Dovecot, Nachrichten auf dem Server mit SIEVE filtern

BILD: Dovecot Pigeonhole Logo Zur Filtern von E-Mails auf IMAP-Servern wurde die Programmiersprache SIEVE konzipiert - die genaue Spezifikationen erfolgten hierzu im RFC 5228 und vielen Erweiterungen/Ergänzungen in weiteen RFCs. Das Hauptaugenmerk von SIEVE liegt auf Einfachheit, Erweiterbarkeit, sowie auf Unabhängigkeit von der verwendeten Zugriffsart und Architektur wie auch dem verwendeten Betriebssystem. Sieve wurde spezifiziert, um den Usern die Möglichkeit zu beiten, bereits serverseitig auf einfache Art und Weise eigene Regeln zur Filterung von E-Mails zu definieren. Sieve-Scripte werden bereits während der Zustellung der eMail am IMAP-Server ausgeführt.

Weitere Hintergrundinformationen finden man unter anderem in dem Wikipedia-Artikel zu SIEVE.
Die Unterstützung und Implementierung von SIEVE erfolgt über das Projekt managesieve von Stefan Bosch. Detaillierte Informationen zum Protokoll Managesieve sowie zum RFC 5228 und den zahlreichen Erweiterungen RFCs findet man auf der Projektseite von Stefan Bosch.

Am Einfachsten bedienen wir uns zur Installation des Paketes dovecot-pigeonhole eines aktuell gepflegten Dovecot-Repositories, wie z.B. dem Repository mailserver.guru. Das dort enthaltene Paket wurde für den aktuellen Dovecot-release 2.2.131) gebaut. Die Intstallation und Integration des Repositories mailserver.guru ist im Kapitel mailserver.guru unter CentOS 6 und CentOS 7 einbinden erklärt.

Die Installation des Paketes geht dank des Repositories mailserver.guru leicht von statten, benötigen wir hierzu lediglich den Befehl yum.

 # yum install dovecot-pigeonhole -y

Was uns das Paket dovecot alles mit ins System bringt, zeigt uns der Befehl rpm mit der Option -qil.

 # rpm -qil dovecot-pigeonhole
Name        : dovecot-pigeonhole
Epoch       : 1
Version     : 2.2.13
Release     : 2.el7.centos
Architecture: x86_64
Install Date: Mon 04 Aug 2014 11:01:38 PM CEST
Group       : System Environment/Daemons
Size        : 1133200
License     : MIT and LGPLv2
Signature   : RSA/SHA1, Fri 01 Aug 2014 08:55:53 PM CEST, Key ID 60ecfb9e8195aea0
Source RPM  : dovecot-2.2.13-2.el7.centos.src.rpm
Build Date  : Fri 01 Aug 2014 08:52:54 PM CEST
Build Host  : vml000200.dmz.nausch.org
Relocations : (not relocatable)
Packager    : Django <django@mailserver.guru>
Vendor      : django
URL         : http://www.dovecot.org/
Summary     : Sieve and managesieve plug-in for dovecot
Description :
This package provides sieve and managesieve plug-in for dovecot LDA.
/etc/dovecot/conf.d/20-managesieve.conf
/etc/dovecot/conf.d/90-sieve-extprograms.conf
/etc/dovecot/conf.d/90-sieve.conf
/usr/bin/sieve-dump
/usr/bin/sieve-filter
/usr/bin/sieve-test
/usr/bin/sievec
/usr/lib64/dovecot/lib90_sieve_plugin.so
/usr/lib64/dovecot/settings/libmanagesieve_login_settings.so
/usr/lib64/dovecot/settings/libmanagesieve_settings.so
/usr/lib64/dovecot/sieve
/usr/lib64/dovecot/sieve/lib90_sieve_extprograms_plugin.so
/usr/libexec/dovecot/managesieve
/usr/libexec/dovecot/managesieve-login
/usr/share/doc/dovecot-2.2-pigeonhole-0.4.2
/usr/share/doc/dovecot-2.2-pigeonhole-0.4.2/AUTHORS
/usr/share/doc/dovecot-2.2-pigeonhole-0.4.2/COPYING
/usr/share/doc/dovecot-2.2-pigeonhole-0.4.2/COPYING.LGPL
/usr/share/doc/dovecot-2.2-pigeonhole-0.4.2/ChangeLog
/usr/share/doc/dovecot-2.2-pigeonhole-0.4.2/INSTALL
/usr/share/doc/dovecot-2.2-pigeonhole-0.4.2/NEWS
/usr/share/doc/dovecot-2.2-pigeonhole-0.4.2/README
/usr/share/doc/dovecot-2.2-pigeonhole-0.4.2/example-config
/usr/share/doc/dovecot-2.2-pigeonhole-0.4.2/example-config/conf.d
/usr/share/doc/dovecot-2.2-pigeonhole-0.4.2/example-config/conf.d/20-managesieve.conf
/usr/share/doc/dovecot-2.2-pigeonhole-0.4.2/example-config/conf.d/90-sieve-extprograms.conf
/usr/share/doc/dovecot-2.2-pigeonhole-0.4.2/example-config/conf.d/90-sieve.conf
/usr/share/doc/dovecot-2.2-pigeonhole-0.4.2/sieve
/usr/share/doc/dovecot-2.2-pigeonhole-0.4.2/sieve/script-location-dict.txt
/usr/share/man/man1/sieve-dump.1.gz
/usr/share/man/man1/sieve-filter.1.gz
/usr/share/man/man1/sieve-test.1.gz
/usr/share/man/man1/sievec.1.gz
/usr/share/man/man1/sieved.1.gz
/usr/share/man/man7/pigeonhole.7.gz

Die Konfiguration vom Managesieve-Plugin dovecot-pigeonhole erfolgt über die drei Konfigurationsdateien 20-managesieve.conf, 90-sieve-extprograms.conf und 90-sieve.conf im Verzeichnis /etc/dovecot/conf.d/

20-managesieve.conf

Auf welchem Port und welcher Adresse unser Managesieve-Logindaemon horchen soll wird in der datei /etc/dovecot/conf.d/20-managesieve.conf festgelegt. Da wir ausschließlich den aktuellen Port 4190 beschränken, geben wir den Port 2000 explizit nicht an.

