Postfix Policyd
From Zimbra :: Wiki
Policyd is an anti-spam policy daemon for Postfix (written in C) that does greylisting, sender-based throttling (by envelope, SASL or host/IP, on messages and/or volume per defined time unit), recipient rate limiting, spamtrap monitoring/blacklisting, HELO auto-blacklisting and HELO randomization prevention.
It's a great addition to a Zimbra installation.
The following instructions were tried on a Debian install of Zimbra, though they should work roughly the same on other distros as well. (Confirmed on Ubuntu 8.10 without any problem.)
You can install postfix-policyd from source, or as a package. In Debian it's as simple as:
root# apt-get install postfix-policyd
For RHEL & CentOS, it's not so simple. There is no RPM/Yum repository that contains policyd, so you must compile it from source. You can "RPMize" it if you download the bz2 version of the compressed source, as this will help solve any dependency problems while installing. The latest version of policyd is "Cluebringer" (as of January, 2011). You will not find it as "postfix-policyd", but rather "cluebringer-policyd".
Setup Database
If you have installed an additional system mysql-server (at least on Ubuntu), the installation routine will ask you for your database details and set up the database fully automatically.
If you want to use the zimbra packaged version of mysql, you will have to install the policyd database manually. In that case you also have to add the following line to policyd.conf (or postfix-policyd.conf) to get it to work with the Zimbra MySQL server:
MYSQLPORT=7306
root# su - zimbra
zimbra$ mysqladmin create policyd
zimbra$ mysql
mysql> GRANT ALL PRIVILEGES ON `policyd`.* TO `postfix`@`localhost` IDENTIFIED BY 'p0stf1x';
mysql> quit
zimbra$ mysql policyd < DATABASE.mysql
The password 'p0stf1x' above is only an example. Choose your own and use the same value in the policyd configuration file.
There may also be a couple of extra SQL files which can be added at this time. These will give your whitelist and HELO blacklist a bit of a head start.
root# su - zimbra
zimbra$ mysql policyd < whitelist.sql
zimbra$ mysql policyd < blacklist_helo.sql
If you downloaded the source of policyd, then your whitelist.sql will be in the extracted tarball. There is no pre-compiled blacklist_helo.sql.
Edit configuration
Now edit the policyd configuration file (/etc/postfix-policyd.conf on Debian) to suit your tastes. It should be well documented and pretty easy to understand.
For RHEL and CentOS, you should find it in /etc/cbpolicyd.conf. Note the "cb", which stands for "Cluebringer", the latest stable release of policyd.
At this point you should restart the policyd daemon.
root# /etc/init.d/postfix-policyd restart
For CentOS & RHEL:
root# /etc/init.d/cbpolicyd restart
Zimbra Integration
Now you need to tell the Zimbra MTA (Postfix) to use policyd.
First you need to hack the Zimbra recipient restrictions file for Postfix. Add the following line to /opt/zimbra/conf/postfix_recipient_restrictions.cf (at the end of the %%contains list):
%%contains VAR:zimbraMtaRestriction check_policy_service inet:127.0.0.1:10031%%
Now as the zimbra user, update zimbraMtaRestriction. I've added all the other restrictions that Zimbra suggests to add as well, including several Realtime Blackhole Lists (RBL). The important one is at the end.
root# su - zimbra
zimbra$ zmprov mcf zimbraMtaRestriction reject_invalid_hostname \
    zimbraMtaRestriction reject_non_fqdn_hostname \
    zimbraMtaRestriction reject_non_fqdn_sender \
    zimbraMtaRestriction "reject_rbl_client dnsbl.njabl.org" \
    zimbraMtaRestriction "reject_rbl_client opm.blitzed.org" \
    zimbraMtaRestriction "reject_rbl_client cbl.abuseat.org" \
    zimbraMtaRestriction "reject_rbl_client bl.spamcop.net" \
    zimbraMtaRestriction "check_policy_service inet:127.0.0.1:10031"
Now restart Zimbra, and it should all just work!
root# su - zimbra
zimbra$ zmmtactl stop
zimbra$ zmmtactl start
Good luck, and enjoy.
| Verified Against: Ubuntu 8.10 | Date Created: 6/29/2006 |
| Article ID: http://wiki.zimbra.com/index.php?title=Postfix_Policyd | Date Modified: 1/7/2011 |
