1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
|
Compiling
=========
If you downloaded the sources using Mercurial, you will need to execute
./autogen.sh first to build the automake structure in your source tree. This
process requires autotools and libtool to be installed.
If you installed Dovecot from sources, Pigeonhole's configure script should be
able to find the installed dovecot-config automatically:
./configure
make
sudo make install
If your system uses a $prefix different than the default /usr/local, the
configure script can still find the installed dovecot-config automatically when
supplied with the proper --prefix argument:
./configure --prefix=/usr
make
sudo make install
If this doesn't work, you can use --with-dovecot=<path> configure option, where
the path points to a directory containing dovecot-config file. This can point to
an installed file:
./configure --with-dovecot=/usr/local/lib/dovecot
make
sudo make install
or to a Dovecot source directory that is already compiled:
./configure --with-dovecot=../dovecot-2.1.0
make
sudo make install
The following additional parameters may be of interest for the configuration of
the Pigeonhole build:
--with-managesieve=yes
Controls whether Pigeonhole ManageSieve is compiled and installed, which is
the default.
--with-unfinished-features=no
Controls whether unfinished features and extensions are built. Enabling this
will enable the compilation of code that is considered unfinished and highly
experimental and may therefore introduce bugs and unexpected behavior.
In fact, it may not compile at all. Enable this only when you are eager to
test some of the new development functionality.
--with-ldap=no
Controls wether Sieve LDAP support is built. This allows retrieving Sieve
scripts from an LDAP database. When set to `yes', support is built in. When
set to `plugin', LDAP support is compiled into a Sieve plugin called
`sieve_storage_ldap'.
Configuration
=============
The Pigeonhole package provides the following items:
- The Sieve interpreter plugin for Dovecot's Local Delivery Agent (LDA): This
facilitates the actual Sieve filtering upon delivery.
- The ManageSieve Service: This implements the ManageSieve protocol through
which users can remotely manage Sieve scripts on the server.
The functionality of these items is described in more detail in the README file.
In this file and in this section their configuration is described. Example
configuration files are provided in the doc/example-config directory of this
package.
Sieve Interpreter - Script Locations
------------------------------------
The Sieve interpreter can retrieve Sieve scripts from several types of
locations. The default `file' location type is a local filesystem path pointing
to a Sieve script file or a directory containing multiple Sieve script files.
More complex setups can use other location types such as `ldap' or `dict' to
fetch Sieve scripts from remote databases.
All settings that specify the location of one ore more Sieve scripts accept the
following syntax:
location = [<type>:]path[;<option>[=<value>][;...]]
The following script location types are implemented by default:
file - The location path is a file system path pointing to the script file
or a directory containing script files with names structured as
`<script-name>.sieve'. Read doc/locations/file.txt for more
information and examples.
dict - The location path is a Dovecot dict uri. Read doc/locations/dict.txt
for more information and examples.
ldap - LDAP database lookup. The location path is a configuration file with
LDAP options. Read doc/locations/ldap.txt for more information
and examples.
If the type prefix is omitted, the script location type is 'file' and the
location is interpreted as a local filesystem path pointing to a Sieve script
file or directory.
The following options are defined for all location types:
name=<script-name>
Set the name of the Sieve script that this location points to. If the name
of the Sieve script is not contained in the location path and the
location of a single script is specified, this option is required
(e.g. for dict locations that must point to a particular script).
If the name of the script is contained in the location path, the value of
the name option overrides the name retrieved from the location. If the Sieve
interpreter explicitly queries for a specific name (e.g. to let the Sieve
"include" extension retrieve a script from the sieve_global= location),
this option has no effect.
bindir=<dirpath>
Points to the directory where the compiled binaries for this script location
are stored. This directory is created automatically if possible. If this
option is omitted, the behavior depends on the location type. For `file'
type locations, the binary is then stored in the same directory as where the
script file was found if possible. For `dict' type locations, the binary is
not stored at all in that case. Don't specify the same directory for
different script locations, as this will result in undefined behavior.
Multiple mail users can share a single script directory if the script
location is the same and all users share the same system credentials (uid,
gid).
