cbpolicy quota module - working via Zimbra web client, not working with smtp emails

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
bloom
Posts: 21
Joined: Sat Sep 13, 2014 3:01 am

cbpolicy quota module - working via Zimbra web client, not working with smtp emails

Post by bloom »

Hi,
I have gone thru Postfix Policyd - Zimbra :: Wiki and How-to for cbpolicyd - Zimbra :: Wiki .

I have setup quota policies and limits.
While someting must be wrong, it works OK when I send emails from Zimbra web client, but it does not work for emails sent from Thunderbird (with encrypted smtp to 587 port).
What may I be missing?
Some debugs are:


[2013/08/27-00:25:00 - 17814] [TRACKING] DEBUG: Request translated into session data: $VAR1 = {

'SASLUsername' => '',

'QueueID' => '0A114E3A40',

'RecipientData' => '/#0=1,6;',

'EncryptionCipher' => '',

'Instance' => '4c85.521bd5bb.de80e.0',

'Size' => '1',

'EncryptionKeySize' => '0',

'UnixTimestamp' => 1377555900,

'ProtocolTransport' => 'Postfix',

'EncryptionProtocol' => '',

'Helo' => 'OFFICE.xxx.xxx',

'ClientAddress' => '192.168.47.50',

'ClientName' => 'yyy.xxx.xxx',

'Sender' => 'piotr@xxx.xxx',

'SASLSender' => '',

'_ClientAddress' => bless( {

'raw_ip' => '192.168.47.50',

'ip' => '192.168.47.50',

'ip_version' => 4,

'cidr' => 32

}, 'awitpt::netip' ),

'ProtocolState' => 'END-OF-MESSAGE',

'_Recipient_To_Policy' => {

'pkam@XXX' => {

'0' => [

'1',

'6'

]

}

},

'Protocol' => 'ESMTP',

'ClientReverseName' => 'yyy.xxx.xxx',

'SASLMethod' => ''

};


This is followed by

[2013/08/27-00:24:59 - 17814] [CBPOLICYD] DEBUG: Running module: Quotas Plugin

[2013/08/27-00:25:00 - 17814] [CORE] INFO: module=Quotas, mode=update, host=192.168.47.50,

[cut]


And the bad one:


[2013/08/27-01:00:48 - 17815] [TRACKING] DEBUG: Request translated into session data: $VAR1 = {

'SASLUsername' => 'piotr@xxx.xxx',

'QueueID' => '2567EE3A42',

'RecipientData' => '',

'Instance' => '6ee1.521bde20.1a1cf.0',

'EncryptionCipher' => 'ECDHE-RSA-AES256-SHA',

'Size' => '1',

'EncryptionKeySize' => '256',

'UnixTimestamp' => 1377558048,

'ProtocolTransport' => 'Postfix',

'EncryptionProtocol' => 'TLSv1',

'Helo' => '[192.168.47.201]',

'ClientAddress' => '192.168.47.1',

'ClientName' => 'unknown',

'Sender' => 'piotr@xxx.xxx',

'SASLSender' => '',

'_ClientAddress' => bless( {

'raw_ip' => '192.168.47.1',

'ip' => '192.168.47.1',

'ip_version' => 4,

'cidr' => 32

}, 'awitpt::netip' ),

'ProtocolState' => 'END-OF-MESSAGE',

'Protocol' => 'ESMTP',

'ClientReverseName' => 'unknown',

'SASLMethod' => 'PLAIN'

};

This is followed by


[2013/08/27-01:00:48 - 17815] [CBPOLICYD] INFO: Got request #1

[2013/08/27-01:00:48 - 17815] [CBPOLICYD] DEBUG: Running module: Access Control Plugin

[2013/08/27-01:00:48 - 17815] [CBPOLICYD] DEBUG: Module 'Access Control Plugin' returned CBP_SKIP

[2013/08/27-01:00:48 - 17815] [CBPOLICYD] DEBUG: Running module: HELO/EHLO Check Plugin

[2013/08/27-01:00:48 - 17815] [CBPOLICYD] DEBUG: Module 'HELO/EHLO Check Plugin' returned CBP_SKIP

[2013/08/27-01:00:48 - 17815] [CBPOLICYD] DEBUG: Running module: SPF Check Plugin

[2013/08/27-01:00:48 - 17815] [CBPOLICYD] DEBUG: Module 'SPF Check Plugin' returned CBP_SKIP

[2013/08/27-01:00:48 - 17815] [CBPOLICYD] DEBUG: Running module: Greylisting Plugin

[2013/08/27-01:00:48 - 17815] [CBPOLICYD] DEBUG: Module 'Greylisting Plugin' returned CBP_SKIP

