You could send the message to an external program, which checks if the specific IP address is mentioned.
You need to manually activate the pigeonhole extension vnd.dovecot.execute: https://wiki2.dovecot.org/Pigeonhole/Sieve/Plugins/Extprograms and https://wiki2.dovecot.org/Pigeonhole/Sieve
This page links to an RFC describing the action/test execute. https://raw.githubusercontent.com/dovecot/pigeonhole/master/doc/rfc/spec-bos...
Sieve Test:
require [ "vnd.dovecot.execute" ]
if execute :pipe "check4ip.sh" { #actions to process, when check4ip.sh found specific IP action; }
/in/dovecot/defined/path/by/sieve_execute_bin_dir/check4ip.sh
#!/bin/bash
IP='127.0.0.1'
#take standard input and save a grep for $IP as $M
M=cat | grep "$IP"
#exit with success (exit 0) only if $M is not empty if [-z "$M" ]; then exit 1 fi exit 0
A test named pipe exists too, but it doesn't seem to be implemented in pigeonhole? http://mailutils.org/manual/html_chapter/Sieve-Language.html :
Test: pipe [:envelope] [:header] [:body] [:exit code(number)] [:signal code(number)] command(string)
Synopsis:
require "test-pipe";
if pipe command { … }
Description: The pipe test executes a shell command specified by its argument and pipes the entire message (including envelope) to its standard input. When given, tags :envelope, :header, and :body control what parts of the message to pipe to the command.
In the absence of the :exit tag, the test returns true if the command exits with code 0. If :exit is given, the test returns true if the command exits with code equal to its argument.
The :signal tag determines the result of the test in case if the program exits on signal. By default, the test returns false. If :signal is given and the number of signal which caused the program to terminate matches its argument, the test returns true.
On Tue, 2019-04-09 at 18:09 -0600, @lbutlr via dovecot wrote:
On 9 Apr 2019, at 17:07, Joseph Tam via dovecot dovecot@dovecot.org wrote:
On Mon, 8 Apr 2019, @lbutlr wrote:
Really? Where outside the Received headers do IPs appear in your email headers?
Well, let's see. Running a rough grep on 270-message spam folder
# grep -E '^[-A-Za-z0-9]+:.*[^.0-9]{0,1}[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' ~/mail/FN | sort -u -k1,1 -t: Authentication-Results: spf=fail (sender IP is 52.233.28.167)
a better IP regex: \b(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\b
or
\b(?:(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\b
I checked a quarter million messages and all listed a domain in Authentication-result, not an IP, though to be fair some had matches like:
Authentication-Results: hostedmail.net.au; auth=pass smtp.auth=110.232.141.226@out.zuver.net.au
List-Help: http://121.242.224.101/lists/admin/?p=preferences&uid=fb545e011f371409028a40346e99f6ff List-Subscribe: http://121.242.224.101/lists/admin/?p=subscribe List-Unsubscribe: http://121.242.224.101/lists/admin/?p=unsubscribe&uid=fb545e011f371409028a40346e99f6ff&jo=1
I am quite sure I have never seen a mailing list with IPs in those header. But I did check. None. Some false matches along the lines of
List-Unsubscribe: mailto:465465-4654-117-162.xxx.xxx.xxx-gmail@abuse.*munged*.com
Message-ID: 0.0.8.0.1D4BD9273731DDA.4A40C20@scotiabank-ses.com
Not an IP
Received: from sonic308-11.consmr.mail.ne1.yahoo.com (sonic308-11.consmr.mail.ne1.yahoo.com [66.163.187.34])
Yes, I said received.
Received-SPF: pass (google.com: domain of notification@facebookmail.com designates 66.220.155.142 as permitted sender) client-ip=66.220.155.142;
Yes, this is also a Received header, but sure.
<many X-headers>
And I wouldn't count any x-header.
Regardless, I don't think you can search all headers.