PolicyD

----

https://imanudin.net/2014/09/08/how-to-install-policyd-on-zimbra-8-5/

How To Install PolicyD on Zimbra 8.8           

Policyd on Zimbra 8.8.x

Run the following command as root

cd /opt/zimbra/data/httpd/htdocs/ && ln -s ../../../common/share/webui

Edit file:

#  vi  /opt/zimbra/common/share/webui/includes/config.php

# $DB_DSN="mysql:host=localhost;dbname=cluebringer";

$DB_DSN="sqlite:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb";

# su - zimbra

# zmprov ms `zmhostname` +zimbraServiceInstalled cbpolicyd +zimbraServiceEnabled cbpolicyd

su - zimbra -c "zmcontrol restart"          # Zimbra restart

su - zimbra -c "zmapachectl restart"         # httpd restart

http://zimbraserver:7780/webui/index.php

                         Protect/password Policyd WebUI                           

#   cd /opt/zimbra/common/share/webui/

#   vi .htaccess

AuthUserFile /opt/zimbra/common/share/webui/.htpasswd

AuthGroupFile /dev/null

AuthName "User and Password"

AuthType Basic

require valid-user

#  touch .htpasswd

#  /opt/zimbra/common/bin/htpasswd -cb .htpasswd admin StrongPass

# vi /opt/zimbra/conf/httpd.conf

Add the following contents at the end of “httpd.conf” file

Alias /webui /opt/zimbra/common/share/webui/

<Directory /opt/zimbra/common/share/webui>

# Comment out the following 3 lines to make web ui accessible from anywhere

AllowOverride AuthConfig

Order Deny,Allow

Allow from all

</Directory>

su - zimbra -c "zmapachectl restart"

ACTIVATING POLICYD ADDON # when not Activated

su - zimbra

zmprov ms `zmhostname` +zimbraServiceInstalled cbpolicyd +zimbraServiceEnabled cbpolicyd

zmlocalconfig -e postfix_enable_smtpd_policyd=yes

zmprov mcf +zimbraMtaRestriction "check_policy_service inet:127.0.0.1:10031"

zmlocalconfig -e cbpolicyd_log_level=4; zmlocalconfig -e cbpolicyd_log_detail=modules,tracking,policies; zmlocalconfig -e cbpolicyd_module_accesscontrol=1 cbpolicyd_module_checkhelo=1 cbpolicyd_module_checkspf=1 cbpolicyd_module_greylisting=1 cbpolicyd_module_quotas=1

zmcontrol restart

Improving Anti Spam : Reject Unlisted Domain On Zimbra 8.5

                      https://imanudin.net/2014/09/11/improving-anti-spam-reject-unlisted-domain-on-zimbra-8-5/

Rejecting unlisted domains is one of many methods for improving anti-spam on an email server, especially a Zimbra mail server. On Zimbra, we can set up any IP address to be listed as a trusted network. An IP address listed as a trusted network can send email without authentication. In other words, an IP address on the trusted network can send email with any sender domain, even one that is not listed on Zimbra.

If you have an email server with the domain example.com, it should only send email to the outside with the example.com domain; anything else should be rejected. This article describes step by step how to reject unlisted domains on Zimbra with Policyd. It assumes you have installed and enabled Policyd. If not, you can follow this article to enable it: http://imanudin.net/2014/09/08/how-to-install-policyd-on-zimbra-8-5/

Access the Policyd WebUI via browser at http://zimbraserver:7780/webui/index.php. Make sure your Zimbra apache service is running.

Select Policies | Groups. Select action and add a group. Give it the name list_domain. The comment can be left empty or filled in. Select the group that has been made. On action, select members and fill in your domain. See the following example. Make sure the disabled status is no on groups and on group members.

Select Policies | Main. Add a new policy and give it a name and information like in the following picture. Then submit query.

Select the new policy that has been made and select members on action. Add a member and fill in source/destination with the group that was previously made. See the following picture.

The above configuration matches when the source and destination are not members listed in the group. Select Access Control | Configure. Add a new ACL and give it a name and information like this:

Name : Reject Unlisted Domain
Link to policy : Reject Unlisted Domain (the new policy that was previously made)
Verdict : Reject
Data : Sorry, you are not authorized to sending email

See the following picture. Then submit query

Make sure the disabled status is no for every configuration item that has been made. Enable the Policyd access control module and restart the policyd service.

su - zimbra

zmprov ms `zmhostname` zimbraCBPolicydAccessControlEnabled TRUE

zmcbpolicydctl restart

Try sending email using telnet on the Zimbra mail server itself. This is an example result of the above configuration:

mail:~ # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.xxxxxxx.xxx ESMTP Postfix
ehlo mail
250-mail.xxxxxxx.xxx
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:ahmad@gmail.com
250 2.1.0 Ok
rcpt to:ahmad@yahoo.com
554 5.7.1 <ahmad@gmail.com>: Sender address rejected: Sorry, you are not authorized to sending email

Zimbra Tips : Blacklist Email Based on Body Email             

https://imanudin.net/2015/02/13/zimbra-tips-blacklist-email-based-on-body-email/

After previously blacklisting email based on subject, I now often receive spam email asking me to fill in my username and password. Besides, the sender claims to be the administrator account of the email server, whereas I am the email administrator and never send email like that. The following is an example of the email I received.

Many of my users got similar email and asked me, as the email administrator, whether this email was from me or not. I told them, and sent email to all my users, not to give out any information if they receive email like that and to always ask me first. Because many similar emails were received from random senders, I finally blacklisted email based on the email body. This is what I did on my email server.

# Open file salocal.cf.in

vi /opt/zimbra/conf/salocal.cf.in

Add the following lines at the bottom

body     LOCAL_RULE1     /Your email has/i
score    LOCAL_RULE1     40.0
body     LOCAL_RULE2     /System Administrator/i
score    LOCAL_RULE2     40.0

Note : LOCAL_RULE1 and LOCAL_RULE2 are the rule/ACL names that match “your email has” and “system administrator”, and “score 40.0” is the value given if the email body meets the rule. If you want to blacklist other words in the email body, you must create another ACL name.

# Save and restart service of Amavis

zmamavisdctl restart

Try sending an email whose body contains “your email has” or “system administrator” and check your zimbra.log

Feb 12 12:40:44 mail amavis[26679]: (26679-01) Blocked SPAM {DiscardedInbound}, [209.85.216.50]:52623 [209.85.216.50] <imanudin.linux@gmail.com> -> <admin@imanudin.net>, Queue-ID: 34F0A6E579, Message-ID: <CA+m7d0d9BQV1KtVT7uqV8Dd24OoW-QjsHOBtpG_0PnT+06HPVw@mail.gmail.com>, mail_id: j6BxTkvRg4zb, Hits: 39.431, size: 2834, dkim_sd=20120113:gmail.com, 3241 ms
Feb 12 12:40:44 mail postfix/smtp[26385]: 34F0A6E579: to=<admin@imanudin.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.7, delays=1.5/0/0.06/3.2, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=26679-01 - spam)

In my log, I got the information Blocked SPAM, a Hits value of more/less than 39, and a discarded email for every received email which contains “your email has” or “system administrator” in the body of the email.

Source : http://wiki.zimbra.com/wiki/Improving_Anti-spam_system

Zimbra Tips : Blacklist Email Based on Subject       

Recently, I have often received email with the subject “me new photo”, which contains spam and a fake link. I tried to blacklist the sender but still received that spam email from another sender. Finally I tried to blacklist the email by subject, and it works for me. I no longer receive email with the subject “me new photo”, even from random senders. This is what I did on my Zimbra server.

# Create file chandu.cf in spamassassin folder as root

vi /opt/zimbra/data/spamassassin/rules/chandu.cf

Fill with the following example

header     SPAM_BANNED     Subject =~ /me new photo/i
describe   SPAM_BANNED     Subject contains me new photo
score      SPAM_BANNED     40.0

Note : SPAM_BANNED is the name of the ACL that was created, me new photo is the subject to be blacklisted, and score 40.0 is the score given if the subject matches the ACL. If you want to blacklist another word/subject, don’t reuse the same ACL name; create another ACL name.

# Save and give owner for user and group Zimbra

chown zimbra.zimbra /opt/zimbra/data/spamassassin/rules/chandu.cf

su - zimbra -c "zmamavisdctl restart"

Please try to send email with subject “me new photo” and check on the log

Feb 12 07:35:18 mail amavis[26021]: (26021-01) Blocked SPAM {DiscardedInternal}, ORIGINATING_POST/MYNETS LOCAL [127.0.0.1]:52921 [127.0.0.1] <admin@imanudin.net> -> <admin@imanudin.net>, Queue-ID: 873FF1A4AFC, Message-ID: <562367973.12.1407818118361.JavaMail.zimbra@imanudin.net>, mail_id: PVCoVT9JsO-P, Hits: 40.592, size: 945, 307 ms
Feb 12 07:35:18 mail postfix/smtp[27963]: 873FF1A4AFC: to=<admin@imanudin.net>, relay=127.0.0.1[127.0.0.1]:10032, delay=0.36, delays=0.05/0.01/0.01/0.3, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=26021-01 - spam)

In my log, I got the information Blocked SPAM, a Hits value of more/less than 40, and discarded for every email with the subject “me new photo”, and the subject is not case sensitive. If you want to see whether the subject is the same or not in zimbra.log, you could try enabling logging of subject and attachment at this link : http://imanudin.net/2015/01/14/adding-subject-and-attachment-information-on-the-log-zimbra-8-58-6/

How To Limit Sending/Receipt Email Per day, Per Week or Per Month                

https://imanudin.net/2014/12/01/how-to-limit-sendingreceipt-email-per-day-per-week-or-per-month/

CBPolicyD has several modules, one of which is the accounting module. What is the accounting module for? With it, we can rate limit sending/receiving email on a daily, weekly and monthly basis. Even Gmail, Yahoo and other email providers limit sending/receiving email per day. You can see that information at this link : http://www.yetesoft.com/free-email-marketing-resources/email-sending-limit/.

Now, how can we, like Gmail or Yahoo, limit sending/receiving email per day, per week or per month? With the CBPolicyD accounting module, we can do that too. First, CBPolicyD must be enabled on your Zimbra mail server. If you are using Zimbra 8.5, you can use this guide : http://imanudin.net/2014/09/08/how-to-install-policyd-on-zimbra-8-5/

To activate the accounting module, open the webui via browser and choose Accounting | Configure. Select add, and fill it in as in the following example

Name : Rate limit perday
Link to policy : Default
Track : Sender:@domain (you can choose your own)
Period : Daily
Message Count Limit : 5000
Message Cumulative Size Limit : empty (I am not using cumulative size)
Verdict : HOLD
Data : The message shown when the policy has been fulfilled, for example "Sorry, your maximum email perday have been full"
Stop processing here : No
Comment : Fill in a comment or leave empty
Disabled : No

If there are no tables for the accounting module and you get the message “no such table” while creating the rule, you can add the accounting tables to sqlite manually.

cd /opt/zimbra/cbpolicyd/share/database/

./convert-tsql sqlite accounting.tsql > /tmp/accounting.sql

vi /tmp/accounting.sql

Delete all lines starting with # (comments) and save. Load the file into the sqlite database

sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb < /tmp/accounting.sql

Don’t forget to enable accounting module on Zimbra

su - zimbra

zmprov ms `zmhostname` zimbraCBPolicydAccountingEnabled TRUE

zmcbpolicydctl restart

Check the cbpolicyd.log log, where you will get information like below

[2014/11/29-21:33:37 - 27354] [CORE] INFO: module=Accounting, mode=update, host=127.0.0.1, helo=mail.example.com, from=user@example.com, to=user2@gmail.com, reason=accounting_update, policy=1, accounting=2, track=Sender:@example.com, period=2014-11-29, count=2/5000 (0.0%), size=0/-

Restricting Users to Send mails to Certain Domains on Zimbra 8.5                

https://imanudin.net/2014/10/13/restricting-users-to-send-mails-to-certain-domains-on-zimbra-8-5/

Previously, I explained how to restrict users to sending mail to certain users/domains using CBPolicyd. This article has the same aim as the previous article, but in this case we must make some modifications to Postfix to get it to work. This is how to apply it

Run the following commands as the zimbra user

1. Open file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add this line at the top

check_sender_access lmdb:/opt/zimbra/postfix/conf/restricted_senders

2. Open file /opt/zimbra/conf/zmconfigd.cf and add those lines before RESTART mta. This is example on my system

POSTCONF    smtpd_restriction_classes  local_only
POSTCONF    local_only  FILE  postfix_check_recipient_access.cf
RESTART mta

3. Create a file /opt/zimbra/conf/postfix_check_recipient_access.cf and add the following line

check_recipient_access lmdb:/opt/zimbra/postfix/conf/local_domains, reject

4. Create a file “/opt/zimbra/postfix/conf/restricted_senders” and list all the users you want to restrict. Follow this syntax:

user@yourdomain.com            local_only

5. Create a file “/opt/zimbra/postfix/conf/local_domains” and list all the domains to which “restricted users” are allowed to send mail. Please follow this syntax:

yourdomain.com              OK
otheralloweddomain.com      OK

6. Run following commands

postmap /opt/zimbra/postfix/conf/restricted_senders

postmap /opt/zimbra/postfix/conf/local_domains

zmmtactl stop

zmmtactl start

Try sending email to an allowed domain and to a domain that is not allowed. If you add a new user in step 4 or a new domain in step 5, don’t forget to run step 6 again.
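
An added example, not from the original article: a dry run of the two lookups configured in steps 1 to 5, so the plain-text tables can be checked against sender/recipient pairs before running postmap. It approximates Postfix access(5) lookups (full address, then domain; parent-domain and user@ forms are left out) and treats any recipient result other than OK as a reject; the function names and the sample table contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: dry-run the local_only restriction class against the
# plain-text tables before they are compiled with postmap.

# map_lookup KEY FILE: print the action stored for KEY (case-insensitive),
# ignoring blank lines and comments. Returns 1 when KEY has no entry.
map_lookup() {
    awk -v k="$1" '
        BEGIN { k = tolower(k) }
        /^[ \t]*(#|$)/ { next }
        tolower($1) == k { $1 = ""; sub(/^ +/, ""); print; found = 1; exit }
        END { exit !found }' "$2"
}

# access_lookup ADDRESS FILE: try user@domain first, then the bare domain.
access_lookup() {
    map_lookup "$1" "$2" || map_lookup "${1#*@}" "$2"
}

# local_only_verdict SENDER RECIPIENT RESTRICTED_SENDERS LOCAL_DOMAINS
#   DUNNO  - sender is not listed, later restrictions decide
#   PERMIT - restricted sender, recipient is in local_domains with OK
#   REJECT - restricted sender, recipient falls through to "reject"
local_only_verdict() {
    class=$(access_lookup "$1" "$3") || { echo DUNNO; return 0; }
    if [ "$class" != local_only ]; then
        echo "$class"            # some other access action, shown as-is
        return 0
    fi
    action=$(access_lookup "$2" "$4") || action=
    if [ "$action" = OK ]; then echo PERMIT; else echo REJECT; fi
}

# Constructed sample tables using the syntax from steps 4 and 5.
make_sample_tables() {
    printf '%s\n' '# restricted users' \
        'user@yourdomain.com            local_only' > "$1/restricted_senders"
    printf '%s\n' 'yourdomain.com              OK' \
        'otheralloweddomain.com      OK' > "$1/local_domains"
}

dir=$(mktemp -d)
make_sample_tables "$dir"
for rcpt in boss@yourdomain.com sales@otheralloweddomain.com someone@gmail.com; do
    printf '%-32s %s\n' "$rcpt" \
        "$(local_only_verdict user@yourdomain.com "$rcpt" \
            "$dir/restricted_senders" "$dir/local_domains")"
done
rm -rf "$dir"
```

A sender that returns DUNNO is not covered by this restriction at all, which is the result to look for when a user who should be restricted can still send to outside domains.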

How To Restrict Users Sending to Certain Users/Domains With Policyd         

https://imanudin.net/2014/09/29/how-to-restrict-users-sending-to-certain-usersdomains-with-policyd/

Policyd has an access control module. This module can be used for several purposes, such as improving anti-spam by rejecting unlisted domains, as described in the earlier article. The access control module can also be used to restrict users to sending to certain users/domains, and this article explains how to apply that.

This assumes you have installed and configured Policyd as in the article How To Install PolicyD on Zimbra 8.5. For illustration, I have a user named user1@imanudin.net. This user can send to the local domain only (imanudin.net) and is denied sending to other domains.

Open the Policyd webui at http://ZimbraServer:7780/webui/index.php. First, create the user and domain groups.

Select Groups. Add a new group and name it users_local_only. Add the member users to the group users_local_only. Don’t forget to change the disabled status from yes to no. Add a new group and name it list_domain. Add the member domains to the group list_domain. Don’t forget to change the disabled status from yes to no. See the following pictures

Select Policies | Main. Create a new policy and name it Sending Local Only. Give it priority 30 and fill in the description with information about your policy. Add a member to the new policy, filling in source with the group users_local_only and destination with the group list_domain but with reversed status. Don’t forget to change the disabled status from yes to no. See the following pictures

Now you must define the access for the new policy that has been created. Select Access Control | Configure. Add a new access control and name it Sending Local Only. Select Sending Local Only on link to policy and reject on verdict. In data, give information about why the email cannot be sent, like “Sorry, you cannot sending to outside”. See the following pictures

Don’t forget to change the disabled status from yes to no

Enable the Policyd access control module and restart the policyd service

su - zimbra

zmprov ms `zmhostname` zimbraCBPolicydAccessControlEnabled TRUE

zmcbpolicydctl restart

Try sending email from user1@imanudin.net to the outside and see the log information in /opt/zimbra/log/cbpolicyd.log and /var/log/zimbra.log to debug.

Configure Rate Limit Sending Message on PolicyD

https://imanudin.net/2014/09/09/zimbra-tips-how-to-configure-rate-limit-sending-message-on-policyd/

Yesterday, I wrote an article about how to install/enable Policyd on Zimbra 8.5. That article can be read at this link : http://imanudin.net/2014/09/08/how-to-install-policyd-on-zimbra-8-5/. Now I will describe how to configure rate limiting of sent messages with Policyd.

Why must we configure rate limiting of sent messages?

If a user has a compromised password, a spammer will send email to the outside with random recipient addresses, and a very large number of emails will be sent. Usually, the public IP address will then be blacklisted on RBLs and the server cannot send email to the outside. To prevent this, we can use Policyd and configure rate limiting of sent messages with the quotas module on Policyd. The quotas module can limit user@domain, or another tracking configuration, to sending a certain number of emails per minute or per hour. For example, each user can send a maximum of 200 emails per hour

How to configure it?

This is how to configure it, step by step. It assumes you have installed/enabled Policyd. If not, you can follow this guide : http://imanudin.net/2014/09/08/how-to-install-policyd-on-zimbra-8-5/

Access the Policyd WebUI via browser at http://zimbraserver:7780/webui/index.php. Ensure your Zimbra apache service is running

Select Policies | Groups. Select action and add a group. Give it the name list_domain. The comment can be left empty or filled in. Select the group that has been made. On action, select members and fill in your domain. See the following example. Make sure the disabled status is no on groups and on group members

Select Policies | Main. Create a new policy and name it rate limit sending message. See the following example

Select the new policy that has been made. On action, select members and fill in the group that was previously made. Ensure disabled is no. See the following example

Select Quotas | Configure. Select action | add. Fill it in as in the following example

Name : Rate Limit
Track : sender:user@domain
Period : 3600
Link to policy : Rate Limit Sending Message
Verdict : Defer (delay)
Data : information given to users when the policy has been met, or you can leave it empty. Example : Sorry, your quotas to sending email has been full. please try again later

When all fields have been configured, click Submit Query. Select the new quota that was previously made | select action | Limits. Add a limit and configure it. See the following example

Ensure disabled status is no

The above configuration will limit sending messages from the local domain to the outside, and from outside to any domain, to a maximum of 200 emails/user/hour. Try sending a message to another domain and see the log information in /opt/zimbra/log/cbpolicyd.log

[2014/09/08-21:32:39 - 4871] [CORE] INFO: module=Quotas, mode=create, host=127.0.0.1, helo=mail, from=admin@imanudin.net, to=ahmadiman@gmail.com, reason=quota_create, policy=6, quota=3, limit=4, track=Sender:admin@imanudin.net, counter=MessageCount, quota=1.00/200 (0.5%)
[2014/09/08-21:32:39 - 4871] [CBPOLICYD] INFO: Got request #2 (pipelined)
[2014/09/08-21:32:39 - 4871] [CORE] INFO: module=Quotas, mode=update, host=127.0.0.1, helo=mail, from=admin@imanudin.net, to=ahmadiman@gmail.com, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:admin@imanudin.net, counter=MessageCount, quota=2.00/200 (1.0%)
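
An added example, not part of the original articles: a shell function that reads cbpolicyd.log lines in the Accounting and Quotas formats shown on this page and lists every tracked sender whose usage has reached a given percentage of its limit, which helps spot an account that is sending far more than usual before the verdict triggers. The sample log lines are constructed, modelled on the page's format, and the function names quota_usage and sample_log are hypothetical.

```shell
#!/bin/sh
# Added example: report cbpolicyd trackers that are close to their limit.
# Reads cbpolicyd.log on stdin; $1 is the alert threshold in percent.

quota_usage() {
    LC_ALL=C awk -v thr="${1:-80}" '
    /module=(Quotas|Accounting),/ {
        track = ""; used = ""; limit = ""
        n = split($0, f, ", ")
        for (i = 1; i <= n; i++) {
            if (f[i] ~ /^track=/) track = substr(f[i], 7)
            # Usage is quota=USED/LIMIT (Quotas) or count=USED/LIMIT
            # (Accounting). The bare quota=<id> field has no slash.
            if (f[i] ~ /^(quota|count)=[0-9.]+\/[0-9.]+/) {
                v = f[i]
                sub(/^[a-z]+=/, "", v)   # drop the key
                sub(/ .*/, "", v)        # drop the trailing " (N%)"
                split(v, p, "/"); used = p[1]; limit = p[2]
            }
        }
        if (track == "" || limit + 0 == 0) next
        pct = 100 * used / limit
        # keep the highest usage seen for each tracker
        if (!(track in max) || pct > max[track]) {
            max[track] = pct; use[track] = used; lim[track] = limit
        }
    }
    END {
        for (t in max)
            if (max[t] >= thr + 0)
                printf "%s %s/%s %.1f%%\n", t, use[t], lim[t], max[t]
    }' | LC_ALL=C sort
}

# Constructed sample lines in the two formats the page shows.
sample_log() {
    cat <<'EOF'
[2014/09/08-21:32:39 - 4871] [CORE] INFO: module=Quotas, mode=update, host=127.0.0.1, helo=mail, from=alice@example.com, to=a@example.org, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:alice@example.com, counter=MessageCount, quota=150.00/200 (75.0%)
[2014/09/08-21:40:02 - 4871] [CORE] INFO: module=Quotas, mode=update, host=127.0.0.1, helo=mail, from=alice@example.com, to=b@example.org, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:alice@example.com, counter=MessageCount, quota=190.00/200 (95.0%)
[2014/09/08-21:41:10 - 4871] [CORE] INFO: module=Quotas, mode=update, host=127.0.0.1, helo=mail, from=bob@example.com, to=c@example.org, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:bob@example.com, counter=MessageCount, quota=3.00/200 (1.5%)
[2014/09/08-21:42:00 - 4871] [CBPOLICYD] INFO: Got request #2 (pipelined)
[2014/09/08-21:45:37 - 27354] [CORE] INFO: module=Accounting, mode=update, host=127.0.0.1, helo=mail.example.com, from=carol@example.com, to=d@example.org, reason=accounting_update, policy=1, accounting=2, track=Sender:@example.com, period=2014-09-08, count=4600/5000 (92.0%), size=0/-
EOF
}

sample_log | quota_usage 80
```

On a live server the same function would be fed the real file, for example `quota_usage 80 < /opt/zimbra/log/cbpolicyd.log`.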

Domain level blocking of users

ZCS 8.5 and 8.6

Create the postmap database as defined below.

Modify /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf, by adding this as the second line of the file:

%%contains VAR:zimbraMtaSmtpdSenderRestrictions check_sender_access lmdb:/opt/zimbra/postfix/conf/postfix_reject_sender%% 

Then execute:

zmprov ms <zmhostname> +zimbraMtaSmtpdSenderRestrictions "check_sender_access lmdb:/opt/zimbra/postfix/conf/postfix_reject_sender"

user@domain.com REJECT
domainX.com REJECT

/opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/postfix_reject_sender

zmmtactl stop && zmmtactl start

ZCS 8.7 and later

user@domain.com REJECT
domainX.com REJECT

/opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/postfix_reject_sender

Verification

Check the Postfix configuration with postconf | grep smtpd_sender_restrictions

You'll be able to see the changes show up in /opt/zimbra/log/zmconfigd.log .

Reject messages will be logged in /var/log/zimbra.log ; format looks like this:

[date / hostname] postfix/smtpd[####] NOQUEUE: reject: RCPT from [remote mta]: 554 5.7.1 <senders-email@DOMAIN>: Sender address rejected: Access denied: from=<senders-email@DOMAIN> to=<local-zimbra-user@domain> proto=ESMTP helo=<remote mta>

The sender will receive a returned email declaring the rejection.

----