Sophos recommends enabling the MTA-level IP Blocker as part of an overall strategy to optimize PureMessage performance. If you want to authenticate connections using SMTP-AUTH while MTA-level blocking is enabled, you must modify PureMessage Postfix (SMTP-AUTH is not supported for external Postfix installations nor for any version of sendmail).
When configured as described below, your system permits access for any IP address contained in the $mynetworks parameter, and then checks to see if it's an authenticated connection. If authentication is successful, messages are delivered without further testing. If authentication fails, messages are passed along to the MTA IP Blocker to begin testing.
Since SMTP-AUTH alone is not secure (it sends usernames and passwords over the internet in plain text format), it is recommended that you use SMTP-AUTH in conjunction with Transport Layer Security (TLS), so that this information is encrypted.
What to do
- In /opt/pmx/postfix/etc/main.cf, edit the smtpd_client_restrictions option so that it appears as follows:
smtpd_client_restrictions = permit_mynetworks,
The contents of the entry must be in exactly the order that is shown above.
- Support for Dovecot protocol version 1 (server only) was enabled as of PureMessage 5.3.1. Other SASL authentication programs are not supported. See the Dovecot website for installation and configuration instructions.
Add the following lines to main.cf to enable SASL authentication:
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
- When configuring SMTP-AUTH to work with TLS, also add the following lines:
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = PathToServerCertificateFile
smtpd_tls_key_file = PathToPrivateKeyFile
smtpd_use_tls = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:PathToSessionCacheFile
smtp_tls_session_cache_database = btree:PathToSessionCacheFile
For details about any of these settings, see the "Postfix Configuration Parameters" documentation on the Postfix website.
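To confirm that an edited main.cf carries the settings from this procedure, the following Python script parses the file text (comments and continuation lines included) and reports what is missing. It is an added example, not part of the Sophos documentation or of PureMessage; the sample fragment, its path and `REST_OF_LIST_PLACEHOLDER` are constructed placeholders.

```python
import re

# Values taken from the procedure above; the token must appear in the setting.
REQUIRED = {
    "smtpd_sasl_type": "dovecot",
    "smtpd_sasl_auth_enable": "yes",
    "smtpd_sasl_security_options": "noanonymous",
    "smtpd_tls_auth_only": "yes",  # without it, AUTH is offered before TLS is active
    "smtpd_use_tls": "yes",
}
REQUIRED_PATHS = ("smtpd_tls_cert_file", "smtpd_tls_key_file")

# Constructed sample: TLS-only auth and the key file are deliberately missing.
SAMPLE = """\
# constructed main.cf fragment
smtpd_client_restrictions = permit_mynetworks,
    REST_OF_LIST_PLACEHOLDER
smtpd_sasl_type = dovecot
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_use_tls = yes
smtpd_tls_cert_file = /path/to/placeholder-cert.pem
"""

def tokens(value):
    """Split a main.cf value on commas and whitespace."""
    return [t for t in re.split(r"[,\s]+", value or "") if t]

def parse_main_cf(text):
    """'#' lines are comments, a line starting with whitespace continues
    the previous parameter, and a later setting replaces an earlier one."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current:
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    p = parse_main_cf(text)
    findings = [f"{n}: expected '{w}', found {p.get(n)!r}"
                for n, w in REQUIRED.items() if w not in tokens(p.get(n))]
    findings += [f"{n}: not set" for n in REQUIRED_PATHS if not p.get(n)]
    if tokens(p.get("smtpd_client_restrictions"))[:1] != ["permit_mynetworks"]:
        findings.append("smtpd_client_restrictions: permit_mynetworks must be first")
    return findings
```

Running `audit(open("/opt/pmx/postfix/etc/main.cf").read())` on the live file returns an empty list when all of the checked settings are present.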