IRedMail/FAQ/Install.and.configure.Cluebringer/RHEL

From iRedMail
Revision as of 02:06, 20 January 2014 by ZhangHuangbin (Talk | contribs)

Summary

Cluebringer (a.k.a. Policyd v2) is a multi-platform policy server for popular MTAs (e.g. Postfix). This policy daemon is designed mostly for large-scale mail hosting environments. The main goal is to implement as many spam-combating and email compliance features as possible while maintaining the portability, stability and performance required for today's mission-critical email hosting. Most of the ideas and methods implemented in Policyd v2 stem from Policyd v1 as well as the authors' long-time involvement in the large-scale mail hosting industry.

Requirements

This tutorial is applicable to Red Hat Enterprise Linux 6 and CentOS 6.

Install Cluebringer

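Please make sure you have the iRedMail yum repository enabled on your server. Note that the definition below sets gpgcheck=0, so yum does not verify package signatures for this repository, and the baseurl uses plain HTTP: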

File: /etc/yum.repos.d/iRedMail.repo
[iRedMail]
name=iRedMail
baseurl=http://www.iredmail.org/yum/rpms/6/
enabled=1
gpgcheck=0

You can now install Cluebringer with yum directly:

Terminal:
# yum install cluebringer
  • Main config file of Cluebringer is /etc/policyd/cluebringer.conf.
  • Init script is /etc/init.d/cbpolicyd.

Create system user/group for Cluebringer

We will run Cluebringer as a low-privileged user and group, so let's create the user "cluebringer" and group "cluebringer" first.

Terminal:
# groupadd cluebringer
# useradd -m -d /home/cluebringer -s /sbin/nologin -g cluebringer cluebringer

Create SQL database for Cluebringer

  • Cluebringer stores blacklist, whitelist, greylisting and other data in a SQL database, so we have to create one for it.
  • The Cluebringer RPM package ships a SQL file that creates the sample SQL tables. All we need to do is create a database and then import this sample SQL file.

For iRedMail with OpenLDAP or MySQL backend

If you're running iRedMail with the OpenLDAP or MySQL backend, you have to create a MySQL database to store Cluebringer data.

  • Find the sample SQL file:
Terminal:
# rpm -ql cluebringer | grep 'policyd.mysql.sql'
/usr/share/doc/cluebringer-2.0.14/database/policyd.mysql.sql
  • Recent MySQL servers don't recognize 'TYPE=MyISAM' or 'TYPE=InnoDB' when creating a SQL table, so convert them to 'ENGINE=' before importing the file.
Terminal:
# perl -pi -e 's#TYPE=#ENGINE=#g' /usr/share/doc/cluebringer-2.0.14/database/policyd.mysql.sql
  • Now create a SQL database for Cluebringer and import the sample SQL file. Important note: iRedAdmin-Pro detects Policyd/Cluebringer by database name, so please do NOT use another database name.
Terminal:
# mysql -uroot -p
mysql> CREATE DATABASE cluebringer;
mysql> USE cluebringer;
mysql> SOURCE /usr/share/doc/cluebringer-2.0.14/database/policyd.mysql.sql;
Terminal:
mysql> USE cluebringer;
mysql> SOURCE /tmp/extra.sql;
mysql> SOURCE /tmp/column_character_set.mysql;
  • Create the SQL user "cluebringer" (with password 'cb_password') for the Cluebringer database and grant the necessary privileges. Important note: Please replace 'cb_password' with a long, complex password.
Terminal:
mysql> GRANT SELECT,INSERT,UPDATE,DELETE ON cluebringer.* TO "cluebringer"@"localhost" IDENTIFIED BY 'cb_password';
mysql> FLUSH PRIVILEGES;
  • Make sure you can connect to the MySQL server with this new SQL username and password:
Terminal:
# mysql -u cluebringer -p

For iRedMail with PostgreSQL backend

If you're running iRedMail with the PostgreSQL backend, you have to create a PostgreSQL database to store Cluebringer data.

  • Find the sample SQL file:
Terminal:
# rpm -ql cluebringer | grep 'policyd.pgsql.sql'
/usr/share/doc/cluebringer-2.0.14/database/policyd.pgsql.sql
  • This sample file uses an incorrect comment marker (#), so we should fix it before importing:
Terminal:
# perl -pi -e 's=^(#.*)=/*${1}*/=' /usr/share/doc/cluebringer-2.0.14/database/policyd.pgsql.sql
  • Now create a SQL database for Cluebringer and import the sample SQL file. Important note: iRedAdmin-Pro detects Policyd/Cluebringer by database name, so please do NOT use another database name.
Terminal:
# su - postgres
$ psql
sql> CREATE DATABASE cluebringer WITH TEMPLATE template0 ENCODING 'UTF8';
sql> \c cluebringer;
sql> \i /usr/share/doc/cluebringer-2.0.14/database/policyd.pgsql.sql;
Terminal:
sql> \c cluebringer;
sql> \i /tmp/extra.sql;
  • Create the SQL user "cluebringer" (with password 'cb_password') for the Cluebringer database and grant the necessary privileges. Important note: Please replace 'cb_password' with a long, complex password.
Terminal:
sql> CREATE USER cluebringer WITH ENCRYPTED PASSWORD 'cb_password' NOSUPERUSER NOCREATEDB NOCREATEROLE;
  • Make sure you can connect to the PostgreSQL server with this new SQL username and password:
Terminal:
$ psql -U cluebringer -W

Configure Cluebringer

Open the Cluebringer config file /etc/policyd/cluebringer.conf and set proper values for the parameters below:

  • WARNING: This is just part of the Cluebringer config file.
File: /etc/policyd/cluebringer.conf
[server]
# Protocols to load
protocols=<<EOT
Postfix
EOT

# Modules to load
modules=<<EOT
Core
AccessControl
CheckHelo
CheckSPF
Greylisting
Quotas
EOT

# User to run this daemon as
user = cluebringer
group = cluebringer

# Filename to store pid of parent process
pid_file=/var/run/cbpolicyd.pid

# Log level:
# 0 - Errors only
# 1 - Warnings and errors
# 2 - Notices, warnings, errors
# 3 - Info, notices, warnings, errors
# 4 - Debugging 
log_level = 0

# File to log to instead of stdout
log_file = /var/log/cbpolicyd.log

# Log destination for mail logs...
log_mail = mail@syslog:native

# IP to listen on, * for all
host = 127.0.0.1

# Port to run on
port = 10031

[database]
DSN = DBI:mysql:database=cluebringer;host=localhost;user=cluebringer;password=cb_password
Username = cluebringer
Password = cb_password

# Access Control module. Used for whitelist/blacklist in iRedMail.
[AccessControl]
enable=1

# Greylisting module. Used for server-wide, per-domain, per-user greylisting control in iRedMail.
[Greylisting]
enable=1

# CheckHelo module
[CheckHelo]
enable=1

# CheckSPF module
[CheckSPF]
enable=1

# Quotas module. Used for per-domain and per-user throttling in iRedMail.
[Quotas]
enable=1

Cluebringer is now ready to be started.

If you have Policyd-1.8 running, you first have to tell Postfix not to use Policyd as its policy server (so that your users can still send and receive emails), then disable it completely:

  • To disable Policyd in Postfix, open the file /etc/postfix/main.cf, remove check_policy_service inet:127.0.0.1:10031, then restart the Postfix service.
  • To disable Policyd service completely:
Terminal:
# /etc/init.d/policyd stop
# chkconfig --level 345 policyd off

Now let's start the Cluebringer service and make it start automatically at system boot:

Terminal:
# /etc/init.d/cbpolicyd restart
# chkconfig --level 345 cbpolicyd on

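Make sure it's running on port 10031. The local address column shows which interface the daemon is bound to: 0.0.0.0:10031, as in the sample output below, is a listener on all interfaces, whereas the host = 127.0.0.1 setting above is meant to restrict it to loopback.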

Terminal:
# netstat -ntlp | grep 10031
tcp        0      0 0.0.0.0:10031               0.0.0.0:*                   LISTEN      1966/perl           
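
As an added check that goes one step beyond the port test (example code written for this page, not part of iRedMail or Cluebringer): a small Python 3 client that speaks the Postfix policy delegation protocol to 127.0.0.1:10031 and prints the action the daemon returns. The attribute values are constructed placeholders, and it is an assumption that this minimal attribute set is enough for cbpolicyd to answer.

```python
import socket

# Constructed sample attributes for one RCPT-stage request (placeholders only).
SAMPLE_ATTRS = [
    ("request", "smtpd_access_policy"),
    ("protocol_state", "RCPT"),
    ("protocol_name", "ESMTP"),
    ("client_address", "192.0.2.10"),
    ("client_name", "mail.example.net"),
    ("helo_name", "mail.example.net"),
    ("sender", "alice@example.net"),
    ("recipient", "bob@example.com"),
    ("instance", "selftest.1"),
]

def build_request(attrs):
    """Serialize attributes as name=value lines ended by one empty line."""
    for name, value in attrs:
        if "=" in name or "\n" in name or "\n" in value:
            raise ValueError("invalid attribute: %r" % name)
    return "".join("%s=%s\n" % (n, v) for n, v in attrs).encode() + b"\n"

def parse_response(data):
    """Return the action from a reply of the form b'action=...\\n\\n'."""
    text = data.decode("utf-8", "replace")
    if not text.endswith("\n\n"):
        raise ValueError("truncated reply (no terminating empty line)")
    first = text.split("\n", 1)[0]
    key, sep, action = first.partition("=")
    if key != "action" or not sep or not action:
        raise ValueError("not a policy reply: %r" % first)
    return action

def query_policy(attrs, host="127.0.0.1", port=10031, timeout=5.0):
    """Send one request to the policy daemon and return its action."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(attrs))
        reply = b""
        while not reply.endswith(b"\n\n"):
            chunk = sock.recv(4096)
            if not chunk:  # daemon closed the connection early
                break
            reply += chunk
    return parse_response(reply)

if __name__ == "__main__":
    print("cbpolicyd answered:", query_policy(SAMPLE_ATTRS))
```

The daemon treats this like a real request, so with the Greylisting module enabled the constructed sender/recipient/client triplet may be recorded in the cluebringer database.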

Enable Cluebringer in Postfix

Cluebringer is now ready to be enabled in Postfix.

  • Open the Postfix config file /etc/postfix/main.cf and add check_policy_service inet:127.0.0.1:10031 to the parameter smtpd_recipient_restrictions, before the existing restriction rule permit_mynetworks, as shown below:
    • Important note: The order of restriction rules is very important, so please do not add 'check_policy_service inet:127.0.0.1:10031' in the wrong place.
File: /etc/postfix/main.cf
smtpd_recipient_restrictions = ..., check_policy_service inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated, ...
  • Add check_policy_service inet:127.0.0.1:10031 to the parameter smtpd_end_of_data_restrictions as shown below:
File: /etc/postfix/main.cf
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
  • Restart the Postfix service to load your changed settings.

That's all.
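
One way to verify the ordering rule above after editing main.cf (added example in Python 3, not part of iRedMail or Postfix): it tokenizes a smtpd_recipient_restrictions value and reports when the policy service is missing or placed after permit_mynetworks or permit_sasl_authenticated. The function names and the GOOD/BAD sample values are constructed for illustration.

```python
import re
import subprocess

POLICY = ("check_policy_service", "inet:127.0.0.1:10031")

# Constructed sample values, not taken from a real main.cf.
GOOD = ("reject_unknown_sender_domain, check_policy_service inet:127.0.0.1:10031, "
        "permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination")
BAD = ("permit_mynetworks, permit_sasl_authenticated, "
       "check_policy_service inet:127.0.0.1:10031, reject_unauth_destination")

def tokenize(value):
    """Split a Postfix restriction list on commas and/or whitespace."""
    return [t for t in re.split(r"[,\s]+", value.strip()) if t]

def policy_index(tokens):
    """Index of the 'check_policy_service inet:127.0.0.1:10031' pair, or -1."""
    for i in range(len(tokens) - 1):
        if (tokens[i], tokens[i + 1]) == POLICY:
            return i
    return -1

def check_recipient_restrictions(value):
    """Return a list of problems found in the value (empty list means OK)."""
    tokens = tokenize(value)
    pos = policy_index(tokens)
    if pos < 0:
        return ["policy service is not referenced"]
    problems = []
    # Postfix evaluates restrictions left to right and stops at the first one
    # that returns a final result, so a permit_* rule placed earlier lets
    # matching clients skip the policy daemon entirely.
    for rule in ("permit_mynetworks", "permit_sasl_authenticated"):
        if rule in tokens and tokens.index(rule) < pos:
            problems.append("%s precedes the policy service" % rule)
    return problems

if __name__ == "__main__":
    # 'postconf -h' prints only the parameter value, without the name.
    value = subprocess.check_output(
        ["postconf", "-h", "smtpd_recipient_restrictions"]).decode()
    for line in check_recipient_restrictions(value) or ["order OK"]:
        print(line)
```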

Backup Cluebringer database

Please don't forget to back up the Cluebringer database by adding the database name "cluebringer" to the variable "DATABASES" in the backup script, which is /var/vmail/backup/backup_mysql.sh (or backup_pgsql.sh if you're running the PostgreSQL backend) by default. For example:

File: /var/vmail/backup/backup_mysql.sh
DATABASES="... cluebringer"

Enable Cluebringer support in iRedAdmin-Pro

If you have iRedAdmin-Pro, please update its config file /var/www/iredadmin/settings.py with the correct SQL database name, username and password. For example:

File: /var/www/iredadmin/settings.py
# Enable policyd integration: True, False.
policyd_enabled = True

policyd_db_host = '127.0.0.1'
policyd_db_port = 3306
policyd_db_name = 'cluebringer'                     # <- Update this one
policyd_db_user = 'cluebringer'                     # <- Update this one
policyd_db_password = 'cb_password'                 # <- Update this one

Restarting the Apache service is required.