How To Install PolicyD on Zimbra 8.5

Home » Zimbra » How To Install PolicyD on Zimbra 8.5
Zimbra 120 Comments

What is Policyd?

Policyd is an anti spam plugin. Policyd have some module like quotas, access control, spf check, greylisting and others.

Zimbra Collaboration Suite is an email server who use Postfix as engine for MTA. By default, policyd have been bundled with Zimbra from Zimbra version 7.

Why we must use Policyd?

Policyd have module quotas. This module can use for limit sending/receipt email. As example just allow sending/receipt email 200 emails/hours/users. If your email server attacked by spam or compromised password some users and used by spammer, the maximum email can be sent as many as 200 emails per hour. This policy will safe your IP public from blacklist on RBL. Besides, you can check who user send email with many email

How To Install Policyd on Zimbra 8.5?

This guidance is step by step how to install policyd on Zimbra 8.5.

# Activate Policyd

su - zimbra
zmprov ms `zmhostname` +zimbraServiceInstalled cbpolicyd +zimbraServiceEnabled cbpolicyd

# Activate Policyd WebUI
Run the following command as root

cd /opt/zimbra/httpd/htdocs/ && ln -s ../../cbpolicyd/share/webui

Edit file /opt/zimbra/cbpolicyd/share/webui/includes/config.php and putting “#” on front of all the lines beginning with $DB_DSN and adding the following line just before the line beginning with $DB_USER.


See the following example


Restart Zimbra service  and Zimbra Apache service

su - zimbra -c "zmcontrol restart"
su - zimbra -c "zmapachectl restart"

You can now access the Policyd Webui with browser at URL http://IPZimbra:7780/webui/index.php

Good luck and hopefully useful 😀

Let’s See the Video on Youtube

120 thoughts on - How To Install PolicyD on Zimbra 8.5

  • […] If you have email server with domain, email server should be sending email to outside with domain, if not, then it should be rejected. This article, will describe step by step how to reject unlisted domain on Zimbra with Policyd. Assuming you have install and enable Policyd. If not, you can following this article to enable it : […]

  • Hi!

    I’m trying to use cbpolicy but I’m unable to create any accounting rule or to configure the Amavis integration (Array ( [0] => HY000 [1] => 1 [2] => no such table: amavis_rules )).

    Is it just me or this happens to you too?

    Release 8.5.0_GA_3042.RHEL6_64_20140828192109 RHEL6_64 NETWORK edition, Patch 8.5.0_P2.
    CentOS release 6.6 (Final)

    Thanks for your blog 🙂

  • Hi Sebastian,

    By default, no tables of module accounting. If you want to enable it, you can try this guidance :

    cd /opt/zimbra/cbpolicyd/share/database/
    ./convert-tsql sqlite accounting.tsql > /tmp/accounting.sql
    vi /tmp/accounting.sql

    Delete all lines starting with # (comment) and saved. Inject database to sqlite, enable CBPolicyD accounting module and restart CBPolicyD

    sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb < /tmp/accounting.sql zmprov ms `zmhostname` zimbraCBPolicydAccountingEnabled TRUE zmcbpolicydctl restart If you want enabled on amavis module, you can repeat again step of above

  • my system use Ubuntu server 12.04LTS with zimbra 8.50+latest patch. i’ve installed cbpolicyd according to this site provided.
    my problem is, sometime i have to restart cbpolicyd service because my zimbra log says : connect to Connection time out

    after restart with : zmcbpolicydctl restart , seems everything works fine, buat after that, in random time, zimbra log say : onnect to Connection time out ( again ) .

    my cbpolicyd config is :

    thanks in advanced

  • This is a great site and obviously very helpful for zimbra server. Please help me to enable all the module in policyd. and give an example to content filtering using Access control.

