Zimbra Tips : How To Configure Rate Limit Sending Message on PolicyD

Posted by

Yesterday, i have been wrote article about how to install/enable Policyd on Zimbra 8.5. The following article can read at this link https://imanudin.net/2014/09/08/how-to-install-policyd-on-zimbra-8-5/. Now., i am will describe how to configure rate limit sending message with Policyd.

Why we must configuring rate limit sending message?

If there user have compromised password, spammer will sending email to outside with random email address receipt  and very much email have been sent. Usually, public IP address will have blacklisted on any RBL and cannot sending email to outside. To prevent it, we can use Policyd and configure rate limit sending message with quotas modules on Policyd. Quotas modules can prevent user@domain or other configuration can sending some email per minutes or per hours. For example, per users can sending maximum 200 emails per hours

How to configure it?

This is step by step how to configure it. Assuming you have been install/enable Policyd. If not, you can following this guidance https://imanudin.net/2014/09/08/how-to-install-policyd-on-zimbra-8-5/

Access Policyd WebUI via browser http://zimbraserver:7780/webui/index.php. Ensure your Zimbra service apache have been running

Select Policies | Groups. Select action and add groups. given name list_domain. On comment, you can empty or filled with comment. Select a group that has been made. On action, select members and fill with your domain. See the following example. make sure disabled status is no at groups or members groups

policyd-groups

Select Policies | Main. Create new policy and give name rate limit sending message. See the following example

policyd-new-poliyc

Select new policy has been made. On action, select members and fill with the group that has previously been made. Ensure disabled is no. See the following example

member-policy

policyd-policy-2

Select Quotas | Configure. Select action | add. fill with the following example

Name : Rate Limit
Track : sender:user@domain
Period : 3600
Link to policy : Rate Limit Sending Message
Verdict : Defer (delay)
Data : information who give to users if policy have been meet or you can empty. Example : Sorry, your quotas to sending email has been full. please try again later

policyd-new-quotas

If all selection has been configured, click Submit Query. Select new quotas that has previously been made | select action | Limits. Add limit and configure. See the following example

policyd-quotas-limit

Ensure disabled status is no

policyd-quotas-information

Above configuration will limit sending message from domain local to outside and outside to any domain with maximum message 200 email/user/hour. Please try to sending message to other domain and see the log information on /opt/zimbra/log/cbpolicyd.log

[2014/09/08-21:32:39 - 4871] [CORE] INFO: module=Quotas, mode=create, host=127.0.0.1, helo=mail, from=admin@imanudin.net, to=ahmadiman@gmail.com, reason=quota_create, policy=6, quota=3, limit=4, track=Sender:admin@imanudin.net, counter=MessageCount, quota=1.00/200 (0.5%)
[2014/09/08-21:32:39 - 4871] [CBPOLICYD] INFO: Got request #2 (pipelined)
[2014/09/08-21:32:39 - 4871] [CORE] INFO: module=Quotas, mode=update, host=127.0.0.1, helo=mail, from=admin@imanudin.net, to=ahmadiman@gmail.com, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:admin@imanudin.net, counter=MessageCount, quota=2.00/200 (1.0%)

Good luck and hopefully useful 😀

Let’s See the Video on Youtube

152 comments

  1. Recipient address rejected: Sorry, your quotas for sending email has been full. please contact IT immediately; from= to= proto=ESMTP helo=

    How can i exclude the spam maibox from the rate limits?

  2. just wanted to confirm I did it correctly. because I am still seeing the alert:

    Sorry, your quotas for sending email has been full. please contact IT immediately; from= to=

    I made my policy member like this:

    source destination Disabled
    any !spam.zkz8xgy52w@itltc.net no

  3. Hi Imanudin,

    Thank you for an article, it works wonders.

    Please suggest how to make a user an exception in policy, e.g. user1@mydomain.com & user2@mydomain.com should be allowed to send unlimited mails within hour. Whereas on rest users (in domain) rate limit should be applied.

    In same policy, I tried by adding following in Policy Members
    Source Destination Disabled
    !user1@mydomain.com any no
    !user2@mydomain.com any no

    No Luck, still policy is getting applied on both. Please help with details steps to add exclusion.
    Regards
    Vivek

  4. Hi,

    I have a few domains and just need to prevent my server sending spam messages to outbound. I need to configure policyd such that, there should be a general quota for all the users of all my domains in terms of number of messages sent per day, and exceptions for only a few user accounts.

    I have installed cbpolicyd v2 and deleted all the configuration like “internal_ips”, “internal_domains”, “Default Outbound” etc. Instead, I created the following for one of my domains as a test;

    PoliciesMain:
    username@mydomain.com (Priority:10, member: source:username@mydomain.com, destination:ANY)
    @mydomain.com (Priority:20, member: source:@mydomain.com, destination:ANY)

    PoliciesGroup:
    username@mydomain.com (member: username@mydomain.com)
    @mydomain.com (member: @mydomain.com)

    Quotas:
    username@mydomain.com (LinkToPolicy: username@mydomain.com, Track:Sender:user@domain, Period:3600, Verdict:Reject, StopProcessingHere:Yes)
    – limit: MessageCount:100
    @mydomain.com (LinkToPolicy: @mydomain.com, Track:Sender:user@domain, Period:86400, Verdict:Reject, StopProcessingHere:Yes)
    – limit: MessageCount:4

    Policyd permits messages from the domain until its limit (4), and then rejects the rest, even the ones coming from the username@mydomain.com. I can see from the log that these messages are matched with the domains policy and not the users policy.

    Am I missing something ?

