Enabling or Disabling MTA IP Blocking

MTA-level IP blocking rejects messages originating from IP addresses contained in SophosLabs block lists and custom block lists. Enabling this option is recommended; it improves performance by blocking spam before it reaches more complex tests in the policy.

Important Whether you choose to block IP addresses by enabling MTA-level IP blocking or by using the PureMessage policy, PureMessage requires that the IP Blocker Service be enabled. This service is enabled by default. If you opt to block IP addresses using only the PureMessage policy, enabling the block_dynamic option described on the blocklist.conf man page will cause the additional tests to occur earlier in policy processing, thus improving efficiency.

With block_dynamic enabled, PureMessage rejects messages that are sent "Direct-to-MX," a method spammers sometimes use to bypass the sending MTA (and any intermediate MTAs), and send messages directly to the machines hosting the MX records for the intended recipients.

This makes it possible to block spam from hosts that have not yet established a reputation, but are very likely to be sending spam. These additional checks, which make use of the Sophos Sender Genotype, are referred to as proactive protection control because they allow PureMessage to reject connections from servers with dynamic IP addresses.

For an explanation of Sophos Labs IP address classifications, see the Sophos website.

The block_dynamic option can only be enabled from the command line. See the blocklist.conf man page for more information.

Messages are blocked based on the latest data from Sophos Labs, and any IP addresses or fully qualified hostnames that have been specified in the IP Blocking Exception List and IP Blocking Exclusion List. For more about these lists, see “About PureMessage Default Lists” in the Manager Reference.

The Local Services: MTA IP Blocking page of the Local Services tab allows you to enable/disable IP blocking.

Note MTA-level IP blocking must be enabled or disabled manually on each server in multi-server deployments (not on the Central Server Manager).

To set MTA IP blocking:

  1. On the MTA IP Blocking page of the Local Services tab, select the Enable check box.
  2. You are prompted to restart both your mail transfer agent (MTA) and the Scheduler Service. Click the Restart now buttons next to each of these prompts.
  • If you want to configure IP blocking with an external or third party version of sendmail or Postfix, manual steps are required. See the appropriate “Configuring IP Blocking” section in the Getting Started Guide for more information.
  • If you want to authenticate connections using SMTP-AUTH while MTA-level blocking is enabled, you must modify PureMessage Postfix. For instructions, see “Configuring SMTP Authentication with the MTA IP Blocker” in the Sophos Knowledgebase. SMTP-AUTH is not supported for external Postfix installations nor for any type of sendmail installation.