Error Cbpolicyd

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
Post Reply
ALP
Posts: 14
Joined: Sat Jun 23, 2018 11:37 pm
Location: Mendoza, Argentina
ZCS/ZD Version: 8.8.8 Patch 4 Network Edition

Error Cbpolicyd

Post by ALP »

Hi, I need to limit the number of outgoing emails and I have followed the steps in the https://wiki.zimbra.com/wiki/How-to_for_cbpolicyd guide to implement cbpolicyd on my ZSC server 8.8.8 and it did not work for me. Then copy the outputs of the console. I need to find out what the errors are.


Thank you very much and greetings


zimbra@correo1:/home$ zmprov ms `zmhostname` +zimbraServiceInstalled cbpolicyd && zmprov ms `zmhostname` +zimbraServiceEnabled cbpolicyd

zimbra@correo1:/home$ zmprov gs `zmhostname` | grep zimbraServiceInstalled
zimbraServiceInstalled: amavis
zimbraServiceInstalled: antivirus
zimbraServiceInstalled: antispam
zimbraServiceInstalled: opendkim
zimbraServiceInstalled: stats
zimbraServiceInstalled: logger
zimbraServiceInstalled: proxy
zimbraServiceInstalled: mailbox
zimbraServiceInstalled: spell
zimbraServiceInstalled: convertd
zimbraServiceInstalled: mta
zimbraServiceInstalled: dnscache
zimbraServiceInstalled: ldap
zimbraServiceInstalled: memcached
zimbraServiceInstalled: snmp
zimbraServiceInstalled: cbpolicyd


zimbra@correo1:/home$ zmcbpolicydctl status
policyd is running.

zimbra@correo1:/home$ cat /opt/zimbra/common/conf/main.cf |grep smtpd_end_of_data_restrictions
smtpd_end_of_data_restrictions = check_policy_service inet:localhost:10031

zimbra@correo1:/home$ cat /opt/zimbra/common/conf/main.cf |grep smtpd_recipient_restrictions
smtpd_recipient_restrictions = check_policy_service inet:localhost:10031, reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_recipient, reject_invalid_helo_hostname, reject_non_fqdn_sender, permit

zimbra@correo1:/home$ zmlocalconfig | grep -i cbpolicy
cbpolicyd_cache_file = ${zimbra_home}/data/cbpolicyd/cbpolicyd.cache
cbpolicyd_db_file = ${zimbra_home}/data/cbpolicyd/db/cbpolicyd.sqlitedb
cbpolicyd_log_detail = modules
cbpolicyd_log_file = ${zimbra_log_directory}/cbpolicyd.log
cbpolicyd_log_mail = main
cbpolicyd_pid_file = ${zimbra_log_directory}/cbpolicyd.pid


root@correo1:/home# tail -f /opt/zimbra/log/cbpolicyd.log
[2018/06/28-11:13:09 - 3898] [POLICIES] WARNING: [ID:3/Name:Default Inbound]: Error while processing source item '!%internal_ips', skipping...
[2018/06/28-11:13:09 - 3898] [POLICIES] WARNING: [ID:4/Name:Default Internal]=>(group:internal_ips): - Resolved source '' to a IP/CIDR specification, but its INVALID: awitpt::netip::new(96): Failed to guess IP address version
[2018/06/28-11:13:09 - 3898] [POLICIES] WARNING: [ID:4/Name:Default Internal]: Error while processing source item '%internal_ips', skipping...
[2018/06/28-11:13:09 - 3898] [CBPOLICYD] INFO: Got request #45 (pipelined)
[2018/06/28-11:13:09 - 3898] [CBPOLICYD] INFO: Got request #46 (pipelined)
[2018/06/28-11:14:49 - 3894] [CORE] INFO: Killing "1" children
User avatar
gabrieles
Outstanding Member
Outstanding Member
Posts: 233
Joined: Tue Feb 14, 2017 9:40 am

Re: Error Cbpolicyd

Post by gabrieles »

Actually your cbpolicyd IS working, as your cbpolicyd.log reports.
Did you configure some policies or is it running only the Default Internal as seen on these lines?
ALP
Posts: 14
Joined: Sat Jun 23, 2018 11:37 pm
Location: Mendoza, Argentina
ZCS/ZD Version: 8.8.8 Patch 4 Network Edition

Re: Error Cbpolicyd

Post by ALP »

Hello Gabriels, thank you for your response. I have applied the following policies to limit the speed:

