Enabling or Disabling MTA IP Blocking

MTA-level IP blocking rejects messages originating from IP addresses contained in SophosLabs block lists and custom block lists. Enabling this option is recommended; it improves performance by blocking spam before it reaches more complex tests in the policy.

Important: Whether you choose to block IP addresses by enabling MTA-level IP blocking or by using the PureMessage policy, PureMessage requires that the IP Blocker Service be enabled. This service is enabled by default. If you opt to block IP addresses using only the PureMessage policy, enabling the block_dynamic option described on the blocklist.conf man page will cause the additional tests to occur earlier in policy processing, thus improving efficiency.

The IP Blocker performs both DNS and, optionally, reverse DNS (RDNS) checks. These additional checks, which make use of the Sophos Sender Genotype, are referred to as proactive protection control because they allow PureMessage to reject connections from servers with dynamic IP addresses.

If RDNS checking is enabled, PureMessage can block connections attempted by servers with dynamically assigned IP addresses. Many servers of this type are members of "botnets," which are collections of zombie computers that can be used to deliver spam. With proactive connection control, even new or unknown IP addresses that have not previously sent spam can be blocked.

For an explanation of SophosLabs IP address classifications, see the Sophos website.

RDNS checking can only be enabled from the command line. See the blocklist.conf man page for more information.

Messages are blocked based on the latest data from SophosLabs, and any IP addresses or fully qualified hostnames that have been specified in the IP Blocking Exception List and IP Blocking Exclusion List. For more about these lists, see "About PureMessage Default Lists" in the Manager Reference.

The Local Services: MTA IP Blocking page of the Local Services tab allows you to enable/disable IP blocking.

Note: MTA-level IP blocking must be enabled or disabled manually on each server in multi-server deployments (not on the Central Server Manager).

To set MTA IP blocking:

  1. On the MTA IP Blocking page of the Local Services tab, select the Enable check box.
  2. You are prompted to restart both your mail transfer agent (MTA) and the Scheduler Service. Click the Restart now button next to each of these prompts.
Note:
  • If you want to configure IP blocking with an external or third-party version of sendmail or Postfix, manual steps are required. See the appropriate "Configuring IP Blocking" section in the Getting Started Guide for more information.
  • If you want to authenticate connections using SMTP-AUTH while MTA-level blocking is enabled, you must modify PureMessage Postfix. For instructions, see "Configuring SMTP Authentication with the MTA IP Blocker" in the Sophos Knowledgebase. SMTP-AUTH is not supported for external Postfix installations or for any type of sendmail installation.