{"id":100484,"date":"2026-02-14T21:49:27","date_gmt":"2026-02-14T20:49:27","guid":{"rendered":"https:\/\/dyb.fr\/?p=100484"},"modified":"2026-02-14T21:49:28","modified_gmt":"2026-02-14T20:49:28","slug":"personnaliser-le-ehlo-sur-proxmox-mail-gateway-sans-modifier-le-domaine-interne-de-la-vm","status":"publish","type":"post","link":"https:\/\/dyb.eu\/blog\/personnaliser-le-ehlo-sur-proxmox-mail-gateway-sans-modifier-le-domaine-interne-de-la-vm\/","title":{"rendered":"Customizing the EHLO on Proxmox Mail Gateway (without changing the VM's internal domain)"},"content":{"rendered":"<figure class=\"wp-block-post-featured-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1536\" height=\"1024\" src=\"https:\/\/dyb.eu\/blog\/wp-content\/uploads\/2026\/02\/ehlo-pmg.png\" class=\"attachment-post-thumbnail size-post-thumbnail wp-post-image\" alt=\"\" style=\"object-fit:cover;\" srcset=\"https:\/\/dyb.eu\/blog\/wp-content\/uploads\/2026\/02\/ehlo-pmg.png 1536w, https:\/\/dyb.eu\/blog\/wp-content\/uploads\/2026\/02\/ehlo-pmg-1280x853.png 1280w, https:\/\/dyb.eu\/blog\/wp-content\/uploads\/2026\/02\/ehlo-pmg-980x653.png 980w, https:\/\/dyb.eu\/blog\/wp-content\/uploads\/2026\/02\/ehlo-pmg-480x320.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) and (max-width: 1280px) 1280px, (min-width: 1281px) 1536px, 100vw\" \/><\/figure>\n\n\n<p class=\"wp-block-paragraph\">When you deploy a <strong>Proxmox Mail Gateway<\/strong>, you often end up with an internal hostname (such as <code>pmg01.lan<\/code>) that does not match the public FQDN remote SMTP servers expect.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The result?<br>Warnings such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>Hostname does not resolve to IP<\/code><\/li>\n\n\n\n<li><code>Reverse DNS mismatch<\/code><\/li>\n\n\n\n<li>or worse\u2026 a reputation that takes a hit.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Good news: <strong>there is no need to change the VM's internal domain<\/strong> to fix the EHLO. You can cleanly override the Postfix template that PMG uses.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here is the clean, durable method (cluster-compatible).<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83c\udfaf Goal<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Force the <code>myhostname<\/code> (and optionally <code>mydomain<\/code>) that Postfix uses for the EHLO, without touching:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>the system hostname<\/li>\n\n\n\n<li>the internal AD domain<\/li>\n\n\n\n<li>the local DNS configuration<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\ud83e\uddf1 Step 1 \u2013 Create the custom templates directory<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">On the <strong>master node<\/strong>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mkdir -p \/etc\/pmg\/templates\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\ud83d\udcc4 Step 2 \u2013 Copy the default Postfix template<\/h1>\n\n\n\n<pre class=\"wp-block-code\"><code>cp \/var\/lib\/pmg\/templates\/main.cf.in \/etc\/pmg\/templates\/\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">PMG uses automatically generated templates.<br>We will create a custom version that takes precedence.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\u270f\ufe0f Step 3 \u2013 Edit the template<\/h1>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/pmg\/templates\/main.cf.in\n<\/code><\/pre>\n\n\n\n<p
class=\"wp-block-paragraph\">Around line 22, you will find:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mydomain = &#91;% dns.domain %]\nmyhostname = &#91;% dns.hostname %].&#91;% dns.domain %]\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Replace these two lines with a customized version.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\ud83c\udd70\ufe0f Case 1 \u2013 A single PMG<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">If you have <strong>a single PMG server<\/strong>, the configuration is simple:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Custom EHLO configuration\nmydomain = domainxyz.net\nmyhostname = pmg10.domainxyz.net\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\ud83d\udc49 Here:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>domainxyz.net<\/code> = your public domain<\/li>\n\n\n\n<li><code>pmg10.domainxyz.net<\/code> = the FQDN, which must match:\n<ul class=\"wp-block-list\">\n<li>the public IP<\/li>\n\n\n\n<li>the reverse DNS<\/li>\n\n\n\n<li>the A record<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">This is the cleanest method if you do not have a cluster.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\ud83c\udd71\ufe0f Case 2 \u2013 PMG cluster (multi-node)<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">If you have several PMGs (for example <code>pmg10<\/code>, <code>pmg11<\/code>, <code>pmg13<\/code>), you can use a dynamic <code>SWITCH<\/code> based on the hostname:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Custom EHLO configuration (cluster mode)\nmydomain = domainxyz.net\n\n&#91;% SWITCH dns.hostname %]\n&#91;% CASE 'pmg10' %]\nmyhostname = pmg10.domainxyz.net\n&#91;% CASE 'pmg11' %]\nmyhostname = pmg11.domainxyz.net\n&#91;% CASE 'pmg13' %]\nmyhostname = pmg13.domainxyz.net\n&#91;% CASE
