Zimbra Tips : How To Configure Rate Limit Sending Message on PolicyD

Posted by

Yesterday, i have been wrote article about how to install/enable Policyd on Zimbra 8.5. The following article can read at this link https://imanudin.net/2014/09/08/how-to-install-policyd-on-zimbra-8-5/. Now., i am will describe how to configure rate limit sending message with Policyd.

Why we must configuring rate limit sending message?

If there user have compromised password, spammer will sending email to outside with random email address receipt  and very much email have been sent. Usually, public IP address will have blacklisted on any RBL and cannot sending email to outside. To prevent it, we can use Policyd and configure rate limit sending message with quotas modules on Policyd. Quotas modules can prevent user@domain or other configuration can sending some email per minutes or per hours. For example, per users can sending maximum 200 emails per hours

How to configure it?

This is step by step how to configure it. Assuming you have been install/enable Policyd. If not, you can following this guidance https://imanudin.net/2014/09/08/how-to-install-policyd-on-zimbra-8-5/

Access Policyd WebUI via browser http://zimbraserver:7780/webui/index.php. Ensure your Zimbra service apache have been running

Select Policies | Groups. Select action and add groups. given name list_domain. On comment, you can empty or filled with comment. Select a group that has been made. On action, select members and fill with your domain. See the following example. make sure disabled status is no at groups or members groups

policyd-groups

Select Policies | Main. Create new policy and give name rate limit sending message. See the following example

policyd-new-poliyc

Select new policy has been made. On action, select members and fill with the group that has previously been made. Ensure disabled is no. See the following example

member-policy

policyd-policy-2

Select Quotas | Configure. Select action | add. fill with the following example

Name : Rate Limit
Track : sender:user@domain
Period : 3600
Link to policy : Rate Limit Sending Message
Verdict : Defer (delay)
Data : information who give to users if policy have been meet or you can empty. Example : Sorry, your quotas to sending email has been full. please try again later

policyd-new-quotas

If all selection has been configured, click Submit Query. Select new quotas that has previously been made | select action | Limits. Add limit and configure. See the following example

policyd-quotas-limit

Ensure disabled status is no

policyd-quotas-information

Above configuration will limit sending message from domain local to outside and outside to any domain with maximum message 200 email/user/hour. Please try to sending message to other domain and see the log information on /opt/zimbra/log/cbpolicyd.log

[2014/09/08-21:32:39 - 4871] [CORE] INFO: module=Quotas, mode=create, host=127.0.0.1, helo=mail, from=admin@imanudin.net, to=ahmadiman@gmail.com, reason=quota_create, policy=6, quota=3, limit=4, track=Sender:admin@imanudin.net, counter=MessageCount, quota=1.00/200 (0.5%)
[2014/09/08-21:32:39 - 4871] [CBPOLICYD] INFO: Got request #2 (pipelined)
[2014/09/08-21:32:39 - 4871] [CORE] INFO: module=Quotas, mode=update, host=127.0.0.1, helo=mail, from=admin@imanudin.net, to=ahmadiman@gmail.com, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:admin@imanudin.net, counter=MessageCount, quota=2.00/200 (1.0%)

Good luck and hopefully useful 😀

Let’s See the Video on Youtube

188 comments

  1. Recipient address rejected: Sorry, your quotas for sending email has been full. please contact IT immediately; from= to= proto=ESMTP helo=

    How can i exclude the spam maibox from the rate limits?

  2. just wanted to confirm I did it correctly. because I am still seeing the alert:

    Sorry, your quotas for sending email has been full. please contact IT immediately; from= to=

    I made my policy member like this:

    source destination Disabled
    any !spam.zkz8xgy52w@itltc.net no

  3. Hi Imanudin,

    Thank you for an article, it works wonders.

    Please suggest how to make a user an exception in policy, e.g. user1@mydomain.com & user2@mydomain.com should be allowed to send unlimited mails within hour. Whereas on rest users (in domain) rate limit should be applied.

    In same policy, I tried by adding following in Policy Members
    Source Destination Disabled
    !user1@mydomain.com any no
    !user2@mydomain.com any no

    No Luck, still policy is getting applied on both. Please help with details steps to add exclusion.
    Regards
    Vivek

  4. Hi,

    I have a few domains and just need to prevent my server sending spam messages to outbound. I need to configure policyd such that, there should be a general quota for all the users of all my domains in terms of number of messages sent per day, and exceptions for only a few user accounts.

