Proxmox Mail Gateway Administration Guide 5/21/2010 MailGatewayAdminGuide-V3.1.doc
Proxmox Server Solutions GmbH reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the latest version of this document, which is available from http://www.proxmox.com.

NOTE: A license to the Proxmox Software usually includes the right to product updates for one (1) year from the date of purchase. Maintenance can be renewed on an annual basis.

All other product or company names different from Proxmox may be trademarks or registered trademarks of their owners.

Copyright 2010 Proxmox Server Solutions GmbH. All rights reserved. No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the express prior written consent of Proxmox.

21.05.2010 Proxmox Server Solutions GmbH 2 51
Table of Contents

1 What is Proxmox Mail Gateway? ... 5
2 Quick Start Guide ... 5
3 Planning for Deployment ... 6
3.1 Easy integration into existing e-mail server architecture ... 6
3.1.1 Filtering Outgoing E-mails ... 6
3.2 Firewall settings ... 7
3.3 System requirements ... 7
3.3.1 Minimum system requirements ... 8
3.3.2 Recommended system requirements ... 8
3.3.3 High performance system ... 8
3.4 Compare the Proxmox Mail Gateway editions ... 8
3.4.1 Proxmox Mail Gateway Free Version ... 8
3.4.2 Proxmox Mail Gateway Standard Versions ... 8
3.4.3 Proxmox Mail Gateway Professional ... 9
3.4.4 Proxmox Mail Gateway HA Cluster ... 9
3.4.5 EDU, GOV and Non-Profit Organization Licensing ... 9
3.5 Steps to get your Proxmox up and running ... 9
4 Installing Proxmox Mail Gateway ... 10
4.1 Complete installation in 3 to 5 minutes ... 10
4.2 Software RAID ... 10
4.2.1 Differences between RAID systems ... 10
4.3 Proxmox Mail Gateway Virtual Appliance editions ... 11
4.3.1 VMware ... 11
4.3.2 Proxmox VE ... 11
4.3.3 OpenVZ ... 11
5 Getting started with Mail Gateway ... 12
5.1 Web interface ... 12
5.2 Upload license file ... 13
5.2.1 High performance system ... 13
5.3 Configuration ... 13
5.3.1 System ... 14
5.3.2 Mail Proxy ... 15
5.3.3 Spam Detector ... 17
5.3.4 Virus Detector ... 19
5.3.5 User Management ... 20
5.3.6 Cluster ... 21
5.3.7 License ... 21
5.4 Mail Filter ... 21
5.4.1 Rules ... 21
5.4.2 Actions ... 22
5.4.3 Who ... 23
5.4.4 What ... 24
5.4.5 When ... 24
5.5 Administration ... 25
5.5.1 Server ... 25
5.5.2 Statistic ... 25
5.5.3 Quarantine ... 25
5.5.4 Tracking Center ... 29
5.5.4.2 Real-time ... 31
5.5.4.3 Greylist log ... 31
5.5.5 Queues ... 31
6 LDAP Integration (Professional Version or LDAP Option) ... 33
6.1 Creating a new LDAP Profile ... 33
6.2 LDAP queries ... 34
6.3 Sample LDAP rules ... 35
7 Example Mail server configuration (Outgoing Mails) ... 35
7.1 Configuration for Microsoft Exchange ... 35
7.2 Configuration for Postfix ... 37
8 Example rules ... 38
9 Redundant Servers and Load Balancing ... 38
9.1 Hot Standby with Backup MX Records ... 38
9.2 Load Balancing with MX Records ... 38
9.3 Other ways ... 39
9.3.1 Multiple Address Records ... 39
9.3.2 Using Firewall features ... 39
10 Proxmox HA Cluster ... 40
10.1 Hardware requirements ... 40
10.2 Required Licenses ... 41
10.3 Load Balancing ... 41
10.4 Cluster Administration ... 41
10.4.1 Creating a Cluster ... 41
10.4.2 List Cluster Status ... 41
10.4.3 Adding Cluster Nodes ... 41
10.4.4 Deleting Nodes ... 42
10.5 Disaster recovery ... 42
10.5.1 Single Node Failure ... 42
10.5.2 Master Failure ... 42
10.5.3 Total Cluster failure ... 42
11 Troubleshooting and technical support ... 43
11.1 Console login ... 43
12 Table of figures ... 44
13 Appendix ... 45
13.1 Available macros for rule system ... 45
13.2 Individual SpamAssassin configuration ... 45
13.3 Customized daily spam reports ... 45
13.4 Using Regular Expressions ... 46
13.4.1 Simple Regular Expressions ... 46
13.4.2 Metacharacters ... 46
13.4.3 References ... 47
13.5 Managing Software RAID ... 47
13.5.1 Repair boot-loader (grub) on Software Raid ... 47
13.6 Backup considerations ... 49
13.6.1 Scheduled Backup ... 49
13.6.2 Backup via console ... 49
13.6.3 Restore via console ... 50
13.6.4 Bacula client (http://www.bacula.org) ... 50
13.7 Avira SAV Antivirus Integration ... 50
13.8 SSL Certificate ... 50
13.9 Port Scans (nmap) ... 51
1 What is Proxmox Mail Gateway?

E-mail security begins at the gateway by controlling all incoming and outgoing e-mail messages. Proxmox Mail Gateway addresses the full spectrum of unwanted e-mail traffic, focusing on spam and virus detection. Proxmox Mail Gateway provides a powerful and affordable server solution to eliminate spam and viruses and to block undesirable content from your e-mail system. All products are self-installing and can be used without deep knowledge of Linux.

Figure 1-1 Processing of incoming e-mail traffic

2 Quick Start Guide

Experienced users can use this guide for a quick installation. For detailed instructions please read the whole documentation.

1. Burn the downloaded ISO image to a CD
2. Boot from this CD on your dedicated hardware (see 3.3 System requirements)
3. Follow the instructions on the graphical screen. All existing data on your hard disk will be lost!
4. After reboot, go to your desktop PC and point your browser (Internet Explorer or Firefox) to the given IP address.
5. Upload the license file and change the root password
6. Check the Proxmox IP configuration
7. Select the time zone and save
8. Check your firewall settings (see 3.2 Firewall settings)
9. Configure Proxmox to forward the incoming SMTP traffic to your mail server (Configuration/Mail Proxy/Default Relay). The Default Relay is your mail server.
10. Configure your mail server to send all outgoing messages through your Proxmox (Smart Host, port 26), see 3.1.1 Filtering Outgoing E-mails

For detailed deployment scenarios see the Proxmox Mail Gateway Deployment Guide.
3 Planning for Deployment

3.1 Easy integration into existing e-mail server architecture

In this sample configuration, your e-mail traffic (SMTP) arrives on the firewall and is directly forwarded to your e-mail server.

Figure 3-1 Infrastructure without Proxmox Mail Gateway

Using the Proxmox solution, all your e-mail traffic is forwarded to the Proxmox Mail Gateway, which filters the whole e-mail traffic and removes unwanted e-mails. You can manage incoming and outgoing mail traffic.

Figure 3-2 Infrastructure with integrated Proxmox Mail Gateway

3.1.1 Filtering Outgoing E-mails

Many e-mail filter solutions do not scan outgoing mails. In contrast, Proxmox Mail Gateway is designed to scan both incoming and outgoing e-mails. This has two major advantages:

1. Proxmox is able to detect viruses sent from an internal host. In many countries you are liable for viruses sent to other people. The Proxmox outgoing e-mail scanning feature is an additional protection against that.
2. Proxmox can gather statistics about outgoing e-mails too. Statistics about incoming e-mails look nice, but on their own they are quite useless. Consider two users: user-1 receives 10 e-mails from news portals and wrote 1 e-mail to a person you have never heard of, while user-2 receives 5 e-mails from a customer and sent 5 e-mails back. Which user do you consider more active? I am sure it's user-2, because he communicates with your customers. The Proxmox advanced address statistics can show you this important information. A solution which does not scan outgoing e-mail cannot do that.

To enable outgoing e-mail filtering you just need to send all outgoing e-mails through your Proxmox Mail Gateway (usually by specifying Proxmox as smarthost on your e-mail server, see chapter 7 Example Mail server configuration (Outgoing Mails)).

3.2 Firewall settings

In order to pass e-mail traffic to the Proxmox Mail Gateway you need to open the SMTP port. Our servers also use the Network Time Protocol (NTP) for time synchronization, RAZOR, DNS and HTTP.

| Service | Port | Protocol | From     | To         |
|---------|------|----------|----------|------------|
| SMTP    | 25   | TCP      | Proxmox  | Internet   |
| SMTP    | 25   | TCP      | Internet | Proxmox    |
| NTP     | 123  | TCP/UDP  | Proxmox  | Internet   |
| RAZOR   | 2703 | TCP      | Proxmox  | Internet   |
| DNS     | 53   | TCP/UDP  | Proxmox  | DNS Server |
| HTTP    | 80   | TCP      | Proxmox  | Internet   |

The outgoing HTTP connection is mainly used for virus pattern updates, and can be configured to use a proxy instead of a direct internet connection. You can use the nmap utility to test your firewall settings (see chapter 13.9).

3.3 System requirements

Proxmox needs a dedicated PC or server hardware.
Proxmox can also run as a Virtual Appliance:

- VMware (Player, Workstation, Server 1 and 2, Virtual Infrastructure (ESX, ESXi and vSphere))
- Proxmox VE (http://pve.proxmox.com)
- KVM
- OpenVZ
- Citrix XenServer (fully virtualized)

Known to work but not recommended:

- Hyper-V
- Xen (fully virtualized)
- VirtualBox
- Parallels Server

Please see http://www.proxmox.com for details.
Please check our website for a list of certified hardware. In order to get a benchmark from your hardware, just run proxperf after installation.

Note: All existing data on the hard disk will be lost during the installation!

3.3.1 Minimum system requirements

- Pentium 4 class PC, at least 2 GHz
- 512 MB RAM
- Bootable CD-ROM drive (external USB drives are also supported)
- 1024x768 capable VGA/monitor for the installer
- Hard disk 8 GB, ATA/SATA/SCSI
- 10/100 Mbps network interface card

3.3.2 Recommended system requirements

- Dual/quad core PC/server
- 1024 MB RAM or better
- Bootable CD-ROM drive (external USB drives are also supported)
- 1024x768 capable VGA/monitor for the installer
- Hard disk 36 GB SATA/SCSI/SAS or better; hardware RAID, or ATA/SATA/SAS software RAID. RAID controllers need a write cache with battery backup module for best performance
- 100 Mbps network interface card

3.3.3 High performance system

- Two Intel Xeon quad core CPUs
- 4 GB RAM
- Bootable CD-ROM drive (external USB drives are also supported)
- 1024x768 capable VGA/monitor for the installer
- SAS/SCSI 15k rpm hard disks, hardware RAID with write cache enabled and battery backup module
- 100 Mbps network interface card

3.4 Compare the Proxmox Mail Gateway editions

Proxmox Mail Gateway must be licensed for the number of relaying domains. For example, if you run a mail server receiving e-mails for three domains (e.g. domain.net, domain.com, domain.at), then you need the three domain version. All editions are for unlimited users.

Note: Please see www.proxmox.com for details.

If you would like more features than offered with your license, you can always upgrade by buying an upgrade license, without reinstallation.

3.4.1 Proxmox Mail Gateway Free Version

The free version is completely free of charge for private and commercial use and supports one domain with unlimited users. There are some functional limitations, which are described on http://www.proxmox.com.

3.4.2 Proxmox Mail Gateway Standard Versions

Standard versions are available for one, three, five and unlimited domains.
If you need to query MS Active Directory, an optional LDAP connector for one, three and five domains can be purchased.

3.4.3 Proxmox Mail Gateway Professional

This edition is intended to meet the demands of complex and high performance installations. This license provides the highest flexibility and performance (relayed domains can be edited on the web interface, LDAP integration, etc.).

3.4.4 Proxmox Mail Gateway HA Cluster

The Proxmox HA Cluster consists of a master and several nodes (minimum one node). Configuration is done on the master. Configuration and all data are synchronized to all cluster nodes over a VPN tunnel. This provides the following advantages:

- centralized configuration management
- fully redundant data storage without the need for an expensive SAN
- high availability
- high performance
- runs also in virtualization environments

The Proxmox HA Cluster uses a unique application level clustering scheme, which provides extremely good performance. Special considerations were taken to make management as easy as possible. Complete cluster setup is done within minutes, and nodes automatically reintegrate after temporary failures without any operator interaction.

3.4.5 EDU, GOV and Non-Profit Organization Licensing

To purchase Proxmox EDU/GOV/Non-Profit licenses, Proxmox must have proof of eligible status. Please attach information regarding your eligibility to an e-mail and send it to office@proxmox.com. Once the information is validated, we will reply as soon as possible.

Qualified organizations: universities, schools, governmental organizations, NGOs, etc.

Currently, the following licenses are available for a reduced price:

- Proxmox Mail Gateway Professional
- Proxmox Mail Gateway HA Cluster

3.5 Steps to get your Proxmox up and running

- Download the ISO image and burn it on a CD
- Boot from the CD and start the automatic installer on your dedicated hardware
- Request a license
- Configure the Proxmox Mail Gateway via the web interface

If the installation succeeds, you have to route all your incoming and outgoing e-mail traffic to the Mail Gateway. For incoming traffic you have to configure your firewall, for outgoing traffic your existing e-mail server configuration.

There is one ISO image for download covering all versions; the available features depend on the uploaded license file. Download from http://www.proxmox.com
4 Installing Proxmox Mail Gateway

4.1 Complete installation in 3 to 5 minutes

The installer boots from CD and detects your hardware without interaction. All Proxmox products are based on Linux packages and most i386 based PC and server hardware will work.

- Burn the downloaded ISO image to a CD
- Boot from this CD on your dedicated hardware
- Follow the instructions on the graphical screen

4.2 Software RAID

The installer supports hardware RAID and software RAID (mirroring). Please see chapter 13.5 Managing Software RAID for details.

Requirements: two hard drives

Note: If you have a hardware RAID controller, this option is NOT available.

4.2.1 Differences between RAID systems

| RAID type | Description | Examples |
|---|---|---|
| Hardware RAID | Hardware XOR engine, integrated memory, high-performance bus, optional battery backup and audio alarm, hot-swap drive support, ease of management and monitoring, write cache with battery backup | Intel SRCU41L (SCSI), Intel SRCS28X (SATA), LSI Logic MegaRAID (SCSI), HP Smart Array SCSI/SAS, Adaptec |
| Software RAID | Mirroring is done by the operating system | Supported by the Proxmox operating system |
| HostRAID (integrated in the main board) | It is NOT hardware RAID; do not activate this in the BIOS, use Proxmox Software RAID instead | Intel ICH7, ICH8, ICH9, ICH10; HP embedded SATA; LSI Logic integrated SATA RAID; Nvidia RAID |
Figure 4-1 Selecting Software RAID during installation

4.3 Proxmox Mail Gateway Virtual Appliance editions

Proxmox always needs a dedicated PC or server hardware. Alternatively, Proxmox can be run under VMware, Proxmox VE, OpenVZ, KVM, Xen and others. Proxmox delivers prebuilt Virtual Appliances for:

- VMware
- Proxmox VE
- OpenVZ

4.3.1 VMware

For all details see the deployment guide.

4.3.2 Proxmox VE

See the deployment guide.

4.3.3 OpenVZ

See the deployment guide.
5 Getting started with Mail Gateway

5.1 Web interface

After successful installation point your web browser to the IP address. Please use Microsoft Internet Explorer 6.0 or higher or Firefox 2.0 or higher, with JavaScript enabled.

| Web interface | Default user | Default password |
|---|---|---|
| https://youripaddress/ | root | admin |

Note: Please change the default password after successful log in!

Figure 5-1 Login page Proxmox Mail Gateway
5.2 Upload license file

There are several types of licenses:

- Free version, single domain (free for private and commercial use)
- Trial version (30 days functional, including full installation support)
- Standard Edition (for one, three, five, and unlimited mail domains)
- Professional Edition (unlimited domains with host locked license model)
- Proxmox HA Cluster (unlimited domains with host locked license model)

Note: To determine which license meets your requirements, check chapter 3.4.

5.2.1 High performance system

- Two Intel Xeon quad core CPUs
- 4 GB RAM
- Bootable CD-ROM drive (external USB drives are also supported)
- 1024x768 capable VGA/monitor for the installer
- SAS/SCSI 15k rpm hard disks, hardware RAID with write cache enabled and battery backup module
- 100 Mbps network interface card

Compare the Proxmox Mail Gateway editions. Please visit www.proxmox.com to get a license. Without a valid license, the Mail Gateway will not process any e-mail.

5.3 Configuration

Figure 5-2 Start page Proxmox Mail Gateway after log in
Note: By clicking these symbols available on the configuration interface a dropdown menu is

5.3.1 System

Network
  Review your IP configuration and complete all settings.

Time
  Review or update your NTP server settings and time zone. Check if your firewall allows you access to the NTP server.

Backup
  Backup your system configuration and rule database to a file (a few KBytes). Statistical data will not be saved via the web interface, only via scheduled backup! Configure scheduled backups to FTP or a Windows share.
  Note: see chapter 13.6 Backup considerations

Restore
  Reset your rule settings to factory defaults. Restore your system settings and rules from a valid backup. Backup/Restore only works between the same versions (e.g. you cannot restore a backup from a 2.0 to a 2.1).

Reports
  Enable or disable daily reports to the given e-mail address. Enable or disable the Advanced Statistic Filter (default is disabled).
  Note: The Advanced Statistic Filter only works if you filter outgoing e-mails. If you enable Advanced Statistics, the Statistics/Domain-Address/Receivers page shows only receivers who sent e-mails within the last 3 months (so only active receivers are displayed). The Statistics/Domain-Address/Contacts page shows only recipients to whom internal users have sent one or more e-mails within the last 3 months. See 3.1.1 Filtering Outgoing E-mails.

Syslog Server
  Define a remote syslog server (sending syslog entries to a centralized server).

Language
  Define the default language for the web interface and the daily reports (currently supported: English, German, Spanish, Portuguese (Brazilian), Italian, French).

SSH Access
  SSH access is restricted for external networks by default to increase security.
  Note: for remote support, all SSH connections from proxmox.com and aurer-it.com are allowed.

DNS Cache
  For details see the Mail Gateway Deployment Guide.

5.3.2 Mail Proxy

Relaying
  IP address (or FQDN) and SMTP port of your existing e-mail server.

Relayed domains
  List of relayed mail domains (information displayed from the uploaded license file). If you need more mail domains, upgrade your license.
  Note: If you use a Professional License, you can edit this list.

Ports
  Review the external (default 25) and internal (default 26) SMTP port. Check these settings against your firewall and existing e-mail server.

Options
  Set the maximum message size for e-mails in bytes.
  Reject Unknown Clients: Reject the SMTP request when 1) the client IP address->name mapping fails, 2) the name->address mapping fails, or 3) the name->address mapping does not match the client IP address.
  Reject Unknown Senders: Reject the request when the MAIL FROM address has no DNS A or MX record.
  Note: If you enable these features, a lot of misconfigured mail servers cannot send mails to your system anymore; please use with care.

SMTP HELO checks
  The following checks are performed:
  - smtpd_helo_required: Require that a remote SMTP client introduces itself at the beginning of an SMTP session with the HELO or EHLO command.
  - reject_non_fqdn_hostname: Reject the request when the HELO or EHLO hostname is not in fully-qualified domain form, as required by the RFC.
  - reject_invalid_hostname:
  Reject the request when the HELO or EHLO hostname syntax is invalid.

Use RBL checks
  Use real-time blacklist checks on SMTP level.

Verify Receivers
  Select Yes or No (450 for temporary rejects or 550 for final rejects).
  Note: You have to reconfigure your internal mail server if you use Yes. For details see the Proxmox Mail Gateway Deployment Guide in the latest release.

Greylisting
  Enable or disable greylisting, default enabled.

SPF
  Enable or disable SPF (Sender Policy Framework), default enabled.

Delay Warning Time
  4 hours default.

Client Connection Count Limit (5 is default)
  How many simultaneous connections any client is allowed to make to the SMTP service. To disable this feature, specify a limit of 0.

Client Connection Rate Limit
  The maximal number of connection attempts any client is allowed to make to this service per minute. To disable this feature, specify a limit of 0.

Client Message Rate Limit
  The maximal number of message delivery requests that any client is allowed to make to this service per minute. To disable this feature, specify a limit of 0.

SMTPD Banner
  Type your custom SMTP banner.

Smarthost
  Use this option if you want to send all outgoing mails via another proxy (smarthost). You can use IP addresses or DNS names with an optional port specification, for example:
  192.168.2.1
  192.168.2.1:25
  outproxy.domain.tld:26

Transports
  You can use Proxmox Mail Gateway to send e-mails to different internal e-mail servers. For example you can send e-mails addressed to domain.com to your first e-mail server, and e-mails addressed to subdomain.domain.com to a second one.
  Note: you need an appropriate license for each domain, otherwise it will not work!
  Add the IP addresses, hostnames and SMTP ports and the mail domains (or just single e-mail addresses) of your additional e-mail servers.
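The three "Reject Unknown Clients" cases, the "Reject Unknown Senders" rule and the HELO checks described above are the settings most likely to refuse legitimate but misconfigured senders, so it helps to see exactly what each one tests. The following Python is an added example written for this guide, not Proxmox code: it replaces real DNS with constructed in-memory tables (RFC 5737 documentation addresses and example.* names), and the function names, the fixed check order and the "accept"/"reject:" verdict strings are assumptions of the example.

```python
import ipaddress
import re

# Constructed lookup tables standing in for the DNS; documentation addresses
# (RFC 5737) and example names only, not real hosts.
PTR = {                                   # reverse (IP -> name) records
    "192.0.2.10": "mx1.example.net",      # forward and reverse agree
    "192.0.2.11": "ghost.example.org",    # forward record points elsewhere
    "192.0.2.13": "orphan.example.org",   # name has no A record at all
    # 192.0.2.12 has no PTR record
}
A = {                                     # forward (name -> addresses) records
    "mx1.example.net": ["192.0.2.10"],
    "ghost.example.org": ["198.51.100.5"],
    "example.com": ["192.0.2.20"],
}
MX = {"example.com": ["mx1.example.net"]}


def reject_unknown_client(client_ip):
    """'Reject Unknown Clients': the three failure cases listed in the guide.
    Returns None when the client passes, otherwise the reason."""
    name = PTR.get(client_ip)
    if name is None:
        return "client IP address->name mapping fails"
    addrs = A.get(name)
    if not addrs:
        return "name->address mapping fails"
    if client_ip not in addrs:
        return "name->address mapping does not match the client IP address"
    return None


def reject_unknown_sender(mail_from):
    """'Reject Unknown Senders': the MAIL FROM domain needs an A or MX record.
    The null sender used by bounces carries no domain and is let through."""
    addr = mail_from.strip("<>")
    if addr == "":
        return None
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain in A or domain in MX:
        return None
    return "MAIL FROM address has no DNS A or MX record"


LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")   # one DNS label


def helo_check(helo):
    """smtpd_helo_required, reject_invalid_hostname and reject_non_fqdn_hostname."""
    if helo is None:
        return "HELO/EHLO required"
    if helo.startswith("[") and helo.endswith("]"):
        try:                               # address literal such as [192.0.2.10]
            ipaddress.ip_address(helo[1:-1])
            return None
        except ValueError:
            return "HELO hostname syntax is invalid"
    labels = helo.rstrip(".").split(".")
    if not all(LABEL.match(label) for label in labels):
        return "HELO hostname syntax is invalid"
    if len(labels) < 2:
        return "HELO hostname is not fully qualified"
    return None


def smtp_verdict(client_ip, helo, mail_from):
    """Apply the three restriction groups in order; the first failure wins."""
    for reason in (reject_unknown_client(client_ip),
                   helo_check(helo),
                   reject_unknown_sender(mail_from)):
        if reason is not None:
            return "reject: " + reason
    return "accept"
```

Running `smtp_verdict("192.0.2.11", "mx1.example.net", "user@example.com")` rejects the session because the name found in reverse DNS resolves to a different address, which is exactly the class of mismatch the guide's warning is about: a server with a stale or missing PTR record is refused before any content filtering runs, so enable these options only after checking the logs for senders you want to keep.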
Networks
  Add internal (trusted) IP networks or hosts. All hosts in this list are allowed to relay.
  Note: Hosts in the same subnet as Proxmox can relay by default and it is not necessary to add them to this list.

TLS
  TLS support: Transport Layer Security (TLS) provides certificate-based authentication and encrypted sessions. An encrypted session protects the information that is transmitted with SMTP mail. When you activate TLS, Proxmox automatically generates a new self-signed certificate for you. Proxmox Mail Gateway uses opportunistic TLS encryption: the SMTP transaction is encrypted if the STARTTLS ESMTP feature is supported by the server. Otherwise, messages are sent in the clear.
  Enable TLS logging: To get additional information about SMTP TLS activity you can enable TLS logging. That way information about TLS sessions and used certificates is logged via syslog.
  Add TLS received header: Set this option to include information about the protocol and cipher used as well as the client and issuer CommonName in the "Received:" message header.

Figure 5-3 Enable TLS (Transport Layer Security)

Whitelist (formerly Greylist excl.)
  SMTP whitelist: All SMTP checks are disabled for those entries (e.g. greylisting, SPF, RBL, ...).
  Note: If you use a backup MX server (e.g. your ISP offers this service for you) you should always add those servers.

5.3.3 Spam Detector

Proxmox Mail Gateway uses a wide variety of local and network tests to identify spam signatures. This makes it harder for spammers to identify one aspect which they can craft their messages to work around.
Every single e-mail will be analyzed and gets a spam score assigned. The system attempts to optimize the efficiency of the rules that are run in terms of minimizing the number of false positives and false negatives.

Note: For detailed spam configuration, see also chapter 5.4 Mail Filter.

Options
  Use auto-whitelists
  Use Bayesian filter
  Use Advanced Tests: additional spam detection tests, enabled by default.
  Use Razor Network
  Note: Please make sure that your Proxmox can access DCC and Razor; see chapter 13.9 Port Scans (nmap) for testing this.
  Use RBL checks: Enabling this checks the following RBL lists to analyse e-mails against black lists (rule system level, gives higher scores).
  Note: For high traffic sites and if you need to provide quality of service, please use the local RBL cache; see the Proxmox Mail Gateway Deployment Guide in the latest release.
  Use OCR: Use image recognition to detect spam messages inside images. OCR is CPU intensive; please do not activate it if your server is already under heavy load.
  By default, all features are enabled except OCR.

Languages
  By default, all languages are enabled. Selecting languages means you prefer those. E-mails in unwanted languages get a higher spam score.

Quarantine Lifetime (days)
  Specify the lifetime of quarantined e-mails.

Authentication mode
  Choose how users access their spam quarantine. Ticket is the default. If you select LDAP, make sure you have a license for LDAP and a configured LDAP profile (connection to MS Active Directory).

Report style
  - Verbose
  - Verbose (Outlook 2007)
  - Short
  - Custom (see 13.3 Customized daily spam reports)
  - No reports
Allow access via http
  Enables access to the spam quarantine via http. If you do not select this, access is only via https.
  Note: If you use https, consider uploading a valid certificate, see chapter 13.8 SSL Certificate.

Quarantine Host (optional)
  This name will be used for the links to the quarantine.

EMail 'From:' (optional)
  Default value: Proxmox Mail Gateway <postmaster@yourdomain.tld>
  Please enter only values in the following format: Name <youremail@yourdomain.com>

Mail preview settings
  View images: Enable images in the preview (disable to speed up the system).
  Allow HREFs: Enables links in the mail preview (disable to get a more secure preview).

Backscatter
  What are backscatter e-mails? When spammers or worms send e-mails with forged sender addresses, sites are flooded with undeliverable mail notifications. These e-mails are called backscatter e-mails.
  Bounce message score (0 means disabled): Define the spam score for detected backscatter.
  Whitelist bounce relays: Add your valid bounce relays.
  Note: Please test your settings and review your quarantine to check for false positives.

Theme
  Customize the end user quarantine interface, upload a custom logo. The theme is only visible on this part "Configuration/Spam Detector/Theme" and on the end users' spam quarantine web interface. It does not change the style of the admin interface.
  Note: If you change anything, please reload the site in the browser to see the changes.

5.3.4 Virus Detector

Proxmox uses the following antivirus engines:
- ClamAV (default), no additional license required
- Kaspersky AV, you have to purchase an additional license; see http://www.proxmox.com for details. Kaspersky AV End of Sale: existing customers will be supported until 11/2010.

Review and select the database update server. Click save. After you have saved your settings, click update now and check the output log file.
Note: The first update can take considerably long, depending on your network connection and the update servers.
Go to Administration/Server and start the AVEServer service. The database will now be regularly updated (several times a day); you don't have to configure the update schedule.

Avira SAV
  Click update now and check the output log file.
  Note: You need to purchase an Avira SAV for PMG license, contact your Proxmox Partner for details.

ClamAV
  Review the database update server. Click update now and check the output log file. The database will be regularly updated (several times a day); you don't have to configure the update schedule.

Options
  Review the settings for dealing with archives (e.g. zip files). If you have no direct connection to the web for updates, you can configure your proxy server to get antivirus database updates.
  Max credit card numbers (new data loss prevention, DLP): Detect credit card numbers (a reasonable setting is 3, 0 means disabled). If an e-mail contains 3 credit card numbers it gets detected.

HTTP Proxy Settings
  Configure an HTTP proxy for accessing the internet for signature updates.

Quarantine Lifetime (days)
  Specify the lifetime of quarantined virus e-mails.

Mail preview settings
  View images: Enable images in the preview (if you uncheck this, images are not downloaded and displayed).
  Allow HREFs: Enables links in the mail preview (disable to get a more secure preview).

5.3.5 User Management

Local
  Local User Database: Default is the root (super user) account.
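The "Max credit card numbers" option in the Virus Detector settings above is a counting threshold, and how a detector arrives at that count decides how many false positives a mailbox full of order numbers and phone numbers produces. The Python below is an added example for this guide, not Proxmox code and not a description of how PMG's own DLP check is implemented: it extracts digit groups of plausible length, keeps only those that pass the Luhn check, de-duplicates them and compares the count against the configured maximum; the function names, the 13 to 19 digit window and the sample message are assumptions of the example, and the card numbers in it are the publicly known test values.

```python
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to further digits on either side.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 check that payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return the distinct Luhn-valid card numbers found in text, in order."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found


def dlp_verdict(text, max_cards=3):
    """Mirror the option's semantics: 0 disables the check, otherwise the mail
    is flagged once it carries max_cards distinct card numbers or more."""
    if max_cards == 0:
        return False, []
    cards = find_card_numbers(text)
    return len(cards) >= max_cards, cards


# Constructed sample body: three Luhn-valid test numbers, a phone number that is
# too short to qualify, and one mistyped number that fails the checksum.
SAMPLE = (
    "Order summary: card 4111 1111 1111 1111, backup card 5500-0000-0000-0004 "
    "and 4242424242424242. Phone +1 555 0100 1234, ref 4111111111111112."
)
```

With the default of 3, `dlp_verdict(SAMPLE)` flags the sample because three distinct valid numbers are present; raising the maximum to 4 lets the same message through, and the mistyped number and the phone number never count. The Luhn filter is what keeps long invoice or tracking numbers from inflating the count, which is why a plain digit-run regex is not enough for this kind of check.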
  Enable SSH login (insert allowed SSH public keys).
  Note: A Restore Job does not change (restore) the password!
  The root user can add local users. The following roles can be assigned:
  - Administrator (full access to the web interface)
  - Quarantine Manager (access to Spam and Virus quarantine)
  - Audit (read only)

LDAP
  LDAP Integration: See chapter 6 LDAP Integration (Professional Version or LDAP Option).

POP
  POP3 support. Messages fetched from those POP3 accounts are injected into the filter system.

5.3.6 Cluster

Status
  See the status of all nodes. For cluster configuration details see chapter 10 Proxmox HA Cluster.

5.3.7 License

Check your license information or upload a new license file. Displayed information: License Nr., Company Name, Product, Expires.

5.4 Mail Filter

The following default settings are available. You can add or edit custom settings by clicking on the symbols.

5.4.1 Rules

The object-oriented rule system enables custom rules for your domains. It is an easy but very flexible way to define filter rules by user, domain, time frame, content type and resulting action.

Categories and examples:
- Who object (for TO and/or FROM): Who is the sender or receiver of the e-mail?
- When object: When is the e-mail received by Proxmox Mail Gateway?
- What object: Does the e-mail contain spam?
- Action object: Mark the e-mail with SPAM: in the subject.

Every rule has got 5 categories (FROM, TO, WHEN, WHAT, ACTION) which can contain several objects. For example, a virus protection rule looks like this:

FROM: Anybody
TO: Anybody
WHEN: Always
WHAT: Virus
ACTION: Block

Active Rules
  Currently active rules.

Inactive Rules
  Not active. New rules are always inactive; you have to set them active manually by clicking the symbol.

Priority
  Set the processing order between 1 and 100. The highest priority is 100.

Direction
  Set the processing direction.
  - In: rule applies to all incoming e-mails
  - Out: rule applies to all outgoing e-mails
  - In & Out: rule applies to both directions

5.4.2 Actions

Accept
  Accept mail for delivery (final action, no following rule will trigger).

Block
  Block mail (final action, no following rule will trigger).

Quarantine
  Move to quarantine (virus mails are moved to the virus quarantine, other mails are moved to the spam quarantine); final action, no following rule will trigger.

Notify Admin
  Send notification to admin. Sample content:
  Proxmox Notification:
  Sender: SENDER
  Receiver: RECEIVERS
  Targets: TARGETS
  Subject: SUBJECT
  Matching Rule: RULE
  RULE_INFO
  VIRUS_INFO
  SPAM_INFO

Notify Sender
  Send notification to sender.
  Sample content:
  Proxmox Notification:
  Sender: SENDER
  Receiver: RECEIVERS
  Targets: TARGETS
  Subject: SUBJECT
  Matching Rule: RULE
  RULE_INFO
  VIRUS_INFO
  SPAM_INFO

Modify Spam Level
  Mark mail as spam by adding a header tag. Sample content:
  Fieldname: X-SPAM-LEVEL
  Value: SPAMLEVEL, hits= SPAM_HITS
  New in 2.0: use the following instead of (SPAMLEVEL, hits= SPAM_HITS):
  Value: SPAM_INFO
  This shows detailed scores.

Modify Spam Subject
  Mark mail as spam by modifying the subject. Sample content:
  Fieldname: subject
  Value: SPAM: SUBJECT

Remove attachments
  Remove all attachments: you can edit the text replacement.
  Remove matching attachments: you can edit the text replacement.

Disclaimer
  Add disclaimer.

5.4.3 Who

Blacklist
  Global blacklist.

Whitelist
  Global whitelist.

User defined
  Define custom WHO objects, possible values:
  - Add Domain
  - Add Mail address
  - Add Regular Expression
  - Add IP Address
  - Add IP Network
                    - Add LDAP Group: see chapter 6 LDAP Integration (Professional Version or LDAP Option)
                    - Add LDAP User: see chapter 6 LDAP Integration (Professional Version or LDAP Option)

5.4.4 What

Dangerous Content   Executable files and partial messages
Images              All kinds of graphic files
Multimedia          Audio and video files
Office Files        Common Office files

The default list contains the most common known dangerous attachments.

Spam                Matches possible spam mail. Spam Filter Settings: Spam Level: 5 (default). Note: Start with the default level.
Virus               Matches virus infected mail
Custom              You can define custom WHAT objects by adding the following items:
                    - Add Spam Filter: specify a specific spam level
                    - Add Virus Filter: detect viruses
                    - Add ContentType Filter: match attachments (e.g. images, videos, ...)
                    - Add Archive Filter: match content types (attachments) in archive files (e.g. detect exe files in zip archives)
                    - Add Match Field: match mail header fields (e.g. Subject:, From:, ...)
                    - Add Match Filename: match filenames, e.g. *.exe, *.bat, ...

5.4.5 When

Office Hours        Usual office hours. Note: valid on all days (7 days a week).
5.5 Administration

5.5.1 Server

Services    Displays running services. If necessary you can reboot and shut down the Proxmox server.
Updates     Upload Proxmox service packs, if available. Check http://www.proxmox.com for available updates and make sure you follow the update instructions in the release notes of each service pack or hotfix.

5.5.2 Statistic

These pages display statistical data concerning e-mail traffic on the Proxmox Mail Gateway.

5.5.3 Quarantine

Manage the Spam and Virus quarantine.

Note: By default, the quarantine is not activated. To activate the end user quarantine you have to:

1. Review the global settings for:
   - Configuration/Spam detector/quarantine
   - Configuration/Virus detector/quarantine
   - Review hard drive space
2. Activate or change the Spam and/or Virus rule with the action object Quarantine.
3. Tip: Quarantine can also be enabled on the free version (just add the action object Quarantine to the existing spam rule).

Spam
  Status      Displays statistical data about your quarantine
  Archive     By specifying an e-mail address, you can access the quarantine section for this user
  Blacklist   View and edit the personal blacklist
  Whitelist   View and edit the personal whitelist

Virus
  Status      Displays statistical data about your quarantine
  Archive
              By specifying an e-mail address, you can access the quarantine section for this user

Figure 5-4 Preview of a quarantined Spam e-mail
Figure 5-5 Preview of a quarantined Spam e-mail with spam info
Figure 5-6 Preview of a quarantined Phishing e-mail
5.5.4 Tracking Center

5.5.4.1 Message Tracking Center

Introduced in Proxmox Mail Gateway 2.1, the message tracking center simplifies the search for emails dramatically. All log files from the last 7 days can be queried and the results are summarized by an intelligent algorithm. The message tracking center is very fast and powerful, tested on Proxmox sites processing 1 million emails per day.

All corresponding log files are displayed:
- Arrival of the email
- Proxmox filtering processing with results
- Internal queue to your email server
- Status of final delivery

Status description:

Status              Description
Accepted/delivered  Email arrived, filtered, and successfully delivered to the email server
Accepted/deferred   Email arrived, filtered, but not delivered (still trying to deliver)
Accepted/bounced    Email arrived, filtered, but not accepted by your email server (e.g. user unknown)
Quarantine          Email arrived, filtered, and moved to the Proxmox quarantine
Blocked             Email arrived, but blocked by a filter rule
Rejected            Email rejected on SMTP level (e.g. sender IP is listed on a Spamhaus blacklist)
Greylisted          Email greylisted on SMTP level
Queued/delivered    Internal emails from Proxmox, successfully delivered to the email server (e.g. daily spam report, notifications, admin report, BCC emails, ...)
Queued/deferred     Internal emails from Proxmox, not yet delivered
Queued/bounced      Internal emails from Proxmox, but not accepted by the email server (e.g. user unknown)
Figure 5-7 Message Tracking Center

Figure 5-8 Message Tracking Center: RBL rejects (Spamhaus.org)
5.5.4.2 Real-time

The real-time syslog shows the last 100 lines. The output can be filtered by selecting the log files of a service or by entering an individual search string.

Figure 5-9 Real time log

5.5.4.3 Greylist log

Displays the greylist log. For message tracking issues use the search function in the message tracking center.

5.5.5 Queues

Mail    Displays the mail queue. You can flush or delete the queue. By clicking on a recipient domain you will see details about the queue status.
Figure 5-10 Display Mail Queue
6 LDAP Integration (Professional Version or LDAP Option)

The Mail Gateway can query existing LDAP directories for users, groups and e-mail addresses. Proxmox uses a unique approach to cache LDAP data. That way, LDAP data is always available, even when the LDAP servers are temporarily unavailable.

LDAP hierarchies can be complex, and it is quite usual to have more than one server. Proxmox supports such infrastructures by having multiple LDAP profiles. Each profile has its own settings, and you can query either a selected profile or simply search all profiles. LDAP queries use the local cache, so they are extremely fast, even when you query multiple servers.

You first need to create one or more LDAP profiles in order to use LDAP queries inside the rule system. Proxmox supports Microsoft Windows 2000 and Windows 2003 Active Directory, with Exchange 2000 and 2003.

6.1 Creating a new LDAP Profile

LDAP profiles are created on the Configuration/System/LDAP page. Please select "Create new LDAP profile" on the menu:

Figure 6-1 LDAP Server settings: Create new LDAP Profile 1

First, you need to choose a profile name. Profile names may contain alphanumeric characters, underscores and white spaces. Other characters are not allowed. A reasonable naming scheme is to use the domain name with its dots replaced by underscores (example.com becomes example_com).

Now add the IP address of your LDAP server. You can also add a second IP address if you have a backup/fallback server. That second server is used when the first server is not reachable.

We currently use the unencrypted LDAP protocol as default, but LDAPS is recommended for security reasons. So please use LDAPS (secure LDAP) if available.

The last required setting is a username and password used to connect to the LDAP server. We recommend using an unprivileged user who does not have any other rights than querying the LDAP database. Active Directory uses names like domain\user or email style usernames like user@domain.tld.
Although not strictly required, we recommend specifying the LDAP BaseDN.
Press save when you are finished.

Figure 6-2 LDAP Server settings: Create new LDAP Profile 2

Proxmox now tries to connect to the server. On success it will display the number of found users, groups and email addresses.

Figure 6-3 LDAP Server settings: Three profiles configured

6.2 LDAP queries

The object-oriented rule system enables LDAP based Who objects. There are two different kinds of LDAP objects:

LDAP user    Can be used to test if an email address belongs to a specific LDAP user (one LDAP user can have more than one email address).
LDAP group   Used to test if an email address belongs to a user in the specified group.

Both objects refer to LDAP profiles. That way you can query individual servers. The LDAP group object has 2 additional selections, Existing Users and Unknown Users. Those objects can be used to test if a user (e-mail address) exists or not.

6.3 Sample LDAP rules

Note: Please refer to the Proxmox Mail Gateway Deployment Guide for sample rules.

7 Example Mail server configuration (Outgoing Mails)

The default configuration of the Proxmox Mail Gateway uses port 25 for incoming and port 26 for outgoing e-mails.

Outgoing Mails: Configure your mail server to send all e-mails to the Proxmox Mail Gateway, port 26.
Incoming Mails: see 3.2 Firewall settings.

Please see the Proxmox Mail Gateway Deployment Guide for all scenarios.

7.1 Configuration for Microsoft Exchange

The default configuration of the Proxmox Mail Gateway uses port 25 for incoming and port 26 for outgoing e-mails. With Exchange SMTP connectors you can't use port 26 for outgoing (as this conflicts with the Exchange internal replication mechanism), so you have to switch these two values (25 and 26). In the end you have to use port 25 for outgoing and port 26 for incoming mails.

Figure 7-1 Exchange: Port settings for use with Exchange

IMPORTANT NOTE: To receive e-mails from the Internet you have to do port forwarding at your firewall, so that your external IP and port 25 are forwarded to the Proxmox Mail Gateway IP and port 26.
Figure 7-2 Exchange: SMTP Connector (Define smart host: Proxmox Mail Gateway)
Figure 7-3 Exchange: SMTP connector Address space

7.2 Configuration for Postfix

Just add a default_transport entry to your Postfix main configuration file (usually /etc/postfix/main.cf). For example, if your mail gateway uses the address 1.2.3.4, add the line:

    default_transport = smtp:1.2.3.4:26
8 Example rules

Proxmox uses a powerful rule system to handle e-mail traffic. The default setting is ready for use in the first run.

Note: Please refer to the Proxmox Mail Gateway Deployment Guide for sample rules.

9 Redundant Servers and Load Balancing

The normal mail delivery process looks up DNS Mail Exchange (MX) records to determine the destination host. An MX record tells the sending system where to deliver mail for a certain domain. It is also possible to have several MX records for a single domain; they can have different priorities. For example, our MX record looks like this:

    > dig -t mx proxmox.com
    ;; ANSWER SECTION:
    proxmox.com.            22879   IN      MX      10 mail.proxmox.com.
    ;; ADDITIONAL SECTION:
    mail.proxmox.com.       22879   IN      A       213.129.239.114

Please notice that there is one single MX record for the domain proxmox.com, pointing to mail.proxmox.com. The dig command automatically prints the corresponding address record if it exists. In our case it points to 213.129.239.114. The priority of our MX record is set to 10 (preferred default value).

9.1 Hot Standby with Backup MX Records

Many people do not want to install two redundant mail proxies; instead they use the mail proxy of their ISP as fallback. This is simply done by adding an additional MX record with a lower priority (higher number). With the example above this looks like this:

    proxmox.com.            22879   IN      MX      100 mail.provider.tld.

Of course, your provider must accept mails for your domain and forward received mails to you. You will never lose mails with such a setup, because the sending Mail Transport Agent (MTA) will simply deliver the mail to the backup server (mail.provider.tld) if the primary server (mail.proxmox.com) is not available.

9.2 Load Balancing with MX Records

Using your ISP's mail server is not always a good idea, because many ISPs do not use advanced spam prevention techniques like greylisting. It is often better to run a second server yourself to avoid lower spam detection rates.
Anyway, it's quite simple to set up a high performance load balanced mail cluster using MX records. You just need to define two MX records with the same priority. I will explain this using a complete example to make it clearer.

First, you need to have at least 2 working Proxmox mail gateways (mail1.example.com and mail2.example.com) set up as a cluster (see chapter 10 Proxmox HA Cluster), each having its own IP address. Let us assume the following addresses (DNS address records):
    mail1.example.com.      22879   IN      A       1.2.3.4
    mail2.example.com.      22879   IN      A       1.2.3.5

By the way, it is always a good idea to add reverse lookup entries (PTR records) for those hosts. Many email systems nowadays reject mails from hosts without valid PTR records.

Then you need to define your MX records:

    example.com.            22879   IN      MX      10 mail1.example.com.
    example.com.            22879   IN      MX      10 mail2.example.com.

This is all you need. You will receive mails on both hosts, more or less load-balanced using round-robin scheduling. If one host fails, the other is used.

9.3 Other ways

9.3.1 Multiple Address Records

Using several DNS MX records is sometimes clumsy if you have many domains. It is also possible to use one MX record per domain, but multiple address records:

    example.com.            22879   IN      MX      10 mail.example.com.
    mail.example.com.       22879   IN      A       1.2.3.4
    mail.example.com.       22879   IN      A       1.2.3.5

9.3.2 Using Firewall features

Many firewalls can do some kind of RR scheduling (round-robin) when using DNAT. See your firewall manual for more details.
10 Proxmox HA Cluster

We are living in a world where email becomes more and more important; failures in email systems are just not acceptable. To meet these requirements we developed the Proxmox HA (High Availability) Cluster.

The Proxmox HA Cluster consists of a master and several nodes (minimum one node). Configuration is done on the master. Configuration and data are synchronized to all cluster nodes over a VPN tunnel. This provides the following advantages:

- centralized configuration management
- fully redundant data storage
- high availability
- high performance

We use a unique application level clustering scheme, which provides extremely good performance. Special considerations were taken to make management as easy as possible. Complete cluster setup is done within minutes, and nodes automatically reintegrate after temporary failures without any operator interaction.

10.1 Hardware requirements

Figure 10-1 Proxmox HA Cluster

There are no special hardware requirements, although it is highly recommended to use fast and reliable servers with redundant disks (hardware RAID) on all cluster nodes. The HA Cluster can also run in virtualized environments.
10.2 Required Licenses

Each host in a cluster needs its own Cluster License file. Please upload the license file before adding a node to the cluster.

10.3 Load Balancing

You can use one of the mechanisms described in chapter 9 if you want to distribute mail traffic among the cluster nodes. Please note that this is not always required, because it is also reasonable to use only one node to handle SMTP traffic. The second node is then used as quarantine host (providing the web interface to the user quarantine).

10.4 Cluster Administration

Cluster administration is done with a single command line utility called proxca. So you need to log in via ssh to manage the cluster setup.

Note: Always set up the IP configuration before adding a node to the cluster. IP address, network mask, gateway address and hostname can't be changed later.

10.4.1 Creating a Cluster

You can create a cluster from any existing Proxmox host. All data is preserved.

- Upload a cluster licence.
- Make sure you have the right IP configuration (IP/MASK/GATEWAY/HOSTNAME), because you cannot change that later.
- Run:

    proxca -c

10.4.2 List Cluster Status

Run:

    proxca -l

10.4.3 Adding Cluster Nodes

When you add a new node to a cluster (join), all data on that node is destroyed. The whole database is initialized with cluster data from the master.

- Upload a cluster license to the node.
- Make sure you have the right IP configuration.
- Run (on the new node):

    proxca -a -h $MASTERIP

You need to enter the root password of the master host when asked for a password.

Attention: Node initialization deletes all existing databases, stops and then restarts all services accessing the database. So do not add nodes which are already active and receive mails. Also, joining a cluster can take several minutes, because the new node needs to synchronize all data from the master (although this is done in the background).

Note: If you join a new node, existing quarantined items from the other nodes are not synchronized to the new node.
10.4.4 Deleting Nodes

Run (on the master):

    proxca -d CID

CID (Cluster ID) is the unique ID displayed by proxca -l.

10.5 Disaster recovery

It is highly recommended to use redundant disks on all cluster nodes (RAID). So in almost any circumstances you just need to replace the damaged hardware or disk. Proxmox Mail Gateway uses an asynchronous clustering algorithm, so you just need to reboot the repaired node, and everything will work again transparently.

The following scenarios only apply when you really lose the contents of the hard disk.

10.5.1 Single Node Failure

- Delete the failed node on the master:

    proxca -d CID

- Add (re-join) a new node:

    proxca -a -h $MASTERIP

10.5.2 Master Failure

- Force another node to be master:

    proxca -m

- Tell the other nodes that the master has changed:

    proxca -s -h $MASTERIP

10.5.3 Total Cluster failure

- Restore the backup (cluster and node information is not restored; you have to recreate master and nodes).
- Tell it to become master:

    proxca -c

- Add new nodes:

    proxca -a -h $MASTERIP
11 Troubleshooting and technical support

Use the moderated Proxmox support forum or contact a Proxmox partner for their support offerings.

All information: http://www.proxmox.com
Email support: support@proxmox.com

11.1 Console login

Advanced users can use the console or SSH login. For normal operation, this is never necessary.

Default user:     root
Default password: admin (the same as for the web interface!)

Note: It's not recommended to change settings via the console.
12 Table of figures

Figure 1-1 Processing of incoming e-mail traffic ... 5
Figure 3-1 Infrastructure without Proxmox Mail Gateway ... 6
Figure 3-2 Infrastructure with integrated Proxmox Mail Gateway ... 6
Figure 4-1 Selecting Software RAID during installation ... 11
Figure 5-1 Login page Proxmox Mail Gateway ... 12
Figure 5-2 Start page Proxmox Mail Gateway after log in ... 13
Figure 5-3 Enable TLS (Transport Layer Security) ... 17
Figure 5-4 Preview of a quarantined Spam e-mail ... 26
Figure 5-5 Preview of a quarantined Spam e-mail with spam info ... 27
Figure 5-6 Preview of a quarantined Phishing e-mail ... 28
Figure 5-7 Message Tracking Center ... 30
Figure 5-8 Message Tracking Center: RBL rejects (Spamhaus.org) ... 30
Figure 5-9 Real time log ... 31
Figure 5-10 Display Mail Queue ... 32
Figure 6-1 LDAP Server settings: Create new LDAP Profile 1 ... 33
Figure 6-2 LDAP Server settings: Create new LDAP Profile 2 ... 34
Figure 6-3 LDAP Server settings: Three profiles configured ... 34
Figure 7-1 Exchange: Port settings for use with Exchange ... 35
Figure 7-2 Exchange: SMTP Connector (Define smart host: Proxmox Mail Gateway) ... 36
Figure 7-3 Exchange: SMTP connector Address space ... 37
Figure 10-1 Proxmox HA Cluster ... 40
Figure 13-1 Configure scheduled backup Windows share ... 49
13 Appendix

13.1 Available macros for rule system

It is possible to use macros inside most fields of action objects. That way it is possible to access and include data contained in the original mail, get envelope sender and receiver addresses, or include additional information about viruses and spam. Currently the following macros are defined:

Macro        Comment
SENDER       (envelope) sender mail address
RECEIVERS    (envelope) receiver mail address list
ADMIN        Email address of the administrator
TARGETS      Subset of receivers matched by the rule
SUBJECT      Subject of the message
MSGID        The message ID
RULE         Name of the matching rule
RULE_INFO    Additional information about the matching rule
VIRUS_INFO   Additional information about detected viruses
SPAMLEVEL    Computed spam level
SPAM_INFO    Additional information why the message is spam
SENDER_IP    IP address of the sending host
VERSION      The current software version (Proxmox Mail Gateway)
FILENAME     Attachment file name
SPAMSTARS    A series of "*" characters where each one represents a full score (SPAMLEVEL) point

A simple example is the Modify Spam Subject action which adds "SPAM:" to the original message subject. To achieve this just use "SPAM: SUBJECT" as value for that action object.

13.2 Individual SpamAssassin configuration

This is only for advanced users. To add or change the configuration of the Proxmox SpamAssassin, please log in to the console via SSH and go to /etc/mail/spamassassin/. In this directory there are two files (init.pre, local.cf); do not change these. To add your special configuration, you have to create a new file named custom.cf in this directory. Now you can add your configuration to custom.cf; be aware to use the SpamAssassin syntax. For more information see http://spamassassin.apache.org/

The custom.cf file is also synchronized in a HA Cluster environment.

13.3 Customized daily spam reports

It's possible to customize the daily spam reports. The report generator uses a simple HTML template file which may contain macros.
To activate customized reports you need to generate such a template file and copy it to /etc/proxmox/spamreport.tmpl. Two examples can be found in /var/lib/proxmox/templates/spamreport-verbose.tmpl and /var/lib/proxmox/templates/spamreport-short.tmpl; those templates are actually used to generate the default spam reports. You also need to select the "Custom" report style on the web interface to use the custom template (Configuration/Spam/Quarantine/ReportStyle).

The following macros are currently defined:

Macro         Global   Comment
SENDER        No       (envelope) sender mail address
RECEIVER      No       (envelope) receiver mail address
SUBJECT       No       subject of the message
FROM          No       from field
DATE          Yes      message arrival date or report date
TIME          No       message arrival time
TICKET        Yes      authorization ticket
BYTES         No       message size
SPAMLEVEL     No       spam level of the message
SPAMINFO      No       additional information about why it is spam
PMAIL         Yes      primary mail address of the receiver
HREF          No       href to view the message
WLHREF        No       href to whitelist the sender
BLHREF        No       href to blacklist the sender
DELETEHREF    No       href to delete the message
DELIVERHREF   No       href to deliver the message
PROTOCOL      Yes      selected protocol (http or https)
FQDN          Yes      fully qualified domain name of the quarantine host
HOSTNAME      Yes      quarantine host hostname
DOMAIN        Yes      quarantine host domain
ACTIONHREF    Yes      href to perform various actions
MAILCOUNT     Yes      number of mails
MSG_XXXX      Yes      standard messages used by the standard reports (translated to various languages)

A detailed report usually displays information about each mail. Inside the template, everything between <!--start entry--> and <!--end entry--> is repeated for every mail. Most macros are only defined inside those marks. Only the global macros are available outside those marks.

Note: A template has to be correct HTML. You can use any HTML editor for easy and fast editing.

13.4 Using Regular Expressions

A regular expression is a string of characters which tells us which string you are looking for. The following is a short introduction to the syntax of regular expressions as used when editing Who objects. If you are familiar with Perl, you already know the syntax.

13.4.1 Simple Regular Expressions

In its simplest form, a regular expression is just a word or phrase to search for. "Mail" would match the string "Mail". The search is case sensitive, so "MAIL" or "mail" would not be matched.

13.4.2 Metacharacters

Some characters have a special meaning. These characters are called metacharacters. The period (.) is a commonly used metacharacter.
It matches exactly one character, regardless of what the character is. "e.mail" would match "e-mail" or "e2mail" but not "e-some-mail". The question mark (?) indicates that the character immediately preceding it occurs either zero times or one time. "e?mail" would match "email" or "mail" but not "e-mail".
Another metacharacter is the star (*). This indicates that the character immediately to its left may be repeated any number of times, including zero. "e*mail" would match "email", "mail" or "eeemail". The plus (+) metacharacter does the same as the star (*) excluding zero, so "e+mail" does not match "mail".

Metacharacters may be combined. A common combination includes the period and star metacharacters, with the star immediately following the period. This is used to match an arbitrary string of any length, including the null string. For example, ".*company.*" matches company@domain.com, company@domain.co.uk or department.company@domain.com.

For more information take a look at the references.

13.4.3 References

Mastering Regular Expressions: Powerful Techniques for Perl and Other Tools, by Jeffrey E. F. Friedl. First Edition, January 1997. ISBN 1-56592-257-3.

13.5 Managing Software RAID

Software RAID is managed on the console with the unix command mdadm. Please see the manual pages for more information (man mdadm).

To view the RAID status use:

    cat /proc/mdstat

and

    mdadm --detail /dev/md0

To add a new disk after a crash (assuming /dev/sdb2 is the newly created partition on the new disk; please use fdisk to partition hard disks):

    mdadm --manage /dev/md0 --add /dev/sdb2

After success, please type lilo to rewrite the boot information to both hard disks:

    lilo

To initialize the swap partitions, type:

    mkswap /dev/sda1    (assuming that sda1 is a swap partition)
    mkswap /dev/sdb1    (assuming that sdb1 is a swap partition)
    swapon -a

Finally reboot the machine and check all services.

13.5.1 Repair boot-loader (grub) on Software Raid

Beginning with Proxmox Mail Gateway 2.3, grub is used as boot loader instead of lilo. If the Mail Gateway is installed on software RAID, the boot loader is only installed on the first drive. Therefore, if the first drive is in trouble or removed, the system does not boot anymore as no boot loader is on the remaining disk.
To reinstall grub, boot the system from the Proxmox Mail Gateway ISO CD and type raidboot at the boot prompt. The system now boots from the remaining hard disk and you can run the following to fix the boot loader:

    grub-install hd0
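As an added example of the template mechanics described in 13.3 (this is not code from the guide or from Proxmox): a POSIX shell function that renders a constructed spamreport.tmpl, repeating the block between <!--start entry--> and <!--end entry--> once per quarantined mail and substituting the global macros only outside it. It assumes the macro spelling __NAME__ (the macro table above lists the names without delimiters) and HTML-escapes every substituted value, because sender and subject come from the spam itself and would otherwise be injected verbatim into the report page.

```shell
#!/bin/sh
# Added example, not Proxmox code. Assumed macro syntax: __NAME__.
TMPL_DIR=$(mktemp -d)
trap 'rm -rf "$TMPL_DIR"' EXIT

# Constructed template in the style of 13.3: global macros outside the entry
# marks, per-mail macros inside them.
cat > "$TMPL_DIR/spamreport.tmpl" <<'EOF'
<html><body>
<h1>Spam report for __PMAIL__ (__DATE__)</h1>
<p>__MAILCOUNT__ mails in quarantine</p>
<table>
<!--start entry-->
<tr><td>__TIME__</td><td>__SENDER__</td><td>__SUBJECT__</td><td>__SPAMLEVEL__</td>
<td><a href="__HREF__">view</a> <a href="__WLHREF__">whitelist sender</a></td></tr>
<!--end entry-->
</table>
</body></html>
EOF

# Constructed quarantine records, one per line: TIME|SENDER|SUBJECT|SPAMLEVEL|HREF|WLHREF
# (the second subject carries HTML to show why escaping is required).
SAMPLE_ENTRIES='09:12|shop@example.net|Cheap watches|7.2|https://quarantine.example.com/view/1|https://quarantine.example.com/wl/1
10:45|x@example.org|<script>alert(1)</script>|5.4|https://quarantine.example.com/view/2|https://quarantine.example.com/wl/2'

# usage: render_spamreport TEMPLATE PMAIL DATE < entries
render_spamreport() {
  awk -F'|' -v pmail="$2" -v date="$3" '
    # Escape the HTML metacharacters; "\\&" in an awk replacement is a literal "&".
    function esc(s) { gsub(/&/, "\\&amp;", s); gsub(/</, "\\&lt;", s); gsub(/>/, "\\&gt;", s); return s }
    # Replace every occurrence of macro m in s by v with a plain string search,
    # so "&" or "\\" inside v are never interpreted and v is never re-scanned.
    function rep(s, m, v,    i, out) {
      while ((i = index(s, m)) > 0) { out = out substr(s, 1, i - 1) v; s = substr(s, i + length(m)) }
      return out s
    }
    NR == FNR { tpl = tpl $0 "\n"; next }                     # first file: the template
    NF >= 6   { n++; for (k = 1; k <= 6; k++) f[n, k] = $k }  # stdin: entry records
    END {
      S = "<!--start entry-->"; E = "<!--end entry-->"
      s = index(tpl, S); e = index(tpl, E)
      if (s == 0 || e <= s) { print "template: entry marks missing or misordered" > "/dev/stderr"; exit 1 }
      head  = substr(tpl, 1, s - 1)
      entry = substr(tpl, s + length(S), e - s - length(S))
      tail  = substr(tpl, e + length(E))
      body = ""
      for (i = 1; i <= n; i++) {          # the entry block is repeated per mail
        line = rep(entry, "__TIME__",      esc(f[i, 1]))
        line = rep(line,  "__SENDER__",    esc(f[i, 2]))
        line = rep(line,  "__SUBJECT__",   esc(f[i, 3]))
        line = rep(line,  "__SPAMLEVEL__", esc(f[i, 4]))
        line = rep(line,  "__HREF__",      esc(f[i, 5]))
        line = rep(line,  "__WLHREF__",    esc(f[i, 6]))
        body = body line
      }
      out = head body tail                # global macros apply to the whole report
      out = rep(out, "__PMAIL__", esc(pmail))
      out = rep(out, "__DATE__", esc(date))
      out = rep(out, "__MAILCOUNT__", n + 0 "")
      printf "%s", out
    }' "$1" -
}

printf '%s\n' "$SAMPLE_ENTRIES" | render_spamreport "$TMPL_DIR/spamreport.tmpl" user@example.com 2010-05-21
```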
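An added check for the cat /proc/mdstat step in 13.5 (not from the guide or from Proxmox): a POSIX shell function that parses mdstat output and reports each array as OK or DEGRADED, so a lost mirror member is noticed before the remaining disk fails as well. The mdstat text below is a constructed sample.

```shell
#!/bin/sh
# Added example, not Proxmox code. Constructed /proc/mdstat sample: md1 has lost a
# mirror member ([2/1] [U_]), md0 is intact.
MDSTAT_SAMPLE='Personalities : [raid1]
md1 : active raid1 sda2[0]
      488279488 blocks [2/1] [U_]

md0 : active raid1 sdb1[1] sda1[0]
      2096064 blocks [2/2] [UU]

unused devices: <none>'

# Reads mdstat text on stdin (e.g. mdstat_report < /proc/mdstat) and prints
# "NAME ACTIVE/TOTAL MAP STATUS" per array, STATUS being OK or DEGRADED.
mdstat_report() {
  awk '
    /^md[0-9]+ :/ { name = $1; total = ""; active = ""; map = ""; next }
    name != "" && /blocks/ {
      # e.g. "488279488 blocks [2/1] [U_]": [configured/active] members, then the member map
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^\[[0-9]+\/[0-9]+\]$/) { split(substr($i, 2, length($i) - 2), c, "/"); total = c[1]; active = c[2] }
        if ($i ~ /^\[[U_]+\]$/) map = substr($i, 2, length($i) - 2)
      }
      # a "_" in the map, or fewer active than configured members, means a missing disk
      status = (index(map, "_") > 0 || active + 0 < total + 0) ? "DEGRADED" : "OK"
      printf "%s %s/%s %s %s\n", name, active, total, map, status
      name = ""
    }'
}

# Exit status 0 when every array is OK, 1 when any array is degraded;
# suitable for a cron job that mails the administrator on failure.
mdstat_healthy() {
  ! mdstat_report | grep -q DEGRADED
}

printf '%s\n' "$MDSTAT_SAMPLE" | mdstat_report
```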
13.6 Backup considerations

13.6.1 Scheduled Backup

Scheduled backups can be configured to store the backup data on an FTP host or a Windows share. Old backup files can be deleted automatically. The following data will be stored via scheduled backups:

- System configuration
- Rule configuration
- Statistic database
- License

Log files and quarantined emails are never included in the backup. A backup can only be restored to an identical version of Proxmox.

Figure 13-1 Configure scheduled backup Windows share

13.6.2 Backup via console

You can use the command line utility proxbackup to back up the whole database including statistical data:

    proxbackup -s full-backup.tgz

Please see the manual page for more information (man proxbackup).
13.6.3 Restore via console

In order to restore system configuration, rules database and statistical data you need to restore on the console:

    proxbackup -c -d -s -r full-backup.tgz

After the restore you need to reboot to activate the changes.

13.6.4 Bacula client (http://www.bacula.org)

Bacula is an open source network based backup solution. You can use the Bacula client to back up the whole system.

Note: You need an extra Bacula server, which is not included. For details please see the documentation section of http://www.bacula.org.

13.7 Avira SAV Antivirus Integration

Proxmox supports the Avira SAV engine as an additional virus scanner. Please check http://www.proxmox.com for details and pricing.

13.8 SSL Certificate

Access to the administration web interface is always done via https. The default certificate is never valid for your browser and you always get warnings. You can safely ignore these warnings. If you want to get rid of these warnings, you have to generate a valid certificate for your server. Log in to your Proxmox via ssh or use the console:

    openssl req -newkey rsa:1024 -nodes -keyout key.pem -out req.pem

Note: public CAs no longer issue certificates for 1024-bit RSA keys; on a current system use rsa:2048 or larger.

Follow the instructions on the screen, see this example:

    Country Name (2 letter code) [AU]: AT
    State or Province Name (full name) [Some-State]: Vienna
    Locality Name (eg, city) []: Vienna
    Organization Name (eg, company) [Internet Widgits Pty Ltd]: Proxmox GmbH
    Organizational Unit Name (eg, section) []: Proxmox Mail Gateway
    Common Name (eg, YOUR name) []: yourproxmox.yourdomain.com
    Email Address []: support@yourdomain.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []: not necessary
    An optional company name []: not necessary

After you have finished this certificate request you have to send the file req.pem to your CA (Certification Authority). The CA will issue the certificate (BASE64 encoded) based on your request; save this file as cert.pem on your Proxmox.
To activate the new certificate, do the following on your Proxmox:
    cat key.pem cert.pem > /etc/apache2/apache.pem
    /etc/init.d/apache2 restart

Test your new certificate by using your browser.

Note: To transfer files from and to your Proxmox, you can use secure copy: if your desktop is Linux, you can use scp; if your desktop PC is Windows, please use an scp client like WinSCP (see http://winscp.net/).

13.9 Port Scans (nmap)

Nmap is designed to allow system administrators to scan large networks to determine which hosts are up and what services they are offering. You can use nmap to test your firewall settings, for example to see if the required ports are open.

Test the Razor port (tcp port 2703):

    nmap -P0 -sS -p 2703 c101.cloudmark.com

See the manual page (man nmap) for more information about nmap.

- End of document -