[http://policyd.sourceforge.net/ Policyd] is an anti-spam policy daemon for Postfix (written in C) that does greylisting, sender-based throttling (by envelope, SASL or host/IP, on messages and/or volume per defined time unit), recipient rate limiting, spamtrap monitoring/blacklisting, HELO auto-blacklisting and HELO randomization prevention.

It's a great addition to a Zimbra installation.

The following instructions were tried on a Debian install of Zimbra, though they should work roughly the same on other distros as well.

You can install postfix-policyd from source, or as a package. In Debian it's as simple as:

<code>
root# apt-get install postfix-policyd
</code>

Since policyd needs a MySQL database, you can use the Zimbra packaged version of MySQL. You will likely have to install the policyd database manually as a result.

<code>
root# su - zimbra
zimbra$ mysqladmin create policyd
zimbra$ mysql
mysql> GRANT ALL PRIVILEGES ON `policyd`.* TO `postfix`@`localhost` IDENTIFIED BY 'p0stf1x';
mysql> quit
zimbra$ mysql policyd < DATABASE.mysql
</code>

There may also be a couple of extra SQL files which can be loaded at this time. These will give your whitelist and HELO blacklist a bit of a head start.

<code>
root# su - zimbra
zimbra$ mysql policyd < whitelist.sql
zimbra$ mysql policyd < blacklist_helo.sql
</code>

Now edit the policyd configuration file (/etc/postfix-policyd.conf on Debian) to suit your tastes. It should be well documented and pretty easy to understand.

At this point you should restart the policyd daemon.

<code>
root# /etc/init.d/postfix-policyd restart
</code>

Now you need to tell the Zimbra MTA (Postfix) to use policyd.

First you need to hack the Zimbra recipient restrictions file for Postfix. Apply this patch to /opt/zimbra/conf/postfix_recipient_restrictions.cf

<code>
| --- /opt/zimbra/conf/postfix_recipient_restrictions.cf-orig 2006-05-22 19:21:01.000000000 -0400
| +++ /opt/zimbra/conf/postfix_recipient_restrictions.cf 2006-05-22 19:04:43.000000000 -0400
| @@ -15,5 +15,6 @@
| %%contains VAR:zimbraMtaRestriction reject_rbl_client dnsbl.sorbs.net%%
| %%contains VAR:zimbraMtaRestriction reject_rbl_client sbl.spamhaus.org%%
| %%contains VAR:zimbraMtaRestriction reject_rbl_client relays.mail-abuse.org%%
| +%%contains VAR:zimbraMtaRestriction check_policy_service inet:127.0.0.1:10031%%
| reject_unauth_destination
| permit
</code>

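Review bot: the added check_policy_service line sits above reject_unauth_destination, so policyd is consulted before the relay check has run. Postfix's SMTPD_POLICY_README says to specify check_policy_service after reject_unauth_destination, because an OK reply from the policy service would otherwise accept mail for any destination. Suggest moving the new "check_policy_service inet:127.0.0.1:10031" line so that it falls between reject_unauth_destination and permit. The file headers also show the -orig copy with a later timestamp (19:21:01) than the patched file (19:04:43), so it is worth regenerating the patch against the template actually installed before applying it.
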
Save the above to a file, and then do the following:

<code>
root# patch -p0 -s < file.patch
</code>

Now, as the zimbra user, update zimbraMtaRestriction. I've also added all the other restrictions that Zimbra suggests, including several Realtime Blackhole Lists (RBLs). The important one is at the end.

<code>
root# su - zimbra
zimbra$ zmprov mcf zimbraMtaRestriction reject_invalid_hostname \
    zimbraMtaRestriction reject_non_fqdn_hostname \
    zimbraMtaRestriction reject_non_fqdn_sender \
    zimbraMtaRestriction "reject_rbl_client dnsbl.njabl.org" \
    zimbraMtaRestriction "reject_rbl_client opm.blitzed.org" \
    zimbraMtaRestriction "reject_rbl_client relays.ordb.org" \
    zimbraMtaRestriction "reject_rbl_client cbl.abuseat.org" \
    zimbraMtaRestriction "reject_rbl_client bl.spamcop.net" \
    zimbraMtaRestriction "check_policy_service inet:127.0.0.1:10031"
</code>

Now restart Zimbra, and it should all just work!

<code>
root# su - zimbra
zimbra$ zmcontrol stop
zimbra$ zmcontrol start
</code>

Good luck, and enjoy.

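Once Zimbra is back up, it is worth confirming that the policyd lookup actually reached the rendered restriction list and where it sits relative to reject_unauth_destination, which Postfix's SMTPD_POLICY_README says should come first. The script below is an added example, not part of the original page or of Zimbra; the function name, the return codes and the sample strings are constructed for illustration, and reading the live value with `postconf -h smtpd_recipient_restrictions` is an assumption about your install.

```shell
#!/bin/sh
# Added example: check where the policyd lookup sits in a rendered
# smtpd_recipient_restrictions value. Pass the value as one string, e.g. the
# output of `postconf -h smtpd_recipient_restrictions` (assumed way to read it).
# Returns 0 = policyd entry found after reject_unauth_destination
#         1 = policyd entry not found
#         2 = found, but reject_unauth_destination is missing or comes later

POLICYD_ENDPOINT="inet:127.0.0.1:10031"   # endpoint used on this page

check_policyd_order() {
    # Postfix separates restrictions with commas and/or whitespace.
    set -f    # keep the shell from glob-expanding tokens while splitting
    set -- $(printf '%s' "$1" | tr ',\n\t' '   ')
    set +f
    pos=0; relay_pos=0; policy_pos=0; prev=""
    for tok in "$@"; do
        pos=$((pos + 1))
        if [ "$tok" = "reject_unauth_destination" ] && [ "$relay_pos" -eq 0 ]; then
            relay_pos=$pos
        fi
        if [ "$prev" = "check_policy_service" ] && [ "$tok" = "$POLICYD_ENDPOINT" ] \
            && [ "$policy_pos" -eq 0 ]; then
            policy_pos=$pos
        fi
        prev=$tok
    done
    if [ "$policy_pos" -eq 0 ]; then return 1; fi
    if [ "$relay_pos" -eq 0 ] || [ "$relay_pos" -gt "$policy_pos" ]; then return 2; fi
    return 0
}

# Constructed sample values (not captured from a real server).
SAMPLE_POLICY_FIRST="reject_non_fqdn_sender, reject_rbl_client bl.spamcop.net,
  check_policy_service inet:127.0.0.1:10031, reject_unauth_destination, permit"
SAMPLE_POLICY_LAST="reject_non_fqdn_sender, reject_rbl_client bl.spamcop.net,
  reject_unauth_destination, check_policy_service inet:127.0.0.1:10031, permit"
SAMPLE_NO_POLICY="reject_non_fqdn_sender, reject_unauth_destination, permit"

for sample in "$SAMPLE_POLICY_FIRST" "$SAMPLE_POLICY_LAST" "$SAMPLE_NO_POLICY"; do
    rc=0
    check_policyd_order "$sample" || rc=$?
    echo "result=$rc"
done
```
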
Which version of ZCS was this tested against?
Cfremon 23:03, 7 December 2009 (UTC)
I don't have a specific list of versions, but I have used it with every version of zcs I've used since 2006. I am currently using 5.0.13... I haven't upgraded very often this year it seems.
Behanw Fri, 18 Dec 2009 07:39:40 -0500