Introduction
Zimbra is an email and collaboration suite. It uses Postfix as its MTA. You can optionally enable policyd to provide limiting features such as quotas or throttling.
Every configuration setting can be changed through the web interface or the CLI. Editing configuration files or the database directly shouldn't be done; Zimbra could overwrite the changes when upgrading or restarting.
Enabling policyd
According to this page, we can enable policyd by executing only two commands.
In the background, Zimbra alters the Postfix configuration. Here is the postconf -n output before and after policyd is enabled.
Before
smtpd_client_restrictions = reject_unauth_pipelining
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions =
smtpd_etrn_restrictions =
smtpd_helo_restrictions =
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_recipient, reject_invalid_helo_hostname, reject_non_fqdn_sender, permit
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_restriction_classes =
smtpd_sender_restrictions =
After
smtpd_client_restrictions = reject_unauth_pipelining
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions = check_policy_services 127.0.0.1:10031
smtpd_etrn_restrictions =
smtpd_helo_restrictions =
smtpd_recipient_restrictions = check_policy_services 127.0.0.1:10031, reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_recipient, reject_invalid_helo_hostname, reject_non_fqdn_sender, permit
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_restriction_classes =
smtpd_sender_restrictions = check_policy_services 127.0.0.1:10031
Analysis
The behavior that happened in your Zimbra can be explained by analyzing the output of postconf -n. At the smtpd_sender_restrictions stage, Zimbra already contacts policyd (by check_policy_services). At that stage, the counter is already incremented. At the smtpd_relay_restrictions stage, Postfix rejects the email with the error message 'authorization failed'.
Solution
Based on the analysis above, the behavior can be prevented by removing check_policy_services from smtpd_sender_restrictions. Postfix still calls check_policy_services in smtpd_recipient_restrictions.
Disclaimer:
- This applies to Zimbra version 8.0.7. Other versions may not have this bug.
- As stated above, direct editing of configuration files isn't officially supported. There may be a design reason why Zimbra puts policyd earlier, and direct editing could break it. To be safe, you can post it to Zimbra support and discuss it with the Zimbra developers.
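An added example (not part of the original answer, and not Zimbra's own tooling): it parses the "After" postconf -n output shown above and reports which restriction lists query policyd before reject_unauth_destination can refuse the message, which is the ordering the Analysis describes. The stage order assumes Postfix 2.10 or later with the default smtpd_delay_reject = yes; the function names are hypothetical.

```python
import re

# Order in which Postfix (>= 2.10, default smtpd_delay_reject = yes) walks the
# restriction lists for one message. This ordering is an assumption of the example.
STAGE_ORDER = [
    "smtpd_client_restrictions", "smtpd_helo_restrictions",
    "smtpd_sender_restrictions", "smtpd_relay_restrictions",
    "smtpd_recipient_restrictions", "smtpd_data_restrictions",
    "smtpd_end_of_data_restrictions",
]
# The page's output spells the restriction check_policy_services; Postfix's own
# name is check_policy_service. Accept either spelling.
POLICY_RE = re.compile(r"check_policy_services?\b")

# The page's "After" output, limited to the lists that matter here.
AFTER = """\
smtpd_client_restrictions = reject_unauth_pipelining
smtpd_sender_restrictions = check_policy_services 127.0.0.1:10031
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_recipient_restrictions = check_policy_services 127.0.0.1:10031, reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_recipient, reject_invalid_helo_hostname, reject_non_fqdn_sender, permit
smtpd_end_of_data_restrictions = check_policy_services 127.0.0.1:10031
"""

def parse_postconf(text):
    """Map each parameter to its restriction list (comma-separated, as on the page)."""
    conf = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            conf[name.strip()] = [r.strip() for r in value.split(",") if r.strip()]
    return conf

def policy_stages(conf):
    """Every stage that queries the policy daemon, in evaluation order."""
    return [s for s in STAGE_ORDER
            if any(POLICY_RE.match(r) for r in conf.get(s, []))]

def policy_before_relay_check(conf):
    """Stages that query policyd before reject_unauth_destination is reached."""
    early = []
    for stage in STAGE_ORDER:
        for restriction in conf.get(stage, []):
            if restriction == "reject_unauth_destination":
                return early
            if POLICY_RE.match(restriction) and stage not in early:
                early.append(stage)
    return early

if __name__ == "__main__":
    conf = parse_postconf(AFTER)
    print("policy daemon queried in:", policy_stages(conf))
    print("queried before the relay check:", policy_before_relay_check(conf))
```

Any stage listed by policy_before_relay_check lets policyd count a message that the relay check then rejects; an empty list means counting only starts after the relay check.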