 # vim /etc/dovecot/conf.d/20-managesieve.conf
/etc/dovecot/conf.d/20-managesieve.conf
##
## ManageSieve specific settings
##
 
# Uncomment to enable managesieve protocol:
#protocols = $protocols sieve
 
# Service definitions
 
# Django : 2014-08-04
# default: unset
service managesieve-login {
  inet_listener sieve {
  address = 10.0.0.70 
  port = 4190
  }
 
  #inet_listener sieve_deprecated {
  #  port = 2000
  #}
 
  # Number of connections to handle before starting a new process. Typically
  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
  # is faster. <doc/wiki/LoginProcess.txt>
  #service_count = 1
 
  # Number of processes to always keep waiting for more connections.
  #process_min_avail = 0
 
  # If you set service_count=0, you probably need to grow this.
  #vsz_limit = 64M
}
 
#service managesieve {
  # Max. number of ManageSieve processes (connections)
  #process_limit = 1024
#}
 
# Service configuration
 
protocol sieve {
  # Maximum ManageSieve command line length in bytes. ManageSieve usually does
  # not involve overly long command lines, so this setting will not normally
  # need adjustment
  #managesieve_max_line_length = 65536
 
  # Maximum number of ManageSieve connections allowed for a user from each IP
  # address.
  # NOTE: The username is compared case-sensitively.
  #mail_max_userip_connections = 10
 
  # Space separated list of plugins to load (none known to be useful so far).
  # Do NOT try to load IMAP plugins here.
  #mail_plugins =
 
  # MANAGESIEVE logout format string:
  #  %i - total number of bytes read from client
  #  %o - total number of bytes sent to client
  #managesieve_logout_format = bytes=%i/%o
 
  # To fool ManageSieve clients that are focused on CMU's timesieved you can
  # specify the IMPLEMENTATION capability that Dovecot reports to clients.
  # For example: 'Cyrus timsieved v2.2.13'
  #managesieve_implementation_string = Dovecot Pigeonhole
 
  # Explicitly specify the SIEVE and NOTIFY capability reported by the server
  # before login. If left unassigned these will be reported dynamically
  # according to what the Sieve interpreter supports by default (after login
  # this may differ depending on the user).
  #managesieve_sieve_capability =
  #managesieve_notify_capability =
 
  # The maximum number of compile errors that are returned to the client upon
  # script upload or script verification.
  #managesieve_max_compile_errors = 5
 
  # Refer to 90-sieve.conf for script quota configuration and configuration of
  # Sieve execution limits.
}

90-sieve-extprograms.conf

Mit Hilfe der Datei /etc/dovecot/conf.d/90-sieve-extprograms.conf könnte man noch externe Programme einbinden. Da wir aber darauf verzichten, brauchen wir keinerlei Änderungen vornehmen.

 # cat /etc/dovecot/conf.d/90-sieve-extprograms.conf
/etc/dovecot/conf.d/90-sieve-extprograms.conf
# Sieve Extprograms plugin configuration
 
# Don't forget to add the sieve_extprograms plugin to the sieve_plugins setting.
# Also enable the extensions you need (one or more of vnd.dovecot.pipe,
# vnd.dovecot.filter and vnd.dovecot.execute) by adding these   to the
# sieve_extensions or sieve_global_extensions settings. Restricting these
# extensions to a global context using sieve_global_extensions is recommended.
 
plugin {
 
  # The directory where the program sockets are located for the
  # vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension
  # respectively. The name of each unix socket contained in that directory
  # directly maps to a program-name referenced from the Sieve script.
  #sieve_pipe_socket_dir = sieve-pipe
  #sieve_filter_socket_dir = sieve-filter
  #sieve_execute_socket_dir = sieve-execute
 
  # The directory where the scripts are located for direct execution by the
  # vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension
  # respectively. The name of each script contained in that directory
  # directly maps to a program-name referenced from the Sieve script.
  #sieve_pipe_bin_dir = /usr/lib/dovecot/sieve-pipe
  #sieve_filter_bin_dir = /usr/lib/dovecot/sieve-filter
  #sieve_execute_bin_dir = /usr/lib/dovecot/sieve-execute
}
 
# An example program service called 'do-something' to pipe messages to
#service do-something {
  # Define the executed script as parameter to the sieve service
  #executable = script /usr/lib/dovecot/sieve-pipe/do-something.sh
 
  # Use some unprivileged user for executing the program
  #user = dovenull
 
  # The unix socket located in the sieve_pipe_socket_dir (as defined in the 
  # plugin {} section above)
  #unix_listener sieve-pipe/do-something {
    # LDA/LMTP must have access
  #  user = vmail  
  #  mode = 0600
  #}
#}

90-sieve.conf

Die Einstellungen des Sieve-Plugins erfolgen mit Hilfe der Datei /etc/dovecot/conf.d/90-sieve.conf. Die Standard-Werte dort braucht man in aller Regel nicht abändern, somit begnügen wir uns mit der Ansicht der Datei.

