How to do server-wide mail filtering


(Uwe) #1

NethServer Version: 7.5.1804 (final)
Module: Email
just the next newbie question after the first was answered so quick :smile:
Is it possible to filter emails not at user level but at server level?
Let’s say one special account receives emails from one special customer but I want to forward these emails to another address.
I know, I can create a filter in the first account but I’d like to have those filters in a central place.
I come from hmailserver, there you have general rules and more rules in every account.
Where should those general filtering rules be placed?

(Markus Neuberger) #2

Hi Uwe,

Nethserver uses Sieve for filtering. You may setup rules with roundcube, thunderbird or other clients.

Me too. I still use it in some Windows environments.

(Uwe) #3

Hello Markus,
thank you, you’re very active here :+1:
I’m afraid you misunderstood my question: filters I create in roundcube/Thunderbird… are for that special user, they get saved in
/var/lib/nethserver/vmail/ -> sieve/sogo.sieve
(correct me if I’m wrong)
I want to create some rules for the whole server, filter every mail that comes in regardless of address.
Is that possible?

BTW: I’m planning to replace hmailserver because I want to connect the mail/groupware server directly to the dangerous web with all that bad boys and girls waiting to hack my machine. Do you thing nethserver is hard enough for that? (in a DMZ of course)

(Markus Neuberger) #4

Sieve works for whole domains too:

There are sieve scripts in /var/lib/nethserver/sieve-scripts/. Don’t edit them directly, they are templated. I never tested this but it should be possible. Please share what you find out…

For sure. Shorewall firewall and fail2ban should keep the bad guys out.

(Uwe) #5

Think I’ve got it, I try to tell what I did until now

Nethserver uses the e-smith or SEM-Server template system so I looked in their documentation.
The file, where the server-wide filter settings should be defined:


This file is created from the template (fragments) files in


In default nethserver there is only one file 10junkmail which defines the sieve require and the rules to move spam to the Junk folder (GUI setting!)
To change this behaviour I created the same path in /etc/e-smith/templates-custom and placed my own files there.

created the custom template folder

mkdir -p /etc/e-smith/templates-custom/var/lib/nethserver/sieve-scripts/before.sieve

copied the nethserver 10junkmail file here (so this will be used instead of the one in /templates/…)

 cp  /etc/e-smith/templates/var/lib/nethserver/sieve-scripts/before.sieve/10junkmail /etc/e-smith/templates-custom/var/lib/nethserver/sieve-scripts/before.sieve

edited the 10junkmail file to require “copy”, needed for forwarding emails

require ["fileinto", "mailbox", "copy"];

created my own sieve file

echo "#20myfilter" >/etc/e-smith/templates-custom/var/lib/nethserver/sieve-scripts/before.sieve/20myfilter

edited my own filter file 20myfilter to include the first forwarding rule. It’s important to quote the curled braces to avoid the file to be interpreted as perl. Otherwise one gets a message at expanding like:

Unquoted string "contains" may clash with future reserved word

this is how my 20myfilter file looks like:

if header :contains "subject" "myteststring"
    redirect :copy "";

again, take care of the backslash in front of the curly braces "\{" !

To compile/expand the sieve config file I fired at the console:

signal-event nethserver-mail-server-save

You may see the output (success or error) in /var/log/messages

Check the resulting sieve config file if your changes are included

more /var/lib/nethserver/sieve-scripts/before.sieve

Send a test message with the subject including myteststring and check /var/log/maillog for success/errors. If the generated sieve syntax has errors, you will see it here.

This is how it works for me but I think it will bring problems, if you decide to disable the “Move to Junk Folder” setting in the backend, because the require line in the generated before.sieve will be missing. But you must not include require ["fileinto", "mailbox", "copy"]; in your own filter file because it would apprear twice in before.sieve and you would see an error in /var/log/mailog

hope this helps someone

BTW: It would be nice to find hints on how to format your posting in the FAQ.
I can not format “” and backslash correctly.
Edit: thank you Dan, I reformatted the text, so it looks a lot better.

(Dan) #6

(Markus Neuberger) #7

Thanks for this contribution!

I could not reproduce the sieve error in /var/log/maillog, when do you get it? On restarting dovecot or on receiving mails?

(Uwe) #8

Hello Markus,
when you use the default 10junkmail AND your own 20mailfilters and your 20mailfilters has the line
require [“fileinto”, “mailbox”, “copy”]; as 10junkmail has too
Then the generated /var/lib/nethserver/sieve-scripts/before.sieve will contain two of these lines, one in the 10junkmail part and one in your 20mailfilter part.
Then, when receiving an email, in maillog you get the message:
sieve: before: line 30: require commands can only be placed at top level at the beginning of the file
sieve: before: validation failed
sieve: failed to compile script /var/lib/nethserver/sieve-scripts/before.sieve
and the filters will not trigger at all

(Markus Neuberger) #9

I wonder if we could workaround the require problem with include scripts:

This way we still have to change the first require to make the include scripts work but then we may use separate scripts with our own require commands.

If that doesn’t work we may think about an e-smith db property to have the possibility to change the require line in before.sieve.

(Uwe) #10

What about removing the start of before.sieve and the require line from 10junkmail into a new file 05requires.
In my theory 05requires is always executed, 10junkmail only if the setting “send spam to Junk folder” is active and after that comes our 20mailfilter and every other file.
If you need a new require you will have to add it to 05requires.
But that’s just my newbie theory :smile:

(Markus Neuberger) #11

That’s possible too, but the goal is not to change original templates and not to override templates directly with template-customs with same name because if future system updates change templates it will have no effect.

I think best way for now is to disable Junk folder with

config setprop dovecot SpamFolder ''

and manually add the junkmail rule to your custom 20mailfilter rule if needed. This way you define the require in an additional custom template.