10 pmgconfig - Proxmox Mail Gateway Configuration Management Toolkit
16 include::pmgconfig.1-synopsis.adoc[]
23 Configuration Management
24 ========================
28 {pmg} is usually configured using the web-based Graphical User
29 Interface (GUI), but it is also possible to directly edit the
30 configuration files, use the REST API over 'https'
31 or the command line tool `pmgsh`.
33 The command line tool `pmgconfig` is used to simplify some common
34 configuration tasks, i.e. to generate cerificates and to rewrite
35 service configuration files.
37 NOTE: We use a Postgres database to store mail filter rules and
38 statistic data. See chapter xref:chapter_pmgdb[Database Management]
42 Configuration files overview
43 ----------------------------
45 `/etc/network/interfaces`::
47 Network setup. We never modify this files directly. Instead, we write
48 changes to `/etc/network/interfaces.new`. When you reboot, we rename
49 the file to `/etc/network/interfaces`, so any changes gets activated
54 DNS search domain and nameserver setup.
58 The system's host name.
62 Static table lookup for hostnames.
66 Stores common administration options, i.e. the spam and mail proxy setup.
68 `/etc/pmg/cluster.conf`::
74 The list of relay domains.
76 `/etc/pmg/fetchmailrc`::
78 Fetchmail configuration (POP3 and IMAP setup).
80 `/etc/pmg/ldap.conf`::
84 `/etc/pmg/mynetworks`::
86 List of local (trusted) networks.
88 `/etc/pmg/subscription`::
90 Stores your subscription key and status.
92 `/etc/pmg/transports`::
94 Message delivery transport setup.
96 `/etc/pmg/user.conf`::
98 GUI user configuration.
100 `/etc/mail/spamassassin/custom.cf`::
102 Custom {spamassassin} setup.
105 Keys and Certificates
106 ---------------------
108 `/etc/pmg/pmg-api.pem`::
110 Key and certificate (combined) used be the HTTPs server (API).
112 `/etc/pmg/pmg-authkey.key`::
114 Privat key use to generate authentication tickets.
116 `/etc/pmg/pmg-authkey.pub`::
118 Public key use to verify authentication tickets.
120 `/etc/pmg/pmg-csrf.key`::
122 Internally used to generate CSRF tokens.
124 `/etc/pmg/pmg-tls.pem`::
126 Key and certificate (combined) to encrypt mail traffic (TLS).
129 Service Configuration Templates
130 -------------------------------
132 {pmg} uses various services to implement mail filtering, for example
133 the {postfix} Mail Transport Agent (MTA), the {clamav} antivirus
134 engine and the Apache {spamassassin} project. Those services use
135 separate configuration files, so we need to rewrite those files when
136 configuration is changed.
138 We use a template based approach to generate those files. The {tts} is
139 a well known, fast and flexible template processing system. You can
140 find the default templates in `/var/lib/pmg/templates/`. Please do not
141 modify them directly, because your modification would get lost on the
142 next update. Instead, copy them to `/etc/pmg/templates/`, then apply
145 Templates can access any configuration setting, and you can use the
146 `pmgconfig dump` command to get a list of all variable names:
151 dns.domain = yourdomain.tld
153 ipconfig.int_ip = 192.168.2.127
154 pmg.admin.advfilter = 1
158 The same tool is used to force regeneration of all template based
159 configuration files. You need to run that after modifying a template,
160 or when you directly edit configuration files
163 # pmgconfig sync --restart 1
166 Above commands also restarts services if underlying configuration
167 files are changed. Please note that this is automatically done when
168 you change the configuration using the GUI or API.
170 NOTE: Modified templates from `/etc/pmg/templates/` are automatically
171 synced from the master node to all cluster members.
181 image::images/screenshot/pmg-gui-network-config.png[]
184 Normally the network and time is already configured when you visit the
185 GUI. The installer asks for those setting and sets up the correct
188 The default setup uses a single Ethernet adapter and static IP
189 assignment. The configuration is stored at '/etc/network/interfaces',
190 and the actual network setup is done the standard Debian way using
193 .Example network setup '/etc/network/interfaces'
195 source /etc/network/interfaces.d/*
198 iface lo inet loopback
201 iface ens18 inet static
202 address 192.168.2.127
203 netmask 255.255.240.0
209 Many tests to detect SPAM mails use DNS queries, so it is important to
210 have a fast and reliable DNS server. We also query some public
211 available DNS Blacklists. Most of them apply rate limits for clients,
212 so they simply will not work if you use a public DNS server (because
213 they are usually blocked). We recommend to use your own DNS server,
214 which need to be configured in 'recursive' mode.
