Zimbra :: Tech Center:Cluebringer Policy Daemon

Revision as of 23:38, 24 June 2013 by Quanah (talk | contribs)
Admin Article

Article Information

This article applies to the following ZCS versions.

ZCS 8.0, ZCS 7.0

Postfix Cluebringer Policyd in Zimbra

Policyd is an anti-spam policy daemon for Postfix (written in C) that does greylisting, sender-based (envelope, SASL, or host/IP) throttling (on messages and/or volume per defined time unit), recipient rate limiting, spamtrap monitoring/blacklisting, HELO auto-blacklisting, and HELO randomization prevention.

It is included as a part of the Zimbra package, but it is not enabled by default.

Enabling policyd

First, ensure sqlite is installed (it is listed as a suggested install).

To enable policyd, simply tell the Zimbra installation you want it enabled:

zmprov ms <mta server> +zimbraServiceEnabled cbpolicyd

After 1 to 2 minutes the zmconfigd process will detect that you want this service enabled, and automatically install the database and start the service.

Localconfig keys related to policyd

  • cbpolicyd_pid_file - location of PID file.
  • cbpolicyd_log_file - location of log file.
  • cbpolicyd_db_file - location of SQLite database
  • cbpolicyd_cache_file - location of cache
  • cbpolicyd_log_level - loglevel (default 3)
  • cbpolicyd_log_mail - Default is main. Log to policyd's main log mechanism, accepts NO args
  • cbpolicyd_log_detail - What detail of logging to provide. Default "modules"
  • cbpolicyd_bind_port - Bind port for cbpolicyd. default 10031
  • cbpolicyd_timeout - Timeout when talking to clients. Default 120 seconds. ZCS 7 and ZCS 8 releases before ZCS 8.0.4
  • cbpolicyd_timeout_idle - Idle timeout. Defaults to 1020 seconds. ZCS8.0.4 and higher
  • cbpolicyd_timeout_busy - Busy timeout. Defaults to 120 seconds. ZCS8.0.4 and higher
  • cbpolicyd_bypass_timeout - Bypass timeout. Defaults to 30 seconds.
  • cbpolicyd_bypass_mode - Bypass fail mode. Default is "tempfail"
  • cbpolicyd_module_accesscontrol - Enable Access Control module. Default 0 (disabled)
  • cbpolicyd_module_greylisting - Enable greylisting. Default 0 (disabled)
  • cbpolicyd_module_greylisting_training - If greylisting is enabled, whether or not to run in training mode. Default 0 (Do not run in training mode) ZCS8 only
  • cbpolicyd_module_greylisting_defer_msg - Message to give when deferring email. Default "Greylisting in effect, please come back later" ZCS8 only
  • cbpolicyd_module_greylisting_blacklist_msg - Message to give when client is on blacklist. Default "Greylisting in effect, sending server blacklisted" ZCS8 only
  • cbpolicyd_module_checkhelo - Enable checkhelo module. Default 0 (disabled)
  • cbpolicyd_module_checkspf - Enable CheckSPF module. Default 0 (disabled)
  • cbpolicyd_module_quotas - Enable Quotas module. Default 1 (enabled)
  • cbpolicyd_module_amavis - Enable amavis module. Default 0 (disabled) ZCS8.0.4 and higher.
  • cbpolicyd_module_accounting - Enable accounting module. Default 0 (disabled). ZCS8.0.4 and higher.

Example policy definitions via the command line

The following examples show how to implement various policies via the command line.

Defining a rate-limit (quota) with cbpolicyd

By default "quota" or "rate limiting" is enabled, but there is no policy defining how it should behave. The example below adds two policies:

  • Rate limit any sender from sending more than 20 emails every 60 seconds. Messages beyond this limit are deferred.
  • Rate limit any @domain from receiving more than 50 emails in a 60 second period. Messages beyond this rate are rejected.

First, create a file called rate-limit.sql with the following contents:

-- Policy 6 ('Zimbra'), applied to mail from any source to any destination.
BEGIN TRANSACTION;
INSERT INTO "policies" VALUES(6, 'Zimbra', 0, 'Zimbra QA Test Policy', 0);
-- Replace the AUTOINCREMENT counters with the values below.
DELETE FROM sqlite_sequence;
INSERT INTO "sqlite_sequence" VALUES('policies', 6);
INSERT INTO "sqlite_sequence" VALUES('policy_members', 6);
INSERT INTO "sqlite_sequence" VALUES('policy_groups', 2);
INSERT INTO "sqlite_sequence" VALUES('policy_group_members', 3);
INSERT INTO "sqlite_sequence" VALUES('quotas', 4);
INSERT INTO "sqlite_sequence" VALUES('quotas_limits', 5);
INSERT INTO "sqlite_sequence" VALUES('checkhelo_blacklist', 4);
INSERT INTO "policy_members" VALUES(6, 6, 'any', 'any', '', 0);
-- Quota 3: tracked per sender address over 60 seconds; DEFER when over the limit.
INSERT INTO "quotas" VALUES(3, 6, 'Sender:user@domain','Sender:user@domain', 60, 'DEFER', 'Deferring: Too many messages from sender in last 60', '', 0);
-- Quota 4: tracked per recipient domain over 60 seconds; REJECT when over the limit.
INSERT INTO "quotas" VALUES(4, 6, 'Recipient:@domain', 'Recipient:@domain', 60, 'REJECT', '', '', 0);
-- Limits: 20 messages for quota 3, 50 messages for quota 4.
INSERT INTO "quotas_limits" VALUES(4, 3, 'MessageCount', 20, '', 0);
INSERT INTO "quotas_limits" VALUES(5, 4, 'MessageCount', 50, '', 0);
COMMIT;
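
A pre-flight check for rate-limit.sql, as an added example that is not part of the original article or of Zimbra's tooling: it loads the policy rows into a scratch in-memory SQLite database and returns the limits that would actually be enforced, raising an error if the file does not parse. The table column names are an assumption modelled on the cluebringer quota tables, the embedded SQL leaves out the sqlite_sequence bookkeeping lines, and empty text fields are written as ''.

```python
import sqlite3

# Assumed minimal schema (column names are an assumption modelled on the
# cluebringer quota tables); the real tables are created by the Zimbra install.
SCHEMA = """
CREATE TABLE policies (ID INTEGER PRIMARY KEY AUTOINCREMENT, Name, Priority, Description, Disabled);
CREATE TABLE policy_members (ID INTEGER PRIMARY KEY AUTOINCREMENT, PolicyID, Source, Destination, Comment, Disabled);
CREATE TABLE quotas (ID INTEGER PRIMARY KEY AUTOINCREMENT, PolicyID, Name, Track, Period, Verdict, Data, Comment, Disabled);
CREATE TABLE quotas_limits (ID INTEGER PRIMARY KEY AUTOINCREMENT, QuotasID, Type, CounterLimit, Comment, Disabled);
"""

# Policy rows from rate-limit.sql, with empty text fields written as ''.
RATE_LIMIT_SQL = """
BEGIN TRANSACTION;
INSERT INTO "policies" VALUES(6, 'Zimbra', 0, 'Zimbra QA Test Policy', 0);
INSERT INTO "policy_members" VALUES(6, 6, 'any', 'any', '', 0);
INSERT INTO "quotas" VALUES(3, 6, 'Sender:user@domain','Sender:user@domain', 60, 'DEFER', 'Deferring: Too many messages from sender in last 60', '', 0);
INSERT INTO "quotas" VALUES(4, 6, 'Recipient:@domain', 'Recipient:@domain', 60, 'REJECT', '', '', 0);
INSERT INTO "quotas_limits" VALUES(4, 3, 'MessageCount', 20, '', 0);
INSERT INTO "quotas_limits" VALUES(5, 4, 'MessageCount', 50, '', 0);
COMMIT;
"""

def effective_limits(sql_text):
    """Load sql_text into a scratch in-memory database and return the enabled
    limits as (policy, track, period_s, verdict, type, limit) tuples.
    Raises sqlite3.Error if the file would not load cleanly."""
    db = sqlite3.connect(":memory:")
    try:
        db.executescript(SCHEMA)
        db.executescript(sql_text)
        # Only limits reachable from an enabled policy with an enabled member count.
        rows = db.execute("""
            SELECT p.Name, q.Track, q.Period, q.Verdict, l.Type, l.CounterLimit
            FROM quotas_limits l
            JOIN quotas q   ON q.ID = l.QuotasID
            JOIN policies p ON p.ID = q.PolicyID
            WHERE p.Disabled = 0 AND q.Disabled = 0 AND l.Disabled = 0
              AND EXISTS (SELECT 1 FROM policy_members m
                          WHERE m.PolicyID = p.ID AND m.Disabled = 0)
            ORDER BY l.ID""").fetchall()
    finally:
        db.close()
    return rows

if __name__ == "__main__":
    for row in effective_limits(RATE_LIMIT_SQL):
        print(row)
```

A limit row whose quota ID matches no quota is silently dropped from the result, so comparing the returned list with the intended policy also catches mis-numbered IDs.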

Database cleanup for cbpolicyd

Old and outdated entries are not automatically purged from CBPolicyd's database. Thanks to Cine @ Zextras for noting this. A tool called "cbpadmin" is provided to take care of this operation, so one may wish to schedule a cronjob on the MTAs to do this:

35 3 * * * /opt/zimbra/cbpolicyd/bin/cbpadmin --config=/opt/zimbra/conf/cbpolicyd.conf --cleanup >/dev/null

Disabling cbpolicyd

Disabling cbpolicyd is as simple as removing it as an enabled service:

  • zmprov ms <mta server> -zimbraServiceEnabled cbpolicyd

This will trigger zmconfigd to rewrite the postfix configuration and shut down cbpolicyd.

See Also

Detailed cbpolicyd for zimbra information

Verified Against: ZCS 8.0, ZCS 7.0
Date Created: 2/26/2013
Article ID: https://wiki.zimbra.com/index.php?title=Cluebringer_Policy_Daemon
Date Modified: 2013-06-24


