Zimbra 8.0.1 Policyd

niam
Posts: 3
Joined: Sat Sep 13, 2014 3:00 am


Post by niam »

Hello

I have Zimbra Release 8.0.1.GA.5438.UBUNTU12.64 UBUNTU12_64 FOSS edition

Everything is ok, but Policyd is not enabled in admin panel.

zimbra@mail:~$ zmcbpolicydctl status

policyd is running.
tcp 0 0 127.0.0.1:10031 0.0.0.0:* LISTEN 24620/perl



In admin panel Policy service is 127.0.0.0
/opt/zimbra/log/cbpolicyd.log

[2012/11/27-06:34:37 - 24620] [CORE] NOTICE: Process Backgrounded

[2012/11/27-06:34:37 - 24620] [CBPOLICYD] NOTICE: Policyd v2 / Cluebringer - v2.1.0a

[2012/11/27-06:34:37 - 24620] [CBPOLICYD] NOTICE: Initializing system modules.

[2012/11/27-06:34:37 - 24620] [CBPOLICYD] NOTICE: System modules initialized.

[2012/11/27-06:34:37 - 24620] [CBPOLICYD] NOTICE: Module load started...

[2012/11/27-06:34:37 - 24620] [CORE] NOTICE: => AccessControl: enabled

[2012/11/27-06:34:38 - 24620] [CORE] NOTICE: => CheckHelo: enabled

[2012/11/27-06:34:38 - 24620] [CORE] NOTICE: => CheckSPF: enabled

[2012/11/27-06:34:38 - 24620] [CORE] NOTICE: => Greylisting: enabled

[2012/11/27-06:34:38 - 24620] [CORE] NOTICE: => Quotas: enabled

[2012/11/27-06:34:38 - 24620] [CORE] NOTICE: => Protocol(Postfix): enabled

[2012/11/27-06:34:38 - 24620] [CORE] NOTICE: => Protocol(Bizanga): enabled

[2012/11/27-06:34:38 - 24620] [CBPOLICYD] NOTICE: Module load done.

[2012/11/27-06:34:38 - 24620] [CBPOLICYD] NOTICE: Session tracking is ENABLED.

[2012/11/27-06:34:38 - 24620] [CORE] NOTICE: 2012/11/27-06:34:38 cbp (type Net::Server::PreFork) starting! pid(24620)

[2012/11/27-06:34:38 - 24620] [CORE] NOTICE: Resolved [localhost]:10031 to [127.0.0.1]:10031, IPv4

[2012/11/27-06:34:38 - 24620] [CORE] NOTICE: Binding to TCP port 10031 on host 127.0.0.1 with IPv4

[2012/11/27-06:34:38 - 24620] [CORE] NOTICE: Setting gid to "1001 1001"

[2012/11/27-06:34:38 - 24620] [CORE] INFO: Setting up serialization via flock

[2012/11/27-06:34:38 - 24620] [CORE] INFO: Beginning prefork (4 processes)

[2012/11/27-06:34:38 - 24620] [CORE] INFO: Starting "4" children

[2012/11/27-06:34:38 - 24648] [CORE] DEBUG: Child Preforked (24648)

[2012/11/27-06:34:38 - 24648] [CBPOLICYD] DEBUG: Starting up caching engine

[2012/11/27-06:34:38 - 24649] [CORE] DEBUG: Child Preforked (24649)

[2012/11/27-06:34:38 - 24649] [CBPOLICYD] DEBUG: Starting up caching engine

[2012/11/27-06:34:38 - 24650] [CORE] DEBUG: Child Preforked (24650)

[2012/11/27-06:34:38 - 24620] [CORE] DEBUG: Parent ready for children.

[2012/11/27-06:34:38 - 24650] [CBPOLICYD] DEBUG: Starting up caching engine

[2012/11/27-06:34:38 - 24651] [CORE] DEBUG: Child Preforked (24651)

[2012/11/27-06:34:38 - 24651] [CBPOLICYD] DEBUG: Starting up caching engine


How to enable cbpolicyd?

How to config it? I didn't find WebUi for cbpolicyd
niam
Posts: 3
Joined: Sat Sep 13, 2014 3:00 am


Post by niam »

enable cbpolicyd

http://www.zimbra.com/forums/administra ... post236411

[HowTo] Enabling CBPolicyD in Zimbra 7.1.1
WebUi from home | Policyd Downloads

Policyd - Files - LinuxAssist Development Labs

from cluebringer-v2.1.x-201211111115.zip
quersystem
Posts: 1
Joined: Sat Sep 13, 2014 3:09 am


Post by quersystem »

Hi,
I wrote this guide for my own use. If someone else wants to test Policyd in Zimbra 8 this should help and save you some time. The questions at the bottom are open to anyone who has some experience with this service.


Zimbra official documentation at Postfix Policyd - Zimbra :: Wiki gives us a simple way for deploying Policyd for versions 7 and 8.
This zmprov command will run the necessary processes for enabling Policyd. If we take a look at official Policyd documentation at installing [PolicyD], we will see that the configuration needs the following steps:
1- Setup a database (SQLite or Mysql).

2- Install Policyd files in filesystem (executable, log directories and other files).

3- Enable web admin interface.

4- Configure Postfix for using Policyd.
Zimbra will do all those tasks automatically, except enabling the web interface. This is because there is no “official place” for hosting it in Zimbra services. The Zextras tutorial [HowTo] Enabling CBPolicyD in Zimbra 7.1.1 suggests running it inside the Zimbra Apache web server, whose main purpose is the spell service.
Let's take a look at what happens after enabling Policyd the “official” way. This is what happens after running


zmprov ms $(zmhostname) +zimbraServiceEnabled cbpolicyd



1- The following files appear automatically


[zimbra@host db]$ ls /opt/zimbra/data/cbpolicyd/db/

cbpolicyd.sqlitedb cbpolicyd.sqlitedb.sq3


2- The following configuration appears in main.cf


smtpd_recipient_restrictions = check_policy_service inet:localhost:10031

smtpd_end_of_data_restrictions = check_policy_service inet:localhost:10031


3- Policyd process starts
[root@host conf]# ps -A | grep policyd

6370 ? 00:00:00 cbpolicyd

11874 ? 00:00:00 cbpolicyd

15511 ? 00:00:00 cbpolicyd

21215 ? 00:00:00 cbpolicyd

22254 ? 00:00:00 cbpolicyd

22541 ? 00:00:00 cbpolicyd

30914 ? 00:00:00 cbpolicyd

30993 ? 00:00:00 cbpolicyd



Here comes the manual config. If we check current local config for Policyd this is the output:


[zimbra@host db]$ zmlocalconfig | grep policyd

cbpolicyd_bind_port = 10031

cbpolicyd_bypass_mode = tempfail

cbpolicyd_bypass_timeout = 30

cbpolicyd_cache_file = ${zimbra_home}/data/cache

cbpolicyd_db_file = ${zimbra_home}/data/cbpolicyd/db/cbpolicyd.sqlitedb

cbpolicyd_log_detail = modules

cbpolicyd_log_file = ${zimbra_log_directory}/cbpolicyd.log

cbpolicyd_log_level = 3

cbpolicyd_log_mail = main

cbpolicyd_module_accesscontrol = 0

cbpolicyd_module_checkhelo = 0

cbpolicyd_module_checkspf = 0

cbpolicyd_module_greylisting = 0

cbpolicyd_module_quotas = 1

cbpolicyd_pid_file = ${zimbra_log_directory}/cbpolicyd.pid

cbpolicyd_timeout = 120

postfix_enable_smtpd_policyd = no


Zextras tutorial suggests the following configuration:
1- Enabling the service, of course.



zmlocalconfig -e postfix_enable_smtpd_policyd=yes



2- Enabling different modules, setting loglevel and other details.



zmlocalconfig -e cbpolicyd_log_level=4; zmlocalconfig -e cbpolicyd_log_detail=modules,tracking,policies; zmlocalconfig -e cbpolicyd_module_accesscontrol=1 cbpolicyd_module_checkhelo=1 cbpolicyd_module_checkspf=1 cbpolicyd_module_greylisting=1 cbpolicyd_module_quotas=1



After these commands, local config should look like this:


[zimbra@host db]$ zmlocalconfig | grep policyd

cbpolicyd_bind_port = 10031

cbpolicyd_bypass_mode = tempfail

cbpolicyd_bypass_timeout = 30

cbpolicyd_cache_file = ${zimbra_home}/data/cache

cbpolicyd_db_file = ${zimbra_home}/data/cbpolicyd/db/cbpolicyd.sqlitedb

cbpolicyd_log_detail = modules,tracking,policies

cbpolicyd_log_file = ${zimbra_log_directory}/cbpolicyd.log

cbpolicyd_log_level = 4

cbpolicyd_log_mail = main

cbpolicyd_module_accesscontrol = 1

cbpolicyd_module_checkhelo = 1

cbpolicyd_module_checkspf = 1

cbpolicyd_module_greylisting = 1

cbpolicyd_module_quotas = 1

cbpolicyd_pid_file = ${zimbra_log_directory}/cbpolicyd.pid

cbpolicyd_timeout = 120

postfix_enable_smtpd_policyd = yes


For enabling new config we need to restart MTA.


zmmtactl restart


At this point, the service must be running. Now let's go for the web admin interface.
1- Grab the files which are missing in the Zimbra Policyd folder from Policyd - Files - LinuxAssist Development Labs. Download the file cluebringer-snapshot-2.1.x-201205100639.tar.gz.
2- Extract the files inside the webui directory. From here you can choose two ways of running the site.
Option 1: If you want to run the web admin using Zimbra apache spell instance, extract all the php and css files (just files, not folders, because they already exist) in /opt/zimbra/cbpolicyd/share/webui and create a symlink.



cd /opt/zimbra/httpd/htdocs/ && ln -s ../../cbpolicyd/share/webui



In this case, your web admin will be ready if you point your browser to

http://zimbrahost:7780/webui/index.php
This method won't survive a Zimbra update.
Option 2: If you want to run the site in another web server, just extract all the content from webui folder to the web directory of your server. Have in mind that if the server is not inside the Zimbra box, you will need access to the SQLite database files.
For both options, you will need to configure the web admin for connecting to the database. Edit webui/includes/config.php and comment this line:



$DB_DSN="mysql:host=localhost;dbname=cluebringer";



And add this line:



$DB_DSN="sqlite:/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb";



Further investigation:
1- Would it be a good idea to use the Zimbra MySQL server for hosting the Policyd database? Would that deployment be update-proof?
2- If the Zimbra machine doesn't have the Apache spell service, what would be a better choice: installing an http server (Apache, Nginx, Lighttpd...) or running the site from another server? In case of choosing another server, what would be the best way to access the SQLite files?
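
A read-only way to confirm the wiring described in the guide above, as an added example that is not part of the original post: it checks that both Postfix restriction lists reference the port set in cbpolicyd_bind_port and lists the enabled modules. The function names and the use of saved copies of the zmlocalconfig output and main.cf are assumptions; the sample values are constructed from the output quoted in the post.

```shell
#!/bin/sh
# Added example (not from the thread): read-only check that Postfix is wired
# to cbpolicyd as the guide's output shows. Function names are hypothetical;
# sample inputs are constructed from the values quoted in the post above.

# cfg_get KEY FILE: print the value of KEY from "key = value" text.
cfg_get() {
    awk -v k="$1" '{
        i = index($0, "="); if (!i) next
        key = substr($0, 1, i - 1); gsub(/[ \t]+/, "", key)
        if (key == k) { v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit }
    }' "$2"
}

# enabled_modules FILE: comma-separated cbpolicyd modules set to 1.
enabled_modules() {
    awk -F'[ \t]*=[ \t]*' '$1 ~ /^cbpolicyd_module_/ && $2 == 1 {
        m = $1; sub(/^cbpolicyd_module_/, "", m); printf "%s%s", sep, m; sep = ","
    } END { print "" }' "$1"
}

# audit_policyd LOCALCONFIG MAINCF: returns 0 only if both restriction
# lists point at the port cbpolicyd is configured to bind.
audit_policyd() {
    port=$(cfg_get cbpolicyd_bind_port "$1"); rc=0
    for p in smtpd_recipient_restrictions smtpd_end_of_data_restrictions; do
        val=$(cfg_get "$p" "$2")
        if printf '%s\n' "$val" | grep -Eq \
            "check_policy_service inet:(localhost|127\.0\.0\.1):$port([ ,]|\$)"; then
            echo "OK   $p -> port $port"
        elif printf '%s\n' "$val" | grep -q check_policy_service; then
            echo "WARN $p points at a different policy service: $val"; rc=1
        else
            echo "FAIL $p has no check_policy_service"; rc=1
        fi
    done
    echo "modules enabled: $(enabled_modules "$1")"
    return $rc
}

# Constructed sample input, then one run of the audit.
tmp=$(mktemp -d)
printf '%s\n' 'cbpolicyd_bind_port = 10031' 'cbpolicyd_module_checkspf = 0' \
    'cbpolicyd_module_quotas = 1' > "$tmp/localconfig"
printf '%s\n' \
    'smtpd_recipient_restrictions = check_policy_service inet:localhost:10031' \
    'smtpd_end_of_data_restrictions = check_policy_service inet:localhost:10031' \
    > "$tmp/main.cf"
audit_policyd "$tmp/localconfig" "$tmp/main.cf"
```

On a live server the two inputs would be the saved output of `zmlocalconfig | grep policyd` and a copy of the Postfix main.cf.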
quanah
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm

Post by quanah »

The best thing to do is to understand how to define policies via the command line, as documented in the wiki.
Postfix Policyd - Zimbra :: Wiki
--Quanah
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
essential_mix
Posts: 11
Joined: Sat Sep 13, 2014 3:07 am


Post by essential_mix »

[quote user="quanah"]The best thing to do is to understand how to define policies via the command line, as documented in the wiki.
Postfix Policyd - Zimbra :: Wiki
--Quanah[/QUOTE]
Should I do this:

zmlocalconfig -e postfix_enable_smtpd_policyd=yes
if i want to enable policyd? I am asking because this link Postfix Policyd - Zimbra :: Wiki does not contain
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Post by phoenix »

[quote user="essential_mix"]Should I do this:

zmlocalconfig -e postfix_enable_smtpd_policyd=yes[/QUOTE]
No, you should not do that.
[quote user="essential_mix"]if i want to enable policyd? I am asking because this link Postfix Policyd - Zimbra :: Wiki does not contain[/QUOTE]
The article gives you exact details on how to enable policyd in the paragraph titled "Enabling policyd".
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra