Zimbra :: Tech Center:Cluebringer Policy Daemon

Revision as of 07:49, 5 February 2009 by Elcorazon (talk | contribs)

Policyd is an anti-spam policy daemon for Postfix (written in C) that does greylisting, sender-based throttling (by envelope, SASL or host/IP, on messages and/or volume per defined time unit), recipient rate limiting, spamtrap monitoring/blacklisting, HELO auto-blacklisting and HELO randomization prevention.

It's a great addition to a Zimbra installation.

The following instructions were tried on a Debian install of Zimbra, though they should work roughly the same on other distros as well. (Confirmed on Ubuntu 8.10 without any problem.)

You can install postfix-policyd from source, or as a package. In Debian it's as simple as:

root# apt-get install postfix-policyd

Setup Database

If you have installed an additional system mysql-server (at least on Ubuntu), the installation routine asks for your database details and sets up the database fully automatically.

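If you want to use the Zimbra-packaged version of MySQL, you will have to create the policyd database manually with the commands below. The password in the GRANT statement is only an example: choose your own and set the same value in the policyd configuration. In that case you also have to add the following line to policyd.conf (or postfix-policyd.conf) to get it to work with the Zimbra MySQL server: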

MYSQLPORT=7306

root# su - zimbra
zimbra$ mysqladmin create policyd
zimbra$ mysql
GRANT ALL PRIVILEGES ON `policyd`.* TO `postfix`@`localhost` IDENTIFIED BY 'p0stf1x';
quit
zimbra$ mysql policyd < DATABASE.mysql

There may also be a couple of extra SQL files which can also be added at this time. These will give your whitelist and helo blacklist a bit of a head start.

root# su - zimbra
zimbra$ mysql policyd < whitelist.sql
zimbra$ mysql policyd < blacklist_helo.sql

Edit configuration

Now edit the policyd configuration file (/etc/postfix-policyd.conf on Debian) to suit your tastes. It should be well documented and pretty easy to understand.

At this point you should restart the policyd daemon.

root# /etc/init.d/postfix-policyd restart

Zimbra integration

Now you need to tell the Zimbra MTA (Postfix) to use policyd.

First you need to hack the Zimbra recipient restrictions file for Postfix. Add the following line to /opt/zimbra/conf/postfix_recipient_restrictions.cf (at the end of the %%contains list):

%%contains VAR:zimbraMtaRestriction check_policy_service inet:127.0.0.1:10031%%

Now as the zimbra user, update zimbraMtaRestriction. I've added all the other restrictions that Zimbra suggests to add as well, including several Realtime Blackhole Lists (RBL). The important one is at the end.

root# su - zimbra
zimbra$ zmprov mcf zimbraMtaRestriction reject_invalid_hostname \
zimbraMtaRestriction reject_non_fqdn_hostname \
zimbraMtaRestriction reject_non_fqdn_sender \
zimbraMtaRestriction "reject_rbl_client dnsbl.njabl.org" \
zimbraMtaRestriction "reject_rbl_client opm.blitzed.org" \
zimbraMtaRestriction "reject_rbl_client cbl.abuseat.org" \
zimbraMtaRestriction "reject_rbl_client bl.spamcop.net" \
zimbraMtaRestriction "check_policy_service inet:127.0.0.1:10031"

Now restart Zimbra, and it should all just work!

root# su - zimbra
zimbra$ zmmtactl stop
zimbra$ zmmtactl start
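
To confirm that policyd is actually answering on the inet:127.0.0.1:10031 endpoint configured above, you can speak the Postfix policy delegation protocol to it directly. The script below is an added example, not part of the original instructions or of policyd itself; the addresses and host names in SAMPLE are constructed test values.

```python
import socket

# Constructed sample values; the attribute names are those of the Postfix
# policy delegation protocol used by check_policy_service.
SAMPLE = {
    "request": "smtpd_access_policy",
    "protocol_state": "RCPT",
    "protocol_name": "ESMTP",
    "helo_name": "mail.example.org",
    "client_address": "192.0.2.10",
    "client_name": "mail.example.org",
    "sender": "probe@example.org",
    "recipient": "postmaster@example.com",
}


def build_request(attrs):
    """Serialize attributes as name=value lines ended by an empty line."""
    for name, value in attrs.items():
        if "\n" in name or "\n" in str(value) or "=" in name:
            raise ValueError("invalid attribute: %r" % name)
    return ("".join("%s=%s\n" % kv for kv in attrs.items()) + "\n").encode()


def parse_response(raw):
    """Return the action from a reply such as b'action=DUNNO\\n\\n'."""
    for line in raw.decode("utf-8", "replace").splitlines():
        if line.startswith("action="):
            return line[len("action="):].strip()
    raise ValueError("no action= line in policy reply")


def query_policy(attrs, host="127.0.0.1", port=10031, timeout=5.0):
    """Send one request to the policy daemon and return its action."""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        conn.sendall(build_request(attrs))
        reply = b""
        while b"\n\n" not in reply:
            chunk = conn.recv(4096)
            if not chunk:
                break
            reply += chunk
    return parse_response(reply)


if __name__ == "__main__":
    print("policyd answered:", query_policy(SAMPLE))
```

Run it on the mail server itself. With greylisting enabled, a deferral action for a first-seen sender/recipient/client combination is the expected answer, and the probe may leave an entry for the constructed triplet in the policyd database.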

Good luck, and enjoy.