  • Hello,

    having a multi server install, with MTA on his own, no WEBUI, I installed the stock apache.
    (centos 7)
    yum -y install php httpd
    cd /var/www/html
    ln -s /opt/zimbra/cbpolicyd/share/webui
    systemctl start httpd
    systemctl enable httpd
    and bingo !!
    (care about SELINUX)

  • Error connecting to Policyd v2 DB: could not find driver

    After upgrading from 8.5 to 8.6 installed php-pdo but error
    PHP Warning: PHP Startup: Unable to load dynamic library ‘/usr/lib64/php/modules/’ – /usr/lib64/php/modules/ undefined symbol: compiler_globals in Unknown on line 0

    any idea about it

  • Hi Vikram,

    Please check file /opt/zimbra/cbpolicyd/share/webui/includes/config.php and make sure has been using DB like below :


  • Your step:

    zmprov mcf +zimbraMtaRestriction “check_policy_service inet:”

    is incorrect, and has no effect.

  • Thank you

    For your support I had configured zimbra mail server. when I am using same url for sending or receiving mails it’s working fine. but when I’m sending mail to other domain using zimbra mail are not getting send.

    My outgoing mails are not working on other domain like gmail, etc.

    plz help me out there for outgoing mail.

    • Hi Vikram,

      Please tracking status of sending email via zmmsgtrace. Example command :

      /opt/zimbra/libexec/zmmsgtrace -s sender -r recipient.

      Please send to me the result of above command

  • Hi Iman,

    Thanks for your nice guide. I have followed your guide and install CBPolicyd using your script but still my Zimbra server not greylisting in effect, can you please let me know what I can do next to enable greylisting. My server spec as below:

    OS: Ubuntu 14.04 LTS (Single server)
    Zimbra: 8.6 (p2) open source


    • Hi Russel,

      By default, CBPolicyD greylisting is disabled. Please try this command for enabled it

      zmprov ms zimbraCBPolicydGreylistingEnabled TRUE
      zmprov ms zimbraCBPolicydGreylistingTrainingEnabled TRUE

      Note : Please change with your hostname of Zimbra

  • I installed in my server (Centos 6.6) using those steps, and the Policyd allows me to configure it, but don’t check anything.

    With “zmcontrol status”, it says cbpolicyd is running, but through the Zimbra Admin interface it says cbpolicyd is not running.

    If I connect the policyd database, the rules I create in policyd web interface are there, but nothing apears in quotas_tracking, even with all configuration enabled.

    It appears that policyd is not receiving mail data do verify…

    Any suggestions?

  • I want to thank you for your excellent Article.
    I have installed Zimbra 8.6 OSE on CentOS7. Everything is running properly except 8443 port, POP & IMAP is not accessible from WAN. Guess I need to configure properly the Zimbra Proxy. Can you please help me in this regard.

    Thanks in advance.

    • Hi Suman,

      Please try to run the following command

      /opt/zimbra/libexec/zmproxyconfig -e -w -m -H `zmhostname`
      zmprov -l ms `zmhostname` zimbraMailReferMode reverse-proxied zimbraMailProxyPort 80 zimbraMailSSLProxyPort 443 zimbraReverseProxyHttpEnabled TRUE zimbraReverseProxyMailMode both zimbraImapBindPort 7143 zimbraImapProxyBindPort 143 zimbraImapSSLBindPort 7993 zimbraImapSSLProxyBindPort 993 zimbraPop3BindPort 7110 zimbraPop3ProxyBindPort 110 zimbraPop3SSLBindPort 7995 zimbraPop3SSLProxyBindPort 995 zimbraReverseProxyMailEnabled TRUE
      zmcontrol restart
  • Hello iman,
    I’m trying to change the performance settings in the file /opt/zimbra/conf/cbpolicyd.conf but when I restart the polycid the back standards.
    What am I doing wrong ? Thank you!

