How To Configure Proxmox VE To Send Email Alerts

Nov 24, 2023 · 7 mins read
In the video below, we show you how to configure Proxmox VE so you can receive email alerts


As you configure Proxmox VE you’ll probably notice it can send emails, for example alerts when a backup job has run

But, in order to be able to send emails, you need to configure support for an SMTP server

Checking the documentation we can see that Proxmox VE relies on the sendmail binary and this is something provided with Postfix

So in this video we go over how to configure Postfix so that Proxmox VE can send you email notifications

Useful links:
https://pve.proxmox.com/pve-docs/pve-admin-guide.html#notification_targets
https://www.postfix.org/documentation.html
https://www.postfix.org/postconf.5.html

Configure Postfix:
As far as I’m aware there isn’t a means to configure Postfix from within the GUI, so we’ll have to do this from the CLI

And to do that you could select a hypervisor node and open a Shell session, or SSH into it for example

Either way, what we then need to do is to edit the Postfix config file

nano /etc/postfix/main.cf

Look for the following line

relayhost =

And comment it out to make it easier to add the settings that we need

# relayhost =

Now you need to append the configuration details for your email server

I use mailrise, so my configuration looks like this

relayhost = [mailrise.homelab.lan]:8025
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
smtp_tls_security_level = secure
smtp_tls_mandatory_ciphers = high
smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

The other settings can be left as is, but here is what these extra settings mean in my case

relayhost = [mailrise.homelab.lan]:8025
Send emails to the server mailrise.homelab.lan using TCP port 8025

TIP: The server name is enclosed in [] to avoid MX lookups in DNS. We’ve named the exact server to use anyway, and relying on MX record lookups can pose a risk

smtp_use_tls = yes
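Use TLS if the server announces support for STARTTLS. This is the older opportunistic switch; when smtp_tls_security_level is set, as it is further down, that setting takes precedence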

smtp_sasl_auth_enable = yes
Authenticate with the server

smtp_sasl_security_options = noanonymous
Allow plaintext authentication, but not anonymous authentication

TIP: This does lower security and it would be better to not add this line and use the defaults. However, I’m using mailrise and authentication fails if this setting is not present as plain text authentication is the only one available

smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
Use the hash file /etc/postfix/sasl/sasl_passwd.db for username/password lookups

smtp_tls_security_level = secure
smtp_tls_mandatory_ciphers = high
smtp_tls_secure_cert_match = nexthop, dot-nexthop
These three combined are to make sure we use TLS 1.2 or above, use high level ciphers for TLS and match on the nexthop domain or subdomain

smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
Use the /etc/ssl/certs/ca-certificates.crt file for CA certificate lookups

TIP: This is the OS root store in Linux and only needs to be updated if you’re using your own certificates

Configure Password File:
Although you could configure a static username and password in the main.cf file, it’s better to store credentials in a separate file

This reduces the risk if you ever need to hand over the configuration file to a third party to help with troubleshooting for instance

First we need to create a plain text file

nano /etc/postfix/sasl/sasl_passwd

And add in the details of the server along with the user credentials

[mailrise.homelab.lan]:8025 smtpuser:smtp9876

Now save and exit

Basically we’ve defined the server and TCP port, just the same as in the main.cf file, and what follows is the username and password to authenticate with

Now what you put here depends on your server and the name for instance might be an email address rather than a username

NOTE: I’m just trying to make this easier to understand, but do use something less obvious and more complicated than this username and password

In any case, Postfix is expecting a database so we need to create one from our password file using the following command

postmap /etc/postfix/sasl/sasl_passwd

As we have passwords in plain text, it makes sense to restrict their access to the root account only

chmod 0600 /etc/postfix/sasl/sasl_passwd*
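
The relay settings and the password file depend on each other, and a mismatch tends to fail quietly. The script below is an added example, not part of the original post: it checks a main.cf and sasl_passwd pair for a bracketed relayhost, plaintext SASL without mandatory TLS, a lookup key that does not match relayhost, and loose file permissions. The function names get_param and check_relay are hypothetical, and the sample files are constructed from the values used in this article.

```bash
#!/usr/bin/env bash
# Added example (not from the article): audit a Postfix relay setup.
# Assumes GNU stat (Debian/Proxmox VE); continuation lines in main.cf are not handled.

# Print the last value assigned to parameter $2 in main.cf-style file $1.
get_param() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | sed 's/[[:space:]]*$//'
}

# check_relay MAIN_CF SASL_PASSWD: print findings, return how many there were.
check_relay() {
    local cf="$1" pw="$2" n=0 relay level opts mode
    relay=$(get_param "$cf" relayhost)
    level=$(get_param "$cf" smtp_tls_security_level)
    opts=$(get_param "$cf" smtp_sasl_security_options)
    # Without [] Postfix does an MX lookup on the relay name.
    case $relay in
        \[*\]*) ;;
        *) echo "relayhost '$relay' is not in [host]:port form"; n=$((n + 1)) ;;
    esac
    # Plaintext SASL is only safe when TLS is mandatory, not opportunistic.
    # An unset smtp_sasl_security_options defaults to "noplaintext, noanonymous".
    case $level in
        encrypt|dane-only|fingerprint|verify|secure) ;;
        *) case ${opts:-noplaintext} in
               *noplaintext*) ;;
               *) echo "plaintext SASL allowed but TLS level '$level' is not mandatory"; n=$((n + 1)) ;;
           esac ;;
    esac
    # The sasl_passwd lookup key must match relayhost character for character.
    if ! awk -v k="$relay" '$1 == k { hit = 1 } END { exit !hit }' "$pw"; then
        echo "no sasl_passwd entry keyed on '$relay'"; n=$((n + 1))
    fi
    # The file holds a cleartext password, so it must be owner-only.
    mode=$(stat -c %a "$pw")
    [ "$mode" = 600 ] || { echo "$pw is mode $mode, expected 600"; n=$((n + 1)); }
    return "$n"
}

# Constructed sample files, reusing the article's relay name and demo credentials.
demo=$(mktemp -d)
printf '%s\n' '# relayhost =' 'relayhost = [mailrise.homelab.lan]:8025' \
    'smtp_sasl_security_options = noanonymous' 'smtp_tls_security_level = secure' > "$demo/good.cf"
printf '%s\n' 'relayhost = mailrise.homelab.lan:8025' 'smtp_use_tls = yes' \
    'smtp_sasl_security_options = noanonymous' > "$demo/weak.cf"
printf '%s\n' '[mailrise.homelab.lan]:8025 smtpuser:smtp9876' > "$demo/sasl_passwd"
chmod 0600 "$demo/sasl_passwd"
check_relay "$demo/good.cf" "$demo/sasl_passwd" && echo "good.cf: no findings"
check_relay "$demo/weak.cf" "$demo/sasl_passwd" || echo "weak.cf: $? finding(s)"
```

On a node, the same function can be pointed at the real files as root: check_relay /etc/postfix/main.cf /etc/postfix/sasl/sasl_passwd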

Install SASL 2 Modules:
Now it is possible to run into authentication problems. For instance I was getting an error like this when connecting to mailrise
“SASL authentication failure: No worthy mechs found”

That’s because the two computers couldn’t agree on an authentication mechanism to use

To avoid this, we need to install the libsasl2 modules

apt update
apt install libsasl2-modules

This is for the Cyrus SASL method which oddly enough Postfix will use by default

For our changes to take effect, the last thing to do is to reload Postfix

postfix reload

With that done, Postfix is now configured and ready to use

Trust Private Root CA:
If you’re using a Public email server or your server is using a certificate signed by a Public CA you can skip this section

But if you have your own Root CA you’ll want to update the root certificate store as the server needs to trust the email server certificate

First we’ll create a new folder

mkdir /usr/share/ca-certificates/extra

Next we’ll update the config file with details of our root certificate

nano /etc/ca-certificates.conf

In my case it’s called root-ca.crt

extra/root-ca.crt

Now save and exit

You will then need to upload your root certificate to /usr/share/ca-certificates/extra

In my case I just create the file

nano /usr/share/ca-certificates/extra/root-ca.crt

Then copy and paste the contents

And save and exit

Finally, we need to update the root store

update-ca-certificates

This basically just appends our own root CA certificate to the Public ones that are already in there

Testing:
In the grand scheme of things we want to be receiving emails from PVE when a backup job has completed for instance

But it makes sense to first check if Postfix is working

One way to do that is to run a command like this

echo "pve sample message" | mail -s "pve email test" slack@mailrise.xyz

This uses the echo command to create the message, which is then piped to the mail command

We use the -s parameter to specify the subject and then define the email address to send this to

In my case, I want mailrise to send an alert to Slack

But you’ll probably want to change that email address to something more suitable for you

TIP: Expect to receive emails from root and with a domain name that is defined by the myhostname entry in the /etc/postfix/main.cf file

Once you know that Postfix is working, you can configure the correct email address in say a backup job, and you should now receive emails

Troubleshooting:
Sometimes things don’t go to plan, and to help find out what’s broken, you should check the log files

Aside from checking the logs on the email server you should also check the logs on Proxmox VE

In the GUI, select the server then navigate to System | Syslog

Prior to Debian 12 you could check Syslog from the command line, for example, to show the last 20 lines

tail -n 20 /var/log/syslog

Going forward you can use the following command instead

journalctl -xe

If you’re not receiving messages and want to check if an email has been sent, you can check the email queue on the Proxmox VE server with the following command

mailq

If you are seeing problems resolving hostnames check the following files
/etc/resolv.conf
/var/spool/postfix/etc/resolv.conf

I’ve noticed that if you change the DNS server in the GUI, the latter file needs to be updated manually and that’s what Postfix is using for DNS lookups

Summary:
What we’ve done here is to configure Proxmox VE to be able to send us email alerts and that’s an extremely useful feature

Granted you have to do this through the command line, as Postfix isn’t something Proxmox themselves are providing

Instead they’re taking advantage of software that’s included with the Debian operating system

Bear in mind though, if you have a cluster, you’ll need to complete this process on every node
