Zimbra Tips : How To Configure Rate Limit Sending Message on PolicyD

Posted by

Yesterday, i have been wrote article about how to install/enable Policyd on Zimbra 8.5. The following article can read at this link https://imanudin.net/2014/09/08/how-to-install-policyd-on-zimbra-8-5/. Now., i am will describe how to configure rate limit sending message with Policyd.

Why we must configuring rate limit sending message?

If there user have compromised password, spammer will sending email to outside with random email address receipt  and very much email have been sent. Usually, public IP address will have blacklisted on any RBL and cannot sending email to outside. To prevent it, we can use Policyd and configure rate limit sending message with quotas modules on Policyd. Quotas modules can prevent user@domain or other configuration can sending some email per minutes or per hours. For example, per users can sending maximum 200 emails per hours

How to configure it?

This is step by step how to configure it. Assuming you have been install/enable Policyd. If not, you can following this guidance https://imanudin.net/2014/09/08/how-to-install-policyd-on-zimbra-8-5/

Access Policyd WebUI via browser http://zimbraserver:7780/webui/index.php. Ensure your Zimbra service apache have been running

Select Policies | Groups. Select action and add groups. given name list_domain. On comment, you can empty or filled with comment. Select a group that has been made. On action, select members and fill with your domain. See the following example. make sure disabled status is no at groups or members groups

policyd-groups

Select Policies | Main. Create new policy and give name rate limit sending message. See the following example

policyd-new-poliyc

Select new policy has been made. On action, select members and fill with the group that has previously been made. Ensure disabled is no. See the following example

member-policy

policyd-policy-2

Select Quotas | Configure. Select action | add. fill with the following example

Name : Rate Limit
Track : sender:user@domain
Period : 3600
Link to policy : Rate Limit Sending Message
Verdict : Defer (delay)
Data : information who give to users if policy have been meet or you can empty. Example : Sorry, your quotas to sending email has been full. please try again later

policyd-new-quotas

If all selection has been configured, click Submit Query. Select new quotas that has previously been made | select action | Limits. Add limit and configure. See the following example

policyd-quotas-limit

Ensure disabled status is no

policyd-quotas-information

Above configuration will limit sending message from domain local to outside and outside to any domain with maximum message 200 email/user/hour. Please try to sending message to other domain and see the log information on /opt/zimbra/log/cbpolicyd.log

[2014/09/08-21:32:39 - 4871] [CORE] INFO: module=Quotas, mode=create, host=127.0.0.1, helo=mail, from=admin@imanudin.net, to=ahmadiman@gmail.com, reason=quota_create, policy=6, quota=3, limit=4, track=Sender:admin@imanudin.net, counter=MessageCount, quota=1.00/200 (0.5%)
[2014/09/08-21:32:39 - 4871] [CBPOLICYD] INFO: Got request #2 (pipelined)
[2014/09/08-21:32:39 - 4871] [CORE] INFO: module=Quotas, mode=update, host=127.0.0.1, helo=mail, from=admin@imanudin.net, to=ahmadiman@gmail.com, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:admin@imanudin.net, counter=MessageCount, quota=2.00/200 (1.0%)

Good luck and hopefully useful 😀

Let’s See the Video on Youtube

188 comments

  1. Hi!
    Your install script worked great! – Thank you!

    In testing .. (from a customer point of view) I received a pop-up.
    The Policy IS working .. but the message displayed thru the web browser is . . for the non technical confusing at best, and would make them think that email was broken.

    Is there any way to get a nice clean error message pop-up ?
    You can see my custom message below in the details (buried and difficult to interpret for an end user)

    ————————
    Zimbra
    Message not sent; one or more addresses were not accepted.
    Rejected addresses: myaddress@gmail.com

    —————————
    The details are as below:
    Details:

    method: [unknown]
    msg: Invalid address: myaddress@gmail.com. com.zimbra.cs.mailbox.MailSender$SafeSendFailedException: MESSAGE_NOT_DELIVERED; chained exception is: com.zimbra.cs.mailclient.smtp.InvalidRecipientException: RCPT failed: Invalid recipient myaddress@gmail.com: 554 5.7.1 : Sender address rejected: We regret to inform you that you have exceeded the Maximum number of Outbound eMails sent from your account in the past (1) hour. This could mean that your eMail account has been compromised. Please contact our Support Team As-Soon-As- Possible to assist you.
    code: mail.SEND_ABORTED_ADDRESS_FAILURE
    detail: soap:Sender
    trace: qtp509886383-1200:https://10.33.0.10:8443/service/soap/SendMsgRequest:1418768691079:60ca411d62d88290
    request:
    Body: {
    SendMsgRequest: {
    _jsns: “urn:zimbraMail”,
    m: {
    e: [
    // [0]:
    {
    a: “myaddress@gmail.com”,
    t: “t”
    },
    // [1]:
    {
    a: “myaddress@mydomain.com”,
    p: “Gregory”,
    t: “f”
    }
    ],
    idnt: “e07958b1-c890-4a0c-b0d2-98ee333558c2”,
    mp: [
    // [0]:
    {
    ct: “multipart/alternative”,
    mp: [
    // [0]:
    {
    content: {
    _content: ”


