Proxmox VE: Setting up email sending (mail relay / smart host)

·4 min·Andreas Haerter·Frederik Meissner·

Proxmox Virtual Environment (PVE) servers are usually important systems as they are hosts for virtual machines and containers. Nevertheless, there are often installations that are not able to send emails to inform about updates, backup results or the like. On this page, we briefly explain how to configure PVE to allow sending emails via external email server (relay / smart host).

Postfix

Postfix is a Mail Transfer Agent (MTA) and should already be installed on the system. If not, you can simply fix this:

apt-get install postfix
systemctl enable postfix

Basic configuration

With a suitable configuration, Postfix ensures that the emails are accepted by the local system and forwarded to an external mail system via SMTP.

The main configuration file is /etc/postfix/main.cf. First you should make sure that the relay is only usable via localhost by Proxmox or other system services and not by third parties via the network:

myhostname = pve.example.com
mydomain = example.com
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 127.0.0.0/8
inet_interfaces = loopback-only

Replace pve.example.com with the system’s FQDN1 and example.com with the email sender domain. By default, mydestination, mynetworks and inet_interfaces should already have the correct values.

Relay / smart host

Another package is needed for authentication on the external mail server which is used for the actual sending:

apt-get install libsasl2-modules

The relay settings are also set in /etc/postfix/main.cf. The setting relayhost = already exists in the file by default (without value) and can be adapted. Any other options that didn’t already exist in the configuration were simply added at the end of the file:

relayhost = [your-mailserver-on-the-internet.example.com]:587

# [...]

# enable SASL authentication?
smtp_sasl_auth_enable = yes
# disallow methods that allow anonymous authentication.
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
# where to find sasl_passwd
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# TLS transport encryption; may = STARTTLS; encrypt = Enforce TLS
smtp_tls_security_level = may
# where to find CA certificates (smtp_tls_CApath should have same value if existing)
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# maximum amount of memory in bytes for storing a message header (default: 102400)
header_size_limit = 4096000

[your-mailserver-on-the-internet.example.com]:587 has to be replaced with your own mail server and a suitable port (usually 587 or 25). If this server requires a user name and password (→ smtp_sasl_auth_enable = yes), the access data must be saved in the file /etc/postfix/sasl_passwd in the following form:

your-mailserver-on-the-internet.example.com   username:password

After every change to /etc/postfix/sasl_passwd, the associated postfix mapping must be updated:

postmap /etc/postfix/sasl_passwd
systemctl restart postfix.service

The file should only be readable by root as it contains credentials:

chown "root:root" "/etc/postfix/sasl_passwd"
chmod 0600 "/etc/postfix/sasl_passwd"

Enforce correct sender address

A simple configuration can be used to ensure that the sender information for e-mails to the relay is set to do-not-reply@example.com (you must replace @example.com with the valid sender domain in the following / has to be set to the value used for mydomain =).

In /etc/postfix/main.cf:

sender_canonical_classes = envelope_sender, header_sender
sender_canonical_maps = regexp:/etc/postfix/sender_canonical
smtp_header_checks = regexp:/etc/postfix/header_check

Content of /etc/postfix/sender_canonical:

/.+/    do-not-reply@example.com

After every change to /etc/postfix/sender_canonical, the associated postfix mapping must be updated:

postmap /etc/postfix/sender_canonical

Content of /etc/postfix/header_check:

/From:.*/ REPLACE From: pve.example.com (Proxmox, PVE) <do-not-reply@example.com>

These files should only be readable by root, too:

chown "root:root" "/etc/postfix/sender_canonical"
chmod 0600 "/etc/postfix/sender_canonical"

chown "root:root" "/etc/postfix/header_check"
chmod 0600 "/etc/postfix/header_check"

root alias

Mails for the root user of the system can also be easily forwarded to an admin email address. To do this, add a line to the /etc/aliases file (adjust admin@example.net to a suitable target address):

[...]
root: admin@example.net

After every change to /etc/aliases, the postfix alias database needs to be updated:

postalias /etc/aliases

The appropriate setting is already existing in /etc/postfix/main.cf by default, but you can check this again:

alias_maps = hash:/etc/aliases

Sender and user addresses in PVE

If you have configured Postfix as described above, the sender address will be adjusted or overwritten by the settings in /etc/postfix/sender_canonical and /etc/postfix/header_check. Nevertheless, for the sake of form, you can still set the sender address to the correct value in the web UI at “Datacenter → Options → Email from address”.

In addition, the e-mail addresses of the PVE user accounts can be specified at “Datacenter → Permissions → Users”.

Test and debugging

systemctl restart postfix.service
systemctl status postfix.service

# send test mail to admin@example.com
echo "This is the message" | mail -s "Hello World from $(hostname)" "admin@example.com"

# log
journalctl -f -u postfix*

  1. You can easily get this with hostname -f↩︎