Dovecot Sieve implementation?

#1 Tue, 09/15/2009 - 05:55
Hal9000

Dovecot Sieve implementation?

Hello!

I just upgraded my roundcube to 0.3 to find out it has some nice plugins. So I coded a virtualmin driver for their password plugin, so users can change passwords from within roundcube via the Virtualmin remote API.

Now, I would love to offer mail filtering management from roundcube, as usermin is (let's face it) pretty awful and no-one uses it. Roundcube offers a sieve plugin, which is fine, but Virtualmin makes use of Procmail. One of the big advantages of sieve is that it is tightly integrated in dovecot and with managesieve you have a service that allows roundcube in this case to manage filters without needing ftp access or other strange hacks.

So I dug a bit, and found out that basically dovecot (at least on debian lenny) already comes with LDA and Managesieve support, so it would be no problem to implement in the postfix config file (mailbox_command), but then I would lose antivirus/antispam checking, and possibly some other stuff, which Virtualmin implements via procmail.

So my question here: is it possible, maybe by changing something in the Virtualmin procmail template (if there is any), to pass the mail to the dovecot deliver service, instead of delivering directly to inbox? So basically procmail would do its stuff, then pass the thing on to dovecot, and dovecot will do its filter stuff and deliver it to the mailbox. That would be a nice workaround I could definitely live with...

Please let me know ;)

Tue, 09/15/2009 - 09:34
andreychek

Howdy,

I suspect you've found this already, but even if not for yourself, perhaps others could benefit from the Dovecot LDA page, which details how to use the "deliver" command:

http://wiki.dovecot.org/LDA

So how would that tie into the tools currently on the system?

I think all you'd have to do is add the appropriate command to the end of the /etc/procmailrc file. With that, spam/virus processing would take place first, after which your email will be handed over to Dovecot's tools.

Personally, I'd love to see a procmail plugin, but sieve is pretty good at what it does ;-)

-Eric

Tue, 09/15/2009 - 10:11
Hal9000

Good to know that this is possible. However, I'm not really good at procmail... So I looked at it, and I suspect these two lines:

ORGMAIL=$HOME/Maildir/
DEFAULT=$HOME/Maildir/

have to disappear in favor of something else? Or maybe something like ORGMAIL=path/to/deliver -parameters or something? Any clues? :)

Tue, 09/15/2009 - 10:40
andreychek

I'd leave those two lines there in case something goes awry; they aren't causing anything to be delivered, they're just telling procmail what the defaults are.

You can tell procmail to pipe an email into a program by using the | character:

|/path/to/file

You could put something like that at the end of the /etc/procmailrc file.

There's some additional examples of procmail usage in the procmailex manpage.

-Eric

Tue, 09/15/2009 - 10:49
Hal9000

thank you very much, i will try to implement all this soon, and hopefully get a nice webmail :)

Tue, 09/15/2009 - 13:56
Hal9000

yay, got it working pretty easily thanks to you andreychek. basically added this at the bottom of /etc/procmailrc

:0 w
| /usr/lib/dovecot/deliver

as also explained on http://wiki.dovecot.org/procmail with the needed config settings in /etc/dovecot.conf i got filters working, and quota as well, using the fs backend ;)

Fri, 10/09/2009 - 07:19 (Reply to #6)
lulatsch66

Hello Hal9000,

I've tried to integrate deliver with procmail as you did on a Debian Lenny 5.0 system (completely installed via virtualmin gpl install.sh script), but no success. Managing sieve filters via roundcube 0.3 does work properly, scripts are created in ~/.dovecot.sieve

But when postfix tries to deliver mail, filtering doesn't work and in procmail.log I get for every mail:

procmail: Program failure (78) of "/usr/lib/dovecot/deliver"
From xx@yy.de Thu Oct 8 16:52:30 2009
Subject: SPAM
Folder: /home/t3yaml/homes/test/Maildir/new/1255013550.29943_0.xxx 400
Time:1255013550 From:xx@yy.de To:test@xx.de User:test.t3yaml Size:450 Dest:/home/t3yaml/homes/test/Maildir/new/1255013550.29943_0.xxx Mode:None

Last lines of /etc/procmailrc are as advised:

:0 w
| /usr/lib/dovecot/deliver

Could you please post your procmailrc and dovecot.conf (relevant parts) so I could compare things?

Thanx in advance, Falko

Wed, 10/07/2009 - 06:56
psirac

Hi Hal9000,

I got filtering working with managesieve and now I'm trying to find out how to make it possible for users to change their password.

You said you've coded a plugin to work with the password plugin in Roundcube, could you please help me to make this possible too?

Thanks in advance.

Wed, 10/07/2009 - 07:45
Hal9000

that's how i did it. i got the password plugin for redmine from their website, then i made following modifications (i assume you are in plugins/password/):

in config.inc.php i set $rcmail_config['password_driver'] = 'virtualmin'; and $rcmail_config['password_confirm_current'] = false; then i added these new parameters at the bottom of the file:

// Virtualmin Driver options
// -------------------------
// The host which changes the password
$rcmail_config['password_virtualmin_host'] = 'hostname';

// TCP port used for DirectAdmin connections
$rcmail_config['password_virtualmin_port'] = 10000;

// CP admin password
$rcmail_config['password_virtualmin_rpwd'] = 'foo';

IMPORTANT: make sure you chmod your config.inc.php to 0600

now i created the file drivers/virtualmin.php with the following content:

<?php

function password_save($curpass, $passwd){

    $rcmail = rcmail::get_instance();

    $da_user    = $_SESSION['username'];
    $da_domain  = explode("_", $da_user);
    $da_domain  = $da_domain[0];
    $da_newpass = $passwd;
    $da_host    = $rcmail->config->get('password_virtualmin_host');
    $da_port    = $rcmail->config->get('password_virtualmin_port');
    $da_rpwd    = $rcmail->config->get('password_virtualmin_rpwd');

    $response = shell_exec("wget -O - --quiet --http-user=root --http-passwd={$da_rpwd} --no-check-certificate 'https://{$da_host}:{$da_port}/virtual-se$

    if(!$response)
        return PASSWORD_CONNECT_ERROR;
    elseif(!strpos($response, "success"))
        return PASSWORD_ERROR;
    else
        return PASSWORD_SUCCESS;

}

?>

and of course enabled the password plugin in the roundcube config. the implementation could be cleaner I guess, and also please note that the virtualmin driver assumes you have usernames in the domain_user style, which is my case. you will need to adapt it for your system, see the explode( part where i get the domain name out of the username.

hope this helps ;)

UPDATE: don't ask me why this editor screws up the code content, but the "em" tags actually are _ underscores...

Wed, 10/07/2009 - 07:54 (Reply to #9)
Hal9000

nice, can't edit previous comment now... there's a line which is cut off... here is the complete one:

$response = shell_exec("wget -O - --quiet --http-user=root --http-passwd={$da_rpwd} --no-check-certificate 'https://{$da_host}:{$da_port}/virtual-server/remote.cgi?program=modify-user&domain={$da_domain}&user={$da_user}&pass={$da_newpass}'");

btw i wonder if a mail user is able to run the command line to change its password. in this case the password setting would not be needed, whereas password_confirm_current should be set to true and the current password then sent to the command line. this would improve things on security a bit, i will try it later ;)
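
Added example, not part of the original posts: the driver above interpolates the new password and the admin password into a shell_exec() string, so a password containing a quote or other shell metacharacter changes the command that runs, and --no-check-certificate accepts any TLS certificate. The same remote.cgi call can be made with PHP's curl extension and URL-encoded parameters; the helper name virtualmin_modify_user() is hypothetical, while the endpoint, its parameters and the "success" check are the ones from the posts.

```php
<?php
// Added example: hardened variant of the thread's drivers/virtualmin.php.
// virtualmin_modify_user() is a hypothetical helper name; the remote.cgi
// endpoint, its parameters and the "success" check come from the posts above.

function virtualmin_modify_user($host, $port, $rpwd, $domain, $user, $newpass)
{
    // http_build_query() percent-encodes every value, so characters such as
    // & ' " ; or spaces in a password stay inside the pass= parameter.
    $query = http_build_query(array(
        'program' => 'modify-user',
        'domain'  => $domain,
        'user'    => $user,
        'pass'    => $newpass,
    ), '', '&', PHP_QUERY_RFC3986);

    $ch = curl_init("https://{$host}:" . (int) $port . "/virtual-server/remote.cgi?{$query}");
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPAUTH       => CURLAUTH_BASIC,
        // Credentials go to libcurl directly: no shell, nothing in `ps` output.
        CURLOPT_USERPWD        => 'root:' . $rpwd,
        // Verify the Webmin certificate instead of --no-check-certificate.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 15,
    ));
    $response = curl_exec($ch);
    curl_close($ch);
    return $response; // false on connection or TLS failure
}

function password_save($curpass, $passwd)
{
    $rcmail = rcmail::get_instance();
    $user   = $_SESSION['username'];
    $parts  = explode('_', $user);      // domain_user naming, as in the thread

    $response = virtualmin_modify_user(
        $rcmail->config->get('password_virtualmin_host'),
        $rcmail->config->get('password_virtualmin_port'),
        $rcmail->config->get('password_virtualmin_rpwd'),
        $parts[0], $user, $passwd
    );

    if ($response === false || $response === '')
        return PASSWORD_CONNECT_ERROR;
    // strpos() returns 0 for a match at offset 0, so compare against false.
    return strpos($response, 'success') === false ? PASSWORD_ERROR : PASSWORD_SUCCESS;
}
```

If the Webmin certificate is self-signed, point CURLOPT_CAINFO at it rather than disabling verification.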

Sun, 10/04/2015 - 02:06 (Reply to #10)
Steffan

Can you perhaps post the instructions and code in a file available for download somewhere? I'm definitely interested in beefing up roundcube! Thanks!!

Wed, 10/07/2009 - 10:14
psirac

To improve security you can create extra-admin with only rights for mail administration...

Tue, 02/23/2010 - 12:24
ovidiubica

Hello Hal9000,

Can you elaborate on what exactly does it take to pipe the mail from procmail to managesieve for roundcube filters to work on virtualmin?

Putting :0 w | /usr/lib/dovecot/deliver alone doesn't help much. You mentioned some modifications to dovecot.conf, can you please post here the modifications you made?

Thank you

Wed, 02/24/2010 - 02:43
Hal9000

it's been a while, so i don't quite remember what i did, but this is how my procmailrc looks today

DELIVER=/usr/lib/dovecot/deliver
LOGFILE=/var/log/procmail.log
TRAP=/etc/webmin/virtual-server/procmail-logger.pl
:0wi
VIRTUALMIN=|/etc/webmin/virtual-server/lookup-domain.pl $LOGNAME
:0
* ?/usr/bin/test "$VIRTUALMIN" != ""
{
INCLUDERC=/etc/webmin/virtual-server/procmail/$VIRTUALMIN
}
ORGMAIL=$HOME/Maildir/
DEFAULT=$HOME/Maildir/
DROPPRIVS=yes
:0 w
| $DELIVER
:0
$DEFAULT

please keep in mind that i am running a debian system, so path may differ for other distros. hope this helps...

Wed, 02/24/2010 - 05:22
ovidiubica

I put it just like you did and still no luck.

[root@ns1 ~]# cat /etc/procmailrc
DELIVER=/usr/libexec/dovecot/deliver
LOGFILE=/var/log/procmail.log
TRAP=/etc/webmin/virtual-server/procmail-logger.pl
:0wi
VIRTUALMIN=|/etc/webmin/virtual-server/lookup-domain.pl $LOGNAME
:0
* ?/usr/bin/test "$VIRTUALMIN" != ""
{
INCLUDERC=/etc/webmin/virtual-server/procmail/$VIRTUALMIN
}
DEFAULT=$HOME/Maildir/
ORGMAIL=$HOME/Maildir/
DROPPRIVS=yes
:0 w
| $DELIVER
:0
$DEFAULT

You mentioned something about modifications to /etc/dovecot.conf, can you please post relevant parts of it?

mine looks something like this:


[root@ns1 ~]# dovecot -n
# 1.2.10: /etc/dovecot.conf
# OS: Linux 2.6.18-164.10.1.el5 x86_64 CentOS release 5.4 (Final)
protocols: imap imaps pop3 pop3s managesieve
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
login_executable(managesieve): /usr/libexec/dovecot/managesieve-login
mail_location: maildir:~/Maildir
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_executable(managesieve): /usr/libexec/dovecot/managesieve
mail_plugin_dir(default): /usr/lib64/dovecot/imap
mail_plugin_dir(imap): /usr/lib64/dovecot/imap
mail_plugin_dir(pop3): /usr/lib64/dovecot/pop3
mail_plugin_dir(managesieve): /usr/lib64/dovecot/managesieve
managesieve_implementation_string(default): dovecot
managesieve_implementation_string(imap): dovecot
managesieve_implementation_string(pop3): dovecot
managesieve_implementation_string(managesieve): Cyrus timsieved v2.2.13
lda:
  postmaster_address: postmaster@example.com
auth default:
  passdb:
    driver: pam
  userdb:
    driver: passwd

Wed, 02/24/2010 - 05:24
Hal9000

i have this portion which might be useful, dunno:

protocol managesieve {
  # Login executable location.
  #login_executable = /usr/libexec/dovecot/managesieve-login

  # MANAGESIEVE executable location. See IMAP's mail_executable above for
  # examples how this could be changed.
  #mail_executable = /usr/libexec/dovecot/managesieve

  # Maximum MANAGESIEVE command line length in bytes. This setting is
  # directly borrowed from IMAP. But, since long command lines are very
  # unlikely with MANAGESIEVE, changing this will not be very useful.
  #managesieve_max_line_length = 65536

  # Specifies the location of the symlink pointing to the active script in
  # the sieve storage directory. This must match the SIEVE setting used by
  # deliver (refer to http://wiki.dovecot.org/LDA/Sieve#location for more
  # info). Variable substitution with % is recognized.
  sieve=~/.dovecot.sieve

  # This specifies the path to the directory where the uploaded scripts must
  # be stored. In terms of '%' variable substitution it is identical to
  # dovecot's mail_location setting used by the mail protocol daemons.
  sieve_storage=~/sieve

  # If, for some inobvious reason, the sieve_storage remains unset, the
  # managesieve daemon uses the specification of the mail_location to find out
  # where to store the sieve files (see explaination in README.managesieve).
  # The example below, when uncommented, overrides any global mail_location
  # specification and stores all the scripts in '~/mail/sieve' if sieve_storage
  # is unset. However, you should always use the sieve_storage setting.
  # mail_location = mbox:~/mail

  # To fool managesieve clients that are focused on timesieved you can
  # specify the IMPLEMENTATION capability that the dovecot reports to clients
  # (default: dovecot).
  #managesieve_implementation_string = Cyrus timsieved v2.2.13
}

##
## LDA specific settings
##

protocol lda {
  # Address to use when sending rejection mails.
  postmaster_address = admin@XXXXXX.XXX

  # Hostname to use in various parts of sent mails, eg. in Message-Id.
  # Default is the system's real hostname.
  #hostname =

  # Support for dynamically loadable plugins. mail_plugins is a space separated
  # list of plugins to load.
  mail_plugins = quota
  #mail_plugin_dir = /usr/lib/dovecot/modules/lda

  # Binary to use for sending mails.
  sendmail_path = /usr/sbin/sendmail

  # UNIX socket path to master authentication server to find users.
  #auth_socket_path = /var/run/dovecot/auth-master

  # Enabling Sieve plugin for server-side mail filtering
  mail_plugins = cmusieve
}

again, paths are for a debian system so might need adjustment

Wed, 02/24/2010 - 07:41
ovidiubica

I'm not sure where is the problem but now I see in procmail.log ...

procmail: Program failure (75) of "/usr/libexec/dovecot/deliver"

this looks like a permission problem ?

Wed, 02/24/2010 - 08:50
ovidiubica

Nevermind, I got it working. Just don't ask me how grin

Thanks again for the help.

Wed, 02/24/2010 - 08:52
Hal9000

how? restarted dovecot? ghgh...

Thu, 08/12/2010 - 08:45 (Reply to #19)
koniczynek

for the future generations: look into the damned log files ;)

looking into the procmail.log gave me nothing more than you. But enabling logging in the dovecot's lda protocol gave much info. You need to configure the lda section as follows:

protocol lda {
  # Address to use when sending rejection mails.
  postmaster_address = postmaster@your-nice-domain.com

  # Enabling Sieve plugin for server-side mail filtering
  mail_plugins = sieve
}

These two settings are crucial for the LDA/sieve to work. Be extra cautious - in the mail_plugins there is a cmusieve present, replace it with sieve.

In the /etc/procmailrc file you need to add (at the bottom is fine):

:0 w
|/usr/lib/dovecot/deliver

(paths from ubuntu 10.04)

And now it works like a charm!

Wed, 02/24/2010 - 09:20
ovidiubica

Nah, restarted dovecot hundreds of times. Trial and error I guess. Can't tell for sure what exactly did the job right.

I'll post later the relevant files just in case someone else needs them.

Sun, 10/04/2015 - 02:20 (Reply to #21)
Steffan

This is the link I found that allowed me to use dovecot to work with procmail so I can use some specific plugins:

http://blog.lorenzbausch.de/2013/07/15/virtualmin-enable-sieve-for-dovec...