
Zimbra Tips : How To Secure PolicyD Web Admin

February 8, 2014

In the previous article, PolicyD and Rate Limit Sending Message Implementation on Zimbra 8, we installed and configured PolicyD to prevent spam from being sent to outside networks (or from coming into the internal network). A Zimbra-based mail server without PolicyD can be blacklisted because of spam sent from a compromised account (an account taken over by an attacker).

By default, PolicyD Web Admin can be accessed from anywhere, including from outside or public networks. From a mail server security perspective this is strongly discouraged, because an attacker could use the web admin to modify the PolicyD policies or disable them to suit their purposes. We can limit access with the methods described below:

Shutdown The Apache Service

This is the easiest way to prevent access: turn off the Apache web service used by PolicyD Web Admin.

[code language="bash"]
su - zimbra -c "zmapachectl stop"
[/code]

If you need to modify an existing policy, just turn the service back on:

[code language="bash"]
su - zimbra -c "zmapachectl start"
[/code]

Creating Firewall/Block Port 7780

PolicyD web admin uses port 7780. Configure the firewall so that this port is accessible from a specific IP address only.
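
One way to apply this with iptables, as an added example that is not from the original article: the function admits a single admin address to TCP 7780 and drops everything else. The function names, the sample address 192.0.2.10 used to try it, the loopback rule and the `IPT` override are assumptions; setting `IPT="echo iptables"` previews the rules without touching the firewall.

```shell
# Added example (not from the original article): allow TCP 7780 from one
# admin address only. Set IPT="echo iptables" to preview instead of apply.
valid_ipv4() {
    # Reject empty input, anything but digits and dots, and misplaced dots.
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    IFS=. read -r o1 o2 o3 o4 extra <<EOF
$1
EOF
    # Exactly four octets, each at most three digits and no larger than 255.
    [ -n "$o4" ] && [ -z "$extra" ] || return 1
    for octet in "$o1" "$o2" "$o3" "$o4"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

restrict_policyd_webui() {
    admin_ip=$1
    ipt=${IPT:-iptables}
    if ! valid_ipv4 "$admin_ip"; then
        echo "refusing to add rules: '$admin_ip' is not an IPv4 address" >&2
        return 1
    fi
    # Order matters: both ACCEPT rules must sit above the final DROP.
    # Assumption: processes on the server itself may still need the port,
    # so loopback traffic stays allowed.
    $ipt -I INPUT 1 -i lo -p tcp --dport 7780 -j ACCEPT &&
    $ipt -I INPUT 2 -p tcp --dport 7780 -s "$admin_ip" -j ACCEPT &&
    $ipt -I INPUT 3 -p tcp --dport 7780 -j DROP
}
```

Rules inserted this way are lost at reboot unless they are saved with the distribution's iptables persistence mechanism.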

Using Authentication

We can use web authentication and configure .htaccess to limit access to PolicyD web admin. Only authenticated users can access the web admin.

  • Move to the webui cbpolicyd directory

[code language="bash"]cd /opt/zimbra/cbpolicyd-2.1.0-beta/share/webui[/code]

  • Create the .htaccess file and open it for editing

[code language="bash"]
touch .htaccess
vi .htaccess
[/code]
The contents of .htaccess should look like this:
[code language="bash"]
AuthUserFile /opt/zimbra/cbpolicyd-2.1.0-beta/share/webui/.htpasswd
AuthGroupFile /dev/null
AuthName "User and Password"
AuthType Basic
require valid-user
[/code]

  • Create the .htpasswd file with a username and password

[code language="bash"]
touch .htpasswd
htpasswd -c .htpasswd cbpadmin
[/code]
or
[code language="bash"]
htpasswd2 -c .htpasswd cbpadmin
[/code]
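
  • Edit /opt/zimbra/conf/httpd.conf and append the following lines at the bottom of the file:

[code language="bash"]
Alias /webui /opt/zimbra/cbpolicyd-2.1.0-beta/share/webui/
# The access directives must be inside a <Directory> block; outside one,
# Apache fails with "AllowOverride not allowed here".
<Directory /opt/zimbra/cbpolicyd-2.1.0-beta/share/webui/>
# Comment out the following 3 lines to make web ui accessible from anywhere
AllowOverride AuthConfig
Order Deny,Allow
Allow from all
</Directory>
[/code]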

  • Restart the Zimbra Apache service

[code language="bash"]
su - zimbra -c "zmapachectl restart"
[/code]

Try to reopen PolicyD Web Admin; it should now prompt for authentication. Log in with the cbpadmin username and the password set in the step above.
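
A check for the setup above, as an added example that is not part of the original article: `audit_webui_auth` (a hypothetical helper) reads an httpd.conf and the web UI directory and reports the mistakes that leave the UI unprotected or break the configuration, such as access directives placed outside a `<Directory>` block. `make_sample` writes constructed files to a temporary directory so the check can be tried away from the live server.

```shell
# Added example, not from the original article. Helper names are hypothetical.
# Usage: audit_webui_auth <httpd.conf> <webui directory>
# Prints one line per problem and returns 0 only when none were found.
audit_webui_auth() {
    conf=$1
    webui=${2%/}
    problems=0
    report() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

    # .htaccess is honoured only if a <Directory> block for the web UI sets
    # AllowOverride AuthConfig (or All).
    awk -v dir="$webui" '
        /^[ \t]*#/ { next }
        tolower($1) == "<directory" {
            d = $2; gsub(/[">]/, "", d); sub(/\/$/, "", d); inside = (d == dir)
        }
        tolower($1) == "</directory>" { inside = 0 }
        inside && tolower($1) == "allowoverride" {
            for (i = 2; i <= NF; i++) if (tolower($i) ~ /^(authconfig|all)$/) ok = 1
        }
        END { exit !ok }
    ' "$conf" || report "no <Directory $webui> block with AllowOverride AuthConfig"

    ht="$webui/.htaccess"
    if [ ! -f "$ht" ]; then
        report "$ht is missing"
    else
        grep -Eiq '^[[:space:]]*AuthType[[:space:]]+Basic' "$ht" || report "no AuthType Basic in $ht"
        grep -Eiq '^[[:space:]]*require[[:space:]]+valid-user' "$ht" || report "no require valid-user in $ht"
        # The password file is the one AuthUserFile names; it needs an entry.
        pw=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$ht")
        [ -n "$pw" ] && [ -s "$pw" ] || report "AuthUserFile '$pw' is missing or empty"
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample files mirroring the steps above, in a temp directory.
make_sample() {
    s=$(mktemp -d) && mkdir "$s/webui" || return 1
    printf 'AuthUserFile %s/webui/.htpasswd\nAuthType Basic\nrequire valid-user\n' "$s" > "$s/webui/.htaccess"
    printf 'cbpadmin:constructed-not-a-real-hash\n' > "$s/webui/.htpasswd"
    printf 'Alias /webui %s/webui/\n<Directory %s/webui/>\nAllowOverride AuthConfig\n</Directory>\n' "$s" "$s" > "$s/httpd.conf"
    echo "$s"
}
```

On a live server the call would be `audit_webui_auth /opt/zimbra/conf/httpd.conf /opt/zimbra/cbpolicyd-2.1.0-beta/share/webui`, using the paths from the steps above.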


Fikri Assagaf

9 Comments


tuan
March 20, 2014 at 15:46

Please help, error:
su - zimbra -c "zmapachectl restart"
Stopping apache…AH00526: Syntax error on line 497 of /opt/zimbra/conf/httpd.conf:
AllowOverride not allowed here
failed.
Starting apache…AH00526: Syntax error on line 497 of /opt/zimbra/conf/httpd.conf:
AllowOverride not allowed here
failed.



    Alessio
    June 5, 2014 at 20:44

    The correct syntax of httpd.conf append is:

    Alias /webui /opt/zimbra/cbpolicyd-2.1.0-beta/share/webui/
    # Comment out the following 3 lines to make web ui accessible from anywhere

    AllowOverride AuthConfig
    Order Deny,Allow
    Allow from all

      Amol Jirge
      August 28, 2014 at 15:13

      It should be

      Alias /webui /opt/zimbra/cbpolicyd-2.1.0-beta/share/webui/
      # Comment out the following 3 lines to make web ui accessible from anywhere
      AllowOverride AuthConfig
      Order Deny,Allow
      Allow from all

        Amol Jirge
        August 28, 2014 at 17:26

        Directory Tag is not appearing due to HTML.

        Directory tag should start after Alias line and should end at the end

Alessio
June 5, 2014 at 20:46

Note: if authentication fails, generate the .htpasswd content with some external tools.
For the htpasswd2 mechanism I used:
https://rawstudio.org/htpasswd2.php



tuan
June 10, 2015 at 10:31

config OK :

Alias /webui /opt/zimbra/cbpolicyd-2.1.0-beta/share/webui/
#Comment out the following 3 lines to make web ui accessible from anywhere

AllowOverride AuthConfig
Order Deny,Allow
Allow from all



Edmond
September 3, 2015 at 16:11

Still, the communication goes through plain HTTP; you should secure it through HTTPS!



munawar
October 19, 2017 at 22:07

Hi,
can you please guide me to the locations of .htaccess and .htpasswd on Ubuntu 16.04? I am a bit confused.



    Masim "Vavai" Sugianto
    December 7, 2017 at 09:34

    Hi Munawar,

    You need to create it manually in the respective folder.
