How To Install PolicyD on Zimbra 8.5

Posted by

What is Policyd?

Policyd is an anti spam plugin. Policyd have some module like quotas, access control, spf check, greylisting and others.

Zimbra Collaboration Suite is an email server who use Postfix as engine for MTA. By default, policyd have been bundled with Zimbra from Zimbra version 7.

Why we must use Policyd?

Policyd have module quotas. This module can use for limit sending/receipt email. As example just allow sending/receipt email 200 emails/hours/users. If your email server attacked by spam or compromised password some users and used by spammer, the maximum email can be sent as many as 200 emails per hour. This policy will safe your IP public from blacklist on RBL. Besides, you can check who user send email with many email

How To Install Policyd on Zimbra 8.5?

This guidance is step by step how to install policyd on Zimbra 8.5 and latest

# Activate Policyd

su - zimbra
zmprov ms `zmhostname` +zimbraServiceInstalled cbpolicyd +zimbraServiceEnabled cbpolicyd

# Activate Policyd WebUI

– For Zimbra 8.5/8.6

Run the following command as root

cd /opt/zimbra/httpd/htdocs/
ln -s ../../cbpolicyd/share/webui .

Edit file /opt/zimbra/cbpolicyd/share/webui/includes/config.php and putting “#” on front of all the lines beginning with $DB_DSN and adding the following line just before the line beginning with $DB_USER.

$DB_DSN="sqlite:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb";

See the following example

#$DB_DSN="mysql:host=localhost;dbname=cluebringer";
$DB_DSN="sqlite:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb";
$DB_USER="root";

Update 18 May 2017

– For Zimbra 8.7.x/8.8.x

Run the following command as root

cd /opt/zimbra/data/httpd/htdocs/
ln -s /opt/zimbra/common/share/webui/ .

Edit file /opt/zimbra/common/share/webui/includes/config.php and putting “#” on front of all the lines beginning with $DB_DSN and adding the following line just before the line beginning with $DB_USER.

$DB_DSN="sqlite:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb";

See the following example

#$DB_DSN="mysql:host=localhost;dbname=cluebringer";
$DB_DSN="sqlite:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb";
$DB_USER="root";

Restart Zimbra service  and Zimbra Apache service

su - zimbra -c "zmcontrol restart"
su - zimbra -c "zmapachectl restart"

You can now access the Policyd Webui with browser at URL http://IPZimbra:7780/webui/index.php

Good luck and hopefully useful 😀

Let’s See the Video on Youtube

253 comments

  1. hi
    i am facing this error can you please guide me what is this :

    [2019/09/18-12:22:55 – 60713] [POLICIES] WARNING: [ID:2/Name:Default Outbound]: Error while processing source item ‘%internal_ips’, skipping…
    [2019/09/18-12:22:55 – 60713] [POLICIES] WARNING: [ID:3/Name:Default Inbound]=>(group:internal_ips): – Resolved source ” to a IP/CIDR specification, but its INVALID: awitpt::netip::new(96): Failed to guess IP address version
    [2019/09/18-12:22:55 – 60713] [POLICIES] WARNING: [ID:3/Name:Default Inbound]: Error while processing source item ‘!%internal_ips’, skipping…
    [2019/09/18-12:22:55 – 60713] [POLICIES] WARNING: [ID:4/Name:Default Internal]=>(group:internal_ips): – Resolved source ” to a IP/CIDR specification, but its INVALID: awitpt::netip::new(96): Failed to guess IP address version
    [2019/09/18-12:22:55 – 60713] [POLICIES] WARNING: [ID:4/Name:Default Internal]: Error while processing source item ‘%internal_ips’, skipping…
    [2019/09/18-12:22:55 – 60713] [CBPOLICYD] INFO: Got request #21 (pipelined)
    [2019/09/18-12:22:55 – 60713] [CORE] INFO: module=Quotas, mode=update, host=202.63.219.8, helo=mail2.hbfcl.com, from=hbl.estatement@hbl.com, to=rashid.ahmed@hbfc.com.pk, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:hbl.estatement@hbl.com, counter=MessageCount, quota=4.93/1000 (0.5%)
    [2019/09/18-12:22:55 – 60713] [POLICIES] WARNING: [ID:2/Name:Default Outbound]=>(group:internal_ips): – Resolved source ” to a IP/CIDR specification, but its INVALID: awitpt::netip::new(96): Failed to guess IP address version
    [2019/09/18-12:22:55 – 60713] [POLICIES] WARNING: [ID:2/Name:Default Outbound]: Error while processing source item ‘%internal_ips’, skipping…
    [2019/09/18-12:22:55 – 60713] [POLICIES] WARNING: [ID:3/Name:Default Inbound]=>(group:internal_ips): – Resolved source ” to a IP/CIDR specification, but its INVALID: awitpt::netip::new(96): Failed to guess IP address version
    [2019/09/18-12:22:55 – 60713] [POLICIES] WARNING: [ID:3/Name:Default Inbound]: Error while processing source item ‘!%internal_ips’, skipping…
    [2019/09/18-12:22:55 – 60713] [POLICIES] WARNING: [ID:4/Name:Default Internal]=>(group:internal_ips): – Resolved source ” to a IP/CIDR specification, but its INVALID: awitpt::netip::new(96): Failed to guess IP address version
    [2019/09/18-12:22:55 – 60713] [POLICIES] WARNING: [ID:4/Name:Default Internal]: Error while processing source item ‘%internal_ips’, skipping…
    [2019/09/18-12:22:55 – 60713] [CBPOLICYD] INFO: Got request #22 (pipelined)

  2. Hi Ahmad,

    Thank You for this very comprehensive guide. I was able to sucessfully implement it. I just have a question is it possible if I get a notification if an email is already using 50% of the allocated quota?