Sieve Interpreter - Basic Configuration
---------------------------------------
To use Sieve, you will first need to make sure you are using Dovecot LDA
or Dovecot LMTP for delivering incoming mail to users' mailboxes. Then, you need
to enable the Sieve interpreter plugin for LDA/LMTP in your dovecot.conf:
protocol lda {
..
mail_plugins = sieve # ... other plugins like quota
}
protocol lmtp {
..
mail_plugins = sieve # ... other plugins like quota
}
The Sieve interpreter recognizes the following configuration options in the
plugin section of the config file (default values are shown if applicable):
sieve = file:~/sieve;active=~/.dovecot.sieve
The location of the user's main Sieve script or script storage. The LDA
Sieve plugin uses this to find the active script for Sieve filtering at
delivery. The "include" extension uses this location for retrieving
:personal" scripts.
This location is also where the ManageSieve service will store the user's
scripts, if supported by the location type. For the 'file' location type, the
location will then be the path to the storage directory for all the user's
personal Sieve scripts. ManageSieve maintains a symbolic link pointing to
the currently active script (the script executed at delivery). The location
of this symbolic link can be configured using the `;active=<path>' option.
sieve_default =
The location of the default personal sieve script file, which gets executed
ONLY if user's private Sieve script does not exist, e.g.
/var/lib/dovecot/default.sieve. This is usually a global script, so be sure
to pre-compile this script manually using the sievec command line tool, as
explained in the README file. This setting used to be called
`sieve_global_path', but that name is now deprecated.
sieve_default_name =
The name by which the default Sieve script is visible to ManageSieve
clients. Normally, it is not visible at all. See "Visible Default Script"
section below for more information.
sieve_global =
Location for :global include scripts for the Sieve include extension. This
setting used to be called `sieve_global_dir', but that name is now
deprecated.
sieve_discard =
The location of a Sieve script that is run for any message that is about to
be discarded; i.e., it is not delivered anywhere by the normal Sieve
execution. This only happens when the "implicit keep" is canceled, by e.g.
the "discard" action, and no actions that deliver the message are executed.
This "discard script" can prevent discarding the message, by executing
alternative actions. If the discard script does nothing, the message is still
discarded as it would be when no discard script is configured.
sieve_extensions =
Which Sieve language extensions are available to users. By default, all
supported extensions are available, except for deprecated extensions or those
that are still under development. Some system administrators may want to
disable certain Sieve extensions or enable those that are not available by
default. This setting can use '+' and '-' to specify differences relative to
the default. For example `sieve_extensions = +imapflags' will enable the
deprecated imapflags extension in addition to all extensions were already
enabled by default.
sieve_global_extensions =
Which Sieve language extensions are ONLY avalable in global scripts. This can
be used to restrict the use of certain Sieve extensions to administrator
control, for instance when these extensions can cause security concerns. This
setting has higher precedence than the `sieve_extensions' setting (above),
meaning that the extensions enabled with this setting are never available to
the user's personal script no matter what is specified for the
`sieve_extensions' setting. The syntax of this setting is similar to
the `sieve_extensions' setting, with the difference that extensions are
enabled or disabled for exclusive use in global scripts. Currently, no
extensions are marked as such by default.
sieve_implicit_extensions =
Which Sieve language extensions are implicitly available to users. The
extensions listed in this setting do not need to be enabled explicitly using
the Sieve "require" command. This behavior directly violates the Sieve
standard, but can be necessary for compatibility with some existing
implementations of Sieve (notably jSieve). Do not use this setting unless you
really need to! The syntax and semantics of this setting are otherwise
identical to the `sieve_extensions' setting
sieve_plugins =
The Pigeonhole Sieve interpreter can have plugins of its own. Using this
setting, the used plugins can be specified. Check the Dovecot wiki
(wiki2.dovecot.org) or the pigeonhole website (http://pigeonhole.dovecot.org)
for available plugins. The `sieve_extprograms' plugin is included in this
release. LDAP support may also be compiled as a plugin called
`sieve_storage_ldap'.
sieve_user_email =
The primary e-mail address for the user. This is used as a default when no
other appropriate address is available for sending messages. If this setting
is not configured, either the postmaster or null "<>" address is used as a
sender, depending on the action involved. This setting is important when
there is no message envelope to extract addresses from, such as when the
script is executed in IMAP.