    • Hi Leonardo,

      All configuration should be configured by CLI. Please try this command to grep all parameters for modify Policyd

      zmprov gs | grep -i policyd

      After you got what you need, you can execute as the following example

      zmprov ms zimbraCBPolicydAccessControlEnabled TRUE

      In the above command, i want to enable PolicyD Access Control with parameter i found from grep command

  • hai mas imanuddin, is it posible to using policyD as content filter? for example if user send email but its containt some badwords, so zimbra automatically block or redirect email to admin?

    thanks before

  • thanks mas iman, but your article just for email external coming to our servers, or is it posible to filter email form our server to external, it means from our client to others mail server, so what the our client create email, and they want send to others external mail server can be filtered, for example our client email contents some badwords, so we must block this email or we must redirect this email to admin.. please your explain.. thanks before,.. or do you have solution for condition above… ?

    • Hi Thanh,

      If using Multi server, please install and configure in MTA Server. Please make sure while install MTA server choose also Zimbra Apache/Apache by system for PolicyD WebUI

  • Hi Iman,

    Thank you for your response. Other question : How to install and configure policyd if having 2 mta ?

    Many thanks,

  • Hi,
    Thank-you for the article.
    I`m configured as you write but it isn`t working.
    I`m using zimbraMtaRelayHost pointing to antispam (assp), do you think it coud be a problema?
    Thank-you again

  • Hi Iman, I messed up with the PolicyD DB ¿Exist a way to reset to default state the DB?

    Also in another MTA I Tried to enable policyD but the DB are empty. It’s a brand new MTA.

    Thanks in advance

  • Hi, Iman!
    Thank you.
    I have a question.. i’ve installed zimbra 8.6 and enable PolicyD.. it seems that everything is ok.. i can access a main page via http://ipserver:port/webui/policy-main.php.. when i’m trying to create new policy goups (quotas,ac.. etc) it creates.. but i don’t see them by the interface (web admin).. when i select from the bd through the terminal i see them.. can help me to solve it please

      • thanks for the attention Iman.. could you please give the cue how to add/insert the screenshot here? Or may be i’ll send a message by e-mail? but i don’t know your e-mail address(

      • recently i tried to disable/enable policyd.. now i get another problem.. i can’t access DB through the terminal.. it get message:
        sqlite> .tables
        Error: unable to open database “cbpolicyd.sqlitedb”: unable to open database file.
        When i try to create policy goups via Policyd Web Administration.. it seems it’s succesfully created.. but still i don’t see them on “http://ipserver:port/webui/policy-group-main.php” page.. if i try to create the same policy group i recieve message:
        “Failed to create policy group
        Array ( [0] => 23000 [1] => 19 [2] => column Name is not unique ) “..
        thanks in advance

        • the problem with:
          Error: unable to open database “cbpolicyd.sqlitedb”: unable to open database file
          is resolved. Before i disable/enable policyd i was using:
          sqlite3 cbpolicyd.sqlitedb
          and can work with DB.. now i can access DB with:
          sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb.
          and it works fine.
          i still can’t see any changes on “http://ipserver:port/webui/policy-group-main.php” page.. when add/delete policies

  • Hi,

    After following above guidelince for policyd configuration , My zimbra policyd webui interface not opening. even i have allow port 7780 in firewall. what should i do ? please help me.

    • Hi,

      Please try to check whether port 7780 already open in your server? you can check by the following command :

      netstat -atupn | grep -i 7780

      If you not see port 7780, please try to check Zimbra Apache services

      su - zimbra -c "zmapachectl status"
  • I have this problem, the page: http://myserverI:7780/webui/index.php

    opens, but none of the links work. I get this error:
    Error connecting to Policyd v2 DB: invalid data source name

    I have checked several times path to the DB file, and checked from sqlite3 CLI there is tables in DB but it just dont work.

    Any ideas?

    • Hi Damir,

      It seems strange to me :D. The problem indication that your path is not correct. Please give me configuration about your conf.

