Introduction
Proxmox Mail Gateway is an open-source email security solution that acts as a layer between users and your origin mail server. It helps eliminate incoming or outgoing spam or email threats. In addition, it comes with a user-friendly web-based management interface that allows you to control everything easily.
This article explains the installation of Proxmox Mail Gateway, using Nginx as a reverse proxy to serve the management interface & securing the management interface with an SSL certificate on a Debian 11 machine.
Prerequisites
To complete this guide, you will need to:
- Deploy a fresh Debian 11 Server
- Point a subdomain to your server
Change Hostname
You are required to point a subdomain to your server using an A record. The same subdomain will be used throughout the article. For example, mailgateway.domain.tld.
Add the hostname in /etc/hostname.
# nano /etc/hostname
Overwrite the existing content with your subdomain and save the file using Ctrl + X then Enter.
Add the hostname in /etc/hosts.
# nano /etc/hosts
Paste the following line below 127.0.0.1 localhost and save the file using Ctrl + X then Enter.
127.0.0.1 your_subdomain
Reboot the server to ensure everything works.
# reboot
Verify Hostname
After your server is up and running, run the following command and check if the output matches with your subdomain
# hostname
Expected output
your_subdomain
Add Required Repository
Add repository in /etc/apt/sources.list.
# nano /etc/apt/sources.list
Add the following line and save the file using Ctrl + X then Enter.
deb http://download.proxmox.com/debian/pmg bullseye pmg-no-subscription
Add GPG key to the APT sources keyring.
# wget https://enterprise.proxmox.com/debian/proxmox-release-bullseye.gpg -O /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg
Refresh the package information.
# apt update
Install the proxmox-mailgateway package.
# apt install -y proxmox-mailgateway
Select "Internet with smarthost" in Postfix installation wizard & leave the rest set as default.
Reboot the server to ensure everything works
# reboot
Verify PMG Installation
After your server is up and running, you can verify if the installation was done successfully by opening the following link in your web browser
https://your_subdomain:8006/
You can log into the management interface using the same credentials you use for SSH
Serving the Management Interface with Nginx
Some environments do not allow connections to non-standard ports and it is not recommended to change PMG's port configuration. Using Nginx is the best solution for port standardization and handling high traffic.
Install Nginx
# apt install -y nginx
Add a vhost file to the sites-available directory.
# nano /etc/nginx/sites-available/pmg
Paste the following content (replace your_subdomain with your actual subdomain) and save the file using Ctrl + X then Enter
server {
    listen 80;
    server_name your_subdomain;
    proxy_redirect off;
    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass https://localhost:8006;
        proxy_buffering off;
        client_max_body_size 0;
        proxy_connect_timeout 3600s;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        send_timeout 3600s;
    }
}
Add a soft link of the vhost file in the sites-enabled directory.
# ln -s /etc/nginx/sites-available/pmg /etc/nginx/sites-enabled/pmg
Test the configuration.
# nginx -t
Expected output:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Reload Nginx.
# systemctl reload nginx
Verify the Accessibility. You can verify if the reverse proxy is working properly or not by opening the following link in your web browser.
http://your_subdomain/
Restrict Direct Access. After you've verified that your reverse proxy works, you can change the listener IP of the management interface to restrict direct access. Add a listener IP in /etc/default/pmgproxy.
# nano /etc/default/pmgproxy
Paste the following line and save the file using Ctrl + X then Enter
LISTEN_IP="127.0.0.1"
Restart the pmgproxy service.
# systemctl restart pmgproxy
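To confirm the listener restriction above took effect, the following added example (not part of the original article) reads ss -H -ltn output and lists any listener on port 8006 that is bound to something other than loopback. The function name exposed_listeners and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect a pmgproxy listener that is still reachable directly.
# On the server itself, run:  ss -H -ltn | exposed_listeners

PMG_PORT=8006   # management port used by pmgproxy in this article

# Reads `ss -ltn` lines on stdin. Prints every non-loopback listener on
# $PMG_PORT and returns 1 if at least one was found, 0 otherwise.
exposed_listeners() {
    awk -v port="$PMG_PORT" '
        {
            local_addr = $4                    # "Local Address:Port" column
            n = split(local_addr, parts, ":")
            if (parts[n] != port) next         # some other service (or header)
            host = substr(local_addr, 1, length(local_addr) - length(port) - 1)
            sub(/^\[/, "", host)               # strip IPv6 brackets
            sub(/\]$/, "", host)
            sub(/%.*/, "", host)               # strip scope suffix such as %lo
            if (host ~ /^127\./ || host == "::1") next   # loopback is expected
            print local_addr                   # 0.0.0.0, *, [::] or a public IP
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample of `ss -H -ltn` output after LISTEN_IP="127.0.0.1"
# (not captured from a real host).
SAMPLE='LISTEN 0 128 127.0.0.1:8006 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*'

if printf '%s\n' "$SAMPLE" | exposed_listeners; then
    echo "OK: port $PMG_PORT is bound to loopback only"
else
    echo "WARNING: port $PMG_PORT is still reachable directly" >&2
fi
```

If the function prints an address, pmgproxy is still listening beyond loopback and the LISTEN_IP change or the service restart did not take effect.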
Secure the Management Interface with an SSL Certificate
We will use Let's Encrypt to obtain an SSL Certificate for free. Please make sure you have pointed your subdomain to the server's IP address. The steps given below will only work if you are serving the management interface using Nginx.
Install Certbot.
# apt install -y certbot python3-certbot-nginx
Install Certificate on Nginx. You will be asked to enter your email address when you run the following command, please enter your email address and leave the rest set as default.
# certbot --nginx -d your_subdomain
Verify the accessibility. You can verify if the SSL Certificate is configured properly or not by opening the following link in your web browser.
https://your_subdomain/
Test auto-renewal. Let's Encrypt certificates are only valid for 90 days, but since we are using certbot, it will handle auto-renewals for us. You can verify if the auto-renewal works by running the following command.
# certbot renew --dry-run
If the above command doesn't throw an error, it means your SSL certificate will be renewed automatically without any issues.
Conclusion
In this article, you installed Proxmox Mail Gateway, used Nginx as a reverse proxy for PMG's management interface & installed an SSL Certificate using certbot. If you're new to Proxmox Mail Gateway and don't know how it works, their official documentation is a good place to start.