File: sieve_extprograms.txt

package info (click to toggle)
dovecot 1:2.2.13-12~deb8u4
  • links: PTS, VCS
  • area: main
  • in suites: jessie
  • size: 38,792 kB
  • sloc: ansic: 341,472; sh: 16,920; makefile: 5,393; cpp: 1,474; perl: 265; xml: 44; python: 34; pascal: 27
file content (175 lines) | stat: -rw-r--r-- 7,255 bytes parent folder | download | duplicates (3)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
Sieve Extprograms plugin for Pigeonhole

Relevant specifications
=======================

	doc/rfc/spec-bosch-sieve-extprograms.txt

Introduction
============

Sieve (RFC 5228) is a highly extensible machine language specifically tailored
for internet message filtering. For the Dovecot Secure IMAP server, Sieve
support is provided by the Pigeonhole Sieve plugin. This package includes a
plugin for Pigeonhole called "sieve_extprograms", which extends the Sieve 
filtering implementation with action commands for invoking a predefined set of
external programs. Messages can be piped to or filtered through those programs
and string data can be input to and retrieved from those programs.

The Sieve language is explicitly designed to be powerful enough to be useful yet
limited in order to allow for a safe server-side filtering system. Therefore,
the base specification of the language makes it impossible for users to do
anything more complex (and dangerous) than write simple mail filters. One of the
consequences of this security-minded design is that users cannot execute
external programs from their mail filter. Particularly for server-side filtering
setups in which mail accounts have no corresponding system account, allowing the
execution of arbitrary programs from the mail filter can be a significant
security risk. However, such functionality can also be very useful, for instance
to easily implement a custom action or external effect that Sieve normally
cannot provide.

The "sieve_extprograms" plugin provides an extension to the Sieve filtering
language adding new action commands for invoking a predefined set of external
programs. To mitigate the security concerns, the external programs cannot be
chosen arbitrarily; the available programs are restricted through administrator
configuration.

This extension is specific to the Pigeonhole Sieve implementation for the
Dovecot Secure IMAP server. It will therefore most likely not be supported by
web interfaces or GUI-based Sieve editors. This extension is primarily meant for
use in small setups or global scripts that are managed by the systems
administrator.

Implementation Status
---------------------

The "vnd.dovecot.pipe", "vnd.dovecot.filter" and "vnd.dovecot.execute" Sieve
language extensions introduced by this plugin are vendor-specific with draft
status and their implementation for Pigeonhole is experimental, which means that
the language extensions are still subject to change and that the current
implementation is not thoroughly tested.

Configuration
=============

The plugin is activated by adding it to the sieve_plugins setting:

sieve_plugins = sieve_extprograms

This plugin registers the "vnd.dovecot.pipe", "vnd.dovecot.filter" and
"vnd.dovecot.execute" extensions with the Sieve interpreter. However, these
extensions are not enabled by default and thus need to be enabled explicitly. It
is recommended to restrict the use of these extensions to global context by
adding these to the "sieve_global_extensions" setting. If personal user scripts
also need to directly access external programs, the extensions need to be added
to the "sieve_extensions" setting. 

The commands introduced by the Sieve language extensions in this plugin can
directly pipe a message or string data to an external program (typically a shell
script) by forking a new process. Alternatively, these can connect to a unix
socket behind which a Dovecot script service is listening to start the external
program, e.g. to execute as a different user or for added security.

The program name specified for the new Sieve "pipe", "filter" and "execute"
commands is used to find the program or socket in a configured directory.
Separate directories are specified for the sockets and the directly executed
binaries. The socket directory is searched first. Since the use of "/" in
program names is prohibited, it is not possible to build a hierarchical
structure.

Directly forked programs are executed with a limited set of environment
variables: HOME, USER, HOST, SENDER, RECIPIENT and ORIG_RECIPIENT. Programs
executed through the script-pipe socket service currently have no environment
set at all.

If a shell script is expected to read a message or string data, it must fully
read the provided input until the data ends with EOF, otherwise the Sieve action
invoking the program will fail. The action will also fail when the shell script
returns a nonzero exit code. Standard output is available for returning a
message (for the filter command) or string data (for the execute command) to the
Sieve interpreter. Standard error is written to the LDA log file. 

The three extensions introduced by this plugin - "vnd.dovecot.pipe",
"vnd.dovecot.filter" and "vnd.dovecot.pipe" - each have separate but similar
configuration. The settings that specify a time period are specified in
s(econds), unless followed by a d(ay), h(our) or m(inute) specifier character.
The following configuration settings are used, for which "<extension>" in the
setting name is replaced by either "pipe", "filter" or "execute" depending on
which extension is being configured.

sieve_<extension>_socket_dir =
  Points to a directory relative to the Dovecot base_dir where the plugin looks
  for script service sockets. 

sieve_<extension>_bin_dir =
  Points to a directory where the plugin looks for programs (shell scripts) to
  execute directly and pipe messages to.

sieve_<extension>_exec_timeout = 10s
  Configures the maximum execution time after which the program is forcefully
  terminated.

Examples
--------

Example 1: socket service for "pipe" and "execute"

plugin {
  sieve = ~/.dovecot.sieve

  sieve_plugins = sieve_extprograms
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute

  # pipe sockets in /var/run/dovecot/sieve-pipe
  sieve_pipe_socket_dir = sieve-pipe        

  # execute sockets in /var/run/dovecot/sieve-execute
  sieve_execute_socket_dir = sieve-execute
}

service sieve-pipe-script {
  # This script is executed for each service connection
  executable = script /usr/lib/dovecot/sieve-extprograms/sieve-pipe-action.sh

  # use some unprivileged user for execution
  user = dovenull

  # socket name is program-name in Sieve (without sieve-pipe/ prefix)
  unix_listener sieve-pipe/sieve-pipe-script {
  }
}

service sieve-execute-action {
  # This script is executed for each service connection
  executable = script /usr/lib/dovecot/sieve-extprograms/sieve-execute-action.sh

  # use some unprivileged user for execution
  user = dovenull

  # socket name is program-name in Sieve (without sieve-execute/ prefix)
  unix_listener sieve-execute/sieve-execute-action {
  }
}

Example 2: direct execution for "pipe" and "filter"

plugin {
  sieve = ~/.dovecot.sieve

  sieve_plugins = sieve_extprograms
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.filter

  # This directory contains the scripts that are available for the pipe command.
  sieve_pipe_bin_dir = /usr/lib/dovecot/sieve-pipe

  # This directory contains the scripts that are available for the filter
  # command.
  sieve_filter_bin_dir = /usr/lib/dovecot/sieve-filter
}

Using
=====

Refer to doc/rfc/spec-bosch-sieve-extprograms.txt for a specification of the
Sieve language extensions.