    I have installed cbpolicyd v2 and deleted all the configuration like “internal_ips”, “internal_domains”, “Default Outbound” etc. Instead, I created the following for one of my domains as a test;

    PoliciesMain:
    username@mydomain.com (Priority:10, member: source:username@mydomain.com, destination:ANY)
    @mydomain.com (Priority:20, member: source:@mydomain.com, destination:ANY)

    PoliciesGroup:
    username@mydomain.com (member: username@mydomain.com)
    @mydomain.com (member: @mydomain.com)

    Quotas:
    username@mydomain.com (LinkToPolicy: username@mydomain.com, Track:Sender:user@domain, Period:3600, Verdict:Reject, StopProcessingHere:Yes)
    – limit: MessageCount:100
    @mydomain.com (LinkToPolicy: @mydomain.com, Track:Sender:user@domain, Period:86400, Verdict:Reject, StopProcessingHere:Yes)
    – limit: MessageCount:4

    Policyd permits messages from the domain until its limit (4), and then rejects the rest, even the ones coming from the username@mydomain.com. I can see from the log that these messages are matched with the domains policy and not the users policy.

    Am I missing something ?

  5. Salam
    I followed your tutorial and it works perfectly
    But this configuration works for sending and receiving emails
    I am looking for configured only sending emails
    Can you please help us
    Thank you in advance and good luck

  6. Hi,
    I followed the procedure exactly as you described, but it is not working, I get the message saying
    ” No group members for source group ‘lisf_domain” and its end bay “Killing “1” children”
    I am sure that I added 3 domain members
    See the log below after doing:
    tail //opt/zimbra/log/cbpolicyd.log, I gedt the following

    ” INFO: Starting “1” children
    [2019/03/30-15:00:06 – 5434] [CORE] INFO: 2019/03/30-15:00:06 CONNECT TCP Peer: “[127.0.0.1]:57500” Local: “[127.0.0.1]:10031”
    [2019/03/30-15:00:06 – 5434] [POLICIES] WARNING: [ID:7/Name:rate limit sending message]: No group members for source group ‘lisf_domain’
    [2019/03/30-15:00:06 – 5434] [CBPOLICYD] INFO: Got request #1
    [2019/03/30-15:00:06 – 5434] [CORE] INFO: module=Quotas, mode=update, host=10.1.31.150, helo=localhost.localdomain, from=admin@zimbra-dev01.avancie.com, to=admin@zimbra-dev01.avancie.com, reason=quota_update, policy=6, quota=4, limit=5, track=Sender:admin@zimbra-dev01.avancie.com, counter=MessageCount, quota=1.00/3 (33.3%)
    [2019/03/30-15:00:06 – 5434] [POLICIES] WARNING: [ID:7/Name:rate limit sending message]: No group members for source group ‘lisf_domain’
    [2019/03/30-15:00:06 – 5434] [CBPOLICYD] INFO: Got request #2 (pipelined)
    [2019/03/30-15:00:06 – 5434] [CORE] INFO: module=Quotas, mode=update, host=10.1.31.150, helo=localhost.localdomain, from=admin@zimbra-dev01.toto.com, to=admin@zimbra-dev01.avancie.com, reason=quota_update, policy=6, quota=4, limit=5, track=Sender:admin@zimbra-dev01.avancie.com, counter=MessageCount, quota=2.00/3 (66.7%)
    [2019/03/30-15:00:06 – 5434] [CBPOLICYD] INFO: Got request #3 (pipelined)
    [2019/03/30-15:01:46 – 31885] [CORE] INFO: Killing “1” children”

    1. Hello,
      Please paste the results from the following command

      sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb
      select * from quotas_limits;
      select * from policy_groups;
      select * from policy_members;
      

      Or you can try to change in the policy members to any

      Source : any
      Destination : any
      
  7. Hi, good tutorial, but I dont understand quota, I want to config 1 domain send 200 mails, 50 mails per user to send each day, how do I config ? thanks

  8. hi om, setelah mengikuti tutorialnya , saya cb kirim imel internmal maupun external dapat error ini :
    salah nya dimana ya? mohon pencerahan, terima kasih :

