What is Proxmox Mail Gateway (PMG)?

Proxmox as a managed service - WZ-IT designs, builds and operates Proxmox environments including the Mail Gateway: front-line spam and virus protection, quarantine, clustering and clean monitoring. Book a meeting · More on Proxmox

Proxmox Mail Gateway (PMG) is an open-source email security solution from Proxmox Server Solutions GmbH that acts as a mail proxy in front of your actual mail server. PMG receives all inbound and outbound email traffic, filters out spam, viruses, phishing and unwanted attachments, and forwards only clean messages to the mail server behind it. The software is licensed under the GNU AGPLv3 and is fully free to use; an optional subscription provides the stable enterprise repository and vendor support.

The key point to understand: PMG is not a mail server. It does not store mailboxes and does not manage accounts. It sits as a filtering layer between the internet and your mail system. The actual delivery, storage and access via IMAP or Exchange remain with your existing platform.

What Proxmox Mail Gateway actually does

In the mail chain, PMG typically sits between the firewall and the internal mail server. The domain's MX record points to the gateway rather than directly to the mail server, so every inbound message passes through PMG first:

1. Acceptance and pre-checks: Postfix accepts the connection and already applies SMTP-level checks such as greylisting, DNS blocklists (RBL/DNSBL) and SPF.
2. Content analysis: SpamAssassin scores headers and content, ClamAV scans for viruses and malicious code, and rules inspect attachments and senders.
3. Decision: These signals produce a spam score. Depending on the threshold, the message is delivered, moved to quarantine or rejected.
4. Delivery: Clean messages go to the downstream mail server (Exchange, Postfix, Mailcow, Zimbra and others).

Outbound traffic flows through PMG as well. This makes it possible to detect compromised internal systems before they harm your domain reputation, and to sign outgoing mail with DKIM.

Core features at a glance

PMG bundles established open-source building blocks into a single, centrally managed gateway. The most important capabilities:

• Spam filtering: Multi-stage scoring from SpamAssassin rules, statistical (Bayesian) analysis, greylisting, SPF/DKIM/DMARC, DNS blocklists and checks such as SMTP whitelisting and sender verification. The result is a numeric spam score.
• Virus scanning: ClamAV inspects every message and attachment for viruses, trojans and malware. Commercial virus scanners can be integrated as well.
• Quarantine: Suspicious spam, virus and attachment mails land in separate quarantines instead of the inbox. Users receive configurable quarantine reports and can release individual messages themselves, without admin intervention.
• Rule system: A flexible framework of object groups (who, what, when) and actions enables fine-grained policies, for example blocking certain file types, adding disclaimers or selectively rerouting messages.
• Whitelists and blacklists: Senders, domains and IPs can be placed on allow or block lists per domain and per user.
• Clustering: Several PMG nodes form a cluster with synchronized configuration and a shared quarantine database. This delivers high availability, load balancing and scaling into the range of millions of mails per day.
• Message Tracking Center: A central search shows exactly what happened to each individual message, from acceptance to delivery or rejection.
• Statistics and reporting: Dashboards and reports on spam volume, viruses, top senders and recipients.
• LDAP / Active Directory integration: Users and groups can be synced from the directory service to drive rules and quarantine access.

Administration, quarantine release and configuration run through a web interface, complemented by a REST API and the command line.

PMG is not a mail server: the clear distinction

This distinction often causes confusion in practice. PMG does not replace a mail server or a groupware suite. It handles only the filtering and transport layer in front of it.

In short: PMG protects the mail server but does not replace it. The two usually run as separate systems, often as virtual machines on a Proxmox VE environment. For what Proxmox VE delivers as a virtualization platform, see our article What is Proxmox?.

Who is Proxmox Mail Gateway for?

PMG is attractive for organizations that want to run their email protection themselves rather than outsource it to a cloud service:

• Companies with their own mail server that need a dedicated, front-line spam and virus filter.
• MSPs and hosters securing many domains and tenants from a single central platform.
• Public sector and regulated industries where data sovereignty and GDPR compliance are decisive, because mail metadata and quarantine contents stay in house or with an EU hoster.
• Organizations reducing VMware or Microsoft dependencies and shifting their infrastructure to open-source building blocks.

The price for this control is operational effort: updates, rule tuning, monitoring and the clean interplay with DNS, SPF, DKIM and DMARC all need ongoing care.

Is Proxmox Mail Gateway free?

Yes. PMG is fully licensed under the GNU AGPLv3. There is no feature gating and no limit on domains or users. The difference between free and paid use lies in the repository and support, not in the feature set. Without a subscription you use the no-subscription repository with current but less heavily tested updates; with a subscription you get the stable enterprise repository and vendor support.

The subscription is billed per host and year, including unlimited users and domains. The official tiers (as of June 2026):

The stated response times are guaranteed first responses to critical requests within business hours. Prices are net plus VAT where applicable.

Current version: Proxmox Mail Gateway 9.1

The current release is Proxmox Mail Gateway 9.1, published on 11 June 2026. It is based on Debian 13.5 (Trixie) with Linux kernel 7.0 as the new default and bundles ZFS 2.4, PostgreSQL 17, SpamAssassin 4.0.2 with updated rulesets and ClamAV 1.4.4, among others. The most notable changes:

• Improved quarantine: Mails can be marked as seen in shared mailboxes, and the summed positive and negative spam scores are visible at a glance.
• Client-side backup encryption with key management and an optional master key for recovery.
• Pre-login consent banner and optional audit logging of mail envelope headers for traceability and compliance.

PMG can be installed on bare metal or as a virtual machine, for example inside a Proxmox VE environment.

Operations and support

A front-line mail filter only delivers value through careful tuning and reliable operations: correctly set spam thresholds, well-maintained rules, working DKIM and DMARC configuration, and monitoring that keeps an eye on quarantine and delivery. That is exactly where we come in. WZ-IT designs, builds and operates Proxmox environments including the Mail Gateway, from the first cluster design to ongoing managed service. Learn more on our Proxmox as a managed service page or in a no-obligation initial consultation.