"To" field) to a mailbox or to a public folder:
FROM: Anybody
TO: Anybody
WHEN: Always
WHAT: Mail
ACTION: BCC to Publicfolder
In most countries worldwide a company has to forward all e-mails to its employees, and this
includes spam e-mails as well.
For example, to send spam e-mails to the quarantine:
FROM: Anybody
TO: Anybody
WHEN: Always
WHAT: Spam
ACTION: Quarantine
With this kind of setup the receiver gets detailed information about the spam e-mails.
Quarantine can be enabled just for existing LDAP groups, or via BCC to public folders or mailboxes.
At present the usefulness of e-mail is being threatened by three phenomena: spamming, phishing
and e-mail worms.
Spamming is unsolicited commercial e-mail. Because of the very low cost of sending e-mail,
spammers can send hundreds of millions of e-mail messages each day over an inexpensive internet
connection. Hundreds of active spammers sending this volume of mail results in information
overload for many computer users who receive tens or even hundreds of junk messages each day.
E-mail worms use e-mail as a way of replicating themselves into vulnerable computers.
The combination of spam and worm programs results in users receiving a constant drizzle of junk email, which reduces the usefulness of e-mail as a practical tool.
22.08.2016 Proxmox Server Solutions GmbH
To increase the efficiency of e-mail communications the use of anti-spam, anti-phishing and antivirus
software is essential. With the deployment of Proxmox Mail Gateway you get the job done. Based on
its design as a software appliance, one of the strengths of Proxmox Mail Gateway is its flexibility. It can
be easily integrated in an existing e-mail architecture. It's compatible with every type of mail server or MTA
(e.g. MS Exchange, Lotus Domino, Postfix).
For example, a virus protection rule looks like this:
FROM: Anybody
TO: Anybody
WHEN: Always
WHAT: Virus
ACTION: Block (or Quarantine)
Options range from simple spam and virus filter setups to sophisticated, highly customized
configurations blocking certain types of e-mails and generating notifications.
4.1 Default rules
4.1.1 Blacklist
This rule blocks all e-mails received from the senders listed in the Blacklist. The Blacklist can contain
several items.
(Please note, the term Blacklist is widely used in industry and is not meant as racist.)
4.1.2 Block viruses
This rule quarantines all incoming virus e-mail and informs the admin via e-mail notification.
4.1.3 Virus alert
This rule blocks all outgoing virus e-mail and informs the admin and the sender via e-mail notification.
4.1.4
4.1.5 Modify header
This rule modifies the e-mail header for all incoming e-mail. It just adds the results of the spam analysis,
including the test names and the resulting spam score.
4.1.6 Whitelist
This rule accepts all e-mails received from the senders listed in the Whitelist. The Whitelist can
contain several items.
(Please note, the term Whitelist is widely used in industry and is not meant as racist.)
4.1.7 Quarantine/Mark spam (Level 3)
This rule identifies spam with Level 3, modifies the e-mail subject and moves the e-mail to the
spam quarantine.
4.2 Custom rules
Proxmox Mail Gateway provides samples for custom rules to show the functionality. For support or
help configuring rules use the Proxmox support forum at http://forum.proxmox.com or submit a support
request via the Proxmox Customer Portal at https://my.proxmox.com
4.2.1 Enable spam quarantine for just a selection of users
If you want to use the spam quarantine for specific users or a specific domain (and for the rest just
Mark Spam), create a new WHO object containing these users or domains.
1. Create a new WHO object; give it a name like Quarantine Users and add the users or domains
to this object
2. Use the existing (inactive) rule Spam Quarantine and set a higher priority than the Mark
Spam rule (e.g. 81)
3. Add the WHO object Quarantine Users
4. Activate the rule
4.2.2 Enable spam quarantine for existing LDAP users
If you want to use the spam quarantine only for existing internal e-mail addresses, you can use the
LDAP query Existing LDAP.
1. Create a new WHO object; give it a name like Existing LDAP address and add the LDAP group
Existing LDAP address
2. Use the existing (inactive) rule Spam Quarantine and set a higher priority than the Mark
Spam rule (e.g. 81)
3. Add the WHO object Existing LDAP address
4. Activate the rule
4.2.3 Block spam e-mails with a score higher than 10
The default rule moves spam with a score higher than 3 to the spam quarantine. By activating this
additional rule, you can block spam with a score higher than 10 to reduce the delivery of spam e-mails to
the user spam quarantine.
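The rule evaluation described in chapter 4 and the quarantine/level rules above, modelled as an added Python example (not Proxmox code): rules carry WHO (FROM/TO), WHAT and ACTION objects plus a priority, and are processed from the highest priority down. The Spam Quarantine priority 81 is from the guide; the other priorities, the assumption that Block and Quarantine end processing, the X-Spam-Score header name and the sample addresses are constructed, and WHEN is taken as Always.

```python
"""Toy model of the Proxmox Mail Gateway rule system as the guide describes it
(added example, not Proxmox code). Assumption: rules run in descending
priority and a Block or Quarantine action ends processing."""
from dataclasses import dataclass, field

FINAL_ACTIONS = {"block", "quarantine"}


@dataclass
class Mail:
    sender: str
    rcpt: str
    spam_score: float = 0.0      # score from the spam analysis
    virus: bool = False          # result of the virus scan
    subject: str = ""
    headers: dict = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    priority: int
    action: str                  # block | quarantine | mark | header
    who_from: frozenset = frozenset()   # addresses or domains; empty = Anybody
    who_to: frozenset = frozenset()
    what: str = "mail"           # mail (any) | spam | virus
    spam_level: float = 0.0      # minimum score when what == "spam"
    active: bool = True


def who_matches(who, address):
    """A WHO object matches a full address or the address's whole domain."""
    if not who:
        return True
    domain = address.rsplit("@", 1)[-1].lower()
    return address.lower() in who or domain in who


def rule_matches(rule, mail):
    if not rule.active:
        return False
    if not (who_matches(rule.who_from, mail.sender) and who_matches(rule.who_to, mail.rcpt)):
        return False
    if rule.what == "virus":
        return mail.virus
    if rule.what == "spam":
        return mail.spam_score >= rule.spam_level
    return True                  # WHAT = Mail matches every message


def process(mail, rules):
    """Apply rules in descending priority; return the names of the rules that fired."""
    fired = []
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if not rule_matches(rule, mail):
            continue
        fired.append(rule.name)
        if rule.action == "mark":
            mail.subject = "SPAM: " + mail.subject
        elif rule.action == "header":
            mail.headers["X-Spam-Score"] = str(mail.spam_score)   # constructed header name
        if rule.action in FINAL_ACTIONS:
            break
    return fired


# Sample rule set mirroring chapter 4: Level 3 mark/quarantine, the optional
# Level 10 block from 4.2.3 and a Spam Quarantine rule limited to the WHO
# object "Quarantine Users" from 4.2.1 (priority 81 is the guide's value,
# the other priorities are constructed).
QUARANTINE_USERS = frozenset({"alice@example.com", "finance.example.com"})

RULES = [
    Rule("Block viruses", 96, "quarantine", what="virus"),
    Rule("Block Spam (Level 10)", 90, "block", what="spam", spam_level=10),
    Rule("Spam Quarantine", 81, "quarantine", who_to=QUARANTINE_USERS, what="spam", spam_level=3),
    Rule("Mark Spam (Level 3)", 80, "mark", what="spam", spam_level=3),
    Rule("Modify header", 70, "header"),
]


def classify(rcpt, spam_score=0.0, virus=False, rules=RULES):
    """Run one constructed message from bob@sender.example through the rules."""
    mail = Mail("bob@sender.example", rcpt, spam_score, virus, "Hello")
    return process(mail, rules), mail.subject
```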
4.2.4 BCC object: a simple archive solution
If you need to archive e-mails it's useful to send a copy to a special mailbox. If you have Microsoft
Exchange, you can also send a copy to an e-mail enabled public folder.
1. Create an Action object: add a BCC object and name it BCC to Archive Public folder or Mailbox
2. Under Receiver, type the e-mail address of the public folder/mailbox
3. Click on an already existing rule or create a new one
4. Add the Action object BCC to Archive Public folder or Mailbox to the rule
To set up the public folder in MS Exchange:
1. Create a public folder in MS Exchange (MS Exchange System Manager or via Outlook)
2. "Mail enable" the public folder via MS Exchange System Manager: right click and select Mail
Enable
3. Wait a few minutes, MS Exchange creates the e-mail address
4. Right click the folder and check the e-mail address (or change it, if you want); remember the e-mail
address
5. Set appropriate client permissions (note: anonymous must have the right to create items)
6. Optional: set an age limit: select Limits and set the age limit to 90 days (all messages older than
90 days will be automatically deleted)
4.2.5 Block video and audio attachments
4.2.6 Add admin notification to rules
If you block mails it's useful to inform the Proxmox Mail Gateway admin.
4.2.7 Block video and audio attachments for LDAP groups
Figure 4-14 Block video and Audio attachment for LDAP group Staff
Proxmox Mail Gateway uses a unique application level clustering scheme, which provides extremely
good performance. Special considerations were taken to make management as easy as possible.
The complete cluster setup is done within minutes, and nodes automatically reintegrate after temporary
failures without any operator interaction.
Figure 5-1 Proxmox Mail Gateway HA Cluster with load balanced MX records
5.1
It's quite simple to set up a high performance load balanced mail cluster using MX records. You have
to define two MX records with the same priority.
You need to have 2 working Proxmox Mail Gateways (mail1.example.com and mail2.example.com),
each having its own IP address (the rest of the setting should be more or less equal, i.e. you can use
backup/restore to copy the rules).
We recommend adding reverse lookup entries (PTR records) for those hosts. Many e-mail systems
nowadays reject mails from hosts without valid PTR records.
This is all you need. You will receive mails on both hosts, more or less load-balanced (round-robin
scheduling). If one host fails the other is used.
5.2
Using several DNS MX records is sometimes clumsy if you have many domains. It is also possible to use
one MX record per domain, but multiple address records:
5.3
Many firewalls can do some kind of RR-Scheduling (round-robin) when using DNAT. See your firewall
manual for more details.
6.1
- Proxmox VE (KVM)
- VMware vSphere (VMware tools are integrated in the ISO)
- Hyper-V (Hyper-V Linux integration tools are integrated in the ISO)
- KVM (virtio drivers are integrated, great performance)
- VirtualBox
- Citrix XenServer
- Physical hardware
6.2
- Enterprise class SSD with power loss protection (e.g. Intel SSD DC 35xx/36xx/37xx)
- Two physical CPUs with a lot of cores (e.g. Intel Xeon)
- 4 GB ECC
Proxmox VE
The Proxmox Mail Gateway runs perfectly on qemu/KVM. Just install from ISO, use virtio for disk and
network.
6.3
VMware
8 Table of figures
Figure 2-1 System without Proxmox Mail Gateway
Figure 2-2 Incoming e-mail with Proxmox Mail Gateway
Figure 2-3 Outgoing with Proxmox Mail Gateway
Figure 2-4 Incoming default port settings (port 25)
Figure 2-5 Outgoing default port settings (port 26)
Figure 2-6 Incoming alternative port settings (port 26)
Figure 2-7 Outgoing alternative port settings (port 25)
Figure 2-8 Proxmox Mail Gateway in DMZ
Figure 2-9 Multiple e-mail servers
Figure 3-1 Mail proxy whitelist
Figure 3-2 Enable RBL checks
Figure 3-3 Enable Verify Receivers
Figure 3-4 Exchange 2003: Filter recipients 1
Figure 3-5 Exchange 2003: Filter recipients 2
Figure 3-6 Exchange 2003: Filter recipients 3
Figure 3-7 Exchange 2003: Filter recipients 4
Figure 3-8 MS Exchange 2007 SP1: Install Anti-Spam agent
Figure 3-9 MS Exchange 2007 SP1: Filter recipients 1
Figure 3-10 MS Exchange 2007 SP1: Filter recipients 2
Figure 4-1 Rule: Blacklist
Figure 4-2 Who Object: Blacklist
Figure 4-3 Rule: Block Viruses
Figure 4-4 Rule: Virus Alert
Figure 4-5 Rule: Block Dangerous Files
Figure 4-6 Rule: Modify Header
Figure 4-7 Rule: Whitelist
Figure 4-8 Who Object: Whitelist
Figure 4-9 Rule: Quarantine/Mark Spam (Level 3)
Figure 4-10 Enable Spam quarantine for just a selection of users
Figure 4-11 Create WHO object Existing LDAP address
Figure 4-12 Enable Spam quarantine for existing LDAP addresses
Figure 4-13 Activate Block Spam (Level 10)
Figure 4-14 Block video and Audio attachment for LDAP group Staff
Figure 5-1 Proxmox Mail Gateway HA Cluster with load balanced MX records
Figure 5-2 Load balancing via MX Records
Figure 5-3 Load balancing Multiple Address Records
9 Appendix
Reference document: Mail Gateway AdminGuide
You can download the latest version from www.proxmox.com
- End of document -