Difference between revisions of "How-to for cbpolicyd"

(Performance tuning)
Line 122: Line 122:
 
  #
 
  #
 
  log_detail=modules
 
  log_detail=modules
 +
 +
===Database===
 +
To access the policyd db :
 +
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb
 +
 +
List of tables :
 +
sqlite> .tables
 +
access_control            greylisting_whitelist
 +
checkhelo                  policies
 +
checkhelo_blacklist        policy_group_members
 +
checkhelo_tracking        policy_groups
 +
checkhelo_whitelist        policy_members
 +
checkspf                  quotas
 +
greylisting                quotas_limits
 +
greylisting_autoblacklist  quotas_tracking
 +
greylisting_autowhitelist  session_tracking
 +
greylisting_tracking
  
 
===Example===
 
===Example===
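Review bot: The added Database section hard-codes /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb in the sqlite3 command, but that location is the value of the cbpolicyd_db_file localconfig key listed elsewhere on the page. Mention the key next to the command so that readers with a non-default path open the right file. The section would also benefit from a sentence noting that the .tables output includes tables for modules that are disabled by default (greylisting, checkhelo, checkspf, access_control), so their presence does not mean the module is active.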

Revision as of 12:01, 2 April 2013

Introduction

  • Packaged as part of the zimbra-mta package
  • Configured to run as a daemon on 127.0.0.1:10031
  • Integrated with postfix as a check_policy_service
  • Cbpolicyd database uses sqlite
  • Default configuration enables quotas module

Enable/Disable

To enable :

zmprov ms <mta server> +zimbraServiceEnabled cbpolicyd

The following changes get written by zmconfigd to postconf :

smtpd_end_of_data_restrictions = check_policy_service inet:localhost:10031
smtpd_recipient_restrictions = check_policy_service inet:localhost:10031, reject_non_fqdn_recipient, reject_unlisted_recipient, reject_invalid_helo_hostname, reject_non_fqdn_sender, permit

When the service is enabled the following is logged in /opt/zimbra/log/cbpolicyd.log

[2013/04/02-02:15:39 - 8686] [CORE] NOTICE: 2013/04/02-02:15:39 cbp (type Net::Server::PreFork) starting! pid(8686)
[2013/04/02-02:15:39 - 8686] [CORE] NOTICE: Resolved [localhost]:10031 to [::1]:10031, IPv6
[2013/04/02-02:15:39 - 8686] [CORE] NOTICE: Resolved [localhost]:10031 to [127.0.0.1]:10031,  IPv4
[2013/04/02-02:15:39 - 8686] [CORE] NOTICE: Binding to TCP port 10031 on host ::1 with IPv6
[2013/04/02-02:15:39 - 8686] [CORE] NOTICE: Binding to TCP port 10031 on host 127.0.0.1 with IPv4
[2013/04/02-02:15:39 - 8686] [CORE] NOTICE: Setting gid to "501 501"
[2013/04/02-02:15:39 - 8686] [CORE] INFO: Setting up serialization via flock
[2013/04/02-02:15:39 - 8686] [CORE] INFO: Beginning prefork (4 processes)
[2013/04/02-02:15:39 - 8686] [CORE] INFO: Starting "4" children

Process :

 0:00 /usr/bin/perl /opt/zimbra/cbpolicyd/bin/cbpolicyd --config /opt/zimbra/conf/cbpolicyd.conf
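To confirm that the daemon answers on the policy port and not merely that the process exists, the Postfix policy delegation exchange can be replayed by hand. The following is an added example, not part of the original page or of Zimbra's tooling; the attribute values (addresses, hostnames, instance id) are constructed, and the host and port defaults are the ones the page gives.

```python
import socket

# Constructed probe attributes (assumed values, not from the page): the kind of
# name=value set Postfix sends to a check_policy_service at RCPT TO time.
SAMPLE_REQUEST = {
    "request": "smtpd_access_policy",
    "protocol_state": "RCPT",
    "protocol_name": "ESMTP",
    "client_address": "192.0.2.10",
    "client_name": "probe.example.net",
    "helo_name": "probe.example.net",
    "sender": "probe@example.net",
    "recipient": "postmaster@example.com",
    "instance": "probe.1",
    "size": "0",
}

def encode_request(attrs):
    """Serialize attributes as name=value lines closed by one empty line."""
    for name, value in attrs.items():
        if "=" in name or "\n" in name or "\n" in value:
            raise ValueError(f"attribute {name!r} would break request framing")
    return ("".join(f"{n}={v}\n" for n, v in attrs.items()) + "\n").encode()

def parse_response(raw):
    """Return the text after 'action=' from the daemon's reply."""
    for line in raw.decode("utf-8", "replace").splitlines():
        if line.startswith("action="):
            return line[len("action="):]
    raise ValueError("policy reply contained no action= line")

def exchange(sock, attrs):
    """Send one request on a connected socket and read the reply to its blank line."""
    sock.sendall(encode_request(attrs))
    reply = b""
    while not reply.endswith(b"\n\n"):
        chunk = sock.recv(4096)
        if not chunk:  # daemon closed the connection early
            break
        reply += chunk
    return parse_response(reply)

def query_policy(attrs, host="127.0.0.1", port=10031, timeout=5.0):
    """Connect to the policy daemon (page defaults) and return its action."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return exchange(sock, attrs)

if __name__ == "__main__":
    print(query_policy(SAMPLE_REQUEST))
```

The daemon handles the probe like a real RCPT request, so with the quotas module enabled it may be counted in the tracking tables; use a throwaway sender address.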


To Disable :

zmprov ms <mta server> -zimbraServiceEnabled cbpolicyd
  • Note: Ideally configd should remove the postconf entry. If it does not, remove the following line from /opt/zimbra/postfix/conf/main.cf and restart the MTA :
smtpd_end_of_data_restrictions = check_policy_service inet:localhost:10031


Config file

Config file for the cbpolicyd process :

/opt/zimbra/conf/cbpolicyd.conf.in gets rewritten by configd to /opt/zimbra/conf/cbpolicyd.conf

Configuration of cbpolicyd daemon via localconfig :

 # default log, pid and database files
 cbpolicyd_pid_file
 cbpolicyd_log_file
 cbpolicyd_db_file
 
 # policyd log_level default is 3 for info,notices,warnings and errors
 cbpolicyd_log_level=3            [0-4]
 
 # use cbpolicyd_log_file (main) or syslog (maillog) for logging
 cbpolicyd_log_mail=main          [main|maillog]
 
 # components of policyd to log data
 cbpolicyd_log_detail=modules     [modules,tracking,policies,protocols]
 
 # bind host/port default is 127.0.0.1:10031
 cbpolicyd_bind_host=127.0.0.1   
 cbpolicyd_bind_port=10031
 # timeout in communication with clients
 cbpolicyd_timeout=120
 
 # how many seconds before retrying database connection
 cbpolicyd_bypass_timeout=30
 # what to do when there is a database connection problem
 cbpolicyd_bypass_mode=tempfail   [tempfail|pass]
 
 # enable/disable specific policyd modules
 cbpolicyd_module_accesscontrol=0 [0|1]
 cbpolicyd_module_greylisting=0   [0|1]
 cbpolicyd_module_checkhelo=0     [0|1]
 cbpolicyd_module_checkspf=0      [0|1]
 cbpolicyd_module_quotas=1        [0|1] 

Default config values :

$ zmlocalconfig  | grep -i cbpolicy
cbpolicyd_bind_port = 10031
cbpolicyd_bypass_mode = tempfail
cbpolicyd_bypass_timeout = 30
cbpolicyd_cache_file = ${zimbra_home}/data/cache
cbpolicyd_db_file = ${zimbra_home}/data/cbpolicyd/db/cbpolicyd.sqlitedb
cbpolicyd_log_detail = modules
cbpolicyd_log_file = ${zimbra_log_directory}/cbpolicyd.log
cbpolicyd_log_level = 4
cbpolicyd_log_mail = main
cbpolicyd_module_accesscontrol = 0
cbpolicyd_module_checkhelo = 0
cbpolicyd_module_checkspf = 0
cbpolicyd_module_greylisting = 0
cbpolicyd_module_quotas = 1
cbpolicyd_pid_file = ${zimbra_log_directory}/cbpolicyd.pid
cbpolicyd_timeout = 120

Logging

Log file for Cbpolicyd :

log_file=/opt/zimbra/log/cbpolicyd.log

The log level is controlled by the localconfig (LC) key "cbpolicyd_log_level", which can be set to one of the values below :

# Log level:
# 0 - Errors only
# 1 - Warnings and errors
# 2 - Notices, warnings, errors
# 3 - Info, notices, warnings, errors
# 4 - Debugging

To log in further detail, set the LC attribute "cbpolicyd_log_detail" to one or more of the options below :

# modules   - Log detailed module running information
# tracking  - Log detailed tracking information
# policies  - Log policy resolution
# protocols     - Log general protocol info, but detailed
# bizanga   - Log the bizanga protocol
#
# There is no default for this configuration option. Options can be
# separated by commas. ie. protocols,modules
#
log_detail=modules
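The Postfix policy protocol carries no authentication, so the listener addresses that cbpolicyd reports at startup are worth checking against the intended loopback-only binding. The following is an added example, not part of the original page: it parses cbpolicyd.log lines in the layout shown under Enable/Disable and reports any bind that is not a literal loopback address. The first two sample lines are copied from the page; the others are constructed.

```python
import ipaddress
import re

# Line layout taken from the startup log shown on this page:
# [date-time - pid] [COMPONENT] LEVEL: message
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d-\d\d:\d\d:\d\d) - (?P<pid>\d+)\] "
    r"\[(?P<component>[^\]]+)\] (?P<level>[A-Z]+): (?P<msg>.*)$"
)
BIND_RE = re.compile(r"Binding to TCP port (?P<port>\d+) on host (?P<host>\S+)")

SAMPLE_LOG = [
    # First two lines are copied from the page; the last two are constructed.
    '[2013/04/02-02:15:39 - 8686] [CORE] NOTICE: Binding to TCP port 10031 on host ::1 with IPv6',
    '[2013/04/02-02:15:39 - 8686] [CORE] NOTICE: Binding to TCP port 10031 on host 127.0.0.1 with IPv4',
    '[2013/04/03-09:00:00 - 9001] [CORE] NOTICE: Binding to TCP port 10031 on host 0.0.0.0 with IPv4',
    '[2013/04/03-09:00:00 - 9001] [CORE] INFO: Starting "4" children',
]

def parse_line(line):
    """Split one cbpolicyd.log line into its fields, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def is_loopback(host):
    """True only for literal loopback addresses; names and wildcards count as exposed."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def bind_events(lines):
    """Yield (timestamp, pid, host, port) for every listener the daemon logged."""
    for line in lines:
        rec = parse_line(line)
        m = BIND_RE.search(rec["msg"]) if rec else None
        if m:
            yield rec["ts"], int(rec["pid"]), m["host"], int(m["port"])

def exposed_binds(lines):
    """Return the bind events whose host is not a literal loopback address."""
    return [e for e in bind_events(lines) if not is_loopback(e[2])]

if __name__ == "__main__":
    for ts, pid, host, port in exposed_binds(SAMPLE_LOG):
        print(f"{ts} pid {pid}: listening on non-loopback {host}:{port}")
```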

Database

To access the policyd db :

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb

List of tables :

sqlite> .tables
access_control             greylisting_whitelist
checkhelo                  policies
checkhelo_blacklist        policy_group_members
checkhelo_tracking         policy_groups
checkhelo_whitelist        policy_members
checkspf                   quotas
greylisting                quotas_limits
greylisting_autoblacklist  quotas_tracking
greylisting_autowhitelist  session_tracking
greylisting_tracking

Example

Performance tuning

The default cbpolicyd configuration is not optimized for high-traffic environments. As a starting point, set the following in /opt/zimbra/conf/cbpolicyd.conf.in :

# Large mailserver: 8, 8, 16, 64, 1000
min_servers=8
min_spare_servers=8
max_spare_servers=16
max_servers=64
max_requests=1000