Hi Konstantin,

There is no sieve for the user (checked his dovecot mail directory, sieve folder is empty and there is no sieve file) and the only global sieve present is regarding the X-Spam-Flag header, which is not the case. There is no login happening for this user and this occur, for sure.

The only thing I can imagine is some e-mail client as you said is holding an old connection open, previously authenticated (before I disabled his login) and moving the messages with some filter. Looking at the logs, it surely looks like an e-mail client software.

I'll take a deeper look into this.

On Wed, Sep 28, 2016 at 10:30 AM, Konstantin Khomoutov < flatworm@users.sourceforge.net> wrote:

On Wed, 28 Sep 2016 10:15:25 -0300 Webert de Souza Lima <webert.boss@gmail.com> wrote:

...

is there any dovecot rule settings besides X-Spam-Flag header? Can it move messages via IMAP?

I have a message that is being moved to spam folder after delivered in the INBOX but it has no X-Spam-Flag and it's not beeing done by the user (I changed his password, suspended his account and made his login impossible).

This happens only when certain "FROM" address is present in the body, like the following message (sent via telnet): [...] Sep 28 13:08:00 lmtp(my.user@my.domain): Info: OOKlA3rA61dNbwAAkzG9Ng: sieve: msgid=unspecified: stored mail into mailbox 'INBOX'

Sep 28 13:08:01 imap(my.user@my.domain): Info: copy from INBOX: box=INBOX.Spam, uid=154, msgid=, size=340, subject=Test

Sep 28 13:08:01 imap(my.user@my.domain): Info: expunge: box=INBOX, uid=18147, msgid=, size=340, subject=Test [...]

Are you sure there's no Sieve script active for this user? (Note that there also could be a global Sieve script or scripts which are executed before/after those of a user.)

And have you really verified nothing logs into the server for sure using that user's credentials (such as a Thunderbird instance with mail filters enabled)? Another thing to check is that this user's INBOX folder is not shared with someone else (if at all possible).

Hello,

it worked just fine. thank your for your help.

After change this user's password and kicked him, I resent the e-mail and it didn't move. Surely he has some MUA set somewhere but he has no clue where.

Thank you for your time.

On Wed, Sep 28, 2016 at 11:13 AM, Aki Tuomi <aki.tuomi@dovecot.fi> wrote:

Hi,

you could try doveadm who and doveadm kick. These might help you out.

Aki

...

On September 28, 2016 at 4:39 PM Webert de Souza Lima < webert.boss@gmail.com> wrote:

Hi Konstantin,

There is no sieve for the user (checked his dovecot mail directory, sieve folder is empty and there is no sieve file) and the only global sieve present is regarding the X-Spam-Flag header, which is not the case. There is no login happening for this user and this occur, for sure.

The only thing I can imagine is some e-mail client as you said is holding an old connection open, previously authenticated (before I disabled his login) and moving the messages with some filter. Looking at the logs, it surely looks like an e-mail client software.

I'll take a deeper look into this.

On Wed, Sep 28, 2016 at 10:30 AM, Konstantin Khomoutov < flatworm@users.sourceforge.net> wrote:

...

On Wed, 28 Sep 2016 10:15:25 -0300 Webert de Souza Lima <webert.boss@gmail.com> wrote:

...

is there any dovecot rule settings besides X-Spam-Flag header? Can it move messages via IMAP?

I have a message that is being moved to spam folder after delivered in the INBOX but it has no X-Spam-Flag and it's not beeing done by the user (I changed his password, suspended his account and made his login impossible).

This happens only when certain "FROM" address is present in the body, like the following message (sent via telnet): [...] Sep 28 13:08:00 lmtp(my.user@my.domain): Info: OOKlA3rA61dNbwAAkzG9Ng: sieve: msgid=unspecified: stored mail into mailbox 'INBOX'

Sep 28 13:08:01 imap(my.user@my.domain): Info: copy from INBOX: box=INBOX.Spam, uid=154, msgid=, size=340, subject=Test

Sep 28 13:08:01 imap(my.user@my.domain): Info: expunge: box=INBOX, uid=18147, msgid=, size=340, subject=Test [...]

Are you sure there's no Sieve script active for this user? (Note that there also could be a global Sieve script or scripts which are executed before/after those of a user.)

And have you really verified nothing logs into the server for sure using that user's credentials (such as a Thunderbird instance with mail filters enabled)? Another thing to check is that this user's INBOX folder is not shared with someone else (if at all possible).