CentOS 7.x Configure cbpolicyd for Zimbra 8.7

From Notes_Wiki
Revision as of 08:59, 27 January 2019 by Saurabh (talk | contribs)


For older Zimbra versions, refer to Zimbra Policyd configuration, or specifically Configure and enable policyd on Zimbra.

From Zimbra 8.7 onwards, cbpolicyd access-lists are disabled by default. To enable and use them, follow these steps:

  1. Activate Policyd WebUI. As root run:
    cd /opt/zimbra/data/httpd/htdocs/ && ln -s ../../../common/share/webui
  2. Edit '/opt/zimbra/common/share/webui/includes/config.php' and change DB_DSN from the mysql value to
    $DB_DSN="sqlite:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb";
  3. Enable the cbpolicyd service as the zimbra user
    zmprov ms `zmhostname` +zimbraServiceInstalled cbpolicyd +zimbraServiceEnabled cbpolicyd
  4. Enable ACLs for policyd
    zmprov mcf +zimbraMtaRestriction 'check_policy_service inet:127.0.0.1:10031'
    zmprov ms mail.domainname.com zimbraCBPolicydAccessControlEnabled TRUE
  5. Restart zimbra
    su - zimbra -c "zmcontrol restart"
    su - zimbra -c "zmapachectl restart"
  6. You can then access the cbpolicyd web UI at http://<zimbraserver>:7780/webui/index.php

Refer:


How to enable debug logs for cbpolicyd

To enable debug logs for cbpolicyd, use the following steps:

  1. su - zimbra
  2. Edit /opt/zimbra/conf/cbpolicyd.conf.in (for example with vim) and set log_level to 4.
    A better option is to set the level through zmprov instead:
    su - zimbra
    zmprov ms mail.radiantcorpn.in zimbraCBPolicydLogLevel 4
    zmcbpolicydctl restart



Protect cbpolicyd web interface from unauthorized access

By default, the Zimbra policyd web interface ( http://<zimbra-ip>:7780/webui/index.php ) is not protected after configuring cbpolicyd. To protect it, edit /opt/zimbra/conf/httpd.conf and add the protection configuration inside the following block:

   <Directory "/opt/zimbra/data/httpd/htdocs">
   </Directory>   

For example, for file-based authentication using a username and password, use:

        AuthBasicProvider file
        AuthUserFile /opt/zimbra/conf/zimbra-htpasswd
        AuthName "RND cbpolicyd login"
        AuthType Basic
        Require valid-user

In this case, create the password file by running the following as the zimbra user:

      /opt/zimbra/common/bin/htpasswd -c /opt/zimbra/conf/zimbra-htpasswd sysadmin

The password can be changed at any time later by running the following as the zimbra user:

      /opt/zimbra/common/bin/htpasswd /opt/zimbra/conf/zimbra-htpasswd sysadmin    


The other option is to use IP-based authentication. For that, use:

        Require ip <ip-address>    

In both cases, comment out the default:

        #Require all granted 

After changing the configuration, restart Apache as the zimbra user:

    zmapachectl restart

and verify by opening http://<zimbra-ip>:7780/webui/index.php that the protection is working.

Note that opening http://<zimbra-ip>:7780/webui/ will result in access denied, as "DirectoryIndex index.php" is not configured.
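
An offline check of the edited configuration, added here as an example (it is not part of the original wiki page or of Zimbra): the hypothetical function audit_htdocs_block reads an Apache config and reports whether the htdocs Directory block is still open. It assumes Apache 2.4 semantics, where several Require lines in one section are combined as RequireAny, so an uncommented "Require all granted" overrides the authentication lines; the sample config below is constructed.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Zimbra code).
# Usage: audit_htdocs_block CONF [DIRECTORY]
# Prints one verdict: protected, open, or missing.
audit_htdocs_block() {
    conf=$1
    dir=${2:-/opt/zimbra/data/httpd/htdocs}
    awk -v dir="$dir" '
        # Commented lines such as "#Require all granted" are inactive
        /^[ \t]*#/ { next }
        # Opening tag: compare its path with the directory being audited
        tolower($1) == "<directory" {
            path = $2; gsub(/[">]/, "", path)
            if (path == dir) { inblock = 1; found = 1 }
            next
        }
        tolower($1) ~ /^<\/directory/ { inblock = 0; next }
        inblock && tolower($1) == "require" {
            if (tolower($2 " " $3) == "all granted") granted = 1
            else if (tolower($2) == "valid-user" || tolower($2) == "ip") restricted = 1
        }
        END {
            if (!found) print "missing"
            # Assumption: a block with no restricting Require is treated as open
            else if (granted || !restricted) print "open"
            else print "protected"
        }
    ' "$conf"
}

# Constructed sample: authentication added, but the default left uncommented.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<Directory "/opt/zimbra/data/httpd/htdocs">
    AuthBasicProvider file
    AuthUserFile /opt/zimbra/conf/zimbra-htpasswd
    AuthName "RND cbpolicyd login"
    AuthType Basic
    Require valid-user
    Require all granted
</Directory>
EOF
audit_htdocs_block "$sample"   # prints: open
rm -f "$sample"
```

On a real server, run it as audit_htdocs_block /opt/zimbra/conf/httpd.conf before restarting Apache; the browser check described above remains the final confirmation.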

