content/blog/mail_server_alpine_postfix_dovecot_tutorial.md: pigeonhole section

revsuine 2024-11-24 00:50:18 +00:00
parent 4d580d21e8
commit 3b2361ef62
Signed by: revsuine
GPG key ID: 3F257B68F5BC9339


@ -224,6 +224,7 @@ following TCP ports are open on your firewall:
| 465 | Email message submission over TLS | | 465 | Email message submission over TLS |
| 587 | Email message submission | | 587 | Email message submission |
| 993 | IMAPS (IMAP over TLS) | | 993 | IMAPS (IMAP over TLS) |
| 4190 | ManageSieve |
## Obtain a TLS certificate ## Obtain a TLS certificate
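Review bot: the new `| 4190 | ManageSieve |` row is terser than its neighbours, which say what the port carries (e.g. `| 993 | IMAPS (IMAP over TLS) |`); suggest `| 4190 | ManageSieve (remote management of user Sieve scripts) |`. Since the ManageSieve section comes much later in the tutorial, a short remark that this port only needs opening if ManageSieve is actually enabled would keep readers from exposing a service they do not use.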
@ -1307,6 +1308,11 @@ instance](#a-note-on-my-dns-records), this is `master.revsuine.xyz`).
TrustedAuthservIDs mail.domain.com TrustedAuthservIDs mail.domain.com
``` ```
This specifies that OpenDMARC should trust authentication results from `mail.domain.com`. Otherwise you would get the
following error message in your syslog:
ignoring Authentication-Results at 1 from mail.domain.com
Enable `RejectFailures`, which means your server will comply with `p=reject` in DMARC DNS records. Enable `RejectFailures`, which means your server will comply with `p=reject` in DMARC DNS records.
```conf ```conf
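Review bot: the syslog line `ignoring Authentication-Results at 1 from mail.domain.com` is added as bare prose while the `TrustedAuthservIDs mail.domain.com` setting just above it sits in a fenced block; put the log line in its own fence so it is visibly program output rather than part of the explanation. It would also help to say in the same sentence that the value must match the authserv-id your own filters write into `Authentication-Results` (the hunk's surrounding text names it as the host, e.g. `master.revsuine.xyz`), since that is what makes the results trustworthy rather than merely silencing the error.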
@ -1388,6 +1394,10 @@ Authentication-Results: master.revsuine.xyz;
dkim=pass (2048-bit key; secure) header.d=protonmail.com header.i=@protonmail.com header.a=rsa-sha256 header.s=protonmail3 header.b=nc4YWVM/ dkim=pass (2048-bit key; secure) header.d=protonmail.com header.i=@protonmail.com header.a=rsa-sha256 header.s=protonmail3 header.b=nc4YWVM/
``` ```
<!--
TODO: switch SPF filter to a milter e.g. https://www.acme.com/software/spfmilter/ so that SPF isn't checked twice
-->
### Test SPF, DKIM, and DMARC ### Test SPF, DKIM, and DMARC
You can use [mail-tester.com](https://www.mail-tester.com/) and send an email from your domain to check that SPF, DKIM, You can use [mail-tester.com](https://www.mail-tester.com/) and send an email from your domain to check that SPF, DKIM,
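Review bot: the `TODO: switch SPF filter to a milter ... so that SPF isn't checked twice` is hidden in an HTML comment, so readers of the rendered tutorial never learn that SPF is currently evaluated twice, which affects what they will see in the `Authentication-Results` headers discussed directly above. Either surface it as a visible caveat in the text or track it as an issue instead of leaving it in the document source.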
@ -1619,6 +1629,136 @@ X-Spam-Status: Yes, score=999.802 tagged_above=2 required=6.2
URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
``` ```
# Pigeonhole
Dovecot can do server-side mail filtering with sieve scripts. These are user scripts that can perform actions on mail
based on particular criteria, e.g.
```sieve
require "fileinto";
if address :is "to" "postmaster@revsuine.xyz" {
fileinto "Postmaster";
}
```
Places mail in the `Postmaster` folder if the `To:` field is `postmaster@revsuine.xyz`. You also can do things
unconditionally, like
```sieve
redirect postmaster@revsuine.xyz;
```
unconditionally redirects all mail to `postmaster@revsuine.xyz`.
Sieve scripts can be both per-user and system-wide.
For more examples, [this page](https://doc.dovecot.org/main/howto/sieve.html) has some good examples.
## Installing and setting up Pigeonhole
To use Sieve, install `dovecot-pigeonhole-plugin`:
# apk add dovecot-pigeonhole-plugin
Then edit `/etc/dovecot/conf.d/20-lmtp.conf`, and add the `sieve` plugin like so:
```conf
protocol lmtp {
# Space separated list of plugins to load (default is global mail_plugins).
mail_plugins = $mail_plugins sieve
}
```
To configure Pigeonhole and sieve, edit `/etc/dovecot/conf.d/90-sieve.conf`. Sieve's options will be configured in the
`plugin {}` block in this file.
We can set the location of user sieve scripts with the `sieve` option.
```conf
sieve = file:~/sieve;active=~/.dovecot.sieve
```
means that `~/sieve` is a directory of sieve scripts, whilst `~/.dovecot.sieve` is a symlink to the "active" one, e.g.
```
sieve
├── script1.sieve
├── script2.sieve
└── script3.sieve
```
could be your `~/sieve/` directory, and to make `script2.sieve` active, you would do
$ ln -s ~/sieve/script2.sieve ~/.dovecot.sieve
`sieve_before` defines a directory of sieve scripts which will be executed *prior* to any user scripts. e.g.
```conf
sieve_before = /etc/dovecot/sieve
```
means that the sieve scripts in `/etc/dovecot/sieve` will be executed first, then the user's personal scripts at
`~/.dovecot.sieve`.
You can specify multiple directories in order, like so:
```conf
sieve_before = /var/lib/dovecot/sieve.d/
sieve_before2 = ldap:/etc/sieve-ldap.conf;name=ldap-domain
sieve_before3 = /etc/dovecot/sieve
```
etc. The `sieve_after` option also exists, and works the same way.
This is not the same as `sieve_default`, which is *overridden* by user sieve scripts and only executes when a user has
no sieve script.
## ManageSieve
Users can configure their own user sieve scripts using a protocol called ManageSieve. Like how IMAP allows users to
read their emails without having shell access to the mail server, ManageSieve allows users to write sieve scripts
without requiring shell access.
To enable ManageSieve, edit `/etc/dovecot/conf.d/20-managesieve.conf`. Make sure the following line is uncommented:
```conf
protocols = $protocols sieve
```
By default, ManageSieve will listen on port 4190.
## Sieve scripts for spam filtering
Let's use a system-wide sieve script to file SpamAssassin-marked spam into a Spam folder. Create an
`/etc/dovecot/sieve/` directory, and add it to your `sieve_before` settings:
```conf
plugin {
...
sieve_before = /etc/dovecot/sieve/
...
}
```
Now create a new sieve script, `/etc/dovecot/sieve/spam_folder.sieve`:
```sieve
require ["fileinto", "mailbox"];
if header :contains "X-Spam-Flag" "YES" {
fileinto :create "Spam";
}
```
Replace `"Spam"` with the name of your spam folder. If it's a subfolder, e.g.
```
Inbox
└── Spam
```
you would write `"Inbox.Spam"` in that case.
# Miscellaneous suggestions # Miscellaneous suggestions
You may want to get your domain whitelisted on [dnswl.org](https://www.dnswl.org/), an email whitelist service where You may want to get your domain whitelisted on [dnswl.org](https://www.dnswl.org/), an email whitelist service where
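Review bot: in the unconditional example, `redirect postmaster@revsuine.xyz;` is not valid Sieve: `redirect` takes a quoted string argument, so it should read `redirect "postmaster@revsuine.xyz";` (compare the quoted address in the `address :is "to" "postmaster@revsuine.xyz"` example just above it). Two smaller points in the same hunk: the `# apk add dovecot-pigeonhole-plugin` and `$ ln -s ~/sieve/script2.sieve ~/.dovecot.sieve` commands are unfenced while every other snippet in the section is in a fenced block; and the closing `"Inbox.Spam"` advice presents `.` as the hierarchy separator, whereas that is governed by the `separator` setting of the Dovecot `namespace` block, so tell the reader to use whatever separator their namespace is configured with.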