
cbpolicy quota module - working via Zimbra web client, not working with smtp emails

Posted: Mon Aug 26, 2013 6:31 pm
by bloom
Hi,
I have gone through Postfix Policyd - Zimbra :: Wiki and How-to for cbpolicyd - Zimbra :: Wiki.

I have set up quota policies and limits.
Something must be wrong, though: it works OK when I send emails from the Zimbra web client, but it does not work for emails sent from Thunderbird (with encrypted SMTP to port 587).
What may I be missing?
Some debugs are:


[2013/08/27-00:25:00 - 17814] [TRACKING] DEBUG: Request translated into session data: $VAR1 = {
  'SASLUsername' => '',
  'QueueID' => '0A114E3A40',
  'RecipientData' => '/#0=1,6;',
  'EncryptionCipher' => '',
  'Instance' => '4c85.521bd5bb.de80e.0',
  'Size' => '1',
  'EncryptionKeySize' => '0',
  'UnixTimestamp' => 1377555900,
  'ProtocolTransport' => 'Postfix',
  'EncryptionProtocol' => '',
  'Helo' => 'OFFICE.xxx.xxx',
  'ClientAddress' => '192.168.47.50',
  'ClientName' => 'yyy.xxx.xxx',
  'Sender' => 'piotr@xxx.xxx',
  'SASLSender' => '',
  '_ClientAddress' => bless( {
    'raw_ip' => '192.168.47.50',
    'ip' => '192.168.47.50',
    'ip_version' => 4,
    'cidr' => 32
  }, 'awitpt::netip' ),
  'ProtocolState' => 'END-OF-MESSAGE',
  '_Recipient_To_Policy' => {
    'pkam@XXX' => {
      '0' => [
        '1',
        '6'
      ]
    }
  },
  'Protocol' => 'ESMTP',
  'ClientReverseName' => 'yyy.xxx.xxx',
  'SASLMethod' => ''
};


This is followed by

[2013/08/27-00:24:59 - 17814] [CBPOLICYD] DEBUG: Running module: Quotas Plugin
[2013/08/27-00:25:00 - 17814] [CORE] INFO: module=Quotas, mode=update, host=192.168.47.50,
[cut]


And the bad one:


[2013/08/27-01:00:48 - 17815] [TRACKING] DEBUG: Request translated into session data: $VAR1 = {
  'SASLUsername' => 'piotr@xxx.xxx',
  'QueueID' => '2567EE3A42',
  'RecipientData' => '',
  'Instance' => '6ee1.521bde20.1a1cf.0',
  'EncryptionCipher' => 'ECDHE-RSA-AES256-SHA',
  'Size' => '1',
  'EncryptionKeySize' => '256',
  'UnixTimestamp' => 1377558048,
  'ProtocolTransport' => 'Postfix',
  'EncryptionProtocol' => 'TLSv1',
  'Helo' => '[192.168.47.201]',
  'ClientAddress' => '192.168.47.1',
  'ClientName' => 'unknown',
  'Sender' => 'piotr@xxx.xxx',
  'SASLSender' => '',
  '_ClientAddress' => bless( {
    'raw_ip' => '192.168.47.1',
    'ip' => '192.168.47.1',
    'ip_version' => 4,
    'cidr' => 32
  }, 'awitpt::netip' ),
  'ProtocolState' => 'END-OF-MESSAGE',
  'Protocol' => 'ESMTP',
  'ClientReverseName' => 'unknown',
  'SASLMethod' => 'PLAIN'
};

This is followed by


[2013/08/27-01:00:48 - 17815] [CBPOLICYD] INFO: Got request #1
[2013/08/27-01:00:48 - 17815] [CBPOLICYD] DEBUG: Running module: Access Control Plugin
[2013/08/27-01:00:48 - 17815] [CBPOLICYD] DEBUG: Module 'Access Control Plugin' returned CBP_SKIP
[2013/08/27-01:00:48 - 17815] [CBPOLICYD] DEBUG: Running module: HELO/EHLO Check Plugin
[2013/08/27-01:00:48 - 17815] [CBPOLICYD] DEBUG: Module 'HELO/EHLO Check Plugin' returned CBP_SKIP
[2013/08/27-01:00:48 - 17815] [CBPOLICYD] DEBUG: Running module: SPF Check Plugin
[2013/08/27-01:00:48 - 17815] [CBPOLICYD] DEBUG: Module 'SPF Check Plugin' returned CBP_SKIP
[2013/08/27-01:00:48 - 17815] [CBPOLICYD] DEBUG: Running module: Greylisting Plugin
[2013/08/27-01:00:48 - 17815] [CBPOLICYD] DEBUG: Module 'Greylisting Plugin' returned CBP_SKIP
[2013/08/27-01:00:48 - 17815] [CBPOLICYD] DEBUG: Running module: Quotas Plugin
[2013/08/27-01:00:48 - 17815] [CBPOLICYD] DEBUG: Module 'Quotas Plugin' returned CBP_SKIP
[2013/08/27-01:00:48 - 17815] [CBPOLICYD] DEBUG: Running module: Accounting Plugin
[2013/08/27-01:00:48 - 17815] [CBPOLICYD] DEBUG: Module 'Accounting Plugin' returned CBP_SKIP
[2013/08/27-01:00:48 - 17815] [CBPOLICYD] DEBUG: Done with modules
[2013/08/27-01:00:48 - 28390] [CORE] DEBUG: Child Preforked (28390)
[2013/08/27-01:00:48 - 28390] [CBPOLICYD] DEBUG: Starting up caching engine

Please help! I have run out of ideas where to look for a mistake.

Regards

Piotr
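
A triage sketch for the symptom shown in the two dumps above, added as an example and not part of the original post: it pairs each session dump with later module results from the same cbpolicyd child PID and lists authenticated sessions (non-empty SASLUsername) for which the Quotas Plugin returned CBP_SKIP. The sample log is constructed, the function name is hypothetical, and attributing field lines to the most recent dump header assumes dumps from different children are not interleaved.

```python
import re

# Constructed excerpt in the format of the debug output above (shortened, placeholder values).
SAMPLE_LOG = """\
[2013/08/27-01:00:48 - 17815] [TRACKING] DEBUG: Request translated into session data: $VAR1 = {
  'SASLUsername' => 'user@example.test',
  'QueueID' => 'AAAA000001',
  'RecipientData' => '',
  'ClientAddress' => '192.0.2.10',
};
[2013/08/27-01:00:48 - 17815] [CBPOLICYD] DEBUG: Running module: Quotas Plugin
[2013/08/27-01:00:48 - 17815] [CBPOLICYD] DEBUG: Module 'Quotas Plugin' returned CBP_SKIP
[2013/08/27-01:01:10 - 17814] [TRACKING] DEBUG: Request translated into session data: $VAR1 = {
  'SASLUsername' => '',
  'QueueID' => 'AAAA000002',
  'RecipientData' => '/#0=1,6;',
  'ClientAddress' => '192.0.2.20',
};
[2013/08/27-01:01:10 - 17814] [CBPOLICYD] DEBUG: Running module: Quotas Plugin
[2013/08/27-01:01:10 - 17814] [CORE] INFO: module=Quotas, mode=update, host=192.0.2.20,
"""

HDR = re.compile(r"^\[(\S+) - (\d+)\] \[\w+\] \w+: (.*)$")   # timestamp, PID, message
FIELD = re.compile(r"^\s*'(\w+)' => '([^']*)',?\s*$")        # quoted Data::Dumper pair
SKIP = "Module 'Quotas Plugin' returned CBP_SKIP"

def unmetered_authenticated(log_text):
    """Return (time, pid, sasl_user, queue_id) for authenticated sessions the quota module skipped."""
    sessions, current, hits = {}, None, []
    for line in log_text.splitlines():
        h = HDR.match(line)
        if h:
            ts, pid, msg = h.groups()
            if msg.startswith("Request translated into session data"):
                current = sessions[pid] = {}      # a new dump replaces the PID's old session
                continue
            current = None                        # any other log line ends the dump
            user = sessions.get(pid, {}).get("SASLUsername")
            if msg == SKIP and user:
                hits.append((ts, pid, user, sessions[pid].get("QueueID")))
            continue
        f = FIELD.match(line)
        if f and current is not None:
            current.setdefault(f.group(1), f.group(2))   # first occurrence wins over nested keys
    return hits
```
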

Posted: Wed Aug 28, 2013 8:34 am
by bloom
bump...
anyone willing to help ?

Posted: Thu Aug 29, 2013 4:49 pm
by bloom
[quote user="inqueue"]Hello bloom,
Are you sure you want to enable cbpolicyd for your authenticated SMTP clients? cbpolicyd restrictions are not configured (Postfix master.cf) on the submission smtpd on 587.[/QUOTE]
Are you saying this is by design?

Yes, I am looking for a way to limit the number of emails that can be sent, in order to prevent mass mailing from a hijacked account. I had such a problem recently when a lot of spam emails were sent. I have not been able to remove the server's IP from some RBLs yet.
So, yes. I am desperately looking for a way to prevent spammers from using my ZCS installs.
Regards,

Piotr

Posted: Fri Aug 30, 2013 1:13 am
by phoenix
Why not implement a) strong passwords on your ZCS server and b) rate limiting for outbound mail?

Posted: Fri Aug 30, 2013 6:01 am
by bloom
[quote user="10330phoenix"]Why not implement a) strong passwords on your ZCS server and b) rate limiting for outbound mail?[/QUOTE]
a) even strong passwords may get stolen and misused
b) that is what I am trying to achieve. I have set the rate limit and it works OK, but only when sending emails from ZWC. Emails submitted to port 587 are not rate limited. Please take a look at my first post.
If there is something I need to show, configs, or quota and quota_limits tables - I am willing to. But I believe it is done correctly because it works (for ZWC).
Help still needed.

Regards

Piotr

Posted: Sat Aug 31, 2013 1:40 am
by phoenix
[quote user="bloom"]a) even strong passwords may get stolen and misused[/QUOTE]
Of course, but they're less likely to get hacked if they're also forced to change them regularly.
[quote user="bloom"]Please take a look at my first post.[/QUOTE]
Unfortunately I missed it on the second viewing when I posted my reply and I don't have any answer for why it's not processing port 587, sorry.

Posted: Tue Sep 03, 2013 3:35 pm
by quanah

Posted: Wed Sep 04, 2013 2:43 pm
by bloom
[quote user="inqueue"]Hello bloom,
Are you sure you want to enable cbpolicyd for your authenticated SMTP clients? cbpolicyd restrictions are not configured (Postfix master.cf) on the submission smtpd on 587.[/QUOTE]
@inqueue: Could you please give me some advice on how to make cbpolicyd restrictions also work for mail submitted to smtpd on port 587? Thanks.
Regards,

Piotr

Posted: Wed Sep 04, 2013 2:52 pm
by quanah
You could modify the /opt/zimbra/postfix/conf/master.cf.in file until bug#83922 is fixed.
Under the section that starts with "submission" where it has:



-o smtpd_recipient_restrictions=


Change it to


-o smtpd_recipient_restrictions=check_policy_service inet:localhost:10031


You can do the same thing under the section that starts with port 465.
Once you have modified master.cf.in, run postfix stop; postfix start as the zimbra user so that the master.cf file is rewritten.
This would hard code cbpolicyd checks for both ports.
--Quanah
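
An audit of the condition this change addresses, as an added example rather than Zimbra's or the poster's code: it reads master.cf-style text and reports, for each inet smtpd listener, whether a smtpd_recipient_restrictions override includes the cbpolicyd check. The sample file is constructed, the function names are hypothetical, and the parser accepts the space-separated value quoted above as well as a comma-separated one.

```python
import re

# Constructed sample in master.cf syntax (assumption; not Zimbra's real master.cf.in).
SAMPLE_MASTER_CF = """\
# service  type  private unpriv chroot wakeup maxproc command
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
    -o smtpd_recipient_restrictions=
465        inet  n  -  n  -  -  smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_recipient_restrictions=check_policy_service inet:localhost:10031
pickup     unix  n  -  n  60 1  pickup
"""

def logical_lines(text):
    """Drop comments/blank lines and join continuation lines (leading whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def overrides(args):
    """Map each '-o name=value' to its value; a value runs up to the next '-o'."""
    found = {}
    for chunk in re.split(r"(?:^|\s)-o\s+", args)[1:]:
        name, _, value = chunk.partition("=")
        found[name.strip()] = value.strip()
    return found

def audit(text, endpoint="inet:localhost:10031"):
    """Classify every inet smtpd listener by its smtpd_recipient_restrictions override."""
    report = {}
    for line in logical_lines(text):
        fields = (line.split(None, 8) + [""])[:9]   # 8 fixed columns plus the argument string
        if len(fields) < 9 or fields[1] != "inet" or fields[7] != "smtpd":
            continue
        value = overrides(fields[8]).get("smtpd_recipient_restrictions")
        if value is None:                            # no override: main.cf decides
            report[fields[0]] = "inherits main.cf"
            continue
        toks = re.split(r"[,\s]+", value)
        ok = ("check_policy_service", endpoint) in zip(toks, toks[1:])
        report[fields[0]] = "policy check present" if ok else "policy check MISSING"
    return report
```

Run `audit()` on the contents of /opt/zimbra/postfix/conf/master.cf.in, and on the generated master.cf after the restart, to confirm that both the submission and 465 listeners report the check.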