A few days ago, I implemented a Zimbra email server for a client. The client asked that some users be restricted so they cannot send email to, or receive email from, the internet. In this case, only important users, such as the BOD or division heads, can send and receive email to and from the internet. This can be done using CBPolicyD.

Integrating CBPolicyD with a Zimbra email server is easy, because it is included in the Zimbra package. But, considering MTA performance, I decided to let the Zimbra MTA handle only sending and receiving email, and to use the client's anti-spam/anti-virus server as the MTA policy server running CBPolicyD. They use Mailborder for anti-spam, so I integrated it with policyd.

How to integrate it? Let’s check.

System Requirements

  • Mailborder (I use Ubuntu 14.04)
  • Internet Connection

Installing Dependencies

Below are the dependencies to install before installing policyd.

  • MySQL, PostgreSQL or SQLite (Database)
  • Net::Server >= 0.96
  • Net::CIDR
  • Config::IniFiles
  • Cache::FastMmap
  • Mail::SPF

For the database we already have MySQL, because Mailborder uses it as its database server by default, so we don't have to install it again. We only have to install the Perl modules.

cpan Net::Server
cpan Net::CIDR
cpan Config::IniFiles
cpan Cache::FastMmap
cpan Mail::SPF

Installation & Configuration

After installing the dependencies, download the policyd package and configure policyd. Note : I use policyd 2.0.

cd /srv/
wget -c
tar -zxvf cluebringer-v2.0.14.tar.gz
cd cluebringer-v2.0.14/
mkdir /usr/local/lib/policyd-2.0
cp -r cbp /usr/local/lib/policyd-2.0/
cp cbpadmin /usr/local/bin/
cp cbpolicyd /usr/local/sbin/
cp cluebringer.conf /etc/

Configure cluebringer.conf: remove the hash (#) symbol in these lines and customize them like this :



And then, save it.

Next, we have to configure the database for policyd. Enter the database folder inside the cbpolicyd source folder and execute these commands to create the database schema :

cd database
for i in core.tsql access_control.tsql quotas.tsql amavis.tsql checkhelo.tsql checkspf.tsql greylisting.tsql accounting.tsql; do
    ./convert-tsql mysql "$i"
done > policyd.sql

sed -i "s/TYPE=/Engine=/g" policyd.sql
sed -i "s/ERROR: Cannot open file 'accounting.tsql'//g" policyd.sql

Then, import the database schema :

mysqladmin -u root -p create policyd
mysql -u root -p policyd < policyd.sql

Next, integrate cbpolicyd with Postfix: add check_policy_service inet: to smtpd_recipient_restrictions and smtpd_end_of_data_restrictions into

To add this entry to smtpd_recipient_restrictions, you can do it the “Mailborder way” via the WebUI. Go to the WebUI, Mailborder Servers | Edit Postfix, and add this entry in smtpd_recipient_restrictions before permit_mynetworks :

check_policy_service inet:,

Then add the same entry to smtpd_end_of_data_restrictions. If you are using the licensed edition, you can add it the “Mailborder way” via the WebUI. But if you use Mailborder community edition, you have to insert it manually. First, you have to change the file attribute so that the setting will not disappear after Postfix is reloaded :

chattr -i /etc/postfix/
echo "smtpd_end_of_data_restrictions = check_policy_service inet:" >> /etc/postfix/
chattr +i /etc/postfix/

Restart postfix and start cbpolicyd with the following command :

service postfix restart
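
What Postfix and a policy server exchange once check_policy_service is in place, as an added example (Python, not cbpolicyd's own code and not from the original post): Postfix sends name=value attributes ended by an empty line and acts on the action= reply. Restrictions are evaluated in order, which is why the entry goes before permit_mynetworks. The domain, addresses and allow list are constructed, and the rule is a simplified stand-in for the policy this post sets up in the WebUI.

```python
# Added example, not cbpolicyd code: a model of the Postfix policy delegation
# exchange behind check_policy_service. All addresses below are constructed.
LOCAL_DOMAINS = {"example.com"}
ALLOWED_EXTERNAL = {"bod@example.com", "head.it@example.com"}

SAMPLE_REQUEST = (          # what Postfix sends at RCPT TO (constructed)
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "sender=staff@example.com\n"
    "recipient=someone@example.org\n"
    "client_address=192.0.2.10\n"
    "\n"
)


def parse_request(raw):
    """Parse name=value lines; an empty line ends the request."""
    attrs = {}
    for line in raw.split("\n"):
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def is_local(address):
    """True when the address belongs to one of our own mail domains."""
    return address.rpartition("@")[2].lower() in LOCAL_DOMAINS


def decide(attrs):
    """Return the action a policy server would give for one recipient."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    sender = attrs.get("sender", "").lower()
    recipient = attrs.get("recipient", "").lower()
    if is_local(sender) and is_local(recipient):
        return "DUNNO"  # internal mail: no opinion, later restrictions apply
    # Mail crossing the internet boundary: the local party must be allowed.
    local_party = sender if is_local(sender) else recipient
    if local_party in ALLOWED_EXTERNAL:
        return "DUNNO"
    return "REJECT Internet mail is not permitted for this account"


def respond(raw):
    """One full exchange: request text in, reply text out."""
    return "action=" + decide(parse_request(raw)) + "\n\n"
```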

WebUI Configuration

At this point policyd has been integrated with Mailborder. But to create rules or policies we have to set up the WebUI for policyd. Follow these steps :

Copy the webui folder from the policyd source into “/var/www/html/” :

cp -r /srv/cluebringer-v2.0.14/webui /var/www/html/

Then edit config.php in the webui folder according to your database configuration :

vi /var/www/html/webui/includes/config.php


Restart apache2 service : service apache2 restart

You can open policyd webui on this URL : http://ipaddress/webui

Automatic Start on Boot

If you use Ubuntu 14.04 server, insert the cbpolicyd command into /etc/rc.local before exit 0, like this :

vi /etc/rc.local

mkdir -p /var/lock/subsys
exit 0

How to Protect Policyd WebUI

At this point we can create policies with the policyd WebUI. But the WebUI can be accessed by any other user who knows the webui directory, so we protect it using htaccess. Follow these steps :

Install apache2-utils for htpasswd :

apt-get install apache2-utils

Create .htaccess in /var/www/html/webui/ and add the following configuration.

vi /var/www/html/webui/.htaccess

AuthUserFile /var/www/html/webui/.htpasswd
AuthName "Please Insert Username and Password"
AuthType Basic

require valid-user

Save the configuration and create a user for authentication with htpasswd :

touch /var/www/html/webui/.htpasswd
htpasswd -cb /var/www/html/webui/.htpasswd USERNAME PASSWORD

Don’t forget to change USERNAME and PASSWORD to your own values.

Last, insert the following configuration in apache2.conf :

vi /etc/apache2/apache2.conf

<Directory /var/www/html/webui/>
AllowOverride AuthConfig
Order Deny,Allow
Allow from all
</Directory>

Okay, now policyd is ready to serve you 🙂


Dhenandi Putra

Hi, I'm dhenandi, Mac and openSUSE user. An office boy, typist, and man behind this blog. I also write on another blog in Bahasa Indonesia.

