How To Install PolicyD on Zimbra 8.5

Posted by

What is Policyd?

Policyd is an anti spam plugin. Policyd have some module like quotas, access control, spf check, greylisting and others.

Zimbra Collaboration Suite is an email server who use Postfix as engine for MTA. By default, policyd have been bundled with Zimbra from Zimbra version 7.

Why we must use Policyd?

Policyd have module quotas. This module can use for limit sending/receipt email. As example just allow sending/receipt email 200 emails/hours/users. If your email server attacked by spam or compromised password some users and used by spammer, the maximum email can be sent as many as 200 emails per hour. This policy will safe your IP public from blacklist on RBL. Besides, you can check who user send email with many email

How To Install Policyd on Zimbra 8.5?

This guidance is step by step how to install policyd on Zimbra 8.5 and latest

# Activate Policyd

su - zimbra
zmprov ms `zmhostname` +zimbraServiceInstalled cbpolicyd +zimbraServiceEnabled cbpolicyd

# Activate Policyd WebUI

– For Zimbra 8.5/8.6

Run the following command as root

cd /opt/zimbra/httpd/htdocs/
ln -s ../../cbpolicyd/share/webui .

Edit file /opt/zimbra/cbpolicyd/share/webui/includes/config.php and putting “#” on front of all the lines beginning with $DB_DSN and adding the following line just before the line beginning with $DB_USER.

$DB_DSN="sqlite:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb";

See the following example

#$DB_DSN="mysql:host=localhost;dbname=cluebringer";
$DB_DSN="sqlite:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb";
$DB_USER="root";

Update 18 May 2017

– For Zimbra 8.7.x/8.8.x

Run the following command as root

cd /opt/zimbra/data/httpd/htdocs/
ln -s /opt/zimbra/common/share/webui/ .

Edit file /opt/zimbra/common/share/webui/includes/config.php and putting “#” on front of all the lines beginning with $DB_DSN and adding the following line just before the line beginning with $DB_USER.

$DB_DSN="sqlite:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb";

See the following example

#$DB_DSN="mysql:host=localhost;dbname=cluebringer";
$DB_DSN="sqlite:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb";
$DB_USER="root";

Restart Zimbra service  and Zimbra Apache service

su - zimbra -c "zmcontrol restart"
su - zimbra -c "zmapachectl restart"

You can now access the Policyd Webui with browser at URL http://IPZimbra:7780/webui/index.php

Good luck and hopefully useful 😀

Let’s See the Video on Youtube

283 comments

  1. Hi!

    I’m trying to use cbpolicy but I’m unable to create any accounting rule or to configure the Amavis integration (Array ( [0] => HY000 [1] => 1 [2] => no such table: amavis_rules )).

    Is it just me or this happens to you too?

    Release 8.5.0_GA_3042.RHEL6_64_20140828192109 RHEL6_64 NETWORK edition, Patch 8.5.0_P2.
    CentOS release 6.6 (Final)

    Thanks for your blog 🙂
    Sebas

  2. Hi Sebastian,

    By default, no tables of module accounting. If you want to enable it, you can try this guidance :

    cd /opt/zimbra/cbpolicyd/share/database/
    ./convert-tsql sqlite accounting.tsql > /tmp/accounting.sql
    vi /tmp/accounting.sql

    Delete all lines starting with # (comment) and saved. Inject database to sqlite, enable CBPolicyD accounting module and restart CBPolicyD

    sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb < /tmp/accounting.sql zmprov ms `zmhostname` zimbraCBPolicydAccountingEnabled TRUE zmcbpolicydctl restart If you want enabled on amavis module, you can repeat again step of above

  3. my system use Ubuntu server 12.04LTS with zimbra 8.50+latest patch. i’ve installed cbpolicyd according to this site provided.
    my problem is, sometime i have to restart cbpolicyd service because my zimbra log says : connect to 127.0.0.1:10031: Connection time out

    after restart with : zmcbpolicydctl restart , seems everything works fine, buat after that, in random time, zimbra log say : onnect to 127.0.0.1:10031: Connection time out ( again ) .

    my cbpolicyd config is :
    min_servers=8
    min_spare_servers=8
    max_spare_servers=16
    max_servers=64
    max_requests=1000

    thanks in advanced

    1. Hello,

      Maybe CBPolicyD working hard and make it timeout connect to 127.0.0.1:10031. Also maybe to much rule and request from users/clients

  4. This is a great site and obviously very helpful for zimbra server. Please help me to enable all the module in policyd. and give an example to content filtering using Access control.