 # less /etc/dovecot/conf.d/90-sieve.conf
/etc/dovecot/conf.d/90-sieve.conf
##
## Settings for the Sieve interpreter
##
 
# Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf
# by adding it to the respective mail_plugins= settings.
 
plugin {
  # The path to the user's main active script. If ManageSieve is used, this the
  # location of the symbolic link controlled by ManageSieve.
  sieve = ~/.dovecot.sieve
 
  # The default Sieve script when the user has none. This is a path to a global
  # sieve script file, which gets executed ONLY if user's private Sieve script
  # doesn't exist. Be sure to pre-compile this script manually using the sievec
  # command line tool.
  # --> See sieve_before fore executing scripts before the user's personal
  #     script.
  #sieve_default = /var/lib/dovecot/sieve/default.sieve
 
  # Directory for :personal include scripts for the include extension. This
  # is also where the ManageSieve service stores the user's scripts.
  sieve_dir = ~/sieve
 
  # Directory for :global include scripts for the include extension.
  #sieve_global_dir =
 
  # Path to a script file or a directory containing script files that need to be
  # executed before the user's script. If the path points to a directory, all
  # the Sieve scripts contained therein (with the proper .sieve extension) are
  # executed. The order of execution within a directory is determined by the
  # file names, using a normal 8bit per-character comparison. Multiple script
  # file or directory paths can be specified by appending an increasing number.
  #sieve_before =
  #sieve_before2 =
  #sieve_before3 = (etc...)
 
  # Identical to sieve_before, only the specified scripts are executed after the
  # user's script (only when keep is still in effect!). Multiple script file or
  # directory paths can be specified by appending an increasing number.
  #sieve_after =
  #sieve_after2 =
  #sieve_after2 = (etc...)
 
  # Which Sieve language extensions are available to users. By default, all
  # supported extensions are available, except for deprecated extensions or
  # those that are still under development. Some system administrators may want
  # to disable certain Sieve extensions or enable those that are not available
  # by default. This setting can use '+' and '-' to specify differences relative
  # to the default. For example `sieve_extensions = +imapflags' will enable the
        # deprecated imapflags extension in addition to all extensions were already
  # enabled by default.
  #sieve_extensions = +notify +imapflags
 
  # Which Sieve language extensions are ONLY available in global scripts. This
  # can be used to restrict the use of certain Sieve extensions to administrator
  # control, for instance when these extensions can cause security concerns.
  # This setting has higher precedence than the `sieve_extensions' setting
  # (above), meaning that the extensions enabled with this setting are never
  # available to the user's personal script no matter what is specified for the
  # `sieve_extensions' setting. The syntax of this setting is similar to the
  # `sieve_extensions' setting, with the difference that extensions are
  # enabled or disabled for exclusive use in global scripts. Currently, no
  # extensions are marked as such by default.
  #sieve_global_extensions =
 
  # The Pigeonhole Sieve interpreter can have plugins of its own. Using this
  # setting, the used plugins can be specified. Check the Dovecot wiki
  # (wiki2.dovecot.org) or the pigeonhole website
  # (http://pigeonhole.dovecot.org) for available plugins.
        # The sieve_extprograms plugin is included in this release.
  #sieve_plugins =
 
  # The separator that is expected between the :user and :detail
  # address parts introduced by the subaddress extension. This may
  # also be a sequence of characters (e.g. '--'). The current
  # implementation looks for the separator from the left of the
  # localpart and uses the first one encountered. The :user part is
  # left of the separator and the :detail part is right. This setting
  # is also used by Dovecot's LMTP service.
  #recipient_delimiter = +
 
  # The maximum size of a Sieve script. The compiler will refuse to compile any
  # script larger than this limit. If set to 0, no limit on the script size is
  # enforced.
  #sieve_max_script_size = 1M
 
  # The maximum number of actions that can be performed during a single script
  # execution. If set to 0, no limit on the total number of actions is enforced.
  #sieve_max_actions = 32
 
  # The maximum number of redirect actions that can be performed during a single
  # script execution. If set to 0, no redirect actions are allowed.
  #sieve_max_redirects = 4
 
  # The maximum number of personal Sieve scripts a single user can have. If set
  # to 0, no limit on the number of scripts is enforced.
  # (Currently only relevant for ManageSieve)
  #sieve_quota_max_scripts = 0
 
  # The maximum amount of disk storage a single user's scripts may occupy. If
  # set to 0, no limit on the used amount of disk storage is enforced.
  # (Currently only relevant for ManageSieve)
  #sieve_quota_max_storage = 0
}

dovecot.conf

Zu guter letzt fügen wir noch das Protokoll oder exakter formuliert die Script-Sprache sieve zu den Protokollen hinzu, die unser Dovecot-Server zur Verfügung stellen soll. Per Default bietet unser Dovecot-Server bisher folgende Protokolle an:

 # doveconf protocols
 protocols = imap pop3 lmtp

Die Erweiterung um sieve erfolgt in der Konfigurationsdatei /etc/dovecot/dovecot.conf.

 # vim /etc/dovecot/dovecot.conf
/etc/dovecot/dovecot.conf
## Dovecot configuration file
 
# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration
 
# "doveconf -n" command gives a clean output of the changed settings. Use it
# instead of copy&pasting files when posting to the Dovecot mailing list.
 
