Proxmox Mail Gateway Security

Proxmox Mail Gateway Security

Proxmox Mail Gateway (PMG) provides a robust security layer to protect email servers against spam, viruses, phishing, and other malicious content. However, using default settings may expose certain vulnerabilities. In this article, we will enhance PMG’s security through critical configuration adjustments.

1. Keep PMG Up to Date

Keeping PMG and its security patches updated is essential. Run the following commands regularly:

apt update && apt upgrade -y
pmgversion

🛠️ Tip: Schedule maintenance windows to prevent disruptions to email traffic during updates.

2. Access Control and Secure Connections

2.1. Secure the Web Interface

Restrict access to the PMG web interface by allowing only specific IP addresses:

echo '192.168.1.0/24 allow' > /etc/pmg/pmgproxy/pmgproxy.conf
echo 'all deny' >> /etc/pmg/pmgproxy/pmgproxy.conf
systemctl restart pmgproxy

2.2. TLS/SSL Certificate Configuration

Enhance HTTPS security by replacing PMG’s default certificate with a Let’s Encrypt or custom CA certificate:

pmgconfig set --section 'pmgproxy' --key 'ssl-cert' --value '/etc/letsencrypt/live/mail.example.com/fullchain.pem'
systemctl restart pmgproxy

3. Postfix Configuration and Security

PMG uses Postfix for mail processing, and optimizing its configuration is critical for security.

3.1. Restrict Relaying

Prevent unauthorized email relaying:

postconf -e "smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination"
systemctl restart postfix

3.2. Enable DNSBL (Blacklist) Checks

Block known spam sources using DNS-based blacklists:

postconf -e "smtpd_client_restrictions = reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client b.barracudacentral.org"
systemctl restart postfix

3.3. Enable SPF, DKIM, and DMARC

Activate anti-spoofing mechanisms to verify sender identity:

pmgconfig set --section 'mail' --key 'use_spf' --value '1'
pmgconfig set --section 'mail' --key 'use_dkim' --value '1'
pmgconfig set --section 'mail' --key 'use_dmarc' --value '1'
systemctl restart pmg-smtp-filter

4. Spam and Malicious Email Filtering

4.1. Adjust SpamAssassin Score Thresholds

Improve detection of suspicious emails by lowering the spam score threshold:

echo "required_score 4.0" >> /etc/mail/spamassassin/local.cf
systemctl restart pmg-smtp-filter

4.2. Set Heuristic Scores in the Web Interface

In the PMG web UI, go to Spam Detector > Options and set the Heuristic Score threshold to 4 or 5 for stricter spam detection.

5. Antivirus and Threat Blocking

5.1. ClamAV Configuration

PMG integrates with ClamAV for virus scanning. Check for updates regularly:

freshclam
systemctl restart clamav-daemon

Enable blocking of encrypted attachments:

In the PMG UI > Virus Detector > Options, set Block Encrypted Archives and Documents to Yes.

6. Block Malicious IPs with Fail2Ban

Fail2Ban protects PMG by blocking IPs after multiple failed login or relay attempts.

Create a Fail2Ban configuration for Postfix:

echo "[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=Postfix, port=25,465,587,submission, protocol=tcp]
logpath = /var/log/mail.log
maxretry = 3" > /etc/fail2ban/jail.d/postfix.conf

systemctl restart fail2ban

To receive email alerts for banned IPs, edit or create /etc/fail2ban/fail2ban.local:

[DEFAULT]
destemail = admin@example.com
sender = fail2ban@example.com
mta = mail
action = %(action_mwl)s

✅ Conclusion

When properly configured, Proxmox Mail Gateway is a powerful solution for email security. By applying the configurations outlined in this guide, you can significantly improve PMG’s protection against spam, phishing, and malware.

🔒 Don’t forget:

• Perform regular system and signature updates
• Review logs frequently
• Limit access to administrative interfaces