  5. Thank you bro for your responce. Need one more help , Please help me to do filter email content using polilyd.

  6. Hello,

    having a multi server install, with MTA on his own, no WEBUI, I installed the stock apache.
    (centos 7)
    yum -y install php httpd
    cd /var/www/html
    ln -s /opt/zimbra/cbpolicyd/share/webui
    systemctl start httpd
    systemctl enable httpd
    and bingo !!
    (care about SELINUX)

  7. Error connecting to Policyd v2 DB: could not find driver

    After upgrading from 8.5 to 8.6 installed php-pdo but error
    PHP Warning: PHP Startup: Unable to load dynamic library ‘/usr/lib64/php/modules/pdo.so’ – /usr/lib64/php/modules/pdo.so: undefined symbol: compiler_globals in Unknown on line 0

    any idea about it

  8. Hi Vikram,

    Please check file /opt/zimbra/cbpolicyd/share/webui/includes/config.php and make sure has been using DB like below :

    $DB_DSN=”sqlite:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb”;

  9. Your step:

    zmprov mcf +zimbraMtaRestriction “check_policy_service inet:127.0.0.1:10031”

    is incorrect, and has no effect.

  10. Thank you

    For your support I had configured zimbra mail server. when I am using same url for sending or receiving mails it’s working fine. but when I’m sending mail to other domain using zimbra mail are not getting send.

    My outgoing mails are not working on other domain like gmail, rediff.com etc.

    plz help me out there for outgoing mail.

    1. Hi Vikram,

      Please tracking status of sending email via zmmsgtrace. Example command :

      /opt/zimbra/libexec/zmmsgtrace -s sender -r recipient.

      Please send to me the result of above command

  11. Hi Iman,

    Thanks for your nice guide. I have followed your guide and install CBPolicyd using your script but still my Zimbra server not greylisting in effect, can you please let me know what I can do next to enable greylisting. My server spec as below:

    OS: Ubuntu 14.04 LTS (Single server)
    Zimbra: 8.6 (p2) open source

    Thanks,
    Hamid

    1. Hi Russel,

      By default, CBPolicyD greylisting is disabled. Please try this command for enabled it

      zmprov ms mail.imanudin.net zimbraCBPolicydGreylistingEnabled TRUE
      zmprov ms mail.imanudin.net zimbraCBPolicydGreylistingTrainingEnabled TRUE

      Note : Please change mail.imanudin.net with your hostname of Zimbra

  12. I installed in my server (Centos 6.6) using those steps, and the Policyd allows me to configure it, but don’t check anything.

    With “zmcontrol status”, it says cbpolicyd is running, but through the Zimbra Admin interface it says cbpolicyd is not running.

    If I connect the policyd database, the rules I create in policyd web interface are there, but nothing apears in quotas_tracking, even with all configuration enabled.

    It appears that policyd is not receiving mail data do verify…

    Any suggestions?

      1. Yes, I am sure.

        I configured in other mailserver and it works, but not in this new one. The policyd configuration for both is the same.

        I perceived now that it’s not receiving anything at port 10031 (with tcpdump). It seems that postfix is not sending mail info to policyd…

  13. I want to thank you for your excellent Article.
    I have installed Zimbra 8.6 OSE on CentOS7. Everything is running properly except 8443 port, POP & IMAP is not accessible from WAN. Guess I need to configure properly the Zimbra Proxy. Can you please help me in this regard.