sieve_user_log =
The path to the file where the user log file is written. If not configured, a
default location is used. If the main user's personal Sieve (as configured
with sieve=) is a file, the logfile is set to <filename>.log by default. If
it is not a file, the default user log file is ~/.dovecot.sieve.log.
recipient_delimiter = +
The separator that is expected between the :user and :detail address parts
introduced by the subaddress extension. This may also be a sequence of
characters (e.g. '--'). The current implementation looks for the separator
from the left of the localpart and uses the first one encountered. The :user
part is left of the separator and the :detail part is right. This setting is
also used by Dovecot's LMTP service.
sieve_redirect_envelope_from = sender
Specifies what envelope sender address is used for redirected messages.
Normally, the Sieve "redirect" command copies the sender address for the
redirected message from the processed message. So, the redirected message
appears to originate from the original sender. The following values are
supported for this setting:
"sender" - The sender address is used (default).
"recipient" - The final recipient address is used.
"orig_recipient" - The original recipient is used.
"user_email" - The user's primary address is used. This is
configured with the "sieve_user_email" setting. If
that setting is unconfigured, "user_mail" is equal to
"sender" (the default).
"postmaster" - The postmaster_address configured for the LDA.
"<user@domain>" - Redirected messages are always sent from user@domain.
The angle brackets are mandatory. The null "<>" address
is also supported.
When the envelope sender of the processed message is the null address "<>",
the envelope sender of the redirected message is also always "<>",
irrespective of what is configured for this setting.
sieve_redirect_duplicate_period = 12h
In an effort to halt potential mail loops, the Sieve redirect action records
identifying information for messages it has forwarded. If a duplicate message
is seen, it is not redirected and the message is discarded; i.e., the
implicit keep is canceled. This setting configures the period during which
the identifying information is recorded. If an account forwards many
messages, it may be necessary to lower this setting to prevent the
~/.dovecot.lda-dupes database file (in which these are recorded) from growing
to an impractical size.
For example:
plugin {
...
# The include extension fetches the :personal scripts from this
# directory. When ManageSieve is used, this is also where scripts
# are uploaded.
sieve = file:~/sieve
# If the user has no personal active script (i.e. if the location
# indicated in sieve= settings does have and active script or does not exist),
# use this one:
sieve_default = /var/lib/dovecot/sieve/default.sieve
# The include extension fetches the :global scripts from this
# directory.
sieve_global = /var/lib/dovecot/sieve/global/
}
Sieve Interpreter - Configurable Limits
---------------------------------------
The settings that specify a period are specified in s(econds), unless followed
by a d(ay), h(our), or m(inute) specifier character.
sieve_max_script_size = 1M
The maximum size of a Sieve script. The compiler will refuse to compile any
script larger than this limit. If set to 0, no limit on the script size is
enforced.
sieve_max_actions = 32
The maximum number of actions that can be performed during a single script
execution. If set to 0, no limit on the total number of actions is enforced.
sieve_max_redirects = 4
The maximum number of redirect actions that can be performed during a single
script execution. If set to 0, no redirect actions are allowed.
sieve_max_cpu_time = 30s
The maximum amount of CPU time that a Sieve script is allowed to use while
executing. If the execution exceeds this resource limit, the script ends with
an error, causing the implicit "keep" action to be executed. This limit is
not only enforced for a single script execution, but also cumulatively for
the last executions within a configurable timeout
(see sieve_resource_usage_timeout).
sieve_resource_usage_timeout = 1h
To prevent abuse, the Sieve interpreter can record resource usage of a Sieve
script execution in the compiled binary if it is significant. Currently, this
happens when CPU system + user time exceeds 1.5 seconds for one execution.
Such high resource usage is summed over time in the binary and once that
cumulative resource usage exceeds the limits (sieve_max_cpu_time), the Sieve
script is disabled in the binary for future execution, even if an individual
execution exceeded no limits. If the last time high resource usage was
recorded is older than sieve_resource_usage_timeout, the resource usage in
the binary is reset. This means that the Sieve script is only disabled when
the limits are cumulatively exceeded within this timeout. With the default
configuration this means that the Sieve script is only disabled when the
total CPU time of Sieve executions that lasted more than 1.5 seconds exceeds
30 seconds in the last hour. A disabled Sieve script can be reactivated by
the user by uploading a new version of the Sieve script after the excessive
resource usage times out. An administrator can force reactivation by forcing
a script compile (e.g. using the sievec command line tool).
