From 3b2361ef62f36b1bc3fa10fd58e4a72defbd0aa5 Mon Sep 17 00:00:00 2001
From: revsuine
Date: Sun, 24 Nov 2024 00:50:18 +0000
Subject: [PATCH] content/blog/mail_server_alpine_postfix_dovecot_tutorial.md: pigeonhole section
---
 .../index.md | 140 ++++++++++++++++++
 1 file changed, 140 insertions(+)
diff --git a/content/blog/mail_server_alpine_postfix_dovecot_tutorial/index.md b/content/blog/mail_server_alpine_postfix_dovecot_tutorial/index.md
index 6a05ccb..aa48f4a 100644
--- a/content/blog/mail_server_alpine_postfix_dovecot_tutorial/index.md
+++ b/content/blog/mail_server_alpine_postfix_dovecot_tutorial/index.md
@@ -224,6 +224,7 @@ following TCP ports are open on your firewall:
 | 465 | Email message submission over TLS |
 | 587 | Email message submission |
 | 993 | IMAPS (IMAP over TLS) |
+| 4190 | ManageSieve |
 ## Obtain a TLS certificate
@@ -1307,6 +1308,11 @@ instance](#a-note-on-my-dns-records), this is `master.revsuine.xyz`).
 TrustedAuthservIDs mail.domain.com
 ```
+This specifies that OpenDMARC should trust authentication results from `mail.domain.com`. Otherwise you would get the
+following error message in your syslog:
+
+ ignoring Authentication-Results at 1 from mail.domain.com
+
 Enable `RejectFailures`, which means your server will comply with `p=reject` in DMARC DNS records.
 ```conf
@@ -1388,6 +1394,10 @@ Authentication-Results: master.revsuine.xyz; dkim=pass (2048-bit key; secure) header.d=protonmail.com header.i=@protonmail.com header.a=rsa-sha256 header.s=protonmail3 header.b=nc4YWVM/
 ```
+
+
 ### Test SPF, DKIM, and DMARC
 You can use [mail-tester.com](https://www.mail-tester.com/) and send an email from your domain to check that SPF, DKIM,
@@ -1619,6 +1629,136 @@ X-Spam-Status: Yes, score=999.802 tagged_above=2 required=6.2 URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
 ```
+# Pigeonhole
+
+Dovecot can do server-side mail filtering with sieve scripts. These are user scripts that can perform actions on mail
+based on particular criteria, e.g.
+
+```sieve
+require "fileinto";
+
+if address :is "to" "postmaster@revsuine.xyz" {
+ fileinto "Postmaster";
+}
+```
+
+Places mail in the `Postmaster` folder if the `To:` field is `postmaster@revsuine.xyz`. You also can do things
+unconditionally, like
+
+```sieve
+redirect postmaster@revsuine.xyz;
+```
+
+unconditionally redirects all mail to `postmaster@revsuine.xyz`.
+
+Sieve scripts can be both per-user and system-wide.
+
+For more examples, [this page](https://doc.dovecot.org/main/howto/sieve.html) has some good examples.
+
+## Installing and setting up Pigeonhole
+
+To use Sieve, install `dovecot-pigeonhole-plugin`:
+
+ # apk add dovecot-pigeonhole-plugin
+
+Then edit `/etc/dovecot/conf.d/20-lmtp.conf`, and add the `sieve` plugin like so:
+
+```conf
+protocol lmtp {
+ # Space separated list of plugins to load (default is global mail_plugins).
+ mail_plugins = $mail_plugins sieve
+}
+```
+
+To configure Pigeonhole and sieve, edit `/etc/dovecot/conf.d/90-sieve.conf`. Sieve's options will be configured in the
+`plugin {}` block in this file.
+
+We can set the location of user sieve scripts with the `sieve` option.
+
+```conf
+sieve = file:~/sieve;active=~/.dovecot.sieve
+```
+
+means that `~/sieve` is a directory of sieve scripts, whilst `~/.dovecot.sieve` is a symlink to the "active" one, e.g.
+
+```
+sieve
+├── script1.sieve
+├── script2.sieve
+└── script3.sieve
+```
+
+could be your `~/sieve/` directory, and to make `script2.sieve` active, you would do
+
+ $ ln -s ~/sieve/script2.sieve ~/.dovecot.sieve
+
+`sieve_before` defines a directory of sieve scripts which will be executed *prior* to any user scripts. e.g.
+
+```conf
+sieve_before = /etc/dovecot/sieve
+```
+
+means that the sieve scripts in `/etc/dovecot/sieve` will be executed first, then the user's personal scripts at
+`~/.dovecot.sieve`.
+
+You can specify multiple directories in order, like so:
+
+```conf
+sieve_before = /var/lib/dovecot/sieve.d/
+sieve_before2 = ldap:/etc/sieve-ldap.conf;name=ldap-domain
+sieve_before3 = /etc/dovecot/sieve
+```
+
+etc. The `sieve_after` option also exists, and works the same way.
+
+This is not the same as `sieve_default`, which is *overridden* by user sieve scripts and only executes when a user has
+no sieve script.
+
+## ManageSieve
+
+Users can configure their own user sieve scripts using a protocol called ManageSieve. Like how IMAP allows users to
+read their emails without having shell access to the mail server, ManageSieve allows users to write sieve scripts
+without requiring shell access.
+
+To enable ManageSieve, edit `/etc/dovecot/conf.d/20-managesieve.conf`. Make sure the following line is uncommented:
+
+```conf
+protocols = $protocols sieve
+```
+
+By default, ManageSieve will listen on port 4190.
+
+## Sieve scripts for spam filtering
+
+Let's use a system-wide sieve script to file SpamAssassin-marked spam into a Spam folder. Create an
+`/etc/dovecot/sieve/` directory, and add it to your `sieve_before` settings:
+
+```conf
+plugin {
+ ...
+ sieve_before = /etc/dovecot/sieve/
+ ...
+}
+```
+
+Now create a new sieve script, `/etc/dovecot/sieve/spam_folder.sieve`:
+
+```sieve
+require ["fileinto", "mailbox"];
+if header :contains "X-Spam-Flag" "YES" {
+ fileinto :create "Spam";
+}
+```
+
+Replace `"Spam"` with the name of your spam folder. If it's a subfolder, e.g.
+
+```
+Inbox
+└── Spam
+```
+
+you would write `"Inbox.Spam"` in that case.
+
 # Miscellaneous suggestions
 You may want to get your domain whitelisted on [dnswl.org](https://www.dnswl.org/), an email whitelist service where