Zimbra :: Tech Center: Cluebringer Policy Daemon
Revision as of 02:12, 25 June 2013
Postfix Cluebringer Policyd in Zimbra
Policyd is an anti-spam policy daemon for Postfix (written in C) that does greylisting, sender-based throttling (by envelope sender, SASL user or host/IP, on message count and/or volume per defined time unit), recipient rate limiting, spamtrap monitoring/blacklisting, HELO auto-blacklisting and HELO randomization prevention.
It is included as a part of the Zimbra package, but it is not enabled by default.
Enabling policyd
First, ensure sqlite is installed (it is listed as a suggested install).
To enable policyd, simply tell the Zimbra installation you want it enabled:
zmprov ms <mta server> +zimbraServiceEnabled cbpolicyd
After 1 to 2 minutes the zmconfigd process will detect that you want this service enabled, and will automatically install the database and start the service. The daemon is controlled by the following localconfig keys (set with zmlocalconfig):
- cbpolicyd_pid_file - location of PID file.
- cbpolicyd_log_file - location of log file.
- cbpolicyd_db_file - location of SQLite database
- cbpolicyd_min_servers - Minimum number of servers to have running. ZCS8.0.5 and higher
- cbpolicyd_min_spare_servers - Minimum number of spare servers to have on hand. ZCS8.0.5 and higher
- cbpolicyd_max_spare_servers - Maximum number of spare servers to have on hand. ZCS8.0.5 and higher
- cbpolicyd_max_servers - Maximum number of servers to allow. ZCS8.0.5 and higher
- cbpolicyd_max_requests - Maximum number of requests to process at one time. ZCS8.0.5 and higher
- cbpolicyd_cache_file - location of cache
- cbpolicyd_log_level - loglevel (default 3)
- cbpolicyd_log_mail - Where to log mail decisions. Default is "main", i.e. log to policyd's main log mechanism; accepts no arguments
- cbpolicyd_log_detail - What detail of logging to provide. Default "modules"
- cbpolicyd_bind_port - Bind port for cbpolicyd. default 10031
- cbpolicyd_timeout - Timeout when talking to clients. Default 120 seconds. ZCS7 and ZCS8 releases earlier than ZCS8.0.4
- cbpolicyd_timeout_idle - Idle timeout. Defaults to 1020 seconds. ZCS8.0.4 and higher
- cbpolicyd_timeout_busy - Busy timeout. Defaults to 120 seconds. ZCS8.0.4 and higher
- cbpolicyd_bypass_timeout - Bypass timeout. Defaults to 30 seconds.
- cbpolicyd_bypass_mode - Bypass fail mode. Default is "tempfail"
- cbpolicyd_module_accesscontrol - Enable Access Control module. Default 0 (disabled)
- cbpolicyd_module_greylisting - Enable greylisting. Default 0 (disabled)
- cbpolicyd_module_greylisting_training - If greylisting is enabled, whether or not to run in training mode. Default 0 (Do not run in training mode). ZCS8 only
- cbpolicyd_module_greylisting_defer_msg - Message to give when deferring email. Default "Greylisting in effect, please come back later". ZCS8 only
- cbpolicyd_module_greylisting_blacklist_msg - Message to give when client is on blacklist. Default "Greylisting in effect, sending server blacklisted". ZCS8 only
- cbpolicyd_module_checkhelo - Enable checkhelo module. Default 0 (disabled)
- cbpolicyd_module_checkspf - Enable CheckSPF module. Default 0 (disabled)
- cbpolicyd_module_quotas - Enable Quotas module. Default 1 (enabled)
- cbpolicyd_module_amavis - Enable amavis module. Default 0 (disabled) ZCS8.0.4 and higher.
- cbpolicyd_module_accounting - Enable accounting module. Default 0 (disabled). ZCS8.0.4 and higher.
Table data for cbpolicyd
The ".tables" command will display the tables that currently exist in the sqlite DB for cbpolicyd policies. There is also a "master" table named sqlite_sequence that counts the policies:
- Master table with no added policies. Default amavis_rules policy only exists in ZCS8.0.5 and higher:
sqlite> select * from sqlite_sequence;
policies|5
policy_members|5
policy_groups|2
policy_group_members|3
quotas|2
quotas_limits|3
checkhelo_blacklist|4
amavis_rules|1
The above shows that there are:
- 5 policies
- 5 policy members
- 2 policy groups
- 3 policy group members
- 2 quota policies
- 3 quota limit policies
- 4 checkhelo_blacklist policies
- 1 amavis rules policy
- Policy tables available in ZCS8.0.5 and later:
sqlite> .tables
access_control             greylisting_autowhitelist
accounting                 greylisting_tracking
accounting_tracking        greylisting_whitelist
amavis_rules               policies
checkhelo                  policy_group_members
checkhelo_blacklist        policy_groups
checkhelo_tracking         policy_members
checkhelo_whitelist        quotas
checkspf                   quotas_limits
greylisting                quotas_tracking
greylisting_autoblacklist  session_tracking
- Policy tables available in ZCS8.0.4 and previous:
sqlite> .tables
access_control             greylisting_whitelist
checkhelo                  policies
checkhelo_blacklist        policy_group_members
checkhelo_tracking         policy_groups
checkhelo_whitelist        policy_members
checkspf                   quotas
greylisting                quotas_limits
greylisting_autoblacklist  quotas_tracking
greylisting_autowhitelist  session_tracking
greylisting_tracking
Examining defined policies for a given table
You can use a select statement to view the defined policies for a given table.
For our example, we will examine the quota (rate limiting) policies that are installed by default. The Quota (rate-limiting) policy consists of two separate tables. The first table is named "quotas", the second table is named "quotas_limits".
sqlite> select * from quotas;
1|5|Recipient quotas|Recipient:user@domain|3600|REJECT||0||0
2|5|Quota on all /24s|SenderIP:/24|3600|REJECT||0||0
- The first column is the identifier for the quota policy (referenced by the second column of quotas_limits).
- The fifth column is the time interval for the policy. In this case, they both default to 3600 seconds.
sqlite> select * from quotas_limits;
1|1|MessageCount|10||0
2|1|MessageCumulativeSize|8000||0
3|2|MessageCount|12||0
- The second column refers to the identifier in the quotas table. More than one rule can be defined per quota identifier, as seen above.
- The fourth column is the "rate limit". For example, in the 3rd row, "12" is the max number of hits coming from a specific sender IP within 3600 seconds.
Example policy definitions via the command line
The following examples show how to implement various policies via the command line.
Defining a rate-limit (quota) with cbpolicyd
By default "quota" or "rate limiting" is enabled, but there is no policy defining how it should behave. The example below adds two policies:
- Rate limit any sender from sending more than 20 emails every 60 seconds. Messages beyond this limit are deferred.
- Rate limit any @domain from receiving more than 50 emails in a 60 second period. Messages beyond this rate are rejected.
As Zimbra:
- Create a file called rate-limit.sql with the following contents. If ZCS8.0.4 or previous, remove the amavis_rules line.
BEGIN TRANSACTION;
INSERT INTO "policies" (Name,Priority,Description) VALUES('Zimbra Rate Limit', 0, 'Zimbra Quota Policy');
DELETE FROM sqlite_sequence;
INSERT INTO "sqlite_sequence" VALUES('policies', 6);
INSERT INTO "sqlite_sequence" VALUES('policy_members', 6);
INSERT INTO "sqlite_sequence" VALUES('policy_groups', 2);
INSERT INTO "sqlite_sequence" VALUES('policy_group_members', 3);
INSERT INTO "sqlite_sequence" VALUES('quotas', 4);
INSERT INTO "sqlite_sequence" VALUES('quotas_limits', 5);
INSERT INTO "sqlite_sequence" VALUES('checkhelo_blacklist', 4);
INSERT INTO "sqlite_sequence" VALUES('amavis_rules', 1);
INSERT INTO "policy_members" (PolicyID,Source,Destination) VALUES(6, 'any', 'any');
INSERT INTO "quotas" (PolicyID,Name,Track,Period,Verdict,Data) VALUES (6, 'Sender:user@domain','Sender:user@domain', 60, 'DEFER', 'Deferring: Too many messages from sender in last 60');
INSERT INTO "quotas" (PolicyID,Name,Track,Period,Verdict) VALUES (6, 'Recipient:@domain', 'Recipient:@domain', 60, 'REJECT');
INSERT INTO "quotas_limits" (QuotasID,Type,CounterLimit) VALUES(3, 'MessageCount', 20);
INSERT INTO "quotas_limits" (QuotasID,Type,CounterLimit) VALUES(4, 'MessageCount', 50);
COMMIT;
- Import the rules into cbpolicyd:
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb < rate-limit.sql
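The rate-limit.sql above hard-codes the new policy and quota IDs (6, 3 and 4) and rewrites sqlite_sequence by hand, which only lines up on a database that still holds exactly the stock rows. The following added example (not from the wiki or from Zimbra) inserts the same two quotas using the IDs SQLite actually assigns, and then joins quotas with quotas_limits to show each effective limit, flagging any quota that has no limit row; the minimal schema is a constructed assumption that only carries the columns used by the wiki's own INSERT statements.

```python
import sqlite3
# Constructed minimal schema (assumption): only the columns the wiki's own
# INSERT statements use; the real cbpolicyd tables carry more columns.
SCHEMA = """
CREATE TABLE policies (ID INTEGER PRIMARY KEY AUTOINCREMENT, Name TEXT, Priority INTEGER, Description TEXT);
CREATE TABLE policy_members (ID INTEGER PRIMARY KEY AUTOINCREMENT, PolicyID INTEGER, Source TEXT, Destination TEXT);
CREATE TABLE quotas (ID INTEGER PRIMARY KEY AUTOINCREMENT, PolicyID INTEGER, Name TEXT, Track TEXT, Period INTEGER, Verdict TEXT, Data TEXT);
CREATE TABLE quotas_limits (ID INTEGER PRIMARY KEY AUTOINCREMENT, QuotasID INTEGER, Type TEXT, CounterLimit INTEGER);
"""

# The two quotas from the wiki's rate-limit.sql: (Track, Period, Verdict, Data, Type, CounterLimit)
RATE_LIMITS = [
    ("Sender:user@domain", 60, "DEFER",
     "Deferring: Too many messages from sender in last 60", "MessageCount", 20),
    ("Recipient:@domain", 60, "REJECT", None, "MessageCount", 50),
]

def open_demo_db():
    """In-memory database with the constructed schema, for offline testing."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def add_rate_limit_policy(conn, quotas=RATE_LIMITS):
    """Add the 'Zimbra Rate Limit' policy and return its PolicyID. IDs come from
    cursor.lastrowid rather than hand-written sqlite_sequence rows, so this is
    safe on a database that already holds policies beyond the stock ones."""
    cur = conn.cursor()
    cur.execute("INSERT INTO policies (Name,Priority,Description) VALUES (?,?,?)",
                ("Zimbra Rate Limit", 0, "Zimbra Quota Policy"))
    policy_id = cur.lastrowid
    cur.execute("INSERT INTO policy_members (PolicyID,Source,Destination) VALUES (?,?,?)",
                (policy_id, "any", "any"))
    for track, period, verdict, data, ltype, limit in quotas:
        cur.execute("INSERT INTO quotas (PolicyID,Name,Track,Period,Verdict,Data) "
                    "VALUES (?,?,?,?,?,?)", (policy_id, track, track, period, verdict, data))
        cur.execute("INSERT INTO quotas_limits (QuotasID,Type,CounterLimit) VALUES (?,?,?)",
                    (cur.lastrowid, ltype, limit))
    conn.commit()
    return policy_id

def audit_quotas(conn):
    """One summary line per quota joined with its limits. A quota with no
    quotas_limits row is flagged: the Quotas module is on by default, but such
    a quota never produces a verdict."""
    rows = conn.execute(
        "SELECT q.ID, q.Track, q.Period, q.Verdict, l.Type, l.CounterLimit "
        "FROM quotas q LEFT JOIN quotas_limits l ON l.QuotasID = q.ID "
        "ORDER BY q.ID, l.ID").fetchall()
    return [f"quota {qid} {track}: NO LIMITS DEFINED (inert)" if ltype is None else
            f"quota {qid} {track}: max {limit} {ltype} per {period}s -> {verdict}"
            for qid, track, period, verdict, ltype, limit in rows]
```

To audit a live MTA, point sqlite3.connect at the cbpolicyd.sqlitedb path shown above instead of open_demo_db() and call audit_quotas() on it.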
Database cleanup for cbpolicyd
Old and outdated entries are not automatically purged from CBPolicyd's database. Thanks to Cine @ Zextras for noting this. A tool called "cbpadmin" is provided to take care of this operation, so one may wish to schedule a cronjob on the MTAs to do this:
35 3 * * * /opt/zimbra/cbpolicyd/bin/cbpadmin --config=/opt/zimbra/conf/cbpolicyd.conf --cleanup >/dev/null
Performance tuning
In ZCS 8.0.5, you can easily tune the cbpolicyd daemon for high volume MTAs. By default it is tuned for medium volume servers.
For a large volume server:
zmlocalconfig -e cbpolicyd_min_servers=8
zmlocalconfig -e cbpolicyd_min_spare_servers=8
zmlocalconfig -e cbpolicyd_max_spare_servers=16
zmlocalconfig -e cbpolicyd_max_servers=64
zmlocalconfig -e cbpolicyd_max_requests=1000
Disabling cbpolicyd
Disabling cbpolicyd is as simple as removing it as an enabled service:
- zmprov ms <mta server> -zimbraServiceEnabled cbpolicyd
This will trigger zmconfigd to rewrite the postfix configuration and shut down cbpolicyd.
See Also
Detailed cbpolicyd for zimbra information