Policyd is used to limit incoming and outgoing emails per hour.
Installation instructions
Install it from cwp.admin by rebuilding the mail server with the policyd option:
Left Menu->Email->MailServer Manager and select policyd
The other option is a manual installation over SSH:
sh /scripts/install_cbpolicyd
* Run this command over SSH.
The installer already sets a policy for all currently installed packages, so this normally needs no extra step.
If needed, this command will set the limit per domain based on the user package:
/scripts/cwp_api account update_policyd_all
The default limit for all incoming and outgoing mail domains is 250 per hour.
The default policy is in use only if the domain has no other policies configured. This policy is also in use for all incoming emails, meaning that you can receive, for example, only 250 emails per hour from Gmail.
Manage System Service
service cbpolicyd status
Options: start/stop/restart/status
MySQL Database name
postfix_policyd
* This database is in use for configuration and to track and count emails.
Log file: /var/log/maillog
Example policy status using default package when sending email:
Jul 2 12:13:32 cwp7 cbpolicyd[29870]: module=Quotas, mode=update, host=127.0.0.1, helo=localhost, from=webmail@centos-webpanel.info, to=test@test.com, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:@centos-webpanel.info, counter=MessageCount, quota=3.87/250 (1.5%)
Example policy status using custom package when sending email:
Jul 2 12:53:58 cwp7 cbpolicyd[30994]: module=Quotas, mode=create, host=127.0.0.1, helo=localhost, from=webmail@centos-webpanel.info, to=test@test.com, reason=quota_create, policy=9, quota=6, limit=7, track=Sender:@centos-webpanel.info, counter=MessageCount, quota=1.00/120 (0.8%)
POLICIES explained
PRIORITY: the policy with the lowest priority number is always the one in use. You can check which policy a domain is using in the policyd module in cwp.admin.
Default policy: this policy is always in use if the user has no other policies configured.
We have 4 levels of email policy:
- the default for all incoming / outgoing (priority:20)
- per package (priority:19)
- per user (priority:18)
- per domain (priority:17)
DEFAULT POLICY
PackageID 0 with the name "Default Server Limit" and priority 20
PACKAGE POLICY
PackageID is the same ID as in the packages module; the name is taken from the package and shown as package_PACKAGE-NAME, with priority 19
USER POLICY
A user policy has a PackageID over 1000 and a name starting with user_USERNAME, with priority 18
DOMAIN POLICY
A domain policy has a PackageID over 10000 and a name starting with domain_DOMAIN, with priority 17
Tracking status per domain:
Jul 2 14:47:05 vps cbpolicyd[4061]: module=Quotas, mode=update, host=209.85.216.66, helo=mail-pj1-f66.google.com, from=recaudacion.satrim2020@gmail.com, to=juanpinto@heladosrizo.com, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:@gmail.com, counter=MessageCount, quota=3.58/250 (1.4%)
Here the policy ID (policy=6) shows that this is the server default policy, and the status is tracked for the domain (track=Sender:@gmail.com), which has a quota of 3.5/250.
Incoming emails, for example those coming from Gmail, will be limited by the default policy per domain.
For example, incoming emails from Gmail will be limited to 250 per hour, and emails from Yahoo will have their own separate limit of 250 per hour.
Error in RoundCube when the limit is reached
SMTP Error (450): Failed to add recipient "email@gmail.com" (4.7.1
Jul 2 19:34:11 cwp7 cbpolicyd[23990]: module=Quotas, action=defer, host=127.0.0.1, helo=localhost, from=webmail@centos-webpanel.info, to=email@gmail.com, reason=quota_match, policy=28, quota=25, limit=26, track=Sender:@centos-webpanel.info, counter=MessageCount, quota=2.98/1 (298.1%)
Setting the limit to 0 would fully block sending and receiving email from/to that domain.
This can only be set manually, using phpMyAdmin or custom queries.
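A small parser for the Quotas log lines shown above, as an added example (not CWP's or policyd's own code): it reports the latest counter per tracked sender domain and flags domains that are close to their limit or already being deferred, which is a quick way to spot a mailbox that has suddenly started sending in bulk. The sample lines, the 80% warning threshold and the function names are assumptions made for this illustration.

```python
import re

# Constructed sample lines in the cbpolicyd format shown on this page.
SAMPLE_LOG = """\
Jul 2 12:13:32 cwp7 cbpolicyd[29870]: module=Quotas, mode=update, host=127.0.0.1, helo=localhost, from=webmail@example.com, to=test@example.net, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:@example.com, counter=MessageCount, quota=3.87/250 (1.5%)
Jul 2 12:20:01 cwp7 cbpolicyd[29870]: module=Quotas, mode=update, host=127.0.0.1, helo=localhost, from=webmail@example.com, to=test@example.net, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:@example.com, counter=MessageCount, quota=215.40/250 (86.2%)
Jul 2 19:34:11 cwp7 cbpolicyd[23990]: module=Quotas, action=defer, host=127.0.0.1, helo=localhost, from=news@example.org, to=test@example.net, reason=quota_match, policy=28, quota=25, limit=26, track=Sender:@example.org, counter=MessageCount, quota=3.00/1 (300.0%)
Jul 2 19:35:00 cwp7 postfix/smtpd[1234]: connect from localhost[127.0.0.1]
"""

QUOTA_LINE = re.compile(r"cbpolicyd\[\d+\]: (module=Quotas, .*)$")
# "quota=" appears twice per line; only the last form, used/limit, is the counter.
USAGE = re.compile(r"quota=(\d+(?:\.\d+)?)/(\d+) \(")

def parse_quota_line(line):
    """Return a dict for a cbpolicyd Quotas line, or None for any other line."""
    m = QUOTA_LINE.search(line)
    usage = USAGE.search(m.group(1)) if m else None
    if usage is None:
        return None
    fields = {}
    for part in m.group(1).split(", "):
        key, sep, value = part.partition("=")
        if sep:
            fields.setdefault(key, value)  # keep the first value of a repeated key
    return {
        "track": fields.get("track", ""),
        "policy": fields.get("policy", ""),
        "deferred": fields.get("action") == "defer",
        "used": float(usage.group(1)),
        "limit": int(usage.group(2)),
    }

def summarize(log_text, warn_ratio=0.8):
    """Latest usage, defer count and status for every tracked key in the log."""
    report = {}
    for rec in filter(None, map(parse_quota_line, log_text.splitlines())):
        entry = report.setdefault(rec["track"], {"defers": 0})
        entry["defers"] += rec["deferred"]
        entry["used"], entry["limit"] = rec["used"], rec["limit"]
        # A limit of 0 blocks the domain entirely, so report it as at least "warn".
        ratio = rec["used"] / rec["limit"] if rec["limit"] else float("inf")
        entry["status"] = "deferred" if entry["defers"] else "warn" if ratio >= warn_ratio else "ok"
    return report

if __name__ == "__main__":
    for track, entry in summarize(SAMPLE_LOG).items():
        print(track, entry)
```

To run it against a live server, pass the contents of /var/log/maillog to summarize() instead of the sample.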
ERRORS POLICYD
"postfix / smtpd: NOQUEUE: reject: RCPT from: 450 4.7.1 Recipient address rejected: Access denied"
Check the per-hour limits set in the policyd module; if the limit for a domain is set to 0, it will not allow email sending at all.
Checking Policyd REQUIREMENTS
- check that the service is working
service cbpolicyd status
- check if the port 10031 is up
netstat -tulpn|grep 10031
- check that Postfix has the policy service active in /etc/postfix/main.cf, in a line starting with:
smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10031, permit_sasl_authenticated...
The important part of the configuration is: check_policy_service inet:127.0.0.1:10031
To disable policyd, simply remove the following from /etc/postfix/main.cf:
check_policy_service inet:127.0.0.1:10031
Another option is a rate limit set directly in /etc/postfix/main.cf:
# Limit 500 emails per hour per client (connecting IP address)
anvil_rate_time_unit = 3600s
smtpd_client_message_rate_limit = 500
* info: http://www.postfix.org/postconf.5.html
The maximal number of message delivery requests that any client is allowed to make to this service per time unit, regardless of whether or not Postfix actually accepts those messages. The time unit is specified with the anvil_rate_time_unit configuration parameter.
By default, a client can send as many message delivery requests per time unit as Postfix can accept.
To disable this feature, specify a limit of 0.
WARNING: The purpose of this feature is to limit abuse. It must not be used to regulate legitimate mail traffic.
Change Default policy limit
Example for setting default policy limit to 500 emails per hour:
mysql --defaults-extra-file=/root/.my.cnf postfix_policyd -e 'UPDATE `quotas_limits` SET `CounterLimit` = 500 WHERE `quotas_limits`.`ID` = 4;'
Uninstall policyd
* We recommend using the uninstall option from MailServer Manager in CWP
/scripts/install_cbpolicyd remove
Reinstall policyd
* This will do a clean install of the policyd files and database.
/scripts/install_cbpolicyd reinstall