[HowTo] Enabling CBPolicyD in Zimbra 7.1.1
Results 1 to 2 of 2
Like Tree1Likes
  • 1 Post By Cine

Thread: [HowTo] Enabling CBPolicyD in Zimbra 7.1.1

  1. #1
    ZeXtras Community Manager ZeXtras Employee Cine's Avatar
    Join Date
    Apr 2011

    [HowTo] Enabling CBPolicyD in Zimbra 7.1.1

    WARNING: This guide applies to Zimbra 7.1.1. If you are running Zimbra 7.2.0+ or Zimbra 8.0.2+ please find the official docs at Postfix Policyd - Zimbra :: Wiki

    This guide explains how to enable and configure Cluebringer Policyd, a new antispam system included in Zimbra 7.0. Unleash the power of your Zimbra!

    What is CBPolicyd
    Quote from policyd.org, CBPolicyd official website:
    Policyd v2 (codenamed "cluebringer") is a multi-platform policy server for popular MTAs. This policy daemon is designed mostly for large scale mail hosting environments. The main goal is to implement as many spam combating and email compliance features as possible while at the same time maintaining the portability, stability and performance required for mission critical email hosting of today. Most of the ideas and methods implemented in Policyd v2 stem from Policyd v1 as well as the authors' long time involvement in large scale mail hosting industry.
    CBPolicyd is included in Zimbra since version 7, but it has become usable in version 7.1. This guide refers to version 7.1.1 as its support for CBPolicyd has been enhanced since 7.1. Different modules can be activated within CBPolicyd to enable different funcions. Those modules are:
    • Access Control: Simple access control on all the incoming/outgoing
    • Accounting: Message count and cumulative size policies
    • Amavis: Amavisd-new integration
    • CheckHelo: Helo/Ehlo checks and blacklisting
    • CheckSPF: Sender Policy Framework support
    • Graylist: Anti-spam Graylisting support
    • Quotas: Message count and cumulative size policies

    The Amavis module will not be in this guide, since Zimbra already has it's own Amavis support.

    Enabling and configuring CBPolicyd in Zimbra 7.1.1

    • Switch to the zimbra user
      su - zimbra
    • Enable the cbpolicyd service (server-wide) via zmprov:
      zmprov ms servername +zimbraServiceInstalled cbpolicyd +zimbraServiceEnabled cbpolicyd
      (mind that "+" in front of "zimbraServiceEnabled cbpolicyd". Miss it and you'll end up having cbpolicyd as the ONLY service enabled)
    • In most recent Zimbra versions a CBpolicyD zimbraMtaRestriction exists. If not, add a new one:
      zmprov mcf +zimbraMtaRestriction "check_policy_service inet:"
    • Configure the CBPolicyd logging and active modules
      zmlocalconfig -e cbpolicyd_log_level=4; zmlocalconfig -e cbpolicyd_log_detail=modules,tracking,policies; zmlocalconfig -e cbpolicyd_module_accesscontrol=1 cbpolicyd_module_checkhelo=1 cbpolicyd_module_checkspf=1 cbpolicyd_module_greylisting=1 cbpolicyd_module_quotas=1
      (sets loglevel to Debug, detailed logging of Modules, Policies and Tracking, enables all the modules excluding Amavis)
    • Restart the MTA service to apply all the configurations
      zmmtactl restart

    Activating the WEB UI for CBPolicyd
    This is only valid for servers with the zimbra-spell package installed - in case of a standalone MTA please refer to THIS guide for the official command line management howto.

    Now that CBPolicyd is fully active you need a GUI to configure it, since its features are not implemented in the Zimbra Administration Console yet.
    All operations must be executed as 'root' except where specified.