# '#' character and everything after it is treated as comments. Extra spaces
# and tabs are ignored. If you want to use either of these explicitly, put the
# value inside quotes, eg.: key = "# char and trailing whitespace  "
 
# Most (but not all) settings can be overridden by different protocols and/or
# source/destination IPs by placing the settings inside sections, for example:
# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }
 
# Default values are shown for each setting, it's not required to uncomment
# those. These are exceptions to this though: No sections (e.g. namespace {})
# or plugin settings are added by default, they're listed only as examples.
# Paths are also just examples with the real defaults being based on configure
# options. The paths listed here are for configure --prefix=/usr
# --sysconfdir=/etc --localstatedir=/var
 
# Protocols we want to be serving.
# Django : 2014-08-04
# Erweiterung um die Scriptsprache/Protokoll sieve
# default: #protocols = imap pop3 lmtp
protocols = imap pop3 lmtp sieve
 
# A comma separated list of IPs or hosts where to listen in for connections. 
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
# If you want to specify non-default ports or anything more complex,
# edit conf.d/master.conf.
# Django : 2014-08-04
# IPv6-Adressen deaktivieren, Server lauscht nur auf einem Netzwerkinterface
# bzw. einer IPv4-Addresse
# default: #listen = *, ::
# listen = 10.0.0.70
 
# Base directory where to store runtime data.
#base_dir = /var/run/dovecot/
 
# Name of this instance. In multi-instance setup doveadm and other commands
# can use -i <instance_name> to select which instance is used (an alternative
# to -c <config_path>). The instance name is also added to Dovecot processes
# in ps output.
#instance_name = dovecot
 
# Greeting message for clients.
#login_greeting = Dovecot ready.
 
# Space separated list of trusted network ranges. Connections from these
# IPs are allowed to override their IP addresses and ports (for logging and
# for authentication checks). disable_plaintext_auth is also ignored for
# these networks. Typically you'd specify your IMAP proxy servers here.
#login_trusted_networks =
 
# Space separated list of login access check sockets (e.g. tcpwrap)
#login_access_sockets = 
 
# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
# proxying. This isn't necessary normally, but may be useful if the destination
# IP is e.g. a load balancer's IP.
#auth_proxy_self =
 
# Show more verbose process titles (in ps). Currently shows user name and
# IP address. Useful for seeing who are actually using the IMAP processes
# (eg. shared mailboxes or if same uid is used for multiple accounts).
# Django : 2014-07-21
# In der Prozessliste bei den POP3/IMAP-Prozessen zusätzlich den Usernamen, 
# die Client-IP-Adresse und den ausgeführten IMAP-Befehl anzeigen. 
# default: #verbose_proctitle = no
verbose_proctitle = yes
 
# Should all processes be killed when Dovecot master process shuts down.
# Setting this to "no" means that Dovecot can be upgraded without
# forcing existing client connections to close (although that could also be
# a problem if the upgrade is e.g. because of a security fix).
#shutdown_clients = yes
 
# If non-zero, run mail commands via this many connections to doveadm server,
# instead of running them directly in the same process.
#doveadm_worker_count = 0
# UNIX socket or host:port used for connecting to doveadm server
#doveadm_socket_path = doveadm-server
 
# Space separated list of environment variables that are preserved on Dovecot
# startup and passed down to all of its child processes. You can also give
# key=value pairs to always set specific settings.
#import_environment = TZ
 
##
## Dictionary server settings
##
 
# Dictionary can be used to store key=value lists. This is used by several
# plugins. The dictionary can be accessed either directly or though a
# dictionary server. The following dict block maps dictionary names to URIs
# when the server is used. These can then be referenced using URIs in format
# "proxy::<name>".
 
dict {
  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
  #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}
 
# Most of the actual configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
# in filenames are intended to make it easier to understand the ordering.
!include conf.d/*.conf
 
# A config file can also tried to be included without giving an error if
# it's not found:
!include_try local.conf

20-lmtp.conf

Da die definierten SIEVE-Regeln bei der Zustellung der Nachrichten ihre Arbeit verrichten, müssen wir bei den Konfigurationsparametern von LMTP das Plugin sieve mit aufnehmen.

 # vim /etc/dovecot/conf.d/20-lmtp.conf
/etc/dovecot/conf.d/20-lmtp.conf
##
## LMTP specific settings
##
 
# Support proxying to other LMTP/SMTP servers by performing passdb lookups.
#lmtp_proxy = no
 
# When recipient address includes the detail (e.g. user+detail), try to save
# the mail to the detail mailbox. See also recipient_delimiter and
# lda_mailbox_autocreate settings.
#lmtp_save_to_detail_mailbox = no
 
# Verify quota before replying to RCPT TO. This adds a small overhead.
#lmtp_rcpt_check_quota = no
 
protocol lmtp {
  # Space separated list of plugins to load (default is global mail_plugins).
  # Django : 2014-08-04
  # default:   #mail_plugins = $mail_plugins
  mail_plugins = $mail_plugins sieve
}

Die notwendigen Konfigurationseinstellungen bei der Applikation ingo ist auf folgenden Seite ausführlich beschrieben.

Damit unsere Kunden mit Ihren Mailclients Verbindungen zum geöffneten Ports 4190 unseres Dovecot-Server aufbauen können, müssen wir für diese noch Änderungen am Paketfilter firewalld vornehmen.

 # firewall-cmd --permanent --zone=public --add-port=4190/tcp
 success

Anschließend können wir den Firewall-Daemon einmal durchstarten und anschließend überprüfen, ob die Regeln auch entsprechend unserer Definition, gezogen haben.

 # firewall-cmd --reload
 success

Abschließend prüfen wir noch, ob die Erweiterung unseres Paketfilter aktiv ist.

 # iptables -nvL IN_public_allow
Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       10.0.0.80            10.0.0.70            tcp dpt:24 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4190 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 ctstate NEW

Zum Aktivieren unserer Änderungen starten wir den Daemon nun einmal durch.

 # systemctl restart dovecot

Im Maillog wurde der Restart entsprechend dokumentiert.