    },
    ct: “text/plain”
    },
    // [1]:
    {
    content: {
    _content: “”
    },
    ct: “text/html”
    }
    ]
    }
    ],
    su: {
    _content: “cbPolicyd TEST @ 325p”
    }
    },
    suid: 1418768690803
    }
    },
    Header: {
    context: {
    _jsns: “urn:zimbra”,
    account: {
    _content: “myaddress@mydomain.com”,
    by: “name”
    },
    authToken: “(removed)”,
    csrfToken: “0_cf8bf65f29d38112d0ccac0337e31f60ed2c9efc”,
    notify: {
    seq: 90
    },
    session: {
    _content: 12,
    id: 12
    },
    userAgent: {
    name: “ZimbraWebClient – GC39 (Mac)”,
    version: “8.5.1_GA_3056”
    }
    }
    }

    1. Hi Gregory,

      I have not know how to change error message. But user can take error message on this section has been your created :

      Sender address rejected: We regret to inform you that you have exceeded the Maximum number of Outbound eMails sent from your account in the past (1) hour. This could mean that your eMail account has been compromised. Please contact our Support Team As-Soon-As- Possible to assist you.

      1. For the records, I was able to implement my needs, by creating a quota restriction on message count for a group of users for small period of time (say 30 sec for example).
        Thus, when a users sends a message to more than X recipients he will get his message rejected.

  2. Hi,

    Successfully implemented Policyd on ZImbra 8.5 based on your tutorial. I have some doubts.

    1- Quota is counting 1 e-mail message as 2 (one for reason=create and another one is for reason=update), so if i set 200 as quota limit i can send only 100 e-mails based on this scenario. How to make policyd count 1 mail message (to one recipient) as 1 quota count?

    2- I have 6 domains configured in zimbra (eg. a.com, b.com, c.com). Some of the domains are 90% communicating with external customers (so that domain users need to send more external mails) I have 1 policy for all users which is having quota limit of 50 external mails per day (Policy Member are Source- % abc_domains and Destination- !%abc_domains)
    And i have another Policy (group with external communicating domains) which is having a quota limit of 200 external mails per day (Policy Members are Source – %special_users and Destination – !%abc_domains)

    After Creating this new Policy for special users i have added exception in 1st policy as below, (This Policy have priority of 10 and special users policy have priority 8)
    Source – %abc_domains,!%special_users and the destination – !%abc_domains

    My aim is to make all users can send 50 mails to external domain per day and special users/domains can send 200 mails to external domain per day.

    Thanks in advance.

    Regards,

    Nashi Backer.

    1. Hi Nashi,

      1. If using Webmail for sending email, PolicyD will counting 2 email for 1 email sending. If using email clients such as Thunderbird, Outlook and other, PolicyD will counting only 1. You can check it
      2. Wow, nice idea and good purpose. You also can make 2 Policy like this :
      – for special account
      special_account -> !%abc_domains
      – for all account
      !special_account -> !%abc_domains

      1. As for “PolicyD will count 2 emails for 1 email sent from webmail” I noticed it’s true for Zimbra v.8 (mine is 64-bit version on Ubuntu), but it regularly counts just 1 mail for Zimbra v.7 (mine is 32-bit version on Centos).

  3. Hi, thanks for your tutorial. I have implemented this on my server but the log report only:
    [2015/05/13-11:30:55 – 5832] [CBPOLICYD] INFO: Got request #31 (pipelined)

    nothing about: [CORE] INFO: module=Quotas, mode=update,…
    Can you help me?

    1. Hi Stefano,

      Sorry for a late response. Are you have been make sure all policy you are create already changed disable from yes into no?

  4. Hi Iman,

    Thanks for you quick reply.
    Second point is success but i’m using MS Outlook 2013 still its counting as 2 for 1 mail.

