Enabling the Policy Scripts

March 26, 2020

As of version 3.2, default Lua policy scripts are included with Momentum. After installing Momentum, you can configure policy by editing the /opt/msys/ecelerity/etc/sample-configs/dp_config.lua file. This document describes the available options, notes their default status, and explains the policies that they enforce.

The built-in Lua policy scripts are not enabled by default. To use them, you must add a default_policy.conf file to your configuration, using the /opt/msys/ecelerity/etc/sample-configs/default_policy.conf file as the starting point. Instructions for adding a configuration file are found in Best Practices for Adding Configuration Files.

Note

Since the policy scripts are written in Lua you must enable the scriptlet module. For information about this module see scriptlet Module. The audit series modules are dependent on the inbound_audit module. For information about this module see inbound_audit Module. The relay authorization configuration is dependent on the auth_ds module. For information about this module see auth_ds Module. The early talker configuration is dependent on the conntrol module. For information about this module see conntrol Module.

In addition to enabling the default_policy.conf file, you must configure a dp_config.lua file. Use the existing /opt/msys/ecelerity/etc/sample-configs/dp_config.lua file and save it to a directory under the /opt/msys/ecelerity/etc/conf/default directory. Also copy the /opt/msys/ecelerity/etc/sample-configs/custom_policy.lua file to the same directory as the dp_config.lua file. Add these files to the repository as well. For more information about the repository directory structure, see The Momentum Configuration Server: ecconfigd. This document describes all the configuration options in the dp_config.lua file. For your convenience, these files are reproduced in The dp_config.lua and custom_policy.lua Files.
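The following pre-flight check is an added example, not part of Momentum or of the original page. It verifies that the three files named above are in place and that the four modules listed in the Note are referenced in the configuration. The function name and the way a loaded module is detected (its name as a whole word on a non-comment line of a .conf file) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Momentum distribution.
# check_policy_prereqs DIR
#   DIR is the configuration directory the files were copied into
#   (for example a directory under /opt/msys/ecelerity/etc/conf/default).
# Prints one line per problem and returns the number of problems found.
check_policy_prereqs() {
    dir=$1
    problems=0

    # default_policy.conf must be present somewhere under DIR.
    if [ -z "$(find "$dir" -type f -name default_policy.conf 2>/dev/null | head -n 1)" ]; then
        echo "missing: default_policy.conf"
        problems=$((problems + 1))
    fi

    # dp_config.lua and custom_policy.lua must sit in the same directory.
    dp=$(find "$dir" -type f -name dp_config.lua 2>/dev/null | head -n 1)
    if [ -z "$dp" ]; then
        echo "missing: dp_config.lua"
        problems=$((problems + 1))
    elif [ ! -f "$(dirname "$dp")/custom_policy.lua" ]; then
        echo "missing: custom_policy.lua beside $dp"
        problems=$((problems + 1))
    fi

    # scriptlet is always required; inbound_audit, auth_ds and conntrol are
    # needed for the audit series, relay authorization and early talker
    # policies respectively.
    # Assumption: a loaded module appears as its name, as a whole word,
    # on a line of some .conf file that is not a '#' comment.
    for mod in scriptlet inbound_audit auth_ds conntrol; do
        if ! find "$dir" -type f -name '*.conf' -exec cat {} + 2>/dev/null |
             grep -v '^[[:space:]]*#' | grep -qw "$mod"; then
            echo "module not referenced: $mod"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}
```

A return value of 0 means every check passed. A module reported as not referenced only matters if you enable the policy that depends on it.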

In addition to defining connection limits, whitelists and other policy-related items, the default policy scripts can also be used to configure various partner modules. These modules include:

Enable the modules you intend to use. Note: The beik and csapi modules are included in the default_policy.conf file. The cloudmark and commtouch modules are not. In order to use the default policy scripts, AV modules must be loaded in "passive" mode. For more information see Module Overview.