Sieve Interpreter - Per-user Sieve Script Location
--------------------------------------------------
By default, the Pigeonhole LDA Sieve plugin looks for the user's Sieve script
file in the user's home directory (~/.dovecot.sieve). This requires that the
home directory is set for the user.
If you want to store the script elsewhere, you can override the default using
the sieve= setting, which specifies the location of the user's script file. This
can be done in two ways:
1. Define the sieve setting in the plugin section of dovecot.conf.
2. Return sieve extra field from userdb extra fields.
For example, to use a Sieve script file named <username>.sieve in
/var/sieve-scripts, use:
plugin {
...
sieve = /var/sieve-scripts/%u.sieve
}
You may use templates like %u, as shown in the example. Refer to
http://wiki.dovecot.org/Variables for more information.
A relative path (or just a filename) will be interpreted to point under the
user's home directory.
Sieve Interpreter - Executing Multiple Scripts Sequentially
-----------------------------------------------------------
Pigeonhole's Sieve interpreter allows executing multiple Sieve scripts
sequentially. The extra scripts can be executed before and after the user's
private script. For example, this allows executing global Sieve policies before
the user's script. The following settings in the plugin section of the Dovecot
config file control the execution sequence:
sieve_before =
sieve_before2 =
sieve_before3 = (etc..)
Location Sieve of scripts that need to be executed before the user's personal
script. If a 'file' location path points to a directory, all the Sieve
scripts contained therein (with the proper `.sieve' extension) are executed.
The order of execution within that directory is determined by the file names,
using a normal 8bit per-character comparison.
Multiple script locations can be specified by appending an increasing number
to the setting name. The Sieve scripts found from these locations are added
to the script execution sequence in the specified order. Reading the numbered
sieve_before settings stops at the first missing setting, so no numbers may
be skipped.
sieve_after =
sieve_after2 =
sieve_after3 = (etc..)
Identical to sieve_before, but the specified scripts are executed after the
user's script (only when keep is still in effect, as explained below).
The script execution ends when the currently executing script in the sequence
does not yield a "keep" result: when the script terminates, the next script is
only executed if an implicit or explicit "keep" is in effect. Thus, to end all
script execution, a script must not execute keep and it must cancel the implicit
keep, e.g. by executing "discard; stop;". This means that the command "keep;"
has different semantics when used in a sequence of scripts. For normal Sieve
execution, "keep;" is equivalent to "fileinto "INBOX";", because both cause the
message to be stored in INBOX. However, in sequential script execution, it only
controls whether the next script is executed. Storing the message into INBOX
(the default folder) is not done until the last script in the sequence executes
(implicit) keep. To force storing the message into INBOX earlier in the
sequence, the fileinto command can be used (with ":copy" or together with
"keep;").
Apart from the keep action, all actions triggered in a script in the sequence
are executed before continuing to the next script. This means that when a script
in the sequence encounters an error, actions from earlier executed scripts are
not affected. The sequence is broken however, meaning that the script execution
of the offending script is aborted and no further scripts are executed. An
implicit keep is executed instead if necessary, meaning that the interpreter
makes sure that the message is at least stored in the default folder (INBOX).
Just as for executing a single script the normal way, the Pigeonhole LDA Sieve
plugin takes care never to duplicate deliveries, forwards or responses. When
vacation actions are executed multiple times in different scripts, the usual
error is not triggered: the subsequent duplicate vacation actions are simply
discarded.
For example:
plugin {
...