BEGIN TRANSACTION;
INSERT INTO "policies" VALUES (6, 'Zimbra', 0, 'Zimbra QA Test Policy', 0);
DELETE FROM sqlite_sequence;
INSERT INTO "sqlite_sequence" VALUES ('policies', 6);
INSERT INTO "sqlite_sequence" VALUES ('policy_members', 6);
INSERT INTO "sqlite_sequence" VALUES ('policy_groups', 2);
INSERT INTO "sqlite_sequence" VALUES ('policy_group_members', 3);
INSERT INTO "sqlite_sequence" VALUES ('quotas', 4);
INSERT INTO "sqlite_sequence" VALUES ('quotas_limits', 5);
INSERT INTO "sqlite_sequence" VALUES ('checkhelo_blacklist', 4);
INSERT INTO "policy_members" VALUES (6, 6, 'any', 'any',, 0);
INSERT INTO "quotas" VALUES (3, 6, 'Sender: user @ domain', 'Sender: user @ domain', 60, 'DEFER', 'Deferring: Too many messages from sender in last 60',, 0);
INSERT INTO "quotas" VALUES (4, 6, 'Recipient: @domain', 'Recipient: @domain', 60, 'REJECT',,, 0);
INSERT INTO "quotas_limits" VALUES (4, 3, 'MessageCount', 20,, 0);
INSERT INTO "quotas_limits" VALUES (5, 4, 'MessageCount', 50,, 0);
COMMIT;

It works, the problem is that from webmail interprets each recipient as an email sent. And instead of putting them in the deferred queue it shows an error preventing the sending.

Thanks and regards
User avatar
gabrieles
Outstanding Member
Outstanding Member
Posts: 233
Joined: Tue Feb 14, 2017 9:40 am

Re: Error Cbpolicyd

Post by gabrieles »

ALP wrote: INSERT INTO "quotas" VALUES (3, 6, 'Sender: user @ domain', 'Sender: user @ domain', 60, 'DEFER', 'Deferring: Too many messages from sender in last 60',, 0);
INSERT INTO "quotas" VALUES (4, 6, 'Recipient: @domain', 'Recipient: @domain', 60, 'REJECT',,, 0);
I hope these are mockups and you don't exactly copypasted them from there: https://wiki.zimbra.com/wiki/Cluebringe ... _cbpolicyd ?

Anyways, using 'Sender:user@domain' as tracker, tracks every single message and is not so good in case of Cc or lists. Use 'SASLUsername:username' instead, with the SASL username as value.
And finally, don't go crazy policing with sqlite, use the webui: https://wiki.zimbra.com/wiki/King0770-N ... nsupported (if you are on ZCS>=8.7 use the correct path, /opt/zimbra/common/share/webui )
ALP
Posts: 14
Joined: Sat Jun 23, 2018 11:37 pm
Location: Mendoza, Argentina
ZCS/ZD Version: 8.8.8 Patch 4 Network Edition

Re: Error Cbpolicyd

Post by ALP »

Hello Gabrieles, gracais for your answer.

The exact policies I am using are the following:

BEGIN TRANSACTION;
INSERT INTO "policies" (Name,Priority,Description) VALUES('Zimbra CBPolicyd Policies', 0, 'Zimbra CBPolicyd Policies');
INSERT INTO "policy_members" (PolicyID,Source,Destination) VALUES(6, 'any', 'any');
INSERT INTO "quotas" (PolicyID,Name,Track,Period,Verdict,Data) VALUES (6, 'LimiteDeEnvios','Sender:user@domain', 60, 'DEFER', 'Deferring: Too many messages from sender in last 60');
INSERT INTO "quotas_limits" (QuotasID,Type,CounterLimit) VALUES(3, 'MessageCount', 3);
COMMIT;

The problem is that from webmail it takes each recipient as a sent message.

$cat /opt/zimbra/log/cbpolicyd.log

[2018/07/04-09:04:08 - 3693] [CORE] INFO: module=Quotas, action=defer, host=a.b.c.d, helo=correo1.dominio.com, from=admin@dominio.com, to=prueba2@dominio.com, reason=quota_match, policy=6, quota=3, limit=4, track=Sender:admin@dominio.com, counter=MessageCount, quota=5.00/3 (166.7%)


Also instead of putting the emails in the tail of differed, it shows the user the following message.


Mensaje no enviado; una o más direcciones no han sido aceptadas.
Direcciones rechazadas: c <prueba2@dominio.com>
method: [unknown]
msg: Invalid address: c <prueba2@dominio.com>. com.zimbra.cs.mailbox.MailSender$SafeSendFailedException: MESSAGE_NOT_DELIVERED; chained exception is: com.zimbra.cs.mailclient.smtp.InvalidRecipientException: RCPT failed: Invalid recipient prueba2@dominio.com: 450 4.7.1 <admin@dominio.com>: Sender address rejected: Deferring: Too many messages from sender in last 60
code: mail.SEND_ABORTED_ADDRESS_FAILURE
detail: soap:Sender
trace: qtp1684106402-16:1530705848687:9a3f581427d2cc76
request:
.....
.....
.....

I enabled webui and created the policies from the interface I got the same result.
Also replace 'Sender: user @ domain' with 'SASLUsername: username' but it does not apply to shipments from webmail.

Do you have any idea why this is ...?

Thank you very much
abeen
Posts: 1
Joined: Mon Dec 31, 2018 11:32 am

Re: Error Cbpolicyd

Post by abeen »

hello,

did you found the solution for this issue? I also have the same issue with verdict defer. The emails are getting rejected rather than getting deffered.
Post Reply