    Message not sent; one or more addresses were not accepted.
    Rejected addresses: admin
    method: [unknown]
    msg: Invalid address: admin . com.zimbra.cs.mailbox.MailSender$SafeSendFailedException: MESSAGE_NOT_DELIVERED; chained exception is: com.zimbra.cs.mailclient.smtp.InvalidRecipientException: RCPT failed: Invalid recipient admin@itsm-gmf.asyst.co.id: 451 4.3.5 Server configuration problem
    code: mail.SEND_ABORTED_ADDRESS_FAILURE
    detail: soap:Sender
    trace: qtp509886383-6859:https://172.25.207.117:8443/service/soap/SendMsgRequest:1556248696309:a054201c4d5eaa2d
    request:
    Body: {
    SendMsgRequest: {
    _jsns: “urn:zimbraMail”,
    m: {
    did: “521”,
    e: [
    // [0]:
    {
    a: “admin@itsm-gmf.asyst.co.id”,
    p: “admin”,
    t: “t”
    },
    // [1]:
    {
    a: “ridwan@itsm-gmf.asyst.co.id”,
    t: “f”
    }
    ],
    id: “521”,
    idnt: “d0c96fc4-304d-4280-933a-d677d160a82d”,
    mp: [
    // [0]:
    {
    ct: “multipart/alternative”,
    mp: [
    // [0]:
    {
    content: {
    _content: “1011

    },
    ct: “text/plain”
    },
    // [1]:
    {
    content: {
    _content: “<html><body>1011</body></html>”
    },
    ct: “text/html”
    }
    ]
    }
    ],
    su: {
    _content: “1011”
    }
    },
    suid: 1556248617831
    }
    },
    Header: {
    context: {
    _jsns: “urn:zimbra”,
    account: {
    _content: “ridwan@itsm-gmf.asyst.co.id”,
    by: “name”
    },
    authToken: “(removed)”,
    csrfToken: “0_fb8dcc0fc3deefe7ca129c7fafbc0d0afcf210bf”,
    notify: {
    seq: 8
    },
    session: {
    _content: 1197,
    id: 1197
    },
    userAgent: {
    name: “ZimbraWebClient – GC73 (Win)”,
    version: “8.6.0_GA_1153”
    }
    }
    }
    Hide Details
    OK

      1. thanks mas for quick response 🙂

        klo saya cek semua service UP kecuali service cbpolicyd nya, sudah saya cb start tp masih failed 🙁

        tp klo saya cb akses kesini : http://zimbraserver:7780/webui/index.php. sudah bisa,
        jd skrg saya rollback dl ke config sebelumnya, krena ga bisa sama sekali kirim email 🙁

      1. iya betul data nya 1.5GB
        berhasil setelah di stop dulu cbpolicyd nya
        zmcbpolicydctl stop
        /usr/bin/sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb ‘vacuum;’
        zmcbpolicydctl start

        hasilnya jadi 10MB saja

  9. Salam
    I followed your tutorial and it works perfectly
    But this configuration works for sending and receiving emails
    I am looking for configured only sending emails…can you please let me now in detail how can i achieve this
    Can you please help us
    Thank you in advance and good luck

  10. hi

    i hope you are fine. policy is working fine . i have step sending rate limit is 5. so when i created a new message and put 5 email account in “TO ” its shows me error that you cann’t send email .its seems its count one send email as 2 . can you let me know. how can i resolve this issue .

    ERROR LOG:

