I am trying to set up a policyd policy in Zimbra that sets a max number of outbound emails for a given sender (user@domain). I was testing it with a simple script to log into the SMTP server and send a test mail. I noticed, if I omitted the login information, the SMTP request was rejected (Authorization Failed), but the policyd quota counter was still incremented!
Is there some way to keep failed login attempts from reaching the policy? I am worried this could be used as a DOS attack.
Best Answer
Introduction
Zimbra is an email and collaboration suite. It uses Postfix as its MTA. You can optionally enable policyd to provide limiting features such as quotas or throttling.
Every configuration setting can be changed through the web interface or the CLI. The configuration files and database shouldn't be edited directly. Zimbra could overwrite them when upgrading or restarting.
Enabling policyd
According to this page, we can enable policyd by executing two command lines only.
In the background, Zimbra will alter the Postfix configuration. Here is the postconf -n output before and after policyd is enabled.
After
Analysis
The behavior that happened in your Zimbra can be explained by analyzing the output of postconf -n. At the smtpd_sender_restrictions stage, Zimbra already contacts policyd (via check_policy_service). At that stage, the counter has already been incremented. At the smtpd_relay_restrictions stage, Postfix rejects the email with the error message 'authorization failed'.
Solution
Based on the analysis above, the behavior can be prevented by removing check_policy_service from smtpd_sender_restrictions. Postfix still calls check_policy_service in smtpd_recipient_restrictions.
Disclaimer:
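Added example, not part of the answer above and not Zimbra's own tooling: a small audit of postconf -n output that lists every check_policy_service call and marks those in a restriction list Postfix evaluates before smtpd_relay_restrictions, which is the ordering the analysis describes. The sample configuration and the policyd endpoint inet:localhost:10031 are constructed for illustration.

```python
import re

# Order in which Postfix evaluates the smtpd restriction lists for a recipient.
STAGE_ORDER = [
    "smtpd_client_restrictions",
    "smtpd_helo_restrictions",
    "smtpd_sender_restrictions",
    "smtpd_relay_restrictions",
    "smtpd_recipient_restrictions",
]

# Constructed sample of `postconf -n` output; not taken from a real Zimbra host.
SAMPLE_POSTCONF = """\
smtpd_client_restrictions = reject_unauth_pipelining
smtpd_sender_restrictions = check_policy_service inet:localhost:10031, permit_mynetworks
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_recipient_restrictions = check_policy_service inet:localhost:10031, permit
"""

def parse_postconf(text):
    """Return {parameter: [tokens]} for the restriction lists in postconf output."""
    stages = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() in STAGE_ORDER:
            # Restrictions are separated by commas and/or whitespace.
            stages[name.strip()] = re.split(r"[,\s]+", value.strip())
    return stages

def policy_calls(stages):
    """List (stage, endpoint, before_relay) for each check_policy_service call."""
    relay_idx = STAGE_ORDER.index("smtpd_relay_restrictions")
    found = []
    for idx, stage in enumerate(STAGE_ORDER):
        tokens = stages.get(stage, [])
        for pos, tok in enumerate(tokens):
            if tok == "check_policy_service":
                # The policy server endpoint is the token after the keyword.
                endpoint = tokens[pos + 1] if pos + 1 < len(tokens) else "?"
                found.append((stage, endpoint, idx < relay_idx))
    return found

if __name__ == "__main__":
    for stage, endpoint, early in policy_calls(parse_postconf(SAMPLE_POSTCONF)):
        note = "evaluated BEFORE the relay stage" if early else "evaluated in or after the relay stage"
        print(f"{stage}: {endpoint} -> {note}")
```

To audit a live host, pass the captured output of postconf -n to parse_postconf() in place of SAMPLE_POSTCONF.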