inselboy
Hi,
I've been running PowerMTA (PMTA) for a few years now with a complex setup involving a monitor server with PMTA and HAProxy,
along with multiple VPS slaves. This setup allows me to send emails using a PMTA pickup directory, distributing the emails
to different hosts, rewriting headers, setting up DKIM on the VPS slaves, and ensuring the emails are sent out efficiently.
For incoming connections, I have a standard Postfix server on port 25 to collect late bounces. On a high port, I run the
PMTA service to process bounces and feedback loop (FBL) reports directly using a bounce handler PHP script.
These processed bounces and FBLs are then sent directly to my monitor server via an API connection.
I've been involved in email marketing for quite some time, starting back in 1999. Over the years, I've used various tools
from DarkMailer, LightSpeed Nexus, SendSafe, and MailerKing, to my current setup with PMTA, HAProxy, and MailWizz.
I want to give some tutorials back. Let's get started.
1. Migrating an RPM Package to a DEB File with Alien
Over the weekend I upgraded all my machines from CentOS 7 to Ubuntu 24.
This might be helpful:
sudo apt update
sudo apt install -y alien
#convert to deb
sudo cp /home/ubuntu/repositories/PowerMTA-5.0r3.rpm /tmp/
cd /tmp
sudo alien --scripts -d PowerMTA-5.0r3.rpm
cp /tmp/powermta_5.0r3-*amd64.deb /home/ubuntu/
cd /home/ubuntu/
#install
sudo dpkg -i /home/ubuntu/powermta_5.0r3-*amd64.deb
2. Now a small tutorial to secure your pmta monitor:
I use haproxy18 (an old version but working on my current pmta version).
Number One:
sudo nano /etc/haproxy18/powermta_users
admin:mickeymouse555
Number Two:
(Check what port you use in /etc/pmta/config, let's say: http-mgmt-port 14000, put ssl cert in /etc/haproxy18/cert/)
We want to connect to with haproxy password authentication and close later 14000 from outside.
nano /etc/haproxy18/haproxy.cfg
frontend pmta_frontend
    bind *:14001 ssl crt /etc/haproxy18/cert/
    mode http
    option http-server-close
    acl auth_required http_auth(pmta_users)
    http-request auth realm PowerMTA if !auth_required
    default_backend pmta_backend

backend pmta_backend
    mode http
    timeout http-keep-alive 3000
    timeout server 1m
    timeout connect 10s
    server pmta_server 127.0.0.1:14000 ssl verify none

userlist pmta_users
    user admin insecure-password mickeymouse555
Number Three:
sudo systemctl restart haproxy18
sudo systemctl status haproxy18
If you can connect to monitor on then we block port 14000. I run firewalld (in ubuntu 24)
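#open 14001 in the runtime config; --runtime-to-permanent below saves it
#(a --permanent-only add would be overwritten by that step)
sudo firewall-cmd --zone=public --add-port=14001/tcp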
sudo firewall-cmd --zone=public --remove-port=14000/tcp
sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" port port="14000" protocol="tcp" reject'
sudo firewall-cmd --runtime-to-permanent
sudo firewall-cmd --reload
sudo firewall-cmd --list-all
Now we run pmta monitor still on 14000 but have haproxy connection
from 14001 to internal 14000 and we block 14000 outside connections.
This provides additional security and ensures that no one can see
that you are running the PMTA monitor.
I am still looking for PMTA 5.5r6. If anyone can help, please send me a message.
German is fine too.
Best regards
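
The config in the post keeps the monitor password in cleartext (`insecure-password`) and turns off backend certificate checks (`verify none`); HAProxy's `password` keyword takes a crypt(3) hash instead of the cleartext value. The following is an added example, not part of the original post, that flags those settings in a haproxy.cfg. The function names, finding labels and placeholder password are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: flag weak settings in a haproxy.cfg that fronts an admin UI.
# Finding labels and function names are this example's own.
audit_haproxy_cfg() {
    cfg=$1
    awk '
        { sub(/#.*/, "") }    # strip comments before matching
        # userlist entry that keeps the password in cleartext
        $1 == "user" {
            for (i = 3; i <= NF; i++) if ($i == "insecure-password")
                print "cleartext-password line " NR " user=" $2
        }
        # listener without TLS would carry Basic auth credentials in clear
        $1 == "bind" {
            tls = 0
            for (i = 3; i <= NF; i++) if ($i == "ssl") tls = 1
            if (!tls) print "bind-without-tls line " NR " addr=" $2
        }
        # TLS to the backend with certificate validation switched off
        $1 == "server" {
            for (i = 4; i < NF; i++) if ($i == "verify" && $(i + 1) == "none")
                print "backend-cert-unverified line " NR " server=" $2
        }
    ' "$cfg"
    # a cleartext secret is worse when every local account can read the file
    if [ -n "$(find "$cfg" -perm -004)" ]; then
        echo "world-readable file=$cfg"
    fi
}

# Constructed sample modelled on the config in the post; placeholder password.
write_sample_cfg() {
    cat > "$1" <<'EOF'
frontend pmta_frontend
    bind *:14001 ssl crt /etc/haproxy18/cert/
    acl auth_required http_auth(pmta_users)
    http-request auth realm PowerMTA if !auth_required
    default_backend pmta_backend
backend pmta_backend
    server pmta_server 127.0.0.1:14000 ssl verify none
userlist pmta_users
    user admin insecure-password EXAMPLE-ONLY
EOF
}

sample=$(mktemp)
write_sample_cfg "$sample"
audit_haproxy_cfg "$sample"
rm -f "$sample"
```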