How To Configure Promox VE To Send Email Alerts
In the video below, we show you how to configure Proxmox VE so you can receive email alerts
As you configure Proxmox VE you’ll probably notice it can send emails, for example you can send alerts when a backup job has run
But, in order to be able to send emails, you need to configure support for an SMTP server
Checking the documentation we can see that Proxmox VE relies on the sendmail binary and this is something provided with Postfix
So in this video we go over how to configure Postifx so that Proxmox VE can send you email notifications
Useful links:
https://pve.proxmox.com/pve-docs/pve-admin-guide.html#notification_targets
https://www.postfix.org/documentation.html
https://www.postfix.org/postconf.5.html
Configure Postfix:
As far as I’m aware there isn’t a means to configure Postifx from within the GUI, so we’ll have to do this from the CLI
And to do that you could select a hypervisor node and open a Shell session, or SSH into it for example
Either way, what we then need to do is to edit the Postfix config file
nano /etc/postfix/main.cfLook for the for the following line
relayhost =And comment it out to make it easier to add the settings that we need
# relayhost =I use mailrise, so my configuration looks like this
relayhost = [mailrise.homelab.lan]:8025
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
smtp_tls_security_level = secure
smtp_tls_mandatory_ciphers = high
smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crtThe other settings can be left as is, but what these extra settings mean for me are as follows
relayhost = [mailrise.homelab.lan]:8025
Send emails to the server mailrise.homelab.lan using TCP port 8025
TIP: The server name is enclosed in [] to avoid MX lookups in DNS. For one thing we’ve specified the server to use anyway but relying on MX record lookups can pose a risk
smtp_use_tls = yes
Use TLS if the server announces support for STARTTLS
smtp_sasl_auth_enable = yes
Authenticate with the server
smtp_sasl_security_options = noanonymous
Allow plaintext authentication, but not anonymous authentication
TIP: This does lower security and it would be better to not add this line and use the defaults. However, I’m using mailrise and authentication fails if this setting is not present as plain text authentication is the only one available
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
Use the hash file /etc/postfix/sasl/sasl_passwd.db for username/password lookups
smtp_tls_security_level = secure
smtp_tls_mandatory_ciphers = high
smtp_tls_secure_cert_match = nexthop, dot-nexthop
These three combined are to make sure we use TLS 1.2 or above, use high level ciphers for TLS and match on the nexthop domain or subdomain
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
Use the /etc/ssl/certs/ca-certificates.crt file for CA certificate lookups
TIP: This is the OS root store in Linux and only needs to be updated if your using your own certificates
Configure Password File:
Although you could configure a static username and password in the main.cf file, it’s better to store credentials in a separate file
This reduces the risk if you ever need to handover the configuration file to a third party to help with troubleshooting for instance
First we need to create a plain text file
nano /etc/postfix/sasl/sasl_passwdAnd add in the details of the server along with the user credentials
[mailrise.homelab.lan]:8025 smtpuser:smtp9876Now save and exit
Basically we’ve defined the server and TCP port, just the same as in the main.cf file, and what follows is the username and password to authenticate with
Now what you put here depends on your server and the name for instance might be an email address rather a username
NOTE: I’m just trying to make this easier to understand, but do use something less obvious and more complicated than this username and password
In any case, Postifx is expecting a database so we need to create one from our password file using the following command
postmap /etc/postfix/sasl/sasl_passwdAs we have passwords in plain text, it makes sense to restrict their access to the root account only
chmod 0600 /etc/postfix/sasl/sasl_passwd*Install SASL 2 Modules:
Now it is possible to run into authentication problems. For instance I was getting an error like this when connecting to mailrise
“SASL authentication failure: No worth mechs found”
That’s because the two computers couldn’t agree on an authenticaton mechanism to use
To avoid this, we need to install the libsasl2 modules
apt update
apt install libsasl2-modulesThis is for the Cyrus SASL method which oddly enough Postifx will use by default
For our changes to take effect, the last thing to do is to reload Postfix
postfix reloadWith that done, Postfix is now configured and ready to use
Trust Private Root CA:
If you’re using a Public email server or your server is using a certificate signed by a Public CA you can skip this section
But if you have your own Root CA you’ll want to update the root certificate store as the server needs to trust the email server certificate
First we’ll create a new folder
mkdir /usr/share/ca-certificates/extraNext we’ll update the config file with details of our root certificate
nano /etc/ca-certificates.confIn my case it’s called root-ca.crt
extra/root-ca.crtNow save and exit
You will then need to upload your root certificate to /usr/share/ca-certificates/extra
In my case I just create the file
nano /usr/share/ca-certificates/extra/root-ca.crtThen copy and paste the contents
And save and exit
Finally, we need to update the root store
update-ca-certificatesThis basically just appends our own root CA certificate to the Public ones that are already in there
Testing:
In the grand scheme of things we want to be receiving emails from PVE when a backup job has completed for instance
But it makes sense to first check if Postfix is working
One way to do that is to run a command like this
echo "pve sample message" | mail -s "pve email test" slack@mailrise.xyzThis uses the echo command to create the message, that is then forwarded to the mail command
We use the -s parameter to specify the subject and then define the email address to send this to
In my case, I want mailrise to send an alert to Slack
But you’ll probably want to change that email address to something more suitable for you
TIP: Expect to receive emails from root and with a domain name that is defined by the myhostname entry in the /etc/postfix/main.cf file
Once you know that Postfix is working, you can configure the correct email address in say a backup job, and you should now receive emails
Troublehooting:
Sometimes things don’t go to plan, and to help find out what’s broken, you should check the log files
Aside from checking the logs on the email server you should also check the logs on Proxmox VE
In the GUI, select the server then navigate to System | Syslog
Prior to Debian 12 you could check Syslog from the command line, for exmaple, to show the last 20 lines
tail -n 20 /var/log/syslogGoing forward you can use the following command instead
journalctl -xeIf you’re not receiving messages and want to check if an email has been sent, you can check the email queue on the Proxmox VE server with the following command
mailqIf you are seeing problems resolving hostnames check the following files
/etc/resolv.conf
/var/spool/postfix/etc/resolv.conf
I’ve noticed that if you change the DNS server in the GUI, the latter file needs to be updated manually and that’s what Postfix is using for DNS lookups
Summary:
What we’ve done here is to configure Proxmox VE to be able to send us email alerts and that’s an extremely useful feature
Granted you have to do this through the command line, as Postifx isn’t something Proxmox themselves are providing
Instead they’re taking advantage of software that’s included with the Debian operating system
Bear in mind though, if you have a cluster, you’ll need to complete this process on every node
Sharing is caring!