Blue: ClueBringer Install File
RED: Change
ClueBringer POLICYD is an add-on for Postfix that limits the amount of mail that shared web hosting users can send per hour.
Integrating ClueBringer with Postfix has not been the easiest of tasks, especially when a complicated setup exists. Here I will try to make sense of the entire program. POLICYD cluebringer is written in Python, which I know very little about; I will try to make sense of the code with my C knowledge.
To begin with, I will go about this in the same order the installation file requires.
1. Setup MySQL (or whichever database you plan to use)
a. In database/ run…
$ for i in core.tsql access_control.tsql quotas.tsql amavis.tsql checkhelo.tsql checkspf.tsql greylisting.tsql
  do
    ./convert-tsql mysql "$i"
  done > policyd.mysql
This will build policyd.mysql, be sure to ALWAYS load core.tsql first, you only really need the
schema for the modules you plan to use, no harm in adding all of them though.
b. Load policyd.mysql into MySQL
$ mysql -u root -p policyd < policyd.mysql
Done with the trivial creation of database and users, converting tsql files to a mysql file and importing it, and having a database ready for cluebringer.
2. Put cluebringer.conf in your /etc directory and adjust cluebringer.conf with your MySQL database details
Let us take a look at the cluebringer.conf file. Other than copying it to the /etc/ directory, I will also raise the log level to 4 for debugging
log_level=4
And point the cluebringer log file to /var/log/cbpolicyd.log
log_file=/var/log/cbpolicyd.log
I will also fix the database credentials to use MySQL, and create a file for the log that cluebringer policyd can write to
3. Copy the cbp/ directory into /usr/local/lib/policyd-2.0/
mkdir /usr/local/lib/policyd-2.0
cp -r cbp /usr/local/lib/policyd-2.0/
Taking a look inside, I found a bunch of interesting .pm files; I looked inside them, nothing to do there.
4. Copy cbpolicyd and cbpadmin into /usr/local/bin
cp cbpolicyd cbpadmin /usr/local/bin/
Those are 2 interesting Perl files; they start with
use lib('/usr/local/lib/policyd-2.0','/usr/lib/policyd-2.0');
but there is no /usr/lib/policyd-2.0. No need to reach for the good old camel book yet: it turns out that adding this non-existent location to Perl's include path is not really a big deal.
5. Install the webui/* into your apache directory, check out includes/config.php and adjust the MySQL server details.
No rocket science there.
So, up to this point, no change has been made to the system. Everything we have done so far is simply adding files and configuring them to wait for some other program to execute them.
The first change to the system comes when we approach Postfix to add POLICYD to its list of consultants.
Although we will not be asking it to do it directly (We will ask amavisd-new to do it), we do need to add some rules to postfix, according to the installation file.
6. Setup Postfix to use cbpolicyd…
Add the following Postfix config…
check_policy_service inet:127.0.0.1:10031
in BOTH smtpd_recipient_restrictions and smtpd_end_of_data_restrictions.
In short, they want me to edit /etc/postfix/main.cf. If this is the first time you hear of this file, or if you don't know what the risk of being an open relay is, or what an open relay is, or if you know very little about email and the internet in general, or if you don't know what SPF means, or how to write to this file, this tutorial is not yet for you: you need to start with a Postfix book, not here. You have been warned.
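A check for step 6, as an added example that is not part of the install file or of cluebringer: it parses main.cf text and reports when the policy service is missing from either restriction list, or when it sits in front of reject_unauth_destination, which the Postfix SMTPD_POLICY_README warns can turn the server into an open relay. The function names and the sample configurations are constructed for illustration, and only settings written explicitly in main.cf are examined.

```python
import re
SERVICE = "inet:127.0.0.1:10031"  # endpoint given in step 6 of the install file
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}

def _tokens(value):
    # Restriction lists are separated by commas and/or whitespace.
    return [t for t in re.split(r"[,\s]+", value) if t]

def parse_main_cf(text):
    """Return {parameter: [tokens]}, honouring main.cf continuation lines."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                          # blank and comment lines
        if raw[0].isspace() and name:         # indented line continues the value
            params[name] += _tokens(raw)
            continue
        name, _, value = (s.strip() for s in raw.partition("="))
        params[name] = _tokens(value)         # a later definition wins
    return params

def policy_index(tokens):
    """Position of 'check_policy_service <SERVICE>' in a list, or -1."""
    for i in range(len(tokens) - 1):
        if tokens[i] == "check_policy_service" and tokens[i + 1] == SERVICE:
            return i
    return -1

def audit(text):
    """Findings for the explicit settings in main.cf (defaults not considered)."""
    p, findings = parse_main_cf(text), []
    for param in ("smtpd_recipient_restrictions", "smtpd_end_of_data_restrictions"):
        if policy_index(p.get(param, [])) < 0:
            findings.append(f"{param}: check_policy_service {SERVICE} missing")
    rcpt = p.get("smtpd_recipient_restrictions", [])
    guards = [i for i, t in enumerate(rcpt) if t in RELAY_GUARDS]
    if not RELAY_GUARDS & set(p.get("smtpd_relay_restrictions", [])):
        if not guards:
            findings.append("no reject_unauth_destination set: open relay risk")
        elif 0 <= policy_index(rcpt) < guards[0]:
            findings.append("policy service precedes reject_unauth_destination")
    return findings

# Constructed sample configurations, not taken from a real server.
GOOD = """smtpd_recipient_restrictions =
    permit_mynetworks, reject_unauth_destination,
    check_policy_service inet:127.0.0.1:10031
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031"""
BAD = """smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10031,
    permit_mynetworks, reject_unauth_destination"""
```

On a live server, feeding it the output of postconf -n instead of the raw file gives the same parameter = value lines with includes and overrides already resolved.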
7. Copy your amavisd from /usr/sbin/amavisd and patch it with contrib/amavisd-new-2.5.3_policyd-200802070918.patch like this…
$ patch < contrib/amavisd-new-2.5.3_policyd-200802070918.patch
After this change your initscripts to start the patched amavisd.
AMAVISD-NEW: the patch that comes with cluebringer does the following to the amavisd-new file, which is written in Perl.
———————————-
It adds 2 parts to the script
1- First it adds (the part in RED)
sub new { my($class,$conn,$msginfo) = @_; undef }
sub checks { my($self,$conn,$msginfo) = @_; undef }
sub before_send { my($self,$conn,$msginfo) = @_; undef }
sub after_send { my($self,$conn,$msginfo) = @_; undef }
sub mail_done { my($self,$conn,$msginfo) = @_; undef }
sub process_policy { my($self,$conn,$msginfo,$pbn) = @_; return $pbn }
2- Then it adds a part (in RED)
my($cnt_local) = 0; my($cnt_remote) = 0;
for my $r (@{$msginfo->per_recip_data}) {
  my($recip) = $r->recip_addr;
  my($is_local) = lookup(0,$recip, @{ca('local_domains_maps')});
  $is_local ? $cnt_local++ : $cnt_remote++;
  $r->recip_is_local($is_local);
  if (!$r->bypass_banned_checks) {
    my($bypassed_b) = lookup(0,$recip, @{ca('bypass_banned_checks_maps')});
    $r->bypass_banned_checks($bypassed_b);
  }
  if (!$r->bypass_spam_checks) {
    my($bypassed_s) = lookup(0,$recip, @{ca('bypass_spam_checks_maps')});
    $r->bypass_spam_checks($bypassed_s);
  }
}
# Check if we need to do last minute policy changes
if (ref $custom_object) {
  $which_section = "custom-process_policy";
  eval {
    my $new_policy_bank = $custom_object->process_policy($conn,$msginfo,\%current_policy_bank); 1;
    %current_policy_bank = %{ $new_policy_bank };
  } or do {
    my($eval_stat) = $@ ne '' ? $@ : "errno=$!"; chomp $eval_stat;
    do_log(-1,"custom process_policy error: %s", $eval_stat);
  };
  section_time($which_section);
}
———————————————————————————————–
The initscript that does the amavisd-new initialisations is /etc/init.d/amavisd
8. Copy amavisd-policyd.pm where you see fit, and add this configuration line to your amavisd.conf file…
include_config_files('/path/to/amavisd-policyd.pm');
9. Edit the top of amavisd-policyd.pm and change …
use lib('/root/cluebringer-trunk'); # to point to the directory which contains cbp/
my $DB_dsn = "DBI:SQLite:dbname=/tmp/cluebringer.sqlite"; # to point to your MySQL DB
10. Fire everything up and browse to the web gui to configure
