A firewall generally controls which TCP/IP communications are allowed between internal networks and the outside world, dropping packets it considers unsafe. Most firewall products include a messaging (mail relay) component, but that component implements only a small part of what PMDF offers, so a site that relies on it cannot take advantage of PMDF's full functionality.
In addition, firewall products generally implement only a small subset of the SMTP commands and do not support ESMTP (Extended SMTP, RFC 1869) extensions. The firewall vendor usually supplies a modified version of sendmail as the SMTP server. Historically, sendmail has had many security problems, and the modifications made to harden it have substantially reduced its functionality.
PMDF is a full-function SMTP server that implements ESMTP. It can be used either alongside a firewall or on the firewall host itself, and in either role it substantially improves the functionality and performance of a messaging firewall. PMDF provides configuration tools for both cases: operating together with a firewall, and acting as the messaging firewall itself.
PMDF can replace the modified sendmail, providing a secure messaging server and a great many more features. PMDF shares no code base, history or relationship with sendmail. It was engineered with security in mind, and our customers have a great deal of confidence in PMDF's ability to operate on a firewall.
There are several ways to set up PMDF in conjunction with a firewall. Some of these arrangements require packet-filtering features that are more commonly found on a router than on the firewall itself.
You can list these individual users by issuing the following command:
# pmdf password -show -user='*'
The command works on UNIX either with or without the quotation marks; the quotes are the safer habit, since they stop the shell from treating the * as a filename wildcard before PMDF sees it.
Yes, the new Verisign certificates require a patch to the PMDF library. Once that is applied, you should be able to concatenate the chained certificates into the same file. The local server certificate should come first, followed by one or more intermediate certificates, and finally the root certificate. Make sure all of the separators (e.g., -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) remain intact.
For PMDF, the concatenated chain should be in the server-pub.pem file.
You can use the same files for both products. For PreciseMail, just define the configuration variables to point to the .PEM files, wherever you put them (in PMDF_TABLE:, for example):
ptsmtp_tls_public_cert pmdf_table:server-pub.pem
ptsmtp_tls_private_cert pmdf_table:server-priv.pem
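The ordering rule above (server certificate first, intermediates next, root last, every delimiter intact) is easy to get wrong in an editor, so here is an added example, written for this page and not code from the FAQ or from Process Software, that builds a throwaway root/intermediate/server chain with openssl, concatenates it the way PMDF expects, and checks the file before it would be installed as server-pub.pem. The host name mail.example.com, the CA names and all file names are constructed for the example; the helper functions (cert_count, first_cert_is, chain_verifies, chain_ok) are this example's own.

```sh
#!/bin/sh
# Added example, not code from the PMDF FAQ or from Process Software.
# Builds a throwaway root -> intermediate -> server chain with openssl,
# concatenates it in the order PMDF wants (server certificate first, then
# the intermediate(s), root last) and checks the result before it would be
# installed as server-pub.pem. Names, subjects and paths are constructed for
# the example; everything happens in a temporary directory.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension files: the CAs may sign certificates, the server cert may not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca-ext.cnf
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.com\n' > server-ext.cnf

# 1. Self-signed root CA (CSR, then self-signed with explicit CA extensions).
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Root CA' \
  -keyout root-key.pem -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root-key.pem -days 30 \
  -extfile ca-ext.cnf -out root.pem 2>/dev/null
# 2. Intermediate CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate CA' \
  -keyout int-key.pem -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root-key.pem -CAcreateserial \
  -days 30 -extfile ca-ext.cnf -out int.pem 2>/dev/null
# 3. Server certificate, signed by the intermediate. Its key is what would
#    go into server-priv.pem.
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=mail.example.com' \
  -keyout server-priv.pem -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA int.pem -CAkey int-key.pem -CAcreateserial \
  -days 30 -extfile server-ext.cnf -out server.pem 2>/dev/null

# The order PMDF expects: server first, intermediates next, root last.
cat server.pem int.pem root.pem > server-pub.pem
# The same certificates in the wrong order (root first), for comparison.
cat root.pem int.pem server.pem > wrong-order.pem
# A delimiter damaged in the editor (four dashes), as the answer above warns.
sed 's/^-----BEGIN CERTIFICATE-----$/----BEGIN CERTIFICATE----/' server-pub.pem > damaged.pem

# Number of certificates with intact delimiters in a chain file. A damaged
# delimiter is not counted, and a BEGIN/END mismatch yields 0.
cert_count() {
  b=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
  e=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
  if [ "$b" -eq "$e" ]; then echo "$b"; else echo 0; fi
}

# Subject of the FIRST certificate in the file. openssl x509 reads only the
# first PEM block, which is exactly the certificate PMDF presents as its own.
first_subject() {
  openssl x509 -in "$1" -noout -subject
}

# True when the first certificate in the file is for the given name.
first_cert_is() {
  first_subject "$1" | grep -q "$2"
}

# True when the server certificate chains to the root through the file.
# This checks completeness only: openssl does not care about the order of
# the untrusted certificates, which is why first_cert_is is checked as well.
chain_verifies() {
  openssl verify -CAfile root.pem -untrusted "$1" server.pem >/dev/null 2>&1
}

# All checks a chain file must pass before it is installed as server-pub.pem.
chain_ok() {
  [ "$(cert_count "$1")" -eq 3 ] && first_cert_is "$1" mail.example.com && chain_verifies "$1"
}

if chain_ok server-pub.pem; then
  echo "server-pub.pem: $(cert_count server-pub.pem) certificates, order and trust OK"
fi
if ! chain_ok wrong-order.pem; then
  echo "wrong-order.pem: rejected, first certificate is $(first_subject wrong-order.pem)"
fi
if ! chain_ok damaged.pem; then
  echo "damaged.pem: rejected, $(cert_count damaged.pem) intact certificates"
fi
```

The two checks are deliberately separate: openssl verify proves the file contains a complete path to the root, but it accepts the certificates in any order, so the "server certificate first" rule has to be checked by looking at the first PEM block on its own, which is what PMDF will hand to connecting clients.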
And, typically, how should the DISPATCHER.CNF file in PMDF and the PMAS_CONFIG.DAT file in PMAS be configured so they can work together? A working example of a pair of these files, showing the [SERVICE=####] sections in the DISPATCHER.CNF file and the values of the TLS-related parameters in the PMAS_CONFIG.DAT file, helps in understanding how to configure the files.
For PreciseMail, the PMAS_CONFIG.DAT file has comments for all of the TLS-related variables (and using the admin GUI is even easier).
If you're not using PTSMTP, then there's nothing you have to do for PreciseMail. If you are, then you need to define the following variables:
ptsmtp_listen_host_tls *
ptsmtp_listen_port_tls 465
ptsmtp_mailserver_host_tls 127.0.0.1
ptsmtp_mailserver_port_tls 465
ptsmtp_enable_starttls yes
ptsmtp_tls_public_cert pmas_data:server-pub.pem
ptsmtp_tls_private_cert pmas_data:server-priv.pem
On the PMDF side, the only thing that needs to be added to the PMDF.CNF file is the keyword maytls on the appropriate TCP_* channels.
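An added sketch of how the PMDF side fits the PTSMTP variables above (this is the editor's illustration, not a file from the FAQ or from Process Software's documentation). With ptsmtp_listen_host_tls set to * and ptsmtp_mailserver_host_tls set to 127.0.0.1, PTSMTP takes the public port and relays to PMDF on the loopback address, so PMDF's dispatcher must not bind the same address and port PTSMTP listens on. The dispatcher keywords SERVICE, PORT, TLS_PORT and INTERFACE_ADDRESS and the PMDF.CNF channel layout are given as I recall them from PMDF's documentation; treat them as assumptions to check against the System Manager's Guide for the installed version, and the host name line and ports as illustrative.

```text
! DISPATCHER.CNF fragment (PMDF). Other keywords of the existing SMTP
! service section (IMAGE, LOGFILE, process limits) stay as they are.
! Binding to the loopback address only leaves the public 25 and 465 to PTSMTP.
[SERVICE=SMTP]
PORT=25
TLS_PORT=465
INTERFACE_ADDRESS=127.0.0.1

! PMDF.CNF fragment: the outbound Internet channel with maytls added.
! The official host name line (TCP-DAEMON) is the conventional one; keep
! whatever keywords your tcp_local channel already carries.
tcp_local smtp mx single_sys maytls
TCP-DAEMON
```

If the TCP/IP stack refuses a loopback-only bind on a port that another process already holds on the wildcard address, give the dispatcher a different TLS_PORT and set ptsmtp_mailserver_port_tls to match it; the certificate files referenced by ptsmtp_tls_public_cert and ptsmtp_tls_private_cert are the same concatenated chain and private key PMDF itself uses.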