How to Install Proxmox Mail Gateway on Debian 11

Updated on February 14, 2022
How to Install Proxmox Mail Gateway on Debian 11 header image

Introduction

Proxmox Mail Gateway is an open-source email security solution that acts as a layer between users and your origin mail server. It helps eliminate incoming or outgoing spam or email threats. In addition, it comes with a user-friendly web-based management interface that allows you to control everything easily.

This article explains the installation of Proxmox Mail Gateway, using Nginx as a reverse proxy to serve the management interface & securing the management interface with an SSL certificate on a Debian 11 machine.

Prerequisites

To complete this guide, you will need to:

  • Deploy a fresh Debian 11 Server
  • Point a subdomain to your server

Change Hostname

  1. You are required to point a subdomain to your server using A record. The same subdomain will be used throughout the article. For example, mailgateway.domain.tld. Add hostname in /etc/hostname.

     # nano /etc/hostname
  2. Overwrite the existing content with your subdomain and save the file using Ctrl + X then Enter. Add hostname in /etc/hosts.

     # nano /etc/hosts
  3. Paste the following line below 127.0.0.1 localhost and save the file using Ctrl + X then Enter.

     127.0.0.1 your_subdomain
  4. Reboot the server to ensure everything works.

     # reboot

Verify Hostname

After your server is up and running, run the following command and check if the output matches with your subdomain

# hostname

Expected output

your_subdomain

Add Required Repository

  1. Add repository in /etc/apt/sources.list.

     # nano /etc/apt/sources.list
  2. Add the following line and save the file using Ctrl + X then Enter.

     deb http://download.proxmox.com/debian/pmg bullseye pmg-no-subscription
  3. Add GPG key to the APT sources keyring.

     # wget https://enterprise.proxmox.com/debian/proxmox-release-bullseye.gpg -O /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg
  4. Refresh the package information.

     # apt update
  5. Install the proxmox-mailgateway package.

     # apt install -y proxmox-mailgateway
  6. Select "Internet with smarthost" in Postfix installation wizard & leave the rest set as default.

  7. Reboot the server to ensure everything works

     # reboot

Verify PMG Installation

After your server is up and running, you can verify if the installation was done successfully by opening the following link in your web browser

https://your_subdomain:8006/

You can log into the management interface using the same credentials you use for SSH

Serving the Management Interface with Nginx

Some environments do not allow connections to non-standard ports and it is not recommended to change PMG's port configuration. Using Nginx is the best solution for port standardization and handling high traffic.

  1. Install Nginx

     # apt install -y nginx
  2. Add a vhost file to the sites-available directory.

     # nano /etc/nginx/sites-available/pmg
  3. Paste the following content (replace your_subdomain with your actual subdomain) and save the file using Ctrl + X then Enter

     server {
    
         listen 80;
         server_name your_subdomain;
    
         proxy_redirect off;
         location / {
             proxy_http_version 1.1;
             proxy_set_header Upgrade $http_upgrade;
             proxy_set_header Connection "upgrade"; 
             proxy_pass https://localhost:8006;
             proxy_buffering off;
             client_max_body_size 0;
             proxy_connect_timeout  3600s;
             proxy_read_timeout  3600s;
             proxy_send_timeout  3600s;
             send_timeout  3600s;
         }
    
     }
  4. Add a soft link of the vhost file in sites-enabled directory

     # ln -s /etc/nginx/sites-available/pmg /etc/nginx/sites-enabled/pmg
  5. Test the configuration.

     # nginx -t

    Expected output:

     nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
     nginx: configuration file /etc/nginx/nginx.conf test is successful
  6. Reload Nginx.

     # systemctl reload nginx
  7. Verify the Accessibility. You can verify if the reverse proxy is working properly or not by opening the following link in your web browser.

     http://your_subdomain/
  8. Restrict Direct Access. After you've verified that your reverse proxy works, you can change the listener IP of the management interface to restrict direct access. Add a listener IP in /etc/default/pmgproxy.

     # nano /etc/default/pmgproxy
  9. Paste the following line and save the file using Ctrl + X then Enter

     LISTEN_IP="127.0.0.1"
  10. Restart the pmgproxy service

     systemctl restart pmgproxy

Secure the Management Interface with an SSL Certificate

We will use Let's Encrypt to obtain an SSL Certificate for free. Please make sure you have pointed your subdomain to the server's IP address. The steps given below will only work if you are serving the management interface using Nginx.

  1. Install Certbot.

     apt install -y certbot python3-certbot-nginx
  2. Install Certificate on Nginx. You will be asked to enter your email address when you run the following command, please enter your email address and leave the rest set as default.

     certbot --nginx -d your_subdomain
  3. Verify the accessibility. You can verify if the SSL Certificate is configured properly or not by opening the following link in your web browser.

     https://your_subdomain/
  4. Test auto-renewal. Let's Encrypt certificates are only valid for 90 days, but since we are using certbot, it will handle auto-renewals for us. You can verify if the auto-renewal works by running the following command.

     certbot renew --dry-run

    If the above command doesn't throw an error, it means your SSL certificate will be renewed automatically without any issues.

Conclusion

In this article, you installed Proxmox Mail Gateway, used Nginx as a reverse proxy for PMG's management interface & installed an SSL Certificate using certbot. If you're new to Proxmox Mail Gateway and don't know how it works, their official documentation is a good place to start.