cluebringer and ISPConfig3

Discussion in 'ISPConfig 3 Priority Support' started by stargazer, Jun 1, 2014.

  1. stargazer

    stargazer New Member HowtoForge Supporter

    I have searched for a couple of days but still not able to find the answer.

    I installed cluebringer from apt-get (debian wheezy) on my production web server. It all appears to work except I see no outgoing messages in session_tracking database and also see no entries at all in quotas_limits. It appears nothing is being tracked when it goes out.

    My quotas table has the following entry:
    | ID | PolicyID | Name | Track | Period | Verdict | Data | Comment | Disabled |
    | 4 | 2 | Limit Outgoing | Sender:[email protected] | 3600 | REJECT | NULL | NULL | 0 |

    select * from quotas_limits where QuotasID = 4;
    | ID | QuotasID | Type | CounterLimit | Comment | Disabled |
    | 6 | 4 | MessageCount | 600 | | 0 |

    I have all domains, private IP and public IP of the servers listed in policy_group_members. I did use the @domainname format for the domain entries.

    Any clues? Till, in all your "spare" time, a tutorial on this would be excellent. I'd be happy to help with a rough draft since I just did the install.


  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Do you see messages in the mail.log from cluebringer?

    Yes, that would be nice. I have a draft of a guide here that I used for a few installs but it installs cluebringer manually from source and is not 100% consistent in the directory and user naming scheme yet (cluebringer vs. policyd).
  3. stargazer

    stargazer New Member HowtoForge Supporter

    No, nothing. 'grep clue mail.log.1' returns nothing (I also did it on mail.log.

    Now, I see something in quotas_tracking. However, it is very little from what I expected (6 rows on a machine that has 128 active users.

    I'll keep an eye on it. Maybe I was just too impatient.

    We are building out another machine for a client. When that is built out, I'll install cluebringer and take some decent notes. I'll attach them to this ticket when I do that and you can feel free to use them however you want. It will be ISPConfig3 on Debian Wheezy. Probably early next week.


  4. stargazer

    stargazer New Member HowtoForge Supporter

    FYI, under Wheezy and Cluebringer, the logs are stored in /var/log/cbpolicyd.log, and it doesn't appear there is a logrotate on it. Create the file cluebringer in /etc/logrotate.d with the following contents (testing now, but I think it will work).

    /var/log/cbpolicyd.log {
    rotate 15
    create 640 cluebringer adm
    /etc/init.d/postfix-cluebringer restart

    If I did that right, it should rotate the logs nightly, keeping 15 logs
  5. stargazer

    stargazer New Member HowtoForge Supporter

    cluebringer instructions

    well, if I did this right, the instructions for installing cluebringer are attached. They are not the quality HowtoForge has, but basically are my notes when I just completed the installation on a new machine.

    I'll tell this thing to update me if anyone posts a reply to this, so you can use that to clarify anything.

    Falko, do you wan to turn this into a real HowTo or just leave it as is. I really am not a good documenter, but if you want screen shots and everything, I can tell one of my tech's to do it in her spare time.

  6. till

    till Super Moderator Staff Member ISPConfig Developer


    it would be nice if you could attach the instructions to the post or send them to me by email to dev [at] ispconfig [dot] org. I will turn them into a tutorial then.
  7. stargazer

    stargazer New Member HowtoForge Supporter

    Sorry, I thought I had attached it. I'll post it inline to make sure it is available.

    apt-get install postfix-cluebringer postfix-cluebringer-mysql postfix-cluebringer-webui

    mysql -p
    create database policyd;
    grant all on policyd.* to [email protected] identified by 'somepassword';

    cd /tmp
    cp /usr/share/doc/postfix-cluebringer/database/policyd-db.mysql.gz .
    gunzip policyd-db.mysql.gz
    sed 's/TYPE=InnoDB CHARACTER SET latin1 COLLATE latin1_bin//' < policyd-db.mysql > policyd-db.mysql.sql
    mysql -p policyd < policyd-db.mysql.sql

    joe /etc/cluebringer/cluebringer.conf
    Uncomment the line (line 124 in my copy)
    (modify if you used a different database name)

    Also, find the block (starts on line 144 in mine)

    and fill in all the blanks. Mine looks like this


    Save file and exit
    joe /etc/cluebringer/cluebringer-webui.conf

    Find the block which reads (about line 11)

    and change to


    /etc/init.d/postfix-cluebringer start

    cluebringer listens on port 10031 by default. Verify cluebringer is running by the following:

    netstat -pant | grep 10031

    it should return the following line (listening on localhost only)

    tcp 0 0* LISTEN 7756/perl

    Now, add it to Postfix by adding the command 'check_policy_service inet:' to the lines smtpd_end_of_data_restrictions and smtpd_recipient_restrictions. The first one (smtpd_end_of_data_restrictions) does not exist in a standard ISPConfig install, so simply add that line.
    smtpd_recipient_restrictions should exist. Simply prepend the restriction to the existing ones, separated by a comma. Do not remove existing, simply place the section in the line.

    joe /etc/postfix/

    smtpd_end_of_data_restrictions = check_policy_service inet:
    smtpd_recipient_restrictions = check_policy_service inet:, check_recipient_access mysql:/etc/postfix/, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

    OR, issue the following two commands. This assumes you have the exact same postconf file I have

    postconf -e 'smtpd_end_of_data_restrictions = check_policy_service inet:'
    postconf -e 'smtpd_recipient_restrictions = check_policy_service inet:, check_recipient_access mysql:/etc/postfix/, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination'

    Restart postfix and watch syslog to ensure it is working

    The installer does not build a logrotate script for cbpolicyd.log, so we need to create one:

    joe /etc/logrotate.d/cluebringer

    /var/log/cbpolicyd.log {
    rotate 15
    create 640 cluebringer adm
    /etc/init.d/postfix-cluebringer restart

    cp -av /usr/share/doc/postfix-cluebringer-webui/examples/httpd/cluebringer-httpd.conf /etc/apache2/conf.d/

    By default, cluebringer webui only allows connections from localhost. This is good as it has no security, however, if you have a secure static IP, you can add an allow to the configuration that will let you log in from that machine only. THIS IS A SECURITY RISK. If you don't know what I'm talking about, don't do it.
    joe /etc/apache2/conf.d/cluebringer-httpd.conf

    Find line which says
    Allow from
    and add a line under it which says
    Allow from
    replacing with the IP address of your secure machine.

    /etc/init.d/apache2 restart

    Configure cluebringer via webui

    If you are security concious and left the webui set to only localhost (, use the following command to get to the web interface:

    ssh -L localhost:8080:localhost:80 my.web.server
    Open a web browser to

    You should now configure the cluebringer service. At the very least, you should set up the internal ip's and internal domains
    Last edited: Jun 16, 2014
  8. stargazer

    stargazer New Member HowtoForge Supporter

    Error Messages in cluebringer install

    I kept getting the following error message in the cluebring log after installation. I found several mentions of it when searching the net.

    Use of uninitialized value $email_domain in lc at /usr/lib/postfix-cluebringer/cbp/ line 476

    I figured, what the heck, I know Perl, so I went and looked. It is not initializing array elements if they are null, which is what is causing the problem. Look in /usr/lib/postfix-cluebringer/cbp/, about line 475 for the following line, then add the lines between the "modified by RWR" lines. First line is already in the module, as I said, on line 475 in my copy.

    my ($template_user,$template_domain) = ($template =~ /^(\S*)@(\S+)$/);
    # modified by RWR
    $template_domain = '' unless $template_domain;
    $email_domain = '' unless $email_domain;
    $email_user = '' unless $email_user;
    $template_user = '' unless $template_user;
    # end modification

    This is sloppy as I did not take the time to see exactly what was going on. Basically, it initializes the four variables to an empty string if they are not defined (actually, if they are anything which evaluates to false, but that is good enough for this).


Share This Page