    Thanks in advance.
    Suman

    1. Hi Suman,

      Please try to run the following command

      /opt/zimbra/libexec/zmproxyconfig -e -w -m -H `zmhostname`
      zmprov -l ms `zmhostname` zimbraMailReferMode reverse-proxied zimbraMailProxyPort 80 zimbraMailSSLProxyPort 443 zimbraReverseProxyHttpEnabled TRUE zimbraReverseProxyMailMode both zimbraImapBindPort 7143 zimbraImapProxyBindPort 143 zimbraImapSSLBindPort 7993 zimbraImapSSLProxyBindPort 993 zimbraPop3BindPort 7110 zimbraPop3ProxyBindPort 110 zimbraPop3SSLBindPort 7995 zimbraPop3SSLProxyBindPort 995 zimbraReverseProxyMailEnabled TRUE
      zmcontrol restart
      
  14. Hello iman,
    I’m trying to change the performance settings in the file /opt/zimbra/conf/cbpolicyd.conf but when I restart the polycid the back standards.
    What am I doing wrong ? Thank you!

    1. Hi Leonardo,

      All configuration should be configured by CLI. Please try this command to grep all parameters for modify Policyd

      zmprov gs mail.imanudin.net | grep -i policyd
      

      After you got what you need, you can execute as the following example

      zmprov ms mail.imanudin.net zimbraCBPolicydAccessControlEnabled TRUE
      

      In the above command, i want to enable PolicyD Access Control with parameter i found from grep command

  15. hai mas imanuddin, is it posible to using policyD as content filter? for example if user send email but its containt some badwords, so zimbra automatically block or redirect email to admin?

    thanks before

    1. when i config policyd with webui

      i see Verdict: defer, hold, drop, redirect…

      I really wanna use redirect, but i don’t know which email Policyd will redirect to.

      Please help me

  16. thanks mas iman, but your article just for email external coming to our servers, or is it posible to filter email form our server to external, it means from our client to others mail server, so what the our client create email, and they want send to others external mail server can be filtered, for example our client email contents some badwords, so we must block this email or we must redirect this email to admin.. please your explain.. thanks before,.. or do you have solution for condition above… ?

    1. Hi Thanh,

      If using Multi server, please install and configure in MTA Server. Please make sure while install MTA server choose also Zimbra Apache/Apache by system for PolicyD WebUI

  17. Hi Iman,

    Thank you for your response. Other question : How to install and configure policyd if having 2 mta ?

    Many thanks,
    Thanh

  18. Hi,
    Thank-you for the article.
    I`m configured as you write but it isn`t working.
    I`m using zimbraMtaRelayHost pointing to antispam (assp), do you think it coud be a problema?
    Thank-you again

      1. I found this error
        warning: problem talking to server localhost:10031: Connection timed out

        [root@mail imapsync]# nmap -sS -P0 -p 10031 localhost

        Starting Nmap 5.51 ( http://nmap.org ) at 2015-11-15 09:41 BRST
        Nmap scan report for localhost (127.0.0.1)
        Host is up (0.000070s latency).
        Other addresses for localhost (not scanned): 127.0.0.1
        PORT STATE SERVICE
        10031/tcp open unknown

        Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

        —-

        [root@mail imapsync]# lsof -i:10031
        ..
        smtpd 23662 postfix 16u IPv4 148907508 0t0 TCP localhost:40806->localhost:10031 (ESTABLISHED)
        smtpd 27302 postfix 17u IPv4 148900337 0t0 TCP localhost:40772->localhost:10031 (ESTABLISHED)
        smtpd 27305 postfix 17u IPv4 148908836 0t0 TCP localhost:40834->localhost:10031 (ESTABLISHED)
        cbpolicyd 32252 zimbra 5u IPv6 148729179 0t0 TCP localhost:10031 (LISTEN)
        cbpolicyd 32252 zimbra 6u IPv4 148729181 0t0 TCP localhost:10031 (LISTEN)
        cbpolicyd 32254 zimbra 0u IPv4 148856046 0t0 TCP localhost:10031->localhost:40279 (ESTABLISHED)
        cbpolicyd 32254 zimbra 1u IPv4 148856046 0t0 TCP localhost:10031->localhost:40279 (ESTABLISHED)
        cbpolicyd 32254 zimbra 5u IPv6 148729179 0t0 TCP localhost:10031 (LISTEN)
        cbpolicyd 32254 zimbra 6u IPv4 148729181 0t0 TCP localhost:10031 (LISTEN)
        cbpolicyd 32254 zimbra 11u IPv4 14885