    Thank You.

  3. mas Iman, mohon bantuannya, cbpolicyd nya error spt ini :

    [TRACKING] ERROR: Failed to select session tracking info: awitpt::db::dblayer::DBSelect(126): Error executing select: database is locked

    cara memperbaikinya gimana yah mas ? awalnya sy ikutin tutorial mas iman di zimbra 8.6, working nicely,
    kemudian sy migrasi mail server sy dari sles11 zimbra 8.6 ke centos 7 , zimbra 8.8.15.

    tp untuk cbpolicyd nya error spt diatas,
    mohon pencerahan dari mas Iman,

    Terimakasih.

  4. Hello Sir,

    I have implemented policyd services with above procedure and thanks for that,
    my policyd services is not running and getting following error in cbpolicyd.log

    [2020/03/02-16:14:37 – 23524] [CORE] NOTICE: Process Backgrounded
    [2020/03/02-16:14:37 – 23524] [CBPOLICYD] NOTICE: PolicyD v2 / Cluebringer – v2.1.x-201205100639
    [2020/03/02-16:14:37 – 23524] [CBPOLICYD] NOTICE: Initializing system modules.
    [2020/03/02-16:14:37 – 23524] [CBPOLICYD] NOTICE: System modules initialized.
    [2020/03/02-16:14:37 – 23524] [CBPOLICYD] NOTICE: Module load started…
    [2020/03/02-16:14:37 – 23524] [CORE] NOTICE: => AccessControl: disabled
    [2020/03/02-16:14:37 – 23524] [CORE] NOTICE: => Accounting: disabled
    [2020/03/02-16:14:37 – 23524] [CORE] NOTICE: => Amavis: disabled
    [2020/03/02-16:14:37 – 23524] [CORE] NOTICE: => CheckHelo: disabled
    [2020/03/02-16:14:37 – 23524] [CORE] NOTICE: => CheckSPF: disabled
    [2020/03/02-16:14:37 – 23524] [CORE] NOTICE: => Greylisting: disabled
    [2020/03/02-16:14:37 – 23524] [CORE] NOTICE: => Quotas: enabled
    [2020/03/02-16:14:37 – 23524] [CORE] NOTICE: => Protocol(Postfix): enabled
    [2020/03/02-16:14:37 – 23524] [CBPOLICYD] NOTICE: Module load done.
    [2020/03/02-16:14:37 – 23524] [CBPOLICYD] NOTICE: Session tracking is ENABLED.
    [2020/03/02-16:14:37 – 23524] [CORE] NOTICE: 2020/03/02-16:14:37 cbp (type Net::Server::PreFork) starting! pid(23524)
    [2020/03/02-16:14:37 – 23524] [CORE] NOTICE: Resolved [localhost]:10031 to [127.0.0.1]:10031, IPv4
    [2020/03/02-16:14:37 – 23524] [CORE] NOTICE: Binding to TCP port 10031 on host 127.0.0.1 with IPv4
    [2020/03/02-16:14:37 – 23524] [CORE] NOTICE: Setting gid to “982 982”
    [2020/03/02-16:14:37 – 23524] [CORE] INFO: Setting up serialization via flock
    [2020/03/02-16:14:37 – 23524] [CORE] INFO: Beginning prefork (4 processes)
    [2020/03/02-16:14:37 – 23524] [CORE] INFO: Starting “4” children
    [2020/03/02-16:14:37 – 23526] [CORE] ERROR: 2020/03/02-16:14:37 Couldn’t open lock file “./XK_T_QrltO”[Permission denied]
    at line 213 in file /opt/zimbra/common/lib/perl5/Net/Server/PreFork.pm
    [2020/03/02-16:14:37 – 23527] [CORE] ERROR: 2020/03/02-16:14:37 Couldn’t open lock file “./XK_T_QrltO”[Permission denied]
    at line 213 in file /opt/zimbra/common/lib/perl5/Net/Server/PreFork.pm
    [2020/03/02-16:14:37 – 23528] [CORE] ERROR: 2020/03/02-16:14:37 Couldn’t open lock file “./XK_T_QrltO”[Permission denied]
    at line 213 in file /opt/zimbra/common/lib/perl5/Net/Server/PreFork.pm
    [2020/03/02-16:14:37 – 23524] [CORE] NOTICE: 2020/03/02-16:14:37 Server closing!