%]\nmyhostname = pmgErreur.domainxyz.net\n&#91;% END %]\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Advantages:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A single template for the whole cluster<\/li>\n\n\n\n<li>Automatic adaptation to each node<\/li>\n\n\n\n<li>Clean and maintainable<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The final <code>CASE<\/code> acts as a safety fallback.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\ud83d\udd04 Step 4 \u2013 Synchronize the configuration<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Next, force synchronization to the slave nodes:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>pmgconfig sync --restart 1\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u26a0\ufe0f The message:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>could not change directory to \"\/root\": Permission denied\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">is harmless.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This will:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>create <code>\/etc\/pmg\/templates<\/code> on each node<\/li>\n\n\n\n<li>synchronize <code>main.cf.in<\/code><\/li>\n\n\n\n<li>regenerate the Postfix configuration<\/li>\n\n\n\n<li>restart the services<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\u2705 Verify that it works<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">On a node:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>postconf myhostname\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Then test from outside, against your public IP:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>telnet votre_ip_publique 25\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">You should see:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>220 pmg10.domainxyz.net ESMTP
Postfix\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\ud83d\udca1 Why this method matters<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Editing <code>\/etc\/postfix\/main.cf<\/code> directly is a bad idea:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>PMG overwrites the files on every sync<\/li>\n\n\n\n<li>Updates can undo your changes<\/li>\n\n\n\n<li>The cluster will not be consistent<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Overriding via <code>\/etc\/pmg\/templates\/<\/code> is <strong>the clean, supported method<\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\ud83c\udfaf SMTP best practices<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">To avoid deliverability problems:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u2714 Consistent public FQDN<br>\u2714 Matching reverse DNS<br>\u2714 Valid SPF<br>\u2714 DKIM enabled<br>\u2714 Clean PTR<br>\u2714 TLS certificate matching the hostname<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\ud83c\udfe2 At DYB<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">At <strong>DYB<\/strong>, we build secure mail infrastructures for SMEs, accounting firms, banks and multi-site environments:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Clustered Proxmox Mail Gateway<\/li>\n\n\n\n<li>Advanced SPF \/ DKIM \/ DMARC<\/li>\n\n\n\n<li>Anti-phishing protection<\/li>\n\n\n\n<li>High availability<\/li>\n\n\n\n<li>IP reputation monitoring<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">If you want an audit of your mail stack or more reliable deliverability, let's talk
\ud83d\ude09<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When you deploy a Proxmox Mail Gateway, you often end up with an internal hostname (such as pmg01.lan) that does not match the public FQDN remote SMTP servers expect. The result? Warnings such as: Good news: there is no need to change the VM's internal domain to fix the EHLO. You can override [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":100486,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[21,29,50],"class_list":["post-100484","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-adminsys","tag-cybersecurite","tag-linux","tag-network"],"_links":{"self":[{"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/posts\/100484","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/comments?post=100484"}],"version-history":[{"count":2,"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/posts\/100484\/revisions"}],"predecessor-version":[{"id":100487,"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/posts\/100484\/revisions\/100487"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/media\/100486"}],"wp:attachment":[{"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/media?parent=100484"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/categories?post=100484"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/tags?post=100484"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":tru
e}]}}