          1. Hi iman,
            The last problem about the no filtering match was resolved.
            The problem now is similar to what iwan reported.
            The mail sending process stops to work and I can`t send emails using webmail or mail client.
            If I restart the policyd service, it backs to work.

  19. Hi Iman, I messed up with the PolicyD DB ¿Exist a way to reset to default state the DB?

    Also in another MTA I Tried to enable policyD but the DB are empty. It’s a brand new MTA.

    Thanks in advance

  20. Hi, Iman!
    Thank you.
    I have a question.. i’ve installed zimbra 8.6 and enable PolicyD.. it seems that everything is ok.. i can access a main page via http://ipserver:port/webui/policy-main.php.. when i’m trying to create new policy goups (quotas,ac.. etc) it creates.. but i don’t see them by the interface (web admin).. when i select from the bd through the terminal i see them.. can help me to solve it please

      1. thanks for the attention Iman.. could you please give the cue how to add/insert the screenshot here? Or may be i’ll send a message by e-mail? but i don’t know your e-mail address(

      2. recently i tried to disable/enable policyd.. now i get another problem.. i can’t access DB through the terminal.. it get message:
        sqlite> .tables
        Error: unable to open database “cbpolicyd.sqlitedb”: unable to open database file.
        When i try to create policy goups via Policyd Web Administration.. it seems it’s succesfully created.. but still i don’t see them on “http://ipserver:port/webui/policy-group-main.php” page.. if i try to create the same policy group i recieve message:
        “Failed to create policy group
        Array ( [0] => 23000 [1] => 19 [2] => column Name is not unique ) “..
        thanks in advance

        1. the problem with:
          Error: unable to open database “cbpolicyd.sqlitedb”: unable to open database file
          is resolved. Before i disable/enable policyd i was using:
          sqlite3 cbpolicyd.sqlitedb
          and can work with DB.. now i can access DB with:
          sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb.
          and it works fine.
          i still can’t see any changes on “http://ipserver:port/webui/policy-group-main.php” page.. when add/delete policies

  21. Hi,

    After following above guidelince for policyd configuration , My zimbra policyd webui interface not opening. even i have allow port 7780 in firewall. what should i do ? please help me.

    1. Hi,

      Please try to check whether port 7780 already open in your server? you can check by the following command :

      netstat -atupn | grep -i 7780
      

      If you not see port 7780, please try to check Zimbra Apache services

      su - zimbra -c "zmapachectl status"
      
  22. I have this problem, the page: http://myserverI:7780/webui/index.php

    opens, but none of the links work. I get this error:
    Error connecting to Policyd v2 DB: invalid data source name

    I have checked several times path to the DB file, and checked from sqlite3 CLI there is tables in DB but it just dont work.

    Any ideas?

    1. Hi Damir,

      It seems strange to me :D. The problem indication that your path is not correct. Please give me configuration about your conf.

      Please check also my Video about configure PolicyD 😉

  23. Terima kasih tuan. Alhamdulillah, ilmu yang tuan beri ini sungguh bermanfaat. Server saya tidak lagi overload sebab incoming SPF record sudah di setting. Load average 1.77, 1.51, 1.27

    Semoga Allah s.w.t memberi rezeki yang halal, di sihatkan tubuh badan dan di mudahkan segala urusan

    Dari Malaysia 🙂

    1. Alhamdulillah Brother,

      Terima kasih atas doanya. Semoga Allah SWT memberi rezeki yang halal, di sihatkan tubuh badan dan di mudahkan segala urusan brother juga.

