CBpolicyd: Difference between revisions

Revision as of 14:43, 10 November 2014

How to configure quotas for cbpolicyd (sqlite).

PolicyD v2 (codenamed "cluebringer") is a multi-platform policy server for popular MTAs. The main goal is to implement as many spam combating and email compliance features as possible. The configuration of cbpolicyd under Zimbra is done by editing the sqlite database as shown in the examples below.

The SQLite database contains several tables that are used to configure cbpolicyd:

sqlite> .tables
access_control             greylisting_tracking
accounting                 greylisting_whitelist
accounting_tracking        policies
checkhelo                  policy_group_members
checkhelo_blacklist        policy_groups
checkhelo_tracking         policy_members
checkhelo_whitelist        quotas
checkspf                   quotas_limits
greylisting                quotas_tracking
greylisting_autoblacklist  session_tracking
greylisting_autowhitelist


We will predominantly work with the policies, policy_members, policy_groups, policy_group_members, quotas and quotas_limits tables. First, we need to navigate to and enter the sqlite database:

$ cd /opt/zimbra/data/cbpolicyd/db/
$ sqlite3 cbpolicyd.sqlitedb
SQLite version 3.6.20
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite>


To configure cbpolicyd, it is important to understand the logic flow and the schema structure of the tables, as they can be confusing at first. The examples below also include the schema structure to make the flow easier to follow. There are two possibilities: configuring a policy with groups or without groups.

For both possibilities we need to do the following:

1. Create a policy in the policies table.
2. Configure the policy members of the newly created policy in the policy_members table.
a) If we are not using groups, then after configuring the policy and policy members, we edit the quotas and quotas_limits tables.
b) If we are using groups, then after configuring the policies, we configure the groups and then the quotas.

Creating policy

The following command creates an enabled policy named "test_policy" with priority 0:

sqlite> insert into policies(Name,Priority,Disabled) VALUES ('test_policy',0,0);


Priority 0 means it will be picked first from the list of policies. The priorities then continue with 1, then 2, and so on.

Example of our newly created policy (the column headers ID, Name, etc. are not shown in the normal view; I added them to show each column name with its data):

sqlite> select * from policies;
ID|Name       |Priority|Description |Disabled
 1|test_policy|0       |            |0

Creating policy members:


The next thing to do is to edit the policy_members table to specify the members that will be included in the policy. We will give two examples: one using a group and one without.

With a group:

sqlite> insert into policy_members(PolicyID,Source,Destination,Disabled) VALUES (1,'%test_group','any',0);


Without a group:

sqlite> insert into policy_members(PolicyID,Source,Destination,Disabled) VALUES (1,'user@mydomain.com','any',0);

The result from these two commands is:

sqlite> select * from policy_members;
ID|PolicyID|Source           |Destination |Comment|Disabled
 1|1       |%test_group      |any         |       |0
 2|1       |user@mydomain.com|any         |       |0

The important thing to note here is the second column of the policy_members table. It points to the ID number in the policies table. In this case, both entries in the policy_members table point to the same policy: ID 1 in the policies table.

Here are the possible options that can be in the Source and Destination columns:

NULL = any
a.b.c.d/e = IP address with optional /e
@domain = domain specification,
%xyz = xyz group,
abc@domain = abc user specification
all options support negation using !<key>

To get these values for any of the tables, you can run this command:

sqlite> .schema policy_members
CREATE TABLE policy_members (
       ID                      INTEGER PRIMARY KEY AUTOINCREMENT,
       PolicyID                INT8,
       /*
               Format of key:
               NULL = any
               a.b.c.d/e = IP address with optional /e
               @domain = domain specification,
               %xyz = xyz group,
               abc@domain = abc user specification
               all options support negation using !<key>
       */
       Source                  TEXT,
       Destination             TEXT,
       Comment                 VARCHAR(1024),
       Disabled                SMALLINT NOT NULL DEFAULT '0',
       FOREIGN KEY (PolicyID) REFERENCES policies(ID)
);

Adding group/s

1. Adding a group is similar to adding a policy; only the table and column names differ. In the previous example we entered a group (test_group) in the policy_members table, but the group itself has not been created yet. Here is how to create it:

sqlite> insert into policy_groups(Name,Disabled) VALUES ('test_group',0);

Here is the group in sqlite:

sqlite> select * from policy_groups;
ID|Name      |Disabled|Comment
 1|test_group|0       |

2. The next step is to create the members for test_group. Below is part of the .schema output for this table, which shows the correct syntax for the policy_group_members table:

/* Format of member: a.b.c.d/e = ip,  @domain = domain, %xyz = xyz group, abc@domain = abc user */

To add a couple of members, we can run the following commands:

sqlite> insert into policy_group_members(PolicyGroupID,Member,Disabled) VALUES (1,'testuser@mydomain',0);
sqlite> insert into policy_group_members(PolicyGroupID,Member,Disabled) VALUES (1,'192.168.56.10/24',0);

And the result is:

sqlite> select * from policy_group_members;
ID|PolicyGroupID   |Member           |Disabled|Comment
 1|1               |testuser@mydomain|0       |
 2|1               |192.168.56.10/24 |0       |


This shows that all quotas pointing to policy ID 1 will enforce their rules on testuser@mydomain, the machine with IP 192.168.56.10, and user@mydomain.com, which is specified as ID 2 in the policy_members table. As in the previous example, PolicyGroupID points to a specific policy_groups entry ID; in our case it points to ID 1.
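Because a policy only applies to the members its keys actually match, it is worth checking the member rows after editing them. The following is an added example, not part of the original page or of cbpolicyd: it classifies each Source, Destination and Member value using the key format from the schema comment, then reports unrecognised keys, %group references with no enabled policy_groups row, and IP keys whose prefix leaves host bits set. The helper names (classify, audit, sample_db) are hypothetical, the sample database is a reduced in-memory copy of the rows inserted above, and how cbpolicyd itself evaluates such a prefix is not checked here; the row is only flagged for review.

```python
import ipaddress
import sqlite3

def classify(spec):
    """Map one key to (kind, value) using the format in the schema comment."""
    if spec is None or spec == "any":   # NULL = any; 'any' as in the page's inserts
        return ("any", None)
    key = spec[1:] if spec.startswith("!") else spec   # !<key> negation
    if key[:1] in ("%", "@") and len(key) > 1:
        return ("group" if key[0] == "%" else "domain", key[1:])
    if "@" in key:
        return ("user", key)
    try:
        return ("ip", ipaddress.ip_interface(key))   # a.b.c.d with optional /e
    except ValueError:
        return ("invalid", key)

def audit(conn):
    """Return sorted findings: bad keys, unknown groups, CIDRs with host bits set."""
    groups = {name for (name,) in conn.execute(
        "SELECT Name FROM policy_groups WHERE Disabled = 0")}
    rows = conn.execute(
        "SELECT 'policy_members.Source', ID, Source FROM policy_members UNION ALL "
        "SELECT 'policy_members.Destination', ID, Destination FROM policy_members UNION ALL "
        "SELECT 'policy_group_members.Member', ID, Member FROM policy_group_members").fetchall()
    findings = []
    for column, row_id, spec in rows:
        kind, value = classify(spec)
        if kind == "invalid":
            findings.append((column, row_id, "unrecognised key"))
        elif kind == "group" and value not in groups:
            findings.append((column, row_id, "group missing or disabled"))
        elif kind == "ip" and value.ip != value.network.network_address:
            findings.append((column, row_id,
                f"host bits set; prefix spans {value.network.num_addresses} addresses"))
    return sorted(findings)

def sample_db():
    """In-memory copy of the member rows inserted on this page (columns reduced)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE policy_members (ID INTEGER PRIMARY KEY AUTOINCREMENT, PolicyID INT8, Source TEXT, Destination TEXT, Disabled SMALLINT DEFAULT 0);
        CREATE TABLE policy_groups (ID INTEGER PRIMARY KEY AUTOINCREMENT, Name TEXT, Disabled SMALLINT DEFAULT 0);
        CREATE TABLE policy_group_members (ID INTEGER PRIMARY KEY AUTOINCREMENT, PolicyGroupID INT8, Member TEXT, Disabled SMALLINT DEFAULT 0);
        INSERT INTO policy_members(PolicyID,Source,Destination) VALUES (1,'%test_group','any');
        INSERT INTO policy_members(PolicyID,Source,Destination) VALUES (1,'user@mydomain.com','any');
        INSERT INTO policy_group_members(PolicyGroupID,Member) VALUES (1,'testuser@mydomain');
        INSERT INTO policy_group_members(PolicyGroupID,Member) VALUES (1,'192.168.56.10/24');
    """)
    return conn
```

Calling audit(sample_db()) before the policy_groups insert reports the %test_group reference as unresolved; after the insert only the 192.168.56.10/24 row remains flagged.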



--IN PROGRESS--
