Policy Overview
1. If the spam probability for the message is 50% or more:
• An X-PerlMx-Spam header is added (or altered, if it already exists) that contains details of the scan, including the spam probability and the anti-spam rules violated by the message.
• A copy of the message is written to the quarantine with the reason "Spam".
• A mark is added to the message log indicating that the message is considered to be spam .
• The subject header in the message is prefixed by the text PMX: and a # symbol for every 10% that the message's spam probability exceeds 50%.
• The message is delivered.
• Message processing stops.
2. Otherwise:
• An X-PerlMx-Spam header is added (or altered, if it already exists) that contains details of the scan, including the spam probability and the anti-spam rules violated by the message.
• The message is delivered.
• A mark is added to the message log indicating that the message indicating that it is legitimate mail.
• Message processing stops.
Default PureMessage Policy Script
This is the default policy enabled for PureMessage. To view the Sieve code, click see the source on the Policy tab of the PureMessage Manager. To edit the Sieve code directly, open the policy.siv file found in /opt/pmx6/etc.
require "PureMessage";
# The 'pmx-test-mark' command is needed for the sample messages sent
# by the pmx-test program to be recognized. For sites running with
# high-mail volumes it might be a good idea to disable this action as
# it prevents the relay tests from running as early as they otherwise
# could. See 'perldoc pmx-policy' for details about this command.
pmx_test_mark;
# Mark the subject (for both incoming and outgoing messages) pmx_mark "S" "%%SUBJECT:h_utf8%%";
# attr NAME=Mail from internal hosts if pmx_relay :memberof "internal-hosts" {
# The 'pmx-mlog-watch' depends on this to know which messages # are outgoing and which are not.
pmx_mark1 "i";
# attr NAME=Check for mail containing viruses if pmx_virus {
# attr LICENSE=PureMessage::Policy::Virus
# attr NAME=Allow unscannable messages to pass through if pmx_virus_cantscan {
pmx_replace_header :index 0 "X-PMX-Virus" "Unscannable";
pmx_replace_header :index 0 "Subject" "[POTENTIAL VIRUS] %%SUBJECT%%";
pmx_mark "pmx_reason" "Unscannable";
# attr NAME=Mail from external hosts else {
pmx_add_header "X-PMX-Version" "%%PMX_VERSION%%";
pmx_mark "Size" "%%MESSAGE_SIZE%%";
# attr NAME=Quarantine blocked IP addresses (Sophos Blocklist) if pmx_blocklist {
pmx_mark "pmx_reason" "Block List";
pmx_quarantine "Blocked";
stop;
}
# attr NAME=Check for mail containing viruses if pmx_virus {
# attr LICENSE=PureMessage::Policy::Virus
# attr NAME=Allow unscannable messages to pass through if pmx_virus_cantscan {
pmx_replace_header :index 0 "X-PMX-Virus" "Unscannable";
pmx_replace_header :index 0 "Subject" "[POTENTIAL VIRUS] %%SUBJECT%%";
pmx_mark "pmx_reason" "Unscannable";
} }
# attr NAME=Quarantine mail containing suspicious attachments if pmx_suspect_attachment :tft {
pmx_mark "pmx_reason" "Suspect";
pmx_quarantine "Suspect";
stop;
}
# attr NAME=Deliver mail from whitelisted hosts and senders if anyof(pmx_relay :memberof "whitelisted-hosts",
address :all :memberof "From" "whitelisted-senders", envelope :memberof "From" "whitelisted-senders",
address :all :memberof "From" "whitelisted-senders-per-user", envelope :memberof "From" "whitelisted-senders-per-user") {
pmx_mark "pmx_reason" "Allow List";
keep;
stop;
}
# attr NAME=Deliver mail to anti-spam opt-outs if envelope :memberof "to" "anti-spam-optouts" { pmx_mark "pmx_reason" "Opt Out";
keep;
stop;
}
# attr NAME=Quarantine mail from blacklisted hosts and senders if anyof(pmx_relay :memberof "blacklisted-hosts",
address :all :memberof "From" "blacklisted-senders", envelope :memberof "From" "blacklisted-senders",
address :all :memberof "From" "blacklisted-senders-per-user", envelope :memberof "From" "blacklisted-senders-per-user") {
# attr NAME=Copy to quarantine and deliver if spam probability is 50% or more if not pmx_spam_prob :under 50 {
pmx_replace_header :index 0 "X-PMX-Spam" "Gauge=%%SGAUGE%%%%IGAUGE%%, Probability=%%PROB%%, Report='%%HITS%%'";
pmx_mark "pmx_reason" "Spam";
pmx_file "Spam";
pmx_replace_header :index 0 "Subject" "[SPAM:%%GAUGE%%] %%SUBJECT%%";
stop;
}
# attr NAME=Add X-Header and deliver messages else {
pmx_mark "pmx_reason" "Legitimate";
pmx_replace_header :index 0 "X-PMX-Spam" "Gauge=%%SGAUGE%%%%IGAUGE%%, Probability=%%PROB%%, Report='%%HITS%%'";
stop;
} }
Policy Rules
Policies consist of rules; rules consist of tests and actions.