221 image::images/screenshot/pmg-gui-system-options.png[]
225 Those settings are saved to subsection 'admin' in `/etc/pmg/pmg.conf`,
226 using the following configuration keys:
228 include::pmg.admin-conf-opts.adoc[]
231 Mail Proxy Configuration
232 ------------------------
238 image::images/screenshot/pmg-gui-mailproxy-relaying.png[]
241 Those settings are saved to subsection 'mail' in `/etc/pmg/pmg.conf`,
242 using the following configuration keys:
244 include::pmg.mail-relaying-conf-opts.adoc[]
250 image::images/screenshot/pmg-gui-mailproxy-relaydomains.png[]
253 List of relayed mail domains, i.e. what destination domains this
254 system will relay mail to. The system will reject incoming mails to
262 image::images/screenshot/pmg-gui-mailproxy-ports.png[]
265 Those settings are saved to subsection 'mail' in `/etc/pmg/pmg.conf`,
266 using the following configuration keys:
268 include::pmg.mail-ports-conf-opts.adoc[]
275 image::images/screenshot/pmg-gui-mailproxy-options.png[]
278 Those settings are saved to subsection 'mail' in `/etc/pmg/pmg.conf`,
279 using the following configuration keys:
281 include::pmg.mail-options-conf-opts.adoc[]
288 image::images/screenshot/pmg-gui-mailproxy-transports.png[]
291 You can use {pmg} to send e-mails to different internal
292 e-mail servers. For example you can send e-mails addressed to
293 domain.com to your first e-mail server, and e-mails addressed to
294 subdomain.domain.com to a second one.
296 You can add the IP addresses, hostname and SMTP ports and mail domains (or
297 just single email addresses) of your additional e-mail servers.
304 image::images/screenshot/pmg-gui-mailproxy-networks.png[]
307 You can add additional internal (trusted) IP networks or hosts.
308 All hosts in this list are allowed to relay.
310 NOTE: Hosts in the same subnet with Proxmox can relay by default and
311 it’s not needed to add them in this list.
318 image::images/screenshot/pmg-gui-mailproxy-tls.png[]
321 Transport Layer Security (TLS) provides certificate-based
322 authentication and encrypted sessions. An encrypted session protects
323 the information that is transmitted with SMTP mail. When you activate
324 TLS, {pmg} automatically generates a new self signed
325 certificate for you (`/etc/pmg/pmg-tls.pem`).
327 {pmg} uses opportunistic TLS encryption. The SMTP transaction is
328 encrypted if the 'STARTTLS' ESMTP feature is supported by the remote
329 server. Otherwise, messages are sent in the clear.
333 To get additional information about SMTP TLS activity you can enable
334 TLS logging. That way information about TLS sessions and used
335 certificate’s is logged via syslog.
337 Add TLS received header::
339 Set this option to include information about the protocol and cipher
340 used as well as the client and issuer CommonName into the "Received:"
343 Those settings are saved to subsection 'mail' in `/etc/pmg/pmg.conf`,
344 using the following configuration keys:
346 include::pmg.mail-tls-conf-opts.adoc[]
353 image::images/screenshot/pmg-gui-mailproxy-whitelist.png[]
356 All SMTP checks are disabled for those entries (e. g. Greylisting,
359 NOTE: If you use a backup MX server (e.g. your ISP offers this service
360 for you) you should always add those servers here.
363 Spam Detector Configuration
364 ---------------------------
370 image::images/screenshot/pmg-gui-spam-options.png[]
373 {pmg} uses a wide variety of local and network tests to identify spam
374 signatures. This makes it harder for spammers to identify one aspect
375 which they can craft their messages to work around the spam filter.
377 Every single e-mail will be analyzed and gets a spam score
378 assigned. The system attempts to optimize the efficiency of the rules
379 that are run in terms of minimizing the number of false positives and
382 include::pmg.spam-conf-opts.adoc[]
389 image::images/screenshot/pmg-gui-spamquar-options.png[]
392 Proxmox analyses all incoming e-mail messages and decides for each
393 e-mail if its ham or spam (or virus). Good e-mails are delivered to
394 the inbox and spam messages can be moved into the spam quarantine.
396 The system can be configured to send daily reports to inform users
397 about the personal spam messages received the last day. That report is
398 only sent if there are new messages in the quarantine.
400 include::pmg.spamquar-conf-opts.adoc[]
403 Virus Detector Configuration
404 ----------------------------
410 image::images/screenshot/pmg-gui-virus-options.png[]
413 All mails are automatically passed to the included virus detector
414 ({clamav}). The default setting are considered safe, so it is usually
415 not required to change them.
417 {clamav} related settings are saved to subsection 'clamav' in `/etc/pmg/pmg.conf`,
418 using the following configuration keys:
420 include::pmg.clamav-conf-opts.adoc[]
423 image::images/screenshot/pmg-gui-clamav-database.png[]
426 Please note that the virus signature database it automatically
427 updated. But you can see the database status on the GUI, and you can
428 trigger manual updates there.
435 image::images/screenshot/pmg-gui-virusquar-options.png[]
438 Indentified virus mails are automatically moved to the virus
439 quarantine. The administartor can view those mails using the GUI, or
440 deliver them in case of false positives. {pmg} does not notify
441 individual users about received virus mails.
443 Virus quarantine related settings are saved to subsection 'virusquar'
444 in `/etc/pmg/pmg.conf`, using the following configuration keys:
446 include::pmg.virusquar-conf-opts.adoc[]
449 Custom SpamAssassin configuration
450 ---------------------------------
452 This is only for advanced users. To add or change the Proxmox
453 {spamassassin} configuration please login to the console via SSH. Go
454 to directory `/etc/mail/spamassasin/`. In this directory there are several
455 files (`init.pre`, `local.cf`, ...) – do not change them.
457 To add your special configuration, you have to create a new file and
458 name it `custom.cf` (in this directory), then add your
459 configuration there. Be aware to use the {spamassassin}
460 syntax, and test with
463 # spamassassin -D --lint
466 If you run a cluster, the `custom.cf` file is synchronized from the
467 master node to all cluster members.
473 User management in {pmg} consists of three types of users/accounts:
479 image::images/screenshot/pmg-gui-local-user-config.png[]
481 Local users are used to manage and audit {pmg}. Those users can login on the
482 management web interface.
484 There are three roles:
488 Is allowed to manage settings of {pmg}, except some tasks like
489 network configuration and upgrading.
493 Is allowed to manage quarantines, blacklists and whitelists, but not other
494 settings. Has no right to view any other data.
498 With this role, the user is only allowed to view data and configuration, but
501 In addition there is always the 'root' user, which is used to perform special
502 system administrator tasks, such as updgrading a host or changing the
503 network configuration.
505 NOTE: Only pam users are able to login via the webconsole and ssh, which the
506 users created with the web interface are not. Those users are created for
507 {pmg} administration only.
509 Local user related settings are saved in `/etc/pmg/user.conf`.
511 For details of the fields see xref:pmg_user_configuration_file[user.conf]
513 LDAP/Active Directory
514 ~~~~~~~~~~~~~~~~~~~~~
516 image::images/screenshot/pmg-gui-ldap-user-config.png[]
518 You can specify multiple LDAP/Active Directory profiles, so that you can
519 create rules matching those users and groups.
521 Creating a profile requires (at least) the following:
524 * protocol (LDAP or LDAPS; LDAPS is recommended)
525 * at least one server
526 * a user and password (if your server does not support anonymous binds)
528 All other fields should work with the defaults for most setups, but can be
529 used to customize the queries.
531 The settings are saved to `/etc/pmg/ldap.conf`. Details for the options
532 can be found here: xref:pmg_ldap_configuration_file[ldap.conf]
537 It is highly recommended that the user which you use for connecting to the
538 LDAP server only has the permission to query the server. For LDAP servers
539 (for example OpenLDAP or FreeIPA), the username has to be of a format like
540 'uid=username,cn=users,cn=accounts,dc=domain' , where the specific fields are
541 depending on your setup. For Active Directory servers, the format should be
542 like 'username@domain' or 'domain\username'.
547 {pmg} synchronizes the relevant user and group info periodically, so that
548 that information is available in a fast manner, even when the LDAP/AD server
549 is temporarily not accessible.
551 After a successfull sync, the groups and users should be visible on the web
552 interface. After that, you can create rules targeting LDAP users and groups.
558 image::images/screenshot/pmg-gui-fetchmail-config.png[]
560 Fetchmail is utility for polling and forwarding e-mails. You can define
561 e-mail accounts, which will then be fetched and forwarded to the e-mail
564 You have to add an entry for each account/target combination you want to
565 fetch and forward. Those will then be regularly polled and forwarded,
566 according to your configuration.
568 The API and web interface offer following configuration options:
570 include::fetchmail.conf.5-opts.adoc[]
574 include::pmg-copyright.adoc[]