On previous article : PolicyD and Rate Limit Sending Message Implementation on Zimbra 8, we’ve installing and configuring PolicyD to prevent spam message to go to outside network (or to came into internal network). Zimbra based mail server without PolicyD can be blacklisted due to spam message sent by compromised account (account got hacked by attacker).
By default, PolicyD Web Admin can be accesses from anywhere, including from outside or public network. From mail server security perspective, this method is highly not recommended, because attacker could modify PolicyD on web admin and changes it or disable it to fit with their purposes. We can apply some method to limit the access as describe below :
Shutdown The Apache Service
This is the easiest way to prevent access by turn off Apache web service used by PolicyD Web Admin
su - zimbra -c "zmapachectl stop"
If you need to modify an existing policy, just turn on the services :
su - zimbra -c "zmapachectl start"
Creating Firewall/Block Port 7780
PolicyD web admin using port 7780. Set the firewall to limit the access and set to be accessible from a specific IP address only.
Using Authentication
We can use web authentication and configure .htaccess to limit access into PolicyD web admin. Only authenticated user can access web admin.
- Move to the webui cbpolicyd directory
cd /opt/zimbra/cbpolicyd-2.1.0-beta/share/webui
- Move to the webui cbpolicyd directory
touch .htaccess vi .htaccess
the contents of .htaccess should looks like this :
AuthUserFile /opt/zimbra/cbpolicyd-2.1.0-beta/share/webui/.htpasswd AuthGroupFile /dev/null AuthName "User and Password" AuthType Basic require valid-user
- create a htpasswd file, username and password
touch .htpasswd htpasswd -c .htpasswd cbpadmin
or
htpasswd2 -c .htpasswd cbpadmin
Edit /opt/zimbra/conf/httpd.conf and append the following line on the bottom of file :
Alias /webui /opt/zimbra/cbpolicyd-2.1.0-beta/share/webui/ # Comment out the following 3 lines to make web ui accessible from anywhere AllowOverride AuthConfig Order Deny,Allow Allow from all
- Restart the apache zimbra service
su - zimbra -c "zmapachectl restart"
Try to reopen Web Admin PolicyD, it should provide authentication login. Login with cbpadmin username and password provided on the above step.
9 Comments
Please help erorr:
su – zimbra -c “zmapachectl restart”
Stopping apache…AH00526: Syntax error on line 497 of /opt/zimbra/conf/httpd.conf:
AllowOverride not allowed here
failed.
Starting apache…AH00526: Syntax error on line 497 of /opt/zimbra/conf/httpd.conf:
AllowOverride not allowed here
failed.
The correct syntax of httpd.conf append is:
Alias /webui /opt/zimbra/cbpolicyd-2.1.0-beta/share/webui/
# Comment out the following 3 lines to make web ui accessible from anywhere
AllowOverride AuthConfig
Order Deny,Allow
Allow from all
It should be
Alias /webui /opt/zimbra/cbpolicyd-2.1.0-beta/share/webui/
# Comment out the following 3 lines to make web ui accessible from anywhere
AllowOverride AuthConfig
Order Deny,Allow
Allow from all
Directory Tag is not appearing due to HTML.
Directory tag should start after Alias line and should end at the end
Note: if authentication fails generate .htpasswd content with some external tools.
For htpasswd2 mechanims you I used:
https://rawstudio.org/htpasswd2.php
config OK :
Alias /webui /opt/zimbra/cbpolicyd-2.1.0-beta/share/webui/
#Comment out the following 3 lines to make web ui accessible from anywhere
AllowOverride AuthConfig
Order Deny,Allow
Allow from all
still the communication goes through plain http, you should secure it through https !
hi,
can you please guide me the locations of .htaccess and .htpasswd location of ubuntu 16.04. I am a bit confused.
Hi Munawar,
You need to create it manually on the respective folder