Lists are used to configure domains or addresses that should be treated differently within a policy rule.
Address maps are used to associate one email address with another, either for the purpose of redirecting notifications, such as Quarantine Digests, or for the purpose of assigning one user's email preferences to other accounts, as it is with the End User Web Interface.
The applications and configuration files used to configure lists and maps from the command line are:
• /opt/pmx6/bin/pmx-list: Utility for manipulating lists.
• /opt/pmx6/bin/pmx-ldap-sync: Creates a list or map from an LDAP service.
• /opt/pmx6/bin/pmx-makemap: Compiles a standard list or map, or a list of members of a PureMessage administrative group, into a CDB list or map.
Lists & Maps Related Configuration Files
• /opt/pmx6/etc/lists.conf: Declares the named predefined lists available PureMessage.
• /opt/pmx6/etc/multilists.conf: Declares the named multidimensional lists available to PureMessage.
• /opt/pmx6/etc/maps.conf: Declares the named predefined maps available to PureMessage.
Tests
Tests define the characteristics of the message that must be matched in order for the action to be executed. Multiple tests can be configured within a single rule. See the “About Tests” in the Manager Reference, or the pmx-policy man page, for a list of tests. To see which modules are licensed on your system, see the View Licensed Components page on the Support tab of the PureMessage Manager.
The components of a test are:
• Message Characteristic: Specifies the component of the message that is being tested, such as the number of attachments or the percentage of 8-bit characters.
• Operator: Defines the comparison between the specified message characteristic and the specified test expression. For example, if the message characteristic being analyzed is the number of attachments, the operator specifies a numerical test, such as "Is over" or "Is under".
• Test Expressions: Specifies the value that is compared to the message characteristic.
Actions
Actions are the components of rules that determine what happens to a message that passes the test. Multiple actions can be specified. See “About Actions” in the Manager Reference, or the pmx-policy man page for a list of actions. To see which modules are licensed on your system, see the View Licensed Components page on the Support tab in the PureMessage Manager.
Lists
Lists are used to configure domains or addresses that should be treated differently within a policy rule. For example, in the default PureMessage policy, the first rule checks the message relay against the relays configured in the Internal Hosts list.
To handle messages differently for members in each list, add a new list, and then apply it within the policy script. For example, to create a list of users who receive spam headers for messages with a spam rating of 50% or more, build a custom list (or use an existing list), and then create a rule that adds a header only if the recipient is a member of the list.
Some message characteristics, such as “Recipient's address” and “Envelope to”, provide the option of using the match operators “Is a member of” and “Is not a member of” to compare the message characteristic with items in a specified list.
Once the new list is created, it becomes available for selection in a Policy Constructor drop-down list that is displayed when you are configuring a test that includes the “Is a member of” or “Is not a member of” match operator.
Note: Every item in a list is evaluated independently, so the order of the items within a list does not matter.
Note: Although PureMessage supports the creation of LDAP-based lists and maps, these lists and maps are read-only;
you must use LDAP tools to edit them.
