diff --git a/content/blog/mail_server_alpine_postfix_dovecot_tutorial/index.md b/content/blog/mail_server_alpine_postfix_dovecot_tutorial/index.md index 6a05ccb..aa48f4a 100644 --- a/content/blog/mail_server_alpine_postfix_dovecot_tutorial/index.md +++ b/content/blog/mail_server_alpine_postfix_dovecot_tutorial/index.md @@ -224,6 +224,7 @@ following TCP ports are open on your firewall: | 465 | Email message submission over TLS | | 587 | Email message submission | | 993 | IMAPS (IMAP over TLS) | +| 4190 | ManageSieve | ## Obtain a TLS certificate @@ -1307,6 +1308,11 @@ instance](#a-note-on-my-dns-records), this is `master.revsuine.xyz`). TrustedAuthservIDs mail.domain.com ``` +This specifies that OpenDMARC should trust authentication results from `mail.domain.com`. Otherwise you would get the +following error message in your syslog: + + ignoring Authentication-Results at 1 from mail.domain.com + Enable `RejectFailures`, which means your server will comply with `p=reject` in DMARC DNS records. ```conf @@ -1388,6 +1394,10 @@ Authentication-Results: master.revsuine.xyz; dkim=pass (2048-bit key; secure) header.d=protonmail.com header.i=@protonmail.com header.a=rsa-sha256 header.s=protonmail3 header.b=nc4YWVM/ ``` + + ### Test SPF, DKIM, and DMARC You can use [mail-tester.com](https://www.mail-tester.com/) and send an email from your domain to check that SPF, DKIM, @@ -1619,6 +1629,136 @@ X-Spam-Status: Yes, score=999.802 tagged_above=2 required=6.2 URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no ``` +# Pigeonhole + +Dovecot can do server-side mail filtering with sieve scripts. These are user scripts that can perform actions on mail +based on particular criteria, e.g. + +```sieve +require "fileinto"; + +if address :is "to" "postmaster@revsuine.xyz" { + fileinto "Postmaster"; +} +``` + +Places mail in the `Postmaster` folder if the `To:` field is `postmaster@revsuine.xyz`. You also can do things +unconditionally, like + +```sieve +redirect postmaster@revsuine.xyz; +``` + +unconditionally redirects all mail to `postmaster@revsuine.xyz`. + +Sieve scripts can be both per-user and system-wide. + +For more examples, [this page](https://doc.dovecot.org/main/howto/sieve.html) has some good examples. + +## Installing and setting up Pigeonhole + +To use Sieve, install `dovecot-pigeonhole-plugin`: + + # apk add dovecot-pigeonhole-plugin + +Then edit `/etc/dovecot/conf.d/20-lmtp.conf`, and add the `sieve` plugin like so: + +```conf +protocol lmtp { + # Space separated list of plugins to load (default is global mail_plugins). + mail_plugins = $mail_plugins sieve +} +``` + +To configure Pigeonhole and sieve, edit `/etc/dovecot/conf.d/90-sieve.conf`. Sieve's options will be configured in the +`plugin {}` block in this file. + +We can set the location of user sieve scripts with the `sieve` option. + +```conf +sieve = file:~/sieve;active=~/.dovecot.sieve +``` + +means that `~/sieve` is a directory of sieve scripts, whilst `~/.dovecot.sieve` is a symlink to the "active" one, e.g. + +``` +sieve +├── script1.sieve +├── script2.sieve +└── script3.sieve +``` + +could be your `~/sieve/` directory, and to make `script2.sieve` active, you would do + + $ ln -s ~/sieve/script2.sieve ~/.dovecot.sieve + +`sieve_before` defines a directory of sieve scripts which will be executed *prior* to any user scripts. e.g. + +```conf +sieve_before = /etc/dovecot/sieve +``` + +means that the sieve scripts in `/etc/dovecot/sieve` will be executed first, then the user's personal scripts at +`~/.dovecot.sieve`. + +You can specify multiple directories in order, like so: + +```conf +sieve_before = /var/lib/dovecot/sieve.d/ +sieve_before2 = ldap:/etc/sieve-ldap.conf;name=ldap-domain +sieve_before3 = /etc/dovecot/sieve +``` + +etc. The `sieve_after` option also exists, and works the same way. + +This is not the same as `sieve_default`, which is *overridden* by user sieve scripts and only executes when a user has +no sieve script. + +## ManageSieve + +Users can configure their own user sieve scripts using a protocol called ManageSieve. Like how IMAP allows users to +read their emails without having shell access to the mail server, ManageSieve allows users to write sieve scripts +without requiring shell access. + +To enable ManageSieve, edit `/etc/dovecot/conf.d/20-managesieve.conf`. Make sure the following line is uncommented: + +```conf +protocols = $protocols sieve +``` + +By default, ManageSieve will listen on port 4190. + +## Sieve scripts for spam filtering + +Let's use a system-wide sieve script to file SpamAssassin-marked spam into a Spam folder. Create an +`/etc/dovecot/sieve/` directory, and add it to your `sieve_before` settings: + +```conf +plugin { + ... + sieve_before = /etc/dovecot/sieve/ + ... +} +``` + +Now create a new sieve script, `/etc/dovecot/sieve/spam_folder.sieve`: + +```sieve +require ["fileinto", "mailbox"]; +if header :contains "X-Spam-Flag" "YES" { + fileinto :create "Spam"; +} +``` + +Replace `"Spam"` with the name of your spam folder. If it's a subfolder, e.g. + +``` +Inbox +└── Spam +``` + +you would write `"Inbox.Spam"` in that case. + # Miscellaneous suggestions You may want to get your domain whitelisted on [dnswl.org](https://www.dnswl.org/), an email whitelist service where