If you did not select either sendmail or Postfix as the mail transfer agent (MTA) during PureMessage installation, use the instructions below to set up PureMessage to work with an existing MTA. This section describes configuring PureMessage for external versions of sendmail, Sendmail Switch and Postfix.
Note: As external/third party versions of sendmail and Postfix are not quality-assured for integration with PureMessage, Sophos reserves the right not to provide support for an issue that appears to be related to any such custom configuration,
and may recommend that you install a version of sendmail or Postfix that is bundled with PureMessage to further a resolution.
If you are using Oracle Communications Messaging Exchange Server, you can configure a direct connection with the PureMessage milter as described in “Configuring PureMessage for Oracle Communications Messaging Exchange Server”
in the Sophos Knowledgebase.
Configuring an External Sendmail Installation
PureMessage can be configured to use either an external sendmail or Sendmail Switch installation. ("sendmail" is the open source freeware distribution; "Sendmail Switch" is the commercial version.) See either “Configuring Sendmail” or
“Configuring Sendmail Switch” for instructions.
Important: Regardless of whether you are using sendmail or Sendmail Switch, you must configure sendmail aliases for quarantine digests if you intend to use PureMessage's Quarantine Digest functionality.
Configuring Sendmail
To configure a sendmail installation built from source (as opposed to installing the sendmail distributed with PureMessage), you must first build and install sendmail with milter support, and then connect sendmail with PureMessage.
To configure Sendmail:
1. Build milter support using the method appropriate for your version of sendmail. Sendmail must be built and installed with milter support. For further information on sendmail's milter functionality, see libmilter/README in the sendmail source distribution.
• Sendmail versions earlier than 8.12.0
In sendmail versions prior to v8.12.0, milter support was not enabled by default in the sendmail sources. It must be explicitly enabled by adding the following lines to devtools/Site/site.config.m4 in the sendmail distribution, prior to building sendmail:
dnl Milter
APPENDDEF(`conf_sendmail_ENVDEF', `-D_FFR_MILTER=1')
APPENDDEF(`conf_libmilter_ENVDEF', `-D_FFR_MILTER=1')
If this file does not exist, create it and then add the lines above.
For sendmail versions prior to v8.12.0, you must add the following line near the beginning of the m4 configuration file (typically sendmail.mc) used to generate your sendmail.cf. Locate the VERSIONID line in sendmail.mc, and add the following line right below it:
define(`_FFR_MILTER',`1')dnl
Note the use of the backtick and apostrophe characters as opening and closing quotes. Ensure that the added text exactly matches the example above.
• Sendmail versions 8.12.0 or later
In sendmail versions v8.12.0 and later, you must enable milter support by adding the following lines to the devtools/Site/site.config.m4 file in the sendmail distribution, prior to building sendmail:
dnl Milter
APPENDDEF(`conf_sendmail_ENVDEF', `-DMILTER=1')
Note the use of the backtick and apostrophe characters as opening and closing quotes. Ensure that the added text exactly matches the example above.
2. To compile the sendmail sources, you typically run the following command at the top level of the sendmail source distribution:
% sh Build -c
3. Copy the sendmail binary to its usual location on your platform, typically /usr/sbin/sendmail and/or /usr/lib/sendmail, and then generate the sendmail configuration files as described in sendmail/INSTALL.
4. Connect sendmail and PureMessage:
a) Modify sendmail.mc
PureMessage milters are defined in the file pmx.conf, in the etc directory below the PureMessage installation location. For each PureMessage milter you want to set up for processing mail, sendmail must be told how to contact it.
In the directory sendmail/cf/cf/, select a configuration file that matches your system configuration. Add a line like the following to sendmail.mc before generating sendmail.cf:
INPUT_MAIL_FILTER(`Policy', `S=inet:3366@localhost,F=T,T=C:5m;E:8m;R:4m;S:2m')
The above assumes PureMessage is listening on port 3366 on the same host where sendmail is running. If PureMessage is running on a different host and port, substitute the hostname for localhost (for example
S=inet:[email protected]).
The name assigned to the INPUT_MAIL_FILTER (`Policy' in the example above) is used by sendmail for tagging messages in the syslog. It can be any descriptive text, such as the same name assigned to the PureMessage milter.
Milter parameter configuration is further described in the topic “Configuring milter parameters for sendmail” in the Sophos Knowledgebase.
Sendmail calls your milters in the same order specified with INPUT_MAIL_FILTER lines.
Sendmail will then contact the filter at the specified port and host every time it handles an SMTP connection.
b) Regenerate sendmail.cf
Regenerate your sendmail.cf file from the sendmail.mc file. To regenerate your sendmail.cf file, run the following commands (replacing the paths to the files appropriately):
cd /etc/mail
m4 sendmail_source_dir/cf/m4/cf.m4 /path/to/sendmail.mc > sendmail.cf
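The INPUT_MAIL_FILTER line from step 4a decides what sendmail does when the PureMessage milter cannot be reached, so it is worth checking before sendmail.cf is regenerated. The following is an added example, not part of the Sophos documentation: it parses the line and reports fail-open settings. The function names and the WEAK_LINE sample (with the placeholder host pmx.example.com) are constructed for illustration; the meaning of F= and T= follows sendmail's own milter documentation.

```python
import re

# What sendmail does when it cannot reach the filter, per the F= equate.
ON_FAILURE = {"T": "tempfail", "R": "reject", "": "pass-through"}
TIMEOUTS = {"C": "connect", "S": "send", "R": "read", "E": "end-of-message"}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def parse_mail_filter(line):
    """Parse one INPUT_MAIL_FILTER(`name', `equates') line from sendmail.mc."""
    m = re.match(r"\s*INPUT_MAIL_FILTER\(`([^']*)',\s*`([^']*)'\)", line)
    if m is None:
        raise ValueError("not an INPUT_MAIL_FILTER line; check the ` and ' quoting")
    name, equates = m.groups()
    fields = {}
    for item in equates.split(","):
        key, _, value = item.strip().partition("=")
        fields[key.upper()] = value
    sock = re.fullmatch(r"inet6?:(\d+)@(.+)", fields.get("S", ""))
    timeouts = {}
    for part in filter(None, fields.get("T", "").split(";")):
        key, _, value = part.partition(":")
        timeouts[TIMEOUTS.get(key, key)] = value
    return {
        "name": name,
        "port": int(sock.group(1)) if sock else None,
        "host": sock.group(2) if sock else None,
        "on_failure": ON_FAILURE.get(fields.get("F", ""), "unknown"),
        "timeouts": timeouts,
    }

def audit(filt):
    """Return findings a reviewer would raise about one parsed filter."""
    findings = []
    if filt["on_failure"] == "pass-through":
        findings.append("no F= flag: mail is delivered unfiltered if the milter is down")
    if filt["host"] not in LOCAL_HOSTS:
        findings.append("S= is not a loopback inet socket: check where milter traffic goes")
    for phase in TIMEOUTS.values():
        if phase not in filt["timeouts"]:
            findings.append("no %s timeout set; sendmail's default applies" % phase)
    return findings

PAGE_LINE = "INPUT_MAIL_FILTER(`Policy', `S=inet:3366@localhost,F=T,T=C:5m;E:8m;R:4m;S:2m')"
# Constructed variant for contrast: remote host, no F= flag, only a connect timeout.
WEAK_LINE = "INPUT_MAIL_FILTER(`Policy', `S=inet:3366@pmx.example.com,T=C:5m')"

if __name__ == "__main__":
    for line in (PAGE_LINE, WEAK_LINE):
        parsed = parse_mail_filter(line)
        print(parsed["name"], parsed["on_failure"], audit(parsed))
```

The line from the documentation produces no findings; the constructed variant is flagged for passing mail through unfiltered when the milter is down.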
Configuring Sendmail Switch
1. Log into your Sendmail Switch web configuration program.
2. If you don't have an existing configuration, click New Configuration. Create a new configuration before continuing.
Click Edit Existing Configuration.
3. Load the Sendmail Switch configuration file. An example configuration file may resemble the following:
sendmail_switch.m4.
4. Scroll down to the bottom of the page. On the sidebar, click Mail Filtering.
5. Click Add to include a new filter.
6. There are two input fields: one is Filter Name, the other is Filter Equates. Type Policy into the Filter Name field.
Type S=inet:[email protected],F=T,T=C:5m;E:8m;R:4m;S:2m into the Filter Equates field. Milter parameter configuration is further described in the topic “Configuring milter parameters for sendmail” in the Sophos Knowledgebase.
7. Click Apply.
8. Once the changes are applied, click Deploy to update the sendmail.cf file.
9. From the lower right side of the page, click Deploy.
A confirmation screen with deployment results is displayed.
Configuring Sendmail Aliases for Quarantine Digests
To use the PureMessage Quarantine Digest function, you must add an alias to the sendmail alias file that matches the address specified in PureMessage. This is specified in the approve_addr field of the pmx-qdigest.conf configuration file (or on the Digest Options page on the Users pane of the PureMessage Manager). By default, this address is
1. Sendmail aliases are stored in the 'aliases' file (usually in the /etc/mail directory). Create an entry in the aliases file similar to the following:
pmx-auto-approve: |/opt/pmx6/bin/pmx-qdigest-approve
2. After adding the alias, run the newaliases program (which must be run as root) to regenerate the aliases database file.
Configuring IP Blocking (External Sendmail Version)
PureMessage IP blocking can be configured for an external version of sendmail. To enable IP blocking, you must add an m4 file to your sendmail installation. The required file, sockmap.m4, is included in the version of sendmail that is bundled with PureMessage. You must temporarily install PureMessage sendmail, and then copy the sockmap.m4 file to your existing sendmail installation. Follow the steps in the order they are described below.
Note: As external/third party versions of sendmail are not quality-assured for integration with PureMessage, Sophos reserves the right not to provide support for an issue that appears to be related to any such custom configuration, and may recommend that you install the version of sendmail bundled with PureMessage to further a resolution.
1. Check Sendmail Compilation: You must ensure that your version of sendmail has been compiled with the SOCKETMAP option. To check if SOCKETMAP was included, as the root user run:
sendmail -d0.1 -bt < /dev/null
If SOCKETMAP is included, it will be displayed among the list of compile options. If, however, SOCKETMAP is not there, you will need to recompile sendmail to enable SOCKETMAP support. Before you rebuild sendmail, add the following line to the /devtools/Site/site.config.m4 file:
APPENDDEF(`confMAPDEF', `-DSOCKETMAP')
2. Install PureMessage sendmail
a) At the command line, as the root user, run:
pmx-setup
The PureMessage installer is launched.
b) Select Install Additional Components, and press Enter.
c) Under Select additional roles that should be installed, select Mail Transfer Agent.
d) Select Install these roles, and press Enter.
e) Select Sendmail, and then select Next Question. Ignore the sendmail configuration prompts, and continue selecting Next Question until sendmail has been installed.
f) Select Back to main menu.
g) Select Exit the installer.
3. Copy the m4 file to your existing sendmail installation
a) Copy /opt/pmx6/sendmail/cf/feature/sockmap.m4 from the version of PureMessage sendmail that you have just installed to the corresponding directory in your pre-existing sendmail installation.
b) Add the following line to $PREFIX/sendmail/etc/mail/sendmail.mc.
FEATURE(`sockmap',`inet:4466@localhost',,)
If PureMessage is running on a different host, replace localhost with the hostname of the machine on which PureMessage is installed. This hostname must match the one that is specified in /opt/etc/pmx.d/blocklist.conf on the server that is running the IP Blocker service.
4. Uninstall PureMessage sendmail
a) Select Uninstall PureMessage Components.
b) Select PureMessage Sendmail, and then select Uninstall these components.
c) If prompted to stop PureMessage, select Yes.
d) Click Yes to confirm the removal. When removal is complete, select OK.
e) Exit the installer.
5. Update the configuration cache by running pmx-config --validate-cache.
6. Start the PureMessage IP Blocker service by running pmx-blocker start.
7. Recompile sendmail with the following command:
m4 sendmail.mc > /etc/sendmail.cf
8. Restart sendmail.
9. At the command line, as the “pmx6” user, run pmx start to restart PureMessage.
Note: By default, if sendmail is unable to contact PureMessage's IP Blocker service, the message is passed through. To change this behavior so that messages are tempfailed instead, see the comments in the sockmap.m4 file.
Configuring an External Postfix Installation
Postfix is the mail transfer agent (MTA) installed during a "Full Install" of PureMessage. You can also configure PureMessage to work with an existing version of Postfix.
While PureMessage will work with any version of Postfix that has content-filtering enabled, older versions of Postfix have security problems. Version 2.1.5 or later is recommended.
The Postfix content-filtering mechanism relies on passing messages via SMTP to PureMessage (the pmx-milter program specifically). PureMessage can then modify and/or re-inject the message back into Postfix, quarantine the message, or take other actions based on the policy. The FILTER_README document included with Postfix provides an overview of the model.
Obtaining Postfix
Source distributions of Postfix are available from http://www.postfix.org.
Postfix is also available in various Linux and Unix package formats. Several Linux distributions ship with Postfix. Packages are also available from http://www.postfix.org/packages.html.
To get Postfix:
1. Download the current official release and save it to a convenient directory.
Instructions for compiling and installing Postfix from source are available in the INSTALL file contained in the source tarball.
2. Create dedicated “postfix” and “postdrop” user accounts to make Postfix functional. These accounts do not require login access.
Configuring Postfix
Once installed, you may need to edit main.cf to set appropriate values for myorigin, mydestination, and mynetworks. These settings are described in the main.cf file. When this is complete, make sure you are able to start Postfix by running postfix start and are able to send and receive mail through the system.
The following figure (adapted from the Postfix documentation) shows the required setup for filtering email using PureMessage:
To create the pictured message flow:
1. Set Content Filter Port. In postfix/etc/main.cf, set content_filter to the port PureMessage will be listening on. The default is:
content_filter=pmx:127.0.0.1:10025
2. Set Interfaces to Non-Postfix Software. In postfix/etc/master.cf, add the following:
pmx unix - - n - 10 smtp
localhost:10026 inet n - n - 10 smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o myhostname=localhost
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
The smtp line defines an interface to use to send messages that have not yet been filtered.
The smtpd section defines the port on which to receive messages that have already been filtered.
3. Restart Postfix. Run the postfix stop and postfix start commands or the postfix reload command to make the new settings take effect.
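The smtpd listener on port 10026 accepts mail that is treated as already filtered, so its overrides matter: content_filter must be cleared to avoid a loop, and the listener must only accept connections from the local host. The following is an added example, not part of the Sophos documentation: it parses the master.cf entries from step 2 and checks them against the content_filter value from step 1. The function names and the WEAK_CF sample are constructed for illustration.

```python
import re

# master.cf entries from step 2 above; continuation lines start with whitespace.
MASTER_CF = """\
pmx unix - - n - 10 smtp
localhost:10026 inet n - n - 10 smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o myhostname=localhost
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
"""
# Constructed counter-example: same port on every interface, no -o overrides.
WEAK_CF = "pmx unix - - n - 10 smtp\n10026 inet n - n - 10 smtpd\n"

def parse_master_cf(text):
    """Return services as dicts; whitespace-led lines continue the previous entry."""
    joined = re.sub(r"\n[ \t]+", " ", text)
    services = []
    for f in (l.split() for l in joined.splitlines() if l.strip() and l[0] != "#"):
        args = f[8:]
        opts = dict(a.partition("=")[::2] for p, a in zip(args, args[1:]) if p == "-o")
        services.append({"service": f[0], "type": f[1], "command": f[7], "opts": opts})
    return services

def audit(content_filter, services, port="10026"):
    """Return findings for the filter transport and the re-injection listener."""
    findings = []
    transport = content_filter.split(":", 1)[0]
    if not any((s["service"], s["type"], s["command"]) == (transport, "unix", "smtp")
               for s in services):
        findings.append("no smtp transport named %r in master.cf" % transport)
    back = [s for s in services if (s["type"], s["command"]) == ("inet", "smtpd")
            and s["service"].rpartition(":")[2] == port]
    if not back:
        return findings + ["no smtpd listener on port %s for filtered mail" % port]
    host, opts = back[0]["service"].rpartition(":")[0], back[0]["opts"]
    if host not in ("localhost", "127.0.0.1"):
        findings.append("re-injection port %s is not bound to loopback" % port)
    want = {"content_filter": "", "mynetworks": "127.0.0.0/8",
            "smtpd_recipient_restrictions": "permit_mynetworks,reject"}
    for key, value in want.items():
        if opts.get(key) != value:
            findings.append("%s should be %r" % (key, value))
    return findings
```

Calling audit("pmx:127.0.0.1:10025", parse_master_cf(MASTER_CF)) returns an empty list for the documented configuration; the same call on WEAK_CF returns four findings.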
Configuring Postfix to Enable Digest Release by Email
To enable users to release the messages listed in their quarantine digests by email:
1. Open the postfix/main.cf for editing.
2. Set the following line:
recipient_delimiter=+
If this is not done, postfix will look for a username something like "pmx-auto-approve+ffd3b6c7fa2c684f8d6fb1481d7e1297", which usually does not exist.
Configuring Postfix Aliases for Quarantine Digests
To use the PureMessage Quarantine Digest function, you must add an alias to the alias file that matches the address specified in the approve_addr field of the pmx-qdigest.conf configuration file (or on the Digest Options page of the Quarantine tab in the PureMessage Manager). By default, this address is [email protected].
Sendmail aliases are stored in the 'aliases' file (usually in the postfix/etc/ directory).
To configure Postfix aliases for quarantine digests:
1. Create an entry in the aliases file similar to the following:
pmx-auto-approve: |/opt/pmx6/bin/pmx-qdigest-approve
2. Run the newaliases program (which must be run as root) to regenerate the aliases database file.
Configuring IP Blocking (External Postfix Version)
PureMessage IP blocking can be configured for an external version of Postfix.
Note: As external/third party versions of Postfix are not quality-assured for integration with PureMessage, Sophos reserves the right not to provide support for an issue that appears to be related to any such custom configuration, and may recommend that you install the version of Postfix that is bundled with PureMessage to further a resolution.
1. As the root user, add the following line to <InstallDirectory>/postfix/etc/main.cf:
smtpd_client_restrictions=check_policy_service inet:localhost:4466
If PureMessage is running on a different host, replace localhost with the hostname of the machine on which PureMessage is installed. The hostname must match the one specified in /opt/pmx6/etc/pmx.d/blocklist.conf on the server that is running the IP Blocker service.
2. At the command line, as the PureMessage user (“pmx6” by default), run pmx-blocker start.
3. As the root user, restart Postfix.
Although the version of Postfix bundled with PureMessage can be configured to either pass messages through or tempfail messages when the IP Blocker service is unavailable, external Postfix installations can only tempfail messages.