Zimbra :: Tech Center:Cluebringer Policy Daemon

Revision as of 16:16, 20 September 2006 by Bobby (talk | contribs)

Policyd is an anti-spam policy daemon for Postfix (written in C) that does greylisting, sender-based throttling (by envelope, SASL or host/IP, on messages and/or volume per defined time unit), recipient rate limiting, spamtrap monitoring/blacklisting, HELO auto-blacklisting and HELO randomization prevention.

It's a great addition to a Zimbra installation.

The following instructions were tried on a Debian install of Zimbra, though they should work roughly the same on other distros as well.

You can install postfix-policyd from source, or as a package. In Debian it's as simple as:

root# apt-get install postfix-policyd

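Since policyd needs a MySQL database, you can use the Zimbra packaged version of MySQL. You will likely have to install the policyd database manually as a result. The password in the GRANT statement is only an example; pick your own and set the same value in the policyd configuration file.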

root# su - zimbra
zimbra$ mysqladmin create policyd
zimbra$ mysql
GRANT ALL PRIVILEGES ON `policyd`.* TO `postfix`@`localhost` IDENTIFIED BY 'p0stf1x';
quit
zimbra$ mysql policyd < DATABASE.mysql

There may also be a couple of extra SQL files which can be loaded at this time. These will give your whitelist and HELO blacklist a bit of a head start.

root# su - zimbra
zimbra$ mysql policyd < whitelist.sql
zimbra$ mysql policyd < blacklist_helo.sql

Now edit the policyd configuration file (/etc/postfix-policyd.conf on Debian) to suit your tastes. It should be well documented and pretty easy to understand.

At this point you should restart the policyd daemon.

root# /etc/init.d/postfix-policyd restart

Now you need to tell the zimbra MTA (postfix) to use policyd.

First you need to hack the zimbra recipient restrictions file for postfix. Apply this patch to /opt/zimbra/conf/postfix_recipient_restrictions.cf

--- /opt/zimbra/conf/postfix_recipient_restrictions.cf-orig     2006-05-22 19:21:01.000000000 -0400
+++ /opt/zimbra/conf/postfix_recipient_restrictions.cf  2006-05-22 19:04:43.000000000 -0400
@@ -15,5 +15,6 @@
 %%contains VAR:zimbraMtaRestriction reject_rbl_client dnsbl.sorbs.net%%
 %%contains VAR:zimbraMtaRestriction reject_rbl_client sbl.spamhaus.org%%
 %%contains VAR:zimbraMtaRestriction reject_rbl_client relays.mail-abuse.org%%
+%%contains VAR:zimbraMtaRestriction check_policy_service inet:127.0.0.1:10031%%
 reject_unauth_destination
 permit
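
Review bot: the added check_policy_service line sits above reject_unauth_destination, so the policy daemon is consulted before relay attempts are refused. Postfix's policy delegation documentation says to specify check_policy_service after reject_unauth_destination, since an OK-style answer from the policy service would otherwise accept mail for destinations this server should not relay to. Suggest moving the new line to just below reject_unauth_destination and above permit, which also keeps relay probes from generating policyd lookups and greylist rows.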

Save the above to a file, and then do the following:

root# patch -p0 -s < file.patch

Now as the zimbra user, update zimbraMtaRestriction. I've added all the other restrictions that Zimbra suggests to add as well, including several Realtime Blackhole Lists (RBL). The important one is at the end.

root# su - zimbra
zimbra$ zmprov mcf zimbraMtaRestriction reject_invalid_hostname \
zimbraMtaRestriction reject_non_fqdn_hostname \
zimbraMtaRestriction reject_non_fqdn_sender \
zimbraMtaRestriction "reject_rbl_client dnsbl.njabl.org" \
zimbraMtaRestriction "reject_rbl_client opm.blitzed.org" \
zimbraMtaRestriction "reject_rbl_client relays.ordb.org" \
zimbraMtaRestriction "reject_rbl_client cbl.abuseat.org" \
zimbraMtaRestriction "reject_rbl_client bl.spamcop.net" \
zimbraMtaRestriction "check_policy_service inet:127.0.0.1:10031"

Now restart zimbra, and it should all just work!

root# su - zimbra
zimbra$ zmcontrol stop
zimbra$ zmcontrol start

Good luck, and enjoy.
