
    POPFile on pfsense

      mishou

      Hi,

      Before replacing my Linksys with pfsense I had popfile running on a separate machine used as a filtering machine.
      When I discovered pfsense and the fact that you can add plugins to it I posted a suggestion in the thread
      http://forum.pfsense.org/index.php/topic,43.0.html for including popfile as a package.

      I'm posting this with the hope that someone who has a better understanding of how packages are created can work on it and
      include popfile (Automatic Email Classification) http://getpopfile.org in the available packages.

      The way that I did it was to manually install popfile from repositories and then create the menu entries in the webconfigurator.

      1- Install popfile from the command line
          pkg_add -r popfile
          It will start downloading and installing some extra perl modules needed for popfile to function.
          Once finished you will see in /usr/local/share the new directory called popfile
      2- Create the exec that will launch popfile. This is what the webconfigurator services page uses to start the service
          Using winscp I connected to my pfsense and created a new file in /usr/local/etc/rc.d called exec_popfile.sh
          Cut and paste between the lines (do not include them), save the file and change permissions on it to be 777
          ====================================
          #!/bin/sh
          # Start POPFile in the background from its install directory
          rc_start() {
                  export POPFILE_USER_DEFAULT=/usr/local/share/popfile
                  export POPFILE_ROOT=/usr/local/share/popfile
                  export POPFILE_USER=/usr/local/share/popfile
                  cd "${POPFILE_USER}" || exit 1
                  /usr/local/bin/perl /usr/local/share/popfile/popfile.pl >/dev/null 2>&1 &
          }
          # Stop the running POPFile process
          rc_stop() {
                  /usr/bin/killall popfile.pl
          }
          # Dispatch on the action passed by the services page
          case "$1" in
                  start)
                          rc_start
                          ;;
                  stop)
                          rc_stop
                          ;;
                  restart)
                          rc_stop
                          rc_start
                          ;;
          esac
          =================================
      3- By default popfile has the initial config to allow connection to its own webpage on port 8080 only from localhost
          This causes a problem since pfsense is not used as a desktop machine and there is no X display on it.
          To overcome this edit the /usr/local/share/popfile/UI/HTTP.pm file and remove the checks for localhost
          First copy HTTP.pm as HTTP-orig.pm just in case you need a backup
          With winscp right click on it and edit the HTTP.pm file
          In sub start comment out line 67 with a #
          You end up with this
          $self->{server_} = IO::Socket::INET->new( Proto     => 'tcp',            # PROFILE BLOCK START
                                          #  $self->config_( 'local' )  == 1 ? (LocalAddr => '127.0.0.1') : (),
                                          LocalPort => $self->config_( 'port' ),
                                          Listen    => SOMAXCONN,
                                          Reuse     => 1 );                       # PROFILE BLOCK STOP
          In sub service replace the checks around lines 139 and 140
                  if ( ( $self->config_( 'local' ) == 0 ) ||                      # PROFILE BLOCK START
                       ( $remote_host eq inet_aton( "127.0.0.1" ) ) ) {           # PROFILE BLOCK STOP
          to
                  if ( 0 == 0 )          # PROFILE BLOCK START
                        {                # PROFILE BLOCK STOP

          Save the file as HTTP.pm
      4- Make sure that all the .pl files in /usr/local/share/popfile are executable
          If not, make them so with chmod 777 /usr/local/share/popfile/*.pl
      5- You are done with configuring popfile
          You now need to add entries in the webconfig menu in the pfsense interface
          Save a copy of /cf/conf/config.xml before
          Edit /cf/conf/config.xml and add the entries for POPFile in the menu section and service section
          Look for a pair and add yours after it

      <menu>
          <name>POPFile report</name>
          <tooltiptext></tooltiptext>
          <section>Status</section>
          <url>http://$myurl:8080</url>
      </menu>

      The same for adding an entry in the service status page

      <service>
          <name>POPFile</name>
          <rcfile>exec_popfile.sh</rcfile>
          <executable>popfile.pl</executable>
          <description>POPFile email archiver</description>
      </service>

      Save the config.xml and delete config.cache from /tmp to have the system reload your new entries
      You can now start the service and access the webpage to configure the buckets
      Keep in mind that the initial setup uses port 8080.
      If you use it for something else I suggest stopping that service, starting popfile and changing the webport to something else
      or edit /usr/local/share/popfile/popfile.cfg and change html_port to an unused port
      Don't forget to modify your menu entry for the new port.

      The popfile webpage lists the latest version of it as ver 1.1.0
      The pkg from the repository that the pkg_add command installs is at 0.22.5
      You can download the cross platform version, extract it on your computer and copy the content of it
      over your already installed package in /usr/local/share/popfile.
      Keep in mind to save your modified HTTP.pm somewhere or modify the same entries in the new version

      Mishou
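
The steps in the post above set mode 777 on the rc script and the .pl files and remove the localhost restriction from the POPFile web UI. The following is an added audit example, not part of the original post: it lists group- or other-writable files and flags listeners on the UI port that are not bound to loopback. The function names are hypothetical and the sockstat sample is constructed.

```shell
#!/bin/sh
# Added audit example, not from the original post. Function names are
# hypothetical; SAMPLE_SOCKSTAT is constructed, shaped like `sockstat -4l`.

# Print regular files under the given paths that group or other can write
# (mode 777 from steps 2 and 4 matches both tests).
loose_perms() {
    find "$@" -type f \( -perm -020 -o -perm -002 \) 2>/dev/null
}

# Read `sockstat -4l` style lines on stdin and print "COMMAND PID LOCAL"
# for TCP listeners on port $1 that are not bound to loopback.
exposed_listeners() {
    awk -v port="$1" '
        $5 ~ /^tcp/ {
            n = split($6, part, ":")
            lport = part[n]
            addr = substr($6, 1, length($6) - length(lport) - 1)
            if (lport == port && addr != "127.0.0.1")
                print $2, $3, $6
        }'
}

SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     perl       1234  5  tcp4   *:8080                *:*
root     sshd       612   3  tcp4   *:22                  *:*
root     named      377   20 tcp4   127.0.0.1:953         *:*'

# Demo on constructed data: one 777 script, one 755 script, then the sample.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\n' > "$demo_dir/exec_popfile.sh"
printf '#!/bin/sh\n' > "$demo_dir/other.sh"
chmod 777 "$demo_dir/exec_popfile.sh"
chmod 755 "$demo_dir/other.sh"
echo "group/other-writable files:"
loose_perms "$demo_dir"
echo "non-loopback listeners on 8080:"
printf '%s\n' "$SAMPLE_SOCKSTAT" | exposed_listeners 8080
rm -rf "$demo_dir"
```

On the firewall itself the same functions can be fed live data: `sockstat -4l | exposed_listeners 8080` and `loose_perms /usr/local/etc/rc.d /usr/local/share/popfile`.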

        0tt0

        I have used POPFile in the past, both on client side as well as installed as server daemon (Mercury/32 mail server) and know it's a marvelous piece of software.

        I am however quite concerned about putting too much processing and non-firewall services into the firewall. And even though the same can be said about several packages already in place (and I am also using a few packages myself) I do feel that this type of often busy service and exposed one too, perhaps should not reside in the fw itself.

        In practice you'd have pfs acting as the MX receiving any and all bits from the outside destined to the receiving mail server then.

        I'm not saying it's incorrect - people's opinions vary - and there is other software putting all eggs in the basket (like Untangle?) but I think many like firewalls to not do any and all services, by design, and personally I would not like that, from various security and stability perspectives etc.

        I'd be interested in hearing other views on this though.

        Cheers,