# Global scripts executed before the user's personal script.
# E.g. handling messages marked as dangerous
sieve_before = /var/lib/dovecot/sieve/discard-virusses.sieve
# Domain-level scripts retrieved from LDAP
sieve_before2 = ldap:/etc/dovecot/sieve-ldap.conf;name=ldap-domain
# User-specific scripts executed before the user's personal script.
# E.g. a vacation script managed through a non-ManageSieve GUI.
sieve_before3 = /var/vmail/%d/%n/sieve-before
# User-specific scripts executed after the user's personal script.
# (if keep is still in effect)
# E.g. user-specific default mail filing rules
sieve_after = /var/vmail/%d/%n/sieve-after
# Global scripts executed after the user's personal script
# (if keep is still in effect)
# E.g. default mail filing rules.
sieve_after2 = /var/lib/dovecot/sieve/after.d/
}
IMPORTANT: The scripts specified by sieve_before and sieve_after are often
located in global locations to which the Sieve interpreter has no write access
to store the compiled binaries. In that case, be sure to manually pre-compile
those scripts using the sievec tool, as explained in the README file.
Sieve Interpreter - Visible Default Script
------------------------------------------
The `sieve_default=' setting specifies the location of a default script that
is executed when the user has no active personal script. Normally, this
default script is invisible to the user; i.e., it is not listed in ManageSieve.
To give the user the ability to see and read the default script, it is possible
to make it visible under a specific configurable name using the
`sieve_default_name' setting.
ManageSieve will magically list the default script under that name, even though
it does not actually exist in the user's normal script storage location. This
way, the ManageSieve client can see that it exists and it can retrieve its
contents. If no normal script is active, the default is always listed as active.
The user can replace the default with a custom script, by uploading it under the
default script's name. If that custom script is ever deleted, the default script
will reappear from the shadows implicitly.
This way, ManageSieve clients will not need any special handling for this
feature. If the name of the default script is equal to the name the client uses
for the main script, it will initially see and read the default script when the
user account is freshly created. The user can edit the script, and when the
edited script is saved through the ManageSieve client, it will will override the
default script. If the user ever wants to revert to the default, the user only
needs to delete the edited script and the default will reappear.
The name by which the default script will be known is configured using the
`sieve_default_name' setting. Of course, the `sieve_default' setting needs to
point to a valid script location as well for this to work. If the default script
does not exist at the indicated location, it is not shown.
For example:
plugin {
...
sieve = file:~/sieve;active=~/.dovecot.sieve
sieve_default = /var/lib/dovecot/sieve/default.sieve
sieve_default_name = roundcube
}
Sieve Interpreter - Extension Configuration
-------------------------------------------
- Editheader extension:
The editheader extension [RFC5293] enables sieve scripts to interact with
other components that consume or produce header fields by allowing the script
to delete and add header fields.
The editheader extension requires explicit configuration and is not enabled
for use by default. Refer to doc/extensions/editheader.txt for configuration
information.
- Vacation extension:
The Sieve vacation extension [RFC5230] defines a mechanism to generate
automatic replies to incoming email messages.
The vacation extension is available by default, but it has its own specific
configuration options. Refer to doc/extensions/vacation.txt for settings
specific to the vacation extension.
- Variables extension:
The Sieve variables extension [RFC5229] adds the concept of variables to the
Sieve language.
The variables extension is available by default, but it has its own specific
configuration options. Refer to doc/extensions/variables.txt for settings
specific to the variables extension.
- Include extension:
The Sieve include extension (draft) permits users to include one Sieve script
into another.
The include extension is available by default, but it has its own specific
configuration options. Refer to doc/extensions/include.txt for settings
specific to the include extension.
- Spamtest and virustest extensions:
Using the spamtest and virustest extensions (RFC 5235), the Sieve language
provides a uniform and standardized command interface for evaluating spam and
virus tests performed on the message. Users no longer need to know what headers
need to be checked and how the scanner's verdict is represented in the header
field value. They only need to know how to use the spamtest (spamtestplus) and
virustest extensions. This also gives GUI-based Sieve editors the means to
provide a portable and easy to install interface for spam and virus filter
configuration.
The spamtest, spamtestplus and virustest extensions require explicit
configuration and are not enabled for use by default. Refer to
doc/extensions/spamtest-virustest.txt for configuration information.
- Duplicate extension:
The duplicate extension augments the Sieve filtering implementation with a
test that facilitates detecting and handling duplicate message deliveries,
e.g. as caused by mailinglists when people reply both to the mailinglist and
the user directly.
Refer to doc/extensions/vnd.dovecot.duplicate.txt for configuration
information.
- Dovecot environment extension:
The vnd.dovecot.environment extension builds on the standard environment
extension. It adds a few extra environment items that are useful for Sieve
scripts used by Dovecot.
Refer to doc/extensions/vnd.dovecot.environment.txt for more information.
- Extprograms plugin;
vnd.dovovecot.pipe, vnd.dovecot.filter, vnd.dovecot.execute extensions:
The "sieve_extprograms" plugin provides extensions to the Sieve filtering
language adding new action commands for invoking a predefined set of external
programs. Messages can be piped to or filtered through those programs and
string data can be input to and retrieved from those programs.
This plugin and the extensions it provides require explicit configuration and
are not enabled for use by default. Refer to doc/plugins/sieve_extprograms.txt
for more information.
- Imapsieve plugins
The "sieve_imapsieve" Sieve plugin and the "imap_sieve" IMAP plugin add Sieve
support to IMAP.
Refer to doc/plugins/imapsieve.txt for more information.
- IMAP Filter Sieve plugin
The "imap_filter_sieve" plugin adds the ability to manually invoke Sieve
filtering in IMAP.
Refer to doc/plugins/imap_filter_sieve.txt for more information.
Sieve Interpreter - Trace Debugging
-----------------------------------
Trace debugging provides detailed insight in the operations performed by
the Sieve script. Messages about what the Sieve script is doing are written
to the specified directory.
WARNING: On a busy server, this functionality can quickly fill up the trace
directory with a lot of trace files. Enable this only temporarily and as
selective as possible.
The following settings apply to both the LDA Sieve plugin and the IMAPSIEVE
plugin:
sieve_trace_dir =
The directory where trace files are written. Trace debugging is disabled if
this setting is not configured or if the directory does not exist. If the
path is relative or it starts with "~/" it is interpreted relative to the
current user's home directory.
sieve_trace_level =
The verbosity level of the trace messages. Trace debugging is disabled if
this setting is not configured. Possible values are:
"actions" - Only print executed action commands, like keep, fileinto,
reject and redirect.
"commands" - Print any executed command, excluding test commands.
"tests" - Print all executed commands and performed tests.
"matching" - Print all executed commands, performed tests and the values
matched in those tests.
sieve_trace_debug = no
Enables highly verbose debugging messages that are usually only useful for
developers.
sieve_trace_addresses = no
Enables showing byte code addresses in the trace output, rather than only
the source line numbers.
Sieve Interpreter - Migration from CMUSieve (Dovecot v1.0/v1.1)
---------------------------------------------------------------
For the most part, migration from CMUSieve to the Pigeonhole LDA Sieve plugin is
just a matter of changing the used plugin name from 'cmusieve' to 'sieve' in the
mail_plugins option in the protocol lda section of the config file (as explained
above). However, there are a few important differences:
* The imapflags extension is now called imap4flags. The CMUSieve implementation
is based on an old draft specification that is not completely compatible.
Particularly, the mark and unmark commands were removed from the new
specification. For backwards compatibility, support for the old imapflags
extension can be enabled using the sieve_extensions setting (as explained
above). This is disabled by default.
* The notify extension is now called enotify. The CMUSieve implementation is
based on an old draft specification that is not completely compatible.
Particularly, the denotify command and $text$ substitutions were removed from
the new specification. For backwards compatibility, support for the old
imapflags extension can be enabled using the sieve_extensions setting (as
explained above). This is disabled by default.
* The include extension now requires your script file names to end with
".sieve". This means that ` include :personal "myscript"; ' won't work unless
you rename "myscript" to "myscript.sieve"
Sieve Interpreter - Migration from Dovecot Sieve v0.1.x (Dovecot v1.2)
----------------------------------------------------------------------
* Dovecot v2.0 adds support for LMTP. Much like the Dovecot LDA, it can make
use of the Pigeonhole Sieve plugin. Since the LMTP service has its own
prototocol lmtp section in the config file, you need to add the Sieve plugin
to the mail_plugins setting there too when you decide to use LMTP.
