How to do server-wide mail filtering

hinzberlin · July 11, 2018, 6:45am

NethServer Version: 7.5.1804 (final)
Module: Email
Hello,
just the next newbie question after the first was answered so quick
Is it possible to filter emails not at user level but at server level?
Let’s say one special account receives emails from one special customer but I want to forward these emails to another address.
I know, I can create a filter in the first account but I’d like to have those filters in a central place.
I come from hmailserver, there you have general rules and more rules in every account.
Where should those general filtering rules be placed?
Regards
Uwe

mrmarkuz · July 11, 2018, 11:32am

Hi Uwe,

Nethserver uses Sieve for filtering. You may setup rules with roundcube, thunderbird or other clients.

Me too. I still use it in some Windows environments.

hinzberlin · July 11, 2018, 11:59am

Hello Markus,
thank you, you’re very active here
I’m afraid you misunderstood my question: filters I create in roundcube/Thunderbird… are for that special user, they get saved in
/var/lib/nethserver/vmail/USERNAME@example.com/.dovecot.sieve -> sieve/sogo.sieve
(correct me if I’m wrong)
I want to create some rules for the whole server, filter every mail that comes in regardless of address.
Is that possible?

BTW: I’m planning to replace hmailserver because I want to connect the mail/groupware server directly to the dangerous web with all that bad boys and girls waiting to hack my machine. Do you thing nethserver is hard enough for that? (in a DMZ of course)
Regards
Uwe

mrmarkuz · July 11, 2018, 12:16pm

Sieve works for whole domains too:

There are sieve scripts in /var/lib/nethserver/sieve-scripts/. Don’t edit them directly, they are templated. I never tested this but it should be possible. Please share what you find out…

For sure. Shorewall firewall and fail2ban should keep the bad guys out.

hinzberlin · July 12, 2018, 10:27am

Think I’ve got it, I try to tell what I did until now

Nethserver uses the e-smith or SEM-Server template system so I looked in their documentation.
The file, where the server-wide filter settings should be defined:

/var/lib/nethserver/sieve-scripts/before.sieve

This file is created from the template (fragments) files in

/etc/e-smith/templates/var/lib/nethserver/sieve-scripts/before.sieve/

In default nethserver there is only one file 10junkmail which defines the sieve require and the rules to move spam to the Junk folder (GUI setting!)
To change this behaviour I created the same path in /etc/e-smith/templates-custom and placed my own files there.

created the custom template folder

mkdir -p /etc/e-smith/templates-custom/var/lib/nethserver/sieve-scripts/before.sieve

copied the nethserver 10junkmail file here (so this will be used instead of the one in /templates/…)

 cp  /etc/e-smith/templates/var/lib/nethserver/sieve-scripts/before.sieve/10junkmail /etc/e-smith/templates-custom/var/lib/nethserver/sieve-scripts/before.sieve

edited the 10junkmail file to require “copy”, needed for forwarding emails

require ["fileinto", "mailbox", "copy"];

created my own sieve file

echo "#20myfilter" >/etc/e-smith/templates-custom/var/lib/nethserver/sieve-scripts/before.sieve/20myfilter

edited my own filter file 20myfilter to include the first forwarding rule. It’s important to quote the curled braces to avoid the file to be interpreted as perl. Otherwise one gets a message at expanding like:

Unquoted string "contains" may clash with future reserved word

this is how my 20myfilter file looks like:

#20myfilter
if header :contains "subject" "myteststring"
\{
    redirect :copy "archiv@example.com";
\}

again, take care of the backslash in front of the curly braces "\{" !

To compile/expand the sieve config file I fired at the console:

signal-event nethserver-mail-server-save

You may see the output (success or error) in /var/log/messages

Check the resulting sieve config file if your changes are included

more /var/lib/nethserver/sieve-scripts/before.sieve

Send a test message with the subject including myteststring and check /var/log/maillog for success/errors. If the generated sieve syntax has errors, you will see it here.

This is how it works for me but I think it will bring problems, if you decide to disable the “Move to Junk Folder” setting in the backend, because the require line in the generated before.sieve will be missing. But you must not include require ["fileinto", "mailbox", "copy"]; in your own filter file because it would apprear twice in before.sieve and you would see an error in /var/log/mailog

hope this helps someone
Uwe

BTW: It would be nice to find hints on how to format your posting in the FAQ.
I can not format “” and backslash correctly.
Edit: thank you Dan, I reformatted the text, so it looks a lot better.

danb35 · July 12, 2018, 10:40am

mrmarkuz · July 12, 2018, 11:36am

Thanks for this contribution!

I could not reproduce the sieve error in /var/log/maillog, when do you get it? On restarting dovecot or on receiving mails?

hinzberlin · July 12, 2018, 12:01pm

Hello Markus,
when you use the default 10junkmail AND your own 20mailfilters and your 20mailfilters has the line
require [“fileinto”, “mailbox”, “copy”]; as 10junkmail has too
Then the generated /var/lib/nethserver/sieve-scripts/before.sieve will contain two of these lines, one in the 10junkmail part and one in your 20mailfilter part.
Then, when receiving an email, in maillog you get the message:
sieve: before: line 30: require commands can only be placed at top level at the beginning of the file
sieve: before: validation failed
sieve: failed to compile script /var/lib/nethserver/sieve-scripts/before.sieve
and the filters will not trigger at all
Uwe

mrmarkuz · July 12, 2018, 12:20pm

I wonder if we could workaround the require problem with include scripts:

https://wiki2.dovecot.org/Pigeonhole/Sieve/Examples#Include_scripts

This way we still have to change the first require to make the include scripts work but then we may use separate scripts with our own require commands.

If that doesn’t work we may think about an e-smith db property to have the possibility to change the require line in before.sieve.

hinzberlin · July 12, 2018, 12:55pm

What about removing the start of before.sieve and the require line from 10junkmail into a new file 05requires.
In my theory 05requires is always executed, 10junkmail only if the setting “send spam to Junk folder” is active and after that comes our 20mailfilter and every other file.
If you need a new require you will have to add it to 05requires.
But that’s just my newbie theory

mrmarkuz · July 12, 2018, 1:45pm

That’s possible too, but the goal is not to change original templates and not to override templates directly with template-customs with same name because if future system updates change templates it will have no effect.

I think best way for now is to disable Junk folder with

config setprop dovecot SpamFolder ''

and manually add the junkmail rule to your custom 20mailfilter rule if needed. This way you define the require in an additional custom template.

hinzberlin · October 5, 2018, 2:00pm

I just saw that now there is a file
/etc/e-smith/templates/var/lib/nethserver/sieve-scripts/before.sieve/10sieveExtensions
that only includes all the needed sieve extensions and comes first when before.sieve is generated.

So you may copy that file into your custom templates folder and insert all your needed extensions there.
nice!

( I followed my own procedure and today found Errors
Error: sieve: before: line 32: require commands can only be placed at top level at the beginning of the file
in maillog)