 # tail -n4 /var/log/maillog
Aug  4 23:41:47 vml000070 dovecot: anvil: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
Aug  4 23:41:47 vml000070 dovecot: log: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
Aug  4 23:41:47 vml000070 dovecot: master: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
Aug  4 23:41:47 vml000070 dovecot: master: Dovecot v2.2.13 starting up for imap, pop3, lmtp, sieve (core dumps disabled)

Fragen wir den Serverstatus ab, finden wir nun auch den Dienst sieve bei den Protokollen.

 # systemctl status dovecot
dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; disabled)
   Active: active (running) since Mon 2014-08-04 23:41:47 CEST; 2min 42s ago
  Process: 4156 ExecStartPre=/usr/libexec/dovecot/prestartscript (code=exited, status=0/SUCCESS)
 Main PID: 4161 (dovecot)
   CGroup: /system.slice/dovecot.service
           ├─4161 /usr/sbin/dovecot -F
           ├─4165 dovecot/anvil [0 connections]
           ├─4166 dovecot/log
           └─4168 dovecot/config

Aug 04 23:41:47 vml000070.dmz.nausch.org systemd[1]: Started Dovecot IMAP/POP3 email server.
Aug 04 23:41:47 vml000070.dmz.nausch.org dovecot[4161]: master: Dovecot v2.2.13 starting up for imap, pop3, lmtp, sieve (core dumps disabled)

Fragen wir mit netstat die geöffneten Ports ab, sehen wir auch dort, dass unser Dovecot-Server nun auch auf Port 4190 bei der IP-Adresse 10.0.0.70 lauscht.

 # netstat -tulpen | grep dovecot
 tcp        0      0 10.0.0.70:4190          0.0.0.0:*               LISTEN      0          44593      4161/dovecot        
 tcp        0      0 10.0.0.70:993           0.0.0.0:*               LISTEN      0          44656      4161/dovecot        
 tcp        0      0 10.0.0.70:995           0.0.0.0:*               LISTEN      0          44619      4161/dovecot        
 tcp        0      0 10.0.0.70:110           0.0.0.0:*               LISTEN      0          44618      4161/dovecot        
 tcp        0      0 10.0.0.70:143           0.0.0.0:*               LISTEN      0          44655      4161/dovecot        
 tcp        0      0 10.0.0.70:24            0.0.0.0:*               LISTEN      0          44628      4161/dovecot

Unser ersten Funktionstest werden wir nun mit SIEVE via LMTP durchführen. Bei diesem folgenden Test nutzen wir die Authentifikations-Methode PLAIN. Die Anmeldedaten müssen dabei zum einen Base64 codiert werden und das Format „\0<username>\0<password“ (mit \0 als ASCII NULL Zeichen).

 AUTHENTICATE "PLAIN" "<BASE64 codierte Anmeldedaten>"

Zum Erstellen dieses Anmeldestrings nutzen wir einfach das script sieve-auth-command.pl von Stephan Bosch.

 # vim /usr/local/bin/sieve-auth-command.pl
/usr/local/bin/sieve-auth-command.pl
#!/usr/bin/perl
#
# sieve-auth-command.pl
# ---------------------
#
# Generates ManageSieve AUTHENTICATE command for manually testing the protocol 
# using telnet or gnutls-cli (TLS)
#
# Usage:
#   sieve-auth-command.pl <username> <password>
#
# Prints the AUTHENTICATE "PLAIN" "<encoded>" command on standard out. 
#
# --
# Stephan Bosch, stephan@rename-it.nl
#
 
use MIME::Base64;
 
use strict;
 
my $username = shift;
my $password = shift;
 
my $userpass = "\x00".$username."\x00".$password."";
my $encode=encode_base64($userpass);
 
$encode =~ s/^\s+//;
$encode =~ s/\s+$//;
 
print "AUTHENTICATE \"PLAIN\" \"$encode\"\r\n";

Um das Script einfach ausführen zu können versehen wir nun noch die Datei-Rechte mit einem x.

 # chmod +x /usr/local/bin/sieve-auth-command.pl

Für unseren User django@nausch.org mit dem Passwort Dj4n90_d3r_G33k! erstellen wir nun unseren Anmeldestring.

 $ sieve-auth-command.pl django@nausch.org Dj4n90_d3r_G33k!
 AUTHENTICATE "PLAIN" "AGRqYW5nb0BuYXVzY2gub3JnAERqNG45MF9kM3JfRzMzayE="

Diesen Anmeldestring verwenden wir nun bei unserem ersten Test. Bei diesem SIEVE-Test via telnet sind die Eingaben am testenden Client in der Farbe blau und die Rückmeldungen unseres Dovecot-Servers in der Farbe grün gekennzeichnet. Die Ausgaben des Befehls telnet sind in der Farbe schwarz eingefärbt.

Als erstes bauen wir eine Verbindung zu unserem Dovecot-Server zum ManageSieve-Port 4190 auf und melden uns mit unserem zuvor generierten Anmeldestring am Server an.

$ telnet 10.0.0.70 4190
Trying 10.0.0.70...
Connected to 10.0.0.70.
Escape character is '^]'.
 "IMPLEMENTATION" "Dovecot Pigeonhole"
 "SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave"
 "NOTIFY" "mailto"
 "SASL" "PLAIN LOGIN DIGEST-MD5 CRAM-MD5"
 "STARTTLS"
 "VERSION" "1.0"
 OK "Dovecot ready."
AUTHENTICATE "PLAIN" "AGRqYW5nb0BuYXVzY2gub3JnAERqNG45MF9kM3JfRzMzayE="
 OK "Logged in."

