Intro
A few days ago I implemented a Zimbra email server for a client. The client asked that some users be prevented from sending or receiving email to/from the internet; only important users, such as the board of directors or division heads, may exchange mail with the internet. This can be done with CBPolicyD.
In Zimbra, CBPolicyD is easy to enable because it is shipped with the Zimbra package. But with the performance of the MTA in mind, I decided to leave the Zimbra MTA to only sending and receiving mail and to run the CBPolicyD policy server on the client's existing anti-spam/anti-virus gateway instead. They use Mailborder for anti-spam, so this post integrates policyd with it.
How to integrate it? Let’s check.
System Requirement
- Mailborder (in this case on Ubuntu 14.04)
- Internet Connection
Installing Dependencies
Policyd needs the following before it can be installed:
- MySQL, PostgreSQL or SQLite (Database)
- Net::Server >= 0.96
- Net::CIDR
- Config::IniFiles
- Cache::FastMmap
- Mail::SPF
For the database we already have MySQL, because Mailborder uses it as its database server by default, so it does not need to be installed again. Only the Perl modules are missing; install them from CPAN (on Ubuntu they are also available as the packages libnet-server-perl, libnet-cidr-perl, libconfig-inifiles-perl, libcache-fastmmap-perl and libmail-spf-perl):
cpan Net::Server
cpan Net::CIDR
cpan Config::IniFiles
cpan Cache::FastMmap
cpan Mail::SPF
Installation & Configuration
After the dependencies are installed, download the policyd tarball and put the files in place. Note: this guide uses policyd 2.0 (cluebringer 2.0.14).
cd /srv/
wget -c https://download.policyd.org/v2.0.14/cluebringer-v2.0.14.tar.gz
tar -zxvf cluebringer-v2.0.14.tar.gz
cd cluebringer-v2.0.14/
mkdir /usr/local/lib/policyd-2.0
cp -r cbp /usr/local/lib/policyd-2.0/
cp cbpadmin /usr/local/bin/
cp cbpolicyd /usr/local/sbin/
cp cluebringer.conf /etc/
Edit /etc/cluebringer.conf: remove the hash (#) in front of these lines and set them as follows. The MySQL credentials must be the ones that can reach the policyd database created in the next section; a dedicated MySQL user with rights only on that database is preferable to root.
pid_file=/var/run/cbpolicyd.pid
log_level=3
log_file=/var/log/cbpolicyd.log
log_mail=main
log_detail=info
port=10031
[database]
#DSN=DBI:SQLite:dbname=policyd.sqlite
DSN=DBI:mysql:database=policyd;host=localhost
Username=root
Password=secret
Then save the file.
Next, create the database schema for policyd. Enter the database folder inside the extracted cbpolicyd tree and convert the .tsql templates to MySQL syntax. convert-tsql reports that it cannot open accounting.tsql in this release, so that file is left out of the list rather than stripping its error message out of the generated SQL afterwards; the sed replaces the old TYPE= storage-engine keyword, which current MySQL versions no longer accept:
cd database
for i in core.tsql access_control.tsql quotas.tsql amavis.tsql checkhelo.tsql checkspf.tsql greylisting.tsql
do
./convert-tsql mysql $i
done > policyd.sql
sed -i "s/TYPE=/Engine=/g" policyd.sql
Then create the database and import the schema. Type the password at the prompt rather than passing it on the command line, where it ends up in the shell history and in the process list:
mysqladmin -u root -p create policyd
mysql -u root -p policyd < policyd.sql
Next, hook cbpolicyd into Postfix by adding check_policy_service inet:127.0.0.1:10031 to both smtpd_recipient_restrictions and smtpd_end_of_data_restrictions in main.cf.
For smtpd_recipient_restrictions you can do this the "Mailborder way" through the WebUI: go to Mailborder Servers | Edit Postfix and place the entry before permit_mynetworks. The position matters: anything listed in mynetworks (typically the Zimbra MTA relaying outbound mail) would otherwise be accepted by permit_mynetworks before cbpolicyd is ever consulted, and the per-user restriction would never apply.
... check_policy_service inet:127.0.0.1:10031, permit_mynetworks, reject_unauth_destination, ...
Then add the same entry to smtpd_end_of_data_restrictions. With the licensed edition this can also be done the "Mailborder way" in the WebUI; with the community edition it has to go into main.cf by hand. main.cf carries the immutable attribute so that the manual change is not wiped when the configuration is regenerated and Postfix reloaded, so clear it first, let postconf write the setting (unlike appending with echo, postconf -e replaces an existing value instead of adding a duplicate key), and set it again:
chattr -i /etc/postfix/main.cf
postconf -e "smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031"
chattr +i /etc/postfix/main.cf
Restart Postfix and start cbpolicyd:
service postfix restart
cbpolicyd
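To see what Postfix and cbpolicyd actually say to each other on port 10031, here is an added example (not code from this post, from Mailborder or from cbpolicyd) that implements the Postfix policy delegation protocol on both sides: a client that sends the same name=value request smtpd(8) sends at RCPT time, and a toy policy server standing in for cbpolicyd that enforces the rule from the intro, an allow-list of local users who may exchange mail with the internet. The domain example.com, the allow-list addresses, the helo name, the client address and the rejection text are assumptions, and the reject wording is not what cbpolicyd returns. The two ends talk over a socketpair, so it runs without a network or a running daemon.

```python
"""Minimal Postfix policy-delegation exchange (client + toy server).

Added example, not part of the original post and not cbpolicyd's code.
Wire format: the client sends name=value lines ended by an empty line;
the server answers action=... lines ended by an empty line.
"""
import socket
import threading

# --- assumptions, constructed for the example ---------------------------
INTERNAL_DOMAIN = "example.com"
INTERNET_ALLOWED = {"ceo@example.com", "head.it@example.com"}
REJECT_TEXT = "REJECT 5.7.1 Internet mail is not permitted for this mailbox"


def encode_request(attrs):
    """Serialise a policy request exactly as smtpd(8) writes it."""
    return "".join(f"{k}={v}\n" for k, v in attrs.items()) + "\n"


def parse_request(raw):
    """Parse name=value lines up to the first empty line (request or reply)."""
    attrs = {}
    for line in raw.split("\n"):
        if not line:
            break
        name, _, value = line.partition("=")   # values may contain '='
        attrs[name] = value
    return attrs


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def decide(attrs):
    """Toy policy: return the action for Postfix, DUNNO to fall through."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    sender = attrs.get("sender", "").lower()
    recipient = attrs.get("recipient", "").lower()
    # An empty envelope sender is a bounce; treat its origin as the internet.
    sender_internal = sender != "" and domain_of(sender) == INTERNAL_DOMAIN
    recipient_internal = domain_of(recipient) == INTERNAL_DOMAIN
    if sender_internal and not recipient_internal:        # outbound
        return "DUNNO" if sender in INTERNET_ALLOWED else REJECT_TEXT
    if recipient_internal and not sender_internal:        # inbound
        return "DUNNO" if recipient in INTERNET_ALLOWED else REJECT_TEXT
    return "DUNNO"                                        # internal or relay


def _read_until_blank_line(conn):
    buf = b""
    while b"\n\n" not in buf:
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode("utf-8", "replace")


def serve_one(conn):
    """Answer a single request on a connected socket, like a policy server."""
    raw = _read_until_blank_line(conn)
    if raw:
        action = decide(parse_request(raw))
        conn.sendall(f"action={action}\n\n".encode())


def query(conn, attrs):
    """Send one request the way smtpd(8) does and return the action string."""
    conn.sendall(encode_request(attrs).encode())
    return parse_request(_read_until_blank_line(conn)).get("action", "")


def exchange(sender, recipient, client_address="10.0.0.5"):
    """Run client and toy server over a socketpair (no network needed)."""
    attrs = {                       # a subset of what Postfix really sends
        "request": "smtpd_access_policy",
        "protocol_state": "RCPT",
        "protocol_name": "ESMTP",
        "helo_name": "mail.example.com",
        "client_address": client_address,
        "sender": sender,
        "recipient": recipient,
    }
    server_end, client_end = socket.socketpair()
    worker = threading.Thread(target=serve_one, args=(server_end,))
    worker.start()
    try:
        return query(client_end, attrs)
    finally:
        client_end.close()
        worker.join()
        server_end.close()


if __name__ == "__main__":
    for s, r in [("staff@example.com", "someone@gmail.com"),
                 ("ceo@example.com", "someone@gmail.com"),
                 ("someone@gmail.com", "staff@example.com"),
                 ("", "ceo@example.com"),
                 ("staff@example.com", "ceo@example.com")]:
        print(f"{s or '<>'} -> {r}: {exchange(s, r)}")
```

Against the live installation the same request can be typed by hand into nc 127.0.0.1 10031, finishing with an empty line; the daemon replies with action=... and an empty line, which is exactly what Postfix acts on, so this is a quick way to confirm the policy before putting the check_policy_service entry into main.cf.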
WebUI Configuration
At this point policyd is integrated with Mailborder. To create rules or policies, though, the policyd WebUI has to be set up as well:
Copy the webui folder from the extracted policyd tree into /var/www/html/:
cp -r /srv/cluebringer-v2.0.14/webui /var/www/html/
Then edit config.php in the WebUI's includes directory to match your database configuration (the same credentials as in cluebringer.conf):
vi /var/www/html/webui/includes/config.php
$DB_DSN="mysql:host=localhost;dbname=policyd";
$DB_USER="root";
$DB_PASS="rahasia";
Restart apache2 service : service apache2 restart
The policyd WebUI is now reachable at http://ipaddress/webui. Nothing protects it yet; that is handled in the last section.
Automatic Start on Boot
If you use Ubuntu 14.04 server, insert the cbpolicyd command into /etc/rc.local before the exit 0 line, like this:
vi /etc/rc.local
#!/bin/sh
mkdir -p /var/lock/subsys
cbpolicyd
exit 0
How to Protect Policyd WebUI
After the steps above we can create policies in the policyd WebUI. As it stands, however, anyone who knows the directory name can open the WebUI, so protect it with HTTP authentication via .htaccess:
Install apache2-utils for htpasswd :
apt-get install apache2-utils
Create .htaccess in /var/www/html/webui/ with the following configuration. Do not wrap the Require inside <Limit GET> as is often done: <Limit> applies the enclosed directives only to the listed methods (GET, which also covers HEAD), so a POST request would reach the WebUI without authenticating. A bare Require applies to every method. The password file is kept outside the document root so that Apache can never serve it:
vi /var/www/html/webui/.htaccess
AuthUserFile /etc/apache2/webui.htpasswd
AuthName "Please Insert Username and Password"
AuthType Basic
Require valid-user
Save the file and create a user for authentication with htpasswd (-c creates the file; the password is typed at a prompt, which keeps it out of the shell history):
htpasswd -c /etc/apache2/webui.htpasswd USERNAME
Replace USERNAME with the account name you want.
Finally, let the .htaccess take effect by adding this block to apache2.conf, then restart Apache as before. Ubuntu 14.04 ships Apache 2.4, so use the 2.4 access syntax (Require all granted) instead of the 2.2-style Order/Allow directives; the Require valid-user in .htaccess then overrides it for the webui directory. Basic authentication sends the password in clear text, so serve the WebUI over HTTPS or restrict it to the management network.
vi /etc/apache2/apache2.conf
<Directory /var/www/html/webui/>
AllowOverride AuthConfig
Require all granted
</Directory>
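Because the difference between <Limit GET> and a bare Require is easy to miss, here is an added example (not from this post) that reads an .htaccess and lists the HTTP methods for which no Require applies, following Apache's documented <Limit>/<LimitExcept> semantics (GET also covers HEAD). The two embedded files are constructed: the first is the commonly copied <LIMIT GET> block, the second the corrected form used above. The password-file path is an assumption.

```python
"""Which HTTP methods does an .htaccess actually authenticate?

Added example, not part of the original post. Apache applies directives
inside <Limit M ...> only to the listed methods (GET also covers HEAD),
directives inside <LimitExcept M ...> to every method except those, and
a Require placed directly in the file to all methods.
"""
import re

# Methods named in Apache's <Limit> documentation; a client may send any.
METHODS = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH",
           "CONNECT", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
           "LOCK", "UNLOCK"]

OPEN_RE = re.compile(r"<(Limit|LimitExcept)\s+([^>]+)>", re.IGNORECASE)
CLOSE_RE = re.compile(r"</(Limit|LimitExcept)>", re.IGNORECASE)


def _expand(names):
    """Upper-case the listed methods; GET implies HEAD in Apache."""
    methods = {m.upper() for m in names}
    if "GET" in methods:
        methods.add("HEAD")
    return methods


def authenticated_methods(htaccess):
    """Return the set of methods to which some Require directive applies."""
    covered = set()
    scope = None                      # None = all methods, else a set
    for line in htaccess.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = OPEN_RE.fullmatch(line)
        if m:
            listed = _expand(m.group(2).split())
            if m.group(1).lower() == "limit":
                scope = listed
            else:                     # LimitExcept
                scope = set(METHODS) - listed
            continue
        if CLOSE_RE.fullmatch(line):
            scope = None
            continue
        if line.lower().startswith("require "):
            covered |= set(METHODS) if scope is None else scope
    return covered


def unauthenticated_methods(htaccess):
    """Methods a client can use against the directory without credentials."""
    return sorted(set(METHODS) - authenticated_methods(htaccess))


# Constructed samples (assumed path for the password file).
WEAK = """AuthUserFile /etc/apache2/webui.htpasswd
AuthName "Please Insert Username and Password"
AuthType Basic
<LIMIT GET>
require valid-user
</LIMIT>
"""
FIXED = """AuthUserFile /etc/apache2/webui.htpasswd
AuthName "Please Insert Username and Password"
AuthType Basic
Require valid-user
"""

if __name__ == "__main__":
    print("weak  :", unauthenticated_methods(WEAK))
    print("fixed :", unauthenticated_methods(FIXED))
```

The same check can be confirmed against the running server: a POST to the webui URL with no credentials must come back 401 just like a GET; with the <LIMIT GET> variant it does not.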
Okay, Now policyd ready to serve you 🙂