    Thank you very much for the 2nd point.

  5. We are having 2 domains in same server & having total of 1600 users & 25 (DL) distribution list having 10 to 30 users added in each DL . I have implemented cbpolicyd bcoz of spamming. after some days users complaining us, that they are not able to send group mail i.e. DL.

    So tell me how can I set unlimited mail to internal domain or particular domain

    1. Hi Rafi,

      The default configuration in this article is nothing limitation for sending/receive from domain local. If you have other domain, you only need to add in group list_domain

  6. Hello,
    Excellent article .
    I would like to implement the following rule:
    Limit sending emails from my domain per minute , but apply a rule to release some email send without restriction.
    How could ride this rule ?
    Thank you!

    1. Hi Leonardo,

      You can create Main Policy with content source : some user and destination : user/domain. You can create as many as you need

  7. hello, good afternoon, I just finished configure my mail server after one entire day, everything works fine, but when i tried to configure policyd, i get an error. policyd does not start never. is the only service not running, i can access to the webgui but service never start. I appreciatte if you know something about this issue.

    1. Hi,

      Please paste the result of above command :

      su - zimbra
      zmcontrol status
      zmprov gs mail.imanudin.net | grep -i zimbraserviceinstall
      zmprov gs mail.imanudin.net | grep -i zimbraserviceenable
      

      Note : Please change mail.imanudin.net with your hostname

  8. Hi, thanks for this clear manual!
    I am trying to create an exeption for this rule, so that some users can send 1000 messages per hour to outside (any)
    I created a new policy and group (domain_users_1000) , with some individual email addresses.
    I added this policy member:
    %domain_users_1000 destination any
    I have set the priority to 10, and for list_domains to 20
    But it is stil not working fine….
    What am i doing wrong?

    1. I did not make a exeption in the first rule…

      So now the first rule has thes policy memebers:
      Source: %list_domain,!%domain_users_1000
      Destination: !list_domain

      Now it is is working fine!

  9. Jan 28 12:34:57 mail amavis[2172]: (02172-01) 7PKs2UOlKm7u FWD from -> , BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 8DCCF7C2296
    Jan 28 12:34:57 mail amavis[2172]: (02172-01) Passed CLEAN {RelayedInbound}, -> , Message-ID: , mail_id: 7PKs2UOlKm7u, Hits: -1.9, size: 438, queued_as: 8DCCF7C2296, 1231 ms
    Jan 28 12:34:57 mail postfix/smtp[4721]: 4D61D7C2345: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=1.4, delays=0.09/0.06/0.01/1.2, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 8DCCF7C2296)

  10. Can the webui be password protect to prevent unauthorized access? If not, how do we disable webui after we are done?

  11. I also realize that the delay does not work and function like reject once the quota is reach. Instead of delay, an email that exceed the quota simply get rejected.

    1. Hi,

      I agree with you for this statement. I think this caused you are is normal user, not as spammer.

      If you have simple program for send bulk mail, all email will delay after get maximum email/hours 😉

  12. Thanks a lot for the tutorials on Policyd. Working just fine for me! Before this rules I had problems with users that compromised their passwords.

  13. Is there any way to set password to this administration panel?. Also at “Sender:user@domain” do i need to add my domain instead of “domain”?.

  14. Hi,

    I my mails are in Deferred Queues for long time, It is taking 2 to 3 hours to deliver. Can any one help me with this why it is taking too time to deliver the Mail.

  15. Hi Iman,
    Thank you for you post. It worked perfect on webmail.
    But when I config accounts on Microsoft Outlook, and then sent email from outlook.
    and “cat /opt/zimbra/log/cbpolicyd.log”, there’s no any log for that email.
    I have check & see that: there’s a different from webmail & outlook, webmail using port 25 to send mail, outlook use port 587 to send mail, maybe that’s problem.
    please help checking this issue, I want to count all emails from webmail and outlook both.