    [2020/01/03-10:10:16 – 30788] [POLICIES] WARNING: [ID:2/Name:Default Outbound]: Error while processing source item ‘%internal_ips’, skipping…
    [2020/01/03-10:10:16 – 30788] [CBPOLICYD] INFO: Got request #1
    [2020/01/03-10:10:16 – 30788] [CORE] INFO: module=Quotas, mode=update, host=202.63.219.55, helo=flynaz.cubexs.net.pk, from=fayaz@flynaz.cubexs.net.pk, to=fayazlinux@gmail.com, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:fayaz@flynaz.cubexs.net.pk, counter=MessageCount, quota=1.00/5 (20.0%)
    [2020/01/03-10:10:16 – 30788] [CBPOLICYD] INFO: Got request #2 (pipelined)
    [2020/01/03-10:10:16 – 30788] [CORE] INFO: module=Quotas, mode=update, host=202.63.219.55, helo=flynaz.cubexs.net.pk, from=fayaz@flynaz.cubexs.net.pk, to=fayazlinux@gmail.com, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:fayaz@flynaz.cubexs.net.pk, counter=MessageCount, quota=2.00/5 (40.0%)
    [2020/01/03-10:10:17 – 30788] [CBPOLICYD] INFO: Got request #3 (pipelined)
    [2020/01/03-10:10:17 – 30788] [CORE] INFO: module=Quotas, mode=update, host=202.63.219.55, helo=flynaz.cubexs.net.pk, from=fayaz@flynaz.cubexs.net.pk, to=fayaz.khan@cubexsweatherly.com, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:fayaz@flynaz.cubexs.net.pk, counter=MessageCount, quota=3.00/5 (60.0%)
    [2020/01/03-10:10:17 – 30788] [CBPOLICYD] INFO: Got request #4 (pipelined)
    [2020/01/03-10:10:17 – 30788] [CORE] INFO: module=Quotas, mode=update, host=202.63.219.55, helo=flynaz.cubexs.net.pk, from=fayaz@flynaz.cubexs.net.pk, to=fayaz.khan@cubexsweatherly.com, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:fayaz@flynaz.cubexs.net.pk, counter=MessageCount, quota=4.00/5 (80.0%)
    [2020/01/03-10:10:17 – 30788] [CBPOLICYD] INFO: Got request #5 (pipelined)
    [2020/01/03-10:10:17 – 30788] [CORE] INFO: module=Quotas, mode=update, host=202.63.219.55, helo=flynaz.cubexs.net.pk, from=fayaz@flynaz.cubexs.net.pk, to=syed.wajihali@cubexsweatherly.com, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:fayaz@flynaz.cubexs.net.pk, counter=MessageCount, quota=5.00/5 (100.0%)
    [2020/01/03-10:10:17 – 30788] [CBPOLICYD] INFO: Got request #6 (pipelined)
    [2020/01/03-10:10:17 – 30788] [CORE] INFO: module=Quotas, mode=update, host=202.63.219.55, helo=flynaz.cubexs.net.pk, from=fayaz@flynaz.cubexs.net.pk, to=syed.wajihali@cubexsweatherly.com, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:fayaz@flynaz.cubexs.net.pk, counter=MessageCount, quota=6.00/5 (120.0%)
    [2020/01/03-10:10:17 – 30788] [CBPOLICYD] INFO: Got request #7 (pipelined)
    [2020/01/03-10:10:17 – 30788] [CORE] INFO: module=Quotas, action=defer, host=202.63.219.55, helo=flynaz.cubexs.net.pk, from=fayaz@flynaz.cubexs.net.pk, to=tariq.shabbir@cubexsweatherly.com, reason=quota_match, policy=6, quota=3, limit=4, track=Sender:fayaz@flynaz.cubexs.net.pk, counter=MessageCount, quota=7.00/5 (140.0%)

  11. Hi,
    Great tutorial and works perfectly, any suggestion on how to send an email to the administrator about the exceed limit?
    Thanks
    Luigi

  12. Hi,

    have you experienced that hitting a rate limit is causing the server to randomly not accepting connections? After rate limiting hit one of our domains, nobody was able to connect to server till I switched the service off… Maybe I’ve misconfigured something? Any ideas?

    Cheers,
    Janos

  13. Hi, great tutorial, thanks. I have a problem with this rate limit subject. I want to rate limit sending messages except for internal domains. Also, these rules limit incoming emails, I just want to limit outgoing emails except internal domains.

  14. Hi,

    I have enabled policyd recently and put below limits for incoming.
    Rate limit any @domain from receiving more than 125 emails in a 60 second period. Messages beyond this rate are rejected.

    So this limit is applicable for one user and over all server. ??

    Means if it is for overall server then server can receive only 125 emails in one minutes.
    Or if it is for one user then one user can receive 100 emails in one minutes .

    Please help me in this confusion.