  5. Salam
    I followed your tutorial and it works perfectly
    But this configuration works for sending and receiving emails
    I am looking for configured only sending emails
    Can you please help us
    Thank you in advance and good luck

  6. Hi,
    I followed the procedure exactly as you described, but it is not working, I get the message saying
    ” No group members for source group ‘lisf_domain” and its end bay “Killing “1” children”
    I am sure that I added 3 domain members
    See the log below after doing:
    tail //opt/zimbra/log/cbpolicyd.log, I gedt the following

    ” INFO: Starting “1” children
    [2019/03/30-15:00:06 – 5434] [CORE] INFO: 2019/03/30-15:00:06 CONNECT TCP Peer: “[127.0.0.1]:57500” Local: “[127.0.0.1]:10031”
    [2019/03/30-15:00:06 – 5434] [POLICIES] WARNING: [ID:7/Name:rate limit sending message]: No group members for source group ‘lisf_domain’
    [2019/03/30-15:00:06 – 5434] [CBPOLICYD] INFO: Got request #1
    [2019/03/30-15:00:06 – 5434] [CORE] INFO: module=Quotas, mode=update, host=10.1.31.150, helo=localhost.localdomain, from=admin@zimbra-dev01.avancie.com, to=admin@zimbra-dev01.avancie.com, reason=quota_update, policy=6, quota=4, limit=5, track=Sender:admin@zimbra-dev01.avancie.com, counter=MessageCount, quota=1.00/3 (33.3%)
    [2019/03/30-15:00:06 – 5434] [POLICIES] WARNING: [ID:7/Name:rate limit sending message]: No group members for source group ‘lisf_domain’
    [2019/03/30-15:00:06 – 5434] [CBPOLICYD] INFO: Got request #2 (pipelined)
    [2019/03/30-15:00:06 – 5434] [CORE] INFO: module=Quotas, mode=update, host=10.1.31.150, helo=localhost.localdomain, from=admin@zimbra-dev01.toto.com, to=admin@zimbra-dev01.avancie.com, reason=quota_update, policy=6, quota=4, limit=5, track=Sender:admin@zimbra-dev01.avancie.com, counter=MessageCount, quota=2.00/3 (66.7%)
    [2019/03/30-15:00:06 – 5434] [CBPOLICYD] INFO: Got request #3 (pipelined)
    [2019/03/30-15:01:46 – 31885] [CORE] INFO: Killing “1” children”

    1. Hello,
      Please paste the results from the following command

      sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb
      select * from quotas_limits;
      select * from policy_groups;
      select * from policy_members;
      

      Or you can try to change in the policy members to any

      Source : any
      Destination : any
      
  7. Hi, good tutorial, but I dont understand quota, I want to config 1 domain send 200 mails, 50 mails per user to send each day, how do I config ? thanks

  8. hi om, setelah mengikuti tutorialnya , saya cb kirim imel internmal maupun external dapat error ini :
    salah nya dimana ya? mohon pencerahan, terima kasih :

    Message not sent; one or more addresses were not accepted.
    Rejected addresses: admin
    method: [unknown]
    msg: Invalid address: admin . com.zimbra.cs.mailbox.MailSender$SafeSendFailedException: MESSAGE_NOT_DELIVERED; chained exception is: com.zimbra.cs.mailclient.smtp.InvalidRecipientException: RCPT failed: Invalid recipient admin@itsm-gmf.asyst.co.id: 451 4.3.5 Server configuration problem
    code: mail.SEND_ABORTED_ADDRESS_FAILURE
    detail: soap:Sender
    trace: qtp509886383-6859:https://172.25.207.117:8443/service/soap/SendMsgRequest:1556248696309:a054201c4d5eaa2d
    request:
    Body: {
    SendMsgRequest: {
    _jsns: “urn:zimbraMail”,
    m: {
    did: “521”,
    e: [
    // [0]:
    {
    a: “admin@itsm-gmf.asyst.co.id”,
    p: “admin”,
    t: “t”
    },
    // [1]:
    {
    a: “ridwan@itsm-gmf.asyst.co.id”,
    t: “f”
    }
    ],
    id: “521”,
    idnt: “d0c96fc4-304d-4280-933a-d677d160a82d”,
    mp: [
    // [0]:
    {
    ct: “multipart/alternative”,
    mp: [
    // [0]:
    {
    content: {
    _content: “1011

    },
    ct: “text/plain”
    },
    // [1]:
    {
    content: {
    _content: “<html><body>1011</body></html>”
    },
    ct: “text/html”
    }
    ]
    }
    ],
    su: {
    _content: “1011”
    }
    },
    suid: 1556248617831
    }
    },
    Header: {
    context: {
    _jsns: “urn:zimbra”,
    account: {
    _content: “ridwan@itsm-gmf.asyst.co.id”,
    by: “name”
    },
    authToken: “(removed)”,
    csrfToken: “0_fb8dcc0fc3deefe7ca129c7fafbc0d0afcf210bf”,
    notify: {
    seq: 8
    },
    session: {
    _content: 1197,
    id: 1197
    },
    userAgent: {
    name: “ZimbraWebClient – GC73 (Win)”,
    version: “8.6.0_GA_1153”
    }
    }
    }
    Hide Details
    OK

      1. thanks mas for quick response 🙂

        klo saya cek semua service UP kecuali service cbpolicyd nya, sudah saya cb start tp masih failed 🙁

        tp klo saya cb akses kesini : http://zimbraserver:7780/webui/index.php. sudah bisa,
        jd skrg saya rollback dl ke config sebelumnya, krena ga bisa sama sekali kirim email 🙁

      1. iya betul data nya 1.5GB
        berhasil setelah di stop dulu cbpolicyd nya
        zmcbpolicydctl stop
        /usr/bin/sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb ‘vacuum;’
        zmcbpolicydctl start

        hasilnya jadi 10MB saja

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.