      1. I have ran that command, but It was the same. I send 1 email from outlook and take that logs:
        [2016/07/25-08:26:28 – 30292] [CBPOLICYD] WARNING: Client closed connection => Peer: 127.0.0.1:52271, Local: 127.0.0.1:10031
        [2016/07/25-08:26:28 – 30287] [CORE] INFO: Killing “1” children
        [2016/07/25-08:26:43 – 30287] [CORE] INFO: Starting “1” children
        [2016/07/25-08:26:43 – 91933] [CORE] INFO: 2016/07/25-08:26:43 CONNECT TCP Peer: “[127.0.0.1]:52308” Local: “[127.0.0.1]:10031”
        [2016/07/25-08:26:43 – 91933] [CBPOLICYD] INFO: Got request #1

          1. Hi iman,
            Here’s the result:
            smtpd_end_of_data_restrictions = check_policy_service inet:localhost:10031
            smtpd_recipient_restrictions = check_policy_service inet:localhost:10031, reject_non_fqdn_recipient, permit_mynetworks, reject_unlisted_recipient, reject_non_fqdn_sender, permit

          2. Hello,

            Please try this guidance :

            su - zimbra
            vi /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf
            

            Add the following line on the top

            %%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:@@cbpolicyd_bind_port@@%%
            
            zmcontrol restart
            
      2. Hi imanudin,
        I have the save problem and i added ”%%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:@@cbpolicyd_bind_port@@%%” the following line on the top of file ”smtpd_sender_restrictions.cf”
        But that not fix my problems.
        This is my server infomation:
        [zimbra@ zmconfigd]$ zmprov gacf | grep -i 10031
        zimbraCBPolicydBindPort: 10031
        zimbraMtaRestriction: check_policy_service inet:127.0.0.1:10031
        [zimbra@ zmconfigd]$ postconf | grep -i 10031
        smtpd_end_of_data_restrictions = check_policy_service inet:localhost:10031
        smtpd_recipient_restrictions = check_policy_service inet:localhost:10031, reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_recipient, reject_invalid_helo_hostname, reject_non_fqdn_sender, permit
        [zimbra@zmconfigd]$ zmcontrol -v
        Release 8.8.12_GA_3794.RHEL6_64_20190329045002 RHEL6_64 FOSS edition, Patch 8.8.12_P1 proxy.
        Please help me!!

        1. Hello,
          You can open file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add this line at the first line

          check_policy_service inet:localhost:10031
          
  16. Beside that,
    I don’t know why the counter is so confused, It automatically reset so the counter is just 1 for all, please check these logs:
    [2016/07/25-08:39:02 – 30287] [CORE] INFO: Starting “1” children
    [2016/07/25-08:39:02 – 30290] [CORE] INFO: 2016/07/25-08:39:02 CONNECT TCP Peer: “[127.0.0.1]:52381” Local: “[127.0.0.1]:10031”
    [2016/07/25-08:39:02 – 30290] [CBPOLICYD] INFO: Got request #1
    Use of uninitialized value in multiplication (*) at /opt/zimbra/cbpolicyd/lib/policyd-2.1/cbp/modules/Quotas.pm line 181.
    Use of uninitialized value in subtraction (-) at /opt/zimbra/cbpolicyd/lib/policyd-2.1/cbp/modules/Quotas.pm line 186.
    Use of uninitialized value in addition (+) at /opt/zimbra/cbpolicyd/lib/policyd-2.1/cbp/modules/Quotas.pm line 262.
    Use of uninitialized value in addition (+) at /opt/zimbra/cbpolicyd/lib/policyd-2.1/cbp/modules/Quotas.pm line 318.
    [2016/07/25-08:39:02 – 30290] [CORE] INFO: module=Quotas, mode=update, host=210.245.27.184, helo=phunp3.fptdata.net, from=hahlv@phunp3.fptdata.net, to=ha.hoang@itt.vn, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:hahlv@phunp3.fptdata.net, counter=MessageCount, quota=1.00/3 (33.3%)
    [2016/07/25-08:39:03 – 30290] [CBPOLICYD] INFO: Got request #2 (pipelined)
    [2016/07/25-08:39:30 – 30290] [CBPOLICYD] INFO: Got request #3 (pipelined)
    Use of uninitialized value in multiplication (*) at /opt/zimbra/cbpolicyd/lib/policyd-2.1/cbp/modules/Quotas.pm line 181.
    Use of uninitialized value in subtraction (-) at /opt/zimbra/cbpolicyd/lib/policyd-2.1/cbp/modules/Quotas.pm line 186.
    Use of uninitialized value in addition (+) at /opt/zimbra/cbpolicyd/lib/policyd-2.1/cbp/modules/Quotas.pm line 262.
    Use of uninitialized value in addition (+) at /opt/zimbra/cbpolicyd/lib/policyd-2.1/cbp/modules/Quotas.pm line 318.
    [2016/07/25-08:39:30 – 30290] [CORE] INFO: module=Quotas, mode=update, host=210.245.27.184, helo=phunp3.fptdata.net, from=hahlv@phunp3.fptdata.net, to=ha.hoang@itt.vn, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:hahlv@phunp3.fptdata.net, counter=MessageCount, quota=1.00/3 (33.3%)
    [2016/07/25-08:39:30 – 30290] [CBPOLICYD] INFO: Got request #4 (pipelined)

  17. Hello Iman, do you know how to limit smtp connections on zimbra, because my ISP is always blocking my outgoing mail because there is too many concurrent connections. and they told me to set this to 10

  18. Hello Iman, is there any option that allow me to limit emails send by user to like 100 per hour and if they reach limit then all other emails go to hold queue. And after one hour it requeue another 100 mails of that user ?

