Postfix + Centos + Policyd V2 + MySQL

Prerequisites

Requirements for Policyd v2

• MySQL
• Net::Server >= 0.96
• Net::CIDR
• Config::IniFiles (Debian based: libconfig-inifiles-perl, RPM based: perl-Config-IniFiles)
• Cache::FastMmap (Debian based: libcache-fastmmap-perl, RPM based: perl-Cache-FastMmap)
• Mail::SPF (Required for SPF)

Requirements for webui

• PHP v5+

Download policyd v2

# wget http://downloads.sourceforge.net/project/policyd/2.0.x%20%28Stable%29/v2.0.7/cluebringer-2.0.7.tar.bz2?use_mirror=biznetnetworks

Build rpm from source tarball

# rpmbuild -ta cluebringer-2.0.7.tar.bz2

Install the rpm

# rpm -ivh /usr/src/redhat/RPMS/cluebringer-2.0.7-1.noarch.rpm

In database/ run…

# for i in  core.tsql access_control.tsql quotas.tsql amavis.tsql checkhelo.tsql checkspf.tsql greylisting.tsql <- press enter
> do <- press enter
>  ./convert-tsql mysql $i <- press enter
> done > policyd.mysql <- press enter

This will build policyd.mysql, be sure to ALWAYS load core.tsql first, you only really need the
schema for the modules you plan to use, no harm in adding all of them though.

Create policyd database

# mysqladmin -u root -ppassword create policyd

Load policyd.mysql into MySQL

# mysql -u root -p policyd < database/policyd.mysql
Enter password:

Press enter

Edit cluebringer.conf and adjust the MySQL server details

#vi /etc/policyd/cluebringer.conf
find the [database] section
DSN=DBI:mysql:database=policyd;host=localhost
Username=root
Password=your-root-password

Start cbpolicyd service

# /etc/init.d/cbpolicyd start

Make sure the service is started

# ps ax | grep policyd
 7888 ?        Ss     0:00 /usr/bin/perl /usr/sbin/cbpolicyd --config /etc/policyd/cluebringer.conf
 7891 ?        S      0:00 /usr/bin/perl /usr/sbin/cbpolicyd --config /etc/policyd/cluebringer.conf
 7892 ?        S      0:00 /usr/bin/perl /usr/sbin/cbpolicyd --config /etc/policyd/cluebringer.conf
 7893 ?        S      0:00 /usr/bin/perl /usr/sbin/cbpolicyd --config /etc/policyd/cluebringer.conf
 7894 ?        S      0:00 /usr/bin/perl /usr/sbin/cbpolicyd --config /etc/policyd/cluebringer.conf

# netstat -pln | grep :10031
tcp        0      0 0.0.0.0:10031               0.0.0.0:*                   LISTEN      7888/perl

By default cbpolicyd not starting automatically at every runlevel.

# chkconfig --list cbpolicyd
cbpolicyd       0:off   1:off   2:off   3:off   4:off   5:off   6:off

We should add it manualy to runlevel

# chkconfig --level 2345 cbpolicyd on

Edit webui config and adjust the MySQL server details

# /etc/policyd/webui.conf
$DB_DSN="mysql:host=localhost;dbname=policyd";
$DB_USER="root";
$DB_PASS="your-root-password";

Setup Postfix to use cbpolicyd
Add the following Postfix config…

check_policy_service inet:127.0.0.1:10031

in BOTH  smtpd_recipient_restrictions and smtpd_end_of_data_restrictions.

Now configuring httpd part
if you have already working website just create symlink for Poilcyd webui

# ln -s /usr/share/cluebringer/webui/ /path/to/www/webui

Seems like Policyd webui does not protecting the web interface with authentication?

We can create  .htaccess/.htpasswd
Create .htaccess file in /usr/share/cluebringer/webui/

# /usr/share/cluebringer/webui/.htaccess
AuthUserFile /usr/share/cluebringer/webui/.htpasswd
AuthGroupFile /dev/null
AuthName "user and password"
AuthType Basic

<LIMIT GET>
require valid-user
</LIMIT>

Create user with htpasswd

# htpasswd -c /usr/share/cluebringer/webui/.htpasswd your-user

httpasswd will asked for password
Don’t forget to modify httpd config

<Directory "/var/www/html/cabal/policyd">
AllowOverride AuthConfig
Order allow,deny
Allow from all
</Directory>

Point your browser to http://www.yourdomain.tld/policyd/

That’s it for now

Source: INSTALL file cluebringer-2.0.7.tar.bz2