Als erste Aktion fragen wir ab, welche SIEVE-Scruipte auf dem Server vorhanden sind. Da bis dato noch keine Scripte hinterlegt wurden, sit die Antwort des Servers natürlich etwas spartanisch, nämlich leer.

LISTSCRIPTS
 OK "Listscripts completed."

Nun wollen wir unser erstes SIEVE Script anlegen. Mit Hilfe dieses Scriptes werden alle Nachrichten sofort gelöscht, sobald diese im Betreff das Wörtchen p0rn enthält und der Postfix-MTA die Nachricht via LMTP an unseren Backend-server Dovecot übergibt. Das entsprechende Script könnte nun wie folgt aussehen.

if header :comparator "i;ascii-casemap" :contains "Subject" "p0rn"  {
    discard;
    stop;
}

Das script hat insgesamt 96-Zeichen (gefolgt von einem abschließendem CR). Zusammen ergibt das also 97 Zeichen. Mit dem Befehl PUTSCRIPT laden wir nun dieses script zum Server hoch.

PUTSCRIPT "erste_sieve-regel_zum_testen" {97+}
if header :comparator "i;ascii-casemap" :contains "Subject" "p0rn"  {
    discard;
    stop;
}
 OK "PUTSCRIPT completed."

Fragen wir nun erneut ab, welche Scripte auf dem Server vorliegen, sehen wir auch unser erstes Testscript erste_sieve-regel_zum_testen.

LISTSCRIPTS
 "erste_sieve-regel_zum_testen"
 OK "Listscripts completed."

Zum Scharfschalten des Scripts wird der Befehl SETACTIVE verwendet.

SETACTIVE "erste_sieve-regel_zum_testen"
 OK "Setactive completed."

Fragen wir nun erneut die Liste des SIEVE-Scripte ab, sehen wir ein ACTIVE hinter dem Scriptnamen erste_sieve-regel_zum_testen; d.h. dieses Script ist nunmehr aktiv.

LISTSCRIPTS
 "erste_sieve-regel_zum_testen" ACTIVE
 OK "Listscripts completed."

Wollen wir ein script Herunterladen verwenden wir den Befehl GETSCRIPT.

GETSCRIPT "erste_sieve-regel_zum_testen"
 {97}
 if header :comparator "i;ascii-casemap" :contains "Subject" "p0rn"  {
     discard;
     stop;
 }
 OK "Getscript completed."

Zu guter Letzt melden wir uns nun von unserem Server mit dem Befehl LOGOUT wieder ab.

LOGOUT
 OK "Logout completed."
Connection closed by foreign host.

Im Verzeischnis des Users django@nausch.org finden wir nun auch das Verzeichnis /srv/vmail/nausch.org/django/sieve in dem die SIEVE-Scripte abgelegt werden.

/srv/vmail/nausch.org/django/
├── .dovecot.sieve -> sieve/erste_sieve-regel_zum_testen.sieve
├── Maildir/
│   ├── cur/
│   │   └── 1407189625.M304698P4532.vml000070.dmz.nausch.org,S=409,W=422:2,
│   ├── dovecot.index.cache
│   ├── dovecot.index.log
│   ├── dovecot.mailbox.log
│   ├── dovecot-uidlist
│   ├── dovecot-uidvalidity
│   ├── dovecot-uidvalidity.53dfa2ad
│   ├── .Drafts/
│   │   ├── cur/
│   │   ├── dovecot.index.log
│   │   ├── dovecot-uidlist
│   │   ├── maildirfolder
│   │   ├── new/
│   │   └── tmp/
│   ├── new/
│   ├── .Sent/
│   │   ├── cur/
│   │   ├── dovecot.index.log
│   │   ├── dovecot-uidlist
│   │   ├── maildirfolder
│   │   ├── new/
│   │   └── tmp/
│   ├── subscriptions
│   └── tmp/
└── sieve/
    ├── erste_sieve-regel_zum_testen.sieve
    └── tmp/

Das aktive Script erkennen wir an dem symlink .dovecot.sieve im HOME-Verzeichnis des Users.

 # ll /srv/vmail/nausch.org/django/.dovecot.sieve 
 lrwxrwxrwx 1 vmail vmail 40 Aug  5 13:01 /srv/vmail/nausch.org/django/.dovecot.sieve -> sieve/erste_sieve-regel_zum_testen.sieve

Im Maillog wurden unsere SIEVE-Script Aktivitäten mit Hilfe des Mail-Plugins ManageSieve dokumentiert.