    1. Hi mas,

      Panduan ini merujuk pada nama domain. Jika 10 user tersebut domainnya sama, maka akan secara otomatis terkena limitasi juga. Jika nama domainnya berbeda-beda, silakan tambahkan domain yang kedua dan seterusnya pada group list_domain

      1. Hai mas Iman

        Terima kasih atas pencerahannya bermanfat sekali soalnya IP saya sering diblock ISP karena diaggap broadcast spam. Fitur keamanan apa lagi yah mas yang cukup efektif untuk masalah ini?

  19. Hello iman,

    i have followed your manual and successfully got it running. but for testing i have set the sender limit to 5 but it is still sending out without any message or action taken.

    i get in the log only that:

    [2016/11/18-13:27:14 – 3907] [POLICIES] INFO: [ID:1/Name:Default]: Source matching result: matched=1
    [2016/11/18-13:27:14 – 3907] [POLICIES] INFO: [ID:1/Name:Default]: Destination matching result: matched=1
    [2016/11/18-13:27:14 – 3907] [POLICIES] INFO: [ID:2/Name:Default Outbound]: Source matching result: matched=0
    [2016/11/18-13:27:14 – 3907] [POLICIES] INFO: [ID:3/Name:Default Inbound]: Source matching result: matched=0
    [2016/11/18-13:27:14 – 3907] [POLICIES] INFO: [ID:4/Name:Default Internal]: Source matching result: matched=0
    [2016/11/18-13:27:14 – 3907] [POLICIES] INFO: [ID:5/Name:Test]: Source matching result: matched=0
    [2016/11/18-13:27:14 – 3907] [CBPOLICYD] INFO: Got request #2 (pipelined)
    [2016/11/18-13:27:14 – 3907] [CBPOLICYD] INFO: Got request #3 (pipelined)

      1. Hi iman,

        thanks, i just overlooked some “disabled” and changed it to “enable”

        now it is working and zimbra passes me the message from the MTA which i have set.

        thank you – very good manual

          1. Hi Iman,

            sorry to bother again; i have 1 more question:

            1) how can i exclude single users from policies?

            as we want to set a limit for outbound messages per hour but we need to exclude single users from that.

            Can this be done by adding specific rules for these users?

            thanks a lot

            flunda

  20. Hi,

    but then i have to create for every excluded user an own policy right? As i have found that i cannot exclude myaccount from my domain when i have it in the same policy

  21. Hi Iman,

    Thank you very much for this tutorial.
    I have deployed this rate limit in my Zimbra 8.7 server but I need an email notification alert when this threshold matched. Can you please let me know how I can achieve this?

    Many Thanks,
    Russel

  22. Hi Iman,
    Thank you very much for this useful tutorial.
    Maybe you can help me.
    I configured limit per day. How can I reset the counter, if the need arises? How do I know which user sent most emails?
    Thank you.

    1. I’ve installed phpLiteAdmin and open database of PolisyD. So I was able to reset the counter. It is uncomfortable but acceptable way.
      Other question: is there a way to send a message to an administrator if a user has reached the limit?
      Thank you.

      1. Hi,

        By default, PolicyD do not have notification feature to sending email if reached the limit. Maybe you can create simple script to do that based on grep the log

    2. Finally, I found that the limit applies not only to outgoing messages, but also incoming. In database the addresses of incoming and outgoing in the same list. I have set a limit 4 letter and can not get more than 4 letters. This is unacceptable. We must receive without limit, and limit sending.

  23. Hi Iman,

    sorry but finally i also found that excluding seams not to be working or i am doing something wrong?

    I have one policy for limiting the sending rate, but i want to exclude single users from that policy so i have set another policy with higher priority and another sending limit.

    But only the one with limiting the whole domain does work.

    Any advise?

    thanks a lot!!

    1. i have just configured only one policy where i am explicitly excluding a user with !username@domain.com and if not this user sends emails, then the policy counts and if the user who is excluded sends, then the policy does not count.
      But this is a bit strange as when i am configuring another policy, the first stopps working.

      What is the proper way to set a limit for only one domain for each user but exclude only one from this policy?

      pls help

      thanks!!!!

    2. Hi,

      On the rate limit sending message policy that have been created, you can change policy member so that like below :
      from -> Source : %list_domain
      become -> Source : !excludeuser@yourdomain

  24. Apakah dengan menggunakan PolicyD rate limit delay seperti diatas, jika sudah mencapai kuota email yang lainnya akan terkirim automatis setelah batas waktu habis atau kita harus mengirim ulang?

    Terima kasih.

    1. Hi mas Angga,

      Jika sudah terkena limit, pengiriman normal akan langsung di reject dan ada pesan. Namun jika pengiriman by robot, tidak ada pesan pada pengirim dan masuk pada antrian email. Jika batas waktu habis, email antrian akan otomatis dikirim kembali

      1. maksud nya antrian email queue email yah mas….berarti bisa terkirim dong ke tujuan kalo ada di queue….kalo terkirim berarti spammer berhasil dong kirim email …?

        1. Hi mas Rony,

          Benar mas. email akan terkirim ke tujuan jika masih ada di Queue. Tujuannya adalah untuk mempermudah email tersebut dikirim dari user siapa dan user mana yang suspect melakukan spamming. Jika email langsung di drop, untuk ngeceknya agak susah.

  25. Thank you Iman, for this article and video.

    I have installed policyd on my zimbra 8.6. and enabled tracking based on user@domain.com.

    If the user is sending one mail to 10 addresses, it is counting as 20 mails. it is creating problem.

    Can you please help me how to rectify this issue. Any help in this regard is highly appreciated.

    Thanks,
    Kondaiah

    1. Hi Kondaiah,

      If you sending from webmail, email will counting 2 email on PolicyD. But, if you sending email from email client (Thunderbird, Outlook, etc), the email will counting as one

      1. Hi iman,

        do you know if this will be fixed with the next release? Also that it is counting both inbound and outbound messages, this should also be fixed

  26. Hi, iman,
    How can I release a specific user not be afected by the rule? we use a account to sendo e-mail from um monitoring system and on events can pass the limit.
    Tks for your work.

    1. Hi Hilton Carvalho,

      You can configure on source Policy as follows

      Source : !monitoring@imanudin.net,!admin@imanudin.net
      Destination : !@imanudin.net

      The above configuration will pass rate limit if sender from monitoring and admin

  27. Dear Imran,
    First thank for provide such useful article. i have zimbra 8.6 network edition, i configure policyd configuration as per your guide and set all user send 2000/day limit, but many time user try to send mail to internal domain user getting error – sender address rejected, and require to try mail again many times we also get such complain from many user’s.

    1. Hi Bakul Goswami,

      If you follow my guidance, send/receive email from local domain will not counting as limitations. Please make sure you have been configured like this

      Source : @list_domain Destination : !@list_domain
      
  28. Thank you for the how to. If I set member as @mydomain.com is see this in the log:

    [2017/06/10-15:03:58 – 4690] [CORE] INFO: module=Quotas, mode=update, host=127.0.0.1, helo=mail.server.com, from=me@mydomain.com, to=test@gmail.com, reason=quota_update, policy=7, quota=3, limit=4, track=Sender:me@mydomain.com, counter=MessageCount, quota=8.79/150 (5.9%)

    However, if I set member to “user@domain” (this is exactly what I entered), then nothing shows up in the log. Since I have over 40 domains on my server, what can I use so I don’t have to enter a member for each domain?

  29. Thank you iman. I did notice that also enforces the quota for incoming mail as well. Not sure I want to do that.

    Thanks to you not only do I have quota module working, but I learned enough to get greylisting module working as well!!!

  30. Each time I send an email with the quota configured it counts as two emails. Can anyone help me configure to only count as one email ?