      Please check also my Video about configure PolicyD 😉

  • Terima kasih tuan. Alhamdulillah, ilmu yang tuan beri ini sungguh bermanfaat. Server saya tidak lagi overload sebab incoming SPF record sudah di setting. Load average 1.77, 1.51, 1.27

    Semoga Allah s.w.t memberi rezeki yang halal, di sihatkan tubuh badan dan di mudahkan segala urusan

    Dari Malaysia 🙂

    • Alhamdulillah Brother,

      Terima kasih atas doanya. Semoga Allah SWT memberi rezeki yang halal, di sihatkan tubuh badan dan di mudahkan segala urusan brother juga.

      Salam dari Indonesia

  • Hi, good article, it helped me but I have one question – can I setup cbpolicyd to send me an email notification when somebody achieves the quota ?

  • Hi thank you for sharing your zimbra expertise i followed all your zimbra instructions and successfully activate policyd on my servers one thing i notice is one of my servers become slow. and users when sending email to a save email addresses it bounce and get error messages but when i retype the email forget the save email address the email is sent.
    Also is policyd whitelist and blacklist is already activated or do i need to activate it first?

    thank you,

  • Policyd is new to me and i usually use default spam-assassin default config and just filter incoming mail on it. I also use rejecting email on smtp level. now that i configure policyd would you recommend to remove my other config and trust on policyd. because i notice the slowdown of the server when i activate policyd. can you help me on creating rules on whitelist and blacklist on policyd? or would you recommend a opensource spamserver and just disable the spam filtering on zimbra. thanks!

  • my server is zimbra 8.6.0 multi server environment so how to enable CB policy,SFP enable,DKIM enable etc….is there step by step guide please share….it will be help for me…

      • I am enable cbpolicy in MTA but ..
        this command not working due to apache is MBX server

        cd /opt/zimbra/httpd/htdocs/ && ln -s ../../cbpolicyd/share/webui

        my environment is
        1. LDAP Server

        ldap Running
        snmp Running
        stats Running
        zmconfigd Running)
        2. MBX Server

        Starting zmconfigd…Done.
        Starting logger…Done.
        Starting mailbox…Done.
        Starting snmp…Done.
        Starting spell…Done.
        Starting stats…Done.
        Starting service webapp…Done.
        Starting zimbra webapp…Done.
        Starting zimbraAdmin webapp…Done.
        Starting zimlet webapp…Done.

        3. MTA Server

        amavis Running
        antispam Running
        antivirus Running
        cbpolicyd Running
        memcached Running
        mta Running
        proxy Running
        snmp Running
        stats Running
        zmconfigd Running
        now i am confused how to enable cbplolicy and web admin console
        Advance thanks for reply…

        • Hi Rafiqul Islam,

          You can use Apache or something else from your Linux System. Don’t forget to adjust webui to refer into Document Root on Apache

  • Hi, I’ve got this problem when enable PolicyD:

    “403 Forbiden
    You don’t have permission to access /webui/index.php on this server.”

    My server is Centos 6.4, my zimbra 8.0.5

    • Hi Carl,

      This guidance not same as enable PolicyD in Zimbra 8.0.x. Please use this guidance

      su - zimbra
      zmprov ms `zmhostname` +zimbraServiceInstalled cbpolicyd +zimbraServiceEnabled cbpolicyd
      zmlocalconfig -e postfix_enable_smtpd_policyd=yes
      zmprov mcf +zimbraMtaRestriction "check_policy_service inet:"
      zmlocalconfig -e cbpolicyd_log_level=4; zmlocalconfig -e cbpolicyd_log_detail=modules,tracking,policies; zmlocalconfig -e cbpolicyd_module_accesscontrol=1 cbpolicyd_module_checkhelo=1 cbpolicyd_module_checkspf=1 cbpolicyd_module_greylisting=1 cbpolicyd_module_quotas=1
      zmcontrol restart
  • hi iman,

    how to Whitelist specific sender account using policyd?
    for example I want this sender

    I tried to whitelist senders email but the only option I have under Greylisting is sender IP.