Aug  5 12:58:29 vml000070 dovecot: managesieve-login: Login: user=<django@nausch.org>, method=PLAIN, rip=10.0.0.70, mpid=5212, secured, session=<4sFTvN//sAAKAABG>
Aug  5 12:58:29 vml000070 dovecot: managesieve(django@nausch.org): Debug: Effective uid=10000, gid=10000, home=/srv/vmail/nausch.org/django
Aug  5 12:58:29 vml000070 dovecot: managesieve(django@nausch.org): Debug: Namespace inbox: type=private, prefix=INBOX/, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:/srv/vmail/nausch.org/django/Maildir
Aug  5 12:58:29 vml000070 dovecot: managesieve(django@nausch.org): Debug: maildir++: root=/srv/vmail/nausch.org/django/Maildir, index=, indexpvt=, control=, inbox=/srv/vmail/nausch.org/django/Maildir, alt=
Aug  5 12:58:29 vml000070 dovecot: managesieve(django@nausch.org): Debug: Namespace : type=private, prefix=, sep=, inbox=no, hidden=yes, list=no, subscriptions=no location=fail::LAYOUT=none
Aug  5 12:58:29 vml000070 dovecot: managesieve(django@nausch.org): Debug: none: root=, index=, indexpvt=, control=, inbox=, alt=
Aug  5 12:58:29 vml000070 dovecot: managesieve(django@nausch.org): Debug: sieve: Pigeonhole version 0.4.2 initializing
Aug  5 12:58:29 vml000070 dovecot: managesieve(django@nausch.org): Debug: sieve: include: sieve_global_dir is not set; it is currently not possible to include `:global' scripts.
Aug  5 12:58:29 vml000070 dovecot: managesieve(django@nausch.org): Debug: sieve-storage: using active sieve script path: /srv/vmail/nausch.org/django/.dovecot.sieve
Aug  5 12:58:29 vml000070 dovecot: managesieve(django@nausch.org): Debug: sieve-storage: using sieve script storage directory: /srv/vmail/nausch.org/django/sieve
Aug  5 12:58:29 vml000070 dovecot: managesieve(django@nausch.org): Debug: sieve-storage: using permissions from /srv/vmail/nausch.org/django/sieve: mode=0700 gid=-1
Aug  5 12:58:29 vml000070 dovecot: managesieve(django@nausch.org): Debug: sieve-storage: relative path to sieve storage in active link: sieve/
Aug  5 12:59:09 vml000070 dovecot: managesieve(django@nausch.org): Disconnected: Logged out bytes=6/41
Aug  5 12:59:25 vml000070 dovecot: master: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
Aug  5 12:59:25 vml000070 dovecot: imap-login: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
Aug  5 12:59:25 vml000070 dovecot: anvil: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
Aug  5 12:59:25 vml000070 dovecot: log: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
Aug  5 13:00:00 vml000070 dovecot: master: Dovecot v2.2.13 starting up for imap, pop3, lmtp, sieve (core dumps disabled)
Aug  5 13:00:18 vml000070 dovecot: managesieve-login: Login: user=<django@nausch.org>, method=PLAIN, rip=10.0.0.70, mpid=5262, secured, session=<4prRwt//sQAKAABG>
Aug  5 13:00:18 vml000070 dovecot: managesieve(django@nausch.org): Debug: Effective uid=10000, gid=10000, home=/srv/vmail/nausch.org/django
Aug  5 13:00:18 vml000070 dovecot: managesieve(django@nausch.org): Debug: Namespace inbox: type=private, prefix=INBOX/, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:/srv/vmail/nausch.org/django/Maildir
Aug  5 13:00:18 vml000070 dovecot: managesieve(django@nausch.org): Debug: maildir++: root=/srv/vmail/nausch.org/django/Maildir, index=, indexpvt=, control=, inbox=/srv/vmail/nausch.org/django/Maildir, alt=
Aug  5 13:00:18 vml000070 dovecot: managesieve(django@nausch.org): Debug: Namespace : type=private, prefix=, sep=, inbox=no, hidden=yes, list=no, subscriptions=no location=fail::LAYOUT=none
Aug  5 13:00:18 vml000070 dovecot: managesieve(django@nausch.org): Debug: none: root=, index=, indexpvt=, control=, inbox=, alt=
Aug  5 13:00:18 vml000070 dovecot: managesieve(django@nausch.org): Debug: sieve: Pigeonhole version 0.4.2 initializing
Aug  5 13:00:18 vml000070 dovecot: managesieve(django@nausch.org): Debug: sieve: include: sieve_global_dir is not set; it is currently not possible to include `:global' scripts.
Aug  5 13:00:18 vml000070 dovecot: managesieve(django@nausch.org): Debug: sieve-storage: using active sieve script path: /srv/vmail/nausch.org/django/.dovecot.sieve
Aug  5 13:00:18 vml000070 dovecot: managesieve(django@nausch.org): Debug: sieve-storage: using sieve script storage directory: /srv/vmail/nausch.org/django/sieve
Aug  5 13:00:18 vml000070 dovecot: managesieve(django@nausch.org): Debug: sieve-storage: permission lookup failed from /srv/vmail/nausch.org/django/sieve
Aug  5 13:00:18 vml000070 dovecot: managesieve(django@nausch.org): Debug: sieve-storage: created storage directory /srv/vmail/nausch.org/django/sieve/tmp
Aug  5 13:00:18 vml000070 dovecot: managesieve(django@nausch.org): Debug: sieve-storage: relative path to sieve storage in active link: sieve/
Aug  5 13:02:09 vml000070 dovecot: managesieve(django@nausch.org): Disconnected: Logged out bytes=276/385

Zum Abschluß unseres Tests liefern wir nun eine Nachricht via LMTP bei unserem Dovecot-Server ein.

$ telnet 10.0.0.70 24
Trying 10.0.0.70...
Connected to 10.0.0.70.
Escape character is '^]'.
 220 imap.nausch.org Dovecot ready.
LHLO mx01.nausch.org
 250-imap.nausch.org
 250-8BITMIME
 250-ENHANCEDSTATUSCODES
 250 PIPELINING
mail from:<michael@nausch.org>
 250 2.1.0 OK
rcpt to:<django@nausch.org>
 250 2.1.5 OK
DATA
 354 OK
From: Michael Nausch 
To: Django [BOfH] 
Subject: Haben Du Interesse an p0rn?
Date: Mon, 21 Jul 2014 09:00:36 -0000

HI,     
wenn Du haben willst lot of p0rn, Du mir sagen.
Ich habe sehr viel davon.

ttyl
Bazibua
.
 250 2.0.0  fs6GLxrC4FO0FAAAOs1BfA Saved
quit
 221 2.0.0 OK
Connection closed by foreign host.

