also sprach Daniel Piddock <dgp-dove@corefiling.co.uk> [2012.08.08.1201 +0200]:

Have you taken a look at Pigeonhole and Sieve? There's experimental support for running spam filters and external commands. You'll need at least 0.3.0 which requires Dovecot 2.1.

Dear list,

here is an update. Indeed, the pigeonhole filters suggested by Daniel were the ticket. It took me a while to figure it all out though. Therefore, for posterity, at least for those running Debian systems:

First, I compiled the extprograms plugin, running into a segfault, which Stephan helped me solve. Essentially, the extprograms are not in Debian, but everything else is (install dovecot-dev!), so I checked out revision 058de395713a [1], ran

./configure --with-dovecot=/usr/lib/dovecot --with-pigeonhole=/usr/include/dovecot/sieve --with-prefix=/usr/local/stow/pigeonhole-extprograms make make install cd /usr/local/stow/ stow pigeonhole-extprograms

1. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684271#10

Since dovecot only allows a single plugin dir to be specified, I had to hack around this by creating a symlink:

ln -s /usr/local/lib/dovecot/sieve /usr/lib/dovecot/modules

Now, after enabling the following in /etc/dovecot/conf.d/90-sieve:

sieve_extensions = +vnd.dovecot.filter sieve_plugins = sieve_extprograms

you should see 'vnd.dovecot.filter' in the dovecot -n output:

dovecot -n | grep vnd.dovecot managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave vnd.dovecot.filter ^^^^^^^^^^^^^^^^^^

I used sieve_global_extensions instead, because I wanted to enable spamc globally for all users using the dovecot LDA, which includes all virtual users on this machine. I also set (in 90-sieve.conf)

sieve_before = /etc/dovecot/sieve.before.d

and then put the following sieve script into /etc/dovecot/sieve.before.d/spamassassin.sieve:

require [ "vnd.dovecot.filter" ]; filter "spamc" [ "--no-safe-fallback" ];

and then ran

sievec spamassassin.sieve && chmod 444 spamassassin.svbin

To tell the LDA where to find the spamc filter, I added (to 90-sieve.conf):

sieve_filter_bin_dir = /etc/dovecot/sieve-filter

and symlinked spamc there

ln -s /usr/bin/spamc /etc/dovecot/sieve-filter/spamc

So far so good, this now works for real system users, but it would not work for virtual users. The reason for that is that while vmm uses UIDs/GIDs above 70000 to tighten permissions per-virtual-user, spamc and spamd were unable to deal with the lack of libnss integration.

Stephan suggested simply to let libnss know about the virtual mail accounts, and I did. After installing libnss-pgsql2 and extending /etc/nsswitch.conf to read

passwd: compat pgsql group: compat pgsql

I wrote the attached configuration file (/etc/nss-pgsql.conf), which I will submit to the vmm project. The advantage is that now, while the users cannot log in, their UIDs/GIDs on the filesystems are properly mapped, and root *can* /bin/su to them (using -s to override the shell).

After a restart of spamd and dovecot, spamc is now run for every user as part of the LDA process before the user's sieve script runs.

Thanks to Stephan for his help. Comments welcome. I hope I did not forget anything.

PS: I know there are good reasons against running a spamfilter post-queue. There are also several reasons for that. The most important for me is that spam is subjective, especially in combination with training, and I never want to reject spam for fear of false positives, and since I do not want to overload the queues of mail servers (like debian.org) that forward to my account.

-- martin | http://madduck.net/ | http://two.sentenc.es/

"the unexamined life is not worth living" -- platon

spamtraps: madduck.bogus@madduck.net