Difference between revisions of "Zimbra :: Tech Center talk:Cluebringer Policy Daemon"

(How to install policyd for postfix.)
 
Line 1: Line 1:
[http://policyd.sourceforge.net/ Policyd] is an anti-spam policy daemon for Postfix (written in C) that does Greylisting, Sender-(envelope, SASL or host / ip)-based throttling (on messages and/or volume per defined time unit), Recipient rate limiting, Spamtrap monitoring / blacklisting, HELO auto blacklisting and HELO randomization preventation.
 
  
It's a great addition to a Zimbra installation.
 
 
Since policyd needs a mysql database, you can use the zimbra packaged version of mysql.  You will likely have to install the policyd database manual as a result.
 
 
The following instructions were tried on a Debian install of zimbra.  Though it should work roughly the same on other  distros as well.
 
 
You can install postfix-policyd from source, or as a package.  In Debian it's as simple as:
 
 
<code>
 
root# apt-get install postfix-policyd
 
</code>
 
 
Since policyd needs a mysql database, you can use the zimbra packaged version of mysql.  You will likely have to install the policyd database manual as a result.
 
 
<code>
 
root# su - zimbra
 
zimbra$ mysqladmin create policyd
 
zimbra$ mysql
 
GRANT ALL PRIVILEGES ON `policyd`.* TO `postfix`@`localhost` IDENTIFIED BY 'p0stf1x';
 
quit
 
zimbra$ mysql policyd < DATABASE.mysql
 
</code>
 
 
There may also be a couple of extra SQL files which can also be added at this time.  These will give your whitelist and helo blacklist a bit of a head start.
 
 
<code>
 
root# su - zimbra
 
zimbra$ mysql policyd < whitelist.sql
 
zimbra$ mysql policyd < blacklist_helo.sql
 
</code>
 
 
Now edit the policyd configuration file (/etc/postfix-policyd.conf on Debian) to suit your tastes.  It should be well documented and pretty easy to understand.
 
 
At this point you should restart the policyd daemon.
 
 
<code>
 
root# /etc/init.d/postfix-policyd restart
 
</code>
 
 
Now you need to tell the zimbra MTA (postfix) to use policyd.
 
 
First you need to hack the zimbra recipient restrictions file for postfix.  Apply this patch to /opt/zimbra/conf/postfix_recipient_restrictions.cf
 
 
<code>
 
--- /opt/zimbra/conf/postfix_recipient_restrictions.cf-orig    2006-05-22 19:21:01.000000000 -0400
 
+++ /opt/zimbra/conf/postfix_recipient_restrictions.cf  2006-05-22 19:04:43.000000000 -0400
 
@@ -15,5 +15,6 @@
 
  %%contains VAR:zimbraMtaRestriction reject_rbl_client dnsbl.sorbs.net%%
 
  %%contains VAR:zimbraMtaRestriction reject_rbl_client sbl.spamhaus.org%%
 
  %%contains VAR:zimbraMtaRestriction reject_rbl_client relays.mail-abuse.org%%
 
+%%contains VAR:zimbraMtaRestriction check_policy_service inet:127.0.0.1:10031%%
 
  reject_unauth_destination
 
  permit
 
</code>
 
 
Save the above to a file, and then do the following:
 
<code>
 
root# patch -p0 -s < file.patch
 
</code>
 
 
Now as the zimbra user, update zimbraMtaRestriction.  I've added all the other restrictions that Zimbra suggests to add as well, including several Realtime Blackhole Lists (RBL).  The important one is at the end.
 
 
<code>
 
root# su - zimbra
 
zimbra$ zmprov mcf zimbraMtaRestriction reject_invalid_hostname zimbraMtaRestriction reject_non-fqdn_hostname zimbraMtaRestriction reject_non_fqdn_sender zimbraMtaRestriction "reject_rbl_client dnsbl.njabl.org" zimbraMtaRestriction "reject_rbl_client opm.blitzed.org" zimbraMtaRestriction "reject_rbl_client relays.ordb.org" zimbraMtaRestriction "reject_rbl_client cbl.abuseat.org"  zimbraMtaRestriction "reject_rbl_client bl.spamcop.net" zimbraMtaRestriction "check_policy_service inet:127.0.0.1:10031"
 
</code>
 
 
Now restart zimbra, and it should all just work!
 
 
<code>
 
root# su - zimbra
 
zimbra$ zmcontrol stop
 
zimbra$ zmcontrol start
 
</code>
 
 
Good luck, and enjoy.
 

Revision as of 02:06, 30 June 2006

Jump to: navigation, search