Proxmox Mail Gateway Security



Proxmox Mail Gateway (PMG) provides a robust security layer to protect email servers against spam, viruses, phishing, and other malicious content. However, using default settings may expose certain vulnerabilities. In this article, we will enhance PMG’s security through critical configuration adjustments.


1. Keep PMG Up to Date

Keeping PMG and its security patches updated is essential. Run the following commands regularly:

apt update && apt full-upgrade -y
pmgversion

🛠️ Tip: Schedule maintenance windows to prevent disruptions to email traffic during updates.


2. Access Control and Secure Connections

2.1. Secure the Web Interface

Restrict access to the PMG web interface by allowing only specific IP addresses. pmgproxy reads its Apache-style access control list from /etc/default/pmgproxy:

cat > /etc/default/pmgproxy <<'EOF'
ALLOW_FROM="192.168.1.0/24"
DENY_FROM="all"
POLICY="allow"
EOF
systemctl restart pmgproxy

2.2. TLS/SSL Certificate Configuration

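Enhance HTTPS security by replacing PMG’s default certificate with a Let’s Encrypt or custom CA certificate. pmgproxy serves the certificate stored in /etc/pmg/pmg-api.pem, a single file that holds both the private key and the certificate chain:

cat /etc/letsencrypt/live/mail.example.com/privkey.pem /etc/letsencrypt/live/mail.example.com/fullchain.pem > /etc/pmg/pmg-api.pem
systemctl restart pmgproxy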

3. Postfix Configuration and Security

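PMG uses Postfix for mail processing, and optimizing its configuration is critical for security. PMG generates /etc/postfix/main.cf from its own templates, so changes made with postconf -e can be overwritten when PMG rewrites its configuration; to make them permanent, place them in an override template under /etc/pmg/templates/.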

3.1. Restrict Relaying

Prevent unauthorized email relaying:

postconf -e "smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination"
systemctl restart postfix

3.2. Enable DNSBL (Blacklist) Checks

Block known spam sources using DNS-based blacklists:

postconf -e "smtpd_client_restrictions = reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client b.barracudacentral.org"
systemctl restart postfix

3.3. Enable SPF, DKIM, and DMARC

Activate anti-spoofing mechanisms to verify sender identity:

pmgconfig set --section 'mail' --key 'use_spf' --value '1'
pmgconfig set --section 'mail' --key 'use_dkim' --value '1'
pmgconfig set --section 'mail' --key 'use_dmarc' --value '1'
systemctl restart pmg-smtp-filter

4. Spam and Malicious Email Filtering

4.1. Adjust SpamAssassin Score Thresholds

Improve detection of suspicious emails by lowering the spam score threshold:

echo "required_score 4.0" >> /etc/mail/spamassassin/local.cf
systemctl restart pmg-smtp-filter

4.2. Set Heuristic Scores in the Web Interface

In the PMG web UI, go to Spam Detector > Options and set the Heuristic Score threshold to 4 or 5 for stricter spam detection.


5. Antivirus and Threat Blocking

5.1. ClamAV Configuration

PMG integrates with ClamAV for virus scanning. Check for updates regularly:

freshclam
systemctl restart clamav-daemon

Enable blocking of encrypted attachments:

In the PMG UI > Virus Detector > Options, set Block Encrypted Archives and Documents to Yes.


6. Block Malicious IPs with Fail2Ban

Fail2Ban protects PMG by blocking IPs after multiple failed login or relay attempts.

Create a Fail2Ban configuration for Postfix:

cat > /etc/fail2ban/jail.d/postfix.conf <<'EOF'
[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=Postfix, port="25,465,587", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 3
EOF

systemctl restart fail2ban

To receive email alerts for banned IPs, edit or create /etc/fail2ban/jail.local:

[DEFAULT]
destemail = ad***@*****le.com
sender = fa******@*****le.com
mta = mail
action = %(action_mwl)s
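
Before enabling the jail, it helps to see which clients the maxretry = 3 threshold would catch. The script below is an added example, not part of the original article or of Fail2Ban: the function names, the two match patterns and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not PMG or Fail2Ban code. The two patterns are a simplified
# subset chosen for illustration, not Fail2Ban's shipped postfix filter, and
# counts cover the whole input (Fail2Ban only counts inside its findtime).

# Constructed sample lines in Postfix syslog format (documentation IP ranges).
sample_log() {
cat <<'EOF'
Jan 10 10:00:01 pmg postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <a@example.net>: Relay access denied; from=<x@example.org> to=<a@example.net> proto=ESMTP helo=<[192.0.2.1]>
Jan 10 10:00:05 pmg postfix/smtpd[1234]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 10 10:00:09 pmg postfix/smtpd[1240]: connect from mail.example.org[192.0.2.5]
Jan 10 10:00:12 pmg postfix/smtpd[1241]: NOQUEUE: reject: RCPT from unknown[198.51.100.20]: 554 5.7.1 <b@example.net>: Relay access denied; from=<y@example.org> to=<b@example.net> proto=ESMTP helo=<mx>
Jan 10 10:00:20 pmg postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <c@example.net>: Relay access denied; from=<x@example.org> to=<c@example.net> proto=ESMTP helo=<[192.0.2.1]>
Jan 10 10:00:31 pmg postfix/smtpd[1250]: warning: unknown[198.51.100.20]: SASL PLAIN authentication failed:
EOF
}

# count_offenders MAXRETRY [FILE...]
# Prints "count ip" for every client at or above MAXRETRY, busiest first.
count_offenders() {
    maxretry=$1
    shift
    awk -v max="$maxretry" '
        /postfix\/.*smtpd\[[0-9]+\]: / &&
        (/Relay access denied/ || /SASL [A-Z0-9-]+ authentication failed/) {
            # Drop the "postfix/smtpd[pid]: " prefix so the first [...] left
            # in the message is the client address, not the process id.
            msg = substr($0, index($0, "]: ") + 3)
            if (match(msg, /\[[0-9a-fA-F:.]+\]/))
                hits[substr(msg, RSTART + 1, RLENGTH - 2)]++
        }
        END { for (ip in hits) if (hits[ip] >= max) print hits[ip], ip }
    ' "$@" | sort -k1,1nr -k2,2
}

# Stand-alone run against the constructed sample with the jail's maxretry = 3.
sample_log | count_offenders 3
```

To check real traffic, pass the log file instead of the sample: count_offenders 3 /var/log/mail.log.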

✅ Conclusion

When properly configured, Proxmox Mail Gateway is a powerful solution for email security. By applying the configurations outlined in this guide, you can significantly improve PMG’s protection against spam, phishing, and malware.

🔒 Don’t forget:

  • Perform regular system and signature updates
  • Review logs frequently
  • Limit access to administrative interfaces
