This article describes how to enable MTA IP Blocking for PureMessage for UNIX. This service allows you to block IP addresses with a bad reputation at the connection-level.
First seen in
PureMessage for Unix
What To Do
The Puremessage Blocklist is not enabled by default on new installations of the product and must be enabled to allow blocking at the MTA level.
Enable IP Blocking data
To enable the IP blocklist data, run the following command as the pmx user:
$ pmx-blocklist --enable
Turn IP blocking ON
Via the PureMessage Manager UI, turn on IP blocking:
- Log in to PureMessage Manager
- Go to 'Local Services > MTA IP Blocking'
- Select the 'Enable' option
Verifying IP blocker is enabled
To verify IP blocker service is running, run the following command:
$ pmx-service status blockerd
When IP blocker has been turned on the following configuration is added to the Postfix
smtpd_client_restrictions = ignore_policy_error,check_policy_service inet:[127.0.0.1]:4466
Verifying IP blocker is working
When IP blocker is working, the following log file will be created:
This log file will show when connections are accepted or rejected based on IP blocking data. For example:
"22.214.171.124 OK" for a connection that was accepted.
"126.96.36.199 REJECT" for an IP address that was listed as a spam source or compromised host.
For more information on configuring IP blocker, see the following sophos.com article:
PureMessage for UNIX: Enabling Sender Genotype for IP Blocker