How To Install PolicyD on Zimbra 8.5


What is Policyd?

Policyd is an anti-spam plugin. It has modules such as quotas, access control, SPF check, greylisting and others.

Zimbra Collaboration Suite is an email server that uses Postfix as its MTA engine. Policyd has been bundled with Zimbra by default since Zimbra version 7.

Why must we use Policyd?

Policyd has a quotas module. This module can be used to limit sending/receiving email, for example allowing each user to send/receive only 200 emails per hour. If your email server is attacked by spam, or some users' passwords are compromised and used by a spammer, at most 200 emails per hour can be sent. This policy will keep your public IP from being blacklisted on RBLs. Besides, you can check which users send a large number of emails.
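As an added example (not part of the original post), the per-user hourly figure above can also be checked from the Postfix log, independently of Policyd. The function name `flag_senders` and the sample log lines are constructed for illustration; it counts one message per `sasl_username=` line that Postfix smtpd writes for an authenticated submission.

```sh
#!/bin/sh
# Added example. flag_senders LIMIT LOGFILE prints "MON DAY HH:00 USER COUNT"
# for each authenticated sender that queued more than LIMIT messages within
# one clock hour. Counts messages, not recipients.
flag_senders() {
    awk -v limit="$1" '
        /postfix\/.*smtpd\[/ && /sasl_username=/ {
            hour = $1 " " $2 " " substr($3, 1, 2)   # e.g. "Aug 10 22"
            user = $0
            sub(/.*sasl_username=/, "", user)        # drop everything before the name
            sub(/[, ].*/, "", user)                  # drop anything after it
            n[hour, user]++
        }
        END {
            for (k in n) if (n[k] > limit) {
                split(k, p, SUBSEP)
                print p[1] ":00", p[2], n[k]
            }
        }
    ' "$2" | sort
}

# Constructed sample log (not from a real server): alice queues 3 messages in
# the 22:00 hour and 1 in the 23:00 hour, bob queues 1.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
Aug 10 22:06:28 mail postfix/smtpd[11548]: 3A1B2C4D5E: client=pc1.example.com[10.10.10.21], sasl_method=LOGIN, sasl_username=alice@example.com
Aug 10 22:07:06 mail postfix/smtpd[12061]: 4B2C3D5E6F: client=pc1.example.com[10.10.10.21], sasl_method=LOGIN, sasl_username=alice@example.com
Aug 10 22:09:09 mail postfix/smtpd[8742]: 5C3D4E6F70: client=pc2.example.com[10.10.10.22], sasl_method=PLAIN, sasl_username=bob@example.com
Aug 10 22:41:10 mail postfix/smtpd[8742]: 6D4E5F7081: client=pc1.example.com[10.10.10.21], sasl_method=LOGIN, sasl_username=alice@example.com
Aug 10 23:02:00 mail postfix/smtpd[8742]: 7E5F608192: client=pc1.example.com[10.10.10.21], sasl_method=LOGIN, sasl_username=alice@example.com
Aug 10 23:02:01 mail postfix/smtpd[8742]: warning: hostname mail.example.com does not resolve to address 10.10.10.21
EOF

# Limit lowered to 2 so the small sample triggers; the article's figure is 200.
flag_senders 2 "$sample_log"
```

On a live server the second argument would be /var/log/zimbra.log with a limit of 200.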

How To Install Policyd on Zimbra 8.5?

This guide shows, step by step, how to install Policyd on Zimbra 8.5.

# Activate Policyd

su - zimbra
zmprov ms `zmhostname` +zimbraServiceInstalled cbpolicyd +zimbraServiceEnabled cbpolicyd

# Activate Policyd WebUI

– For Zimbra 8.5/8.6

Run the following command as root

cd /opt/zimbra/httpd/htdocs/
ln -s ../../cbpolicyd/share/webui .

Edit the file /opt/zimbra/cbpolicyd/share/webui/includes/config.php: put “#” in front of all the lines beginning with $DB_DSN and add the following line just before the line beginning with $DB_USER.

$DB_DSN="sqlite:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb";

See the following example

#$DB_DSN="mysql:host=localhost;dbname=cluebringer";
$DB_DSN="sqlite:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb";
$DB_USER="root";

Update 18 May 2017

– For Zimbra 8.7.x

Run the following command as root

cd /opt/zimbra/data/httpd/htdocs/
ln -s /opt/zimbra/common/share/webui/ .

Edit the file /opt/zimbra/common/share/webui/includes/config.php: put “#” in front of all the lines beginning with $DB_DSN and add the following line just before the line beginning with $DB_USER.

$DB_DSN="sqlite:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb";

See the following example

#$DB_DSN="mysql:host=localhost;dbname=cluebringer";
$DB_DSN="sqlite:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb";
$DB_USER="root";

Restart the Zimbra service and the Zimbra Apache service

su - zimbra -c "zmcontrol restart"
su - zimbra -c "zmapachectl restart"

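You can now access the Policyd WebUI with a browser at the URL http://IPZimbra:7780/webui/index.php. The WebUI has no login of its own, so restrict who can reach it; the follow-up post https://imanudin.net/2014/09/12/zimbra-tips-how-to-protect-policyd-webui/ covers password-protecting it.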
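The config.php edit above is the step most likely to go wrong, so here is an added check for it (example code, not from the original post). The function names `active_dsn` and `check_dsn` and the sample files are constructed for illustration; point `check_dsn` at the config.php path for your Zimbra version.

```sh
#!/bin/sh
# Added example (not from the original post): verify the $DB_DSN edit.

# active_dsn FILE: print the value of every uncommented $DB_DSN line.
active_dsn() {
    sed -n 's/^[[:space:]]*\$DB_DSN[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# check_dsn FILE: return 0 only if exactly one DSN is active, it uses the
# sqlite: driver, and the database file is readable by the current user
# (run it as the account the WebUI runs under).
check_dsn() {
    dsns=$(active_dsn "$1")
    count=$(printf '%s\n' "$dsns" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly 1 active \$DB_DSN line, found $count" >&2
        return 1
    fi
    case $dsns in
        sqlite:*) db=${dsns#sqlite:} ;;
        *) echo "active DSN is not SQLite: $dsns" >&2; return 2 ;;
    esac
    if [ ! -r "$db" ]; then
        echo "SQLite database not readable: $db" >&2
        return 3
    fi
    echo "ok: $db"
}

# Constructed sample (temporary files, not a real server).
sample_dir=$(mktemp -d)
: > "$sample_dir/cbpolicyd.sqlitedb"
cat > "$sample_dir/config.php" <<EOF
<?php
#\$DB_DSN="mysql:host=localhost;dbname=cluebringer";
\$DB_DSN="sqlite:$sample_dir/cbpolicyd.sqlitedb";
\$DB_USER="root";
EOF
check_dsn "$sample_dir/config.php"
```

Return codes 1, 2 and 3 distinguish a missing or duplicated active DSN line, a non-SQLite DSN, and an unreadable database file.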

Good luck and hopefully useful 😀


141 thoughts on - How To Install PolicyD on Zimbra 8.5

  • Thanks Iman,

    I added the whitelist as a sender IP.

    I have another question. My network consists of 3 networks:

    10.10.10.x – DMZ where my zimbra server resides and have different Public IP/ISP provider
    192.168.2.xx/23- LAN – different Public IP provider – 222.33.44.55
    192.168.1.x/24 – LAN – different Public IP provider – example 111.22.23.234

    Our IP in the LAN was blacklisted and a lot of users can’t send email to other mail servers, especially gmail/yahoo.
    My email server’s public IP has a good reputation; how can I resolve and prevent this?

    Here is my Zimbra MTA:
    [zimbra@mail sysadmin]$ postconf mynetworks
    mynetworks = 127.0.0.0/8 10.10.10.0/24 [::1]/128 [fe80::]/64

    Thanks!

    • Hello Ferjun,

      – Please set the trusted networks to 127.0.0.0/8 10.10.10.x/32 -> x is the IP of your Zimbra
      – Block all connections on port 25 from the LAN to the Internet and only allow them from your Zimbra server

  • Hi,

    I am not able to find the httpd folder on Ubuntu 14.04 and Zimbra 8.7. Kindly guide me to configure policyd. Also, I want to restrict users so they can send to up to 10 email IDs at a time.

  • Hello Iman,

    Why is the CBPolicyD GUI not compatible with Zimbra 8.7?
    The script (for Zimbra 8.5) runs the installation until the end, but I don’t have access to the GUI.
    I can’t see the folder “cbpolicyd” under: /opt/zimbra/.
    Can you help me?

  • Hi Iman,

    Most of our email users encounter the error below:

    450 4.7.1 : Sender address rejected: Access denied

    Our Zimbra has a multidomain setup; when they send to multiple recipients this error occurs.

    Appreciate your help.
    Thanks!

  • Hi Iman,
    When I run
    egrep '(reject|warning|error|fatal|panic):' /var/log/zimbra.log

    I have a lot of warnings that it can’t resolve to 111.55.XX.XX, which is my public IP.
    I followed your installation guide, using split DNS.

    Aug 10 22:06:28 mail postfix/smtpd[11548]: warning: hostname mail.mydomain.com does not resolve to address 111.55.XX.XX
    Aug 10 22:07:06 mail postfix/smtpd[12061]: warning: hostname mail.mydomain.com does not resolve to address 111.55.XX.XX
    Aug 10 22:07:41 mail postfix/smtpd[8742]: warning: hostname mail.mydomain.com does not resolve to address 1111.55.XX.XX
    Aug 10 22:09:09 mail postfix/smtpd[8742]: warning: hostname mail.mydomain.com does not resolve to address 1111.55.XX.XX
    Aug 10 22:09:09 mail postfix/smtpd[11548]: warning: hostname mail.mydomain.com does not resolve to address 1111.55.XX.XX
    Aug 10 22:09:24 mail postfix/smtpd[8742]: warning: hostname mail.mydomain.com does not resolve to address 111.55.XX.XX
    Aug 10 22:10:24 mail postfix/smtpd[11548]: warning: hostname mail.mydomain.com does not resolve to address 111.55.XX.XX

    Thanks!

  • Hi Iman,

    [sysadmin@mail ~]$ cat /etc/resolv.conf
    # Generated by NetworkManager
    search mydomain.com
    nameserver 172.16.20.40
    nameserver 8.8.8.8
    [sysadmin@mail ~]$ cat /etc/hosts
    #127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
    #::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

    127.0.0.1 localhost
    172.16.20.40 mail.mydomain.com mail

    [sysadmin@mail ~]$ nslookup mail.mydomain.com
    Server: 172.16.20.40
    Address: 172.16.20.40#53

    Name: mail.mydomain.com
    Address: 172.16.20.40

    We are also experiencing very slow Zimbra webmail.

    • Hello Ferjun,

      Your configuration is good. Please try to change LMTP by running the following command:

      zmprov mcf zimbraMtaLmtpHostLookup native
      
  • Hi Iman,

    I already changed mail.cf – lmtp_host_lookup = dns to lmtp_host_lookup = native, but the issue still isn’t resolved.

    I am also having the permission issue below.

    I tried to fix permissions but it does not resolve the issue. (I ran this twice.)

    As “root” user:
    1) su - zimbra -c 'zmcontrol stop'
    2) /opt/zimbra/libexec/zmfixperms -v -e
    3) su - zimbra -c 'zmcontrol start'

    4 23:17:28 mail zmconfigd[21238]: Exception in bin/zmsaslauthdctl: (Cannot run program “/opt/zimbra/bin/zmsaslauthdctl” (in directory “/root”): error=13, Permission denied)
    Aug 14 23:17:28 mail zmconfigd[21238]: Exception in bin/zmmailboxdctl: (Cannot run program “/opt/zimbra/bin/zmmailboxdctl” (in directory “/root”): error=13, Permission denied)
    Aug 14 23:17:28 mail zmconfigd[21238]: Exception in bin/zmswatchctl: (Cannot run program “/opt/zimbra/bin/zmswatchctl” (in directory “/root”): error=13, Permission denied)
    Aug 14 23:17:28 mail zmconfigd[21238]: Exception in bin/zmspellctl: (Cannot run program “/opt/zimbra/bin/zmspellctl” (in directory “/root”): error=13, Permission denied)
    Aug 14 23:17:28 mail zmconfigd[21238]: Exception in bin/zmstatctl: (Cannot run program “/opt/zimbra/bin/zmstatctl” (in directory “/root”): error=13, Permission denied)
    Aug 14 23:17:28 mail zmconfigd[21238]: Exception in bin/zmmailboxdctl: (Cannot run program “/opt/zimbra/bin/zmmailboxdctl” (in directory “/root”): error=13, Permission denied)
    Aug 14 23:17:28 mail zmconfigd[21238]: Exception in bin/zmmailboxdctl: (Cannot run program “/opt/zimbra/bin/zmmailboxdctl” (in directory “/root”): error=13, Permission denied)
    Aug 14 23:17:28 mail zmconfigd[21238]: Exception in bin/zmmailboxdctl: (Cannot run program “/opt/zimbra/bin/zmmailboxdctl” (in directory “/root”): error=13, Permission denied)
    Aug 14 23:17:28 mail zmconfigd[21238]: Exception in bin/zmclamdctl: (Cannot run program “/opt/zimbra/bin/zmclamdctl” (in directory “/root”): error=13, Permission denied)

  • Hi Iman,
    I installed Zimbra 8.7 Open Source Edition on CentOS 7, 64-bit, single server.
    Is there any way to implement Policyd on this?

    A kind request,
    your help is needed.

  • Hi Iman,
    The script (for Zimbra 8.5) runs the installation until the end, but I don’t have access to the GUI.
    I can’t see the folder “cbpolicyd” under: /opt/zimbra/.

  • For Zimbra 8.7 use this link, and after finishing you will get forbidden access, but don’t worry, use this link https://imanudin.net/2014/09/12/zimbra-tips-how-to-protect-policyd-webui/
    to create protection, but because it has a different folder I will give my way below:
    create .htpasswd

    cd /opt/zimbra/common/share/webui/
    vi .htaccess
    fill with the following lines
    AuthUserFile /opt/zimbra/common/share/webui/.htpasswd
    AuthGroupFile /dev/null
    AuthName "User and Password"
    AuthType Basic

    require valid-user

    Create the htpasswd file, username and password

    touch .htpasswd
    /opt/zimbra/common/bin/htpasswd -cb .htpasswd USERNAME PASSWORD   # <-- change to your user and password
    Change the username and password to the username/password you want. Edit the Zimbra Apache httpd.conf
    vi /opt/zimbra/conf/httpd.conf
    Add the following configuration at the bottom
    Alias /webui /opt/zimbra/common/share/webui/
    <Directory /opt/zimbra/common/share/webui/>
    # Comment out the following 3 lines to make web ui accessible from anywhere
    AllowOverride AuthConfig
    Order Deny,Allow
    Allow from all
    </Directory>

    Restart Apache Zimbra service
    su - zimbra -c "zmapachectl restart"

    • Hello Kamal,

      Please perform the following command

      su - zimbra
      zmprov ms `zmhostname` -zimbraServiceInstalled cbpolicyd -zimbraServiceEnabled cbpolicyd
      zmcontrol restart
      
  • Mas Iman,
    I am using Ubuntu 14.04 with Zimbra 8.6. I followed the tutorial above, and the result after zmcontrol restart is:
    cbpolicyd stop
    policyd is not running.
    I can open the webui, but when I click a menu this appears:
    Error connecting to Policyd v2 DB: invalid data source name.

    Please help, Mas.
    Thank you

  • My cbpolicyd locks and shows this error in the log

    [2016/12/15-17:07:29 – 15009] [QUOTAS] ERROR: Failed to update quota_tracking item: awitpt::db::dblayer::DBDo(173): Error executing command ‘
    %09%09%09%09%09UPDATE
    %09%09%09%09%09%09quotas_tracking
    %09%09%09%09%09SET
    %09%09%09%09%09%09Counter = Counter + ?,
    %09%09%09%09%09%09LastUpdate = ?
    %09%09%09%09%09WHERE
    %09%09%09%09%09%09QuotasLimitsID = ?
    %09%09%09%09%09%09AND TrackKey = ?
    %09%09%09%09%09’: database is locked

    What happened?

  • Hi Mas Imam,

    I tried to activate cbpolicyd on Zimbra 8.6 on Ubuntu 14.04, but when I open it the result is: Error connecting to Policyd v2 DB: could not find driver. Why is that, Mas?

    Thank you

    • Hello Nagendra,

      You can perform the following command

      su - zimbra
      zmprov ms `zmhostname` -zimbraServiceInstalled cbpolicyd -zimbraServiceEnabled cbpolicyd
      zmcontrol restart
      
  • Hello Iman,

    I tried to install and enable cbpolicyd but my server stopped sending out mails.
    I found the following error in zimbra.log:
    Apr 8 12:33:29 mail postfix/smtpd[26089]: NOQUEUE: reject: RCPT from mail.mydomain.com[192.168.100.1]: 451 4.3.5 Server configuration problem; from= to= proto=ESMTP helo=

    cbpolicyd.log was throwing:
    [2017/04/08-12:28:55 – 18826] [CORE] NOTICE: Process Backgrounded
    [2017/04/08-12:28:55 – 18826] [CBPOLICYD] NOTICE: Policyd v2 / Cluebringer – v2.1.x-201205100639
    [2017/04/08-12:28:55 – 18826] [CBPOLICYD] NOTICE: Initializing system modules.
    [2017/04/08-12:28:55 – 18826] [CBPOLICYD] NOTICE: System modules initialized.
    [2017/04/08-12:28:55 – 18826] [CBPOLICYD] NOTICE: Module load started…
    [2017/04/08-12:28:55 – 18826] [CORE] NOTICE: => AccessControl: disabled
    [2017/04/08-12:28:55 – 18826] [CORE] NOTICE: => Accounting: disabled
    [2017/04/08-12:28:55 – 18826] [CORE] NOTICE: => Amavis: disabled
    [2017/04/08-12:28:55 – 18826] [CORE] NOTICE: => CheckHelo: disabled
    [2017/04/08-12:28:55 – 18826] [CORE] NOTICE: => CheckSPF: disabled
    [2017/04/08-12:28:55 – 18826] [CORE] NOTICE: => Greylisting: disabled
    [2017/04/08-12:28:55 – 18826] [CORE] NOTICE: => Quotas: enabled
    [2017/04/08-12:28:55 – 18826] [CORE] NOTICE: => Protocol(Postfix): enabled
    [2017/04/08-12:28:55 – 18826] [CORE] NOTICE: => Protocol(Bizanga): enabled
    [2017/04/08-12:28:55 – 18826] [CBPOLICYD] NOTICE: Module load done.
    [2017/04/08-12:28:55 – 18826] [CBPOLICYD] NOTICE: Session tracking is ENABLED.
    [2017/04/08-12:28:55 – 18826] [CORE] NOTICE: 2017/04/08-12:28:55 cbp (type Net::Server::PreFork) starting! pid(18826)
    [2017/04/08-12:28:55 – 18826] [CORE] NOTICE: Resolved [localhost]:10031 to [127.0.0.1]:10031, IPv4
    [2017/04/08-12:28:55 – 18826] [CORE] NOTICE: Resolved [localhost]:10031 to [::1]:10031, IPv6
    [2017/04/08-12:28:55 – 18826] [CORE] NOTICE: Binding to TCP port 10031 on host 127.0.0.1 with IPv4
    [2017/04/08-12:28:55 – 18826] [CORE] NOTICE: Binding to TCP port 10031 on host ::1 with IPv6
    [2017/04/08-12:28:55 – 18826] [CORE] ERROR: 2017/04/08-12:28:55 Can’t connect to TCP port 10031 on ::1 [Cannot assign requested address]
    at line 68 in file /opt/zimbra/zimbramon/lib/Net/Server/Proto/TCP.pm

    I did some R&D and found that disabling IPv6 can cause that. I had disabled IPv6 on the server, so I commented it out in /etc/hosts like the file below and restarted services.

    127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
    #::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

    After that it worked like a charm.
    Hope this will help someone with the same issue.

  • My policy works correctly, but there is a problem: I have 2000 accounts in my domain, but two of them send 1600 mails daily. How can I apply the policy to all users except my two massive accounts?

    • Hi LeoDelgado,

      You can configure the policy as follows

      Source : !monitoring@imanudin.net,!admin@imanudin.net
      Destination : !@imanudin.net

      The above configuration will pass the rate limit if the sender is monitoring or admin

  • Hi!
    I am trying to configure policyd but facing trouble.
    I have configured a “zcs-8.7.9_GA_1794.RHEL7_64.20170505054622 ” server on CentOS 7.

    I tried to follow your steps; steps 1 and 2 worked,
    but from step 3 I am unable to proceed.
    The error is
    -bash: cd: /opt/zimbra/httpd/htdocs/: No such file or directory

  • Hi Iman Brother,

    I did everything just like this tutorial, but I’m having a problem. I can see Policyd Web Administration but I can’t see any rules there, and I also can’t add any rule to it. Nothing happens and nothing is shown. Policies, Quotas, everything shows as empty.

    I have an idea. I think my database is not readable or something like this, but I don’t know how to fix this on sqlite.

    Can you please tell me how I can fix it?

    • Hi Serazum Munir,
      Please re-populate database

      cd /opt/zimbra/cbpolicyd/share/database/
      for i in core.tsql access_control.tsql quotas.tsql amavis.tsql checkhelo.tsql checkspf.tsql greylisting.tsql accounting.tsql
      do
      ./convert-tsql sqlite $i
      done > /tmp/db1.sql
      