Miracle of ESA corporate mail protection or implementation of free mail gateways based on Proxmox Mail Gateway


Firewalls have become a de facto attribute of any network infrastructure. Mail traffic also needs filtering tools. Therefore, in modern relays in reality, it is hard to imagine the mail infrastructure of an organization without mail gateways (mail gateways).

Why you need a mail gateway and how to choose one

Email (EP) is one of the attack vectors as a means for delivering malware to clients in order to penetrate the corporate network of an organization. But ES has another enemy – spam, which interferes with work and fills up useful disk space on mail servers. To solve these problems, solutions have already been developed: commercial and distributed under free licenses. The most popular commercial product is Cisco Email Security Appliance (ESA). But we all know about the problems of “scaling” and reviews the end of vendor licenses under the current conditions, so let’s try to look in the direction of freely distributed products.

Free solutions are considered more complex to set up and require experience in setting up and administering. Of course you can roll CentOS and put there postfix using SpamAssassin, ClamAV, OpenDKIM, SPF and DMARC. However, if you, like me, would like to roll out one virtual machine (which already has everything you need out of the box), go to the webcam and set everything up there – then your choice is Proxmox Mail Gateway (PMG).

Proxmox Mail Gateway

Many have heard of Proxmox thanks to its virtualization solution – Proxmox VE (PVE)as a replacement ESXi from VMWare. Therefore, people familiar with PVE, PMG will not seem like something new in installation and administration, since this is the same Debian with the same Web interface, only it is sharpened for ES.

Who uses Proxmox Mail Gateway

To be honest, I thought that few people use this software product and was skeptical about it as a replacement for ESA. However, information from shodan surprised me and gave me confidence that I’m not the only one.

378 scan results shodan
378 scan results shodan
Wildberries also seem to be successfully using Proxmox
Wildberries also seem to be successfully using Proxmox

Where to put

As mentioned above, a mail gateway is analogous to a firewall for mail. Therefore, you need to install PMG, like any other gateway, contrary (on the border of getting mail traffic from outside) mail traffic. Thus, there is a barrier between the sender’s (or spammer’s) SMTP server and the recipient’s SMTP server in the form of a mail gateway.

What to bet on

PMG is supplied as ISO-installer. Therefore, on what to install it is a decision on the taste and color of each. At least on an old PC, at least on a server, at least using virtualization.

Installation

Installation is extremely simple, described in the official documentation and is not much different from installing a typical OS from an ISO installer. PVE users won’t notice a significant difference at all.

How to enter

After successful installation, to manage PMG, you need to go to the browser at: https://{ip_or_domain_name_pmg}:8006
and enter the credentials provided during installation.

Configuring Proxmox Mail Gateway

If we describe the configuration of all features, then the article will turn into the documentation of the developer’s site, so I will briefly describe the main (required) parameters.
To configure (administer) the mechanisms of the mail gateway, the following are presented: sections:

  • Mail Filter – setting up chains of rules for content filtering of messages (similar to Content Filters at ESA). Concerns the processing of letters and actions on them;

  • Configuration – setting the main parameters of the gateway itself. Enabling / disabling protection mechanisms, network settings, relaying, anti-virus and spam engines, user management, cluster configuration, backup, certificates;

  • Administration – managing mail queues, quarantines, setting up Black/White lists, viewing message tracking;

Mail Filter

PMG out of the box is already endowed with chains of rules in Mail Filter, ready to work guarding your email traffic. I don’t see the point in dwelling on this in detail, those who worked with ESA will understand and finish it for themselves, those who look at it for the first time need to understand the essence. The bottom line is that for building chains of rules (rules) there are the following objects:

  • Action Objects – actions applied when hitting the rule (Rule). For example, deliver an email to a user, drop an email, quarantine it, delete attachments, notify an administrator, etc.;

  • Who Objects – lists of objects grouped by some attribute related to the sender or recipient (specific addresses, domains, IP addresses, regular expressions, etc.);

  • What Objects – lists of objects grouped according to some criteria related to the content of the e-mail (pictures, links, attachments, office files, etc.);

  • When Objects – lists of objects related to a time interval, grouped according to some attribute, for example, non-working hours or night;

Blocking addresses from the blacklist
Blocking addresses from the blacklist

Accordingly, like compiling an ACL, combining these objects into a chain is the rules. Figuratively it works like this:
If I received an email from spammer@spam.ru (address from Blacklist in Who Objects), in the letter office document .docx (file from What Objects) – block the message or send it to quarantine (action from Action Objects).