[2013/08/27-01:00:48 - 17815] [CBPOLICYD] DEBUG: Running module: Quotas Plugin

[2013/08/27-01:00:48 - 17815] [CBPOLICYD] DEBUG: Module 'Quotas Plugin' returned CBP_SKIP

[2013/08/27-01:00:48 - 17815] [CBPOLICYD] DEBUG: Running module: Accounting Plugin

[2013/08/27-01:00:48 - 17815] [CBPOLICYD] DEBUG: Module 'Accounting Plugin' returned CBP_SKIP

[2013/08/27-01:00:48 - 17815] [CBPOLICYD] DEBUG: Done with modules

[2013/08/27-01:00:48 - 28390] [CORE] DEBUG: Child Preforked (28390)

[2013/08/27-01:00:48 - 28390] [CBPOLICYD] DEBUG: Starting up caching engine

Please help! I have run out of ideas where to look for a mistake.

Regards

Piotr
bloom
Posts: 21
Joined: Sat Sep 13, 2014 3:01 am

cbpolicy quota module - working via Zimbra web client, not working with smtp emails

Post by bloom »

bump...
anyone willing to help ?
bloom
Posts: 21
Joined: Sat Sep 13, 2014 3:01 am

cbpolicy quota module - working via Zimbra web client, not working with smtp emails

Post by bloom »

[quote user="inqueue"]Hello bloom,
Are you sure you want to enable cbpolicyd for your authenticated SMTP clients? cbpolicyd restrictions are not configured (Postfix master.cf) on the submission smtpd on 587.[/QUOTE]
Are you saying this is by design?

Yes, I am looking how to limit number of emails possible to send in order to prevent mass mailing from hijacked account. I had such a problem recently when a lot of spam emails were sent. I have not been able to remove the the sever's IP from some RBLs yet.
So, yes. I am desperately looking for a way to prevent using my ZCS installs by spammers.
Regards,

Piotr
phoenix
Ambassador
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

cbpolicy quota module - working via Zimbra web client, not working with smtp emails

Post by phoenix »

Why not implement a) strong passwords on your ZCS server and b) rate limiting for outbound mail?
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
bloom
Posts: 21
Joined: Sat Sep 13, 2014 3:01 am

cbpolicy quota module - working via Zimbra web client, not working with smtp emails

Post by bloom »

[quote user="10330phoenix"]Why not implement a) strong passwords on your ZCS server and b) rate limiting for outbound mail?[/QUOTE]
a) even strong passwords may get stolen and misused
b) that is what I am trying to achieve. I have set the rate limit and it works OK, but only when sending emails from ZWC. Emails submitted to 587 port are not rate limited. Please take a look at my first post.
If there is something I need to show, configs, or quota and quota_limits tables - I am willing to. But I believe it is done correctly because it works (for ZWC).
Help still needed.

Regards

Piotr
phoenix
Ambassador
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

cbpolicy quota module - working via Zimbra web client, not working with smtp emails

Post by phoenix »

[quote user="bloom"]a) even strong passwords may get stolen and misused[/QUOTE]Of course but they're less likely to get hacked if they're also forced to change them regularly.
[quote user="bloom"]Please take a look at my first post.[/QUOTE]Unfortunately I missed it on the second viewing when I posted my reply and I don't have any answer for why it's not processing port 587, sorry.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
User avatar
quanah
Zimbra Alumni
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm
Contact:

cbpolicy quota module - working via Zimbra web client, not working with smtp emails

Post by quanah »

--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
bloom
Posts: 21
Joined: Sat Sep 13, 2014 3:01 am

cbpolicy quota module - working via Zimbra web client, not working with smtp emails

Post by bloom »

[quote user="inqueue"]Hello bloom,
Are you sure you want to enable cbpolicyd for your authenticated SMTP clients? cbpolicyd restrictions are not configured (Postfix master.cf) on the submission smtpd on 587.[/QUOTE]
@inqueue : Could you please give me some advice how to make cbpolicyd restrictions work also for mail submitted to smtpd on 587 port? Thanks.
Regards,

Piotr
User avatar
quanah
Zimbra Alumni
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm
Contact:

cbpolicy quota module - working via Zimbra web client, not working with smtp emails

Post by quanah »

You could modify the /opt/zimbra/postfix/conf/master.cf.in file until bug#83922 is fixed.
Under the section that starts with "submission" where it has:



-o smtpd_recipient_restrictions=


Change it to


-o smtpd_recipient_restrictions=check_policy_service inet:localhost:10031


You can do the same thing under the section that starts with port 465.
Once you have modified master.cf.in, run postfix stop; postfix start as the zimbra user so that the master.cf file is rewritten.
This would hard code cbpolicyd checks for both ports.
--Quanah
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
Post Reply