What is Policyd?
Policyd is an anti-spam plugin. Policyd has several modules, such as quotas, access control, SPF check, greylisting and others.
Zimbra Collaboration Suite is an email server that uses Postfix as its MTA engine. Policyd has been bundled with Zimbra by default since Zimbra version 7.
Why must we use Policyd?
Policyd has a quotas module. This module can be used to limit sending/receipt of email, for example allowing only 200 emails per hour per user. If your email server is attacked by spam, or some users' passwords are compromised and used by a spammer, at most 200 emails per hour can be sent. This policy will keep your public IP from being blacklisted on RBLs. In addition, you can check which users send large numbers of emails.
How To Install Policyd on Zimbra 8.5?
This is a step-by-step guide to installing Policyd on Zimbra 8.5 and later.
# Activate Policyd
su - zimbra
zmprov ms `zmhostname` +zimbraServiceInstalled cbpolicyd +zimbraServiceEnabled cbpolicyd
# Activate Policyd WebUI
– For Zimbra 8.5/8.6
Run the following commands as root
cd /opt/zimbra/httpd/htdocs/
ln -s ../../cbpolicyd/share/webui .
Edit the file /opt/zimbra/cbpolicyd/share/webui/includes/config.php: put "#" in front of every line beginning with $DB_DSN, and add the following line just before the line beginning with $DB_USER.
$DB_DSN="sqlite:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb";
See the following example
#$DB_DSN="mysql:host=localhost;dbname=cluebringer";
$DB_DSN="sqlite:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb";
$DB_USER="root";
Update 18 May 2017
– For Zimbra 8.7.x/8.8.x
Run the following commands as root
cd /opt/zimbra/data/httpd/htdocs/
ln -s /opt/zimbra/common/share/webui/ .
Edit the file /opt/zimbra/common/share/webui/includes/config.php: put "#" in front of every line beginning with $DB_DSN, and add the following line just before the line beginning with $DB_USER.
$DB_DSN="sqlite:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb";
See the following example
#$DB_DSN="mysql:host=localhost;dbname=cluebringer";
$DB_DSN="sqlite:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb";
$DB_USER="root";
Restart Zimbra service and Zimbra Apache service
su - zimbra -c "zmcontrol restart"
su - zimbra -c "zmapachectl restart"
You can now access the Policyd WebUI with a browser at the URL http://IPZimbra:7780/webui/index.php
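The config.php edit from the steps above, written as a shell function that can be re-run safely. This is an added example, not part of the original guide: the function names are made up here, and the config.php path for your Zimbra version (8.5/8.6 or 8.7.x/8.8.x) is passed as the argument.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names are hypothetical.
# Usage (as root): use_sqlite_dsn /path/to/webui/includes/config.php

SQLITE_DSN='$DB_DSN="sqlite:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb";'

# Print the $DB_DSN lines that are still active (not commented out).
active_dsn() {
    grep '^[[:space:]]*\$DB_DSN' "$1" || true
}

use_sqlite_dsn() {
    cfg=$1
    [ -f "$cfg" ] || { echo "not found: $cfg" >&2; return 1; }

    # Nothing to do if the only active DSN is already the SQLite one.
    [ "$(active_dsn "$cfg")" = "$SQLITE_DSN" ] && return 0

    # The new line goes just before $DB_USER, so that line must exist.
    grep -q '^[[:space:]]*\$DB_USER' "$cfg" ||
        { echo "no \$DB_USER line in $cfg" >&2; return 1; }

    # Keep one copy of the untouched file; never overwrite it on later runs.
    [ -e "$cfg.orig" ] || cp -p "$cfg" "$cfg.orig" || return 1

    tmp=$(mktemp) || return 1
    awk -v dsn="$SQLITE_DSN" '
        /^[ \t]*\$DB_DSN/           { print "#" $0; next }   # comment out
        /^[ \t]*\$DB_USER/ && !done { print dsn; done = 1 }  # insert once
                                    { print }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

After a successful run, `active_dsn` on the same file prints only the SQLite line; the untouched original is kept next to it as config.php.orig.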
Good luck and hopefully useful 😀
When I connected to http://IPZimbra:7780/webui/index.php, an error occurred: “Error connecting to Policyd v2 DB: could not find driver”. How to solve the problem?
Hi phphy,
What operating system are you using? What type of Zimbra mail server are you using? Single server or multi-server?
Centos 7 and single server.
Hi phppy,
Try to install php53-sqlite on your system and try again to access WebUI
Yes, I have solved this issue.
vim /opt/zimbra/conf/php.ini
extension=pdo.so
extension=pdo_sqlite.so
Hi phphy,
Thanks for your information. Confirm and noted
Hi!
I’m trying to use cbpolicy but I’m unable to create any accounting rule or to configure the Amavis integration (Array ( [0] => HY000 [1] => 1 [2] => no such table: amavis_rules )).
Is it just me, or does this happen to you too?
Release 8.5.0_GA_3042.RHEL6_64_20140828192109 RHEL6_64 NETWORK edition, Patch 8.5.0_P2.
CentOS release 6.6 (Final)
Thanks for your blog 🙂
Sebas
Hi Sebastian,
By default, there are no tables for the accounting module. If you want to enable it, you can try this guide:
cd /opt/zimbra/cbpolicyd/share/database/
./convert-tsql sqlite accounting.tsql > /tmp/accounting.sql
vi /tmp/accounting.sql
Delete all lines starting with # (comments) and save. Import the database into sqlite, enable the CBPolicyD accounting module and restart CBPolicyD
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb < /tmp/accounting.sql
zmprov ms `zmhostname` zimbraCBPolicydAccountingEnabled TRUE
zmcbpolicydctl restart
If you want to enable the amavis module, you can repeat the steps above.
Very good article. Nice info…
My system uses Ubuntu Server 12.04 LTS with Zimbra 8.50+latest patch. I've installed cbpolicyd according to this site.
My problem is, sometimes I have to restart the cbpolicyd service because my Zimbra log says: connect to 127.0.0.1:10031: Connection time out
After a restart with: zmcbpolicydctl restart, everything seems to work fine, but after that, at random times, the Zimbra log says: connect to 127.0.0.1:10031: Connection time out (again).
my cbpolicyd config is :
min_servers=8
min_spare_servers=8
max_spare_servers=16
max_servers=64
max_requests=1000
Thanks in advance
Hello,
Maybe CBPolicyD is working hard, which makes the connection to 127.0.0.1:10031 time out. Also, maybe there are too many rules and requests from users/clients.
Asallamoalikum Ahmad,
Very good article! Keep up the good work.
This is a great site and obviously very helpful for Zimbra servers. Please help me to enable all the modules in Policyd, and give an example of content filtering using Access Control.
Hi Nahid,
For examples of using CBPolicyD, you can see the following links:
1. https://imanudin.net/2014/09/29/how-to-restrict-users-sending-to-certain-usersdomains-with-policyd/
2. https://imanudin.net/2014/09/09/zimbra-tips-how-to-configure-rate-limit-sending-message-on-policyd/
3. https://imanudin.net/2014/12/01/how-to-limit-sendingreceipt-email-per-day-per-week-or-per-month/
4. https://imanudin.net/2014/10/13/restricting-users-to-send-mails-to-certain-domains-on-zimbra-8-5/
5. https://imanudin.net/2014/09/11/improving-anti-spam-reject-unlisted-domain-on-zimbra-8-5/
Thanks for visiting
Thank you bro for your response. I need one more bit of help: please help me to filter email content using Policyd.
Hi Nahid,
Did you mean filtering email contents such as subject, body or other? If yes, you can do that with AmavisD.
Hello,
Having a multi-server install, with the MTA on its own and no WebUI, I installed the stock Apache.
(centos 7)
yum -y install php httpd
cd /var/www/html
ln -s /opt/zimbra/cbpolicyd/share/webui
systemctl start httpd
systemctl enable httpd
and bingo !!
(care about SELINUX)
Wow,
Good Job bro 😀
Error connecting to Policyd v2 DB: could not find driver
After upgrading from 8.5 to 8.6 installed php-pdo but error
PHP Warning: PHP Startup: Unable to load dynamic library ‘/usr/lib64/php/modules/pdo.so’ – /usr/lib64/php/modules/pdo.so: undefined symbol: compiler_globals in Unknown on line 0
any idea about it
Hi Vikram,
Please check the file /opt/zimbra/cbpolicyd/share/webui/includes/config.php and make sure it is using the DB like below:
$DB_DSN="sqlite:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb";
Gr8 it worked that was the issue
Your step:
zmprov mcf +zimbraMtaRestriction "check_policy_service inet:127.0.0.1:10031"
is incorrect, and has no effect.
Hi Master,
Thanks for your information, and thanks also for visiting my blog, Master 😀
Thank you
With your support I have configured the Zimbra mail server. When I am using the same URL for sending or receiving mails it works fine, but when I send mail to another domain using Zimbra, the mails are not sent.
My outgoing mails are not working to other domains like gmail, rediff.com etc.
Please help me out with outgoing mail.
Hi Vikram,
Please track the status of the sent email via zmmsgtrace. Example command:
/opt/zimbra/libexec/zmmsgtrace -s sender -r recipient
Please send me the result of the above command
Hi Iman,
Thanks for your nice guide. I have followed your guide and install CBPolicyd using your script but still my Zimbra server not greylisting in effect, can you please let me know what I can do next to enable greylisting. My server spec as below:
OS: Ubuntu 14.04 LTS (Single server)
Zimbra: 8.6 (p2) open source
Thanks,
Hamid
Hi Russel,
By default, CBPolicyD greylisting is disabled. Please try this command to enable it
Note: Please change mail.imanudin.net to the hostname of your Zimbra server
I installed it on my server (CentOS 6.6) using those steps, and Policyd allows me to configure it, but it doesn't check anything.
With "zmcontrol status", it says cbpolicyd is running, but the Zimbra Admin interface says cbpolicyd is not running.
If I connect to the policyd database, the rules I create in the policyd web interface are there, but nothing appears in quotas_tracking, even with all configuration enabled.
It appears that policyd is not receiving mail data to verify…
Any suggestions?
Hi Carlos,
Have you made sure all the policies you created are enabled? By default, all policies are still disabled.
Yes, I am sure.
I configured in other mailserver and it works, but not in this new one. The policyd configuration for both is the same.
I perceived now that it’s not receiving anything at port 10031 (with tcpdump). It seems that postfix is not sending mail info to policyd…
Now I see that there is no configuration in main.cf or master.cf indicating the use of policyd or port 10031. So, I read the script available at https://imanudin.net/2014/09/30/script-automatic-configure-cbpolicyd-on-zimbra-8-5/ and see that there are important commands there, like:
su - zimbra -c "zmprov mcf +zimbraMtaRestriction 'check_policy_service inet:127.0.0.1:10031'"
Now It’s working fine!
Hi Carlos,
Glad to hear that 😀
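Two checks for the situation described in this thread, where Postfix was not handing mail to Policyd: whether a check_policy_service entry for port 10031 is configured, and whether cbpolicyd answers a policy request. This is an added example, not part of the original comments; the function names and sample addresses are made up, and it assumes nc is installed and cbpolicyd listens on 127.0.0.1:10031.

```shell
#!/bin/sh
# Added example, not from the original thread. Function names and addresses
# are hypothetical. Requests use the Postfix policy delegation protocol:
# name=value lines, terminated by an empty line; the reply is "action=...".

# Reads "postconf -n" output on stdin; succeeds if some restriction list
# hands mail to a policy service on port 10031.
policy_wired() {
    grep -Eq 'check_policy_service[[:space:]]+inet:[^ ,]*:10031'
}

# $1 sender, $2 recipient, $3 client IP, $4 SASL login (optional)
policy_request() {
    printf 'request=smtpd_access_policy\n'
    printf 'protocol_state=RCPT\n'
    printf 'protocol_name=ESMTP\n'
    printf 'client_address=%s\n' "$3"
    printf 'client_name=unknown\n'
    printf 'helo_name=probe.example.com\n'
    printf 'sender=%s\n' "$1"
    printf 'recipient=%s\n' "$2"
    printf 'sasl_username=%s\n' "${4:-}"
    printf 'instance=probe.%s\n' "$$"
    printf '\n'
}

# Reads a policy server reply on stdin and prints the first action value.
policy_action() {
    sed -n 's/^action=//p' | head -n 1
}

# Sends one request to cbpolicyd and prints its verdict (for example DUNNO).
# The request is evaluated like real mail, so quota counters may be touched.
policy_probe() {
    reply=$(policy_request "$@" | nc -w 5 127.0.0.1 10031 2>/dev/null || true)
    action=$(printf '%s\n' "$reply" | policy_action)
    if [ -z "$action" ]; then
        echo "no action= reply from 127.0.0.1:10031 within 5s" >&2
        return 1
    fi
    printf '%s\n' "$action"
}

# Typical use on the MTA, as the zimbra user:
#   postconf -n | policy_wired || echo "Postfix is not calling Policyd"
#   policy_probe user@example.com rcpt@example.net 192.0.2.10 user@example.com
```

If `policy_wired` fails, Postfix never contacts Policyd and nothing will appear in quotas_tracking; if it succeeds but `policy_probe` gets no reply, the daemon itself is not answering, which matches the "Connection timed out" reports in other comments.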
Great, I can now access it via the web using Zimbra 7.2.1
Thanks, Mas Ahmad
Great. Please share it as well, Mas 😀
I want to thank you for your excellent Article.
I have installed Zimbra 8.6 OSE on CentOS7. Everything is running properly except 8443 port, POP & IMAP is not accessible from WAN. Guess I need to configure properly the Zimbra Proxy. Can you please help me in this regard.
Thanks in advance.
Suman
Hi Suman,
Please try to run the following command
Hello iman,
I'm trying to change the performance settings in the file /opt/zimbra/conf/cbpolicyd.conf but when I restart Policyd it goes back to the defaults.
What am I doing wrong ? Thank you!
Hi Leonardo,
All configuration should be done via the CLI. Please try this command to grep all the parameters for modifying Policyd
After you have found what you need, you can execute it as in the following example
In the above command, I want to enable PolicyD Access Control with the parameter I found from the grep command
Hi Iman,
It worked perfectly now.
Thank you!
Hi Mas Imanuddin, is it possible to use PolicyD as a content filter? For example, if a user sends an email that contains some bad words, Zimbra automatically blocks the email or redirects it to the admin?
thanks before
Hi mas,
I don’t know and not yet found how to do that in PolicyD. But you could try this guidance to achieve it : https://imanudin.net/2015/02/13/zimbra-tips-blacklist-email-based-on-body-email/
when i config policyd with webui
i see Verdict: defer, hold, drop, redirect…
I really wanna use redirect, but i don’t know which email Policyd will redirect to.
Please help me
Thanks Mas Iman, but is your article just for external email coming to our servers, or is it possible to filter email from our server to external, meaning from our client to other mail servers, so that what our client creates and wants to send to other external mail servers can be filtered? For example, our client's email contains some bad words, so we must block this email or we must redirect this email to the admin.. please explain.. thanks before.. or do you have a solution for the condition above…?
Hi mas,
The guidance is valid for internal and external
Hi Iman,
How to activate PolicyD on Zimbra Collaboration multi-server installation ?
Thanks,
Thanh
Hi Thanh,
If using multi-server, please install and configure it on the MTA server. Please make sure that while installing the MTA server you also choose Zimbra Apache/the system's Apache for the PolicyD WebUI
Hi Iman,
Thank you for your response. Other question : How to install and configure policyd if having 2 mta ?
Many thanks,
Thanh
Hi Thanh,
Install PolicyD on the 2 MTAs the same way as you usually would on 1 MTA. For configuration, it depends on what you want to achieve
Hi,
Thank-you for the article.
I configured it as you wrote but it isn't working.
I'm using zimbraMtaRelayHost pointing to antispam (assp), do you think it could be a problem?
Thank-you again
Hi Elton,
You recently installed PolicyD. These are a few articles on how to use CBPolicyD
1. https://imanudin.net/2014/09/29/how-to-restrict-users-sending-to-certain-usersdomains-with-policyd/
2. https://imanudin.net/2014/09/09/zimbra-tips-how-to-configure-rate-limit-sending-message-on-policyd/
3. https://imanudin.net/2014/12/01/how-to-limit-sendingreceipt-email-per-day-per-week-or-per-month/
4. https://imanudin.net/2014/10/13/restricting-users-to-send-mails-to-certain-domains-on-zimbra-8-5/
5. https://imanudin.net/2014/09/11/improving-anti-spam-reject-unlisted-domain-on-zimbra-8-5/
I found this error
warning: problem talking to server localhost:10031: Connection timed out
[root@mail imapsync]# nmap -sS -P0 -p 10031 localhost
Starting Nmap 5.51 ( http://nmap.org ) at 2015-11-15 09:41 BRST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000070s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT STATE SERVICE
10031/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
—-
[root@mail imapsync]# lsof -i:10031
..
smtpd 23662 postfix 16u IPv4 148907508 0t0 TCP localhost:40806->localhost:10031 (ESTABLISHED)
smtpd 27302 postfix 17u IPv4 148900337 0t0 TCP localhost:40772->localhost:10031 (ESTABLISHED)
smtpd 27305 postfix 17u IPv4 148908836 0t0 TCP localhost:40834->localhost:10031 (ESTABLISHED)
cbpolicyd 32252 zimbra 5u IPv6 148729179 0t0 TCP localhost:10031 (LISTEN)
cbpolicyd 32252 zimbra 6u IPv4 148729181 0t0 TCP localhost:10031 (LISTEN)
cbpolicyd 32254 zimbra 0u IPv4 148856046 0t0 TCP localhost:10031->localhost:40279 (ESTABLISHED)
cbpolicyd 32254 zimbra 1u IPv4 148856046 0t0 TCP localhost:10031->localhost:40279 (ESTABLISHED)
cbpolicyd 32254 zimbra 5u IPv6 148729179 0t0 TCP localhost:10031 (LISTEN)
cbpolicyd 32254 zimbra 6u IPv4 148729181 0t0 TCP localhost:10031 (LISTEN)
cbpolicyd 32254 zimbra 11u IPv4 14885
…
Iman,
I found the problem.
The email address from, which is reported to the policyd process, is “from=prvs=376156bdfd=eiti.gustavo@xxxxx.com.br” due to BATV(https://en.wikipedia.org/wiki/Bounce_Address_Tag_Validation).
I just did not figure out yet who is tagging it with BATV, if is the zimbra mail server or the assp (My ASSP is configured to use it).
Thank-you anyway.
Hi Elton,
Please check the log in /opt/zimbra/log/cbpolicyd.log. Is there a problem while starting PolicyD, or something else?
Hi iman,
The last problem about the no filtering match was resolved.
The problem now is similar to what iwan reported.
The mail sending process stops working and I can't send emails using webmail or a mail client.
If I restart the policyd service, it works again.
Hi Elton,
How about your resources, such as RAM, CPU and other resources?
Hi Iman, I messed up the PolicyD DB. Is there a way to reset the DB to its default state?
Also, on another MTA I tried to enable PolicyD but the DB is empty. It's a brand new MTA.
Thanks in advance
Hi Miquel.
Please repeat the installation and configuration of PolicyD. This tip usually works for me 😀
Hi, Iman!
Thank you.
I have a question.. I've installed Zimbra 8.6 and enabled PolicyD.. it seems that everything is ok.. I can access the main page via http://ipserver:port/webui/policy-main.php.. when I try to create new policy groups (quotas, ac.. etc.) they are created.. but I don't see them in the interface (web admin).. when I select from the DB through the terminal I see them.. can you help me to solve it please
Hi Xavin,
Could you please send a screenshot of the CBPolicyD display that is not shown?
thanks for the attention Iman.. could you please give the cue how to add/insert the screenshot here? Or may be i’ll send a message by e-mail? but i don’t know your e-mail address(
Hi Xavin,
Please send an email to iman@imanudin.net 🙂
recently i tried to disable/enable policyd.. now i get another problem.. i can’t access DB through the terminal.. it get message:
sqlite> .tables
Error: unable to open database “cbpolicyd.sqlitedb”: unable to open database file.
When I try to create policy groups via Policyd Web Administration.. it seems they are successfully created.. but I still don't see them on the "http://ipserver:port/webui/policy-group-main.php" page.. if I try to create the same policy group I receive the message:
“Failed to create policy group
Array ( [0] => 23000 [1] => 19 [2] => column Name is not unique ) “..
thanks in advance
the problem with:
Error: unable to open database “cbpolicyd.sqlitedb”: unable to open database file
is resolved. Before i disable/enable policyd i was using:
sqlite3 cbpolicyd.sqlitedb
and can work with DB.. now i can access DB with:
sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb.
and it works fine.
i still can’t see any changes on “http://ipserver:port/webui/policy-group-main.php” page.. when add/delete policies
Hi,
After following the above guidelines for Policyd configuration, my Zimbra Policyd WebUI interface is not opening, even though I have allowed port 7780 in the firewall. What should I do? Please help me.
Hi,
Please check whether port 7780 is already open on your server. You can check with the following command:
If you do not see port 7780, please check the Zimbra Apache services
I have this problem, the page: http://myserverI:7780/webui/index.php
opens, but none of the links work. I get this error:
Error connecting to Policyd v2 DB: invalid data source name
I have checked several times path to the DB file, and checked from sqlite3 CLI there is tables in DB but it just dont work.
Any ideas?
Hi Damir,
It seems strange to me :D. The problem indicates that your path is not correct. Please give me your configuration.
Please also check my video about configuring PolicyD 😉
Thank you, sir. Alhamdulillah, the knowledge you have shared is truly useful. My server is no longer overloaded because the incoming SPF record check has been set up. Load average 1.77, 1.51, 1.27
May Allah s.w.t. grant you lawful sustenance, good health and ease in all your affairs
From Malaysia 🙂
Alhamdulillah Brother,
Thank you for the prayer. May Allah SWT grant you lawful sustenance, good health and ease in all your affairs as well, brother.
Greetings from Indonesia
Hi, good article, it helped me but I have one question – can I setup cbpolicyd to send me an email notification when somebody achieves the quota ?
Hi Alex,
No, CBPolicyD does not have that feature at this time. But you can create a simple script to do that and send the email via CLI
Hi thank you for sharing your zimbra expertise i followed all your zimbra instructions and successfully activate policyd on my servers one thing i notice is one of my servers become slow. and users when sending email to a save email addresses it bounce and get error messages but when i retype the email forget the save email address the email is sent.
Also is policyd whitelist and blacklist is already activated or do i need to activate it first?
thank you,
Hi,
I have never used Blacklist/Whitelist in PolicyD and don't know how to enable it. Sorry 🙁
Policyd is new to me and i usually use default spam-assassin default config and just filter incoming mail on it. I also use rejecting email on smtp level. now that i configure policyd would you recommend to remove my other config and trust on policyd. because i notice the slowdown of the server when i activate policyd. can you help me on creating rules on whitelist and blacklist on policyd? or would you recommend a opensource spamserver and just disable the spam filtering on zimbra. thanks!
Hi,
I have never used Blacklist/Whitelist in PolicyD and don't know how to enable it. Sorry 🙁
You can try to use this one : http://mailborder.com/
my server is zimbra 8.6.0 multi server environment so how to enable CB policy,SFP enable,DKIM enable etc….is there step by step guide please share….it will be help for me…
Hi Rafiqul Islam,
You only need to enable it on the MTA server. All the steps are still the same as on a single server
I have enabled cbpolicy on the MTA but ..
this command is not working because Apache is on the MBX server
cd /opt/zimbra/httpd/htdocs/ && ln -s ../../cbpolicyd/share/webui
my environment is
1. LDAP Server
ldap Running
snmp Running
stats Running
zmconfigd Running
2. MBX Server
Starting zmconfigd…Done.
Starting logger…Done.
Starting mailbox…Done.
Starting snmp…Done.
Starting spell…Done.
Starting stats…Done.
Starting service webapp…Done.
Starting zimbra webapp…Done.
Starting zimbraAdmin webapp…Done.
Starting zimlet webapp…Done.
3. MTA Server
amavis Running
antispam Running
antivirus Running
cbpolicyd Running
memcached Running
mta Running
proxy Running
snmp Running
stats Running
zmconfigd Running
now i am confused how to enable cbplolicy and web admin console
Advance thanks for reply…
Hi Rafiqul Islam,
You can use Apache or something else from your Linux System. Don’t forget to adjust webui to refer into Document Root on Apache
Hi, I’ve got this problem when enable PolicyD:
“403 Forbiden
You don’t have permission to access /webui/index.php on this server.”
My server is Centos 6.4, my zimbra 8.0.5
Hi Carl,
This guidance is not the same as for enabling PolicyD in Zimbra 8.0.x. Please use this guidance
Hello I tried to install the policyd not zimbra 7
not Send and receive email OR MAY help me ?
thank you
Hi,
Please try this guidance for Zimbra 7 : https://wiki.zimbra.com/wiki/How-to_for_cbpolicyd
hi iman,
how to Whitelist specific sender account using policyd?
for example I want this sender user@example.com.
I tried to whitelist senders email but the only option I have under Greylisting is sender IP.
Appreciate your help..
Thanks
Hi Ferjun,
I have not yet tried the whitelist/blacklist feature of CBPolicyD