    CBPolicyd Web UI is located in /opt/zimbra/cbpolicyd/share/webui/.
    To enable it "one shot" for a quick test (this configuration will be erased if you update Zimbra) just create a symlink of the webui in the document root of Zimbra's Apache server:
    cd /opt/zimbra/httpd/htdocs/ && ln -s ../../cbpolicyd/share/webui
    Then, edit the /opt/zimbra/cbpolicyd-2.0.10/share/webui/includes/config.php file putting a "#" front of all the lines beginning with $DB_DSN and adding the following line just before the line beginning with $DB_USER:
    Reload the httpd services with
    su - zimbra -c "zmapachectl restart"
    You can now access the webui from http://yourzimbraserver:7780/webui/index.php

    REMEMBER: This method is suggested only for internal testing, as it has no access control enabled and does not persist after a Zimbra update.

    To enable the webui in a more complete way, follow this steps:
    • Copy the cluebringer-httpd.conf file from the CBPolicyd folder to the Zimbra's conf/ folder:
      cp /opt/zimbra/cbpolicyd/share/contrib/httpd/cluebringer-httpd.conf /opt/zimbra/conf/
    • Edit the copied file with your favourite editor (i personally like nano, less scary than vi/m and less nerdysh than emacs)The result should look like:
      Alias /cluebringer /opt/zimbra/cbpolicyd/share/webui/    # Comment out the following 3 lines to make web ui accessible from anywhere    Order Deny,Allow    Deny from all    Allow from
      (the ip range/netmask after the "Allow from" directive must match the ip range you want to grant access to the web ui.
    • Edit the "/opt/zimbra/conf/httpd.conf" file and add the following line at the end of the file:

     Include /opt/zimbra/conf/cluebringer-httpd.conf
    • Edit the /opt/zimbra/cbpolicyd-2.0.10/share/webui/includes/config.php file putting a "#" front of all the lines beginning with $DB_DSN and adding the following line just before the line beginning with $DB_USER:
    • Reload the httpd services with
      su - zimbra -c "zmapachectl restart"

    You can now access the webui from http://yourzimbraserver:7780/cluebringer/index.phpTo learn how to configure CBPolicyD refer to the official documentation at Policyd.org Support

    Zimbra 7.1.1, 7.1.2 and 7.1.3 had a misconfiguration in the default logrotate config...Check the /etc/logrotate.d/zimbra file, find the "/opt/zimbra/log/cbpolicyd.log" section and change this line:
    create 0644 syslog adm
    to this:
    create 0644 zimbra zimbra
    then change the ownership of the existing log file with
    chown zimbra:zimbra /opt/zimbra/log/cbpolicyd.log
    and then restart the cbpolicyd service with
    su - zimbra -c "zmcbpolicydctl restart"

    Cleaning up the CBPolicyD Database
    Old and outdated entries are not automatically purged from CBPolicyd's database.
    A tool called "cbpadmin" is provided to take care of this operation, so you just need to schedule the execution of this tool through cron to keep your db slim and healthy!

    35 3 * * * /opt/zimbra/cbpolicyd/bin/cbpadmin --config=/opt/zimbra/conf/cbpolicyd.conf  --cleanup >/dev/null

    Special thanks to Mishikal for contributing some nice suggestions!
    Last edited by Cine; 04-23-2013 at 01:04 PM.
    bjron.mork likes this.

  2. #2
    ZeXtras Community Manager ZeXtras Employee Cine's Avatar
    Join Date
    Apr 2011
    Check out http://forums.zextras.com/zimbra-how...0-8-0-1-a.html to see how to enable CBPolicyD in Zimbra 8!

LinkBacks (?)

  1. 09-17-2014, 05:40 AM
  2. 04-03-2014, 05:14 AM
  3. 03-25-2014, 10:03 AM
  4. 01-28-2014, 03:35 AM
  5. 01-22-2014, 03:57 AM
  6. 01-20-2014, 06:20 AM
  7. 04-04-2013, 07:10 PM
  8. 01-18-2013, 01:49 AM
  9. 12-03-2012, 11:38 PM
  10. 02-13-2012, 09:34 AM
  11. 10-18-2011, 04:20 PM


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts