How To Install PolicyD on Zimbra 8.5


What is Policyd?

Policyd is an anti-spam plugin. It has several modules, such as quotas, access control, SPF check, greylisting and others.

Zimbra Collaboration Suite is an email server that uses Postfix as its MTA engine. Policyd has been bundled with Zimbra by default since Zimbra version 7.

Why must we use Policyd?

Policyd has a quotas module, which can be used to limit how many emails are sent or received, for example allowing only 200 emails per hour per user. If your email server is attacked by spam, or some users' passwords are compromised and used by a spammer, at most 200 emails can be sent per hour. This policy protects your public IP from being blacklisted on an RBL. Besides that, you can check which users send a large number of emails.
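As an added example (not from the original article), the shell function below reads Quotas lines from cbpolicyd.log, in the format shown in the log excerpts in the comments further down, and lists the tracked senders whose usage reached a given percentage of their limit. The names quota_report and sample_log and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original article.
# quota_report THRESHOLD [FILE]: print every tracked key (track=...) whose
# usage reached THRESHOLD percent of its limit, with the peak usage and the
# number of deferred or rejected messages. Reads stdin when FILE is omitted.
quota_report() {
    awk -v thr="$1" '
        /module=Quotas/ {
            key = ""; pct = -1; act = ""
            n = split($0, f, ", ")
            # The last occurrence wins: in the log lines on this page track=
            # and the usage field come after helo=, from= and to=, which the
            # SMTP client controls.
            for (i = 1; i <= n; i++) {
                if (f[i] ~ /^track=/) key = substr(f[i], 7)
                else if (f[i] ~ /^action=/) act = substr(f[i], 8)
                else if (f[i] ~ /^quota=[0-9.]+\/[0-9.]+ /) {
                    # "quota=201.89/200 (100.9%)" -> usage / limit
                    split(substr(f[i], 7), q, "[/ ]")
                    if (q[2] > 0) pct = 100 * q[1] / q[2]
                }
            }
            if (key == "" || pct < 0) next
            seen[key] = 1
            if (pct > peak[key]) peak[key] = pct
            if (act == "defer" || act == "reject") blocked[key]++
        }
        END {
            for (k in seen) if (peak[k] >= thr)
                printf "%s peak=%.1f%% blocked=%d\n", k, peak[k], blocked[k]
        }
    ' "${2:--}" | sort
}

# Constructed sample log lines (documentation addresses, not real traffic).
sample_log() {
    cat <<'EOF'
[2024/01/15-10:00:01 - 4101] [CBPOLICYD] INFO: Got request #21 (pipelined)
[2024/01/15-10:00:01 - 4101] [CORE] INFO: module=Quotas, mode=update, host=192.0.2.10, helo=mail.example.com, from=alice@example.com, to=bob@example.net, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:alice@example.com, counter=MessageCount, quota=12.00/200 (6.0%)
[2024/01/15-10:00:02 - 4102] [CORE] INFO: module=Quotas, mode=update, host=192.0.2.11, helo=mail.example.com, from=carol@example.com, to=bob@example.net, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:carol@example.com, counter=MessageCount, quota=105.00/200 (52.5%)
[2024/01/15-10:00:03 - 4103] [CORE] INFO: module=Quotas, action=defer, host=192.0.2.12, helo=mail.example.com, from=mallory@example.com, to=bob@example.net, reason=quota_match, policy=6, quota=3, limit=4, track=Sender:mallory@example.com, counter=MessageCount, quota=201.89/200 (100.9%)
[2024/01/15-10:00:04 - 4103] [CORE] INFO: module=Quotas, action=defer, host=192.0.2.12, helo=mail.example.com, from=mallory@example.com, to=dan@example.net, reason=quota_match, policy=6, quota=3, limit=4, track=Sender:mallory@example.com, counter=MessageCount, quota=201.84/200 (100.9%)
EOF
}

# Senders at or above 50% of their hourly limit in the sample.
sample_log | quota_report 50
```

On a live server the same function can be pointed at the log file, for example `quota_report 50 /opt/zimbra/log/cbpolicyd.log`.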

How To Install Policyd on Zimbra 8.5?

This guide shows step by step how to install Policyd on Zimbra 8.5 and later.

# Activate Policyd

su - zimbra
zmprov ms `zmhostname` +zimbraServiceInstalled cbpolicyd +zimbraServiceEnabled cbpolicyd

# Activate Policyd WebUI

– For Zimbra 8.5/8.6

Run the following command as root

cd /opt/zimbra/httpd/htdocs/
ln -s ../../cbpolicyd/share/webui .

Edit the file /opt/zimbra/cbpolicyd/share/webui/includes/config.php: put “#” in front of every line beginning with $DB_DSN, then add the following line just before the line beginning with $DB_USER.

$DB_DSN="sqlite:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb";

See the following example

#$DB_DSN="mysql:host=localhost;dbname=cluebringer";
$DB_DSN="sqlite:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb";
$DB_USER="root";

Update 18 May 2017

– For Zimbra 8.7.x/8.8.x

Run the following command as root

cd /opt/zimbra/data/httpd/htdocs/
ln -s /opt/zimbra/common/share/webui/ .

Edit the file /opt/zimbra/common/share/webui/includes/config.php: put “#” in front of every line beginning with $DB_DSN, then add the following line just before the line beginning with $DB_USER.

$DB_DSN="sqlite:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb";

See the following example

#$DB_DSN="mysql:host=localhost;dbname=cluebringer";
$DB_DSN="sqlite:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb";
$DB_USER="root";

Restart the Zimbra service and the Zimbra Apache service

su - zimbra -c "zmcontrol restart"
su - zimbra -c "zmapachectl restart"

You can now access the Policyd WebUI with a browser at the URL http://IPZimbra:7780/webui/index.php
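The config.php edit from the WebUI steps above, written as an idempotent shell function; this is an added example, not part of the original article, and it takes the file path as an argument so it fits either Zimbra path variant. The names patch_dsn and make_sample and the sample file are hypothetical; the DSN value is the one given in the article.

```shell
#!/bin/sh
# Added example, not part of the original article.
# DSN line exactly as given in the article.
SQLITE_DSN='$DB_DSN="sqlite:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb";'

# patch_dsn FILE: comment out every active $DB_DSN line and insert the SQLite
# DSN just before the first $DB_USER line. Keeps a copy in FILE.bak.
# Prints "patched" or "unchanged"; returns non-zero if the edit cannot be made.
patch_dsn() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    # Nothing to do when the SQLite DSN is already the only active $DB_DSN.
    active=$(grep -c '^[[:space:]]*\$DB_DSN' "$file" || true)
    if [ "$active" -eq 1 ] && grep -qxF "$SQLITE_DSN" "$file"; then
        echo unchanged
        return 0
    fi
    # Refuse to edit a file that has no $DB_USER line to anchor on.
    grep -q '^[[:space:]]*\$DB_USER' "$file" || {
        echo "no \$DB_USER line in $file" >&2
        return 3
    }
    cp -p "$file" "$file.bak" || return 1
    awk -v dsn="$SQLITE_DSN" '
        /^[ \t]*\$DB_DSN/         { print "#" $0; next }
        /^[ \t]*\$DB_USER/ && !ok { print dsn; ok = 1 }
                                  { print }
    ' "$file.bak" > "$file" || return 1
    echo patched
}

# make_sample FILE: write a constructed stand-in for includes/config.php.
make_sample() {
    cat > "$1" <<'EOF'
<?php
# Constructed sample, not the real Zimbra file
$DB_DSN="mysql:host=localhost;dbname=cluebringer";
$DB_USER="root";
?>
EOF
}

# Demonstration on a temporary copy; the second run changes nothing.
demo_dir=$(mktemp -d)
make_sample "$demo_dir/config.php"
patch_dsn "$demo_dir/config.php"
patch_dsn "$demo_dir/config.php"
cat "$demo_dir/config.php"
rm -rf "$demo_dir"
```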

Good luck and hopefully useful 😀

283 comments

  1. hi
    i am facing this error can you please guide me what is this :

    [2019/09/18-12:22:55 – 60713] [POLICIES] WARNING: [ID:2/Name:Default Outbound]: Error while processing source item ‘%internal_ips’, skipping…
    [2019/09/18-12:22:55 – 60713] [POLICIES] WARNING: [ID:3/Name:Default Inbound]=>(group:internal_ips): – Resolved source ” to a IP/CIDR specification, but its INVALID: awitpt::netip::new(96): Failed to guess IP address version
    [2019/09/18-12:22:55 – 60713] [POLICIES] WARNING: [ID:3/Name:Default Inbound]: Error while processing source item ‘!%internal_ips’, skipping…
    [2019/09/18-12:22:55 – 60713] [POLICIES] WARNING: [ID:4/Name:Default Internal]=>(group:internal_ips): – Resolved source ” to a IP/CIDR specification, but its INVALID: awitpt::netip::new(96): Failed to guess IP address version
    [2019/09/18-12:22:55 – 60713] [POLICIES] WARNING: [ID:4/Name:Default Internal]: Error while processing source item ‘%internal_ips’, skipping…
    [2019/09/18-12:22:55 – 60713] [CBPOLICYD] INFO: Got request #21 (pipelined)
    [2019/09/18-12:22:55 – 60713] [CORE] INFO: module=Quotas, mode=update, host=202.63.219.8, helo=mail2.hbfcl.com, from=hbl.estatement@hbl.com, to=rashid.ahmed@hbfc.com.pk, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:hbl.estatement@hbl.com, counter=MessageCount, quota=4.93/1000 (0.5%)
    [2019/09/18-12:22:55 – 60713] [POLICIES] WARNING: [ID:2/Name:Default Outbound]=>(group:internal_ips): – Resolved source ” to a IP/CIDR specification, but its INVALID: awitpt::netip::new(96): Failed to guess IP address version
    [2019/09/18-12:22:55 – 60713] [POLICIES] WARNING: [ID:2/Name:Default Outbound]: Error while processing source item ‘%internal_ips’, skipping…
    [2019/09/18-12:22:55 – 60713] [POLICIES] WARNING: [ID:3/Name:Default Inbound]=>(group:internal_ips): – Resolved source ” to a IP/CIDR specification, but its INVALID: awitpt::netip::new(96): Failed to guess IP address version
    [2019/09/18-12:22:55 – 60713] [POLICIES] WARNING: [ID:3/Name:Default Inbound]: Error while processing source item ‘!%internal_ips’, skipping…
    [2019/09/18-12:22:55 – 60713] [POLICIES] WARNING: [ID:4/Name:Default Internal]=>(group:internal_ips): – Resolved source ” to a IP/CIDR specification, but its INVALID: awitpt::netip::new(96): Failed to guess IP address version
    [2019/09/18-12:22:55 – 60713] [POLICIES] WARNING: [ID:4/Name:Default Internal]: Error while processing source item ‘%internal_ips’, skipping…
    [2019/09/18-12:22:55 – 60713] [CBPOLICYD] INFO: Got request #22 (pipelined)

  2. Hi Ahmad,

    Thank You for this very comprehensive guide. I was able to successfully implement it. I just have a question: is it possible to get a notification if an email is already using 50% of the allocated quota?

    Thank You.

  3. Mas Iman, I need your help, cbpolicyd gives an error like this:

    [TRACKING] ERROR: Failed to select session tracking info: awitpt::db::dblayer::DBSelect(126): Error executing select: database is locked

    How do I fix it, mas? At first I followed mas Iman's tutorial on Zimbra 8.6, working nicely,
    then I migrated my mail server from SLES 11, Zimbra 8.6 to CentOS 7, Zimbra 8.8.15.

    But cbpolicyd gives the error above.
    I would appreciate your guidance, mas Iman.

    Thank you.

  4. Hello Sir,

    I have implemented policyd services with above procedure and thanks for that,
    my policyd services is not running and getting following error in cbpolicyd.log

    [2020/03/02-16:14:37 – 23524] [CORE] NOTICE: Process Backgrounded
    [2020/03/02-16:14:37 – 23524] [CBPOLICYD] NOTICE: PolicyD v2 / Cluebringer – v2.1.x-201205100639
    [2020/03/02-16:14:37 – 23524] [CBPOLICYD] NOTICE: Initializing system modules.
    [2020/03/02-16:14:37 – 23524] [CBPOLICYD] NOTICE: System modules initialized.
    [2020/03/02-16:14:37 – 23524] [CBPOLICYD] NOTICE: Module load started…
    [2020/03/02-16:14:37 – 23524] [CORE] NOTICE: => AccessControl: disabled
    [2020/03/02-16:14:37 – 23524] [CORE] NOTICE: => Accounting: disabled
    [2020/03/02-16:14:37 – 23524] [CORE] NOTICE: => Amavis: disabled
    [2020/03/02-16:14:37 – 23524] [CORE] NOTICE: => CheckHelo: disabled
    [2020/03/02-16:14:37 – 23524] [CORE] NOTICE: => CheckSPF: disabled
    [2020/03/02-16:14:37 – 23524] [CORE] NOTICE: => Greylisting: disabled
    [2020/03/02-16:14:37 – 23524] [CORE] NOTICE: => Quotas: enabled
    [2020/03/02-16:14:37 – 23524] [CORE] NOTICE: => Protocol(Postfix): enabled
    [2020/03/02-16:14:37 – 23524] [CBPOLICYD] NOTICE: Module load done.
    [2020/03/02-16:14:37 – 23524] [CBPOLICYD] NOTICE: Session tracking is ENABLED.
    [2020/03/02-16:14:37 – 23524] [CORE] NOTICE: 2020/03/02-16:14:37 cbp (type Net::Server::PreFork) starting! pid(23524)
    [2020/03/02-16:14:37 – 23524] [CORE] NOTICE: Resolved [localhost]:10031 to [127.0.0.1]:10031, IPv4
    [2020/03/02-16:14:37 – 23524] [CORE] NOTICE: Binding to TCP port 10031 on host 127.0.0.1 with IPv4
    [2020/03/02-16:14:37 – 23524] [CORE] NOTICE: Setting gid to “982 982”
    [2020/03/02-16:14:37 – 23524] [CORE] INFO: Setting up serialization via flock
    [2020/03/02-16:14:37 – 23524] [CORE] INFO: Beginning prefork (4 processes)
    [2020/03/02-16:14:37 – 23524] [CORE] INFO: Starting “4” children
    [2020/03/02-16:14:37 – 23526] [CORE] ERROR: 2020/03/02-16:14:37 Couldn’t open lock file “./XK_T_QrltO”[Permission denied]
    at line 213 in file /opt/zimbra/common/lib/perl5/Net/Server/PreFork.pm
    [2020/03/02-16:14:37 – 23527] [CORE] ERROR: 2020/03/02-16:14:37 Couldn’t open lock file “./XK_T_QrltO”[Permission denied]
    at line 213 in file /opt/zimbra/common/lib/perl5/Net/Server/PreFork.pm
    [2020/03/02-16:14:37 – 23528] [CORE] ERROR: 2020/03/02-16:14:37 Couldn’t open lock file “./XK_T_QrltO”[Permission denied]
    at line 213 in file /opt/zimbra/common/lib/perl5/Net/Server/PreFork.pm
    [2020/03/02-16:14:37 – 23524] [CORE] NOTICE: 2020/03/02-16:14:37 Server closing!

    1. Hi Sandip,
      Please try to stop Zimbra services and run fixperms

      su - zimbra -c 'zmcontrol stop'
      /opt/zimbra/libexec/zmfixperms -e -v
      
  5. Iman: hi! Great manual, I can hardly wait to use it. But before making modifications (I just don’t want to break something) I just want to ask you if I can apply your manual to FOSS (community version of Zimbra) or is it only for the commercial version of Zimbra? I still use Zimbra 8.5.1 FOSS (community) edition and would like to apply your manual on it.

    Thank you!

  6. Hi,
    Can we add sender bcc in policyd? I’ve created a group in policyd, if members in the group sends email then a copy of that email should send to manager ID. Kindly check and advice.

  7. very helpful guide, I’ve installed cbpolicyd, the service is running but I can’t access the webui, I get a 404 error on zimbra 8.8.15

    1. Hi Cliff,
      Please make sure you can access Zimbra Apache first on port 7780 (http://ipzimbra:7780). If it appears it works, the Zimbra Apache service is already running. Then, you can check step by step to enable PolicyD WebUI

      1. Hi iman,
        I have the same problem. policyD service is running but I can’t access the webui. zmapachectl is running and listening on 0.0.0.0:7780. If I try to access Zimbra Apache on this port the result is the same – the site can’t be reached.
        Thanks for your help.

  8. Mas Iman, when I ran su - zimbra I was asked to enter a password, and I don't know which password I should use, because the admin password doesn't work. Please advise, mas.

    1. Hi mas Rizal,
      Make sure that when you run su - zimbra you are logged in as the ROOT user. To check which user you are currently using, run the id command. If you are already the Zimbra user, there is no need to run su - zimbra again.

  9. Hello and thank you for the comprehensive guide. I followed your steps but the policy does not seem to be working. Any suggestions?

  10. Hi
    I have a problem after the installation.
    I tried to configure the policy group but its data doesn’t appear after I add and submit it.
    It’s a completely blank page
    Thanks,

  11. Hi Imanudin
    I am having a serious issue with cbpolicyd. I had successfully installed and configured cbpolicyd on my Zimbra server. Everything was working normally and the policy was also working. Then we upgraded our Zimbra to 8.8.15, and after that we started having problems with cbpolicyd. When cbpolicyd is enabled, mails start queuing up in the mail queue, after which Zimbra users cannot even send mail. There is only one policy in cbpolicyd, to block a particular domain.
    We have already optimized the cbpolicyd as mentioned in
    https://wiki.zimbra.com/wiki/How-to_for_cbpolicyd (performance tuning)
    Yes our mail server is large serving around 1700 mail accounts.
    Resources of server is 10 core , 32GB RAM
    We were not experiencing the problem before on zimbra 8.8.10 with same number of users and same server.
    We also tried creating new db cbpolicyd.sqlitedb. But also same result.
    Is it that cbpolicy is not able to handle the flow of emails of 1700 users? But it was working fine in 8.8.10.
    Does anybody have any idea how I can get cbpolicyd working? When the error occurs, the error log also shows that the database is locked.

    1. Hi,
      I recommend using multiple servers if you have 1700 users. With 32 GB of RAM, you can create 1 LDAP, 1 Mailbox, 1 mta+proxy and 1 mta server. The single MTA can be configured for incoming/outgoing email. Below are the details

      LDAP : 4 GB
      MBOX : 12 GB
      Proxy : 8 GB
      MTA : 6 GB
      

      Then, cbpolicyd can be installed and configured on MTA server. For internal MTA, you can use proxy+mta

      1. Thanks Imanudin, I will try to work on it. But in the current situation I cannot bring my Zimbra mail server down. Are there any other temporary fixes to make cbpolicyd work?

          1. Already configured to high volume servers. No luck.
            cbpolicyd_min_servers=8
            cbpolicyd_min_spare_servers=8
            cbpolicyd_max_spare_servers=16
            cbpolicyd_max_servers=64
            cbpolicyd_max_requests=1000

          2. Please use this command

            zmprov ms `zmhostname` zimbraCBPolicydMinServers 8
            zmprov ms `zmhostname` zimbraCBPolicydMinSpareServers 8
            zmprov ms `zmhostname` zimbraCBPolicydMaxSpareServers 16
            zmprov ms `zmhostname` zimbraCBPolicydMaxServers 64
            zmprov ms `zmhostname` zimbraCBPolicydMaxRequests 1000
            
    2. Tried your given commands but no luck. I am now trying to change the cbpolicyd SQLite db to MySQL. Hope this will help.

  12. I am stuck in web ui saying error connecting to database. I have uploaded the sqlite db to mysql. Configured backend connection for database in /opt/zimbra/common/share/webui/includes/config.php . Also defined database connection in /opt/zimbra/conf/cbpolicyd.conf. Done on the basis of following links
    https://apuntestuxianos.blogspot.com/2015/06/cbpolicyd-en-zimbra.html
    https://computingforgeeks.com/install-cbpolicyd-on-centos-7/

    Tried installing php-pdo module to fix the connection.

      1. No I was unable to use MySQL database in cbpolicyd. I will be extremely grateful if you could create a tutorial on installing cbpolicyd on MySQL i.e. changing from default SQLite.

  13. Hi Iman,

    You are doing great job, your articles are very clear and helpful. Many thanks for doing this.

    I’m using zimbra version 8.8.15 (open source). I’m getting spoofed emails from address as user@example.com to user@example.com. Is there any way I can reject those emails.

    Thanks,
    Ramesh

  14. Hi Iman, how are you? I wanted to consult you since I am trying to install cbpolicyd in zimbra 8.8.15 and it does not apply the quota when I send from webmail but if when I send from smtp, will it be necessary to add something? Greetings

      1. Hello Magnet, I give you the result of the command. Greetings

        smtpd_end_of_data_restrictions = check_policy_service inet:localhost:10031
        smtpd_recipient_restrictions = check_policy_service inet:localhost:10031, reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_recipient, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_non_fqdn_sender, reject_unknown_client_hostname, reject_rbl_client zen.spamhaus.org, reject_rbl_client b.barracudacentral.org, reject_rbl_client spam.spamrats.com, reject_rhsbl_client dbl.spamhaus.org, reject_rhsbl_client multi.surbl.org, reject_rhsbl_client rhsbl.sorbs.net, reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_sender multi.surbl.org, permit
        smtpd_sender_restrictions = check_policy_service inet:localhost:10031, check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re

        1. Hi Mariano,
          I see your policyd has been registered in smtpd_end_of_data_restrictions, smtpd_recipient_restrictions and smtpd_sender_restrictions

  15. Mas Iman,

    I have successfully installed PolicyD, including protection with a username and password … but why is it that when I add a policy group there is no result, it is just blank, even though there is no error message at all … what could be the cause?
    I am using Ubuntu 18 and Zimbra Zimbra 8.8.15_GA_4173 (build 20211022125231)

    Thank you

  16. zimbra@mail:~/data/httpd/htdocs$ ln -s /opt/zimbra/common/share/webui/ .
    ln: failed to create symbolic link ‘./webui’: Permission denied

    I am getting this error on Zimbra 8.8; I am using Ubuntu 18.04

  17. hi, mas Iman

    I am using Zimbra 8.6; previously it ran on SLES 11, and it has now been migrated to CentOS 7.
    As I recall, I once implemented cbpolicyd on SLES 11.
    After migrating to CentOS 7, I cannot access http://ipmailserver:7780/webui/index.php
    ” This site can’t be reached ” .
    How do I fix it, mas, so that it can be accessed again?
    When I run “tail -f /opt/zimbra/log/cbpolicyd.log”, I can see that the sending rate limit is working.
    But I cannot access the WebUI.
    I want to implement the SPF check in cbpolicyd, for which the tutorial is also on mas Iman's site.

    Regards,
    Ernest

  18. Hi, I have configured cbpolicy and it is working fine, but it is not blocking mail when it reaches the limit, which I have set to 200 per hour.

    I myself changed the limit to 3 for testing by sending more than 4 mails, and all mail was delivered. What was wrong?

    [2022/11/29-13:14:42 – 17680] [CORE] INFO: module=Quotas, action=defer, host=40.107.20.95, helo=EUR05-DB8-obe.outbound.protection.outlook.com, from=***@TY.zt, to=victoria.ulula@abc.com, reason=quota_match, policy=6, quota=3, limit=4, track=Sender:***@TY.zt, counter=MessageCount, quota=201.89/200 (100.9%)
    [2022/11/29-13:14:43 – 16846] [CBPOLICYD] INFO: Got request #21 (pipelined)
    [2022/11/29-13:14:43 – 16846] [CORE] INFO: module=Quotas, action=defer, host=40.107.15.131, helo=EUR01-DB5-obe.outbound.protection.outlook.com, from=***@TY.zt, to=victoria.ulula@abc.com, reason=quota_match, policy=6, quota=3, limit=4, track=Sender:***@TY.zt, counter=MessageCount, quota=201.84/200 (100.9%)
    [2022/11/29-13:14:43 – 31142] [CBPOLICYD] INFO: Got request #46 (pipelined)
    [2022/11/29-13:14:43 – 31142] [CORE] INFO: module=Quotas, action=defer, host=40.107.247.121, helo=EUR02-AM0-obe.outbound.protection.outlook.com, from=***@TY.zt, to=temba.msemo@abc.com, reason=quota_match, policy=6, quota=3, limit=4, track=Sender:***@TY.zt, counter=MessageCount, quota=201.84/200 (100.9%)
    [2022/11/29-13:14:43 – 13065] [CBPOLICYD] INFO: Got request #55 (pipelined)
    [2022/11/29-13:14:44 – 13065] [CORE] INFO: module=Quotas, mode=update, host=139.138.45.219, helo=esa.hc644-4.ap.iphmx.com, from=mailer-daemon@esa4.hc644-4.ap.iphmx.com, to=postmaster@abc.com, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:mailer-daemon@esa4.hc644-4.ap.iphmx.com, counter=MessageCount, quota=1.00/200 (0.5%)
    [2022/11/29-13:14:44 – 7732] [CBPOLICYD] INFO: Got request #59 (pipelined)
    [2022/11/29-13:14:44 – 7732] [CORE] INFO: module=Quotas, action=defer, host=40.107.14.139, helo=EUR01-VE1-obe.outbound.protection.outlook.com, from=***@TY.zt, to=michael.bujiba@abc.com, reason=quota_match, policy=6, quota=3, limit=4, track=Sender:***@TY.zt, counter=MessageCount, quota=201.78/200 (100.9%)
    [2022/11/29-13:14:44 – 13065] [CBPOLICYD] INFO: Got request #56 (pipelined)
    [2022/11/29-13:14:44 – 13065] [CORE] INFO: module=Quotas, mode=update, host=139.138.45.219, helo=esa.hc644-4.ap.iphmx.com, from=mailer-daemon@esa4.hc644-4.ap.iphmx.com, to=postmaster@abc.com, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:mailer-daemon@esa4.hc644-4.ap.iphmx.com, counter=MessageCount, quota=2.00/200 (1.0%)
    [2022/11/29-13:14:44 – 16654] [CBPOLICYD] INFO: Got request #15 (pipelined)
    [2022/11/29-13:14:44 – 16654] [CORE] INFO: module=Quotas, mode=update, host=139.138.45.219, helo=esa.hc644-4.ap.iphmx.com, from=mailer-daemon@esa2.hc644-4.ap.iphmx.com, to=postmaster@abc.com, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:mailer-daemon@esa2.hc644-4.ap.iphmx.com, counter=MessageCount, quota=1.00/200 (0.5%)
    [2022/11/29-13:14:45 – 5969] [CBPOLICYD] INFO: Got request #57 (pipelined)
    [2022/11/29-13:14:45 – 5969] [CORE] INFO: module=Quotas, action=defer, host=40.107.241.94, helo=EUR02-VI1-obe.outbound.protection.outlook.com, from=***@TY.zt, to=temba.msemo@abc.com, reason=quota_match, policy=6, quota=3, limit=4, track=Sender:***@TY.zt, counter=MessageCount, quota=201.73/200 (100.9%)

  19. Starting cbpolicyd…Failed.
    Starting policyd…failed.

    cbpolicyd can not start do not know why! My zimbra version is 8.8, please tell me the problem! Thanks!