Yesterday, I wrote an article about how to install/enable Policyd on Zimbra 8.5. You can read it at https://imanudin.net/2014/09/08/how-to-install-policyd-on-zimbra-8-5/. Now I will describe how to configure a rate limit on sending messages with Policyd.
Why must we configure a rate limit on sending messages?
If a user's password is compromised, a spammer will use the account to send a very large number of emails to random outside recipients. Usually, the public IP address then gets blacklisted on some RBLs and the server can no longer send email to outside. To prevent this, we can use Policyd and configure a rate limit on sending messages with its Quotas module. The Quotas module limits how many emails a user@domain (or another tracking key) can send per minute or per hour. For example, each user can send a maximum of 200 emails per hour.
How to configure it?
These are the steps to configure it, assuming you have already installed/enabled Policyd. If not, you can follow this guide: https://imanudin.net/2014/09/08/how-to-install-policyd-on-zimbra-8-5/
Access the Policyd WebUI via a browser at http://zimbraserver:7780/webui/index.php. Ensure the Zimbra apache service is running.
Select Policies | Groups. Select the add action and add a group named list_domain. The comment can be left empty or filled in. Select the group that has been created. On action, select members and fill in your domain. See the following example. Make sure the disabled status is no on both the group and the group members.
Select Policies | Main. Create a new policy and name it rate limit sending message. See the following example.
Select the new policy that has been created. On action, select members and fill in the group that was created previously. Ensure disabled is no. See the following example.
Select Quotas | Configure. Select action | add. Fill it in as in the following example:
Name : Rate Limit
Track : sender:user@domain
Period : 3600
Link to policy : Rate Limit Sending Message
Verdict : Defer (delay)
Data : the information given to users when the policy has been met, or you can leave it empty. Example : Sorry, your quotas to sending email has been full. please try again later
When everything has been configured, click Submit Query. Select the new quota that was just created | select action | Limits. Add a limit and configure it. See the following example.
Ensure the disabled status is no.
The above configuration limits messages sent from the local domain to outside, and from outside to any domain, to a maximum of 200 emails/user/hour. Try sending a message to another domain and check the log information in /opt/zimbra/log/cbpolicyd.log:
[2014/09/08-21:32:39 - 4871] [CORE] INFO: module=Quotas, mode=create, host=127.0.0.1, helo=mail, from=admin@imanudin.net, to=ahmadiman@gmail.com, reason=quota_create, policy=6, quota=3, limit=4, track=Sender:admin@imanudin.net, counter=MessageCount, quota=1.00/200 (0.5%)
[2014/09/08-21:32:39 - 4871] [CBPOLICYD] INFO: Got request #2 (pipelined)
[2014/09/08-21:32:39 - 4871] [CORE] INFO: module=Quotas, mode=update, host=127.0.0.1, helo=mail, from=admin@imanudin.net, to=ahmadiman@gmail.com, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:admin@imanudin.net, counter=MessageCount, quota=2.00/200 (1.0%)
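An added example (not part of the original article): a Python parser for the module=Quotas lines in cbpolicyd.log that reports each tracked sender's peak usage and flags senders at or above a threshold, which helps spot a compromised account before the public IP gets blacklisted. The sample log is constructed in the format shown above; the function names, the 50% threshold and the `reject` action value are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of /opt/zimbra/log/cbpolicyd.log;
# addresses, PIDs and timestamps are placeholders, not real data.
SAMPLE_LOG = """\
[2024/01/10-09:00:01 - 4871] [CORE] INFO: module=Quotas, mode=create, host=127.0.0.1, helo=mail, from=alice@example.com, to=a@example.org, reason=quota_create, policy=6, quota=3, limit=4, track=Sender:alice@example.com, counter=MessageCount, quota=1.00/200 (0.5%)
[2024/01/10-09:00:01 - 4871] [CBPOLICYD] INFO: Got request #2 (pipelined)
[2024/01/10-09:05:12 - 4871] [CORE] INFO: module=Quotas, mode=update, host=127.0.0.1, helo=mail, from=sales@example.com, to=b@example.org, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:sales@example.com, counter=MessageCount, quota=199.00/200 (99.5%)
[2024/01/10-09:05:13 - 4871] [CORE] INFO: module=Quotas, mode=update, host=127.0.0.1, helo=mail, from=sales@example.com, to=c@example.org, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:sales@example.com, counter=MessageCount, quota=200.00/200 (100.0%)
[2024/01/10-09:05:14 - 4871] [CORE] INFO: module=Quotas, action=defer, host=127.0.0.1, helo=mail, from=sales@example.com, to=d@example.org, reason=quota_match, policy=6, quota=3, limit=4, track=Sender:sales@example.com, counter=MessageCount, quota=201.00/200 (100.5%)
[2024/01/10-09:10:00 - 4871] [CORE] INFO: module=Quotas, mode=update, host=127.0.0.1, helo=mail, from=alice@example.com, to=e@example.org, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:alice@example.com, counter=MessageCount, quota=2.00/200 (1.0%)
"""

# "quota=" appears twice per line (quota ID, then usage), so the usage field
# is anchored right after "counter=". \S accepts either dash style after the timestamp.
QUOTA_RE = re.compile(
    r"^\[(?P<ts>[\d/]+-[\d:]+) \S \d+\] \[CORE\] INFO: module=Quotas, "
    r"(?:mode|action)=(?P<verb>\w+), .*?"
    r"track=(?P<track>[^,]+), counter=(?P<counter>\w+), "
    r"quota=(?P<used>[\d.]+)/(?P<limit>[\d.]+)"
)

# action=defer is what the log format shows for a Defer verdict;
# "reject" is an assumed value for a Reject verdict.
BLOCK_VERBS = {"defer", "reject"}


def summarize(lines):
    """Return {track: {"peak", "limit", "blocked", "last_seen"}} for MessageCount quotas."""
    stats = defaultdict(lambda: {"peak": 0.0, "limit": 0.0, "blocked": 0, "last_seen": ""})
    for line in lines:
        m = QUOTA_RE.match(line.strip())
        if not m or m["counter"] != "MessageCount":
            continue  # skip non-Quotas lines and other counter types
        entry = stats[m["track"]]
        entry["peak"] = max(entry["peak"], float(m["used"]))
        entry["limit"] = float(m["limit"])
        entry["last_seen"] = m["ts"]
        if m["verb"] in BLOCK_VERBS:
            entry["blocked"] += 1
    return dict(stats)


def over_threshold(stats, ratio=0.5):
    """List (track, peak/limit, blocked) for tracks at or above `ratio`, worst first."""
    hits = [(track, s["peak"] / s["limit"], s["blocked"])
            for track, s in stats.items()
            if s["limit"] and s["peak"] / s["limit"] >= ratio]
    return sorted(hits, key=lambda hit: hit[1], reverse=True)


if __name__ == "__main__":
    for track, usage, blocked in over_threshold(summarize(SAMPLE_LOG.splitlines())):
        print(f"{track}: {usage:.1%} of quota, {blocked} request(s) deferred/rejected")
```

The peak is the highest counter value seen in the lines scanned, so feed it a slice of the log that matches the quota Period (3600 seconds in the configuration above).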
Good luck and hopefully useful 😀
Recipient address rejected: Sorry, your quotas for sending email has been full. please contact IT immediately; from= to= proto=ESMTP helo=
How can I exclude the spam mailbox from the rate limits?
Hello,
You can fill in the source like below
just wanted to confirm I did it correctly. because I am still seeing the alert:
Sorry, your quotas for sending email has been full. please contact IT immediately; from= to=
I made my policy member like this:
source destination Disabled
any !spam.zkz8xgy52w@itltc.net no
Hello,
Your configuration will not trap if the recipient is spam.zkz8xgy52w@itltc.net
Mail with attachments is delivered slowly in Zimbra, please help me
Hi,
If you send an email with an attachment, Zimbra needs bandwidth to send it to the destination. So, I think it’s normal
Hi Imanudin,
Thank you for an article, it works wonders.
Please suggest how to make a user an exception in policy, e.g. user1@mydomain.com & user2@mydomain.com should be allowed to send unlimited mails within hour. Whereas on rest users (in domain) rate limit should be applied.
In same policy, I tried by adding following in Policy Members
Source Destination Disabled
!user1@mydomain.com any no
!user2@mydomain.com any no
No Luck, still policy is getting applied on both. Please help with details steps to add exclusion.
Regards
Vivek
Hello,
Please try with single line
source : !user1,!user2
Hello! It does not work for me. I can’t exempt users from this rule
Hi,
I have a few domains and just need to prevent my server sending spam messages to outbound. I need to configure policyd such that, there should be a general quota for all the users of all my domains in terms of number of messages sent per day, and exceptions for only a few user accounts.
I have installed cbpolicyd v2 and deleted all the configuration like “internal_ips”, “internal_domains”, “Default Outbound” etc. Instead, I created the following for one of my domains as a test;
PoliciesMain:
username@mydomain.com (Priority:10, member: source:username@mydomain.com, destination:ANY)
@mydomain.com (Priority:20, member: source:@mydomain.com, destination:ANY)
PoliciesGroup:
username@mydomain.com (member: username@mydomain.com)
@mydomain.com (member: @mydomain.com)
Quotas:
username@mydomain.com (LinkToPolicy: username@mydomain.com, Track:Sender:user@domain, Period:3600, Verdict:Reject, StopProcessingHere:Yes)
– limit: MessageCount:100
@mydomain.com (LinkToPolicy: @mydomain.com, Track:Sender:user@domain, Period:86400, Verdict:Reject, StopProcessingHere:Yes)
– limit: MessageCount:4
Policyd permits messages from the domain until its limit (4), and then rejects the rest, even the ones coming from the username@mydomain.com. I can see from the log that these messages are matched with the domains policy and not the users policy.
Am I missing something ?
Hello,
Please see an example from this comment : https://imanudin.net/2014/09/09/zimbra-tips-how-to-configure-rate-limit-sending-message-on-policyd/comment-page-1/#comment-13576
Salam
I followed your tutorial and it works perfectly
But this configuration works for sending and receiving emails
I am looking for configured only sending emails
Can you please help us
Thank you in advance and good luck
Hi,
I followed the procedure exactly as you described, but it is not working. I get the message saying
“No group members for source group ‘lisf_domain’” and it ends by “Killing “1” children”
I am sure that I added 3 domain members
See the log below after doing:
tail //opt/zimbra/log/cbpolicyd.log, I get the following
” INFO: Starting “1” children
[2019/03/30-15:00:06 – 5434] [CORE] INFO: 2019/03/30-15:00:06 CONNECT TCP Peer: “[127.0.0.1]:57500” Local: “[127.0.0.1]:10031”
[2019/03/30-15:00:06 – 5434] [POLICIES] WARNING: [ID:7/Name:rate limit sending message]: No group members for source group ‘lisf_domain’
[2019/03/30-15:00:06 – 5434] [CBPOLICYD] INFO: Got request #1
[2019/03/30-15:00:06 – 5434] [CORE] INFO: module=Quotas, mode=update, host=10.1.31.150, helo=localhost.localdomain, from=admin@zimbra-dev01.avancie.com, to=admin@zimbra-dev01.avancie.com, reason=quota_update, policy=6, quota=4, limit=5, track=Sender:admin@zimbra-dev01.avancie.com, counter=MessageCount, quota=1.00/3 (33.3%)
[2019/03/30-15:00:06 – 5434] [POLICIES] WARNING: [ID:7/Name:rate limit sending message]: No group members for source group ‘lisf_domain’
[2019/03/30-15:00:06 – 5434] [CBPOLICYD] INFO: Got request #2 (pipelined)
[2019/03/30-15:00:06 – 5434] [CORE] INFO: module=Quotas, mode=update, host=10.1.31.150, helo=localhost.localdomain, from=admin@zimbra-dev01.toto.com, to=admin@zimbra-dev01.avancie.com, reason=quota_update, policy=6, quota=4, limit=5, track=Sender:admin@zimbra-dev01.avancie.com, counter=MessageCount, quota=2.00/3 (66.7%)
[2019/03/30-15:00:06 – 5434] [CBPOLICYD] INFO: Got request #3 (pipelined)
[2019/03/30-15:01:46 – 31885] [CORE] INFO: Killing “1” children”
Hello,
Please paste the results from the following command
Or you can try to change in the policy members to any
Hi, good tutorial, but I don’t understand quota. I want to configure 1 domain to send 200 mails, 50 mails per user to send each day. How do I configure it? Thanks
Hello,
Please try this one : https://imanudin.net/2014/12/01/how-to-limit-sendingreceipt-email-per-day-per-week-or-per-month/
Thank you iman sir but I want to know how to filter incoming spam mail .
please sir help me
Thanks and regards
Hello,
You can use a separate server for your incoming email, such as Mailborder, Proxmox Mail Gateway and others
Hi, after following the tutorial, I tried sending email both internally and externally and got this error:
Where did I go wrong? Please enlighten me, thank you:
Message not sent; one or more addresses were not accepted.
Rejected addresses: admin
method: [unknown]
msg: Invalid address: admin . com.zimbra.cs.mailbox.MailSender$SafeSendFailedException: MESSAGE_NOT_DELIVERED; chained exception is: com.zimbra.cs.mailclient.smtp.InvalidRecipientException: RCPT failed: Invalid recipient admin@itsm-gmf.asyst.co.id: 451 4.3.5 Server configuration problem
code: mail.SEND_ABORTED_ADDRESS_FAILURE
detail: soap:Sender
trace: qtp509886383-6859:https://172.25.207.117:8443/service/soap/SendMsgRequest:1556248696309:a054201c4d5eaa2d
Hi,
The message “51 4.3.5 Server configuration problem” usually means the services are not up. Try restarting the Zimbra services
Thanks for the quick response 🙂
When I check, all services are up except the cbpolicyd service. I have tried to start it but it still fails 🙁
But when I try to access http://zimbraserver:7780/webui/index.php, it works,
so for now I have rolled back to the previous config, because I could not send email at all 🙁
Iman,
when I tried following https://wiki.zimbra.com/wiki/How-to_for_cbpolicyd#Performance_tuning
in the section on optimizing by rebuilding the database:
$ /usr/bin/sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb 'vacuum;'
Error: database is locked
Does this mean we have to stop the cbpolicyd service first?
Hi,
If the data is large, it can usually cause problems for the services as well. So the recommendation is to do it after office hours
Yes, that's right, the data is 1.5GB
It worked after stopping cbpolicyd first
zmcbpolicydctl stop
/usr/bin/sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb 'vacuum;'
zmcbpolicydctl start
The result is only 10MB
Salam
I followed your tutorial and it works perfectly
But this configuration works for sending and receiving emails
I am looking to configure only sending emails… can you please let me know in detail how I can achieve this
Can you please help us
Thank you in advance and good luck
Waalaikumussalam,
You can remove policy members
hi
I hope you are fine. The policy is working fine. I have set the sending rate limit to 5. So when I created a new message and put 5 email accounts in “TO”, it shows me an error that you can’t send email. It seems it counts one sent email as 2. Can you let me know how I can resolve this issue?
ERROR LOG:
[2020/01/03-10:10:16 – 30788] [POLICIES] WARNING: [ID:2/Name:Default Outbound]: Error while processing source item ‘%internal_ips’, skipping…
[2020/01/03-10:10:16 – 30788] [CBPOLICYD] INFO: Got request #1
[2020/01/03-10:10:16 – 30788] [CORE] INFO: module=Quotas, mode=update, host=202.63.219.55, helo=flynaz.cubexs.net.pk, from=fayaz@flynaz.cubexs.net.pk, to=fayazlinux@gmail.com, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:fayaz@flynaz.cubexs.net.pk, counter=MessageCount, quota=1.00/5 (20.0%)
[2020/01/03-10:10:16 – 30788] [CBPOLICYD] INFO: Got request #2 (pipelined)
[2020/01/03-10:10:16 – 30788] [CORE] INFO: module=Quotas, mode=update, host=202.63.219.55, helo=flynaz.cubexs.net.pk, from=fayaz@flynaz.cubexs.net.pk, to=fayazlinux@gmail.com, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:fayaz@flynaz.cubexs.net.pk, counter=MessageCount, quota=2.00/5 (40.0%)
[2020/01/03-10:10:17 – 30788] [CBPOLICYD] INFO: Got request #3 (pipelined)
[2020/01/03-10:10:17 – 30788] [CORE] INFO: module=Quotas, mode=update, host=202.63.219.55, helo=flynaz.cubexs.net.pk, from=fayaz@flynaz.cubexs.net.pk, to=fayaz.khan@cubexsweatherly.com, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:fayaz@flynaz.cubexs.net.pk, counter=MessageCount, quota=3.00/5 (60.0%)
[2020/01/03-10:10:17 – 30788] [CBPOLICYD] INFO: Got request #4 (pipelined)
[2020/01/03-10:10:17 – 30788] [CORE] INFO: module=Quotas, mode=update, host=202.63.219.55, helo=flynaz.cubexs.net.pk, from=fayaz@flynaz.cubexs.net.pk, to=fayaz.khan@cubexsweatherly.com, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:fayaz@flynaz.cubexs.net.pk, counter=MessageCount, quota=4.00/5 (80.0%)
[2020/01/03-10:10:17 – 30788] [CBPOLICYD] INFO: Got request #5 (pipelined)
[2020/01/03-10:10:17 – 30788] [CORE] INFO: module=Quotas, mode=update, host=202.63.219.55, helo=flynaz.cubexs.net.pk, from=fayaz@flynaz.cubexs.net.pk, to=syed.wajihali@cubexsweatherly.com, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:fayaz@flynaz.cubexs.net.pk, counter=MessageCount, quota=5.00/5 (100.0%)
[2020/01/03-10:10:17 – 30788] [CBPOLICYD] INFO: Got request #6 (pipelined)
[2020/01/03-10:10:17 – 30788] [CORE] INFO: module=Quotas, mode=update, host=202.63.219.55, helo=flynaz.cubexs.net.pk, from=fayaz@flynaz.cubexs.net.pk, to=syed.wajihali@cubexsweatherly.com, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:fayaz@flynaz.cubexs.net.pk, counter=MessageCount, quota=6.00/5 (120.0%)
[2020/01/03-10:10:17 – 30788] [CBPOLICYD] INFO: Got request #7 (pipelined)
[2020/01/03-10:10:17 – 30788] [CORE] INFO: module=Quotas, action=defer, host=202.63.219.55, helo=flynaz.cubexs.net.pk, from=fayaz@flynaz.cubexs.net.pk, to=tariq.shabbir@cubexsweatherly.com, reason=quota_match, policy=6, quota=3, limit=4, track=Sender:fayaz@flynaz.cubexs.net.pk, counter=MessageCount, quota=7.00/5 (140.0%)
Hello,
By default, policyd will count 2 emails even if you send a single email. This is caused by policyd listening in 3 places in Postfix. Please try this one as a workaround: https://imanudin.com/2019/02/01/tips-agar-pengiriman-email-dari-webmail-tidak-dihitung-2-kali-pada-policyd/
it’s available in English language.
Is there a report to view report on the rate limits quotas per email and domain?
Hello Oliver,
You can see in the log /opt/zimbra/log/cbpolicyd.log
Hi Iman,
I have 5 zimbra mailservers. Is there an option to send a notification to my email that a user has reach 50% of his/her quota?
Thank you.
Oliver
Hi,
Great tutorial and works perfectly, any suggestion on how to send an email to the administrator about the exceed limit?
Thanks
Luigi
Hello Luigi,
It’s not possible right now. But, you can try to make simple script using cat, grep, awk and sendmail to achieve that
Hi,
have you experienced that hitting a rate limit is causing the server to randomly not accepting connections? After rate limiting hit one of our domains, nobody was able to connect to server till I switched the service off… Maybe I’ve misconfigured something? Any ideas?
Cheers,
Janos
Hi Janos Takacs,
Please see log in /opt/zimbra/log/cbpolicyd.log. I am worried policyd database is locked
Hi, great tutorial, thanks. I have a problem with this rate limit subject. I want to rate limit sending messages except for internal domains. Also, these rules limit incoming emails, I just want to limit outgoing emails except internal domains.
Hi Niyazi Alpay,
The article already fit with your needs 🙂
How to exempt one or more user@domain from reaching the limit?
Hi Tien Dao, Le
Please see my comment here: https://imanudin.net/2014/09/09/zimbra-tips-how-to-configure-rate-limit-sending-message-on-policyd/comment-page-2/#comment-27199
Hi,
I have enabled policyd recently and put below limits for incoming.
Rate limit any @domain from receiving more than 125 emails in a 60 second period. Messages beyond this rate are rejected.
So this limit is applicable for one user and over all server. ??
Means if it is for overall server then server can receive only 125 emails in one minutes.
Or if it is for one user then one user can receive 100 emails in one minutes .
Please help me in this confusion.
Hi Gautam Kumar,
It depends on your configuration. If you define @domain, it refers to all users on that domain. If you define user@domain, it refers to a single user on a domain
Hello Iman
Assalamu-alaikum
Please tell me how can I send mail as bulk 500 mail at a time from zimbra server…?
Waalaikumussalam,
You can send it as usual. Like sending email from webmail or email client
Dear Iman
Thanks for your quick reply. Won’t my IP fall onto a blacklist if I send 500 mails at a time? How can I avoid the blacklist?
Hi Ashraf,
You can follow bulk guidance here: https://support.google.com/mail/answer/81126?hl=en
Hi Iman,
How do I configure the sending rate limit with an exception for several users?
Hi,
You can use !namauser (an exclamation mark followed by the user name) in the source field. For example: !namauser,%nama_group
When sending more emails it’s rejecting and not in defer queue
Hi,
Yes. By default like that. You should have a second MTA to get deferred. So, the topology will be like this
mta1 -> mta2 (with policyd)
Hi Iman,
Thank you very much for the excellent article!
Assalamualaikum,
Iman, I cannot add a record. After Submit Query, the page just seems to refresh. Nothing is saved.
Please advise
Hi Widit,
You can try recreating the policyd database: https://imanudin.com/2020/03/27/membuat-ulang-database-policyd/
Hello!
hello,
thank you for your tutorial. I have a zimbra collaboration version 8.8.15 mail server that gets phishing attacks all the time. I did some research to find out how to limit the sending of emails. I discovered that there is a component that exists policyd. Then I continued research to find how to configure it. The best tutorial I’ve found is yours.
I applied your tutorial on the limitation of sending emails to the letter, but it doesn’t work for me. Here is the output of the tail -f /opt/zimbra/log/cbpolicyd.log command:
zimbra@srvlabzimbra:~/data/cbpolicyd/db$ tail -f /opt/zimbra/log/cbpolicyd.log
[2022/06/09-13:56:59 – 128093] [CBPOLICYD] DEBUG: Running module: Greylisting Plugin
[2022/06/09-13:56:59 – 128093] [CBPOLICYD] DEBUG: Module ‘Greylisting Plugin’ returned CBP_SKIP
[2022/06/09-13:56:59 – 128093] [CBPOLICYD] DEBUG: Running module: Quotas Plugin
[2022/06/09-13:56:59 – 128093] [CBPOLICYD] DEBUG: Module ‘Quotas Plugin’ returned CBP_CONTINUE
[2022/06/09-13:56:59 – 128093] [CBPOLICYD] DEBUG: Running module: Accounting Plugin
[2022/06/09-13:56:59 – 128093] [CBPOLICYD] DEBUG: Module ‘Accounting Plugin’ returned CBP_SKIP
[2022/06/09-13:56:59 – 128093] [CBPOLICYD] DEBUG: Done with modules
[2022/06/09-13:58:40 – 128093] [CBPOLICYD] DEBUG: Client closed connection => Peer: 127.0.0.1:48670, Local: 127.0.0.1:10031
[2022/06/09-13:58:40 – 128038] [CORE] INFO: Killing “1” children
[2022/06/09-13:58:40 – 128094] [CBPOLICYD] DEBUG: Shutting down caching engine (128094)
———————————————————————————————————
[2022/06/09-14:00:16 – 128096] [CORE] INFO: 2022/06/09-14:00:16 CONNECT TCP Peer: “[127.0.0.1]:49016” Local: “[127.0.0.1]:10031”
[2022/06/09-14:00:16 – 128038] [CORE] INFO: Starting “1” children
[2022/06/09-14:00:16 – 128096] [POLICIES] WARNING: [ID:4/Name:Default Internal]=>(group:internal_ips): – Resolved source ” to a IP/CIDR specification, but its INVALID: awitpt::netip::new(96): Failed to guess IP address version
[2022/06/09-14:00:16 – 128096] [POLICIES] WARNING: [ID:4/Name:Default Internal]: Error while processing source item ‘%internal_ips’, skipping…
Hi,
Please make sure port 10031 is already listening and applied in Postfix. You can check with the postconf | grep -i 10031 command
Hi Iman,
Thanks for the Good document, it really is helpful.
I have a small issue here, the mail sending quota is working perfectly. The below message does not come on Web Interface of zimbra after the quota is completed.
Sorry, your quota to send email has been full. please try again later after 1 hour (This is not working, I am only getting access denied, this will confuse the users. How do I resolve this issue? Please let me know.)
Thanks
HR
Hello,
It’s normal if you are using a single server. When you reach the quota, the verdict becomes reject (even though you chose delay/defer). I usually use a second MTA and apply policyd on that
My Zimbra -> My Second MTA (Zimbra+policyd)
Hello, can you please tell me how I can exclude a user from a policy, because I tried with !user@domain and I still receive logs for quotas
Hello,
Please try to restart/reload your zmcbpolicyd service