Zimbra :: Tech Center:Cluebringer Policy Daemon: Difference between revisions
Revision as of 01:14, 25 June 2013
Postfix Cluebringer Policyd in Zimbra
Policyd is an anti-spam policy daemon for Postfix (written in C) that does greylisting, sender-based throttling (keyed on the envelope sender, SASL user or host/IP, limiting messages and/or volume per defined time unit), recipient rate limiting, spamtrap monitoring/blacklisting, HELO auto-blacklisting and HELO randomization prevention.
It is included as a part of the Zimbra package, but it is not enabled by default.
Enabling policyd
First ensure sqlite is installed (it is listed as a suggested install).
To enable policyd, simply tell the Zimbra installation you want it enabled:
zmprov ms <mta server> +zimbraServiceEnabled cbpolicyd
After 1 to 2 minutes the zmconfigd process will detect that you want this service enabled, and automatically install the database and start the service.
The following cbpolicyd settings are available:
- cbpolicyd_pid_file - location of the PID file.
- cbpolicyd_log_file - location of the log file.
- cbpolicyd_db_file - location of the SQLite database.
- cbpolicyd_cache_file - location of the cache file.
- cbpolicyd_log_level - log level (default 3).
- cbpolicyd_log_mail - Default is "main". Log to policyd's main log mechanism; accepts no arguments.
- cbpolicyd_log_detail - What detail of logging to provide. Default "modules".
- cbpolicyd_bind_port - Bind port for cbpolicyd. Default 10031.
- cbpolicyd_timeout - Timeout when talking to clients. Default 120 seconds. ZCS7 and ZCS8 before 8.0.4.
- cbpolicyd_timeout_idle - Idle timeout. Defaults to 1020 seconds. ZCS8.0.4 and higher.
- cbpolicyd_timeout_busy - Busy timeout. Defaults to 120 seconds. ZCS8.0.4 and higher.
- cbpolicyd_bypass_timeout - Bypass timeout. Defaults to 30 seconds.
- cbpolicyd_bypass_mode - Bypass fail mode. Default is "tempfail".
- cbpolicyd_module_accesscontrol - Enable the Access Control module. Default 0 (disabled).
- cbpolicyd_module_greylisting - Enable greylisting. Default 0 (disabled).
- cbpolicyd_module_greylisting_training - If greylisting is enabled, whether or not to run in training mode. Default 0 (do not run in training mode). ZCS8 only.
- cbpolicyd_module_greylisting_defer_msg - Message to give when deferring email. Default "Greylisting in effect, please come back later". ZCS8 only.
- cbpolicyd_module_greylisting_blacklist_msg - Message to give when the client is on the blacklist. Default "Greylisting in effect, sending server blacklisted". ZCS8 only.
- cbpolicyd_module_checkhelo - Enable the checkhelo module. Default 0 (disabled).
- cbpolicyd_module_checkspf - Enable the CheckSPF module. Default 0 (disabled).
- cbpolicyd_module_quotas - Enable the Quotas module. Default 1 (enabled).
- cbpolicyd_module_amavis - Enable the amavis module. Default 0 (disabled). ZCS8.0.4 and higher.
- cbpolicyd_module_accounting - Enable the accounting module. Default 0 (disabled). ZCS8.0.4 and higher.
Table data for cbpolicyd
The ".tables" command displays the tables that currently exist in the sqlite DB for cbpolicyd policies. There is also a "master" table named sqlite_sequence that holds, per table, the highest ID assigned so far, which is a count of the policies created:
- Master table with no added policies (the default amavis_rules policy only exists in ZCS8.0.5 and higher):
sqlite> select * from sqlite_sequence;
policies|5
policy_members|5
policy_groups|2
policy_group_members|3
quotas|2
quotas_limits|3
checkhelo_blacklist|4
amavis_rules|1
The above shows that there are:
- 5 policies
- 5 policy members
- 2 policy groups
- 3 policy group members
- 2 quota policies
- 2 quota limit policies
- 4 checkhelo_blacklist policies
- 1 amavis rules policy
- Policy tables available in ZCS8.0.5 and later:
sqlite> .tables
access_control
accounting
accounting_tracking
amavis_rules
checkhelo
checkhelo_blacklist
checkhelo_tracking
checkhelo_whitelist
checkspf
greylisting
greylisting_autoblacklist
greylisting_autowhitelist
greylisting_tracking
greylisting_whitelist
policies
policy_group_members
policy_groups
policy_members
quotas
quotas_limits
quotas_tracking
session_tracking
- Policy tables available in ZCS8.0.4 and previous:
sqlite> .tables
access_control
checkhelo
checkhelo_blacklist
checkhelo_tracking
checkhelo_whitelist
checkspf
greylisting
greylisting_autoblacklist
greylisting_autowhitelist
greylisting_tracking
greylisting_whitelist
policies
policy_group_members
policy_groups
policy_members
quotas
quotas_limits
quotas_tracking
session_tracking
Examining defined policies for a given table
You can use a select statement to view the defined policies for a given table.
For our example, we will examine the quota (rate-limiting) policies that are installed by default. The quota policy consists of two separate tables: the first is named "quotas", the second "quotas_limits".
sqlite> select * from quotas;
1|5|Recipient quotas|Recipient:user@domain|3600|REJECT||0||0
2|5|Quota on all /24s|SenderIP:/24|3600|REJECT||0||0
The first column is the identifier for the quota policy (referenced by the QuotasID column of quotas_limits). The fifth column is the time interval for the policy, in seconds; both default entries use 3600 seconds.
sqlite> select * from quotas_limits;
1|1|MessageCount|10||0
2|1|MessageCumulativeSize|8000||0
3|2|MessageCount|12||0
The second column refers to the identifier in the quotas table; more than one limit can be defined per quota identifier, as seen above. The fourth column is the "rate limit": for example, in the third row, "12" is the maximum number of hits from a specific sender IP within 3600 seconds.
Example policy definitions via the command line
The following examples show how to implement various policies via the command line.
Defining a rate-limit (quota) with cbpolicyd
By default "quota" (rate limiting) is enabled, but there is no policy defining how it should behave. The example below adds two rate-limiting rules:
- Rate limit any sender to no more than 20 emails every 60 seconds. Messages beyond this limit are deferred.
- Rate limit any @domain to receiving no more than 50 emails in a 60-second period. Messages beyond this rate are rejected.
As the zimbra user:
- Create a file called rate-limit.sql with the following contents. If you are on ZCS8.0.4 or previous, remove the amavis_rules line. The sqlite_sequence values written here (and the QuotasID values 3 and 4 in the quotas_limits inserts) assume the default row counts shown in the "Table data for cbpolicyd" section; if policies have already been added, adjust them to match your database.
BEGIN TRANSACTION;
INSERT INTO "policies" (Name,Priority,Description) VALUES('Zimbra Rate Limit', 0, 'Zimbra Quota Policy');
DELETE FROM sqlite_sequence;
INSERT INTO "sqlite_sequence" VALUES('policies', 6);
INSERT INTO "sqlite_sequence" VALUES('policy_members', 6);
INSERT INTO "sqlite_sequence" VALUES('policy_groups', 2);
INSERT INTO "sqlite_sequence" VALUES('policy_group_members', 3);
INSERT INTO "sqlite_sequence" VALUES('quotas', 4);
INSERT INTO "sqlite_sequence" VALUES('quotas_limits', 5);
INSERT INTO "sqlite_sequence" VALUES('checkhelo_blacklist', 4);
INSERT INTO "sqlite_sequence" VALUES('amavis_rules', 1);
INSERT INTO "policy_members" (PolicyID,Source,Destination) VALUES(6, 'any', 'any');
INSERT INTO "quotas" (PolicyID,Name,Track,Period,Verdict,Data) VALUES (6, 'Sender:user@domain','Sender:user@domain', 60, 'DEFER', 'Deferring: Too many messages from sender in last 60');
INSERT INTO "quotas" (PolicyID,Name,Track,Period,Verdict) VALUES (6, 'Recipient:@domain', 'Recipient:@domain', 60, 'REJECT');
INSERT INTO "quotas_limits" (QuotasID,Type,CounterLimit) VALUES(3, 'MessageCount', 20);
INSERT INTO "quotas_limits" (QuotasID,Type,CounterLimit) VALUES(4, 'MessageCount', 50);
COMMIT;
- Import the rules into cbpolicyd:
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb < rate-limit.sql
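The following Python script is an added example, not part of the wiki page or the cbpolicyd project. It serves both the quotas/quotas_limits walkthrough above and the rate-limit.sql import: it builds a constructed in-memory SQLite copy of the four tables with only the columns the page names (the trailing columns the page shows as "0||0" are left out, an assumption for brevity), creates the same "Zimbra Rate Limit" policy, and shows the join through QuotasID that the section explains. Instead of pre-setting sqlite_sequence it lets SQLite assign IDs via lastrowid, and the hypothetical dangling_limits() helper is the check worth running after importing a hand-written rate-limit.sql.

```python
import sqlite3
# Constructed, simplified schema: only the columns the wiki page names
# (assumption: the real cbpolicyd tables carry additional trailing columns).
SCHEMA = """
CREATE TABLE policies (ID INTEGER PRIMARY KEY AUTOINCREMENT, Name TEXT, Priority INTEGER, Description TEXT);
CREATE TABLE policy_members (ID INTEGER PRIMARY KEY AUTOINCREMENT, PolicyID INTEGER, Source TEXT, Destination TEXT);
CREATE TABLE quotas (ID INTEGER PRIMARY KEY AUTOINCREMENT, PolicyID INTEGER, Name TEXT, Track TEXT, Period INTEGER, Verdict TEXT, Data TEXT);
CREATE TABLE quotas_limits (ID INTEGER PRIMARY KEY AUTOINCREMENT, QuotasID INTEGER, Type TEXT, CounterLimit INTEGER);
INSERT INTO quotas VALUES (1, 5, 'Recipient quotas', 'Recipient:user@domain', 3600, 'REJECT', NULL);
INSERT INTO quotas VALUES (2, 5, 'Quota on all /24s', 'SenderIP:/24', 3600, 'REJECT', NULL);
INSERT INTO quotas_limits VALUES (1, 1, 'MessageCount', 10);
INSERT INTO quotas_limits VALUES (2, 1, 'MessageCumulativeSize', 8000);
INSERT INTO quotas_limits VALUES (3, 2, 'MessageCount', 12);
"""

def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)  # the page's two default quotas and three limits
    return conn

def add_quota(conn, policy_id, name, track, period, verdict, data, limits):
    """Insert a quotas row and its quotas_limits rows. SQLite assigns the IDs (lastrowid),
    so the limits point at the right quota whatever sqlite_sequence currently holds."""
    quota_id = conn.execute("INSERT INTO quotas (PolicyID,Name,Track,Period,Verdict,Data) VALUES (?,?,?,?,?,?)",
                            (policy_id, name, track, period, verdict, data)).lastrowid
    for counter, limit in limits:
        conn.execute("INSERT INTO quotas_limits (QuotasID,Type,CounterLimit) VALUES (?,?,?)", (quota_id, counter, limit))
    return quota_id

def add_rate_limit_policy(conn):
    """The page's 'Zimbra Rate Limit' policy: DEFER a sender above 20 msgs/60 s,
    REJECT a recipient domain above 50 msgs/60 s. Returns the new policy ID."""
    pid = conn.execute("INSERT INTO policies (Name,Priority,Description) VALUES (?,?,?)",
                       ("Zimbra Rate Limit", 0, "Zimbra Quota Policy")).lastrowid
    conn.execute("INSERT INTO policy_members (PolicyID,Source,Destination) VALUES (?,?,?)", (pid, "any", "any"))
    add_quota(conn, pid, "Sender:user@domain", "Sender:user@domain", 60, "DEFER",
              "Deferring: Too many messages from sender in last 60", [("MessageCount", 20)])
    add_quota(conn, pid, "Recipient:@domain", "Recipient:@domain", 60, "REJECT", None, [("MessageCount", 50)])
    conn.commit()
    return pid

def effective_limits(conn):
    """(track, period, verdict, counter, limit) per limit row, joined through QuotasID -> quotas.ID."""
    return conn.execute("""SELECT q.Track, q.Period, q.Verdict, l.Type, l.CounterLimit FROM quotas_limits l
                           JOIN quotas q ON q.ID = l.QuotasID ORDER BY l.ID""").fetchall()

def dangling_limits(conn):
    """quotas_limits rows whose QuotasID matches no quotas row: the symptom of a wrong hardcoded ID."""
    return conn.execute("""SELECT l.ID, l.QuotasID FROM quotas_limits l
                           LEFT JOIN quotas q ON q.ID = l.QuotasID WHERE q.ID IS NULL""").fetchall()
```

Pointing open_db() at a copy of cbpolicyd.sqlitedb (assumed path, with the real schema) and calling effective_limits() and dangling_limits() gives the same report against a live database.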
Database cleanup for cbpolicyd
Old and outdated entries are not automatically purged from cbpolicyd's database (thanks to Cine @ Zextras for noting this). A tool called "cbpadmin" is provided to take care of this operation, so one may wish to schedule a cron job on the MTAs to run it:
35 3 * * * /opt/zimbra/cbpolicyd/bin/cbpadmin --config=/opt/zimbra/conf/cbpolicyd.conf --cleanup >/dev/null
Disabling cbpolicyd
Disabling cbpolicyd is as simple as removing it as an enabled service:
- zmprov ms <mta server> -zimbraServiceEnabled cbpolicyd
This will trigger zmconfigd to rewrite the postfix configuration and shut down cbpolicyd.
See Also
Detailed cbpolicyd for zimbra information