    Appreciate your help..


  • Thanks Iman,

    I added the whitelist as a sender IP.

    I have another question.. My Network Consist of 3 Network

    10.10.10.x – DMZ where my zimbra server resides and have different Public IP/ISP provider
    192.168.2.xx/23- LAN – different Public IP provider –
    192.168.1.x/24 – LAN – different Public IP provider – example

    our IP in LAN was blacklisted and a lot of users can’t send email to other mail server specially gmail/yahoo..
    my email server public IP have a good reputation, how can I resolve and prevent this?

    here is my zimbra MTA
    [zimbra@mail sysadmin]$ postconf mynetworks
    mynetworks = [::1]/128 [fe80::]/64


    • Hello Ferjun,

      – Please make trusted network become 10.10.10.x/32 -> x is IP of your Zimbra
      – Block all connection port 25 from LAN to Internet and only allow from your Zimbra server

  • Hi,

    I not able to find httpd folder in ubuntu 14.04 and zimbra 8.7. Kindly guide to configure policyd. And i want to restrict user can send upto 10 email id at the time

  • Hello Iman,

    CBPolicyD GUI for Zimbra 8.7 why is not compatible?
    The script (for Zimbra 8.5) makes the instalation until the end, but I don’t have access with GUI.
    I can’t see the folder “cbpolicyd” under: /opt/zimbra/.
    Can You help me?

  • Hi Iman,

    Most of our email user encounter error below:

    450 4.7.1 : Sender address rejected: Access denied

    our zimbra have multidomain setup, when they send to multiple recipient this error occured..

    appreciate your help..

  • Hi Iman,
    when I run
    egrep ‘(reject|warning|error|fatal|panic):’ /var/log/zimbra.log

    i have a lot of warning can’t resolve to 111.55.XX.XX – is my public IP
    I follow your installation guide, using split DNS

    Aug 10 22:06:28 mail postfix/smtpd[11548]: warning: hostname does not resolve to address 111.55.XX.XX
    Aug 10 22:07:06 mail postfix/smtpd[12061]: warning: hostname does not resolve to address 111.55.XX.XX
    Aug 10 22:07:41 mail postfix/smtpd[8742]: warning: hostname does not resolve to address 1111.55.XX.XX
    Aug 10 22:09:09 mail postfix/smtpd[8742]: warning: hostname does not resolve to address 1111.55.XX.XX
    Aug 10 22:09:09 mail postfix/smtpd[11548]: warning: hostname does not resolve to address 1111.55.XX.XX
    Aug 10 22:09:24 mail postfix/smtpd[8742]: warning: hostname does not resolve to address 111.55.XX.XX
    Aug 10 22:10:24 mail postfix/smtpd[11548]: warning: hostname does not resolve to address 111.55.XX.XX


  • Hi Iman,

    [sysadmin@mail ~]$ cat /etc/resolv.conf
    # Generated by NetworkManager
    [sysadmin@mail ~]$ cat /etc/hosts
    # localhost localhost.localdomain localhost4 localhost4.localdomain4
    #::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 localhost mail

    [sysadmin@mail ~]$ nslookup


    we also experiencing very slow zimbra webmail..

    • Hello Ferjun,

      Your configuration has been good. Please try to change LMTP with run the following command :

      zmprov mcf zimbraMtaLmtpHostLookup native
  • hi iman,

    I already changed – lmtp_host_lookup = dns to lmtp_host_lookup = native , but still issue doesn’t resolve.

    I also having permission issue below..

