Proxmox Mail Gateway Implementation

This little virtual appliance is useful to keep spam and other malicious content from reaching your email server.  Last week I was successful at moving my physical email server install to a “container” in Proxmox.  That was one of my long term goals.  This means the email is backed up regularly and I can move it to another machine easily.  While doing this I thought that I’d like to look at the Proxmox Mail Gateway.  I use pfsense to do a lot of spam blocking.  I also have a customer that doesn’t use pfsense.  When I look at their daily report I see tons of attempts by bad guys to get in.  In my case I know pfsense is blocking that.  That meant that when I was thinking about the mail gateway I was primarily thinking about them.  In order to test this out I tried it on my own server first.  I wanted to see the feature set and how effective it is.

A brief explanation.  You have an IP address that identifies you to the internet.  Everyone who buys internet service has one, and so does your cell phone. The IP address is like a phone number, but don’t confuse it with your cell number. When programs talk to your computer they talk to that number on a port, so a request for access uses two numbers written as address:port (for example 192.168.1.3:8080).  There are a bunch of ports, over 65,000, and certain ports are assigned to certain types of tasks/data.  Port 25 (SMTP) is the port that mail servers use to transfer email between each other, which is why port 25 is relevant to this blog post. Email goes out on port 25 and comes in on port 25 between servers, not between your email application and your email server; port 25 is just the communication between the bigger servers moving mail around the internet.  Your email application talks to your email server on other ports, such as 465, 993, 143, 587, etc. Web pages are generally served on port 80.

This process consists of several steps.

  • Proxmox VE must already be installed and running.  You should know how to manage that.
  • You need the Proxmox Mail Gateway ISO (an ISO is an image of a DVD/CD).  I got it by going to the proxmox.com website and downloading the file.
  • You need to transfer the ISO to the Proxmox VE host.  I used scp at the Linux command line to do that.
  • Once that is in place you create a VM in Proxmox VE.  This is where you tell Proxmox that the VM should boot from its CD/DVD drive, and where you specify that the ISO file you downloaded and copied is the disc in that drive.
  • You then start the VM.  It boots into the installer, which runs from the ISO file you attached.
  • Follow the instructions, enter the appropriate information, and reboot.
  • The reboot of the VM brings up the Proxmox Mail Gateway itself.
  • Access the web interface via “https://<IP Address>:8006”.
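Before attaching the downloaded ISO to the VM it is worth checking that the file you copied over with scp matches the checksum published on the download page. The following is an added example, not code from the post or from Proxmox: it hashes the file in chunks (so a multi-GB ISO is not read into memory) and compares the digest with the expected value. The expected hash is passed in by the caller; the one used in the demo is a constructed placeholder, not a real Proxmox checksum.

```python
"""Verify a downloaded ISO against a published SHA256 before using it.

Added example for this post. The sample file and the mismatching digest
in demo() are constructed; substitute the real ISO path and the SHA256
from the Proxmox download page when you run this for real.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time


def sha256_of_file(path: str) -> str:
    """Return the hex SHA256 of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_iso(path: str, expected_sha256: str) -> bool:
    """Compare the computed digest with the published one in constant time."""
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual.lower(), expected_sha256.strip().lower())


def hash_sample(data: bytes) -> str:
    """Helper: write constructed bytes to a temp file and hash that file."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".iso") as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        return sha256_of_file(path)
    finally:
        os.unlink(path)


def demo() -> tuple:
    """Constructed stand-in for the ISO: a small temp file with known content.

    Returns (result with the correct hash, result with a wrong hash).
    """
    with tempfile.NamedTemporaryFile(delete=False, suffix=".iso") as tmp:
        tmp.write(b"not a real iso, constructed sample data\n")
        path = tmp.name
    try:
        good = verify_iso(path, sha256_of_file(path))
        bad = verify_iso(path, "0" * 64)  # placeholder for a mismatched digest
    finally:
        os.unlink(path)
    return good, bad


if __name__ == "__main__":
    print(demo())
```

Run it as `verify_iso("/var/lib/vz/template/iso/<file>.iso", "<published sha256>")` on the Proxmox VE host after the scp transfer; a `False` means the copy is corrupt or not the file you think it is, and the VM should not be booted from it.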


The installation of the Proxmox Mail Gateway went pretty fast.  I first downloaded the ISO from the Proxmox site.  I copied it to the Proxmox VE server into the “/var/lib/vz/template/iso” folder.  I then created a VM in Proxmox VE (virtual environment). I added the ISO as a DVD drive in the VM (for installation purposes) and told Proxmox to reboot the VM.  When it came up I entered the info that I wanted (name, password, hostname, IP address, etc). After that was done it finished the install and I rebooted.

I accessed the Mail Gateway’s web interface by going to the gateway’s IP address at port 8006 in my browser. I then entered the username and password and I was in.

I then had to figure out how to make it functional.  I added the “domains” that I wanted it to handle and I added the “transport” entries (effectively each domain name and the IP(s) of the mail server that the gateway should relay it to).

After I did this I updated the pfsense alias and NAT rules.  I created a new alias, “port25toemail”, and then created a new NAT rule that uses that alias as the port and forwards to the IP of the Proxmox Mail Gateway.

The order of the rules matters in pfsense.  Pfsense uses the first matching rule.  So, with port 25 in its own rule placed above the old rule that still references port 25, pfsense executes the new rule for port-25 traffic simply because it comes first.

If I want to switch off the Proxmox Mail Gateway I simply disable the rule; the following rule then picks up all incoming mail and sends it directly to the email server.  It’s an easy on/off switch.
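The first-match behaviour and the on/off switch described above can be modelled in a few lines. This is an added example written for this post, not pfsense code: a tiny rule evaluator with a constructed rule set in which the new port-25 rule sits above the old mail rule. The aliases, rule names and the two 192.0.2.x addresses are made-up values standing in for the gateway and the real mail server.

```python
"""First-match NAT rule model for the pfsense setup in the post.

Added example, not pfsense's own logic. Rule names, aliases and addresses
are constructed; 192.0.2.10 stands for the Proxmox Mail Gateway and
192.0.2.20 for the real mail server.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class NatRule:
    name: str
    dest_ports: frozenset  # the pfsense "alias" used as the destination port
    redirect_to: str       # internal IP the traffic is forwarded to
    enabled: bool = True


# Constructed aliases: the new single-port alias and the older multi-port one.
ALIAS_PORT25TOEMAIL = frozenset({25})
ALIAS_MAILPORTS = frozenset({25, 465, 587, 993, 143})

# Rule order matters: the gateway rule is listed first, as in the post.
RULES: List[NatRule] = [
    NatRule("port25toemail -> Proxmox Mail Gateway", ALIAS_PORT25TOEMAIL, "192.0.2.10"),
    NatRule("mail ports -> mail server", ALIAS_MAILPORTS, "192.0.2.20"),
]


def first_match(rules: List[NatRule], dest_port: int) -> Optional[NatRule]:
    """Return the first enabled rule whose port alias contains dest_port."""
    for rule in rules:
        if rule.enabled and dest_port in rule.dest_ports:
            return rule
    return None


def route(rules: List[NatRule], dest_port: int) -> Optional[str]:
    """Where does an inbound connection to dest_port end up?"""
    match = first_match(rules, dest_port)
    return match.redirect_to if match else None


def with_gateway(rules: List[NatRule], enabled: bool) -> List[NatRule]:
    """Copy of the rule list with the gateway rule enabled or disabled (the on/off switch)."""
    return [replace(r, enabled=enabled) if r.redirect_to == "192.0.2.10" else r
            for r in rules]


def where_does_port25_go(gateway_enabled: bool, gateway_first: bool = True) -> Optional[str]:
    """Port-25 destination for a given switch state and rule order."""
    rules = with_gateway(RULES, gateway_enabled)
    if not gateway_first:
        rules = list(reversed(rules))  # the mistake the post warns about
    return route(rules, 25)


if __name__ == "__main__":
    print("gateway on :", where_does_port25_go(True))           # 192.0.2.10
    print("gateway off:", where_does_port25_go(False))          # 192.0.2.20
    print("wrong order:", where_does_port25_go(True, False))    # 192.0.2.20
    print("IMAPS 993  :", route(RULES, 993))                    # 192.0.2.20
```

The third case is the one to watch for: with the gateway rule enabled but listed below the old mail rule, port 25 still goes straight to the mail server and the gateway silently sees nothing, so after editing NAT rules it is worth confirming in the gateway's tracking center that inbound mail is actually arriving through it.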

Once I did this everything began to function.  There were hiccups.  I use uBlock Origin and it interferes with the Tracking Center.  If you add “localhost” to the whitelist in uBlock Origin the problem disappears.

I’ve used this setup ever since.  I can see the incoming mail and who it is going to, and I can see the rejected, quarantined, and greylisted emails.  Greylisting is a big help.  What it does is reject (with a temporary failure) all email from a sender that it doesn’t know yet, so anyone sending you new email gets rejected on the first attempt.  A normal email system will automatically retry.  Since most spam comes from compromised user computers all over the world, they never retry the delivery attempt.  If a sender does retry, then we know it can pass the greylist, and the message goes on to the virus check and other checks.  If those pass, the email is relayed to the actual email server, which does some of the same work.  So greylisting gets rid of a large percentage of the spam without burdening the actual email server.
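To make the greylisting behaviour concrete, here is an added example (written for this post, not Proxmox Mail Gateway's implementation) of the classic scheme: the gateway keys on the triplet of client IP, envelope sender and recipient, answers a never-seen triplet with a temporary SMTP failure, and accepts it once a retry arrives after a minimum delay. The delay and expiry values are assumed for the simulation, and the two senders in `simulate()` are constructed: a real mail server that retries later, and a spam bot that fires once and moves on.

```python
"""Greylisting simulation: why a one-shot spam bot never gets through.

Added example for this post, not the gateway's own code. The 5-minute
minimum delay and 36-hour expiry are assumed values; the IPs and
addresses in simulate() are constructed.
"""
from typing import Dict, List, Tuple

TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"

Triplet = Tuple[str, str, str]  # (client_ip, mail_from, rcpt_to)


class Greylist:
    def __init__(self, min_delay: int = 300, max_age: int = 36 * 3600):
        self.min_delay = min_delay      # seconds a sender must wait before a retry counts
        self.max_age = max_age          # forget triplets that never came back
        self._first_seen: Dict[Triplet, int] = {}

    def check(self, client_ip: str, mail_from: str, rcpt_to: str, now: int) -> str:
        """Return the SMTP reply the gateway would give at time `now` (unix seconds)."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        first = self._first_seen.get(key)
        if first is None or now - first > self.max_age:
            # Never seen (or stale): record it and ask the sender to come back later.
            self._first_seen[key] = now
            return TEMPFAIL
        if now - first < self.min_delay:
            # Retried too quickly; a well-behaved MTA waits, a bot hammering us does not.
            return TEMPFAIL
        return ACCEPT

    def pending(self) -> int:
        """Number of triplets that were tempfailed and not yet accepted/expired."""
        return len(self._first_seen)


def simulate() -> List[Tuple[str, str]]:
    """Constructed traffic: a legitimate MTA that retries and a bot that does not."""
    gl = Greylist()
    t0 = 1_700_000_000  # arbitrary constructed start time
    log = []

    # Legitimate sender: first try is tempfailed, a retry 10 minutes later is accepted.
    log.append(("legit attempt 1", gl.check("203.0.113.5", "alice@example.net", "bob@example.org", t0)))
    log.append(("legit attempt 2", gl.check("203.0.113.5", "alice@example.net", "bob@example.org", t0 + 600)))

    # Spam bot: one attempt, never retries, so it never reaches the mail server.
    log.append(("bot attempt 1", gl.check("198.51.100.77", "promo@spam.example", "bob@example.org", t0 + 5)))

    # Impatient retry: same triplet again after 30 seconds is still tempfailed.
    log.append(("fast retry", gl.check("203.0.113.9", "carol@example.net", "bob@example.org", t0)))
    log.append(("fast retry again", gl.check("203.0.113.9", "carol@example.net", "bob@example.org", t0 + 30)))
    return log


if __name__ == "__main__":
    for label, reply in simulate():
        print(f"{label:18} {reply}")
```

Because the first-seen time is stored per triplet, a change in the sending IP or envelope sender restarts the clock; that is what makes the scheme cheap for the gateway (a small table lookup, no content scanning) and expensive for a bot that does not behave like a real MTA.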

In looking at the implementation that I did for my customer it took care of hundreds of spam emails immediately across all their domains.  That’s a big payoff.

Bear in mind that this won’t intercept all of them, but it does a pretty good job and is worth it considering the small amount of resources you put in to make it work.  I get to look at reports and see the activity, and this gives me insight into what the fraudsters are up to and how they do it.