CentOS 7.x Configure cbpolicyd for Zimbra 8.7
For older Zimbra versions, please refer to Zimbra Policyd configuration or, specifically, Configure and enable policyd on Zimbra.
From Zimbra 8.7 onwards, cbpolicyd access lists are disabled by default. To enable and use them, follow these steps:
- Activate Policyd WebUI. As root run:
  - cd /opt/zimbra/data/httpd/htdocs/ && ln -s ../../../common/share/webui
- Edit '/opt/zimbra/common/share/webui/includes/config.php' and change DB_DSN from the mysql value to:
  - $DB_DSN="sqlite:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb";
- Enable the cbpolicyd service as the zimbra user:
  - zmprov ms `zmhostname` +zimbraServiceInstalled cbpolicyd +zimbraServiceEnabled cbpolicyd
- Enable ACLs for policyd:
  - zmprov mcf +zimbraMtaRestriction 'check_policy_service inet:127.0.0.1:10031'
  - zmprov ms mail.domainname.com zimbraCBPolicydAccessControlEnabled TRUE
- Restart Zimbra:
  - su - zimbra -c "zmcontrol restart"
  - su - zimbra -c "zmapachectl restart"
- You can then access cbpolicyd at http://<zimbraserver>:7780/webui/index.php
Refer:
- https://github.com/sangamc/policyD_zimbra87/blob/master/automatic-policyd-zcs8.7.sh
- http://haffi.is/wp/?p=38
How to enable debug logs for cbpolicyd
To enable debug logs for cbpolicyd, use the following:
- su - zimbra
- vim /opt/zimbra/conf/cbpolicyd.conf.in and set log_level to 4.
- Better would be to do:
  - su - zimbra
  - zmprov ms mail.radiantcorpn.in zimbraCBPolicydLogLevel 4
  - zmcbpolicydctl restart
Protect cbpolicyd web interface from unauthorized access
By default the Zimbra policyd web interface ( http://<zimbra-ip>:7780/webui/index.php ) is not protected after cbpolicyd is configured. To protect it, edit /opt/zimbra/conf/httpd.conf and add the protection configuration inside:
<Directory "/opt/zimbra/data/httpd/htdocs"> </Directory>
For example, for file-based authentication with a username and password, use:
AuthBasicProvider file
AuthUserFile /opt/zimbra/conf/zimbra-htpasswd
AuthName "RND cbpolicyd login"
AuthType Basic
Require valid-user
In this case, create the password file by running the following as the *zimbra* user:
/opt/zimbra/common/bin/htpasswd -c /opt/zimbra/conf/zimbra-htpasswd sysadmin
The password can be changed at any time in the future by running the following as the *zimbra* user:
/opt/zimbra/common/bin/htpasswd /opt/zimbra/conf/zimbra-htpasswd sysadmin
The other option is to use IP-based authentication. For that, use:
Require ip <ip-address>
In both cases, comment out the default:
#Require all granted
After configuration, restart Apache:
zmapachectl restart
Then verify that the protection is working by opening http://<zimbra-ip>:7780/webui/index.php
Note that opening http://<zimbra-ip>:7780/webui/ will result in access denied, as "DirectoryIndex index.php" is not configured.
Preventing email reputation damage if user account is compromised
To prevent email reputation damage if a user account is compromised, cbpolicyd is used with a quota such as 300 emails per user per day. This way an attacker cannot send more than 300 emails from a compromised account. For this to work, we must enforce a match between the from address and the SASL username (preferably with an exception DB) using https://wiki.zimbra.com/wiki/Enforcing_a_match_between_FROM_address_and_sasl_username_8.5 . Without this essential configuration in place, an advanced attacker can bypass the cbpolicyd quota restrictions by using a different from address for various emails.
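As an added example (not part of the original page or of Zimbra's tooling), the Python script below audits Postfix log lines for authenticated users whose envelope sender differs from their SASL login, which is the condition the match enforcement above is meant to stop. The log lines are constructed samples in the standard Postfix smtpd/qmgr format, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix syslog format (not from a real server).
SAMPLE_LOG = """\
Jan 10 09:00:01 mail postfix/smtpd[2101]: 4A1B2C3D4E: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice@example.com
Jan 10 09:00:01 mail postfix/qmgr[1890]: 4A1B2C3D4E: from=<alice@example.com>, size=2310, nrcpt=1 (queue active)
Jan 10 09:00:05 mail postfix/submission/smtpd[2105]: 5B2C3D4E5F: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=bob@example.com
Jan 10 09:00:05 mail postfix/qmgr[1890]: 5B2C3D4E5F: from=<ceo@example.com>, size=1874, nrcpt=40 (queue active)
Jan 10 09:00:09 mail postfix/submission/smtpd[2105]: 6C3D4E5F60: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=bob@example.com
Jan 10 09:00:09 mail postfix/qmgr[1890]: 6C3D4E5F60: from=<billing@example.net>, size=1902, nrcpt=40 (queue active)
Jan 10 09:00:12 mail postfix/smtpd[2110]: 7D4E5F6071: client=localhost[127.0.0.1]
Jan 10 09:00:12 mail postfix/qmgr[1890]: 7D4E5F6071: from=<carol@example.com>, size=3120, nrcpt=1 (queue active)
"""

# smtpd logs the authenticated login per queue ID; qmgr logs the envelope sender.
SASL_RE = re.compile(r"postfix/(?:\w+/)?smtpd\[\d+\]: (\w+): client=.*sasl_username=(\S+)")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")


def find_sender_mismatches(lines):
    """Map each SASL login to the envelope senders it used that differ from it."""
    login_by_qid = {}
    mismatches = defaultdict(set)
    for line in lines:
        m = SASL_RE.search(line)
        if m:
            login_by_qid[m.group(1)] = m.group(2).lower()
            continue
        m = FROM_RE.search(line)
        # Messages without a SASL login (e.g. local re-injection) are skipped.
        if m and m.group(1) in login_by_qid:
            login, sender = login_by_qid[m.group(1)], m.group(2).lower()
            if sender != login:
                mismatches[login].add(sender)
    return dict(mismatches)


if __name__ == "__main__":
    for login, senders in sorted(find_sender_mismatches(SAMPLE_LOG.splitlines()).items()):
        # Legitimate aliases also appear here; they belong in the exception DB.
        print(f"{login} sent as: {', '.join(sorted(senders))}")
```

Running this over existing logs before turning on enforcement shows which logins already send with other addresses, so legitimate aliases can be added to the exception DB first.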