CentOS 7.x Configure cbpolicyd for Zimbra 8.7


For older Zimbra versions, refer to Zimbra Policyd configuration or, specifically, Configure and enable policyd on Zimbra.

From Zimbra 8.7 onwards, cbpolicyd access lists are disabled by default. To enable and use them, follow these steps:

  1. Activate Policyd WebUI. As root run:
    cd /opt/zimbra/data/httpd/htdocs/ && ln -s ../../../common/share/webui
  2. Edit '/opt/zimbra/common/share/webui/includes/config.php' and change DB_DSN from the mysql value to
    $DB_DSN="sqlite:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb";
  3. Enable the cbpolicyd service as the zimbra user
    zmprov ms `zmhostname` +zimbraServiceInstalled cbpolicyd +zimbraServiceEnabled cbpolicyd
  4. Enable ACLs for policyd
    zmprov mcf +zimbraMtaRestriction 'check_policy_service inet:127.0.0.1:10031'
    zmprov ms mail.domainname.com zimbraCBPolicydAccessControlEnabled TRUE
  5. Restart Zimbra
    su - zimbra -c "zmcontrol restart"
    su - zimbra -c "zmapachectl restart"
  6. Access the cbpolicyd web UI at http://<zimbraserver>:7780/webui/index.php


How to enable debug logs for cbpolicyd

To enable debug logs for cbpolicyd:

  1. su - zimbra
  2. Run vim /opt/zimbra/conf/cbpolicyd.conf.in and set log_level to 4.
    A better option is to set the log level with zmprov:
    su - zimbra
    zmprov ms mail.radiantcorpn.in zimbraCBPolicydLogLevel 4
    zmcbpolicydctl restart



Protect cbpolicyd web interface from unauthorized access

By default, the Zimbra policyd web interface ( http://<zimbra-ip>:7780/webui/index.php ) is not protected after cbpolicyd is configured. To protect it, edit /opt/zimbra/conf/httpd.conf and add the protection configuration inside:

   <Directory "/opt/zimbra/data/httpd/htdocs">
   </Directory>   

For example, for file-based authentication with a username and password, use:

        AuthBasicProvider file
        AuthUserFile /opt/zimbra/conf/zimbra-htpasswd
        AuthName "RND cbpolicyd login"
        AuthType Basic
        Require valid-user

In this case, create the password file by running the following as the *zimbra* user:

      /opt/zimbra/common/bin/htpasswd -c /opt/zimbra/conf/zimbra-htpasswd sysadmin

The password can be changed at any time by running the following as the *zimbra* user:

      /opt/zimbra/common/bin/htpasswd /opt/zimbra/conf/zimbra-htpasswd sysadmin    


The other option is to restrict access by IP address. For that, use:

        Require ip <ip-address>    

In both cases, comment out the default:

        #Require all granted 

After changing the configuration, run:

    zmapachectl restart

and verify that the protection works by opening http://<zimbra-ip>:7780/webui/index.php.

Note that opening http://<zimbra-ip>:7780/webui/ will result in access denied because "DirectoryIndex index.php" is not configured.
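
The script below is an added example, not part of the original page or of Zimbra. It audits the htdocs block for the settings described above, including the case where the authentication lines were added but the default was left uncommented. The function names, return codes and the sample configuration are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Zimbra code: audit the htdocs <Directory> block.
# Return codes are this script's own convention:
#   0 = access restricted, 1 = not restricted, 2 = block not found.

# True if an active directive in $block matches the given ERE.
has_directive() { printf '%s\n' "$block" | grep -Eiq "^[[:space:]]*$1"; }

audit_htdocs_block() {
    # Keep only the uncommented lines inside the htdocs block.
    block=$(awk '
        /^[ \t]*<Directory[ \t]+"?\/opt\/zimbra\/data\/httpd\/htdocs\/?"?[ \t]*>/ {
            inside = 1; found = 1; next }
        inside && /^[ \t]*<\/Directory>/ { inside = 0 }
        inside && !/^[ \t]*#/ { print }
        END { if (!found) exit 3 }
    ' "$1") || { echo "NOT FOUND: htdocs <Directory> block"; return 2; }

    # Sibling Require lines are OR-ed by Apache 2.4, so the default
    # overrides any restriction that sits next to it.
    if has_directive 'Require[[:space:]]+all[[:space:]]+granted'; then
        echo "OPEN: 'Require all granted' is still active"; return 1
    fi
    if has_directive 'Require[[:space:]]+valid-user'; then
        for d in AuthType AuthUserFile; do
            has_directive "${d}[[:space:]]" ||
                { echo "INCOMPLETE: $d missing"; return 1; }
        done
        echo "RESTRICTED: password authentication"; return 0
    fi
    if has_directive 'Require[[:space:]]+ip[[:space:]]+[0-9A-Fa-f]'; then
        echo "RESTRICTED: IP allow-list"; return 0
    fi
    echo "NOT RESTRICTED: no 'Require valid-user' or 'Require ip' in the block"
    return 1
}

# Constructed sample: auth lines added but the default left uncommented.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<Directory "/opt/zimbra/data/httpd/htdocs">
    AuthType Basic
    AuthUserFile /opt/zimbra/conf/zimbra-htpasswd
    Require valid-user
    Require all granted
</Directory>
EOF
audit_htdocs_block "${1:-$sample}" || true   # a path argument overrides the sample
rm -f "$sample"
```

Pass /opt/zimbra/conf/httpd.conf as the argument to audit the live file before restarting Apache.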


Preventing email reputation damage if user account is compromised

To limit email reputation damage when a user account is compromised, cbpolicyd is used with a quota such as 300 emails per user per day. This way an attacker cannot send more than 300 emails from the compromised account. For this to work, a match between the FROM address and the SASL username must be enforced (preferably with an exception DB) as described at https://wiki.zimbra.com/wiki/Enforcing_a_match_between_FROM_address_and_sasl_username_8.5 Without this essential configuration in place, an advanced attacker can bypass the cbpolicyd quota restrictions by using a different FROM address for different emails.