* The 'sieve_subaddress_sep' setting for the Sieve subaddress extension is now
known as 'recipient_delimiter'. Although sieve_subaddress_sep is still
recognized for backwards compatibility, it is recommended to update the
setting to the new name, since the LMTP service also uses the
recipient_delimiter setting.
ManageSieve Service - Basic Configuration
-----------------------------------------
IMPORTANT:
If you have used the LDA Sieve plugin without ManageSieve before and you have
.dovecot.sieve files in user directories, you are advised to make a backup
before installing ManageSieve. Although the ManageSieve service takes care to
move these files to the Sieve directory before it is substituted with a
symbolic link, this is not a very well tested operation, meaning that there is
a slim possibility that existing Sieve scripts get lost.
Just like all other binaries that Dovecot uses, the managesieve and
managesieve-login binaries are installed during make install.
There are two things that have be done to activate the ManageSieve support in
Dovecot:
* The first step is to add `sieve' to the protocols= configuration line in
your dovecot.conf.
* The next step is specifying an additional service type for the ManageSieve
service. This could be done in Dovecot's conf.d/master.conf or you can use
the 20-managesieve.conf file from the doc/example-config/conf.d directory of
this package.
For example:
service managesieve-login {
inet_listener sieve {
port = 4190
}
}
Because the implementation of the ManageSieve daemon is largely based on the
original IMAP implementation, it is very similar in terms of configuration. The
following settings can be configured in the 'protocol sieve' section:
managesieve_max_line_length = 65536
The maximum ManageSieve command line length in bytes. This setting is
directly borrowed from IMAP. But, since long command lines are very unlikely
with ManageSieve, changing this will not be very useful.
managesieve_logout_format = bytes=%i/%o
Specifies the string pattern used to compose the logout message of an
authenticated session. The following substitutions are available:
%i - total number of bytes read from client
%o - total number of bytes sent to client
managesieve_implementation_string = Dovecot Pigeonhole
To fool ManageSieve clients that are focused on CMU's timesieved, you can
specify the IMPLEMENTATION capability that the Dovecot reports to clients
(e.g. 'Cyrus timsieved v2.2.13').
managesieve_max_compile_errors = 5
The maximum number of compile errors that are returned to the client upon
script upload or script verification.
managesieve_sieve_capability =
managesieve_notify_capability =
Respectively the SIEVE and NOTIFY capabilities reported by the ManageSieve
service before authentication. If left unassigned these will be assigned
dynamically according to what the Sieve interpreter supports by default
(after login this may differ depending on the authenticated user).
Additionally, the ManageSieve service uses the following settings from the
plugin section of the config file. These settings are the same ones used by
the LDA Sieve plugin.
sieve = file:~/sieve;active=~/.dovecot.sieve
This specifies the location where the scripts that are uploaded through
ManageSieve are stored. During delivery, the LDA Sieve plugin uses this
location setting to find the active script for Sieve filtering. The Sieve
"include" extension uses this location for retrieving ":personal" scripts.
If the location type does not allow uploading scripts, the ManageSieve
service cannot be used. Currently, only the 'file' location type supports
ManageSieve.
For the 'file' location type:
* The location is the path to the storage directory for all the user's
personal Sieve scripts. Scripts are stored as separate files with
extension .sieve. All other files are ignored when scripts are listed
by a ManageSieve client. The storage directory is always generated
automatically if it does not exist (as far as the system permits the
user to do so; no root privileges are used). This is similar to the
behavior of the mail daemons regarding the mail_location configuration.
* ManageSieve maintains a symbolic link pointing to the currently active
script (the script executed at delivery). The location of this symbolic
link can be configured using the ;active=<path> option. If a regular
file already exists at the location specified by in the ;active=<path>
location option, it is moved to the storage directory before the
symbolic link is installed. It is renamed to dovecot.orig.sieve and
therefore listed as dovecot.orig by a ManageSieve client.
NOTE: It is not wise to place this active symbolic link inside your
mail store, as it may be mistaken for a mail folder. Inside a
maildir for instance, the default .dovecot.sieve would show up
as phantom folder /dovecot/sieve in your IMAP tree.
For Pigeonhole versions before v0.3.1, this setting can only be a
filesystem path pointing to a script file, or - when ManageSieve is used -
it is the location of the symbolic link pointing to the active script in
the storage directory. That storage directory is then configured using the
deprecated `sieve_dir' setting.
