Zimbra :: Tech Center:Cluebringer Policy Daemon
Postfix Cluebringer Policyd in Zimbra
Policyd is an anti-spam policy daemon for Postfix that provides greylisting; sender-based throttling, keyed on the envelope sender, the SASL login or the sending host/IP and measured in messages and/or volume per defined time unit; recipient rate limiting; spamtrap monitoring and blacklisting; HELO auto-blacklisting; and prevention of HELO randomization. The version shipped with Zimbra is Policyd v2 ("Cluebringer", hence cbpolicyd), the Perl rewrite of the original C implementation.
It is included as part of the Zimbra package, but it is not enabled by default.
Enabling policyd
First ensure the sqlite3 command-line tool is installed (it is listed as a suggested install); the policy import below depends on it.
To enable policyd, simply tell the Zimbra installation you want it enabled:
zmprov ms <mta server> +zimbraServiceEnabled cbpolicyd
After 1 to 2 minutes the zmconfigd process will detect that you want this service enabled, install the database and start the service automatically. The daemon is tuned through the following local config keys (read and set with zmlocalconfig):
- cbpolicyd_pid_file - location of the PID file.
- cbpolicyd_log_file - location of the log file.
- cbpolicyd_db_file - location of the SQLite database.
- cbpolicyd_cache_file - location of the cache file.
- cbpolicyd_log_level - log level. Default 3.
- cbpolicyd_log_mail - where mail-related logging goes. Default "main", which logs to policyd's main log mechanism; takes no arguments.
- cbpolicyd_log_detail - what detail of logging to provide. Default "modules".
- cbpolicyd_bind_port - port on which cbpolicyd listens for Postfix policy requests. Default 10031.
- cbpolicyd_timeout - timeout when talking to clients. Default 120 seconds. ZCS 7 and ZCS 8 before 8.0.4.
- cbpolicyd_timeout_idle - idle timeout. Default 1020 seconds. ZCS 8.0.4 and later.
- cbpolicyd_timeout_busy - busy timeout. Default 120 seconds. ZCS 8.0.4 and later.
- cbpolicyd_bypass_timeout - how long a policy lookup may take before the bypass result is returned instead. Default 30 seconds.
- cbpolicyd_bypass_mode - what to answer when the bypass timeout is hit. Default "tempfail", which defers the message so nothing is accepted without a policy check; the alternative, "pass", accepts it unchecked (fail open).
- cbpolicyd_module_accesscontrol - enable the Access Control module. Default 0 (disabled).
- cbpolicyd_module_greylisting - enable greylisting. Default 0 (disabled).
- cbpolicyd_module_greylisting_training - if greylisting is enabled, whether to run it in training mode. Default 0 (not in training mode). ZCS 8 only.
- cbpolicyd_module_greylisting_defer_msg - message to give when deferring mail. Default "Greylisting in effect, please come back later". ZCS 8 only.
- cbpolicyd_module_greylisting_blacklist_msg - message to give when the client is on the blacklist. Default "Greylisting in effect, sending server blacklisted". ZCS 8 only.
- cbpolicyd_module_checkhelo - enable the CheckHELO module. Default 0 (disabled).
- cbpolicyd_module_checkspf - enable the CheckSPF module. Default 0 (disabled).
- cbpolicyd_module_quotas - enable the Quotas module. Default 1 (enabled).
- cbpolicyd_module_amavis - enable the amavis module. Default 0 (disabled). ZCS 8.0.4 and later.
- cbpolicyd_module_accounting - enable the Accounting module. Default 0 (disabled). ZCS 8.0.4 and later.
Table data for cbpolicyd
- Tables available in ZCS 8.0.5 and later (output of sqlite> .tables, listed in alphabetical order):
access_control  accounting  accounting_tracking  amavis_rules
checkhelo  checkhelo_blacklist  checkhelo_tracking  checkhelo_whitelist  checkspf
greylisting  greylisting_autoblacklist  greylisting_autowhitelist  greylisting_tracking  greylisting_whitelist
policies  policy_group_members  policy_groups  policy_members
quotas  quotas_limits  quotas_tracking  session_tracking
- Tables available in ZCS 8.0.4 and earlier (the accounting, accounting_tracking and amavis_rules tables are absent):
access_control
checkhelo  checkhelo_blacklist  checkhelo_tracking  checkhelo_whitelist  checkspf
greylisting  greylisting_autoblacklist  greylisting_autowhitelist  greylisting_tracking  greylisting_whitelist
policies  policy_group_members  policy_groups  policy_members
quotas  quotas_limits  quotas_tracking  session_tracking
Example policy definitions via the command line
The following example shows how to implement a policy via the command line.
Defining a rate-limit (quota) with cbpolicyd
By default the Quotas module ("rate limiting") is enabled (cbpolicyd_module_quotas=1), but the database contains no policy defining how it should behave. The example below adds one policy carrying two quotas:
- Rate limit any sender to 20 messages per 60 seconds. Messages beyond this limit are deferred (a temporary failure, so a legitimate sender simply retries).
- Rate limit any recipient @domain to 50 messages per 60 seconds. Messages beyond this rate are rejected.
As the zimbra user:
- Create a file called rate-limit.sql with the following contents:
BEGIN TRANSACTION;
INSERT INTO "policies" (Name,Priority,Description) VALUES('Zimbra Rate Limit', 0, 'Zimbra Quota Policy');
DELETE FROM sqlite_sequence;
INSERT INTO "sqlite_sequence" VALUES('policies', 6);
INSERT INTO "sqlite_sequence" VALUES('policy_members', 6);
INSERT INTO "sqlite_sequence" VALUES('policy_groups', 2);
INSERT INTO "sqlite_sequence" VALUES('policy_group_members', 3);
INSERT INTO "sqlite_sequence" VALUES('quotas', 4);
INSERT INTO "sqlite_sequence" VALUES('quotas_limits', 5);
INSERT INTO "sqlite_sequence" VALUES('checkhelo_blacklist', 4);
INSERT INTO "policy_members" (PolicyID,Source,Destination) VALUES(6, 'any', 'any');
INSERT INTO "quotas" (PolicyID,Name,Track,Period,Verdict,Data) VALUES (6, 'Sender:user@domain','Sender:user@domain', 60, 'DEFER', 'Deferring: Too many messages from sender in last 60');
INSERT INTO "quotas" (PolicyID,Name,Track,Period,Verdict) VALUES (6, 'Recipient:@domain', 'Recipient:@domain', 60, 'REJECT');
INSERT INTO "quotas_limits" (QuotasID,Type,CounterLimit) VALUES(3, 'MessageCount', 20);
INSERT INTO "quotas_limits" (QuotasID,Type,CounterLimit) VALUES(4, 'MessageCount', 50);
COMMIT;
- Import the rules into cbpolicyd:
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb < rate-limit.sql
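The file above only produces the intended rows when the database is in exactly the state the author's was in: it hard-codes PolicyID 6 and QuotasID 3 and 4 and rewrites sqlite_sequence by hand, so on a database whose policies or quotas tables already hold other rows the new quotas and limits end up attached to whatever rows happen to carry those IDs. The following is an added example, not the wiki's own file, that creates the same policy and limits but lets SQLite assign the IDs and chains them with last_insert_rowid() and lookups by name. It assumes the stock cbpolicyd schema, in which each of these tables has an AUTOINCREMENT integer primary key named ID (the sqlite_sequence rows above imply such a key), and uses only the column names that appear in the file above. It also goes one step beyond the page's two quotas with a third, keyed on the SASL login via Cluebringer's SASLUsername track and its MessageCumulativeSize limit type, neither of which appears in the page's file; the cap values are illustrative.

```sql
-- Added example (not the wiki's file): same policy as above, with row IDs
-- assigned by SQLite and chained, instead of hard-coded IDs and hand-edited
-- sqlite_sequence rows. Assumes the stock cbpolicyd schema, where each table
-- has an AUTOINCREMENT integer primary key named ID.
BEGIN TRANSACTION;

-- The policy itself, matched against every sender/recipient pair.
INSERT INTO policies (Name, Priority, Description)
    VALUES ('Zimbra Rate Limit', 0, 'Zimbra Quota Policy');
INSERT INTO policy_members (PolicyID, Source, Destination)
    VALUES (last_insert_rowid(), 'any', 'any');

-- Quota 1: at most 20 messages per envelope sender in any 60 s window.
-- The 21st is deferred (4xx), so a legitimate sender just retries later.
INSERT INTO quotas (PolicyID, Name, Track, Period, Verdict, Data)
    VALUES ((SELECT ID FROM policies WHERE Name = 'Zimbra Rate Limit'),
            'Sender:user@domain', 'Sender:user@domain', 60, 'DEFER',
            'Deferring: Too many messages from sender in last 60');
-- last_insert_rowid() is the quotas row just inserted.
INSERT INTO quotas_limits (QuotasID, Type, CounterLimit)
    VALUES (last_insert_rowid(), 'MessageCount', 20);

-- Quota 2: at most 50 messages per recipient domain per 60 s; excess rejected (5xx).
INSERT INTO quotas (PolicyID, Name, Track, Period, Verdict)
    VALUES ((SELECT ID FROM policies WHERE Name = 'Zimbra Rate Limit'),
            'Recipient:@domain', 'Recipient:@domain', 60, 'REJECT');
INSERT INTO quotas_limits (QuotasID, Type, CounterLimit)
    VALUES (last_insert_rowid(), 'MessageCount', 50);

-- Quota 3 (beyond the page's example): cap each SASL-authenticated account by
-- message count and by cumulative size per hour. Keyed on the login rather
-- than the From address, so a stolen mailbox password cannot evade it by
-- forging envelope senders. Two limits hang off one quota, so the second
-- INSERT must not use last_insert_rowid() (by then it names the first limit
-- row); look the quota up by name instead. Cap values are illustrative.
INSERT INTO quotas (PolicyID, Name, Track, Period, Verdict, Data)
    VALUES ((SELECT ID FROM policies WHERE Name = 'Zimbra Rate Limit'),
            'SASL account hourly cap', 'SASLUsername:username', 3600, 'DEFER',
            'Deferring: hourly sending cap reached for this account');
INSERT INTO quotas_limits (QuotasID, Type, CounterLimit)
    VALUES ((SELECT ID FROM quotas WHERE Name = 'SASL account hourly cap'),
            'MessageCount', 200);
INSERT INTO quotas_limits (QuotasID, Type, CounterLimit)
    VALUES ((SELECT ID FROM quotas WHERE Name = 'SASL account hourly cap'),
            'MessageCumulativeSize', 104857600);   -- 100 MiB per hour

COMMIT;

-- Check what cbpolicyd will actually enforce before trusting it with live mail:
-- one row per limit, with the track, period, verdict and counter it applies.
SELECT p.Name, q.Track, q.Period, q.Verdict, l.Type, l.CounterLimit
  FROM policies p
  JOIN quotas q        ON q.PolicyID = p.ID
  JOIN quotas_limits l ON l.QuotasID = q.ID
 WHERE p.Name = 'Zimbra Rate Limit';
```

Apply it the same way as the wiki's file, as the zimbra user: sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb < rate-limit.sql. Because the file is a single transaction, a failure anywhere (for example a typo in a column name) rolls back the whole policy rather than leaving a half-built one, and the closing SELECT shows the rows that were committed.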
Database cleanup for cbpolicyd
Old and outdated entries are not automatically purged from cbpolicyd's database. Thanks to Cine @ Zextras for noting this. The bundled "cbpadmin" tool takes care of this operation, so schedule it as a cron job on each MTA, in the zimbra user's crontab so that it can write to the database, for example:
35 3 * * * /opt/zimbra/cbpolicyd/bin/cbpadmin --config=/opt/zimbra/conf/cbpolicyd.conf --cleanup >/dev/null
Disabling cbpolicyd
Disabling cbpolicyd is as simple as removing it as an enabled service:
- zmprov ms <mta server> -zimbraServiceEnabled cbpolicyd
This will trigger zmconfigd to rewrite the postfix configuration and shut down cbpolicyd.
See Also
Detailed cbpolicyd for zimbra information