Deployment Guide
5/21/2010 MailGatewayDeploymentGuide-V1.8.docx
www.proxmox.com
Proxmox Server Solutions GmbH reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the latest version of this document, which is available from http://www.proxmox.com. NOTE: A license to the Proxmox Software usually includes the right to product updates for one (1) year from the date of purchase. Maintenance can be renewed on an annual basis. All other product or company names different from Proxmox may be trademarks or registered trademarks of their owners. Copyright 2010 Proxmox Server Solutions GmbH. All rights reserved. No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the express prior written consent of Proxmox.
Table of Contents
1 Introduction ... 5
2 Proxmox Mail Gateway Integration ... 6
2.1 E-mail system without Proxmox ... 6
2.2 E-mail system with Proxmox ... 6
2.3 Proxmox in the Intranet ... 8
2.3.1 Default port settings ... 8
2.3.2 Alternative port settings (e.g. for MS Exchange) ... 8
2.4 Proxmox in DMZ (demilitarized zone) ... 10
2.5 Proxmox with multiple e-mail servers and mail domains ... 11
3 Performance Tuning ... 12
3.1 Hardware benchmarks ... 12
3.2 Backup MX ... 12
3.3 Local DNS cache ... 12
3.4 Blocking e-mails on SMTP level ... 13
3.4.1 Greylisting ... 13
3.4.2 Sender Policy Framework (SPF) ... 14
3.4.3 Real time Blacklists (RBL) ... 14
3.4.4 Local DNS RBL cache (Spamhaus Datafeed Service) ... 15
3.4.4.1 Configuring local DNS blacklist caches ... 15
3.4.5 Receiver Verification ... 16
3.4.5.1 Proxmox Solutions ... 16
3.4.5.2 Enabling Verify Receivers ... 17
3.4.5.2.1 Settings for Exchange 2003 SP2 ... 18
3.4.5.2.2 Settings for Exchange 2007 SP1 ... 21
4 Rule System ... 22
4.1 Default Rules ... 24
4.1.1 Block Viruses ... 24
4.1.2 Virus Alert ... 24
4.1.3 Block Dangerous Files ... 25
4.1.4 Mark Spam ... 25
4.2 Custom Rules ... 26
4.2.1 Enable Spam and Virus quarantine ... 26
4.2.2 Enable Spam quarantine for just a selection of users ... 26
4.2.3 Enable Spam quarantine for existing LDAP users ... 27
4.2.4 Block Spam e-mails with a score higher than 10 ... 29
4.2.5 BCC object: a simple archive solution ... 33
4.2.6 Block Video and Audio Attachments ... 33
4.2.7 Add Admin Notification to Rules ... 34
4.2.8 Preventing directory harvesting attacks with LDAP object ... 34
4.2.9 Block Video and Audio Attachments for LDAP Groups ... 35
5 Proxmox HA Cluster (High availability) ... 37
5.1 Load Balancing with MX Records ... 38
5.2 Multiple Address Records ... 39
5.3 Using third party Firewall features ... 39
6 Hardware selection and Virtualization ... 40
6.1 Physical Hardware ... 40
6.1.1 Certified Hardware ... 40
6.2 Proxmox VE (http://pve.proxmox.com) ... 40
6.3 VMware ... 40
6.3.1 Settings for VMware ESX, ESXi and vSphere ... 41
6.3.1.1 Settings for the Proxmox Mail Gateway Virtual Machine ... 41
6.3.1.1.1 RAM settings ... 41
6.3.1.1.2 VMware Tools ... 41
6.3.1.1.3 Enable VMI Paravirtualization ... 41
6.3.1.1.4 Enable time synchronization ... 42
6.3.2 Settings for a VMware Server 2 ... 42
6.3.2.1 Host memory settings ... 42
6.3.2.2 Settings for Proxmox Mail Gateway Virtual Machine ... 43
6.3.2.2.1 RAM settings ... 43
6.3.2.2.2 VMware Tools ... 43
6.3.2.2.3 Enable VMI Paravirtualization ... 43
6.3.2.2.4 Enable time synchronization ... 44
6.4 OpenVZ ... 45
7 Troubleshooting and technical support ... 47
8 Table of figures ... 48
9 Appendix ... 49
1 Introduction
The huge amount of e-mail traffic is a challenge for every e-mail environment. The daily e-mail routine brings along some major problems, including performance, reliability, regulation under public law and e-mail threats such as viruses or phishing attacks. E-mail is an essential service for any organization, and professionally managed e-mail improves organizational workflow and customer satisfaction. A missed e-mail could mean a lost opportunity, or it could cause a public-relations problem that no organization would want.

How does Proxmox work?

When an e-mail arrives at the Proxmox Mail Gateway, it is analyzed and forwarded to your e-mail server, which is responsible for delivering the e-mail to the receiver. If the e-mail server is not working, Proxmox Mail Gateway temporarily stores the message in its e-mail queue for later transfer. The process works similarly for outgoing e-mails.

This document covers samples and deployment information on how to integrate and customize Proxmox in your e-mail environment.

Note: See also the Proxmox Mail Gateway Administration Guide for a detailed product description.
Many mail filter solutions do not scan outgoing mails. In contrast, Proxmox Mail Gateway is designed to scan both incoming and outgoing mails. This has two major advantages:
Figure 2-3 Outgoing with Proxmox Mail Gateway
1. Proxmox is able to detect viruses sent from an internal host. In many countries you are liable if you send viruses to other people. The Proxmox outgoing e-mail scanning feature is an additional protection against that.
2. Proxmox can gather statistics about outgoing e-mails too. Statistics about incoming e-mails look nice, but they are quite useless. Consider two users: user-1 receives 10 mails from news portals and wrote 1 mail to a person you have never heard of, while user-2 receives 5 mails from a customer and sent 5 mails back. Which user do you consider more active? Surely user-2, because he communicates with your customers. The Proxmox advanced address statistics can show you this important information. A solution which does not scan outgoing mail cannot do that.
Figure 2-4 Incoming default port settings (port 25)
Outgoing mails: configure your mail server to send all e-mails to the Proxmox Mail Gateway on port 26.
Note: Proxmox receives the outgoing e-mails on port 26, so Proxmox knows they are internal, trusted e-mail. After processing, Proxmox sends the e-mails to the Internet using the standard port 25.
Figure 2-6 Incoming alternative port settings (port 26)
With MS Exchange you should not use port 26 for outgoing mail, so you have to swap these two values (25 and 26). In the end you use port 25 for outgoing and port 26 for incoming mails.
Figure 2-9 Multiple e-mail servers
Note: you need an appropriate license for each domain, otherwise it will not work!
3 Performance Tuning
3.1 Hardware benchmarks
Please use the command line tool proxperf to get an overview of your hardware and DNS performance.
Note: Never run proxperf while the system is under load.
Here is a sample output of proxperf:
proxmox:~# proxperf
CPU BOGOMIPS:      8489.64
REGEX/SECOND:      410814
HD SIZE:           6.89 GB (/dev/sda2)
BUFFERED READS:    116.38 MB/sec
AVERAGE SEEK TIME: 8.09 ms
FSYNCS/SECOND:     1084.51
DNS EXT:           46.26 ms
DNS INT:           1.05 ms (domain.com)
DNSBL:             35.47 ms (zen.spamhaus.org)
proxmox:~#
Please compare your results against this reference. If you get lower results, please analyze your hardware and DNS setup. For comments, e-mail your results to support@proxmox.com.
3.2 Backup MX
Using your ISP's mail server as backup MX is not a good idea, because many ISPs do not use advanced spam prevention techniques. Spammers know this and use your ISP's backup MX to work around your Proxmox spam filtering. Additionally, you can never benefit from blocking spam messages on SMTP level. If you need redundancy, it is recommended to run a second Proxmox server in HA Cluster mode to avoid lower spam detection rates.
3.4.1 Greylisting
Typically, a server that utilizes Greylisting will record the following three pieces of information (referred to as a triplet) for all incoming e-mail:
- The IP address of the connecting host
- The envelope sender address
- The envelope recipient address
The client is checked against the mail server's internal whitelists (if any) first. Then, if the triplet has never been seen before, it is greylisted for a period of time (how long depends on the server configuration), and the e-mail is rejected with a temporary error. The assumption is that since temporary failures are built into the RFC specifications for e-mail delivery, a legitimate server will attempt to connect again later to deliver the e-mail. Greylisting is effective because many mass e-mail tools utilized by spammers are not set up to handle temporary failures (or any failures, for that matter), so the spam is never received. This feature can reduce e-mail traffic by up to 50%. Greylisted e-mails never reach your mail server, and your mail server will stop sending useless "Non Delivery Reports" to spammers, which would fill up the queue. If a sender has a valid SPF record, he will never be greylisted.
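The triplet logic just described, as an added example (this is not Proxmox code): a minimal greylisting decision with the whitelist check first, the SPF exemption, the temporary rejection, and a constructed simulation of a bulk mailer that never retries next to a real MTA that does. The 5 minute delay, the addresses and the retry times are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# the triplet a greylisting server records for every delivery attempt
Triplet = Tuple[str, str, str]  # (connecting IP, envelope sender, envelope recipient)


@dataclass
class Greylister:
    delay: int = 300  # assumed value: seconds a new triplet stays greylisted
    whitelist: Set[str] = field(default_factory=set)  # client IPs or sender domains, checked first
    first_seen: Dict[Triplet, float] = field(default_factory=dict)

    def decide(self, client_ip: str, sender: str, recipient: str,
               now: float, spf_pass: bool = False) -> Tuple[int, str]:
        """SMTP reply for one attempt: 450 is the temporary failure a real MTA
        retries later, 250 accepts the mail for the remaining filters."""
        # 1. the internal whitelists are checked first
        sender_domain = sender.rsplit("@", 1)[-1].lower()
        if client_ip in self.whitelist or sender_domain in self.whitelist:
            return 250, "OK, whitelisted"
        # 2. a sender with a valid SPF record is never greylisted
        if spf_pass:
            return 250, "OK, SPF pass"
        triplet = (client_ip, sender.lower(), recipient.lower())
        seen = self.first_seen.get(triplet)
        if seen is None:
            # 3. never seen before: record the triplet and reject temporarily
            self.first_seen[triplet] = now
            return 450, "4.7.1 Greylisted, try again later"
        if now - seen < self.delay:
            # 4. retried too early: keep deferring
            return 450, "4.7.1 Greylisted, try again later"
        # 5. retried after the delay, as a legitimate server does
        return 250, "OK"


def simulate() -> Dict[str, List[int]]:
    """Constructed traffic: a spam tool that never retries and a real MTA that does."""
    g = Greylister()
    # one attempt from a bulk mailer, then it gives up: the spam never arrives
    spam_tool = [g.decide("203.0.113.9", "offer@example.test", "user@example.com", 0)[0]]
    # a real MTA retries on its queue schedule (constructed: after 2 and 10 minutes)
    real_mta = [g.decide("198.51.100.4", "alice@example.org", "user@example.com", t)[0]
                for t in (0, 120, 600)]
    return {"spam_tool": spam_tool, "real_mta": real_mta}
```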
Note: 11,41 stands for the minutes of each hour; please replace these values with the ones in your Spamhaus Datafeed license.
Next, configure the RBLDNS daemon configuration file:
nano /etc/default/rbldnsd
RBLDNSD="- -r/var/lib/rbldns -f -b127.0.0.2 \
  sbl.spamhaus.org:ip4set:sbl \
  pbl.spamhaus.org:ip4trie:pbl \
  xbl.spamhaus.org:ip4tset:xbl \
  zen.spamhaus.org:ip4set:sbl \
  zen.spamhaus.org:ip4trie:pbl \
  zen.spamhaus.org:ip4tset:xbl \
  list.dsbl.org:ip4set:dsbl"
Start the RBLDNS service:
/etc/init.d/rbldnsd start
Finally, redirect queries to the local mirror:
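As an added illustration of what the redirected DNSBL queries look like (this is not part of the guide or of rbldnsd), the following Python builds the reversed-octet query name for zen.spamhaus.org, resolves it through the system resolver, and maps the answer to a verdict. The return code table is the one Spamhaus documents for the public zen zone; that a Datafeed-fed mirror answers with the same values is an assumption, and the resolver is injectable so the logic can be exercised offline.

```python
import socket
from typing import Callable, Optional, Tuple

# return codes Spamhaus documents for the public zen.spamhaus.org zone; a local
# rbldnsd mirror fed from the Datafeed is assumed to answer with the same values
ZEN_CODES = {
    "127.0.0.2": "SBL (Spamhaus Block List)",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL (exploited or infected host)",
    "127.0.0.5": "XBL (exploited or infected host)",
    "127.0.0.6": "XBL (exploited or infected host)",
    "127.0.0.7": "XBL (exploited or infected host)",
    "127.0.0.10": "PBL (ISP maintained policy block)",
    "127.0.0.11": "PBL (Spamhaus maintained policy block)",
}


def dnsbl_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Build the DNSBL query name: the four octets reversed, then the zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: " + ip)
    return ".".join(reversed(octets)) + "." + zone


def classify(answer: Optional[str]) -> str:
    """Turn the A record (or NXDOMAIN, passed as None) into a listing decision."""
    if answer is None:
        return "not listed"
    if answer.startswith("127.255."):
        # Spamhaus signals errors (query limit, open resolver) in 127.255.255.0/24;
        # an error must never be treated as a listing
        return "error " + answer + ", treat as not listed"
    return ZEN_CODES.get(answer, "listed (" + answer + ")")


def check(ip: str, zone: str = "zen.spamhaus.org",
          resolve: Callable[[str], str] = socket.gethostbyname) -> Tuple[str, str]:
    """Query the DNSBL through the system resolver, which the setup above points
    at the local rbldnsd mirror. resolve() is injectable so the logic runs offline."""
    name = dnsbl_name(ip, zone)
    try:
        answer = resolve(name)
    except OSError:  # socket.gaierror (NXDOMAIN: no such name) is an OSError
        answer = None
    return name, classify(answer)


if __name__ == "__main__":
    # RFC 5782 requires every IPv4 DNSBL to list 127.0.0.2 as a test entry, so
    # this call verifies that the mirror answers at all
    print(check("127.0.0.2"))
```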
Figure 3-10 Exchange 2007 SP1: Install Anti-Spam agent
Now you can enable Recipient Filtering on the Anti-Spam agent using the Exchange Management Console.
4 Rule System
The object-oriented rule system enables custom rules for your domains. It is an easy but very powerful way to define filter rules by user, domain, time frame, content type and resulting action.
Who object (for the TO and/or FROM category). Example: Mail object - Who is the sender or receiver of the e-mail?
When object. Example: When is the e-mail received by Proxmox Mail Gateway?
What object. Example: Does the e-mail contain spam?
Action object. Example: Mark the e-mail with "SPAM:" in the subject.
Every rule has 5 categories (FROM, TO, WHEN, WHAT, ACTION), each of which can contain several objects. For example, enable an archive solution with a BCC object (blind carbon copy; recipients are not visible in the "To" field) to a mailbox or to a public folder:
FROM: Anybody
TO: Anybody
WHEN: Always
WHAT: Mail
ACTION: BCC to Public folder
In most countries worldwide a company has to forward all e-mails to its employees; this includes spam e-mails as well.
21.05.2010 Proxmox Server Solutions GmbH 22
For example, to send spam mails to quarantine:
FROM: Anybody
TO: Anybody
WHEN: Always
WHAT: Spam
ACTION: Quarantine
With this kind of setup the receiver gets detailed information about the spam e-mails. Quarantine can be enabled just for existing LDAP groups, or via BCC to public folders or mailboxes.

At present the usefulness of e-mail is being threatened by three phenomena: spamming, phishing and e-mail worms. Spamming is unsolicited commercial e-mail. Because of the very low cost of sending e-mail, spammers can send hundreds of millions of e-mail messages each day over an inexpensive Internet connection. Hundreds of active spammers sending this volume of mail results in information overload for many computer users, who receive tens or even hundreds of junk messages each day. E-mail worms use e-mail as a way of replicating themselves onto vulnerable computers. The combination of spam and worm programs results in users receiving a constant drizzle of junk e-mail, which reduces the usefulness of e-mail as a practical tool. To increase the efficiency of e-mail communications, the use of anti-spam, anti-phishing and antivirus software is essential. With the deployment of Proxmox Mail Gateway you get the job done.

Based on its design as a software appliance, one of the strengths of Proxmox Mail Gateway is its flexibility. It can be easily integrated into an existing e-mail architecture and is compatible with every type of mail server or MTA (e.g. Microsoft Exchange, Lotus Domino, Postfix). For example, a virus protection rule looks like this:
FROM: Anybody
TO: Anybody
WHEN: Always
WHAT: Virus
ACTION: Block
Options range from simple spam and virus filter setups to sophisticated, highly customized configurations blocking certain types of e-mails and generating notifications.
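A model of the rule system described in this chapter, added here as an example and not taken from the product: every rule holds FROM, TO, WHEN, WHAT and ACTION object lists, a category matches when any of its objects matches, and the rules from this chapter (Block Viruses, Block Spam at level 10, Quarantine for selected users, Mark Spam, Block Video and Audio, BCC archive) are evaluated against constructed messages. The priorities, the rule that a Block or Quarantine verdict ends processing, the Mark Spam level, the domain example.com and the archive address are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

@dataclass
class Mail:
    sender: str
    recipient: str
    spam_score: float = 0.0  # score from the spam filter (WHAT: Spam)
    has_virus: bool = False  # result of the virus scan (WHAT: Virus)
    attachments: List[str] = field(default_factory=list)
    subject: str = ""
    bcc: List[str] = field(default_factory=list)
Pred = Callable[[Mail], bool]
Action = Callable[[Mail], str]
# WHO, WHEN and WHAT objects are predicates over the mail
ANYBODY: Pred = lambda m: True
ALWAYS: Pred = lambda m: True
MAIL: Pred = lambda m: True  # WHAT: Mail, matches every message
VIRUS: Pred = lambda m: m.has_virus
spam = lambda level: (lambda m: m.spam_score >= level)  # WHAT: Spam at or above a level
recipient_domain = lambda dom: (lambda m: m.recipient.lower().endswith("@" + dom))  # WHO (TO)
attachment = lambda *exts: (lambda m: any(a.lower().rsplit(".", 1)[-1] in exts for a in m.attachments))
# ACTION objects may modify the mail and return a verdict; "block" and "quarantine"
# end processing (assumed), any other verdict lets lower priority rules run
block: Action = lambda m: "block"
quarantine: Action = lambda m: "quarantine"
def mark_spam(m: Mail) -> str:
    m.subject = "SPAM: " + m.subject
    return "continue"
def bcc_to(addr: str) -> Action:
    def act(m: Mail) -> str:
        m.bcc.append(addr)
        return "continue"
    return act

@dataclass
class Rule:  # the five categories of every rule, each holding one or more objects
    name: str
    priority: int
    frm: List[Pred]
    to: List[Pred]
    when: List[Pred]
    what: List[Pred]
    action: Action

def matches(rule: Rule, m: Mail) -> bool:
    # a category holding several objects matches when any one of them matches
    return all(any(p(m) for p in cat) for cat in (rule.frm, rule.to, rule.when, rule.what))

def process(rules: List[Rule], m: Mail) -> Tuple[str, List[str]]:
    """Apply rules in descending priority; stop at the first terminal verdict."""
    applied: List[str] = []
    for rule in sorted(rules, key=lambda r: -r.priority):
        if matches(rule, m):
            applied.append(rule.name)
            verdict = rule.action(m)
            if verdict in ("block", "quarantine"):
                return verdict, applied
    return "deliver", applied

# the rules discussed in this chapter; priorities, the Mark Spam level (5), the domain
# example.com and the archive address are assumptions, not settings from the guide
ANY = [ANYBODY]
RULES = [
    Rule("Block Viruses", 90, ANY, ANY, [ALWAYS], [VIRUS], block),
    Rule("Block Spam level 10", 80, ANY, ANY, [ALWAYS], [spam(10)], block),
    Rule("Quarantine Spam for example.com", 70, ANY, [recipient_domain("example.com")],
         [ALWAYS], [spam(5)], quarantine),
    Rule("Mark Spam", 60, ANY, ANY, [ALWAYS], [spam(5)], mark_spam),
    Rule("Block Video and Audio", 50, ANY, ANY, [ALWAYS], [attachment("avi", "mp3", "wmv")], block),
    Rule("Archive (BCC)", 10, ANY, ANY, [ALWAYS], [MAIL], bcc_to("archive@example.com")),
]
```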
3. Add Action Object Block to the rule
4. Final review (still inactive)
5. Activate the rule
Figure 4-18 Block video and Audio attachment for LDAP group Staff
Proxmox uses a unique application-level clustering scheme, which provides extremely good performance. Special considerations were taken to make management as easy as possible. The complete cluster setup is done within minutes, and nodes automatically reintegrate after temporary failures without any operator interaction.
Also known to work (Intel VT or AMD-V needed):
- VirtualBox
- XEN (fully virtualized)
- Citrix XenServer (fully virtualized)
- Parallels Server
- Hyper-V
For best performance please use physical hardware or OS virtualization like Proxmox VE (OpenVZ).
6.3 VMware
Proxmox runs perfectly under VMware. For quick deployment Proxmox delivers a ready-to-run, preconfigured and certified Virtual Appliance. Installation from the ISO image is also fully supported and allows custom settings optimized for the VMware host. Proxmox 2.3 and later support VMware para-virtualization (kernel 2.6.27), and we deliver a prebuilt VMware Tools package for installation (already included in the Appliance).
Figure 6-1 Enable VMI Paravirtualization for Proxmox Mail Gateway on ESX
6.4 OpenVZ
OpenVZ is an open source operating-system-level server virtualization solution, built on Linux. For details about OpenVZ, please visit http://openvz.org/. OpenVZ is also used in Proxmox VE (http://pve.proxmox.com). The main advantage of operating-system-level server virtualization is minimal overhead, which leads to maximum performance. Proxmox runs on OpenVZ almost as fast as on physical hardware, with all the advantages of virtualization. OpenVZ supports online migration of a running Proxmox from one hardware node to another without downtime. For running Proxmox on OpenVZ, we launched a wiki page at:
8 Table of figures
Figure 2-1 System without Proxmox Mail Gateway ... 6
Figure 2-2 Incoming e-mail with Proxmox Mail Gateway ... 6
Figure 2-3 Outgoing with Proxmox Mail Gateway ... 7
Figure 2-4 Incoming default port settings (port 25) ... 8
Figure 2-5 Outgoing default port settings (port 26) ... 8
Figure 2-6 Incoming alternative port settings (port 26) ... 9
Figure 2-7 Outgoing alternative port settings (port 25) ... 9
Figure 2-8 Proxmox in DMZ ... 10
Figure 2-9 Multiple e-mail servers ... 11
Figure 3-1 Use local DNS Cache ... 12
Figure 3-2 Mail proxy whitelist ... 13
Figure 3-3 Enable RBL checks ... 14
Figure 3-4 Enable local RBL cache (Spamhaus.org and Dsbl.org) ... 16
Figure 3-5 Enable Verify Receivers ... 17
Figure 3-6 Exchange 2003: Filter recipients 1 ... 18
Figure 3-7 Exchange 2003: Filter recipients 2 ... 19
Figure 3-8 Exchange 2003: Filter recipients 3 ... 20
Figure 3-9 Exchange 2003: Filter recipients 4 ... 20
Figure 3-10 Exchange 2007 SP1: Install Anti-Spam agent ... 21
Figure 3-11 Exchange 2007 SP1: Filter recipients 1 ... 21
Figure 3-12 Exchange 2007 SP1: Filter recipients 2 ... 22
Figure 4-1 Rule: Block Viruses ... 24
Figure 4-2 Rule: Virus Alert ... 24
Figure 4-3 Rule: Block Dangerous Files ... 25
Figure 4-4 Rule: Mark Spam ... 25
Figure 4-5 Add Quarantine action to rule Mark Spam ... 26
Figure 4-6 Enable Spam quarantine for just a selection of users ... 27
Figure 4-7 Create WHO object Existing LDAP address ... 27
Figure 4-8 Enable Spam quarantine for existing LDAP addresses ... 28
Figure 4-9 Add new What Object ... 29
Figure 4-10 Add Spam Filter to a What Object ... 30
Figure 4-11 Set Spam Filter to Level 10 ... 30
Figure 4-12 Add new Rule ... 31
Figure 4-13 Add What Object to a Rule ... 31
Figure 4-14 Add Action Object to a Rule ... 32
Figure 4-15 Final Review of Rule (still inactive) ... 32
Figure 4-16 Activate Rule ... 33
Figure 4-17 Unknown LDAP address rule ... 35
Figure 4-18 Block video and Audio attachment for LDAP group Staff ... 36
Figure 5-1 Proxmox HA Cluster with load balanced MX records ... 37
Figure 5-2 Load balancing via MX Records ... 38
Figure 5-3 Load balancing Multiple Address Records ... 39
Figure 6-1 Enable VMI Paravirtualization for Proxmox Mail Gateway on ESX ... 41
Figure 6-2 Enable time synchronization on ESX/ESXi ... 42
Figure 6-3 Memory settings for VMware Server 2 Host ... 43
Figure 6-4 Enable VMI Paravirtualization for Proxmox Mail Gateway ... 44
Figure 6-5 Enable time synchronization on VMware Server 2 Host ... 45
9 Appendix
Reference document: Mail Gateway Admin Guide. You can download the latest version from www.proxmox.com.
- End of document -