TLS policy for outbound connections.
+`/etc/pmg/tls_inbound_domains`::
+
+Sender domains for which TLS is enforced on inbound connections.
+
`/etc/pmg/transports`::
Message delivery transport setup.
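Review bot: the description on the `+` line "Sender domains for which TLS is enforced on inbound connections." should say which sender is meant; the later hunk implements this with `check_sender_access`, which matches the envelope sender (MAIL FROM) and not the header From, so "Envelope sender domains for which TLS is enforced on inbound connections." would spare readers the assumption that header addresses are checked.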
[thumbnail="pmg-gui-mailproxy-relaying.png", big=1]
endif::manvolnum[]
-These settings are saved to the 'mail' subsection in `/etc/pmg/pmg.conf`,
-using the following configuration keys:
+These settings are saved to the 'mail' subsection in `/etc/pmg/pmg.conf`. Some of these correspond
+to postfix options in the `main.cf` (see the
+https://www.postfix.org/postconf.5.html[postconf documentation]).
+
+They use the following configuration keys:
include::pmg.mail-relaying-conf-opts.adoc[]
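Review bot: "postfix" on the `+` line "to postfix options in the `main.cf` (see the" should be capitalized as "Postfix", matching how the product name is written elsewhere in these docs and on the linked postconf page; the same applies to the identical sentence in the ports section below.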
[thumbnail="pmg-gui-mailproxy-ports.png", big=1]
endif::manvolnum[]
-These settings are saved to the 'mail' subsection in `/etc/pmg/pmg.conf`,
-using the following configuration keys:
+These settings are saved to the 'mail' subsection in `/etc/pmg/pmg.conf`. Many of these correspond
+to postfix options in the `main.cf` (see the
+https://www.postfix.org/postconf.5.html[postconf documentation]).
+
+They use the following configuration keys:
include::pmg.mail-ports-conf-opts.adoc[]
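Review bot: the two rewritten sentences are otherwise identical but this one says "Many of these correspond" while the relaying section says "Some of these correspond"; unless the difference is intentional, use one wording in both places so the sections read consistently.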
encryption, or to work around a broken 'STARTTLS' ESMTP implementation. See
{postfix_tls_readme} for details on the supported policies.
+Additionally, TLS can also be enforced on incoming connections on the external
+port for specific sender domains by creating a TLS inbound domains entry. Mails
+with matching domains must use a encrypted SMTP session, otherwise they are
+rejected. All domains on this list have and entry of
+https://www.postfix.org/postconf.5.html#reject_plaintext_session[`reject_plaintext_session`]
+in a `check_sender_access` table.
+
Enable TLS logging::
To get additional information about SMTP TLS activity, you can enable
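Review bot: two grammar fixes on the `+` lines: "must use a encrypted SMTP session" should read "an encrypted SMTP session", and "All domains on this list have and entry of" should read "have an entry of". The paragraph would also benefit from stating what this check does and does not give you: because `check_sender_access` matches the envelope sender, it enforces that any session claiming a listed MAIL FROM domain is encrypted, but it does not authenticate the sender, so a spoofed envelope sender over TLS still passes this particular check. A sentence to that effect after "otherwise they are rejected." would prevent readers from mistaking it for sender verification.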
lead to finding such a pattern in your environment.
You can adjust the score of a rule by creating a new 'Custom Rule Score' entry
-in the GUI.
+in the GUI and entering a {spamassassin} rule as the name.
NOTE: In general, it is strongly recommended not to make large changes to the
default scores.
the xref:pmgconfig_template_engine[template engine], while the others can
get updated by any {spamassassin} package upgrade.
-To add your custom configuration, you have to create a new file and name it
-`custom.cf` (in this directory), then add your configuration there. Make sure
-to use the correct {spamassassin} syntax, and test it with:
+To add your custom configuration, you have to create a new file named
+`custom.cf` (in `/etc/mail/spamassassin/`), then add your configuration there.
+Make sure to use the correct {spamassassin_rule_syntax} and test it with:
----
# spamassassin -D --lint
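Review bot: the `+` line "Make sure to use the correct {spamassassin_rule_syntax} and test it with:" introduces a new AsciiDoc attribute, `{spamassassin_rule_syntax}`, which is not defined anywhere in this patch; make sure it is added to the shared attributes file in the same series, otherwise the text renders with the literal placeholder. Hard-coding `/etc/mail/spamassassin/` on the previous line is fine, since the surrounding context already names that directory.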
[thumbnail="pmg-gui-ldap-user-config.png", big=1]
+With {pmg}, users can use LDAP and Active directory as authentication methods to
+access their individual xref:pmgadministration_spam_quarantine[Spam Quarantine].
+Additionally, if users have extra email aliases defined in the LDAP directory,
+they will have a single spam quarantine for all of these.
+
+NOTE: Authentication via LDAP must first be enabled using the `Authentication
+mode` (`authmode`) parameter in the
+xref:pmgconfig_spamdetector_quarantine[Spam Detector's Quarantine configuration settings].
+
You can specify multiple LDAP/Active Directory profiles, so that you can
-create rules matching those users and groups.
+create rules matching particular users and groups.
Creating a profile requires (at least) the following:
-* profile name
-* protocol (LDAP or LDAPS; LDAPS is recommended)
-* at least one server
-* a username and password (if your server does not support anonymous binds)
+* `Profile Name`: The name assigned to the LDAP profile.
+* `Protocol`: LDAP, LDAPS, or LDAP+STARTTLS (LDAP+STARTTLS is recommended).
+* `Server`: The domain name/IP address of the LDAP server. A fallback can also
+ be configured using the second field.
+* `User name`: The Bind DN for authentication on the LDAP server.
+ This is required if your server does not support anonymous binds.
+* `Password`: Password for the Bind DN user.
+* `Base DN`: The directory which users are searched under.
All other fields should work with the defaults for most setups, but can be
used to customize the queries.
-The settings are saved to `/etc/pmg/ldap.conf`. Details for the options
+The settings are saved to `/etc/pmg/ldap.conf`. Details about the options
can be found here: xref:pmg_ldap_configuration_file[ldap.conf]
Bind user
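Review bot: the `+` line "`Protocol`: LDAP, LDAPS, or LDAP+STARTTLS (LDAP+STARTTLS is recommended)." changes the recommendation from LDAPS (in the removed line) to LDAP+STARTTLS without saying why; either is acceptable as long as the server certificate is verified, so the commit message or the text should give the reason, and the list should state plainly that plain LDAP transmits the Bind DN password in cleartext, which is the point of recommending an encrypted variant at all. Two smaller items on the same hunk: "Active directory" on the line "With {pmg}, users can use LDAP and Active directory as authentication methods to" should be "Active Directory", and "`Base DN`: The directory which users are searched under." reads better as "The subtree of the directory under which users are searched."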
(for example OpenLDAP or FreeIPA), the username has to be of a format like
'uid=username,cn=users,cn=accounts,dc=domain', where the specific fields
depend on your setup. For Active Directory servers, the format should be
-like 'username@domain' or 'domain\username'.
+'username@domain' or 'domain\username'.
Sync
^^^^
Users of the admin interface can configure two-factor authentication to
increase protection of their accounts.
+NOTE: Joining a cluster with two-factor authentication enabled for the `root`
+user is not supported. Remove the second factor when joining the cluster.
+
Available Second Factors
~~~~~~~~~~~~~~~~~~~~~~~~
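Review bot: "Remove the second factor when joining the cluster." on the `+` line is ambiguous about ordering; since the join itself is what is unsupported with a second factor present, "Remove the second factor before joining the cluster." states the required sequence and matches the preceding sentence.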
losing your smartphone or security key locks you out of your account
permanently.
-The following two-factor authentication methods are available in addition to
-realm-enforced TOTP and YubiKey OTP:
+The following two-factor authentication methods are available:
* User configured TOTP
(https://en.wikipedia.org/wiki/Time-based_One-Time_Password[Time-based One-Time Password]).
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Users can choose to enable 'TOTP' or 'WebAuthn' as a second factor on login,
-via the 'TFA' button in the user list (unless the realm enforces 'YubiKey
-OTP').
+via the 'TFA' button in the user list.
Users can always add and use one time 'Recovery Keys'.
For WebAuthn to work, you need to have two things:
* A trusted HTTPS certificate (for example, by using
- https://pve.proxmox.com/wiki/Certificate_Management[Let's Encrypt]).
+ xref:sysadmin_certs_get_trusted_acme_cert[Let's Encrypt]).
While it probably works with an untrusted certificate, some browsers may
warn or refuse WebAuthn operations if it is not trusted.
* Setup the WebAuthn configuration (see *User Management -> Two Factor ->
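Review bot: the `+` line replaces an external link with "xref:sysadmin_certs_get_trusted_acme_cert[Let's Encrypt]"; that anchor is not defined in this patch, so please confirm it exists in the certificate-management document included in the pmg-docs build, otherwise asciidoctor will emit a broken cross reference where the old PVE wiki link used to resolve.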