Zimbra Tips: How To Protect Policyd WebUI

This post is still about Policyd. When you access the Policyd web UI, it does not ask for a username and password, so anyone can reach the Policyd configuration through it. There are three ways to protect the web UI. First, stop Zimbra's Apache service with zmapachectl stop. Second, restrict access with a firewall. Third, require a username and password with htaccess. Of the three options, I recommend the third. This is how to protect the Policyd web UI with a username and password using htaccess.

cd /opt/zimbra/cbpolicyd/share/webui/
vi .htaccess

Fill it with the following lines:

AuthUserFile /opt/zimbra/cbpolicyd/share/webui/.htpasswd
AuthGroupFile /dev/null
AuthName "User and Password"
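AuthType Basic

# No <Limit GET> wrapper here: inside <Limit>, "require" covers only the listed methods, leaving others such as POST unauthenticated
require valid-user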

Create the htpasswd file with a username and password:

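touch .htpasswd
# -c creates the file; -b takes the password from the command line, where it is visible in shell history and the process list
/opt/zimbra/httpd/bin/htpasswd -cb .htpasswd USERNAME PASSWORD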

Replace USERNAME and PASSWORD with the username and password you want. Then edit Zimbra's Apache httpd.conf:

vi /opt/zimbra/conf/httpd.conf

Add the following configuration at the bottom:

Alias /webui /opt/zimbra/cbpolicyd/share/webui/
<Directory /opt/zimbra/cbpolicyd/share/webui/>
# AllowOverride AuthConfig lets the .htaccess file in this directory apply its Auth* and Require directives
AllowOverride AuthConfig
Order Deny,Allow
Allow from all
</Directory>

Restart the Zimbra Apache service:

su - zimbra -c "zmapachectl restart"

Update 27 Jan 2020

For Zimbra 8.8.X

Thanks to Fayaz Khan for the guidance

cd /opt/zimbra/common/share/webui/
vi .htaccess

Fill it with the following lines, then save:

AuthUserFile /opt/zimbra/common/share/webui/.htpasswd
AuthGroupFile /dev/null
AuthName "User and Password"
AuthType Basic
require valid-user

Create the .htpasswd file with a username and password:

touch .htpasswd
/opt/zimbra/common/bin/htpasswd -cb .htpasswd user password

Edit httpd.conf:

vi /opt/zimbra/conf/httpd.conf

Please add these lines at the bottom

Alias /webui /opt/zimbra/common/share/webui/
<Directory /opt/zimbra/common/share/webui/>
# AllowOverride AuthConfig lets the .htaccess file in this directory apply its Auth* and Require directives
AllowOverride AuthConfig
Order Deny,Allow
Allow from all
</Directory>

Restart the Zimbra Apache service:

su - zimbra -c "zmapachectl restart"

Try to access the Policyd web UI in a browser. It should ask for a username and password, as in the following picture:

policyd-webui
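
Before restarting Apache, the two edited files can be checked for the mistakes this procedure tends to produce: typographic quotes or dashes pasted from a web page, a `<Limit>` wrapper around `require`, a directive lost to a missing space, and `AllowOverride` placed outside a `<Directory>` block. The script below is an added example, not code from the original post or from Zimbra; the function names and the sample files are constructed here for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: lint the two files the tutorial edits.
# Each function prints one finding per line and nothing when the file passes.

lint_htaccess() {    # $1 = path to the webui .htaccess
    # Quotes or dashes pasted from a web page arrive as non-ASCII bytes.
    if [ "$(LC_ALL=C tr -d '\000-\177' < "$1" | wc -c)" -gt 0 ]; then
        echo "htaccess: non-ASCII bytes (typographic quote or dash?)"
    fi
    # Inside <Limit>, Require applies only to the listed methods.
    if grep -Eiq '^[[:space:]]*<Limit[[:space:]]' "$1"; then
        echo "htaccess: Require inside <Limit> leaves other HTTP methods unauthenticated"
    fi
    # A missing space (AuthTypeBasic) means the directive is not recognised.
    for d in AuthType AuthName AuthUserFile Require; do
        grep -Eiq "^[[:space:]]*$d[[:space:]]" "$1" || echo "htaccess: no $d directive"
    done
}

lint_httpd_conf() {  # $1 = httpd.conf, $2 = directory named on the Alias line
    awk -v dir="$2" '
    BEGIN { sub(/\/$/, "", dir) }
    { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }
    low ~ /^#/ { next }
    low ~ /^<directory[ \t]/ {
        depth++; path = line; sub(/^[^ \t]+[ \t]+/, "", path)
        sub(/>[ \t]*$/, "", path); gsub(/"/, "", path); sub(/\/$/, "", path)
        inweb = (path == dir); next
    }
    low ~ /^<\/directory>/ { depth--; inweb = 0; next }
    low ~ /^allowoverride[ \t]/ {
        if (depth == 0) print "httpd.conf line " NR ": AllowOverride outside <Directory>"
        else if (inweb && low ~ /[ \t](authconfig|all)([ \t]|$)/) ok = 1
    }
    END { if (!ok) print "httpd.conf: .htaccess auth not enabled for " dir }
    ' "$1"
}

demo() {             # constructed sample files, not taken from a real server
    t=$(mktemp -d)
    printf '%s\n' 'AuthName “User and Password”' 'AuthType Basic' \
        '<LIMIT GET>' 'require valid-user' '</LIMIT>' > "$t/.htaccess"
    printf '%s\n' 'Alias /webui /opt/zimbra/common/share/webui' \
        'AllowOverride AuthConfig' > "$t/httpd.conf"
    lint_htaccess "$t/.htaccess"
    lint_httpd_conf "$t/httpd.conf" /opt/zimbra/common/share/webui/
    rm -rf "$t"
}
demo
```

To check a real server, replace the `demo` call with the two lint calls pointed at the web UI's .htaccess and /opt/zimbra/conf/httpd.conf.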

Good luck and hopefully useful 😀

76 comments

  1. edit http.conf
    open

    #LoadModule rewrite_module modules/mod_rewrite.so

    and change all

    AllowOverride None

    to
    AllowOverride All

  2. I did the above config but I’m not able to access the web; it shows the below error

    Internal Server Error

    The server encountered an internal error or misconfiguration and was unable to complete your request.

    Please contact the server administrator at you@example.com to inform them of the time this error occurred, and the actions you performed just before this error.

    More information about this error may be available in the server error log.

      1. Hi Iman; I checked httpd.conf and I don’t see any mistake

        SSLRandomSeed startup builtin
        SSLRandomSeed connect builtin

        Alias /webui /opt/zimbra/cbpolicyd/share/webui/

        # Comment out the following 3 lines to make web ui accessible from anywhere
        AllowOverride AuthConfig
        Order Deny,Allow
        Allow from all

        1. I got the same issue and I proceeded to add # to the 3 lines and restart, then remove the # and restart. Now it prompts for login, but the login refused to let me in despite entering the correct login name and password!

          1. Got it to work. The issue was due to typo error in .htaccess due to a missing spacing.

  3. Hello, getting this error when starting http server:

    zmapachectl start
    Starting apache…httpd: Syntax error on line 148 of /opt/zimbra/conf/httpd.conf: Cannot load modules/libphp5.so into server: libaspell.so.15: cannot open shared object file: No such file or directory

    1. Hello,

      Have you not installed Zimbra Spell? If yes, please install the aspell package from your Linux distribution and try to restart Zimbra Apache again 🙂

  4. Hello Iman,

    As you can see from my above comment, I have used your method since last year and it works perfectly 🙂 but I’m stuck a bit nowadays. Is there any way to change the port of PolicyD Web UI 7780 to another? We need to change the port for some reason and if you can help me, I would appreciate it 🙂

    Thanks in advance
    By Regards..

  5. Good morning, Mas Iman.

    I'd like to ask, Mas: when I try to create the user and password, I get an error like this:

    root@email:~# /opt/zimbra/common/bin/htpasswd -cb .htpasswd cbadmin cbpassword
    /opt/zimbra/common/bin/htpasswd: symbol lookup error: /opt/zimbra/common/bin/htpasswd: undefined symbol: e

    What do you think the problem is, Mas?

    Thank you – Arim

  6. Dear Admin,

    What’s the default sending message rate of zimbra? (allow sending message per hour).

  7. Hello.
    For Zimbra 8.7.11:
    /opt/zimbra/common/bin/htpasswd -cb .htpasswd USERNAME PASSWORD
    Edit /opt/zimbra/conf/httpd.conf
    And add:
    Alias /webui /opt/zimbra/common/share/webui/

    # Comment out the following 3 lines to make web ui accessible from anywhere
    AllowOverride AuthConfig
    Order Deny,Allow
    Allow from all

    You can now access the Policyd Webui with browser at URL http://IPZimbra:7780/webui/index.php

  8. hi,
    CbPolicyD WEBGUI is not working ,
    /opt/zimbra/bin/zmapachectl: line 85: kill: (11288) – No such process
    apache is not running.
    restarted apache server many times still the same.

      1. zimbraServiceInstalled: amavis
        zimbraServiceInstalled: antivirus
        zimbraServiceInstalled: antispam
        zimbraServiceInstalled: opendkim
        zimbraServiceInstalled: logger
        zimbraServiceInstalled: mailbox
        zimbraServiceInstalled: memcached
        zimbraServiceInstalled: mta
        zimbraServiceInstalled: dnscache
        zimbraServiceInstalled: stats
        zimbraServiceInstalled: proxy
        zimbraServiceInstalled: snmp
        zimbraServiceInstalled: spell
        zimbraServiceInstalled: ldap
        zimbraServiceInstalled: cbpolicyd

  9. Hello Iman,
    Done setup as you recommended for zimbra 8.7 but it’s not working. Can you please let me know what to do further.

  10. All is working but the webui does not take the username password defined in .htpasswd file.
    Can you please suggest?

  11. Hello Iman,

    Thanks for the response but could not get through with this link also.
    The issue remains same. Could not login with provided user ID and Password.

  12. Hi,
    I am running Release 8.7.11.GA.1854.UBUNTU16.64 UBUNTU16_64 FOSS edition. Can you please guide me where to put htpasswd file and AuthUserFile path?
    Regards,
    Sheikh Munawar

  13. Thank you very much for the tutorial, Mas Iman.

    The tutorial went smoothly, but I'd like to ask:

    Is the username/password only for one ID?

    1. Hi Mas,

      There can be more than one username and password. Omit the -c parameter when running the htpasswd command to add a new user.

  14. I walked thru the steps and have tried all configuration listed in the blog and those offered in the comments.

    I can access the site however, I still do not get a login prompt.

    help?

  15. Hi Iman.
    I need to enable Policyd on a zimbra server, version 8.8.
    I’m having difficulties with the webui and opendkim. What do I need to enable the webui, which is my main problem?

  16. I had already tried that guide, but it didn’t work, I mean I still do not the web interface for Policyd.
    I don’t need the web interface for opendkim.
    (Sorry for the late reply but I’ve never received follow-up comments by email, just a first one after posting my question).

  17. Well, I disabled policyd and re-enabled it. This time everything went fine, I wonder what kind of mistake I made the first time but I’m all right. Thanks.

  18. I’m unable to start the Apache service, getting the below error; kindly help.

    Starting apache…AH00526: Syntax error on line 21 of /opt/zimbra/conf/httpd.conf:
    Invalid command ‘ServerRoot:’, perhaps misspelled or defined by a module not included in the server configuration
    failed.

  19. Hi Iman,
    We are using Zimbra server for bulk mail sending; kindly suggest how to check the per hour / per day sent | bounced | deferred mail count.

  20. hi

    I hope you are fine. I have deployed restriction on policyd on ZIMBRA 8.8.15 patch 6. Please add it to your blog for new users. It’s working perfectly fine for me. Here are the steps:

    ##############################Protect Policyd WebUI#################################

    Release 8.8.15_GA_3869.RHEL7_64_20190917004220 RHEL7_64 FOSS edition, Patch 8.8.15_P6

    1. cd /opt/zimbra/common/share/webui/

    2. vi .htaccess

    AuthUserFile /opt/zimbra/common/share/webui/.htpasswd
    AuthGroupFile /dev/null
    AuthName "User and Password"
    AuthType Basic

    require valid-user

    3. touch .htpasswd

    4. /opt/zimbra/common/bin/htpasswd -cb .htpasswd user password

    5. vi /opt/zimbra/conf/httpd.conf

    Alias /webui /opt/zimbra/common/share/webui/

    # Comment out the following 3 lines to make web ui accessible from anywhere
    AllowOverride AuthConfig
    Order Deny,Allow
    Allow from all

    6. su - zimbra -c "zmapachectl restart"

    #####################################

    Thanks
    Fayaz khan

  21. I have performed all the steps which you have mentioned.

    # Secure (SSL/TLS) connections
    #Include conf/extra/httpd-ssl.conf
    #
    # Note: The following must must be present to support
    # starting without SSL on platforms with no /dev/random equivalent
    # but a statically compiled-in mod_ssl.
    #

    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin

    Alias /webui /opt/zimbra/common/share/webui
    AllowOverride AuthConfig
    Order Deny,Allow
    Allow from all

    After this, when I restart zmapachectl, I get the below error.
    [zimbra@mail ~]$ zmapachectl restart
    Stopping apache…AH00526: Syntax error on line 497 of /opt/zimbra/conf/httpd.conf:
    AllowOverride not allowed here
    failed.
    Starting apache…AH00526: Syntax error on line 497 of /opt/zimbra/conf/httpd.conf:
    AllowOverride not allowed here
    failed.

    so please check this error and please help me.
