PureMessage for UNIX: Configuring SMTP Authentication with the MTA IP Blocker (Postfix only)
Sophos recommends enabling the MTA-level IP Blocker as part of an overall strategy to optimize PureMessage performance. If you want to authenticate connections using SMTP-AUTH while MTA-level blocking is enabled, you must modify PureMessage Postfix. SMTP-AUTH is not supported for external Postfix installations or for any version of sendmail.
When configured as described below, your system permits access for any IP address contained in the $mynetworks parameter, and then checks to see if it's an authenticated connection. If authentication is successful, messages are delivered without further testing. If authentication fails, messages are passed along to the MTA IP Blocker to begin testing.
Since SMTP-AUTH alone is not secure (it sends usernames and passwords over the internet in plain text format), it is recommended that you use SMTP-AUTH in conjunction with Transport Layer Security (TLS), so that this information is encrypted.
What to do
- In /opt/pmx/postfix/etc/main.cf, edit the smtpd_client_restrictions option so that it appears as follows:

    smtpd_client_restrictions = permit_mynetworks,
        permit_sasl_authenticated,ignore_policy_error,
        check_policy_service inet:localhost:4466

  The contents of the entry must be in exactly the order that is shown above.
- Support for Dovecot protocol version 1 (server only) was enabled as of PureMessage 5.3.1. Other SASL authentication programs are not supported. See the Dovecot website for installation and configuration instructions.
  Add the following lines to main.cf to enable SASL authentication:

    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_sasl_security_options = noanonymous

- When configuring SMTP-AUTH to work with TLS, also add the following lines:

    smtpd_tls_auth_only = yes
    smtpd_tls_cert_file = PathToServerCertificateFile
    smtpd_tls_key_file = PathToPrivateKeyFile
    smtpd_use_tls = yes
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_database = btree:PathToSessionCacheFile
    smtp_tls_session_cache_database = btree:PathToSessionCacheFile

  For details about any of these settings, see the "Postfix Configuration Parameters" documentation on the Postfix website.
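An audit sketch for the steps above, added here as an example and not part of PureMessage or Sophos tooling: it parses main.cf text, then checks the restriction order and the SASL/TLS values this article lists. The function names and sample files are constructed for illustration, and it assumes the values are written literally (no $variable expansion).

```python
import re

# Values from the article; ORDER is smtpd_client_restrictions split into tokens.
ORDER = ["permit_mynetworks", "permit_sasl_authenticated", "ignore_policy_error",
         "check_policy_service", "inet:localhost:4466"]
REQUIRED = {"smtpd_sasl_type": "dovecot", "smtpd_sasl_path": "private/auth",
            "smtpd_sasl_auth_enable": "yes", "smtpd_use_tls": "yes",
            "smtpd_sasl_security_options": "noanonymous", "smtpd_tls_auth_only": "yes"}

def parse_main_cf(text):
    """'#' starts a comment, leading whitespace continues a line, last definition wins."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and name:
            params[name] += " " + raw.strip()
        elif "=" in raw:
            name, value = (part.strip() for part in raw.split("=", 1))
            params[name] = value
    return params

def audit(text):
    """Return findings; an empty list means the file matches the article."""
    params, findings = parse_main_cf(text), []
    entry = params.get("smtpd_client_restrictions", "")
    if [tok for tok in re.split(r"[,\s]+", entry) if tok] != ORDER:
        findings.append("smtpd_client_restrictions: wrong content or order")
    for key, want in REQUIRED.items():
        got = params.get(key, "")
        if (got.lower() if want == "yes" else got) != want:
            findings.append(f"{key}: expected {want!r}, found {got!r}")
    return findings

# Constructed samples; BAD appends overrides (reordered list, AUTH without TLS).
GOOD = """\
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
    ignore_policy_error, check_policy_service inet:localhost:4466
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_use_tls = yes
"""
BAD = GOOD + ("smtpd_tls_auth_only = no\nsmtpd_client_restrictions = permit_sasl_authenticated,\n"
              "    permit_mynetworks, ignore_policy_error, check_policy_service inet:localhost:4466\n")

if __name__ == "__main__":
    print("GOOD:", audit(GOOD) or "ok", "\nBAD:", audit(BAD))
```

To check a live installation, pass the contents of /opt/pmx/postfix/etc/main.cf to audit(); a finding for smtpd_tls_auth_only means SMTP-AUTH credentials can be sent without TLS.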
If you need more information or guidance, then please contact technical support.
- Article ID: 40280
- Created: 12 Jun 2008
- Last updated: 24 Oct 2008