    2017/07/17-16:32:53 – 7591] [CBPOLICYD] INFO: Got request #10 (pipelined)
    [2017/07/17-16:32:53 – 7591] [CORE] INFO: module=Quotas, mode=update, host=208.xxx.xxxxx, helo=xxxxx.xxxx.com, from=root@xxxxxx.xxx.com, to=xxxxxx@xxxxxx.com, reason=quota_update, policy=9, quota=8, limit=9, track=Sender:root@xxxxxxxx.xx.com, counter=MessageCount, quota=11.70/200 (5.9%)
    [2017/07/17-16:32:53 – 7591] [POLICIES] INFO: [ID:11/Name:Rate Limit Sending Messages]: Source matching result: matched=0
    [2017/07/17-16:32:53 – 7591] [POLICIES] INFO: [ID:12/Name:Rate Limit Sending Messages]: Source matching result: matched=1
    [2017/07/17-16:32:53 – 7591] [POLICIES] INFO: [ID:12/Name:Rate Limit Sending Messages]: Destination matching result: matched=1
    [2017/07/17-16:32:53 – 7591] [CBPOLICYD] INFO: Got request #11 (pipelined)
    [2017/07/17-16:32:53 – 7591] [CORE] INFO: module=Quotas, mode=update, host=208.xxx.xxx, helo=xxxxxx.xxx.com, from=root@xxxxxx.xx.com, to=xxxxxx@xxxxxx.com, reason=quota_update, policy=9, quota=8, limit=9, track=Sender:root@xxxxxx.xxx.com, counter=MessageCount, quota=12.70/200 (6.4%)
    [2017/07/17-16:33:10 – 7592] [POLICIES] INFO: [ID:11/Name:Rate Limit Sending Messages]: Source matching result: matched=0
    [2017/07/17-16:33:10 – 7592] [POLICIES] INFO: [ID:12/Name:Rate Limit Sending Messages]: Source matching result: matched=1
    [2017/07/17-16:33:10 – 7592] [POLICIES] INFO: [ID:12/Name:Rate Limit Sending Messages]: Destination matching result: matched=1
    [2017/07/17-16:33:10 – 7592] [CBPOLICYD] INFO: Got request #4 (pipelined)

    1. Hello,

      If you send from webmail, quota will counting twice. But if you send from email client with port 465 or 587, quota will counting once. You can configure when send from webmail quota counting once, but if you send from email client (port 465 and 587) quota will not counting

      1. How to fix it?
        Because I want counter via webmail and email clients same.
        Thank you!

        If you send from webmail, quota will counting twice. But if you send from email client with port 465 or 587, quota will counting once. You can configure when send from webmail quota counting once, but if you send from email client (port 465 and 587) quota will not counting

  31. Thanks Iman for such a nice article . Can you please let me know how to bypass “out of office” message in zimbra 8.x on policyd . my users are using lot of out of office . In zimbra log they seem to come from mail id for all the messages , so sender seems to be one i.e in all the out of messages for 10K+ users . zimbra.log say “postfix/smtpd[20819]: NOQUEUE: reject: RCPT from server.doamin.com[x.x.x.x]: 554 5.7.1 : Sender address rejected: Sorry your sending quota is full please try again ; from= to= proto=ESMTP helo=”

  32. Hi Iman,

    First I want to thank you a lot for making this nice tutorial.
    I’ve configured it and its working fine on my CentOS server with iRedmail. for test purpose I’ve set the limit to 1 email / minute and have set the Verdict to DEFER so its preventing me to send more than 1 mail if I use Roundecube.

    Now I tried with bulk mailing software. My mission is to delay the emails and send after the time period automatically by the server.

    But the problem comes when I try to send the emails from the bulk mailer software its still giving me the same error on my software. I’ve tried 2 different software but result is same.

    >>>smtp.domain.com to myemailid@gmail.com sending failed. Message: “: Recipient address rejected: Sorry, your quotas to sending email has been full. please try again later | | “<<<

    Can you please tell me what can I do to fix this?

    Thanks in advance.

    1. Hi Serazum Munir,
      If your email exist on Queue, you can ignore the error. I am also getting same problem when using bulk email. But email exist on Queue 🙂

  33. For your support I had configured policyd. It can be worked at the beginning,but when more and more user online and send the email,a lot of mail send failure .
    so i checked zimbra.log and cbpolicyd.log

    zimbra.log

    “mail postfix/smtpd[19969]: warning: problem talking to server localhost:10031: Connection timed out
    mail postfix/smtpd[19969]: NOQUEUE: reject: RCPT from unknown[x.x.x.x]: 451 4.3.5 : Sender address rejected: Server configuration problem; from= to= prot
    o=ESMTP helo=”

    “mail postfix/smtps/smtpd[22452]: warning: problem talking to server localhost:10031: Connection timed out
    mail postfix/smtps/smtpd[22452]: NOQUEUE: reject: RCPT from unknown[x.x.x.x]: 451 4.3.5 : Sender address rejected: Server configuration problem; from= to= prot
    o=ESMTP helo=”

    cbpolicyd.log

    “[CBPOLICYD] NOTICE: Timed out after 1020s from => Peer: 127.0.0.1:53213, Local: 127.0.0.1:10031”