    I tried to fix permission but does not resolve the issue. (run this twice)

    As “root” user:
    1) su – zimbra -c ‘zmcontrol stop’
    2) /opt/zimbra/libexec/zmfixperms -v -e
    3) su – zimbra -c ‘zmcontrol start’

    4 23:17:28 mail zmconfigd[21238]: Exception in bin/zmsaslauthdctl: (Cannot run program “/opt/zimbra/bin/zmsaslauthdctl” (in directory “/root”): error=13, Permission denied)
    Aug 14 23:17:28 mail zmconfigd[21238]: Exception in bin/zmmailboxdctl: (Cannot run program “/opt/zimbra/bin/zmmailboxdctl” (in directory “/root”): error=13, Permission denied)
    Aug 14 23:17:28 mail zmconfigd[21238]: Exception in bin/zmswatchctl: (Cannot run program “/opt/zimbra/bin/zmswatchctl” (in directory “/root”): error=13, Permission denied)
    Aug 14 23:17:28 mail zmconfigd[21238]: Exception in bin/zmspellctl: (Cannot run program “/opt/zimbra/bin/zmspellctl” (in directory “/root”): error=13, Permission denied)
    Aug 14 23:17:28 mail zmconfigd[21238]: Exception in bin/zmstatctl: (Cannot run program “/opt/zimbra/bin/zmstatctl” (in directory “/root”): error=13, Permission denied)
    Aug 14 23:17:28 mail zmconfigd[21238]: Exception in bin/zmmailboxdctl: (Cannot run program “/opt/zimbra/bin/zmmailboxdctl” (in directory “/root”): error=13, Permission denied)
    Aug 14 23:17:28 mail zmconfigd[21238]: Exception in bin/zmmailboxdctl: (Cannot run program “/opt/zimbra/bin/zmmailboxdctl” (in directory “/root”): error=13, Permission denied)
    Aug 14 23:17:28 mail zmconfigd[21238]: Exception in bin/zmmailboxdctl: (Cannot run program “/opt/zimbra/bin/zmmailboxdctl” (in directory “/root”): error=13, Permission denied)
    Aug 14 23:17:28 mail zmconfigd[21238]: Exception in bin/zmclamdctl: (Cannot run program “/opt/zimbra/bin/zmclamdctl” (in directory “/root”): error=13, Permission denied)

  • HI iman
    i installed zimbra 8.7 Open source edition on Cent Os 7 – 64 bit.. SIngle server
    Is there any way to Implement Policyd on this.

    A kind request,
    your help is needed

  • Hi iman
    The script (for Zimbra 8.5) makes the installation until the end, but I don’t have access with GUI.
    I can’t see the folder “cbpolicyd” under: /opt/zimbra/.

  • Fro Zimbra 8.7 using this link, and after finished you will get forbidden access but don’t worry, use this link
    to create protection but because it’s have different folder I will give my way below ;
    create .htpasswd

    cd /opt/zimbra/common/share/webui/
    vi .htaccess
    fill with the following lines
    view sourceprint?
    AuthUserFile /opt/zimbra/cbpolicyd/share/webui/.htpasswd
    AuthGroupFile /dev/null
    AuthName “User and Password”
    AuthType Basic

    require valid-user

    create htpasswd file, username and password
    view sourceprint?

    touch .htpasswd
    /opt/zimbra/common/bin/htpasswd -cb .htpasswd USERNAME PASSWORD <—– change with your user and password
    change username and password with username/password do you want. Edit httpd.conf Apache Zimbra
    view sourceprint?
    vi /opt/zimbra/conf/httpd.conf
    add the following configuration at the bottom
    view sourceprint?
    Alias /webui /opt/zimbra/common/share/webui/

    # Comment out the following 3 lines to make web ui accessible from anywhere
    AllowOverride AuthConfig
    Order Deny,Allow
    Allow from all

    Restart Apache Zimbra service
    view sourceprint?
    su – zimbra -c “zmapachectl restart”

    • Hello Kamal,

      Please perform the following command

      su - zimbra
      zmprov ms `zmhostname` -zimbraServiceInstalled cbpolicyd -zimbraServiceEnabled cbpolicyd
      zmcontrol restart