POPFile on pfsense



  • Hi,

    Before replacing my Linksys with pfsense I had popfile running on a separate machine used as a filtering machine.
    When I discovered pfsense and the fact that you can add plugins to it I posted a suggestion in the thread
    http://forum.pfsense.org/index.php/topic,43.0.html for including popfile as a package.

    I'm posting this with the hope that someone who has a better understanding of how packages are created can work it and
    include popfile (Automatic Email Classification) http://getpopfile.org in the available packages.

    The way that I did it was to manually install popfile from repositories and then create the menu entries in the webconfigurator.

    1- Install popfile from command line
        pkg_add -r popfile
        It will start downloading and install some extra perl modules needed for popfile to function.
        Once finished you will see in the /usr/local/share the new directory called popfile
    2- Create the exec that will launch popfile. This is what the webconfigurator services page uses to start the service
        using winscp I connected to my pfsense and created a new file in /usr/local/etc/rc.d called exec_popfile.sh
        cut and paste between the lines (do not include them), save the file and change its permissions to 777
        ====================================
        #!/bin/sh
        # rc script for POPFile on pfSense; called with start, stop or restart

        rc_start() {
            export POPFILE_USER_DEFAULT=/usr/local/share/popfile
            export POPFILE_ROOT=/usr/local/share/popfile
            export POPFILE_USER=/usr/local/share/popfile
            cd "${POPFILE_USER}" || return 1
            /usr/local/bin/perl /usr/local/share/popfile/popfile.pl >/dev/null 2>&1 &
        }

        rc_stop() {
            /usr/bin/killall popfile.pl
        }

        case "$1" in
            start)
                rc_start
                ;;
            stop)
                rc_stop
                ;;
            restart)
                rc_stop
                rc_start
                ;;
            *)
                echo "Usage: $0 {start|stop|restart}" >&2
                exit 1
                ;;
        esac
        =================================
    3- By default popfile has the initial config to allow connection to its own webpage on port 8080 only from localhost
        This causes a problem since pfsense is not used as a desktop machine and there is no X display on it.
        To overcome this edit /usr/local/share/popfile/UI/HTTP.pm file and remove the checks for localhost
        First copy HTTP.pm as HTTP-orig.pm just in case you need a backup
        With winscp right click on it and edit the HTTP.pm file
        in sub start comment out line 67 with a #
        you end up with this
        $self->{server_} = IO::Socket::INET->new( Proto    => 'tcp',            # PROFILE BLOCK START
                                    #  $self->config_( 'local' )  == 1 ? (LocalAddr => '127.0.0.1') : (),
                                      LocalPort => $self->config_( 'port' ),
                                      Listen    => SOMAXCONN,
                                      Reuse     => 1 );                    # PROFILE BLOCK STOP
      in sub service replace the checks around lines 139 and 140
                if ( ( $self->config_( 'local' ) == 0 ) ||                      # PROFILE BLOCK START
                    ( $remote_host eq inet_aton( "127.0.0.1" ) ) ) {  # PROFILE BLOCK STOP
                to
                if ( 0 == 0 )          # PROFILE BLOCK START
                      {                # PROFILE BLOCK STOP

      Save the file as HTTP.pm
    4- Make sure that all the .pl files in /usr/local/share/popfile are executable
        if not make them with chmod 777 /usr/local/share/popfile/*.pl
    5- You are done with configuring popfile
        You need now to add entries in the webconfig menu in pfsense interface
        Save a copy of /cf/conf/config.xml before
        Edit /cf/conf/config.xml and add the entries for POPFile in the menu section and service section
        look for a pair and add yours after it

    <menu>
    <name>POPFile report</name>
    <tooltiptext>Status</tooltiptext>
    <url>http://:8080$myurl</url>
    </menu>

    The same for adding an entry in the service status page
    <service>
    <name>POPFile</name>
    <rcfile>exec_popfile.sh</rcfile>
    <executable>popfile.pl</executable>
    <description>POPFile email archiver</description>
    </service>
      Save the config.xml and delete config.cache from /tmp to have the system reload your new entries
      You can start now the service and access the webpage to configure the buckets
      Keep in mind that the initial setup uses port 8080.
      If you use it for something else I suggest stopping that service, starting popfile and changing the web port to something else
      or edit /usr/local/share/popfile/popfile.cfg and change html_port to an unused port
      Don't forget to modify your menu entry for the new port.

    The popfile webpage lists the latest version of it as ver 1.1.0
    The pkg from the repository that the pkg_add command installs is at 0.22.5
    You can download the cross platform version, extract it on your computer and copy the content of it
    over your already installed package in /usr/local/share/popfile.
    Keep in mind to save somewhere your modified HTTP.pm or modify the same entries in the new version

    Mishou
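An added example, not code from the post or from pfSense, that builds the two config.xml entries from step 5 with an XML parser and re-parses the result before anything is written back, so a mis-nested tag cannot leave the webconfigurator unable to load its config. It assumes the <menu> and <service> blocks sit directly under the root <pfsense> element and that $myurl is a placeholder pfSense expands to its own address; the sample config is constructed.

```python
# Added example, not from the forum post: generate the POPFile <menu> and
# <service> entries for config.xml with an XML parser and re-parse the result
# before it is written, instead of hand-editing the file in WinSCP.
# Assumption (not confirmed by the post): <menu> and <service> blocks are
# direct children of the root <pfsense> element, and pfSense expands $myurl.
import xml.etree.ElementTree as ET

# Constructed stand-in for /cf/conf/config.xml with one pre-existing service.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <service><name>sshd</name><rcfile>sshd.sh</rcfile>
    <executable>sshd</executable><description>SSH daemon</description></service>
</pfsense>
"""

def _sub(parent, tag, text=None):
    el = ET.SubElement(parent, tag)
    el.text = text
    return el

def add_popfile_entries(config_xml, port=8080):
    """Return config_xml with POPFile <menu> and <service> entries appended.
    Idempotent (a second run returns the input unchanged) and raises
    ET.ParseError on malformed input rather than producing a broken file."""
    root = ET.fromstring(config_xml)
    if any(s.findtext("name") == "POPFile" for s in root.findall("service")):
        return config_xml
    menu = _sub(root, "menu")
    _sub(menu, "name", "POPFile report")
    _sub(menu, "tooltiptext", "Status")
    _sub(menu, "url", "http://$myurl:%d" % port)  # $myurl: assumed placeholder
    svc = _sub(root, "service")
    _sub(svc, "name", "POPFile")
    _sub(svc, "rcfile", "exec_popfile.sh")
    _sub(svc, "executable", "popfile.pl")
    _sub(svc, "description", "POPFile email archiver")
    out = ET.tostring(root, encoding="unicode")
    ET.fromstring(out)  # never hand back XML that pfSense could not load
    return out

def popfile_menu_port(config_xml):
    """Port in the POPFile menu URL, or None if the entry is missing."""
    for m in ET.fromstring(config_xml).findall("menu"):
        if m.findtext("name") == "POPFile report":
            return int(m.findtext("url").rsplit(":", 1)[1])
    return None

if __name__ == "__main__":
    print(add_popfile_entries(SAMPLE_CONFIG, port=8081))
```

Pass the port you chose in step 5 (8080 by default, or the html_port you set in popfile.cfg) so the menu entry and the service stay in agreement.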



  • I have used POPFile in the past, both on client side as well as installed as server daemon (Mercury/32 mail server) and know it's a marvelous piece of software.

    I am however quite concerned about putting too much processing and non-firewall services into the firewall. And even though the same can be said about several packages already in place (and I am also using a few packages myself) I do feel that this type of often busy service and exposed one too, perhaps should not reside in the fw itself.

    In practice you'd have pfs acting as the MX receiving any and all bits from the outside destined to the receiving mail server then.

    I'm not saying it's incorrect - people's opinions vary - and there is other software putting all eggs in the basket (like Untangle?) but I think many like firewalls to not do any and all services, by design, and personally I would not like that, from various security and stability perspectives etc.

    I'd be interested in hearing other views on this though.

    Cheers,