The following provides an example configuration for Sieve and ManageSieve. Only
sections and settings relevant to ManageSieve are shown. Refer to
20-managesieve.conf in the doc/example-config/conf.d directory for a full
example with comments, but don't forget to configure Sieve and add sieve to the
'protocols = ...' setting if you use it.
# *** conf.d/20-managesieve.conf ***
service managesieve-login {
inet_listener sieve {
# Bind the daemon only to the specified address(es)
# (default: *, ::)
address = 127.0.0.1
# Specify an alternative port the daemon must listen on
# (default: 4190)
port = 2000
}
}
protocol sieve {
managesieve_max_compile_errors = 10
}
# *** conf.d/90-sieve.conf ***
plugin {
sieve=file:~/sieve;active=~/.dovecot.sieve
}
# *** dovecot.conf ***
# .... (other config items)
# Start imap, pop3, lmtp and managesieve services
protocols = imap pop3 lmtp sieve
# .... (other config items)
ManageSieve Service - Quota Support
-----------------------------------
By default, users can manage an unlimited number of Sieve scripts on the server
through ManageSieve. However, ManageSieve can be configured to enforce limits on
the number of personal Sieve scripts per user and/or the amount of disk storage
used by these scripts. The maximum size of individual uploaded scripts is
dictated by the configuration of the Sieve plugin. The limits are configured in
the plugin section of the Dovecot configuration as follows:
sieve_max_script_size = 1M
The maximum size of a Sieve script. If set to 0, no limit on the script size
is enforced.
sieve_quota_max_scripts = 0
The maximum number of personal Sieve scripts a single user can have. If set
to 0, no limit on the number of scripts is enforced.
sieve_quota_max_storage = 0
The maximum amount of disk storage a single user's scripts may occupy. If set
to 0, no limit on the used amount of disk storage is enforced.
ManageSieve Service - Proxying
------------------------------
Like Dovecot's imapd, the ManageSieve login daemon supports proxying to multiple
backend servers. Although the underlying code is copied from the imapd sources
for the most part, it has some ManageSieve-specifics that have not seen much
testing.
The proxy configuration wiki page for POP3 and IMAP should apply to ManageSieve
as well:
http://wiki.dovecot.org/PasswordDatabase/ExtraFields/Proxy
ManageSieve Service - Migration
-------------------------------
The following has changed since the ManageSieve releases for Dovecot v1.x:
* For Dovecot v1.0 and v1.1, the sieve_dir setting used by ManageSieve was
called sieve_storage. Also, the sieve and sieve_storage settings were located
inside the 'protocol managesieve' section of the configuration. As per
Dovecot v1.2, these settings are shared with the Sieve plugin and located in
the 'plugin' section of the configuration. Make sure you have updated the
name of the sieve_dir setting and the location of both these settings if you
are upgrading from ManageSieve for Dovecot v1.0/v1.1.
* Pigeonhole ManageSieve does not use the mail_location configuration as a
fall-back anymore to determine a default location for storing Sieve scripts.
It always uses the sieve_dir setting, with default value ~/sieve.
* The Pigeonhole ManageSieve service now binds to TCP port 4190 by default due
to the IANA port assignment for the ManageSieve service. When upgrading from
v1.x, this should be taken into account. For a smooth transition, the service
can be configured manually to listen on both port 2000 and port 4190, as
demonstrated in the example above.
* The Dovecot configuration now calls the ManageSieve protocol 'sieve' instead
of 'managesieve' because it is registered as such with IANA. The binaries and
the services are still called 'managesieve' and 'managesieve-login'. The
example above demonstrates how this affects the configuration.
Test Suite
==========
This package includes a test suite to verify the basic processing of the Sieve
interpreter on your particular platform. Note that the test suite is not
available when this package is compiled against the Dovecot headers only. The
test suite executes a list of test cases and halts when one of them fails. If it
executes all test cases successfully, the test suite finishes. You can execute
the basic test suite using `make test`, which does not include the plugins. You
can test the plugins using `make test-plugins`.
A failing test case is always a bug and a report is greatly appreciated.
|