Setup policyd on Zimbra 8.8.x to rate limit the number of messages each account can send with smtp-auth

Question

I'm running Zimbra 8.8.9 and I'm trying to rate limit the number of messages that a single user can send over smtp after authenticating with smtp-auth. The purpose is to limit the damage in case one of the passwords of my users is guessed/obtained by a spammer.

Zimbra ships CBPolicyD (www.policyd.org) as part of zimbra-mta package, but it's disabled by default.

I followed the howto at https://wiki.zimbra.com/wiki/How-to_for_cbpolicyd and enabled policyd with:

zmprov ms zimbra.mydomain.tld +zimbraServiceInstalled cbpolicyd
zmprov ms zimbra.mydomain.tld +zimbraServiceEnabled cbpolicyd

I also activated the web interface:

 sudo -s
 cd /opt/zimbra/data/httpd/htdocs
 ln -s ../../../common/share/webui

and setup Zimbra's Apache to serve this new dir:

• edit /opt/zimbra/conf/httpd.conf
• add Alias /webui /opt/zimbra/common/share/webui/ to the end of the file
• restart Zimbra

I edited the config file at /opt/zimbra/common/share/webui/includes/config.php to point to the proper sqlite db:

 $DB_DSN="sqlite:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb";

and finally added a cronjob to periodically cleanup the tracking database at the end of zimbra's crontab:

 # ZIMBRAEND -- DO NOT EDIT ANYTHING BETWEEN THIS LINE AND ZIMBRASTART
 0 * * * * cat /opt/zimbra/log/clean_cbpolicyd_daily.sql  | sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb

I couldn't find a step-by-step example of how to setup the rate limiting using policyd webui and the interface is far from intuitive to use.

How do I have policyd count emails sent by each account and rate limit them?

Answer 1

First of all note that policyd webui is not password protected unless you take additional measures, i.e. add an .htaccess to that dir and add an AllowOverride AuthConfig to httpd.conf:

 <Directory /opt/zimbra/common/share/webui>
 AllowOverride AuthConfig
 </Directory>

Also note that by default policyd is only available on the cleartext web interface of Zimbra, i.e. http://zimbra.domain.tld:7780/webui/index.php

Take appropriate steps to secure the web interface.

Go to http://zimbra.domain.tld:7780/webui/policy-main.php and choose 'Add'. Enter the following:

• Name: smtp-auth-limit
• Priority: 1
• Description: anything

Go back to http://zimbra.domain.tld:7780/webui/policy-main.php and select the new 'smtp-auth-limit' policy then choose Action "Change". Set "Disabled" to "No" and submit.

Now go back to http://zimbra.domain.tld:7780/webui/policy-main.php again, select 'smtp-auth-limit' again and choose action "Members".

Choose "Add" and enter the following:

• Source: $*
• Destination: any
• Comment: anything

Now be careful click on "Back to members" not "Back to policies" or you'll get lost.

If you were careful, select the line with Source "$*" and choose Action "Change".

If you were not careful, go back to http://zimbra.domain.tld:7780/webui/policy-main.php choose "smtp-auth-limit" policy, Action "Members", select the line with Source "$*" and choose Action "Change".

Set "Disabled" to "No" and submit.

Finally go to http://zimbra.domain.ltd:7780/webui/quotas-main.php and choose Action "Add". Enter the following:

• Name: rate limit smtp auth
• Track: SASLUsername:username
• Period: 86400
• Link to policy: choose 'smtp-auth-limit' from the drop-down menu
• Verdict: Defer (delay)
• Data: you talk too fast (this message will be shown to the sender)
• Stop processing here: yes

Go back to http://zimbra.domain.ltd:7780/webui/quotas-main.php and select the 'smtp-auth-limit' policy, choose Action "Change". Set Disabled to "No" and submit.

Go back once again to http://zimbra.domain.ltd:7780/webui/quotas-main.php and select 'smtp-auth-limit' policy, choose Action "Limits".

Select Action "Add" and enter the following, assuming you want to allow each account to send a maximum of 200 msgs every 86400 secs:

• Type: Message Count
• Counter Limit: 200
• Comment: anything

Now be careful, you know the drill, click on "Back to quota limits" or you'll get lost. Select the line with Counter Limit = 200 then choose Action "Change". Set Disabled to "No" and submit.