- Amavis Policy Banks to set up an email address for a VIP
- cbpolicyd to set-up rate limiting on outgoing email to enforce a mass mailing guideline
- Milter filters to extend postfix
Rate Limiting Email Using PolicyD
PolicyD is a built-in, open-source tool in Zimbra that allows you to implement spam combating and email compliance features. In this post, I will show you how to setup outgoing email rate limiting, which can help you keep your email server and domains in good standing with public blacklists.
This example is one of many things you can do (and probably not the only thing you should do) to avoid being blacklisted.
Real world example: SMB wants to implement mailing policy
Recently a Zimbra SMB customer asked if it was possible to prevent users in their company from sending out mass emails from the company’s Zimbra mailserver. They want to implement a policy to use an external service like Mailchimp to send out these emails from a different email domain to keep their Zimbra server in good standing (a business critical concern).
PolicyD can help. It can be setup with policies to define a maximum number of email recipients a user can send to in a specific period of time.
This example introduces and educates you in the ways of PolicyD. It is in no way meant to be a drop-in production ready solution. Please use it responsibly and run in a test environment.
The script below has been tested on a CentOS 7 single server Zimbra 8.8.15 installation.
- Download the install script on your test environment.
wget https://raw.githubusercontent.com/Zimbra-Community/zimbra-tools/ master/cbpolicyd.sh -O /tmp/cbpolicyd.sh chmod +rx /tmp/cbpolicyd.sh
Read the contents of cbpolicyd.sh for an understanding of the how the setup works. Please note that you probably want to modify it to install on a MariaDB server outside of your Zimbra server, as that way your data is preserved on Zimbra upgrades.
2. When you are ready, run the installer:
After running the default setup, the following policy is installed:
* Rate limit any sender from sending more then 100 emails every 60 seconds. Messages beyond this limit are deferred.
* Rate limit anyone from receiving more then 125 emails in a 60 second period. Messages beyond this rate are rejected.
3. Enable and start the cbpolicyd service on Zimbra:
su zimbra zmprov ms $(zmhostname) +zimbraServiceEnabled cbpolicyd zmprov ms $(zmhostname) zimbraCBPolicydQuotasEnabled TRUE zmmtactl restart && zmcbpolicydctl start
4. To test the configuration, temporarily change the outgoing email rate to a lower number, so you can observe if the email is rejected.
/opt/zimbra/bin/mysql policyd_db SELECT * FROM quotas_limits; UPDATE quotas_limits SET CounterLimit = 1 WHERE QuotasID = 3;
If you have no experience in relational databases, the above may be a bit confusing. To find the correct `QuotasID`, do a `SELECT * from quotas;` and take a look at the `ID` from the `Sender:user@domain` record. Now try and send 2 emails to yourself in one minute to ensure that the second is rejected.
When accounts are compromised, the above policies will not help. Instead of looking at emails per minute, it is better to configure policies that count per hour by setting the corresponding Period to 3600 in the quotas table. You can also customize the error message in the Zimbra UI (hidden under the details button) by setting the corresponding Data-field in the quotas table.
Barry de Graaff
Zimbra | A Synacor Product