      Salam dari Indonesia

  24. Hi, good article, it helped me but I have one question – can I setup cbpolicyd to send me an email notification when somebody achieves the quota ?

    1. Hi Alex,

      No, CBPolicyD not have that feature for this time. But you can create simple script to do that and sending email via CLI

  25. Hi thank you for sharing your zimbra expertise i followed all your zimbra instructions and successfully activate policyd on my servers one thing i notice is one of my servers become slow. and users when sending email to a save email addresses it bounce and get error messages but when i retype the email forget the save email address the email is sent.
    Also is policyd whitelist and blacklist is already activated or do i need to activate it first?

    thank you,

  26. Policyd is new to me and i usually use default spam-assassin default config and just filter incoming mail on it. I also use rejecting email on smtp level. now that i configure policyd would you recommend to remove my other config and trust on policyd. because i notice the slowdown of the server when i activate policyd. can you help me on creating rules on whitelist and blacklist on policyd? or would you recommend a opensource spamserver and just disable the spam filtering on zimbra. thanks!

  27. my server is zimbra 8.6.0 multi server environment so how to enable CB policy,SFP enable,DKIM enable etc….is there step by step guide please share….it will be help for me…

      1. I am enable cbpolicy in MTA but ..
        this command not working due to apache is MBX server

        cd /opt/zimbra/httpd/htdocs/ && ln -s ../../cbpolicyd/share/webui

        my environment is
        1. LDAP Server

        ldap Running
        snmp Running
        stats Running
        zmconfigd Running)
        2. MBX Server

        Starting zmconfigd…Done.
        Starting logger…Done.
        Starting mailbox…Done.
        Starting snmp…Done.
        Starting spell…Done.
        Starting stats…Done.
        Starting service webapp…Done.
        Starting zimbra webapp…Done.
        Starting zimbraAdmin webapp…Done.
        Starting zimlet webapp…Done.

        3. MTA Server

        amavis Running
        antispam Running
        antivirus Running
        cbpolicyd Running
        memcached Running
        mta Running
        proxy Running
        snmp Running
        stats Running
        zmconfigd Running
        now i am confused how to enable cbplolicy and web admin console
        Advance thanks for reply…

        1. Hi Rafiqul Islam,

          You can use Apache or something else from your Linux System. Don’t forget to adjust webui to refer into Document Root on Apache

  28. Hi, I’ve got this problem when enable PolicyD:

    “403 Forbiden
    You don’t have permission to access /webui/index.php on this server.”

    My server is Centos 6.4, my zimbra 8.0.5

    1. Hi Carl,

      This guidance not same as enable PolicyD in Zimbra 8.0.x. Please use this guidance

      su - zimbra
      zmprov ms `zmhostname` +zimbraServiceInstalled cbpolicyd +zimbraServiceEnabled cbpolicyd
      zmlocalconfig -e postfix_enable_smtpd_policyd=yes
      zmprov mcf +zimbraMtaRestriction "check_policy_service inet:127.0.0.1:10031"
      zmlocalconfig -e cbpolicyd_log_level=4; zmlocalconfig -e cbpolicyd_log_detail=modules,tracking,policies; zmlocalconfig -e cbpolicyd_module_accesscontrol=1 cbpolicyd_module_checkhelo=1 cbpolicyd_module_checkspf=1 cbpolicyd_module_greylisting=1 cbpolicyd_module_quotas=1
      zmcontrol restart
      
  29. Hello I tried to install the policyd not zimbra 7
    not Send and receive email OR MAY help me ?

    thank you

  30. hi iman,

    how to Whitelist specific sender account using policyd?
    for example I want this sender user@example.com.

    I tried to whitelist senders email but the only option I have under Greylisting is sender IP.

    Appreciate your help..

    Thanks

Leave a Reply to Rocky Cayanong Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.