1

I've ran onto a behavior issue that I cannot see how to fix.

I've configured Zimbra (8.0.4) with policyd, following this tutorial

Step1: Create a policy
Step2: Create a group (list_domain)
Step3: Add a domain to the group (@example.com)
Step4: Add a member to policy (from: %list_domain, to: any)
Step5: Add a quota (track: Sender: user@domain, Period: 60, verdict: defer)
Step6: Add a limit to the quota (Type: messageCount, Limit: 5)

And, hey presto. It's working!!!

BUT

The quota counters get incremented by number of recipient. That is, if I send one mail message to 6 recipients, it will be blocked.

Question

What must I change in order to make policyd track number of messages instead of number of recipients?

UPDATE

Here are some relative server logs, where all the sensitive information has been replaced with imaginary data.

mailbox.log abstract

2015-09-02 10:58:44,980 INFO  [qtp126151468-4888876] [name=account@domain.com;mid=537;ip=xx.xx.xx.xx;ua=ZimbraWebClient - FF40 (Win)/8.0.7_GA_6021;] smtp - Sending message to MTA at server.domain.com: Message-ID=<1187019100.8600745.14411807248
66.JavaMail.zimbra@domain.com>, origMsgId=101f0b66-b103-4161-8767-7ab1e00ffffd:1279544, replyType=w
2015-09-02 10:58:45,206 WARN  [qtp126151468-4888876] [name=account@domain.com;mid=537;ip=xx.xx.xx.xx;ua=ZimbraWebClient - FF40 (Win)/8.0.7_GA_6021;] smtp - Failed to send message
com.zimbra.cs.mailclient.smtp.InvalidRecipientException: RCPT failed: Invalid recipient acc5@otherdomain.com: 450 4.7.1 <account@domain.com>: Sender address rejected: Deferring: Too many messages from sender in last 60
        at com.zimbra.cs.mailclient.smtp.SmtpConnection.rcpt(SmtpConnection.java:680)
        [........]

cbpolicyd.log abstract

[2015/09/02-10:58:45 - 28180] [CORE] INFO: module=Quotas, mode=create, host=yy.yy.yy.yy, helo=server.domain.com, from=account@domain.com, to=acc1@otherdomain.com, reason=quota_create, policy=6, quota=3, limit=4, track=Sender:account@domain.com, counter=MessageCount, quota=1.00/3 (33.3%)
[2015/09/02-10:58:45 - 28180] [CORE] INFO: module=Quotas, mode=update, host=yy.yy.yy.yy, helo=server.domain.com, from=account@domain.com, to==acc2@otherdomain.com, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:account@domain.com, counter=MessageCount, quota=2.00/3 (66.7%)
[2015/09/02-10:58:45 - 28180] [CORE] INFO: module=Quotas, mode=update, host=yy.yy.yy.yy, helo=server.domain.com, from=account@domain.com, to==acc3@otherdomain.com, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:account@domain.com, counter=MessageCount, quota=3.00/3 (100.0%)
[2015/09/02-10:58:45 - 28180] [CORE] INFO: module=Quotas, mode=update, host=yy.yy.yy.yy, helo=server.domain.com, from=account@domain.com, to==acc4@otherdomain.com, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:account@domain.com, counter=MessageCount, quota=4.00/3 (133.3%)
[2015/09/02-10:58:45 - 28180] [CORE] INFO: module=Quotas, action=defer, host=yy.yy.yy.yy, helo=server.domain.com, from=account@domain.com, to==acc5@otherdomain.com, reason=quota_match, policy=6, quota=3, limit=4, track=Sender:account@domain.com, counter=MessageCount, quota=5.00/3 (166.7%)

Our zimbra server does not act as a relay agent, it uses an external service in our lan to deliver messages to external domains. So, all the outgoing messages that are to be delivered to external domains, are passed over to the external mta in one single queue item.

Thus, every message becomes one and only one queue item to the external mta/relay, regardless the number of recipients in it.

1 Answers1

1

No, you can't

The quota counters get incremented by number of recipient. That is, if I send one mail message to 6 recipients, it will be blocked. What must I change in order to make policyd track number of messages instead of number of recipients?

Of course it will blocked. When you send email to 6 recipients, basically postfix (in Zimbra) will send copy of your email to 6 recipients. So, cbpolicyd also count it as 6 messages.

In postfix terms, number of messages and number of recipients was same. Remember that your email client can have different ways to sending email.

  • They can send email to 6 recipients at once in one SMTP session or
  • They can send email for each recipient in each SMTP session

More importantly, this mechanism will protect you again some nasty user/spammer who wants to bypass this restriction by putting thousands on recipients in single message.


Additional note:

I can confirm that this behavior was intended in cbpolicyd. The evidence came from cbpolicyd source code, especially in files cbp/modules/Quotas.pm line 192. Basically, cbpolicyd will increment counter in each RCPT TO stage. So, right now you can't do it via policyd.

masegaloeh
  • 17,978
  • 9
  • 56
  • 104
  • This functionality, recipients-per-message restriction, comes out of the box in postfix and we are already using it. So, the answer to the question is basically "you can't"? – Stavros Souvatzis Sep 04 '15 at 01:20
  • Hmm, perhaps I misunderstanding the purpose of `messageCount` parameter in policyd. Can you edit the question and add mail.log when client send a message with recipient exceed the limit. – masegaloeh Sep 04 '15 at 03:20
  • I've edited, @masegaloeh – Stavros Souvatzis Sep 04 '15 at 07:35
  • I can confirm that this is how policyd works right now. So, update above – masegaloeh Sep 04 '15 at 14:06
  • I've been looking at that file myself. Policyd is open source, so I'll try adapting some blocks to alter the functionality, or even make a slightly different module. Thanks – Stavros Souvatzis Sep 04 '15 at 19:52