  #1 (permalink)  
Old 02-01-2010, 11:07 AM
Senior Member
 
Posts: 70
Default Per user throttle/rate-limit?

Is it possible to implement, within Zimbra, a per-user daily message throttle/rate limit?

In order to help prevent spam from compromised accounts, I'd like to place a per-day message count limit per account. Something that would warn an administrator once an account hit threshold A, and start delaying, or outright stopping, delivery once the account hit threshold B.

This would give an administrator time to stop a spam/phish outbreak from a compromised account before it got out of hand.
  #2 (permalink)  
Old 02-01-2010, 11:29 AM
Zimbra Consultant & Moderator
 
Posts: 20,312
Default

The answer would be to use Policyd as it's not available in Postfix.
__________________
Regards


Bill
  #3 (permalink)  
Old 02-04-2010, 09:39 AM
Senior Member
 
Posts: 70
Default

Ok, I've got policyd set up, but it's effectively doing nothing.

Things get a tad more complicated because I'm running a multi-server install. My MySQL server is on a different server than my MTA.

I believe I've worked around all of that; I'm able to get a connection from policyd to my MySQL server, and I'm able to connect to policyd's port from all of the other hosts in my multi-server install.

All of my database connections, and references to where to connect to policyd, are configured to the proper working IPs.

However, it simply doesn't work.

With policyd started, and an outbound policy enabled, I get no feedback in my policyd log even though I have it set to log debugging. Policyd starts, I send a message, my maillog reports that it was sent, policyd does not give me any inclination that it was even referenced.

What am I missing?
  #4 (permalink)  
Old 02-04-2010, 12:26 PM
Senior Member
 
Posts: 70
Default

It seems as if Postfix is ignoring the config which tells it to connect to policyd before sending the message.

If I telnet to 10031 on my Zimbra MTA (where policyd runs) I see the following in my policyd log:
[2010/02/04-14:53:04 - 7452] [CORE] INFO: 2010/02/04-14:53:04 CONNECT TCP Peer: "127.0.0.1:42922" Local: "127.0.0.1:10031"
[2010/02/04-14:53:04 - 7450] [CORE] INFO: Starting "1" children
[2010/02/04-14:53:04 - 18658] [CORE] DEBUG: Child Preforked (18658)
[2010/02/04-14:53:04 - 18658] [CBPOLICYD] DEBUG: Starting up caching engine
[2010/02/04-14:53:24 - 7452] [CBPOLICYD] WARNING: Client closed connection => Peer: 127.0.0.1:42922, Local: 127.0.0.1:10031
[2010/02/04-14:53:44 - 7450] [CORE] INFO: Killing "1" children
[2010/02/04-14:53:44 - 7454] [CBPOLICYD] DEBUG: Shutting down caching engine (7454)

Which tells me that policyd is accepting connections, and that I should see a similar log whenever Postfix attempts to send a message. I see no such log when I send via Zimbra.

My zimbraMtaRestriction looks like:

[zimbra@zstore00 conf]$ zmprov gcf zimbraMtaRestriction
zimbraMtaRestriction: reject_invalid_hostname
zimbraMtaRestriction: reject_non_fqdn_sender
zimbraMtaRestriction: check_policy_service inet:(ip of my zimbra mta):10031



And my postfix_recipient_restrictions.cf looks like:

%%contains VAR:zimbraMtaRestriction reject_invalid_hostname%%
%%contains VAR:zimbraMtaRestriction reject_non_fqdn_hostname%%
%%contains VAR:zimbraMtaRestriction reject_non_fqdn_sender%%
%%contains VAR:zimbraMtaRestriction reject_unknown_client%%
%%contains VAR:zimbraMtaRestriction reject_unknown_hostname%%
%%contains VAR:zimbraMtaRestriction reject_unknown_sender_domain%%
%%explode reject_rbl_client VAR:zimbraMtaRestrictionRBLs%%
%%contains VAR:zimbraMtaRestriction check_policy_service unix:private/policy%%
%%contains VAR:zimbraMtaRestriction check_policy_service inet:(ip of my zimbra mta):10031%%


Is there something I'm missing?
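Added example, not part of the original posts: a telnet connect only shows that port 10031 accepts TCP, so this probe speaks the Postfix policy delegation protocol (name=value lines, blank-line terminator, `action=` reply) to confirm the daemon answers a real request. The addresses and helo name are constructed, the attribute set is a subset of what Postfix sends (an assumption: a given daemon may require more), and the daemon may log or count the probe like real mail.

```python
import socket
import sys


def build_request(sender, recipient, client_address, sasl_username=""):
    """Serialise one RCPT-stage policy request as Postfix would send it."""
    attrs = [
        ("request", "smtpd_access_policy"),
        ("protocol_state", "RCPT"),
        ("protocol_name", "ESMTP"),
        ("helo_name", "probe.invalid"),      # constructed value
        ("client_address", client_address),
        ("client_name", "unknown"),
        ("sender", sender),
        ("recipient", recipient),
        ("sasl_username", sasl_username),
    ]
    # One attribute per line; an empty line ends the request.
    return ("".join(f"{k}={v}\n" for k, v in attrs) + "\n").encode()


def parse_reply(data):
    """Return the text after 'action=' or None if the reply carries no action."""
    for line in data.decode(errors="replace").splitlines():
        if line.startswith("action="):
            return line[len("action="):]
    return None


def probe(host, port, request, timeout=5.0):
    """Send one request to the policy daemon and return its action."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        buf = b""
        while b"\n\n" not in buf:            # the reply also ends with a blank line
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_reply(buf)


if __name__ == "__main__":
    # Usage: probe.py HOST [PORT]; sender and recipient below are constructed.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 10031
    req = build_request("user@example.com", "dest@example.net", "127.0.0.1")
    print("policy daemon answered:", probe(host, port, req))
```

If this returns an action while nothing appears in the policyd log for mail sent through Zimbra, the daemon is working and the gap is on the Postfix side.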
  #5 (permalink)  
Old 02-04-2010, 11:35 PM
Moderator
 
Posts: 7,928
Default

Can you post an extract from /var/log/zimbra.log when an email is sent so we can see what is happening?
  #6 (permalink)  
Old 02-05-2010, 07:17 AM
Senior Member
 
Posts: 70
Default

From /var/log/zimbra.log during my smtp transaction.

Feb 5 10:13:48 zsmtp0 postfix/smtpd[28893]: connect from zstore01.zdev.[IPOFSERVER]
Feb 5 10:13:48 zsmtp0 postfix/smtpd[28893]: EAB4D40020: client=zstore01.zdev[IPOFSERVER]
Feb 5 10:13:48 zsmtp0 postfix/cleanup[28896]: EAB4D40020: message-id=<762635443.831265382828907.JavaMail.root@zstore01.zdev>
Feb 5 10:13:48 zsmtp0 postfix/qmgr[23663]: EAB4D40020: from=<lagern@zdev>, size=672, nrcpt=1 (queue active)
Feb 5 10:13:48 zsmtp0 postfix/smtpd[28893]: disconnect from zstore01.zdev.lafayette.edu[139.147.6.82]
Feb 5 10:13:49 zsmtp0 postfix/smtp[28897]: EAB4D40020: to=<Personaladdress>, relay=mta.domain.com[IPOFRELAYMTA]:25, delay=0.3, delays=0.02/0.03/0.02/0.22, dsn=2.0.0, status=sent (250 2.0.0 o15FDnMh016233 Message accepted for delivery)
Feb 5 10:13:49 zsmtp0 postfix/qmgr[23663]: EAB4D40020: removed
  #7 (permalink)  
Old 02-05-2010, 07:38 AM
Moderator
 
Posts: 7,928
Default

Has /opt/zimbra/postconf/conf/main.cf been updated with your changes? If not, then have you restarted the MTA services?
Code:
su - zimbra
zmmtactl stop ; zmmtactl start
  #8 (permalink)  
Old 02-05-2010, 10:20 AM
Senior Member
 
Posts: 70
Default

So, the changes I applied to postfix_recipient_restrictions.cf should have ended up in main.conf?

I restarted Zimbra on the SMTP server, and I see it in there now. I'll give it another shot.

Thanks!
  #9 (permalink)  
Old 02-05-2010, 10:26 AM
Senior Member
 
Posts: 70
Default

No better.

Here is what I see in main.cf.


smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_sender, check_policy_service inet:IPOFMYPOLICYDSERVER:10031, permit


Which looks right to me. As I stated before, this is a multi-server install. Do I need to restart any other services? The store server?

I have the Zimbra core on one server, SMTP on another, LDAP on another, and proxy on another. To give you an idea of how things are configured.

Thanks!
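Added example, not part of the original posts: Postfix evaluates a restriction list left to right and stops at the first restriction that returns permit, reject or defer, so a `check_policy_service` entry placed after `permit_sasl_authenticated` and `permit_mynetworks` is never consulted for clients those entries match. The script below checks the main.cf line from post #9 for that ordering; the reordered line is constructed for comparison, and whether the submitting host falls inside `mynetworks` or authenticates is an assumption about this install that the thread does not state.

```python
import re
import sys

# These restrictions return "permit", which ends evaluation of the list
# for the clients they match; nothing after them is consulted.
EARLY_PERMITS = ("permit_sasl_authenticated", "permit_mynetworks", "permit")

# Restriction line copied from post #9 of the thread.
THREAD_LINE = (
    "smtpd_recipient_restrictions = reject_non_fqdn_recipient, "
    "permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, "
    "reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_sender, "
    "check_policy_service inet:IPOFMYPOLICYDSERVER:10031, permit"
)
# Constructed for comparison: policy check moved ahead of the permit_* entries.
REORDERED_LINE = (
    "smtpd_recipient_restrictions = reject_non_fqdn_recipient, "
    "check_policy_service inet:IPOFMYPOLICYDSERVER:10031, "
    "permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, permit"
)


def parse_restrictions(line):
    """Tokenise 'name = a, b c, d' the way Postfix does (commas and/or whitespace)."""
    name, sep, value = line.partition("=")
    if not sep or len(name.split()) != 1:
        value = line  # bare value without a parameter name in front
    return [tok for tok in re.split(r"[,\s]+", value.strip()) if tok]


def policy_bypass(line):
    """Map each check_policy_service endpoint to the permits that precede it."""
    tokens, earlier, report = parse_restrictions(line), [], {}
    for i, tok in enumerate(tokens):
        if tok == "check_policy_service" and i + 1 < len(tokens):
            report[tokens[i + 1]] = list(earlier)
        elif tok in EARLY_PERMITS:
            earlier.append(tok)
    return report


if __name__ == "__main__":
    # Pass the output of `postconf smtpd_recipient_restrictions` as argv[1],
    # or run with no argument to analyse the line from the thread.
    line = sys.argv[1] if len(sys.argv) > 1 else THREAD_LINE
    for endpoint, permits in policy_bypass(line).items():
        if permits:
            print(f"{endpoint}: skipped for clients matched by {', '.join(permits)}")
        else:
            print(f"{endpoint}: reached by every client")
```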
  #10 (permalink)  
Old 02-05-2010, 10:55 AM
Senior Member
 
Posts: 70
Default

Also, we have a Proofpoint spam appliance configured as Zimbra's relay host. This scans outbound mail for us.

As this is my dev environment, I've removed that from the mix, to be safe. No change.
I've also tried moving policyd's policy to the beginning of the %%contains list, and that hasn't helped either.