    1. Hi Sandip,
      Please try to stop Zimbra sevices and run fixperms

      su - zimbra -c 'zmcontrol stop'
      /opt/zimbra/libexec/zmfixperms -e -v
      
  5. Iman: hi! Great manual, i hardly wait to use it. But before doing modification (just don’t wanna break something) i just wannt to ask you if i can apply your manual to FOSS (community version of Zimbra) or it is only for commercial version of Zimbra? I still use Zimbra 8.5.1 FOSS (community) edition and would like to apply your manual on it.

    Thank you!

  6. Hi,
    Can we add sender bcc in policyd? I’ve created a group in policyd, if members in the group sends email then a copy of that email should send to manager ID. Kindly check and advice.

  7. very helpful guide, I’ve installed cbpolicyd, the service is running but I can’t access the webui, I get a 404 error on zimbra 8.8.15

    1. Hi Cliff,
      Please make sure you can access Zimbra Apache first on port 7780 (http://ipzimbra:7780). If it appears it works, the Zimbra Apache services already running. Then, you can check step by step to enable PolicyD WebUI

  8. mas iman saya pas su – zimbra disuruh masukin password, nah saya tidak tau harus menggunakan password yg mana yah? soalnya pake password adminnya gamasuk. mohon pencerahanya yah mas

    1. Hi mas Rizal,
      Pastikan ketika melakukan su – zimbra, posisinya sedang login sebagai user ROOT. Untuk cek user yang sedang digunakan apa, bisa dicek dengan perintah id. Jika sudah sebagai user Zimbra, tidak perlu lagi untuk menjalankan perintah su – zimbra

  9. Hello and thank you for the comprehensive guide. I followed you steps but the policy does not seem to be working. Any suggestions?

  10. Hi
    I have a problem after the installation.
    I tried to configure the policy group but it data doesnt appear after I add and submit it. I
    Its a completely blank page
    Thanks,

  11. Hi Imanudin
    I am having some serious issue with cbpolicyd. I have sucessfully installed and configured cbpolicyd in my zimbra server. Everything was working normal and policy was also working. Then after we upgraded our zimbra to 8.8.15. Then after we started having problem with cbpolicyd. When cbpolicyd is enabled mails start queuing up in the mail queue after which zimbra users cannot even send mail. There is only one policy in the cbpolicy to block a particular domain.
    We have already optimized the cbpolicyd as mentioned in
    https://wiki.zimbra.com/wiki/How-to_for_cbpolicyd (performance tuning)
    Yes our mail server is large serving around 1700 mail accounts.
    Resources of server is 10 core , 32GB RAM
    We were not experiencing the problem before on zimbra 8.8.10 with same number of users and same server.
    We also tried creating new db cbpolicyd.sqlitedb. But also same result.
    Is it that cbpolicy is not able to handle the flow of emails of 1700 users? But it was working fine in 8.8.10.
    Does anybody have any idea how can I get cbpolicy working. When error occurs there error log also shows that the databased is locked.

    1. Hi,
      I recommend you to use multi server if have users 1700. With 32 GB of RAM, you can create 1 LDAP, 1 Mailbox, 1 mta+proxy and 1 mta server. The single MTA can be configured as incoming/outgoing email. Below are the details

      LDAP : 4 GB
      MBOX : 12 GB
      Proxy : 8 GB
      MTA : 6 GB
      

      Then, cbpolicyd can be installed and configured on MTA server. For internal MTA, you can use proxy+mta

      1. Thanks Imanudin I will try to work on it. But at current situation I cannot bring my zimbra mail server down. Are there any other temporary fixes to make cbpolicyd working.

          1. Already configured to high volume servers. No luck.
            cbpolicyd_min_servers=8
            cbpolicyd_min_spare_servers=8
            cbpolicyd_max_spare_servers=16
            cbpolicyd_max_servers=64
            cbpolicyd_max_requests=1000

          2. Please use this command

            zmprov ms `zmhostname` zimbraCBPolicydMinServers 8
            zmprov ms `zmhostname` zimbraCBPolicydMinSpareServers 8
            zmprov ms `zmhostname` zimbraCBPolicydMaxSpareServers 16
            zmprov ms `zmhostname` zimbraCBPolicydMaxServers 64
            zmprov ms `zmhostname` zimbraCBPolicydMaxRequests 1000
            
    2. Tried you given commands but no luck. I am now trying to change cbpolicyd sqlite db to mysql . Hope this will help.

  12. I am stuck in web ui saying error connecting to database. I have uploaded the sqlite db to mysql. Configured backend connection for database in /opt/zimbra/common/share/webui/includes/config.php . Also defined database connection in /opt/zimbra/conf/cbpolicyd.conf. Done on the basis of following links
    https://apuntestuxianos.blogspot.com/2015/06/cbpolicyd-en-zimbra.html
    https://computingforgeeks.com/install-cbpolicyd-on-centos-7/

    Tried installing php-pdo module to fix the connection.

      1. No I was unable to use MySQL database in cbpolicyd. I will be extremely grateful if you could create a tutorial on installing cbpolicyd on MySQL i.e. changing from default SQLite.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.