Zimbra Tips : How To Secure PolicyD Web Admin

In the previous article, PolicyD and Rate Limit Sending Message Implementation on Zimbra 8, we installed and configured PolicyD to prevent spam messages from going out to external networks (or coming into the internal network). A Zimbra-based mail server without PolicyD can be blacklisted because of spam sent from a compromised account (an account taken over by an attacker).

By default, the PolicyD Web Admin can be accessed from anywhere, including from outside or public networks. From a mail server security perspective this is strongly discouraged, because an attacker could use the web admin to modify PolicyD policies or disable them to suit their purposes. We can limit access with the methods described below:

Shutdown The Apache Service

The easiest way to prevent access is to turn off the Apache web service used by the PolicyD Web Admin:

su - zimbra -c "zmapachectl stop"

If you need to modify an existing policy, just start the service again:

su - zimbra -c "zmapachectl start"

Creating Firewall/Block Port 7780

The PolicyD web admin uses port 7780. Configure the firewall so that this port is accessible from a specific IP address only.
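
One way to express this port restriction as iptables rules, as an added example that is not part of the original article. It assumes an iptables-based host firewall; the chain name POLICYD_ADMIN and the admin address 192.0.2.10 are placeholders.

```shell
#!/bin/sh
# Added example (not from the article): print iptables rules that restrict the
# PolicyD web admin port to one admin address. Nothing is applied by this script.
POLICYD_PORT=7780   # port stated in the article

# is_ipv4 ADDR: succeed only for a strict dotted-quad IPv4 address, so that
# nothing else can end up inside the generated commands.
is_ipv4() (
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;
    esac
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] || exit 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) exit 1 ;; esac
        [ "$octet" -le 255 ] || exit 1
    done
    exit 0
)

# policyd_fw_rules ADMIN_IP: print the rule set for review.
policyd_fw_rules() {
    if ! is_ipv4 "$1"; then
        echo "usage: policyd_fw_rules ADMIN_IPV4" >&2
        return 2
    fi
    # A dedicated chain (hypothetical name) keeps the policy in one place; the
    # jump is inserted at position 1 so an earlier broad ACCEPT cannot bypass it.
    # The ip6tables rule closes the same port over IPv6 for non-local traffic.
    cat <<EOF
iptables -N POLICYD_ADMIN
iptables -A POLICYD_ADMIN -i lo -j ACCEPT
iptables -A POLICYD_ADMIN -s $1 -j ACCEPT
iptables -A POLICYD_ADMIN -j DROP
iptables -I INPUT 1 -p tcp --dport $POLICYD_PORT -j POLICYD_ADMIN
ip6tables -I INPUT 1 -p tcp ! -i lo --dport $POLICYD_PORT -j DROP
EOF
}

# Dry run with a placeholder admin address (192.0.2.10 is a documentation IP).
# To apply after review, as root: policyd_fw_rules 192.0.2.10 | sh
policyd_fw_rules 192.0.2.10
```

Rules added this way do not survive a reboot unless they are saved with your distribution's persistence mechanism (for example iptables-save).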

Using Authentication

We can use web authentication, configured through .htaccess, to limit access to the PolicyD web admin. Only authenticated users can access the web admin.

  • Move to the cbpolicyd webui directory and create the .htaccess file
cd /opt/zimbra/cbpolicyd-2.1.0-beta/share/webui
touch .htaccess
vi .htaccess

The contents of .htaccess should look like this:

AuthUserFile /opt/zimbra/cbpolicyd-2.1.0-beta/share/webui/.htpasswd
AuthGroupFile /dev/null
AuthName "User and Password"
AuthType Basic
require valid-user
  • Create an htpasswd file with a username and password
touch .htpasswd
htpasswd -c .htpasswd cbpadmin

or, if the tool is installed as htpasswd2:

htpasswd2 -c .htpasswd cbpadmin

  • Edit /opt/zimbra/conf/httpd.conf and append the following lines at the bottom of the file:

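Alias /webui /opt/zimbra/cbpolicyd-2.1.0-beta/share/webui/
# AllowOverride is only valid inside a <Directory> section
<Directory /opt/zimbra/cbpolicyd-2.1.0-beta/share/webui/>
# Comment out the following 3 lines to make web ui accessible from anywhere
AllowOverride AuthConfig
Order Deny,Allow
Allow from all
</Directory>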
  • Restart the Zimbra Apache service
su - zimbra -c "zmapachectl restart"

Try to reopen the PolicyD Web Admin; it should now prompt for authentication. Log in with the cbpadmin username and the password set in the step above.

