[SOLVED] limiting sent emails per month/day

Discussion in 'ISPConfig 3 Priority Support' started by Tomislav Aurednik, Nov 24, 2016.

  1. Tomislav Aurednik

    Tomislav Aurednik Member HowtoForge Supporter

    Hi I'm looking into limiting the amount of sent email per month or day from my server. I found two addons for postfix. PolicyD and postfwd2.
    I'm want to use postfwd but don't find some info. I know that I can limit the amount of send mails for everyone. But I need exclude some accounts from this rule. Can this be done with postfwd with rule priority that the rule that gives a user a higher limit, has higher priority than the lower rate limit for all users?
    Or do I need PolicyD for this?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    I used only policyd until now to limit the amount of email, but it may work with postfwd as well, just try it out.
     
  3. Tomislav Aurednik

    Tomislav Aurednik Member HowtoForge Supporter

    The limiting works in postfwd, but I can't find how to "disable" or give a bigger limit for specific emali in domain that has limit.

    id=RULE001;
    sasl_username=arko@mydomain.si;
    action=rate(sasl_username/5/600/REJECT only 5 recipients per 10 min for $$sasl_username);

    id=RULE002
    sender_domain=mydomain.si
    action=rate(sender_domain/1/300/REJECT only 1 recipients per 5 min for $$sender_domain)

    So anyone knows if it's possible? I don't wan't to waste time on trying to figure out the imposible if I can try with a different program.
     
  4. Tomislav Aurednik

    Tomislav Aurednik Member HowtoForge Supporter

    Ok I have not found a way to write a rule with postfwd that excludes a user from a specific rule. And I didn't get any awnser if this is possible with PolicyD (cluebringer).
    I also see that PolicyD uses a web interface and this can be a problem because I have a multiserver install that has web&mysql on first server and email on the second.
    So when using this http://wiki.policyd.org/installing guide should I install all on my web&mysql server and than on my mail server add
    check_policy_service inet:<web&mysql IP>:10031 instead of 127.0.0.1?
    Will the install guide work on Ubuntu 14.04. server, the database part?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Policyd has a configuration file which contains the mysql login details. So I would just install policyd locally on the mail server and then edit the policyd config file to use the mysql database on the first server. The web interface must have a config file as well, so you can install it on the web server and configure it to use the right database as well.
     
    Tomislav Aurednik likes this.
  6. Tomislav Aurednik

    Tomislav Aurednik Member HowtoForge Supporter

    Ok... I think it's installed as you suggested.
    MAIL server:
    apt-get install postfix-cluebringer
    vi /etc/cluebringer/cluebringer.conf
    DSN=DBI:mysql:database=policyd;host=<hostname_of_db_server>
    DB_Type=mysql
    DB_Host=<hostname_of_db_server>
    DB_Port=3306
    DB_Name=policyd
    Username=policyd
    Password=<password>

    Postfix /etc/postfix/main.cf:
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_policy_service inet:127.0.0.1:10031, ....
    smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031

    WEB&MYSQL server:
    apt-get install postfix-cluebringer-mysql postfix-cluebringer-webui
    created the database added the user and imported the db tables.

    Edited /etc/cluebringer/cluebringer-webui.conf
    $DB_DSN="mysql:host=localhost;dbname=policyd";
    $DB_USER="policyd";
    $DB_PASS="<password>";
    and created a alias so I can access the webui from mydomain.si/cluebringer

    I can create policies and they are stored correctly in the DB, but when I try to send mail I get errors:
    postfix/submission/smtpd[12655]: NOQUEUE: reject: RCPT from web.mydomain.si[ip]: 450 4.7.1 <xxx@gmail.com>: Recipient address rejected: Access denied; from=<xxx@mydomain.si> to=<xxx@gmail.com> proto=ESMTP helo=<ip>

    postfix/submission/smtpd[13012]: A24F3A0B09: reject: END-OF-MESSAGE from web.mydomain.si[ip]: 450 4.7.1 <END-OF-MESSAGE>: End-of-data rejected: Access denied; from=<xxx@mydomain.si> to=<xxx@gmail.com> proto=ESMTP helo=<ip>

    Any one any idea what I messed up?
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Did you enable smtp-auth in your mail client?
     
  8. Tomislav Aurednik

    Tomislav Aurednik Member HowtoForge Supporter

    I think I have. In my roundcube config.ini.php:

    $config['smtp_server'] = 'tls://bckmail.mydomain.si';
    $config['smtp_port'] = 587;
    $config['smtp_user'] = '%u';
    $config['smtp_conn_options'] = array(
    'ssl' => array(
    'verify_peer' => false,
    'verify_peer_name' => false,
    ),
    );
    $config['smtp_auth_type'] = 'PLAIN';
    $config['smtp_pass'] = '%p';

    Is $config['smtp_auth_type'] = 'PLAIN'; what you mean?
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    plain should be ok as auth mechanism. Does it start working again when you remove policyd from postfix config?
     
  10. Tomislav Aurednik

    Tomislav Aurednik Member HowtoForge Supporter

    yeah if I remove policyd it starts working.
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    I installed policyd on a server of a customer some years ago, at that time I used these settings in postfix:

    Code:
    smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
    smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10031, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
     
  12. Tomislav Aurednik

    Tomislav Aurednik Member HowtoForge Supporter

    Used your settings and it's the same.

    Can you look at my main.cf setup if I messed up something? The <my_hostname> is just to cover up my hostname.

