CentOS 7.x Configure cbpolicyd for Zimbra 8.7
For older Zimbra versions, please refer to Zimbra Policyd configuration or, specifically, Configure and enable policyd on Zimbra.
From Zimbra 8.7 onwards, cbpolicyd access-lists are disabled by default. To enable and use them, follow these steps:
- Activate Policyd WebUI. As root run:
- cd /opt/zimbra/data/httpd/htdocs/ && ln -s ../../../common/share/webui
- Edit '/opt/zimbra/common/share/webui/includes/config.php' and change DB_DSN from the mysql value to
- $DB_DSN="sqlite:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb";
- Enable the cbpolicyd service as Zimbra user
- zmprov ms `zmhostname` +zimbraServiceInstalled cbpolicyd +zimbraServiceEnabled cbpolicyd
- Enable ACLs for policyd
- zmprov mcf +zimbraMtaRestriction 'check_policy_service inet:127.0.0.1:10031'
- zmprov ms mail.domainname.com zimbraCBPolicydAccessControlEnabled TRUE
- Restart zimbra
- su - zimbra -c "zmcontrol restart"
- su - zimbra -c "zmapachectl restart"
- You can access cbpolicyd using the link below: http://<zimbraserver>:7780/webui/index.php
Refer:
- https://github.com/sangamc/policyD_zimbra87/blob/master/automatic-policyd-zcs8.7.sh
- http://haffi.is/wp/?p=38
How to enable debug logs for cbpolicyd
To enable debug logs for cbpolicyd, use the following:
- su - zimbra
- vim /opt/zimbra/conf/cbpolicyd.conf.in and set log_level to 4.
- A better approach is:
- su - zimbra
- zmprov ms mail.radiantcorpn.in zimbraCBPolicydLogLevel 4
- zmcbpolicydctl restart
Protect cbpolicyd web interface from unauthorized access
By default the Zimbra policyd web interface ( http://<zimbra-ip>:7780/webui/index.php ) is not protected after configuring cbpolicyd. To protect it, edit /opt/zimbra/conf/httpd.conf and add the protection configuration inside
<Directory "/opt/zimbra/data/httpd/htdocs"> </Directory>
For example, for file-based authentication using a username and password, use:
AuthBasicProvider file
AuthUserFile /opt/zimbra/conf/zimbra-htpasswd
AuthName "RND cbpolicyd login"
AuthType Basic
Require valid-user
In this case, create the password file using the following as the *zimbra* user:
/opt/zimbra/common/bin/htpasswd -c /opt/zimbra/conf/zimbra-htpasswd sysadmin
The password can be changed at any time in the future using the following as the *zimbra* user:
/opt/zimbra/common/bin/htpasswd /opt/zimbra/conf/zimbra-htpasswd sysadmin
The other option is to use IP-based authentication. For that use
Require ip <ip-address>
In both cases, comment out the default:
#Require all granted
After configuration you need to run:
zmapachectl restart
and verify by opening http://<zimbra-ip>:7780/webui/index.php whether protection is working or not.
Note that opening http://<zimbra-ip>:7780/webui/ will result in access denied, as "DirectoryIndex index.php" is not configured.
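To check the configuration itself in addition to the browser test, the following added example (not part of the original page or of Zimbra) audits the htdocs Directory block of httpd.conf. The function names audit_htdocs_block and demo and the sample config are constructed for illustration, and the check assumes flat Require lines as shown above, not nested <RequireAll>/<RequireAny> containers.

```shell
#!/bin/sh
# Added example: audit the htdocs <Directory> block of httpd.conf.
# Prints one of:
#   protected  a restricting Require is active and "Require all granted" is not
#   open       "Require all granted" is still active (sibling Require lines are
#              evaluated as any-of, so it overrides valid-user / ip)
#   inherited  the block has no active Require line at all
#   missing    the <Directory> block was not found
audit_htdocs_block() {
    awk '
        # Enter the block that the page says to edit.
        /^[ \t]*<Directory[ \t]+"?\/opt\/zimbra\/data\/httpd\/htdocs\/?"?[ \t]*>/ {
            inblk = 1; found = 1; next
        }
        inblk && /^[ \t]*<\/Directory>/ { inblk = 0; next }
        !inblk      { next }
        /^[ \t]*#/  { next }   # commented-out directives do not count
        {
            line = tolower($0)
            if (line ~ /^[ \t]*require[ \t]+all[ \t]+granted/) granted = 1
            else if (line ~ /^[ \t]*require[ \t]+(valid-user|ip[ \t]+[^ \t])/) restricted = 1
        }
        END {
            if (!found)          print "missing"
            else if (granted)    print "open"
            else if (restricted) print "protected"
            else                 print "inherited"
        }
    ' "$1"
}

# Constructed sample: the block as it looks after following the steps above.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
<Directory "/opt/zimbra/data/httpd/htdocs">
    AuthBasicProvider file
    AuthUserFile /opt/zimbra/conf/zimbra-htpasswd
    AuthName "RND cbpolicyd login"
    AuthType Basic
    Require valid-user
    #Require all granted
</Directory>
EOF
    audit_htdocs_block "$tmp"
    rm -f "$tmp"
}
demo
```

Run it against the live file with `audit_htdocs_block /opt/zimbra/conf/httpd.conf`. A result of `open` after adding `Require valid-user` or `Require ip` means the default `Require all granted` line was not commented out.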