Address Maps
Address maps are used to associate one email address with another, either for the purpose of redirecting notifications generated by PureMessage (such as Quarantine Digests), or for the purpose of assigning one user's email preferences to other accounts (for End User Web Interface usage).
The default address maps (the Notifications Address Map and the Recipient Aliases Map) are implemented automatically;
they are not explicitly implemented in the policy script. To use these maps, simply populate them with the desired values.
Custom address maps must be implemented via a policy rule.
PureMessage processes the contents of address maps from top to bottom. Within a map, if two mappings apply to a single address, the first mapping is used. For example, if the first entry maps sales*@example.com to [email protected], and
the second entry maps [email protected] to [email protected], all messages with addresses beginning with
"sales" are mapped to Joe, not to Mary.
PureMessage is distributed with two address maps:
• Notifications Address Map: Accessible from the Quarantine or Policy tab in the PureMessage Manager, or by editing the notifications file, located in the etc directory beneath the root PureMessage installation directory.
Note: The /opt/pmx6/etc/notifications file is a shared resource. If you edit this file, you must sync it to the database with the following command (run as the PureMessage user):
pmx-profile sync-to-db --resource=notifications --force
The Notifications Address Map redirects PureMessage notifications (such as quarantine digests and virus notices) from the original message recipient to the recipient specified in the map. For example, the address [email protected] might be administered by a user called [email protected]. An entry in the Notifications Address Map that maps [email protected] to [email protected] ensures that messages generated by PureMessage to the address [email protected] are sent to [email protected]. (Note that the Notifications Address Map does not consolidate digests; see Consolidating Quarantine Digests in the Quarantine Manager chapter for instructions on that feature.)
• Recipient Aliases Map: Accessible from the Policy tab in the PureMessage Manager, or by editing the recipient-aliases file, located in the etc directory beneath the root PureMessage installation directory.
Note: The /opt/pmx6/etc/recipient-aliases file is a shared resource. If you edit this file, you must sync it to the database with the following command (run as the PureMessage user):
pmx-profile sync-to-db --resource=recipient-aliases --force
The Recipient Aliases Map replaces the original message recipient with another recipient for the purpose of applying user preferences (such as per-user whitelists and blacklists, as well as viewing messages in the End User Web Interface).
For example, if the address [email protected] is administered by the user [email protected], the recipient alias map could be used to assign the preferences associated with [email protected] to the address
[email protected]. While this does not alter the actual recipient address (that is, the message is delivered to [email protected]), the PureMessage policy uses the preferences set for [email protected] while processing the message.
When recipient alias mapping is enabled for a user, per-user whitelist and blacklist entries made via the End User Web Interface (or via the End User Whitelist and End User Blacklist options on the Quarantine tab of the PureMessage Manager), they are only applied for the destination of the recipient alias map, not the source. For example, if
[email protected] is mapped to [email protected]. End User Blacklist and Whitelist entries for [email protected] are ignored; instead, user preferences for [email protected] are applied, and [email protected] will also be able to view the messages for [email protected] in the End User Web Interface.
For information about populating map contents, or for information about configuring custom maps, see “Creating Lists or Maps”. Also see the “Operators” and “Wildcard Usage” sections for information on matching email addresses, hostnames and IP addresses.
CDB Lists and Maps
PureMessage supports lists and maps in CDB format. This on-disk format is useful for large lists and maps (that is, 5,000 entries or more), where the default plain text format can cause excessive memory consumption and latency.
To convert lists or maps to CDB format:
1. Edit the list or map configuration file manually. Replace 'source = file:' with 'source = cdbfile:'. The match_type for CDB lists and maps must be either 'is' or 'mail-parts'. For example, in pmx/etc/lists.conf:
<list internal-hosts>
name = "Internal hosts"
description = "Relay hosts regarded as internal"
precious = yes
source = cdbfile:internal-hosts match_type = is
</list>
In pmx/etc/maps.conf:
<map notifications>
name = "Notifications address map"
description = "Notifications about messages processed by PureMessage..."
source = cdbfile:notifications match_type = mail-parts
</map>
Note: The 'mail-parts' match type is a simple substring match that does not accept regular expressions or wildcards.
For example:
[email protected] someuser
@example.com
Without an @ sign, the list entry matches a username (ignoring the domain name).
2. Check to make sure that the list or map does not contain syntax that is not supported by the match_type used.
3. Use pmx-makemap to compile the CDB files:
pmx-makemap --all
When lists and maps from a central server are synchronized to edge servers in multi-server deployments (using either pmx-profile or publications), a scheduled job must be created, or an existing job modified, to compile the CDB lists locally with pmx-makemap after synchronization. For example, the resource-sync scheduled job can be modified as follows:
pmx-profile sync-from-db --clean; pmx-makemap --all
The resource-sync job will only synchronize files if they have changed on the central server, and pmx-makemap will only compile when the local file has changed.
Policy Repository
The Policy Repository stores Sieve rules that can be added to the PureMessage policy script. By default, the repository contains a number of general-purpose snipppets that can be copied and pasted to the PureMessage policy. Conversely, snippets can be added to the Policy Repository by copying and pasting rules from the PureMessage policy to the Clipboard or by adding Sieve files from the command line. The Policy Repository can be used to store complete Sieve scripts as well as snippets. For more about working with snippets, see “Managing the Repository” in the Manager Reference.
Populating Lists and Maps via LDAP
Lightweight Directory Access Protocol (LDAP) is an open-standard protocol for accessing online directory services. Directory services are structured repositories of information on people and resources within an organization (for example, a list of names and email addresses). LDAP defines a protocol for updating and searching these directory services running over TCP/IP. For information on configuring an LDAP directory service see the following resources:
• LDAP RFC 1777, Request for Comments documentation.
• OpenLDAP.org, the open source implementation of the Lightweight Directory Access Protocol.
Use the pmx-ldap-sync program to synchronize the existing LDAP directory service to a PureMessage list (for example, a whitelist or blacklist) or map. Depending on options specified on the command line, the pmx-ldap-sync program creates either a flat file or a Berkeley database from an LDAP directory service. Use Perl regular expressions to evaluate list content and filter it based on specific criteria. The pmx-ldap-sync program can be run as a scheduled job from the Manager; see
“Managing Scheduled Jobs” in the Manager Reference for more information.
Important: Sophos highly recommends that only administrators with advanced LDAP configuration and query experience use the pmx-ldap-sync program. Administrators must also be familiar with Perl and regular expressions. Accessing LDAP directory services and writing LDAP queries is not included in the Sophos PureMessage support agreement.
Customizing Policies
PureMessage policy configuration can be easily tailored to meet your corporate needs. When customizing policy rules, be aware of the following considerations:
• Backup: Before editing a policy, it is strongly advised that you make a backup of the current policy.
• Committing Changes: When using the PureMessage Manager to edit policies, you must "commit" changes before testing or enabling the policy.
• Rule Order: Rules are processed in the order they are configured. When a message triggers the "stop" action in a rule, the message is no longer processed. Thus, the rule order and the placement of "stop" actions impact the efficiency of the policy.
• Testing: It is advisable to test policies before enabling them.
The file /opt/pmx6/bin/pmx-policy provides an interface to the PureMessage policy engine.
Example: Check Messages for Offensive Words
Rules can be configured to implement policies that reduce liability from inappropriate communications. The following rule checks messages originating from internal sources against a defined list of offensive words, and it quarantines any messages found to contain those words. (Note that this example assumes that you are using the default PureMessage Policy
configuration.)
The Offensive Words list is pre-configured with several hundred words and phrases that are generally considered to be unacceptable in corporate communications. Before creating a rule that uses the Offensive Words list, review the contents of the list, adding words and phrases specific to your organization and removing words and phrases that are not applicable.
The following test uses the Message contains word or phrase test, which is part of the PureMessage Policy bundle. If you do not have a license for the Policy bundle, use the Message has offensive content test, which also uses the Offensive Words list, and which is included with the Anti-Spam license.
To create a "check messages for offensive words" rule using the PureMessage Manager: