Enabling or Disabling MTA IP Blocking
MTA-level IP blocking rejects messages originating from IP addresses contained in SophosLabs block lists and custom block lists. Enabling this option is recommended; it improves performance by blocking spam before it reaches more complex tests in the policy.
block_dynamicoption described on the blocklist.conf man page will cause the additional tests to occur earlier in policy processing, thus improving efficiency.
block_dynamic enabled, PureMessage rejects messages that are
sent "Direct-to-MX," a method spammers sometimes use to bypass the sending MTA (and
any intermediate MTAs), and send messages directly to the machines hosting the MX
records for the intended recipients.
This makes it possible to block spam from hosts that have not yet established a reputation, but are very likely to be sending spam. These additional checks, which make use of the Sophos Sender Genotype, are referred to as proactive protection control because they allow PureMessage to reject connections from servers with dynamic IP addresses.
For an explanation of SophosLabs IP address classifications, see the Sophos website.
block_dynamic option can only be enabled from the command line.
blocklist.conf man page for more information.
Messages are blocked based on the latest data from SophosLabs, and any IP addresses or fully qualified hostnames that have been specified in the IP Blocking Exception List and IP Blocking Exclusion List. For more about these lists, see "About PureMessage Default Lists" in the Manager Reference.
The Local Services: MTA IP Blocking page of the Local Services tab allows you to enable/disable IP blocking.
To set MTA IP blocking:
- On the MTA IP Blocking page of the Local Services tab, select the Enable check box.
- You are prompted to restart both your mail transfer agent (MTA) and the Scheduler Service. Click the Restart now buttons next to each of these prompts.
- If you want to configure IP blocking with an external or third party version of sendmail or Postfix, manual steps are required. See the appropriate "Configuring IP Blocking" section in the Getting Started Guide for more information.
- If you want to authenticate connections using SMTP-AUTH while MTA-level blocking is enabled, you must modify PureMessage Postfix. For instructions, see "Configuring SMTP Authentication with the MTA IP Blocker" in the Sophos Knowledgebase. SMTP-AUTH is not supported for external Postfix installations nor for any type of sendmail installation.