Set up policyd on Zimbra 8.8.x to rate limit the number of messages each account can send with smtp-auth


First of all note that policyd webui is not password protected unless you take additional measures, i.e. add an .htaccess to that dir and add an AllowOverride AuthConfig to httpd.conf:

 <Directory /opt/zimbra/common/share/webui>
 AllowOverride AuthConfig
 </Directory>

Also note that by default policyd is only available on the cleartext web interface of Zimbra, i.e. http://zimbra.domain.tld:7780/webui/index.php

Take appropriate steps to secure the web interface.

Go to http://zimbra.domain.tld:7780/webui/policy-main.php and choose 'Add'. Enter the following:

  • Name: smtp-auth-limit
  • Priority: 1
  • Description: anything

Go back to http://zimbra.domain.tld:7780/webui/policy-main.php and select the new 'smtp-auth-limit' policy then choose Action "Change". Set "Disabled" to "No" and submit.

Now go back to http://zimbra.domain.tld:7780/webui/policy-main.php again, select 'smtp-auth-limit' again and choose action "Members".

Choose "Add" and enter the following:

  • Source: $*
  • Destination: any
  • Comment: anything

Now be careful: click on "Back to members", not "Back to policies", or you'll get lost.

If you were careful, select the line with Source "$*" and choose Action "Change".

If you were not careful, go back to http://zimbra.domain.tld:7780/webui/policy-main.php choose "smtp-auth-limit" policy, Action "Members", select the line with Source "$*" and choose Action "Change".

Set "Disabled" to "No" and submit.

Finally go to http://zimbra.domain.tld:7780/webui/quotas-main.php and choose Action "Add". Enter the following:

  • Name: rate limit smtp auth
  • Track: SASLUsername:username
  • Period: 86400
  • Link to policy: choose 'smtp-auth-limit' from the drop-down menu
  • Verdict: Defer (delay)
  • Data: you talk too fast (this message will be shown to the sender)
  • Stop processing here: yes

Go back to http://zimbra.domain.tld:7780/webui/quotas-main.php and select the 'smtp-auth-limit' policy, choose Action "Change". Set Disabled to "No" and submit.

Go back once again to http://zimbra.domain.tld:7780/webui/quotas-main.php and select 'smtp-auth-limit' policy, choose Action "Limits".

Select Action "Add" and enter the following, assuming you want to allow each account to send a maximum of 200 msgs every 86400 secs:

  • Type: Message Count
  • Counter Limit: 200
  • Comment: anything

Now be careful, you know the drill, click on "Back to quota limits" or you'll get lost. Select the line with Counter Limit = 200 then choose Action "Change". Set Disabled to "No" and submit.

Author: Luca Gibelli

I can't use what I can't abuse.

Updated on September 18, 2022
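
The answer above has four separate "Set Disabled to No" steps (policy, member, quota, limit), and missing any one of them leaves the rate limit unenforced. The following check is an added example, not part of the original answer or of policyd itself: it walks that chain in the SQLite database and reports any link that is missing or disabled. The table and column names and the stored values `MessageCount` and `SASLUsername...` are assumptions about the cbpolicyd schema, and the sample rows are constructed to mirror the answer's settings.

```python
import sqlite3

# Assumed cbpolicyd table layout; confirm with ".schema" on your own database.
SCHEMA = """
CREATE TABLE policies (ID INTEGER PRIMARY KEY, Name TEXT, Priority INT, Description TEXT, Disabled INT);
CREATE TABLE policy_members (ID INTEGER PRIMARY KEY, PolicyID INT, Source TEXT, Destination TEXT, Comment TEXT, Disabled INT);
CREATE TABLE quotas (ID INTEGER PRIMARY KEY, PolicyID INT, Name TEXT, Track TEXT, Period INT, Verdict TEXT, Data TEXT, LastQuota INT, Comment TEXT, Disabled INT);
CREATE TABLE quotas_limits (ID INTEGER PRIMARY KEY, QuotasID INT, Type TEXT, CounterLimit INT, Comment TEXT, Disabled INT);
"""

def sample_db(limit_disabled):
    """Constructed in-memory database with the rows the walkthrough creates."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO policies VALUES (1, 'smtp-auth-limit', 1, 'anything', 0)")
    conn.execute("INSERT INTO policy_members VALUES (1, 1, '$*', 'any', 'anything', 0)")
    conn.execute("INSERT INTO quotas VALUES (1, 1, 'rate limit smtp auth', "
                 "'SASLUsername:username', 86400, 'DEFER', 'you talk too fast', 0, '', 0)")
    conn.execute("INSERT INTO quotas_limits VALUES (1, 1, 'MessageCount', 200, 'anything', ?)",
                 (limit_disabled,))
    return conn

def audit(conn, policy_name):
    """Return the problems that would stop the per-account quota from applying."""
    row = conn.execute("SELECT ID, Disabled FROM policies WHERE Name = ?",
                       (policy_name,)).fetchone()
    if row is None:
        return [f"policy {policy_name!r} not found"]
    pid, disabled = row
    problems = ["policy is disabled"] if disabled else []
    members = conn.execute("SELECT Source, Disabled FROM policy_members WHERE PolicyID = ?",
                           (pid,)).fetchall()
    if not any(src == "$*" and not dis for src, dis in members):
        problems.append("no enabled member with Source '$*'")
    quotas = conn.execute("SELECT ID, Name, Track, Disabled FROM quotas WHERE PolicyID = ?",
                          (pid,)).fetchall()
    if not quotas:
        problems.append("no quota linked to the policy")
    for qid, name, track, dis in quotas:
        if dis:
            problems.append(f"quota {name!r} is disabled")
        if not track.startswith("SASLUsername"):
            problems.append(f"quota {name!r} does not track the SASL username")
        limits = conn.execute("SELECT Disabled FROM quotas_limits "
                              "WHERE QuotasID = ? AND Type = 'MessageCount'", (qid,)).fetchall()
        if not any(not d for (d,) in limits):
            problems.append(f"quota {name!r} has no enabled MessageCount limit")
    return problems

if __name__ == "__main__":
    for flag in (0, 1):  # 0 = limit enabled, 1 = last "Disabled: No" step forgotten
        print(flag, audit(sample_db(flag), "smtp-auth-limit") or "ok")
```

To run it against a live server, open the database read-only with `sqlite3.connect("file:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb?mode=ro", uri=True)` and pass that connection to `audit`.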

Comments

  • Luca Gibelli almost 2 years

    I'm running Zimbra 8.8.9 and I'm trying to rate limit the number of messages that a single user can send over smtp after authenticating with smtp-auth. The purpose is to limit the damage in case one of the passwords of my users is guessed/obtained by a spammer.

    Zimbra ships CBPolicyD (www.policyd.org) as part of zimbra-mta package, but it's disabled by default.

    I followed the howto at https://wiki.zimbra.com/wiki/How-to_for_cbpolicyd and enabled policyd with:

    zmprov ms zimbra.mydomain.tld +zimbraServiceInstalled cbpolicyd
    zmprov ms zimbra.mydomain.tld +zimbraServiceEnabled cbpolicyd
    

    I also activated the web interface:

     sudo -s
     cd /opt/zimbra/data/httpd/htdocs
     ln -s ../../../common/share/webui
    

    and set up Zimbra's Apache to serve this new dir:

    • edit /opt/zimbra/conf/httpd.conf
    • add Alias /webui /opt/zimbra/common/share/webui/ to the end of the file
    • restart Zimbra

    I edited the config file at /opt/zimbra/common/share/webui/includes/config.php to point to the proper sqlite db:

     $DB_DSN="sqlite:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb";
    

    and finally added a cronjob to periodically clean up the tracking database at the end of zimbra's crontab:

     # ZIMBRAEND -- DO NOT EDIT ANYTHING BETWEEN THIS LINE AND ZIMBRASTART
     0 * * * * cat /opt/zimbra/log/clean_cbpolicyd_daily.sql  | sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb
    

    I couldn't find a step-by-step example of how to set up the rate limiting using policyd webui and the interface is far from intuitive to use.

    How do I have policyd count emails sent by each account and rate limit them?