Blocking letters with office documents
Blocking letters with office documents

Configuration

The main section for configuring the mail gateway. In this section, the first step is to configure mail proxy.

mail proxy

In chapter relaying in field default relay specify the IP address or domain name of the SMTP server to which you want to send letters further (the server serving your domain).

In chapter relay domains need to add domains, served by your SMTP server. This is done so that PMG understands which letters to process and send further.

In chapter Ports you can change which ports the PMG should listen on. By default port 25 (External) is used to receive messages from outside (from the Internet). Port 26 (Internal) is a relay for receiving emails from your mail server and then sending them out (to other mail domains).

In chapter transports you must specify which domain which SMTP server to use for forwarding. You can have multiple accepted domains, and each of those domains can have its own SMTP server.

In chapter Networks you must specify trusted networks – networks from which allowed acceptance for forwarding to other domains. This is done so that letters are sent out only from your trusted SMTP servers.

In chapter TLS you can enable TLS when sending and receiving messages. This means that when TLS is enabled, PMG will try to send emails outside using the ESMTP extension – STARTTLSas well as be able to accept such such letters.

In chapter DKIM you can enable signing of outgoing messages. How to add your signature key to PMG is written in the documentation.

In chapter Whitelist you can specify those addresses and domains that will not pass the checks included in the section Options.

In chapter Options Customize review mechanisms based on your organization’s policy. On my own behalf, I would like to advise you to change the standard banner and not show everyone what you are using.

This concludes the basic configuration of the mail gateway. All other settings are adjusted depending on your personal preferences and security requirements.

Spam Detector

As an anti-spam solution, PMG uses under the hood SpamAssassin. It is enabled by default and ready to go out of the box. The following sections are used to change the anti-spam settings:
Options, Quarantine, Status, Custom Scores

Virus Detector

As an AVZ, PMG uses the engine ClamAV. It is enabled by default and ready to go out of the box. The following sections are used to change the anti-virus engine settings:
Options, ClamAV, Quarantine

Cluster

Cisco ESA allows you to work in cluster mode. This means you can have 2 mail gateways (for load balancing or failover). In this mode of operation, the settings and policies applied on one gateway are synchronized with another and vice versa (similar to the stack of switches).

Proxmox Mail Gateway also out of the box allows you to make a cluster of several node An analogy is a cluster in PVE, where multiple physical hypervisors can be clustered together.

The setup is tritely simple and takes place in the section Cluster. To set up the association of PMG nodes into a cluster, you must:

  1. Create a cluster on the master node (press the button Create) and wait for the operation to complete;

Create a cluster
Create a cluster
  1. Click on the button on the master node Add and copy to yourself IP address and Fingerprint;

Fingerprint copying
Fingerprint copying
  1. On the node you want to add to the cluster, click the button Join and enter IP Address, Password and Fingerprintcopied from the master node.

Adding a node to a cluster
Adding a node to a cluster

The cluster is ready. Now the settings applied on one of the nodes will be applied on the other. It’s simple, isn’t it?

Working cluster of two nodes
Working cluster of two nodes

Outcome

And it’s all? Certainly, Yes no. This article is designed to introduce you to such a wonderful, in my opinion, solution as Proxmox Mail Gateway. Course up Cisco ESA he is still far away, but from what he offers open source – This top. The settings given in the article only allow you to prepare PMG to forward messages from an external sender to an internal mail server and vice versa. As I said at the very beginning, the beauty of this solution is that it is ready to fight spam out of the box, with minimal setup costs. The main task of tuning comes down to “direction” mail traffic through the mail gateway. The beauty of this solution is that under the hood Debian with Postfix, SpamAssassin, ClamAV, OpenDKIM etc., which already interact with each other. All you have to do is tweak the rules and policies. If there are not enough opportunities from the webcam, we climb SSH on PMG, install packages, configure files, dance with a tambourine – everything is in your hands, everything we love. And, of course, reading the documentation. PMG has its own utilities for managing policies, as well as the Rest API.

Don’t forget to set your SMTP server (MTA) as relay – PMG with port 26, to send all mail out through the gateway. Also don’t forget to set NAT on your edge equipment to external IP with port 25 pointed to port 25 of the PMG. Dare!

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *