In the previous article, PolicyD and Rate Limit Sending Message Implementation on Zimbra 8, we installed and configured PolicyD to prevent spam messages from going out to external networks (or coming into the internal network). A Zimbra-based mail server without PolicyD can be blacklisted because of spam sent by a compromised account (an account hacked by an attacker).
By default, PolicyD Web Admin can be accessed from anywhere, including from outside or public networks. From a mail server security perspective this is highly not recommended, because an attacker could modify the policies in the web admin, changing or disabling them to suit their purposes. We can apply several methods to limit access, as described below:
Shut Down the Apache Service
This is the easiest way to prevent access: turn off the Apache web service used by PolicyD Web Admin.
su - zimbra -c "zmapachectl stop"
If you need to modify an existing policy, just turn the service back on:
su - zimbra -c "zmapachectl start"
Create a Firewall Rule/Block Port 7780
PolicyD web admin uses port 7780. Set the firewall to limit access so that the port is reachable from a specific IP address only.
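The firewall step above, as an added example that is not part of the original article: a small script that validates the allowed admin sources and prints the matching iptables rules for port 7780. It assumes iptables is the host firewall; the function names and the sample addresses (documentation ranges) are constructed for illustration.

```shell
#!/bin/sh
# Added example: emit iptables rules that limit the PolicyD web admin port to
# an allowlist of admin sources. Assumes iptables is the host firewall.
POLICYD_PORT=7780

# Return 0 if $1 is an IPv4 address, optionally followed by a /0-32 prefix.
is_ipv4_source() {
    addr=${1%/*}
    if [ "$addr" != "$1" ]; then
        prefix=${1#*/}
        case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split into octets; addr holds only digits and dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print one ACCEPT rule per allowed source, then a DROP for everyone else.
# Prints nothing and returns 1 if no source is given or any source is invalid,
# so a typo can never produce a partial rule set.
policyd_fw_rules() {
    [ $# -gt 0 ] || return 1
    for src in "$@"; do
        is_ipv4_source "$src" || { echo "invalid source: $src" >&2; return 1; }
    done
    for src in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $POLICYD_PORT -s $src -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $POLICYD_PORT -j DROP"
}

# Dry run by default: review the output, then pipe it to sh as root to apply.
# Constructed sample: sh policyd-fw.sh 192.0.2.10 198.51.100.0/24
if [ $# -gt 0 ]; then
    policyd_fw_rules "$@"
fi
```

Because the rules are appended with -A, they only take effect if no earlier INPUT rule already accepts port 7780.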
Using Authentication
We can use web authentication and configure .htaccess to limit access to PolicyD web admin. Only authenticated users can access the web admin.
- Move to the webui cbpolicyd directory
cd /opt/zimbra/cbpolicyd-2.1.0-beta/share/webui
- Create the .htaccess file
touch .htaccess
vi .htaccess
The contents of .htaccess should look like this:
AuthUserFile /opt/zimbra/cbpolicyd-2.1.0-beta/share/webui/.htpasswd
AuthGroupFile /dev/null
AuthName "User and Password"
AuthType Basic
require valid-user
- Create the .htpasswd file with a username and password
touch .htpasswd
htpasswd -c .htpasswd cbpadmin
or
htpasswd2 -c .htpasswd cbpadmin
- Edit /opt/zimbra/conf/httpd.conf and append the following lines at the bottom of the file:
Alias /webui /opt/zimbra/cbpolicyd-2.1.0-beta/share/webui/
<Directory /opt/zimbra/cbpolicyd-2.1.0-beta/share/webui/>
# Comment out the following 3 lines to make web ui accessible from anywhere
AllowOverride AuthConfig
Order Deny,Allow
Allow from all
</Directory>
- Restart the Zimbra Apache service
su - zimbra -c "zmapachectl restart"
Try to reopen PolicyD Web Admin; it should now prompt for authentication. Log in with the cbpadmin username and the password set in the step above.