Im Maillog sehen wir nun, dass die Nachricht nicht zugestellt, sonder gelöscht wurde marked message to be discarded if not explicitly delivered (discard action).

Aug  5 13:38:02 vml000070 dovecot: lmtp(5300): Debug: none: root=, index=, indexpvt=, control=, inbox=, alt=
Aug  5 13:38:02 vml000070 dovecot: lmtp(5300): Connect from 10.0.0.80
Aug  5 13:38:24 vml000070 dovecot: lmtp(5300): Debug: Loading modules from directory: /usr/lib64/dovecot
Aug  5 13:38:24 vml000070 dovecot: lmtp(5300): Debug: Module loaded: /usr/lib64/dovecot/lib90_sieve_plugin.so
Aug  5 13:38:24 vml000070 dovecot: lmtp(5300): Debug: auth input: django@nausch.org uid=10000 gid=10000 home=/srv/vmail/nausch.org/django
Aug  5 13:39:59 vml000070 dovecot: lmtp(5300, django@nausch.org): Debug: Effective uid=10000, gid=10000, home=/srv/vmail/nausch.org/django
Aug  5 13:39:59 vml000070 dovecot: lmtp(5300, django@nausch.org): Debug: Namespace inbox: type=private, prefix=INBOX/, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:/srv/vmail/nausch.org/django/Maildir
Aug  5 13:39:59 vml000070 dovecot: lmtp(5300, django@nausch.org): Debug: maildir++: root=/srv/vmail/nausch.org/django/Maildir, index=, indexpvt=, control=, inbox=/srv/vmail/nausch.org/django/Maildir, alt=
Aug  5 13:39:59 vml000070 dovecot: lmtp(5300, django@nausch.org): Debug: Namespace : type=private, prefix=, sep=, inbox=no, hidden=yes, list=no, subscriptions=no location=fail::LAYOUT=none
Aug  5 13:39:59 vml000070 dovecot: lmtp(5300, django@nausch.org): Debug: none: root=, index=, indexpvt=, control=, inbox=, alt=
Aug  5 13:39:59 vml000070 dovecot: lmtp(5300, django@nausch.org): Debug: sieve: Pigeonhole version 0.4.2 initializing
Aug  5 13:39:59 vml000070 dovecot: lmtp(5300, django@nausch.org): Debug: sieve: include: sieve_global_dir is not set; it is currently not possible to include `:global' scripts.
Aug  5 13:39:59 vml000070 dovecot: lmtp(5300, django@nausch.org): Debug: fs6GLxrC4FO0FAAAOs1BfA: sieve: using the following location for user's Sieve script: /srv/vmail/nausch.org/django/.dovecot.sieve;name=main script
Aug  5 13:39:59 vml000070 dovecot: lmtp(5300, django@nausch.org): Debug: fs6GLxrC4FO0FAAAOs1BfA: sieve: loading script /srv/vmail/nausch.org/django/.dovecot.sieve;name=main script
Aug  5 13:39:59 vml000070 dovecot: lmtp(5300, django@nausch.org): Debug: fs6GLxrC4FO0FAAAOs1BfA: sieve: script `main script' from /srv/vmail/nausch.org/django/.dovecot.sieve;name=main script successfully compiled
Aug  5 13:39:59 vml000070 dovecot: lmtp(5300, django@nausch.org): Debug: fs6GLxrC4FO0FAAAOs1BfA: sieve: executing script from /srv/vmail/nausch.org/django/.dovecot.sieve;name=main script
Aug  5 13:39:59 vml000070 dovecot: lmtp(5300, django@nausch.org): fs6GLxrC4FO0FAAAOs1BfA: sieve: msgid=unspecified: marked message to be discarded if not explicitly delivered (discard action)
Aug  5 13:40:03 vml000070 dovecot: lmtp(5300): Disconnect from 10.0.0.80: Successful quit

Im Verzeichnis des Users django@nausch.org sehen wir keine neue Nachricht, da diese mit Hilfe des SIEVE-scriptes sofort gelöscht wurde.

/srv/vmail/nausch.org/django/
├── .dovecot.sieve -> sieve/erste_sieve-regel_zum_testen.sieve
├── .dovecot.svbin
├── Maildir/
│   ├── cur/
│   │   └── 1407189625.M304698P4532.vml000070.dmz.nausch.org,S=409,W=422:2,
│   ├── dovecot.index.cache
│   ├── dovecot.index.log
│   ├── dovecot.mailbox.log
│   ├── dovecot-uidlist
│   ├── dovecot-uidvalidity
│   ├── dovecot-uidvalidity.53dfa2ad
│   ├── .Drafts/
│   │   ├── cur/
│   │   ├── dovecot.index.log
│   │   ├── dovecot-uidlist
│   │   ├── maildirfolder
│   │   ├── new/
│   │   └── tmp/
│   ├── new/
│   ├── .Sent/
│   │   ├── cur/
│   │   ├── dovecot.index.log
│   │   ├── dovecot-uidlist
│   │   ├── maildirfolder
│   │   ├── new/
│   │   └── tmp/
│   ├── subscriptions
│   └── tmp/
└── sieve/
    ├── erste_sieve-regel_zum_testen.sieve
    └── tmp/

… in Bearbeitung (Vorankündigung)! …

Links


1)
Stand Juli 2014
Cookies helfen bei der Bereitstellung von Inhalten. Durch die Nutzung dieser Seiten erklären Sie sich damit einverstanden, dass Cookies auf Ihrem Rechner gespeichert werden. Weitere Information
  • centos/mail_c7/dovecot_3.txt
  • Zuletzt geändert: 20.04.2018 10:45.
  • (Externe Bearbeitung)