Zimbra Tips : How To Configure Rate Limit Sending Message on PolicyD


Yesterday, I wrote an article about how to install/enable Policyd on Zimbra 8.5. You can read it at http://imanudin.net/2014/09/08/how-to-install-policyd-on-zimbra-8-5/. Now I will describe how to configure a rate limit for sending messages with Policyd.

Why must we configure a rate limit for sending messages?

If a user's password is compromised, a spammer can use the account to send very large amounts of email to random outside recipient addresses. Usually the public IP address then gets blacklisted on RBLs and can no longer send email to outside domains. To prevent this, we can use Policyd and configure a rate limit for sending messages with its Quotas module. The Quotas module can restrict how many emails a user@domain (or another tracking key) may send per minute or per hour. For example, each user can send a maximum of 200 emails per hour.

How to configure it?

These are the steps to configure it, assuming you have already installed/enabled Policyd. If not, you can follow this guide: http://imanudin.net/2014/09/08/how-to-install-policyd-on-zimbra-8-5/

Access the Policyd WebUI in a browser at http://zimbraserver:7780/webui/index.php. Ensure the Zimbra apache service is running.

Select Policies | Groups. Select the action to add a group and name it list_domain. The comment can be left empty or filled in. Select the group that has just been created. On action, select Members and fill in your domain. See the following example. Make sure the disabled status is no on both the group and its members.

[Image: policyd-groups]

Select Policies | Main. Create a new policy and name it Rate Limit Sending Message. See the following example.

[Image: policyd-new-poliyc]

Select the new policy that has just been created. On action, select Members and fill in the group that was created previously. Ensure disabled is no. See the following example.

[Image: member-policy]

[Image: policyd-policy-2]

Select Quotas | Configure. Select action | Add and fill in the fields as in the following example:

Name : Rate Limit
Track : sender:user@domain
Period : 3600
Link to policy : Rate Limit Sending Message
Verdict : Defer (delay)
Data : the message given to users when the policy is matched; you can leave it empty. Example : Sorry, your quota for sending email is full. Please try again later

[Image: policyd-new-quotas]

When everything has been configured, click Submit Query. Select the new quota that was just created | select action | Limits. Add a limit and configure it. See the following example.

[Image: policyd-quotas-limit]

Ensure the disabled status is no.

[Image: policyd-quotas-information]

The configuration above limits messages sent from the local domain to outside domains, and from outside to any domain, to a maximum of 200 emails per user per hour. Try sending a message to another domain and check the log information in /opt/zimbra/log/cbpolicyd.log

[2014/09/08-21:32:39 - 4871] [CORE] INFO: module=Quotas, mode=create, host=127.0.0.1, helo=mail, from=admin@imanudin.net, to=ahmadiman@gmail.com, reason=quota_create, policy=6, quota=3, limit=4, track=Sender:admin@imanudin.net, counter=MessageCount, quota=1.00/200 (0.5%)
[2014/09/08-21:32:39 - 4871] [CBPOLICYD] INFO: Got request #2 (pipelined)
[2014/09/08-21:32:39 - 4871] [CORE] INFO: module=Quotas, mode=update, host=127.0.0.1, helo=mail, from=admin@imanudin.net, to=ahmadiman@gmail.com, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:admin@imanudin.net, counter=MessageCount, quota=2.00/200 (1.0%)
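
Added example (not part of the original article and not PolicyD code): a small Python parser for the Quotas lines shown above that reports which tracked senders are close to their limit, an early sign that an account may be compromised. The sample lines, the example.com addresses and the 80% threshold are constructed for illustration.

```python
import re

# Constructed sample in the cbpolicyd.log format shown above.
# All addresses and counter values are made up for the example.
SAMPLE_LOG = """\
[2014/09/08-21:32:39 - 4871] [CORE] INFO: module=Quotas, mode=create, host=127.0.0.1, helo=mail, from=admin@example.com, to=a@example.net, reason=quota_create, policy=6, quota=3, limit=4, track=Sender:admin@example.com, counter=MessageCount, quota=1.00/200 (0.5%)
[2014/09/08-21:32:39 - 4871] [CBPOLICYD] INFO: Got request #2 (pipelined)
[2014/09/08-21:32:39 - 4871] [CORE] INFO: module=Quotas, mode=update, host=127.0.0.1, helo=mail, from=admin@example.com, to=a@example.net, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:admin@example.com, counter=MessageCount, quota=2.00/200 (1.0%)
[2014/09/08-21:40:01 - 4872] [CORE] INFO: module=Quotas, mode=update, host=127.0.0.1, helo=mail, from=bulk@example.com, to=x1@example.net, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:bulk@example.com, counter=MessageCount, quota=171.00/200 (85.5%)
[2014/09/08-21:40:02 - 4872] [CORE] INFO: module=Quotas, mode=update, host=127.0.0.1, helo=mail, from=bulk@example.com, to=x2@example.net, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:bulk@example.com, counter=MessageCount, quota=172.00/200 (86.0%)
"""

# "quota=" appears twice per line: first the quota id ("quota=3"), then the
# usage ("quota=2.00/200"). Only the usage field contains a "/".
# \S+ after the timestamp accepts "-" as well as a typographic dash.
QUOTA_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d-\d\d:\d\d:\d\d) \S+ \d+\] \[CORE\] INFO: "
    r"module=Quotas, mode=(?P<mode>\w+), .*?"
    r"track=(?P<track>[^,]+), counter=(?P<counter>\w+), "
    r"quota=(?P<used>\d+(?:\.\d+)?)/(?P<limit>\d+(?:\.\d+)?)"
)


def parse_quota_line(line):
    """Return a dict for a Quotas usage line, or None for any other line."""
    m = QUOTA_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["used"] = float(rec["used"])
    rec["limit"] = float(rec["limit"])
    return rec


def latest_usage(lines):
    """Most recent record per (track, counter); the log is chronological."""
    latest = {}
    for line in lines:
        rec = parse_quota_line(line)
        if rec:
            latest[(rec["track"], rec["counter"])] = rec
    return latest


def near_limit(lines, ratio=0.8):
    """Tracked keys whose latest counter is >= ratio * limit, highest first."""
    hits = [
        (rec["track"], rec["used"], rec["limit"], rec["ts"])
        for rec in latest_usage(lines).values()
        if rec["limit"] > 0 and rec["used"] / rec["limit"] >= ratio
    ]
    return sorted(hits, key=lambda h: h[1] / h[2], reverse=True)


if __name__ == "__main__":
    for track, used, limit, ts in near_limit(SAMPLE_LOG.splitlines()):
        print(f"{ts} {track} at {used:.0f}/{limit:.0f}")
```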

Good luck, and I hope this is useful 😀


85 thoughts on - Zimbra Tips : How To Configure Rate Limit Sending Message on PolicyD

  • Hi!
    Your install script worked great! – Thank you!

    In testing .. (from a customer point of view) I received a pop-up.
    The Policy IS working .. but the message displayed thru the web browser is . . for the non technical confusing at best, and would make them think that email was broken.

    Is there any way to get a nice clean error message pop-up ?
    You can see my custom message below in the details (buried and difficult to interpret for an end user)

    ————————
    Zimbra
    Message not sent; one or more addresses were not accepted.
    Rejected addresses: myaddress@gmail.com

    —————————
    The details are as below:
    Details:

    method: [unknown]
    msg: Invalid address: myaddress@gmail.com. com.zimbra.cs.mailbox.MailSender$SafeSendFailedException: MESSAGE_NOT_DELIVERED; chained exception is: com.zimbra.cs.mailclient.smtp.InvalidRecipientException: RCPT failed: Invalid recipient myaddress@gmail.com: 554 5.7.1 : Sender address rejected: We regret to inform you that you have exceeded the Maximum number of Outbound eMails sent from your account in the past (1) hour. This could mean that your eMail account has been compromised. Please contact our Support Team As-Soon-As- Possible to assist you.
    code: mail.SEND_ABORTED_ADDRESS_FAILURE
    detail: soap:Sender
    trace: qtp509886383-1200:https://10.33.0.10:8443/service/soap/SendMsgRequest:1418768691079:60ca411d62d88290

    • Hi Gregory,

      I do not know how to change the error message. But the user can read the error message in this section that you created:

      Sender address rejected: We regret to inform you that you have exceeded the Maximum number of Outbound eMails sent from your account in the past (1) hour. This could mean that your eMail account has been compromised. Please contact our Support Team As-Soon-As- Possible to assist you.

      • For the record, I was able to implement my needs by creating a quota restriction on message count for a group of users for a small period of time (say 30 sec for example).
        Thus, when a user sends a message to more than X recipients he will get his message rejected.

  • Hi,

    Successfully implemented Policyd on Zimbra 8.5 based on your tutorial. I have some doubts.

    1- Quota is counting 1 e-mail message as 2 (one for reason=create and another one is for reason=update), so if i set 200 as quota limit i can send only 100 e-mails based on this scenario. How to make policyd count 1 mail message (to one recipient) as 1 quota count?

    2- I have 6 domains configured in zimbra (eg. a.com, b.com, c.com). Some of the domains are 90% communicating with external customers (so that domain users need to send more external mails) I have 1 policy for all users which is having quota limit of 50 external mails per day (Policy Member are Source- % abc_domains and Destination- !%abc_domains)
    And i have another Policy (group with external communicating domains) which is having a quota limit of 200 external mails per day (Policy Members are Source – %special_users and Destination – !%abc_domains)

    After Creating this new Policy for special users i have added exception in 1st policy as below, (This Policy have priority of 10 and special users policy have priority 8)
    Source – %abc_domains,!%special_users and the destination – !%abc_domains

    My aim is to make all users can send 50 mails to external domain per day and special users/domains can send 200 mails to external domain per day.

    Thanks in advance.

    Regards,

    Nashi Backer.

    • Hi Nashi,

      1. If using Webmail for sending email, PolicyD will count 2 emails for 1 email sent. If using email clients such as Thunderbird, Outlook and others, PolicyD will count only 1. You can check it
      2. Wow, nice idea and good purpose. You can also make 2 policies like this:
      – for special account
      special_account -> !%abc_domains
      – for all account
      !special_account -> !%abc_domains

  • Hi, thanks for your tutorial. I have implemented this on my server but the log report only:
    [2015/05/13-11:30:55 – 5832] [CBPOLICYD] INFO: Got request #31 (pipelined)

    nothing about: [CORE] INFO: module=Quotas, mode=update,…
    Can you help me?

    • Hi Stefano,

      Sorry for the late response. Have you made sure that all the policies you created have had disabled changed from yes to no?

  • Hi Iman,

    Thanks for your quick reply.
    The second point is a success, but I'm using MS Outlook 2013 and it's still counting as 2 for 1 mail.

    Thank you very much for the 2nd point.

  • We have 2 domains on the same server, with a total of 1600 users and 25 distribution lists (DL), with 10 to 30 users added to each DL. I have implemented cbpolicyd because of spamming. After some days users complained to us that they are not able to send group mail, i.e. to a DL.

    So tell me how can I set unlimited mail to internal domain or particular domain

    • Hi Rafi,

      The default configuration in this article places no limitation on sending/receiving from the local domain. If you have another domain, you only need to add it to the group list_domain

  • Hello,
    Excellent article .
    I would like to implement the following rule:
    Limit sending emails from my domain per minute , but apply a rule to release some email send without restriction.
    How could ride this rule ?
    Thank you!

  • Hello, good afternoon. I just finished configuring my mail server after one entire day. Everything works fine, but when I tried to configure policyd, I get an error: policyd never starts. It is the only service not running. I can access the web GUI but the service never starts. I would appreciate it if you know something about this issue.

    • Hi,

      Please paste the result of the following commands:

      su - zimbra
      zmcontrol status
      zmprov gs mail.imanudin.net | grep -i zimbraserviceinstall
      zmprov gs mail.imanudin.net | grep -i zimbraserviceenable
      

      Note: Please replace mail.imanudin.net with your hostname

  • Hi, thanks for this clear manual!
    I am trying to create an exception for this rule, so that some users can send 1000 messages per hour to outside (any)
    I created a new policy and group (domain_users_1000), with some individual email addresses.
    I added this policy member:
    %domain_users_1000 destination any
    I have set the priority to 10, and for list_domains to 20
    But it is still not working fine….
    What am i doing wrong?

    • I did not make an exception in the first rule…

      So now the first rule has these policy members:
      Source: %list_domain,!%domain_users_1000
      Destination: !list_domain

      Now it is working fine!

  • Jan 28 12:34:57 mail amavis[2172]: (02172-01) 7PKs2UOlKm7u FWD from -> , BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 8DCCF7C2296
    Jan 28 12:34:57 mail amavis[2172]: (02172-01) Passed CLEAN {RelayedInbound}, -> , Message-ID: , mail_id: 7PKs2UOlKm7u, Hits: -1.9, size: 438, queued_as: 8DCCF7C2296, 1231 ms
    Jan 28 12:34:57 mail postfix/smtp[4721]: 4D61D7C2345: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=1.4, delays=0.09/0.06/0.01/1.2, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 8DCCF7C2296)

  • Can the webui be password protected to prevent unauthorized access? If not, how do we disable the webui after we are done?

  • I also realize that the delay does not work and functions like reject once the quota is reached. Instead of being delayed, an email that exceeds the quota simply gets rejected.

    • Hi,

      I agree with this statement. I think this is because you are a normal user, not a spammer.

      If you have a simple program for sending bulk mail, all email will be delayed after reaching the maximum emails/hour 😉

  • Thanks a lot for the tutorials on Policyd. Working just fine for me! Before these rules I had problems with users that compromised their passwords.

  • Is there any way to set a password for this administration panel? Also, at "Sender:user@domain", do I need to put my domain instead of "domain"?

  • Hi,

    My mails are in the Deferred Queues for a long time; it is taking 2 to 3 hours to deliver. Can anyone help me with why it is taking so much time to deliver the mail?

  • Hi Iman,
    Thank you for your post. It worked perfectly on webmail.
    But when I configured accounts in Microsoft Outlook and then sent email from Outlook,
    and ran "cat /opt/zimbra/log/cbpolicyd.log", there was no log for that email.
    I have checked and see that there's a difference between webmail and Outlook: webmail uses port 25 to send mail, Outlook uses port 587 to send mail; maybe that's the problem.
    Please help check this issue; I want to count all emails from both webmail and Outlook.

      • I have run that command, but it was the same. I sent 1 email from Outlook and got these logs:
        [2016/07/25-08:26:28 – 30292] [CBPOLICYD] WARNING: Client closed connection => Peer: 127.0.0.1:52271, Local: 127.0.0.1:10031
        [2016/07/25-08:26:28 – 30287] [CORE] INFO: Killing “1” children
        [2016/07/25-08:26:43 – 30287] [CORE] INFO: Starting “1” children
        [2016/07/25-08:26:43 – 91933] [CORE] INFO: 2016/07/25-08:26:43 CONNECT TCP Peer: “[127.0.0.1]:52308” Local: “[127.0.0.1]:10031”
        [2016/07/25-08:26:43 – 91933] [CBPOLICYD] INFO: Got request #1

          • Hi iman,
            Here’s the result:
            smtpd_end_of_data_restrictions = check_policy_service inet:localhost:10031
            smtpd_recipient_restrictions = check_policy_service inet:localhost:10031, reject_non_fqdn_recipient, permit_mynetworks, reject_unlisted_recipient, reject_non_fqdn_sender, permit

          • Hello,

            Please try this guidance :

            su - zimbra
            vi /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf
            

            Add the following line on the top

            %%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:@@cbpolicyd_bind_port@@%%
            
            zmcontrol restart
            
  • Besides that,
    I don't know why the counter is so confused; it automatically resets so the counter is just 1 for all. Please check these logs:
    [2016/07/25-08:39:02 – 30287] [CORE] INFO: Starting “1” children
    [2016/07/25-08:39:02 – 30290] [CORE] INFO: 2016/07/25-08:39:02 CONNECT TCP Peer: “[127.0.0.1]:52381” Local: “[127.0.0.1]:10031”
    [2016/07/25-08:39:02 – 30290] [CBPOLICYD] INFO: Got request #1
    Use of uninitialized value in multiplication (*) at /opt/zimbra/cbpolicyd/lib/policyd-2.1/cbp/modules/Quotas.pm line 181.
    Use of uninitialized value in subtraction (-) at /opt/zimbra/cbpolicyd/lib/policyd-2.1/cbp/modules/Quotas.pm line 186.
    Use of uninitialized value in addition (+) at /opt/zimbra/cbpolicyd/lib/policyd-2.1/cbp/modules/Quotas.pm line 262.
    Use of uninitialized value in addition (+) at /opt/zimbra/cbpolicyd/lib/policyd-2.1/cbp/modules/Quotas.pm line 318.
    [2016/07/25-08:39:02 – 30290] [CORE] INFO: module=Quotas, mode=update, host=210.245.27.184, helo=phunp3.fptdata.net, from=hahlv@phunp3.fptdata.net, to=ha.hoang@itt.vn, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:hahlv@phunp3.fptdata.net, counter=MessageCount, quota=1.00/3 (33.3%)
    [2016/07/25-08:39:03 – 30290] [CBPOLICYD] INFO: Got request #2 (pipelined)
    [2016/07/25-08:39:30 – 30290] [CBPOLICYD] INFO: Got request #3 (pipelined)
    Use of uninitialized value in multiplication (*) at /opt/zimbra/cbpolicyd/lib/policyd-2.1/cbp/modules/Quotas.pm line 181.
    Use of uninitialized value in subtraction (-) at /opt/zimbra/cbpolicyd/lib/policyd-2.1/cbp/modules/Quotas.pm line 186.
    Use of uninitialized value in addition (+) at /opt/zimbra/cbpolicyd/lib/policyd-2.1/cbp/modules/Quotas.pm line 262.
    Use of uninitialized value in addition (+) at /opt/zimbra/cbpolicyd/lib/policyd-2.1/cbp/modules/Quotas.pm line 318.
    [2016/07/25-08:39:30 – 30290] [CORE] INFO: module=Quotas, mode=update, host=210.245.27.184, helo=phunp3.fptdata.net, from=hahlv@phunp3.fptdata.net, to=ha.hoang@itt.vn, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:hahlv@phunp3.fptdata.net, counter=MessageCount, quota=1.00/3 (33.3%)
    [2016/07/25-08:39:30 – 30290] [CBPOLICYD] INFO: Got request #4 (pipelined)

  • Hello Iman, do you know how to limit SMTP connections on Zimbra? My ISP is always blocking my outgoing mail because there are too many concurrent connections, and they told me to set this to 10.

  • Hello Iman, is there any option that allows me to limit emails sent by a user to, like, 100 per hour, and if they reach the limit then all other emails go to the hold queue, and after one hour it requeues another 100 mails of that user?

  • Hello iman,

    i have followed your manual and successfully got it running. but for testing i have set the sender limit to 5 but it is still sending out without any message or action taken.

    i get in the log only that:

    [2016/11/18-13:27:14 – 3907] [POLICIES] INFO: [ID:1/Name:Default]: Source matching result: matched=1
    [2016/11/18-13:27:14 – 3907] [POLICIES] INFO: [ID:1/Name:Default]: Destination matching result: matched=1
    [2016/11/18-13:27:14 – 3907] [POLICIES] INFO: [ID:2/Name:Default Outbound]: Source matching result: matched=0
    [2016/11/18-13:27:14 – 3907] [POLICIES] INFO: [ID:3/Name:Default Inbound]: Source matching result: matched=0
    [2016/11/18-13:27:14 – 3907] [POLICIES] INFO: [ID:4/Name:Default Internal]: Source matching result: matched=0
    [2016/11/18-13:27:14 – 3907] [POLICIES] INFO: [ID:5/Name:Test]: Source matching result: matched=0
    [2016/11/18-13:27:14 – 3907] [CBPOLICYD] INFO: Got request #2 (pipelined)
    [2016/11/18-13:27:14 – 3907] [CBPOLICYD] INFO: Got request #3 (pipelined)

      • Hi iman,

        thanks, i just overlooked some “disabled” and changed it to “enable”

        now it is working and zimbra passes me the message from the MTA which i have set.

        thank you – very good manual

          • Hi Iman,

            sorry to bother again; i have 1 more question:

            1) how can i exclude single users from policies?

            as we want to set a limit for outbound messages per hour but we need to exclude single users from that.

            Can this be done by adding specific rules for these users?

            thanks a lot

            flunda

  • Hi,

    but then i have to create for every excluded user an own policy right? As i have found that i cannot exclude myaccount from my domain when i have it in the same policy

  • Hi Iman,

    Thank you very much for this tutorial.
    I have deployed this rate limit in my Zimbra 8.7 server but I need an email notification alert when this threshold matched. Can you please let me know how I can achieve this?

    Many Thanks,
    Russel

  • Hi Iman,
    Thank you very much for this useful tutorial.
    Maybe you can help me.
    I configured limit per day. How can I reset the counter, if the need arises? How do I know which user sent most emails?
    Thank you.

    • I've installed phpLiteAdmin and opened the database of PolicyD. So I was able to reset the counter. It is an uncomfortable but acceptable way.
      Other question: is there a way to send a message to an administrator if a user has reached the limit?
      Thank you.

      • Hi,

        By default, PolicyD does not have a notification feature to send email when the limit is reached. Maybe you can create a simple script to do that by grepping the log

    • Finally, I found that the limit applies not only to outgoing messages, but also to incoming ones. In the database the incoming and outgoing addresses are in the same list. I have set a limit of 4 letters and cannot get more than 4 letters. This is unacceptable. We must receive without limit, and limit sending.

  • Hi Iman,

    Sorry, but finally I also found that excluding seems not to be working, or am I doing something wrong?

    I have one policy for limiting the sending rate, but I want to exclude single users from that policy, so I have set another policy with higher priority and another sending limit.

    But only the one limiting the whole domain works.

    Any advice?

    thanks a lot!!

    • I have just configured only one policy where I am explicitly excluding a user with !username@domain.com, and if not this user sends emails, then the policy counts, and if the user who is excluded sends, then the policy does not count.
      But this is a bit strange, as when I am configuring another policy, the first stops working.

      What is the proper way to set a limit for only one domain for each user but exclude only one from this policy?

      pls help

      thanks!!!!

    • Hi,

      On the rate limit sending message policy that has been created, you can change the policy member as below:
      from -> Source : %list_domain
      become -> Source : !excludeuser@yourdomain

  • With the PolicyD rate limit delay as described above, once the quota has been reached, will the remaining emails be sent automatically after the time period expires, or do we have to resend them?

    Thank you.

    • Hi mas Angga,

      Once the limit has been hit, normal sending will be rejected immediately and there is a message. However, if the sending is done by a robot, there is no message to the sender and the email goes into the mail queue. When the time period expires, the queued email will automatically be sent again

      • By mail queue you mean the email queue, right, mas… so it can still be delivered to the destination if it is in the queue… if it is delivered, then the spammer has succeeded in sending email…?

        • Hi mas Rony,

          That's right, mas. The email will be delivered to the destination if it is still in the queue. The purpose is to make it easier to see which user the email was sent from and which user is suspected of spamming. If the email were dropped immediately, checking it would be rather difficult.

  • Thank you Iman, for this article and video.

    I have installed policyd on my zimbra 8.6. and enabled tracking based on user@domain.com.

    If the user is sending one mail to 10 addresses, it is counting as 20 mails. It is creating a problem.

    Can you please help me how to rectify this issue. Any help in this regard is highly appreciated.

    Thanks,
    Kondaiah

    • Hi Kondaiah,

      If you are sending from webmail, the email will count as 2 emails in PolicyD. But if you are sending email from an email client (Thunderbird, Outlook, etc), the email will count as one