Thread: Per user throttle/rate-limit?

  1. #1
    NathanL is offline Loyal Member

    Is it possible to implement, within Zimbra, a per-user daily message throttle/rate limit?

    In order to help prevent spam from compromised accounts, I'd like to place a per-day message count limit per account. Something that would warn an administrator once an account hit threshold A, and start delaying, or outright stopping, delivery once the account hit threshold B.

    This would give an administrator time to stop a spam/phish outbreak from a compromised account before it got out of hand.
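
Added example, not part of the thread: the two-threshold scheme asked for above, written as the decision logic of a Postfix policy-delegation service (the protocol a daemon such as policyd speaks). The threshold values, class and function names are assumptions, and counts are kept in memory only.

```python
from collections import defaultdict
from datetime import date

WARN_AT = 200    # threshold A (assumed value): alert the administrator
BLOCK_AT = 500   # threshold B (assumed value): stop accepting from the account


def parse_request(text):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


class DailyThrottle:
    def __init__(self, warn_at=WARN_AT, block_at=BLOCK_AT):
        self.warn_at, self.block_at = warn_at, block_at
        self.counts = defaultdict(int)   # (user, day) -> recipients accepted
        self.alerts = []                 # (user, day) pairs for the admin

    def decide(self, attrs, today=None):
        """Return the access action for one RCPT-stage request."""
        day = today or date.today()
        # Prefer the authenticated login; fall back to the envelope sender.
        user = (attrs.get("sasl_username") or attrs.get("sender", "")).lower()
        if not user:
            return "DUNNO"
        key = (user, day)
        if self.counts[key] >= self.block_at:
            return "DEFER_IF_PERMIT Daily sending limit reached"
        self.counts[key] += 1
        if self.counts[key] == self.warn_at:
            self.alerts.append(key)      # fires once per user per day
        return "DUNNO"


def reply(action):
    """Wire format of a policy response: action line plus empty line."""
    return "action=%s\n\n" % action
```
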

  2. #2
    phoenix is offline Zimbra Consultant & Moderator

    The answer would be to use Policyd as it's not available in Postfix.
    Regards


    Bill



  3. #3
    NathanL is offline Loyal Member

    Ok, I've got policyd set up, but it's effectively doing nothing.

    Things get a tad more complicated because I'm running a multi-server install. My mysql server is on a different server than my mta.

    I believe I've worked around all of that, I'm able to get a connection from policyd to my mysql server, and I'm able to connect to policyd's port from all of the other hosts in my multiserver install.

    All of my database connections, and references to where to connect to policyd are configured to the proper working IPs.

    However, it simply doesn't work.

    With policyd started, and an outbound policy enabled, I get no feedback in my policyd log even though I have it set to log debugging. Policyd starts, I send a message, my maillog reports that it was sent, policyd does not give me any inclination that it was even referenced.

    What am I missing?

  4. #4
    NathanL is offline Loyal Member

    It seems as if postfix is ignoring the config which tells it to connect to policyd before sending the message.

    If I telnet to 10031 on my zimbra mta (where policyd runs) I see the following in my policyd log:
    [2010/02/04-14:53:04 - 7452] [CORE] INFO: 2010/02/04-14:53:04 CONNECT TCP Peer: "127.0.0.1:42922" Local: "127.0.0.1:10031"
    [2010/02/04-14:53:04 - 7450] [CORE] INFO: Starting "1" children
    [2010/02/04-14:53:04 - 18658] [CORE] DEBUG: Child Preforked (18658)
    [2010/02/04-14:53:04 - 18658] [CBPOLICYD] DEBUG: Starting up caching engine
    [2010/02/04-14:53:24 - 7452] [CBPOLICYD] WARNING: Client closed connection => Peer: 127.0.0.1:42922, Local: 127.0.0.1:10031
    [2010/02/04-14:53:44 - 7450] [CORE] INFO: Killing "1" children
    [2010/02/04-14:53:44 - 7454] [CBPOLICYD] DEBUG: Shutting down caching engine (7454)

    Which tells me that policyd is accepting connections, and that I should see a similar log whenever postfix attempts to send a message. I see no such log when I send via zimbra.

    My zimbraMtaRestriction looks like:

    [zimbra@zstore00 conf]$ zmprov gcf zimbraMtaRestriction
    zimbraMtaRestriction: reject_invalid_hostname
    zimbraMtaRestriction: reject_non_fqdn_sender
    zimbraMtaRestriction: check_policy_service inet:(ip of my zimbra mta):10031



    And my postfix_recipient_restrictions.cf looks like:

    %%contains VAR:zimbraMtaRestriction reject_invalid_hostname%%
    %%contains VAR:zimbraMtaRestriction reject_non_fqdn_hostname%%
    %%contains VAR:zimbraMtaRestriction reject_non_fqdn_sender%%
    %%contains VAR:zimbraMtaRestriction reject_unknown_client%%
    %%contains VAR:zimbraMtaRestriction reject_unknown_hostname%%
    %%contains VAR:zimbraMtaRestriction reject_unknown_sender_domain%%
    %%explode reject_rbl_client VAR:zimbraMtaRestrictionRBLs%%
    %%contains VAR:zimbraMtaRestriction check_policy_service unix:private/policy%%
    %%contains VAR:zimbraMtaRestriction check_policy_service inet:(ip of my zimbra mta):10031%%


    Is there something I'm missing?

  5. #5
    uxbod is offline Moderator

    Can you post an extract from /var/log/zimbra.log when an email is sent so we can see what is happening?

  6. #6
    NathanL is offline Loyal Member

    From /var/log/zimbra.log during my smtp transaction.

    Feb 5 10:13:48 zsmtp0 postfix/smtpd[28893]: connect from zstore01.zdev.[IPOFSERVER]
    Feb 5 10:13:48 zsmtp0 postfix/smtpd[28893]: EAB4D40020: client=zstore01.zdev[IPOFSERVER]
    Feb 5 10:13:48 zsmtp0 postfix/cleanup[28896]: EAB4D40020: message-id=<762635443.831265382828907.JavaMail.root@zstore 01.zdev>
    Feb 5 10:13:48 zsmtp0 postfix/qmgr[23663]: EAB4D40020: from=<lagern@zdev>, size=672, nrcpt=1 (queue active)
    Feb 5 10:13:48 zsmtp0 postfix/smtpd[28893]: disconnect from zstore01.zdev.lafayette.edu[139.147.6.82]
    Feb 5 10:13:49 zsmtp0 postfix/smtp[28897]: EAB4D40020: to=<Personaladdress>, relay=mta.domain.com[IPOFRELAYMTA]:25, delay=0.3, delays=0.02/0.03/0.02/0.22, dsn=2.0.0, status=sent (250 2.0.0 o15FDnMh016233 Message accepted for delivery)
    Feb 5 10:13:49 zsmtp0 postfix/qmgr[23663]: EAB4D40020: removed

  7. #7
    uxbod is offline Moderator

    Has /opt/zimbra/postconf/conf/main.cf been updated with your changes? If not, then have you restarted the MTA services?
    Code:
    su - zimbra
    zmmtactl stop ; zmmtactl start

  8. #8
    NathanL is offline Loyal Member

    So, the changes I applied to postfix_recipient_restrictions.cf should have ended up in main.conf?

    I restarted zimbra on the smtp server, I see it in there now. I'll give it another shot.

    Thanks!

  9. #9
    NathanL is offline Loyal Member

    No better.

    Here is what I see in main.cf.


    smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_sender, check_policy_service inet:IPOFMYPOLICYDSERVER:10031, permit


    Which looks right to me. As I stated before, this is a multiserver install, do I need to restart any other services? The store server?

    I have the zimbra core on one server, smtp on another, ldap on another, and proxy on another. To give you an idea of how things are configured.

    Thanks!
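
Added example, not part of the thread: Postfix applies the entries of smtpd_recipient_restrictions in the order listed and stops at the first one that gives a final result, so the position of check_policy_service decides which clients ever reach policyd. The sketch below parses the list from the post above and reports whether the policy service would be consulted; the client flags, function names and the REORDERED list are assumptions made for illustration.

```python
# List as posted in the thread (placeholder host kept as written).
POSTED = ("reject_non_fqdn_recipient, permit_sasl_authenticated, "
          "permit_mynetworks, reject_unauth_destination, "
          "reject_unlisted_recipient, reject_invalid_hostname, "
          "reject_non_fqdn_sender, "
          "check_policy_service inet:IPOFMYPOLICYDSERVER:10031, permit")
# Constructed variant with the policy check ahead of the permit_* entries.
REORDERED = ("reject_non_fqdn_recipient, "
             "check_policy_service inet:IPOFMYPOLICYDSERVER:10031, "
             "permit_sasl_authenticated, permit_mynetworks, "
             "reject_unauth_destination, permit")

TAKES_ARG = {"check_policy_service", "reject_rbl_client"}


def parse_restrictions(value):
    """Split a main.cf restriction list into (name, argument) pairs."""
    tokens = value.replace(",", " ").split()
    out, i = [], 0
    while i < len(tokens):
        name, arg = tokens[i], None
        if name in TAKES_ARG and i + 1 < len(tokens):
            i += 1
            arg = tokens[i]
        out.append((name, arg))
        i += 1
    return out


def first_permit(restrictions, client):
    """Index of the first entry that permits this client, or None.
    Models an otherwise acceptable message: reject_* entries never fire."""
    for idx, (name, _) in enumerate(restrictions):
        if name == "permit_sasl_authenticated" and client.get("sasl"):
            return idx
        if name == "permit_mynetworks" and client.get("in_mynetworks"):
            return idx
        if name == "permit":
            return idx
    return None


def policy_service_consulted(value, client):
    """True if check_policy_service is reached before evaluation stops."""
    restrictions = parse_restrictions(value)
    stop = first_permit(restrictions, client)
    for idx, (name, _) in enumerate(restrictions):
        if name == "check_policy_service":
            return stop is None or idx < stop
    return False
```

For a client that matches mynetworks or has authenticated, `policy_service_consulted(POSTED, ...)` is false, while the same call for a client that is neither is true.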

  10. #10
    NathanL is offline Loyal Member
    Join Date
    Apr 2009
    Posts
    93
    Rep Power
    6

    Default

    Also, we have a Proofpoint spam appliance configured as zimbra's relay host. This scans outbound mail for us.

    As this is my dev environment, I've removed that from the mix, to be safe. No change.
    I've also tried moving policyd's policy to the beginning of the %%contains list, and that hasn't helped either.
