Intro

A few days ago I implemented a Zimbra email server for a client. The client asked that some users be prevented from sending or receiving email to/from the internet, so that only key users, such as the BOD or Heads of Division, can exchange email with the internet. This can be done with CBPolicyD.

In Zimbra, CBPolicyD is easy to integrate because it is included in the Zimbra package. Out of consideration for the MTA's performance, however, I decided to let the Zimbra MTA do nothing but send and receive email, and to run the policy server (CBPolicyD) on their anti-spam/anti-virus gateway instead. They use Mailborder for anti-spam, so I integrated policyd with it.

How to integrate it? Let’s check.

System Requirement

  • Mailborder (I use Ubuntu 14.04)
  • Internet Connection

Installing Dependencies

Below are the dependencies that must be installed before policyd.

  • MySQL, PostgreSQL or SQLite (Database)
  • Net::Server >= 0.96
  • Net::CIDR
  • Config::IniFiles
  • Cache::FastMmap
  • Mail::SPF

For the database we already have MySQL, because Mailborder uses it as its database server by default, so there is nothing to install there. We only have to install the Perl modules:

cpan Net::Server
cpan Net::CIDR
cpan Config::IniFiles
cpan Cache::FastMmap
cpan Mail::SPF

Installation & Configuration

After installing the dependencies, download the policyd tarball and configure policyd. Note: I use policyd 2.0 (cluebringer 2.0.14).

cd /srv/
wget -c https://download.policyd.org/v2.0.14/cluebringer-v2.0.14.tar.gz
tar -zxvf cluebringer-v2.0.14.tar.gz
cd cluebringer-v2.0.14/
mkdir /usr/local/lib/policyd-2.0
cp -r cbp /usr/local/lib/policyd-2.0/
cp cbpadmin /usr/local/bin/
cp cbpolicyd /usr/local/sbin/
cp cluebringer.conf /etc/

Configure cluebringer.conf: remove the hash (#) symbol from these lines and customise them like this:

pid_file=/var/run/cbpolicyd.pid
log_level=3
log_file=/var/log/cbpolicyd.log
log_mail=main
log_detail=info
port=10031

[database]
#DSN=DBI:SQLite:dbname=policyd.sqlite
DSN=DBI:mysql:database=policyd;host=localhost
Username=root
Password=secret

Then save the file.

Next, we have to create the database schema for policyd. Enter the database folder inside the extracted cbpolicyd directory and run these commands to generate the SQL:

cd database
for i in core.tsql access_control.tsql quotas.tsql amavis.tsql checkhelo.tsql checkspf.tsql greylisting.tsql accounting.tsql
do
./convert-tsql mysql $i
done > policyd.sql

sed -i "s/TYPE=/Engine=/g" policyd.sql 
sed -i "s/ERROR: Cannot open file 'accounting.tsql'//g" policyd.sql

Then create the database and import the schema:

mysqladmin -u root -prahasia create policyd
mysql -u root -p policyd < policyd.sql

Next, integrate cbpolicyd with Postfix: add check_policy_service inet:127.0.0.1:10031 to both smtpd_recipient_restrictions and smtpd_end_of_data_restrictions in main.cf.

To add it to smtpd_recipient_restrictions you can use the "Mailborder way" via the WebUI. Go to the WebUI, Mailborder Servers | Edit Postfix, and add the check_policy_service entry to smtpd_recipient_restrictions before permit_mynetworks:

...
check_policy_service inet:127.0.0.1:10031,
permit_mynetworks,
reject_unauth_destination,
...

Then add the same entry to smtpd_end_of_data_restrictions. If you use the Licensed Edition you can add it the "Mailborder way" via the WebUI, but with the Community Edition you have to insert it into main.cf manually. Mailborder sets the immutable attribute on main.cf, so first clear that attribute, append the line, and set the attribute again so the change does not disappear when Postfix is reloaded:

chattr -i /etc/postfix/main.cf
echo "smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031" >> /etc/postfix/main.cf
chattr +i /etc/postfix/main.cf

Restart Postfix and start cbpolicyd with the following commands:

service postfix restart
cbpolicyd
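Before reloading Postfix with check_policy_service, it is worth confirming that cbpolicyd actually answers on 127.0.0.1:10031. The script below is an added example (not part of the original post or of the policyd project): a minimal client for the Postfix SMTPD policy delegation protocol, in which the client sends "name=value" lines ended by an empty line and the server replies with "action=..." lines ended by an empty line. The host and port come from the cluebringer.conf above; the sample attribute values (sender, recipient, client address, helo name) are constructed for illustration.

```python
"""Added example: query a Postfix policy server (such as cbpolicyd) directly.

Protocol: request attributes as 'name=value' lines terminated by a blank line;
reply as 'name=value' lines (normally a single 'action=...') terminated by a
blank line.  Host and port follow the cluebringer.conf in this post; the
sample request values are constructed, not real traffic.
"""
import socket

POLICY_HOST = "127.0.0.1"   # cbpolicyd listens locally (port=10031 in cluebringer.conf)
POLICY_PORT = 10031


def build_request(attrs):
    """Encode a policy request: one 'name=value' line per attribute, then a blank line."""
    lines = ["%s=%s" % (name, value) for name, value in attrs.items()]
    return ("\n".join(lines) + "\n\n").encode("ascii")


def parse_response(raw):
    """Decode a reply (bytes up to and including the blank line) into a dict."""
    result = {}
    for line in raw.decode("ascii", "replace").split("\n"):
        if not line:          # blank line ends the reply
            break
        name, _, value = line.partition("=")
        result[name] = value
    return result


def sample_request(sender, recipient, client_address="192.0.2.10"):
    """Attribute set Postfix sends at the RCPT stage (constructed sample values)."""
    return {
        "request": "smtpd_access_policy",
        "protocol_state": "RCPT",
        "protocol_name": "ESMTP",
        "client_address": client_address,
        "client_name": "mail.example.invalid",
        "helo_name": "mail.example.invalid",
        "sender": sender,
        "recipient": recipient,
        "instance": "constructed.1",
    }


def query_policy(attrs, host=POLICY_HOST, port=POLICY_PORT, timeout=5.0):
    """Send one request and return the parsed reply, e.g. {'action': 'DUNNO'}."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(attrs))
        buf = b""
        while b"\n\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:     # server closed without a complete reply
                break
            buf += chunk
    return parse_response(buf)


if __name__ == "__main__":
    # Run on the Mailborder host after starting cbpolicyd; a fresh install with
    # no policies normally answers DUNNO (no decision, continue with other checks).
    reply = query_policy(sample_request("user@example.invalid", "bod@example.invalid"))
    print("policy server replied:", reply.get("action", "<no action>"))
```

A reply of DUNNO means the daemon is reachable and is leaving the decision to the rest of your Postfix restrictions; a connection error at this point means the port or DSN in cluebringer.conf is wrong, and you should fix that before touching main.cf, otherwise Postfix will defer mail while the policy service is unreachable.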

WebUI Configuration

At this point policyd is integrated with Mailborder. To create rules or policies, though, we also need the policyd WebUI. Follow these steps:

Copy the webui folder from the policyd source into /var/www/html/:

cp -r /srv/cluebringer-v2.0.14/webui /var/www/html/

Then edit config.php in the webui folder to match your database configuration:

vi /var/www/html/webui/includes/config.php

$DB_DSN="mysql:host=localhost;dbname=policyd";
$DB_USER="root";
$DB_PASS="rahasia";

Restart the apache2 service: service apache2 restart

You can then open the policyd WebUI at this URL: http://ipaddress/webui

Automatic Start on Boot

If you use Ubuntu 14.04 server, insert the cbpolicyd command into /etc/rc.local before exit 0, like this:

vi /etc/rc.local

#!/bin/sh
mkdir -p /var/lock/subsys
cbpolicyd
exit 0

How to Protect Policyd WebUI

After the steps above we can create policies in the policyd WebUI. But the WebUI can be opened by anyone who knows the webui directory, so we protect it with htaccess. Follow these steps:

Install apache2-utils for htpasswd :

apt-get install apache2-utils

Create .htaccess in /var/www/html/webui/ and add the following configuration.

vi /var/www/html/webui/.htaccess

AuthUserFile /var/www/html/webui/.htpasswd
AuthName "Please Insert Username and Password"
AuthType Basic

# Do not wrap this in <Limit GET>: a Require inside <Limit GET> only covers
# GET and HEAD, so POST requests (form submissions) would bypass the login.
Require valid-user

Save the configuration and create a user for authentication with htpasswd:

touch /var/www/html/webui/.htpasswd
htpasswd -cb /var/www/html/webui/.htpasswd USERNAME PASSWORD

Don't forget to change USERNAME and PASSWORD to your own values. If you omit -b, htpasswd prompts for the password instead of taking it on the command line, which keeps it out of the shell history and process list.

Last, insert the following configuration into apache2.conf so that the .htaccess file is honoured:

vi /etc/apache2/apache2.conf

<Directory /var/www/html/webui/>
AllowOverride AuthConfig
Order Deny,Allow
Allow from all
</Directory>
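The strength of this protection depends on the hashes stored in .htpasswd, and htpasswd can write several formats depending on its options (apr1 MD5 by default on older Apache builds, bcrypt with -B on Apache 2.4, unsalted SHA-1 with -s, and 13-character traditional crypt with -d, which silently ignores everything after the eighth password character). The script below is an added example (not part of the original post or of Apache) that audits an htpasswd file and flags the weak formats; the file path and the sample entries are constructed for illustration.

```python
"""Added example: audit the hash formats in an Apache htpasswd file.

Recognised formats (as written by Apache's htpasswd tool):
  $apr1$  MD5-based, iterated and salted (default on Apache 2.2-era builds)
  $2y$    bcrypt (htpasswd -B on Apache 2.4)
  {SHA}   unsalted base64 SHA-1 (htpasswd -s)
  13 chars  traditional crypt() (htpasswd -d), 8-character password limit
The sample file content and path below are constructed, not real credentials.
"""

HTPASSWD_PATH = "/var/www/html/webui/.htpasswd"   # path used in this post

# Constructed sample: one entry per format plus nothing else.
SAMPLE_HTPASSWD = """\
admin:$apr1$EXAMPLE0$constructedsaltedmd5hash000
ops:$2y$05$constructedbcryptsaltandhashvaluexxxxxxxxxxxxxxxxxxxxxxxxx
legacy:abCDefGHijKLm
audit:{SHA}Y29uc3RydWN0ZWRzaGExdmFsdWU=
"""

# Formats that should not protect an admin interface, with the reason.
WEAK_FORMATS = {
    "crypt": "traditional crypt(): 8-character password limit, tiny salt",
    "sha1": "unsalted SHA-1: identical passwords give identical hashes, fast to brute-force",
}


def classify_hash(field):
    """Name the hash format of one htpasswd password field."""
    if field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if field.startswith("$apr1$"):
        return "apr1-md5"
    if field.startswith("{SHA}"):
        return "sha1"
    if len(field) == 13 and not field.startswith(("$", "{")):
        return "crypt"
    return "unknown"


def audit_htpasswd(text):
    """Return one finding per entry: user, format, whether it is weak, and a note."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hashed = line.partition(":")
        if not sep or not user:
            findings.append({"line": lineno, "user": user, "kind": "malformed",
                             "weak": True, "note": "expected 'user:hash'"})
            continue
        kind = classify_hash(hashed)
        note = WEAK_FORMATS.get(kind, "")
        if kind == "apr1-md5":
            note = "acceptable; prefer bcrypt (htpasswd -B) where available"
        elif kind == "unknown":
            note = "unrecognised format, check by hand"
        findings.append({"line": lineno, "user": user, "kind": kind,
                         "weak": kind in WEAK_FORMATS or kind == "unknown",
                         "note": note})
    return findings


def audit_file(path=HTPASSWD_PATH):
    """Audit a real htpasswd file on disk."""
    with open(path, "r", encoding="utf-8") as fh:
        return audit_htpasswd(fh.read())


if __name__ == "__main__":
    # Replace SAMPLE_HTPASSWD with audit_file() to check the live file.
    for f in audit_htpasswd(SAMPLE_HTPASSWD):
        flag = "WEAK " if f["weak"] else "ok   "
        print("%s line %d user=%s format=%s %s" % (flag, f["line"], f["user"], f["kind"], f["note"]))
```

Run it with audit_file() on the Mailborder host after creating the users; any entry reported as crypt or sha1 should be regenerated, and since the WebUI talks to the policyd database with the credentials in config.php, the htpasswd login is the only thing standing between the network and your mail policy rules.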

Okay, now policyd is ready to serve you 🙂

Dhenandi Putra

Hi, I'm dhenandi, Mac and openSUSE user. An office boy, typist, and man behind this blog. I also write on another blog https://dhenandi.web.id/ in Bahasa Indonesia.