    Do you have the way to fix this issue. Thanks

        1. Hi Siomon,
          You can change configuration directly on your server. If still get same problem, you can add Zimbra and configure with large deployment

  34. Dear Iman ,
    today i am facing issue , one my user send 7 mb of file for 260 users after he send my outlook showing receiving error
    what i can do right now please help me to resolve this issue

  35. Hallo mas iman,

    Jika saya ingin melimitasi pengiriman per request kirim bagaimana ya ? bukan per alamat tujuan..

    Btw thanks mas iman, saya banyak belajar dari anda

  36. Great tutorial!
    Tell me how can I monitor the domain quota? I would like to monitor by zabbix.

  37. Thanks gan tutorial nya berhasil di implementasikan di mail server saya,

    setelah beberapa hari saya mendapat serangan dri spam dengan log berikut, dia bisa melebihi batas limit untuk sending email, mohon pencerahanya gan,

    [2018/06/07-09:48:24 – 26610] [CORE] INFO: module=Quotas, action=defer, host=192.168.0.203, helo=mail.touchpoint.cloud, from=, to=info@hafidzcyber.web.id, reason=quota match, policy=6, kuota=3, limit=4, track=Sender:, counter=MessageCount, quota=201.85/200 (100.9%)

    1. Hi mas,
      Jika dilihat dari lognya, pembatasannya sudah berjalan dan tidak melebihi yang ditentukan. Adapun persentase melebihi, itu wajar. Karena email yang hendak melebihi sudah melakukan koneksi. Sehingga persentasenya seperti itu

      1. Thank mas atas reply nya,
        klo si spam tersebut terus menerus kirim email ke akun yg tidak ada di mail server bermasalah atau tdk terhadapat performa servernya?
        karna dri sipengirim nya tidak ada lamat email (from=,) hanya ada tanda koma

  38. I am using Zimbra Collaboration Server 8.7.11 and I have created rate limit policy and it’s working perfectly fine. Now, I want to allow a single user to send more emails than allowed limit. For this, do I need to create a separate policy or I can add this user in same policy !user@domain.com.

    Would be great if you can help me this.

  39. Hi, Iman, thanks for sharing. I have version 8.8.8 and I have installed Cbpolicyd to limit the sending of emails as indicated in this guide.

    The problem is that each recipient is taken as a sent email and this complicates the use of distribution lists. In addition, when a user exceeds the limit, the emails are rejected instead of being sent to the deferred queue. Has this happened in your implementations? Have you managed to fix it?

    Thank you very much.

    regards

    1. Hi Andres,
      – Yes, when a user exceeds the limit. Email will reject. This happen caused email came from normal user/activity
      – I am usually limit all email that sent into the internet. But, no limitation if sent into the internal domain

  40. Hi Iman, first of all I would like to thank you for sharing this wonderful tutorial, I did implemented it on our server. I was wondering why was there a delay in delivering an email approx 30 minutes to 40 minutes after I have implemented this, where could I be possibly wrong?

    Regards,

    1. Hi Chito,

      You can see log cbpolicyd in /opt/zimbra/log/cbpolicyd.log. Whether your account already maximum rate limit or not. Implement rate limit should not delay every normal email

  41. Hi Iman,
    I have enabled cbpolicyd on my zimbra 8.7.7 version, but i couldn’t get log in /opt/zimbra/log/cbpolicyd.log.. please see my below logs are updating in my system.

    *************
    [2018/09/18-01:26:50 – 4855] [CBPOLICYD] INFO: Got request #1
    [2018/09/18-01:26:50 – 4855] [CBPOLICYD] INFO: Got request #2 (pipelined)
    [2018/09/18-01:26:50 – 4855] [CBPOLICYD] INFO: Got request #3 (pipelined)
    [2018/09/18-01:27:46 – 4855] [CBPOLICYD] INFO: Got request #4 (pipelined)
    [2018/09/18-01:27:46 – 4855] [CBPOLICYD] INFO: Got request #5 (pipelined)
    [2018/09/18-01:27:46 – 4855] [CBPOLICYD] INFO: Got request #6 (pipelined)
    **********************************************

    Help me to enable the same, also i have limit 3 mails only per hour, that is also not working.

    Regards,
    Balaji

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.