Proxmox Mail Gateway 9.1: Key Changes to Quarantine and Backup Encryption

Proxmox Mail Gateway 9.1 became the latest stable release in June 2026, bringing two notable improvements: a revised quarantine interface and integrated backup encryption. For anyone running a self-hosted mail infrastructure, these changes directly affect how you manage quarantined messages and protect backup data. The update is available through the standard repository, and upgrading from version 8.x or 9.0 is straightforward, though the changelog notes a few compatibility points worth reviewing.

What Happened: The New Features

The quarantine system has been reworked to give administrators per-user release control. Instead of relying solely on a global view, you can now let users release their own quarantined messages without needing to access the admin panel. The interface itself has also been cleaned up, with better filtering and search capabilities. The automated rule engine, used for defining what gets quarantined, now supports more granular conditions, though the exact syntax hasn’t changed drastically.

On the backup side, Proxmox Mail Gateway 9.1 now encrypts backups using AES-256 by default. The encryption keys are managed through the Proxmox VE datacenter if you’re running the gateway on top of Proxmox VE—which is the typical deployment. If you’re using a standalone installation without Proxmox VE, the encryption setup requires additional manual steps. The encryption is applied when creating a backup of the mail gateway’s configuration and quarantine database, not to the actual email content passing through (that’s handled separately via transport encryption).

According to the official changelog on the Proxmox wiki, these are the headline features among several smaller fixes and performance improvements.

Why It Matters

The quarantine improvements reduce administrative overhead. In previous versions, only the admin could release messages, which meant constant small requests from users who needed a false positive retrieved. The per-user release option shifts that responsibility back to the user, assuming you enable it in the gateway’s quarantine settings. It’s a small change, but it can save time in environments with dozens or hundreds of mailboxes.

The backup encryption addresses a longer-standing gap. Without encryption, backup files containing the quarantine database and rule configurations were stored as plain archives. If someone gained access to those backups—through a compromised storage server or an errant file share—they could extract email metadata and even the full content of quarantined messages. AES-256 encryption raises the bar, though the keys themselves need to be managed properly. If you lose the key, the backup is unrecoverable.

There is some uncertainty around how the encryption interacts with automated backup scripts that rely on the Proxmox backup tool. The default behavior is explained in the wiki, but administrators using custom scripts should verify that the encryption flag is correctly applied.

What Readers Can Do

If you’re on Proxmox Mail Gateway 8.x or 9.0, upgrading to 9.1 is done via apt:

apt update
apt dist-upgrade

You should run this on a test system first if your environment is production-critical. After the upgrade, review the quarantine settings under Mail > Quarantine. The per-user release option is off by default. Enable it under Quarantine Options if you want that behavior. Test that users receive the quarantine digest emails and can click through to release messages.

For backup encryption, you need to ensure you have a Proxmox VE datacenter configured. If you’re running the gateway as a standalone virtual machine or on bare metal without Proxmox VE, you’ll need to set up encryption manually using the pmgbackup tool’s --encrypt-key flag, as described in the documentation. The wiki page for Proxmox Mail Gateway 9.1 has the full details under the backup section.

As a best practice after upgrade:

  • Review and tighten the quarantine notification templates, especially if you enabled user release.
  • Set a retention policy for encrypted backups and store the encryption key securely—ideally offline or in a password manager used by the team.
  • Test a full restore from an encrypted backup to confirm the process works as expected.
  • Monitor the system logs for any new warnings related to the quarantine module, as the interface changes may cause minor issues with older custom scripts.

Sources

  • Help Net Security report on Proxmox Mail Gateway 9.1 release (June 11, 2026)
  • Proxmox Mail Gateway 9.1 changelog and documentation, Proxmox Wiki

The full changelog is available at the Proxmox wiki for those who want to see every low-level fix. The release notes are worth reading if you use any custom hooks or API scripts, as a few interface endpoints have been deprecated in favor of the new quarantine API.