2/3 – Zimbra Open Core Series – Rate Limiting Email with PolicyD

Hello Zimbra Friends,

This blog is educational only. It is a customization to your Zimbra environment and is not supported by Zimbra Support. Please run thoroughly in your test environment before using it in production.

We are happy to bring you part 2 of a 3-part series on Zimbra’s open-source components, a series brought to you by Barry de Graaff, Channel Evangelist at Synacor. The series covers:
  1. Amavis Policy Banks to set up an email address for a VIP
  2. cbpolicyd to set up rate limiting on outgoing email to enforce a mass mailing guideline
  3. Milter filters to extend postfix

Rate Limiting Email Using PolicyD

PolicyD is a built-in, open-source tool in Zimbra that allows you to implement spam combating and email compliance features. In this post, I will show you how to set up outgoing email rate limiting, which can help you keep your email server and domains in good standing with public blacklists.

This example is one of many things you can do (and probably not the only thing you should do) to avoid being blacklisted.

Real world example: SMB wants to implement mailing policy

Recently a Zimbra SMB customer asked if it was possible to prevent users in their company from sending out mass emails from the company’s Zimbra mailserver. They want to implement a policy to use an external service like Mailchimp to send out these emails from a different email domain to keep their Zimbra server in good standing (a business critical concern).

PolicyD can help. It can be set up with policies that define the maximum number of email recipients a user can send to in a specific period of time.

This example introduces and educates you in the ways of PolicyD. It is in no way meant to be a drop-in production ready solution. Please use it responsibly and run in a test environment.

The script below has been tested on a CentOS 7 single server Zimbra 8.8.15 installation.

  1. Download the install script on your test environment.

wget https://raw.githubusercontent.com/Zimbra-Community/zimbra-tools/master/cbpolicyd.sh -O /tmp/cbpolicyd.sh
chmod +rx /tmp/cbpolicyd.sh

Read the contents of cbpolicyd.sh to understand how the setup works. Please note that you probably want to modify it to install on a MariaDB server outside of your Zimbra server, as that way your data is preserved on Zimbra upgrades.

2. When you are ready, run the installer:

/tmp/cbpolicyd.sh

After running the default setup, the following policy is installed:

* Rate limit any sender from sending more than 100 emails every 60 seconds. Messages beyond this limit are deferred.
* Rate limit anyone from receiving more than 125 emails in a 60 second period. Messages beyond this rate are rejected.

3. Enable and start the cbpolicyd service on Zimbra:

su zimbra
zmprov ms $(zmhostname) +zimbraServiceEnabled cbpolicyd
zmprov ms $(zmhostname) zimbraCBPolicydQuotasEnabled TRUE
zmmtactl restart && zmcbpolicydctl start

4. To test the configuration, temporarily change the outgoing email rate to a lower number, so you can observe if the email is rejected.

/opt/zimbra/bin/mysql policyd_db
SELECT * FROM quotas_limits;
UPDATE quotas_limits SET CounterLimit = 1 WHERE QuotasID = 3;

If you have no experience in relational databases, the above may be a bit confusing. To find the correct `QuotasID`, do a `SELECT * from quotas;` and take a look at the `ID` from the `Sender:user@domain` record. Now try and send 2 emails to yourself in one minute to ensure that the second is rejected.

Bonus Tip

When accounts are compromised, the above policies will not help. Instead of looking at emails per minute, it is better to configure policies that count per hour by setting the corresponding Period to 3600 in the quotas table. You can also customize the error message in the Zimbra UI (hidden under the details button) by setting the corresponding Data-field in the quotas table.
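
The lookup from step 4 and the hourly setting from the bonus tip, written out as one session. This is an added example, not part of the original post or of cbpolicyd.sh. The columns `Name`, `Track`, `Verdict` and `Type` and the value `MessageCount` are assumed from the stock cbpolicyd schema, and the hourly limit of 300 and the message text are constructed sample values.

```sql
-- Run inside the client opened with: /opt/zimbra/bin/mysql policyd_db
-- Assumption: Name, Track, Verdict and Type exist as in the stock cbpolicyd
-- schema. Confirm them with the first SELECT before running any UPDATE.

-- 1. Show every quota next to its limit, so the QuotasID is read from the
--    data instead of being assumed to be 3.
SELECT q.ID AS QuotasID, q.Name, q.Track, q.Period, q.Verdict, q.Data,
       l.ID AS LimitID, l.Type, l.CounterLimit
FROM quotas AS q
JOIN quotas_limits AS l ON l.QuotasID = q.ID
ORDER BY q.ID, l.ID;

-- 2. Test setting: one message per Period for the per-sender quota,
--    selected by its Track value rather than a hard-coded ID.
UPDATE quotas_limits AS l
JOIN quotas AS q ON q.ID = l.QuotasID
SET l.CounterLimit = 1
WHERE q.Track = 'Sender:user@domain'
  AND l.Type = 'MessageCount';

-- 3. After the test, restore the installer default of 100.
UPDATE quotas_limits AS l
JOIN quotas AS q ON q.ID = l.QuotasID
SET l.CounterLimit = 100
WHERE q.Track = 'Sender:user@domain'
  AND l.Type = 'MessageCount';

-- 4. Bonus tip: count per hour and set the text shown to the sender.
--    300 per hour and the message are constructed sample values.
START TRANSACTION;
UPDATE quotas
SET Period = 3600,
    Data = 'Hourly sending limit reached. Use the mass mailing service.'
WHERE Track = 'Sender:user@domain';
UPDATE quotas_limits AS l
JOIN quotas AS q ON q.ID = l.QuotasID
SET l.CounterLimit = 300
WHERE q.Track = 'Sender:user@domain'
  AND l.Type = 'MessageCount';
COMMIT;

-- 5. Confirm the result.
SELECT q.ID, q.Track, q.Period, q.Data, l.CounterLimit
FROM quotas AS q
JOIN quotas_limits AS l ON l.QuotasID = q.ID
WHERE q.Track = 'Sender:user@domain';
```

Each UPDATE should report one matched row. Zero matched rows means the `Track` or `Type` value on your installation differs from the one assumed here.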

Thank you,

Barry de Graaff
Channel Evangelist
Zimbra | A Synacor Product


4 Responses to 2/3 – Zimbra Open Core Series – Rate Limiting Email with PolicyD

  1. ChandraWest April 25, 2020 at 6:48 PM #

    Good information for us. Full detailed specification can I get? Please give a reply or a link where I get the full details about the PolicyD.

    • Gayle Billat May 11, 2020 at 6:40 PM #

      Hello – here is a link for you: Thanks!

  2. Andrea Giuliani June 30, 2020 at 11:30 AM #

    I want to create a script that runs cbpolicyd.sh and then
    su - zimbra
    zmprov ms $(zmhostname) +zimbraServiceEnabled cbpolicyd
    zmprov ms $(zmhostname) zimbraCBPolicydQuotasEnabled TRUE
    zmmtactl restart && zmcbpolicydctl start

    How can I run the last line under root?

    • Gayle Billat July 9, 2020 at 6:59 PM #

      Hello – Please ask this question in forums.zimbra.com. We have a very active Zimbra community there, and someone will be able to help you. Thanks!