    1. Hi Gautam Kumar,
      It depends on your configuration. If you define @domain, it refers to all user on that domain. If you define user@domain, it refers to a single user on a domain

  15. Hello Iman
    Assalamu-alaikum

    Please tell me how can I send mail as bulk 500 mail at a time from zimbra server…?

      1. Dear Iman
        Thanks for your quick reply. Don’t my IP felt into black list, if I send 500 mail at a time …? To avoid black list how can I solve this ?

    1. Hi,
      Yes. By default like that. You should have a second MTA to get deferred. So, the topology will be like this

      mta1 -> mta2 (with policyd)

  16. Assalamualaikum,
    Mas Iman, saya tidak bisa menambahkan Record. setelah submit query, halaman seperti refresh saja. tidak ada yang tersimpan
    mohon arahannya

  17. Hello!

    hello,

    thank you for your tutorial. I have a zimbra collaboration version 8.8.15 mail server that gets phishing attacks all the time. I did some research to find out how to limit the sending of emails. I discovered that there is a component that exists policyd. Then I continued research to find how to configure it. The best tutorial I’ve found is yours.
    I applied your tutorial on the limitation of sending emails to the letter, but it doesn’t work for me. Here is the output of the tail -f /opt/zimbra/log/cbpolicyd.log command:

    zimbra@srvlabzimbra:~/data/cbpolicyd/db$ tail -f /opt/zimbra/log/cbpolicyd.log
    [2022/06/09-13:56:59 – 128093] [CBPOLICYD] DEBUG: Running module: Greylisting Plugin
    [2022/06/09-13:56:59 – 128093] [CBPOLICYD] DEBUG: Module ‘Greylisting Plugin’ returned CBP_SKIP
    [2022/06/09-13:56:59 – 128093] [CBPOLICYD] DEBUG: Running module: Quotas Plugin
    [2022/06/09-13:56:59 – 128093] [CBPOLICYD] DEBUG: Module ‘Quotas Plugin’ returned CBP_CONTINUE
    [2022/06/09-13:56:59 – 128093] [CBPOLICYD] DEBUG: Running module: Accounting Plugin
    [2022/06/09-13:56:59 – 128093] [CBPOLICYD] DEBUG: Module ‘Accounting Plugin’ returned CBP_SKIP
    [2022/06/09-13:56:59 – 128093] [CBPOLICYD] DEBUG: Done with modules
    [2022/06/09-13:58:40 – 128093] [CBPOLICYD] DEBUG: Client closed connection => Peer: 127.0.0.1:48670, Local: 127.0.0.1:10031
    [2022/06/09-13:58:40 – 128038] [CORE] INFO: Killing “1” children
    [2022/06/09-13:58:40 – 128094] [CBPOLICYD] DEBUG: Shutting down caching engine (128094)
    ———————————————————————————————————
    [2022/06/09-14:00:16 – 128096] [CORE] INFO: 2022/06/09-14:00:16 CONNECT TCP Peer: “[127.0.0.1]:49016” Local: “[127.0.0.1]:10031”
    [2022/06/09-14:00:16 – 128038] [CORE] INFO: Starting “1” children
    [2022/06/09-14:00:16 – 128096] [POLICIES] WARNING: [ID:4/Name:Default Internal]=>(group:internal_ips): – Resolved source ” to a IP/CIDR specification, but its INVALID: awitpt::netip::new(96): Failed to guess IP address version
    [2022/06/09-14:00:16 – 128096] [POLICIES] WARNING: [ID:4/Name:Default Internal]: Error while processing source item ‘%internal_ips’, skipping…

  18. Hi Iman,
    Thanks for the Good document, it really is helpful.
    I have a small issue here, the mail sending quota is working perfectly. The below message does not come on Web Interface of zimbra after the quota is completed.

    Sorry, your quota to send email has been full. please try again later after 1 hour (This is not working, I am only getting access denied, this will confuse the users, how to resolve this issue, please let me know.

    Thanks
    HR

    1. Hello,
      Its normal if you are using single server. When you reached the quota, the verdict become reject (even though you choose delay/defer). I usually use second MTA and apply policyd on that
      My Zimbra -> My Second MTA (Zimbra+policyd)

  19. Hello, Can you please tell me how can I exclude a user from a Policy, beacuse I tried with !user@domain and I still receive logs for quotas

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.