Zimbra

Zimbra Tips: How To Protect Policyd WebUI

Still talking about Policyd. When you access policyd webui, it’s not asking username and password. So, everyone can access policyd configuration via webui. To protect policyd webui, we can use three ways. First, we can stopping Apache service Zimbra with zmapachectl stop. Second, we can use firewall to protect and third, we can use login username and password  with htaccess. From three options available, i am recommended to using third option. This is how to protect policyd webui using username and password with htaccess.

cd /opt/zimbra/cbpolicyd/share/webui/
vi .htaccess

fill with the following lines

AuthUserFile /opt/zimbra/cbpolicyd/share/webui/.htpasswd
AuthGroupFile /dev/null
AuthName "User and Password"
AuthType Basic

<LIMIT GET>
require valid-user
</LIMIT>

create htpasswd file, username and password

touch .htpasswd
/opt/zimbra/httpd/bin/htpasswd -cb .htpasswd USERNAME PASSWORD

change username and password with username/password do you want. Edit httpd.conf Apache Zimbra

vi /opt/zimbra/conf/httpd.conf

add the following configuration at the bottom

Alias /webui /opt/zimbra/cbpolicyd/share/webui/
<Directory /opt/zimbra/cbpolicyd/share/webui/>
# Comment out the following 3 lines to make web ui accessible from anywhere
AllowOverride AuthConfig
Order Deny,Allow
Allow from all
</Directory>

Restart Apache Zimbra service

su - zimbra -c "zmapachectl restart"

please try to access policyd webui via browser. it would asking username and password like the following picture

policyd-webui

Good luck and hopefully useful 😀

Let’s See the Video on Youtube

64 comments

  1. i did the above config but i’m not able to access the web its show the below error

    Internal Server Error

    The server encountered an internal error or misconfiguration and was unable to complete your request.

    Please contact the server administrator at you@example.com to inform them of the time this error occurred, and the actions you performed just before this error.

    More information about this error may be available in the server error log.

      1. Hi iman ; i check httpd.conf and i don’t see any mistake

        SSLRandomSeed startup builtin
        SSLRandomSeed connect builtin

        Alias /webui /opt/zimbra/cbpolicyd/share/webui/

        # Comment out the following 3 lines to make web ui accessible from anywhere
        AllowOverride AuthConfig
        Order Deny,Allow
        Allow from all

        1. I got the same issue and I proceed to add # to the 3 lines and restart, then remove the # and restart. Now it prompts for login, but the login refused to let me in despite entering the correct login name and password!

          1. Got it to work. The issue was due to typo error in .htaccess due to a missing spacing.

  2. hello,getting this error when starting http server,

    zmapachectl start
    Starting apache…httpd: Syntax error on line 148 of /opt/zimbra/conf/httpd.conf: Cannot load modules/libphp5.so into server: libaspell.so.15: cannot open shared object file: No such file or directory

    1. Hello,

      Are you not install Zimbra Spell? if yes, please install aspell package from your Linux distribution and try to restart Zimbra Apache again 🙂

  3. Hello Iman,

    As you can see my above comment i used your method since last year and it works perfectly 🙂 but I’m stuck a bit nowadays. Is there any way to change the port of PolicyD Web UI 7780 to another ? We need to change the port for some reason and if you can help me, i would be appreciate 🙂

    Thanks in advance
    By Regards..

  4. Sugeng Enjang mas Iman..

    saya mau tanya mas… ketika saya mau buat user dan password ada error kayak begini..

    root@email:~# /opt/zimbra/common/bin/htpasswd -cb .htpasswd cbadmin cbpassword
    /opt/zimbra/common/bin/htpasswd: symbol lookup error: /opt/zimbra/common/bin/htpasswd: undefined symbol: e

    kira2 apanya ya Mas..?

    Maturnuwun – Arim

  5. Hello.
    For Zimbra 8.7.11:
    /opt/zimbra/common/bin/htpasswd -cb .htpasswd USERNAME PASSWORD
    Edit /opt/zimbra/conf/httpd.conf
    And add:
    Alias /webui /opt/zimbra/common/share/webui/

    # Comment out the following 3 lines to make web ui accessible from anywhere
    AllowOverride AuthConfig
    Order Deny,Allow
    Allow from all

    You can now access the Policyd Webui with browser at URL http://IPZimbra:7780/webui/index.php

  6. hi,
    CbPolicyD WEBGUI is not working ,
    /opt/zimbra/bin/zmapachectl: line 85: kill: (11288) – No such process
    apache is not running.
    restarted apache server many times still the same.

      1. zimbraServiceInstalled: amavis
        zimbraServiceInstalled: antivirus
        zimbraServiceInstalled: antispam
        zimbraServiceInstalled: opendkim
        zimbraServiceInstalled: logger
        zimbraServiceInstalled: mailbox
        zimbraServiceInstalled: memcached
        zimbraServiceInstalled: mta
        zimbraServiceInstalled: dnscache
        zimbraServiceInstalled: stats
        zimbraServiceInstalled: proxy
        zimbraServiceInstalled: snmp
        zimbraServiceInstalled: spell
        zimbraServiceInstalled: ldap
        zimbraServiceInstalled: cbpolicyd

  7. Hello Iman,
    Done setup as you recommended for zimbra 8.7 but its not working. Can you please let me know waht to do further.

  8. All is working but the webui does not take the username password defined in .htpasswd file.
    Can you please suggest?

  9. Hello Iman,

    Thanks for the response but could not get through with this link also.
    The issue remains same. Could not login with provided user ID and Password.

  10. Hi,
    I am running Release 8.7.11.GA.1854.UBUNTU16.64 UBUNTU16_64 FOSS edition. Can you please guide me where to put htpasswd file and AuthUserFile path?
    Regards,
    Sheikh Munawar

  11. terimakasih byk atas tuts nya mas iman.

    tuts nya lancar, tp sy ingin bertanya :

    apakah usernamepassword hanya untuk 1 id ?

  12. I walked thru the steps and have tried all configuration listed in the blog and those offered in the comments.

    I can access the site however, I still do not get a login prompt.

    help?

  13. Hi Iman.
    I need to enable Policyd on a zimbra server, version 8.8.
    I’m having difficulties with the webui e opendkim. What do I need to enable the webui, which is my main problem?

  14. I had already tried that guide, but it didn’t work, I mean I still do not the web interface for Policyd.
    I don’t need the web interface for opendkim.
    (Sorry for the late reply but I’ve never received follow-up comments by email, just a first one after posting my question).

  15. Well, I disabled policyd and re-enabled it. This time everything went fine, I wonder what kind of mistake I made the first time but I’m allright. Thanks.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.