I'm running Zimbra 8.8.9 and I'm trying to rate limit the number of messages that a single user can send over SMTP after authenticating with smtp-auth.
The purpose is to limit the damage in case one of the passwords of my users is guessed/obtained by a spammer.
Zimbra ships CBPolicyD (www.policyd.org) as part of the zimbra-mta package, but it's disabled by default.
I followed the howto at https://wiki.zimbra.com/wiki/How-to_for_cbpolicyd and enabled policyd with:
zmprov ms zimbra.mydomain.tld +zimbraServiceInstalled cbpolicyd
zmprov ms zimbra.mydomain.tld +zimbraServiceEnabled cbpolicyd
I also activated the web interface:
sudo -s
cd /opt/zimbra/data/httpd/htdocs
ln -s ../../../common/share/webui
and set up Zimbra's Apache to serve this new dir:
- edit /opt/zimbra/conf/httpd.conf
- add Alias /webui /opt/zimbra/common/share/webui/ to the end of the file
- restart Zimbra
I edited the config file at /opt/zimbra/common/share/webui/includes/config.php
to point to the proper sqlite db:
$DB_DSN="sqlite:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb";
and finally added a cronjob to periodically clean up the tracking database at the end of zimbra's crontab:
# ZIMBRAEND -- DO NOT EDIT ANYTHING BETWEEN THIS LINE AND ZIMBRASTART
0 * * * * cat /opt/zimbra/log/clean_cbpolicyd_daily.sql | sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb
I couldn't find a step-by-step example of how to set up the rate limiting using policyd webui, and the interface is far from intuitive to use.
How do I have policyd count emails sent by each account and rate limit them?
Best Answer
First of all note that policyd webui is not password protected unless you take additional measures, i.e. add an .htaccess to that dir and add an AllowOverride AuthConfig to httpd.conf:
Also note that by default policyd is only available on the cleartext web interface of Zimbra, i.e. http://zimbra.domain.tld:7780/webui/index.php
Take appropriate steps to secure the web interface.
Go to http://zimbra.domain.tld:7780/webui/policy-main.php and choose 'Add'. Enter the following:
Go back to http://zimbra.domain.tld:7780/webui/policy-main.php and select the new 'smtp-auth-limit' policy then choose Action "Change". Set "Disabled" to "No" and submit.
Now go back to http://zimbra.domain.tld:7780/webui/policy-main.php again, select 'smtp-auth-limit' again and choose action "Members".
Choose "Add" and enter the following:
Now be careful: click on "Back to members", not "Back to policies", or you'll get lost.
If you were careful, select the line with Source "$*" and choose Action "Change".
If you were not careful, go back to http://zimbra.domain.tld:7780/webui/policy-main.php choose "smtp-auth-limit" policy, Action "Members", select the line with Source "$*" and choose Action "Change".
Set "Disabled" to "No" and submit.
Finally go to http://zimbra.domain.ltd:7780/webui/quotas-main.php and choose Action "Add". Enter the following:
Go back to http://zimbra.domain.ltd:7780/webui/quotas-main.php and select the 'smtp-auth-limit' policy, choose Action "Change". Set Disabled to "No" and submit.
Go back once again to http://zimbra.domain.ltd:7780/webui/quotas-main.php and select 'smtp-auth-limit' policy, choose Action "Limits".
Select Action "Add" and enter the following, assuming you want to allow each account to send a maximum of 200 msgs every 86400 secs:
Now be careful, you know the drill, click on "Back to quota limits" or you'll get lost. Select the line with Counter Limit = 200 then choose Action "Change". Set Disabled to "No" and submit.
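An added example, not part of the original answer and not policyd's own accounting: a log-based check of which SMTP-authenticated accounts would exceed the limit of 200 messages per 86400 seconds, useful for sizing the quota and for spotting an account that is already sending in bulk. The sample log lines, host name, addresses and function names are constructed for illustration, and the sliding-window count is an assumption used for estimation.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix smtpd writes one line like this per authenticated submission.
AUTH_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/\S*smtpd\[\d+\]: "
    r"\w+: client=\S+ sasl_method=[^,\s]+, sasl_username=([^,\s]+)"
)

def peak_per_account(lines, period=86400, year=2024):
    """Map each account to its highest message count in any `period` seconds."""
    window = defaultdict(deque)  # account -> timestamps still inside the window
    peaks = {}
    span = timedelta(seconds=period)
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue  # not an authenticated submission
        # Classic syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        user = m.group(2).lower()
        q = window[user]
        q.append(ts)
        while q[0] <= ts - span:  # drop submissions older than the period
            q.popleft()
        peaks[user] = max(peaks.get(user, 0), len(q))
    return peaks

def over_limit(lines, limit=200, period=86400):
    """Accounts whose peak exceeds `limit` messages per `period` seconds."""
    return sorted(u for u, n in peak_per_account(lines, period).items() if n > limit)

def _line(ts, user):  # constructed sample line in Postfix smtpd log format
    return (f"{ts:%b %d %H:%M:%S} mail postfix/submission/smtpd[4242]: 4F0A1B2C3D: "
            f"client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username={user}")

# Constructed sample: one normal user, one account sending 250 messages in a burst.
start = datetime(2024, 1, 10, 9, 0, 0)
events = [(start + timedelta(hours=h), "alice@example.com") for h in (0, 6, 25)]
events += [(start + timedelta(hours=3, seconds=10 * i), "bob@example.com") for i in range(250)]
SAMPLE = [_line(ts, user) for ts, user in sorted(events)]

if __name__ == "__main__":
    for user, n in sorted(peak_per_account(SAMPLE).items()):
        print(f"{user}: peak {n} msgs/24h{'  <-- over 200' if n > 200 else ''}")
```

To run it against a real log, pass the lines of the MTA log file to `over_limit()` with the correct `year`; a log that spans a year boundary needs the year handled per line.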