Does anyone use the combination of NethServer (as mail server) - Proxmox Mail Gateway (PMG)?
I am unable to configure the sending of emails through PMG. It should work by configuring “Smart host” in NethServer (Settings) but …
I must be wrong somewhere, either at NethServer, or at PMG, or even at both.
Hi Gabriel,
I’m using PMG, although not with NS, but the settings should be the same.
Can you please post at least mail.cf of your postfixes at NS and PMG?
I think you meant main.cf instead of mail.cf, right?
History in brief:
NethServer and PMG are virtual machines on PVE;
Both are in the DMZ (made with Endian Firewall Community);
In EFW, through NAT, port 25 is forwarded from RED to PMG IP;
All incoming emails go through PMG without any problem;
I followed the solution proposed by @mrmarkuzhere for adding port 26 in NethServer (I don’t know if the solution is the right one);
When I want to configure smarthost in NS to connect to PMG, any combination of user/password I use results in a failure;
In Syslog PMG, these records appear regarding the connection attempt via smarthost:
Nov 17 15:55:00 pmg-gtbs postfix/smtpd[22786]: connect from host-gtbs.gtbs.ro[10.0.10.12]
Nov 17 15:55:00 pmg-gtbs postfix/smtpd[22786]: Anonymous TLS connection established from host-gtbs.gtbs.ro[10.0.10.12]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 ( 256/256 bits)
Nov 17 15:55:00 pmg-gtbs postfix/smtpd[22786]: disconnect from host-gtbs.gtbs.ro[10.0.10.12] ehlo=2 starttls=1 quit=1 commands=4
Is there a configuration tested and working for SMTP and related on a client?
Can nethserver ping 10.0.10.5?
Can you telnet on port 26 from Nethserver?
It works for incoming emails.
It responds to PING.
I think there is a problem with TELNET …
SYSLOG PMG to TELNET:
Nov 19 13:12:50 pmg-gtbs postfix/smtpd[50965]: lost connection after CONNECT from host-gtbs.gtbs.ro[10.0.10.12]
Nov 19 13:12:50 pmg-gtbs postfix/smtpd[50965]: disconnect from host-gtbs.gtbs.ro[10.0.10.12] commands=0/0
[root@host-gtbs ~]#
[root@host-gtbs ~]# ping 10.0.10.5
PING 10.0.10.5 (10.0.10.5) 56(84) bytes of data.
64 bytes from 10.0.10.5: icmp_seq=1 ttl=64 time=0.541 ms
64 bytes from 10.0.10.5: icmp_seq=2 ttl=64 time=0.573 ms
64 bytes from 10.0.10.5: icmp_seq=3 ttl=64 time=0.579 ms
64 bytes from 10.0.10.5: icmp_seq=4 ttl=64 time=0.586 ms
64 bytes from 10.0.10.5: icmp_seq=5 ttl=64 time=0.556 ms
^C
--- 10.0.10.5 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4002ms
rtt min/avg/max/mdev = 0.541/0.567/0.586/0.016 ms
[root@host-gtbs ~]#
[root@host-gtbs ~]#
[root@host-gtbs ~]#
[root@host-gtbs ~]# telnet 10.0.10.5 26
Trying 10.0.10.5...
Connected to 10.0.10.5.
Escape character is '^]'.
220 pmg-gtbs.gtbs.ro mail.gtbs.ro
^]
telnet> quit
Connection closed.
[root@host-gtbs ~]#
No encryption or authentication.
PMG expects this host to be on the “inside” of your network and it will receive and forward.
Don’t forget to configure DKIM per domain.
I tried without: username, password and Encrypted connections.
I did not succeed.
PMG and NS are in the DMZ (same network).
DKIM is configured from NS.
From what I saw in the PMG syslog, for inbound, the connection appears on port 25, but when I try to connect via smarthost, port 26 does not appear:
Nov 21 08:59:53 pmg-gtbs postfix/postscreen[183906]: CONNECT from [103.151.125.9]:25675 to [10.0.10.5]:25
Nov 21 08:59:53 pmg-gtbs postfix/dnsblog[183908]: addr 103.151.125.9 listed by domain zen.spamhaus.org as 127.0.0.3
Nov 21 08:59:53 pmg-gtbs postfix/dnsblog[183908]: addr 103.151.125.9 listed by domain zen.spamhaus.org as 127.0.0.4
Nov 21 08:59:53 pmg-gtbs postfix/postscreen[183906]: PREGREET 11 after 0.29 from [103.151.125.9]:25675: EHLO User\r\n
Nov 21 08:59:53 pmg-gtbs postfix/postscreen[183906]: DISCONNECT [103.151.125.9]:25675
Nov 21 09:00:08 pmg-gtbs systemd[1]: Starting Hourly Proxmox Mail Gateway activities…
Nov 21 09:00:08 pmg-gtbs postfix/smtpd[183948]: connect from host-gtbs.gtbs.ro[10.0.10.12]
Nov 21 09:00:08 pmg-gtbs postfix/smtpd[183948]: Anonymous TLS connection established from host-gtbs.gtbs.ro[10.0.10.12]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 ( 256/256 bits)
Nov 21 09:00:08 pmg-gtbs postfix/smtpd[183948]: disconnect from host-gtbs.gtbs.ro[10.0.10.12] ehlo=2 starttls=1 quit=1 commands=4
BR,
Gabriel
P.S
If I create a relay host in Email → Relay (without username, password, with or without TLS) then I can send emails via PMG, but I don’t think it’s the same as when using smarthost.
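Added example, not part of the original thread: the Postfix smtpd "disconnect" summaries quoted in the posts above count each SMTP command the client sent, so they show whether NethServer only probed the port or actually tried AUTH or MAIL. The third sample line, the function names and the verdict labels are constructed for illustration.

```python
import re

# Constructed sample: two disconnect summaries as quoted in the thread,
# plus one constructed line showing a completed mail transaction.
SAMPLE = """\
Nov 17 15:55:00 pmg-gtbs postfix/smtpd[22786]: disconnect from host-gtbs.gtbs.ro[10.0.10.12] ehlo=2 starttls=1 quit=1 commands=4
Nov 19 13:12:50 pmg-gtbs postfix/smtpd[50965]: disconnect from host-gtbs.gtbs.ro[10.0.10.12] commands=0/0
Nov 21 09:05:00 pmg-gtbs postfix/smtpd[99999]: disconnect from host-gtbs.gtbs.ro[10.0.10.12] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
"""

DISCONNECT = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: disconnect from \S+\[(?P<ip>[^\]]+)\](?P<rest>.*)$"
)

def parse_counters(rest):
    """Map 'ehlo=2 auth=0/1' to {'ehlo': (2, 2), 'auth': (0, 1)} as (ok, attempted)."""
    counters = {}
    for name, ok, total in re.findall(r"(\w+)=(\d+)(?:/(\d+))?", rest):
        counters[name] = (int(ok), int(total) if total else int(ok))
    return counters

def classify(counters):
    """Label one SMTP session from its command counters."""
    ok = lambda name: counters.get(name, (0, 0))[0]
    tried = lambda name: counters.get(name, (0, 0))[1]
    if tried("commands") == 0:
        return "no-commands"        # TCP connect only, e.g. telnet opened and closed
    if tried("auth") > ok("auth"):
        return "auth-failed"        # at least one AUTH attempt was rejected
    if ok("data") or ok("bdat"):
        return "message-sent"       # a mail transaction reached DATA/BDAT successfully
    if tried("mail") or tried("rcpt"):
        return "transaction-incomplete"
    return "probe-only"             # EHLO/STARTTLS/QUIT: no AUTH and no MAIL attempted

def summarize(log_text):
    """Return (pid, client_ip, verdict) for every smtpd disconnect line."""
    results = []
    for line in log_text.splitlines():
        m = DISCONNECT.search(line)
        if m:
            results.append((m["pid"], m["ip"], classify(parse_counters(m["rest"]))))
    return results

if __name__ == "__main__":
    for pid, ip, verdict in summarize(SAMPLE):
        print(pid, ip, verdict)
```

A "probe-only" verdict means the client closed the session after the TLS handshake without sending credentials or mail, so the PMG log for that session cannot show why an authentication would fail.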
Maybe you have not created the transport in PMG? Every host or domain that will use PMG as a proxy needs to be configured in the transport tab.
Port 25 is the one PMG will use to receive email and filter (it does a bad job at it).
Port 26 is the one PMG will use to receive email and send to the destination.
SPF will be set on your nameserver.
DKIM needs to be disabled in NS and enabled in PMG.
From what I understood from the PMG documentation, “Transport” is used for additional mail servers. I have only one mail server and nothing should be configured here. Anyway, I also tried with Transport, although in my case the settings are the same as in “Relaying”.
Also, in the PMG documentation it is written that if the PMG and the mail server are in the same subnet (DMZ in my case), nothing needs to be configured in “Networks”. However, I have added the mail server IP here.
As I said before, in the firewall I forwarded port 25 from RED (the public IP of the mail server) to DMZ (the internal IP of the mail server). All the emails I receive (inbound emails) go through PMG and reach the mail server without any problem.
The problem I have is with sending emails through PMG, configuring/using Smarthost.
I don’t know if the solution adopted with the addition of port 26 in the mail server (NethServer) and not the total replacement of port 25 with 26 is the correct one.
Also, why can I connect to PMG from NethServer on port 26 from “Email → Relay → Create relay host” but not from “System → Settings → Smart host: use a smarthost” (the settings are almost the same: PMG IP, port, without username and password)?
Usually, I configure/put the records for SPF, DMARC and DKIM, in the nameserver.
Sorry for taking too long to reply, but I’m addicted to Soccer
OK, from nethserver install telnet:
yum install telnet
Then, try from the nethserver:
telnet IP_of_PMG 26
Here you can configure the ports:
You need to configure the DKIM on this server, which will be the last one before the email goes out.
Nov 25 11:51:37 pmg-gtbs postfix/smtpd[230656]: connect from host-gtbs.gtbs.ro[10.0.10.12]
Nov 25 11:51:48 pmg-gtbs postfix/smtpd[230656]: lost connection after CONNECT from host-gtbs.gtbs.ro[10.0.10.12]
Nov 25 11:51:48 pmg-gtbs postfix/smtpd[230656]: disconnect from host-gtbs.gtbs.ro[10.0.10.12] commands=0/0
The only thing I haven’t done yet is to disable DKIM from NethServer, delete the registration from my nameserver and set DKIM from PMG. But I don’t think this prevents authentication as a “Smarthost” from NethServer.
Again, the authentication as “Relay host” from NethServer works.
So everything IS working. As you stated, you are relaying the messages from your domain in NS through the PMG server, meaning you are using the PMG as a smarthost.
Which of the two ways should be used in this case (NS Mail server → PMG → Internet)?
In the “Default relay host settings” section, it says in two places that this method is not recommended, but towards the end, it says that “The System > Settings > Smart host section, configures the outgoing messages to be directed through a special SMTP server, technically named smarthost.”
Isn’t PMG “a special SMTP server”?
I think this is where my confusion comes from regarding the two ways of sending emails through PMG as smarthost.
AFAIK… NethServer might (or might not) be a Mailserver.
If it’s a mailserver, it can use a SmartHost to deliver messages submitted by users (as username and password)
If it’s not a mail server, it acts like a client to deliver notifications using a specified email server.
In my case, NethServer is a Mailserver.
So, “can use a SmartHost to deliver messages submitted by users (as username and password)”.
But what do you mean by “use a SmartHost”?
“Relay hosts” or “Default relay host settings”?
But it’s not the correct section for delivering messages as an email server
which is in eMail → Relay, but only for telling the Email server “hey buddy, if you have to deliver user messages, you should use these servers and settings instead of delivering them by yourself” (a.k.a. acting like a proper mailserver). Relay settings might lead to a huge use case list for different options.
You can also not use smarthost for notifications, but this could lead to some kind of issues (you might not be notified if postfix is having issues)
These are my info and use cases… anyone can have different mileage.