    Code:
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no
    append_dot_mydomain = no
    
    smtpd_tls_cert_file = /etc/postfix/ispserver.pem
    smtpd_tls_key_file = /etc/postfix/ispserver.pem
    smtpd_tls_CAfile = /etc/postfix/ispserver.pem
    
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    
    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
    myhostname = bckmail.<my_hostname>.si
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    myorigin = $myhostname
    mydestination = bckmail.<my_hostname>.si, localhost, localhost.localdomain
    relayhost =
    mynetworks = 127.0.0.0/8 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = all
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains =
    virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virt
    ual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    # Za PolicyD oz. cluebringer smtpd_end_of_data_restrictions
    #smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
    #smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10031, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf
    smtpd_tls_security_level = may
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
    smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    smtpd_client_message_rate_limit = 100
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = dovecot
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    owner_request_special = no
    smtp_tls_security_level = may
    #smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    #smtpd_tls_protocols = !SSLv2,!SSLv3
    smtp_tls_protocols = !SSLv2,!SSLv3
    dovecot_destination_recipient_limit = 1
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    content_filter = amavis:[127.0.0.1]:10024
    receive_override_options = no_address_mappings
    message_size_limit = 0
    
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2,!SSLv3
    
    smtpd_tls_security_level = may
    smtpd_tls_auth_only = yes
    smtpd_tls_mandatory_ciphers = medium
    tls_medium_cipherlist = AES128+EECDH:AES128+EDH
    
    # DKIM
    # --------------------------------------
    milter_default_action = accept
    milter_protocol = 2
    smtpd_milters = inet:localhost:8891
    non_smtpd_milters = inet:localhost:8891
     
  13. Tomislav Aurednik

    Tomislav Aurednik Member HowtoForge Supporter

    Figured the problem for mail reject problem. I had only the db user created for localhost, so it could not connect from the mail server. Sorry for wasting your time Till. Now I just have to see if it works for limiting mail.
     
  14. Tomislav Aurednik

    Tomislav Aurednik Member HowtoForge Supporter

    And I think the policys are not working. Tryed out 1 quota limit from this how to http://uname.pingveno.net/blog/inde...pam,-using-cluebringer-(policyd)-with-Postfix.
    When I'm sending emails in the database the session_tracking table is getting filled but the quotas_tracking table is empty.

    My log is:
    Code:
    [2016/11/30-14:29:37 - 1372] [CBPOLICYD] NOTICE: Policyd v2 / Cluebringer - v2.0.11a-debian
    [2016/11/30-14:29:37 - 1372] [CBPOLICYD] NOTICE: Initializing system modules.
    [2016/11/30-14:29:37 - 1372] [CBPOLICYD] NOTICE: System modules initialized.
    [2016/11/30-14:29:37 - 1372] [CBPOLICYD] NOTICE: Module load started...
    [2016/11/30-14:29:37 - 1372] [CORE] NOTICE:   => AccessControl: enabled
    [2016/11/30-14:29:37 - 1372] [CORE] NOTICE:   => CheckHelo: enabled
    [2016/11/30-14:29:37 - 1372] [CORE] NOTICE:   => CheckSPF: enabled
    [2016/11/30-14:29:37 - 1372] [CORE] NOTICE:   => Greylisting: enabled
    [2016/11/30-14:29:37 - 1372] [CORE] NOTICE:   => Quotas: enabled
    [2016/11/30-14:29:37 - 1372] [CORE] NOTICE:   => Protocol(Postfix): enabled
    [2016/11/30-14:29:37 - 1372] [CORE] NOTICE:   => Protocol(Bizanga): enabled
    [2016/11/30-14:29:37 - 1372] [CBPOLICYD] NOTICE: Module load done.
    [2016/11/30-14:29:37 - 1372] [CBPOLICYD] DEBUG: Opening syslog, destination = 'native', facility = 'mail'.
    [2016/11/30-14:29:37 - 1372] [CORE] NOTICE: 2016/11/30-14:29:37 cbp (type Net::Server::PreFork) starting! pid(1372)
    [2016/11/30-14:29:37 - 1372] [CORE] NOTICE: Binding to TCP port 10031 on host 127.0.0.1 with IPv4
    [2016/11/30-14:29:37 - 1372] [CORE] INFO: Setting up serialization via flock
    [2016/11/30-14:29:37 - 1372] [CORE] INFO: Beginning prefork (4 processes)
    [2016/11/30-14:29:37 - 1372] [CORE] INFO: Starting "4" children
    [2016/11/30-14:29:37 - 1375] [CORE] DEBUG: Child Preforked (1375)
    [2016/11/30-14:29:37 - 1375] [CBPOLICYD] DEBUG: Starting up caching engine
    [2016/11/30-14:29:37 - 1372] [CORE] DEBUG: Parent ready for children.
    [2016/11/30-14:29:37 - 1377] [CORE] DEBUG: Child Preforked (1377)
    [2016/11/30-14:29:37 - 1377] [CBPOLICYD] DEBUG: Starting up caching engine
    [2016/11/30-14:29:37 - 1378] [CORE] DEBUG: Child Preforked (1378)
    [2016/11/30-14:29:37 - 1378] [CBPOLICYD] DEBUG: Starting up caching engine
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    I'm not that familar with policyd as I don't use it on my servers, you might want to ask the policyd developers if you need details on whch table contains which data for your configuration.
     
  16. Tomislav Aurednik

    Tomislav Aurednik Member HowtoForge Supporter

    It works. Now I just need to learn how to make the rules I need.
     

Share This Page