sieve_extprograms - run any individual script?

Stephan Bosch stephan at rename-it.nl
Mon Sep 21 22:37:30 UTC 2015


On 9/21/2015 at 2:34 PM, Hajo Locke wrote:
> Hello,
>
> I use sieve extension sieve_extprograms to send incoming mail to some
> script.
> For security reasons it is needed that script-paths etc. are
> registered in dovecot.conf
> This is my current dovecot.conf
>
> plugin {
>   sieve = ~/.dovecot.sieve
>   sieve_plugins = sieve_extprograms
>   sieve_extensions = +vnd.dovecot.pipe +vnd.dovecot.filter +vnd.dovecot.execute
>   sieve_pipe_bin_dir = /usr/local/bin/
>   sieve_filter_bin_dir = /usr/local/bin/
> }
>
> .dovecot.sieve example:
>
> if address "to" "test@example.com"
> {
>         filter "myfilter";
> }

Uhh.. you're pointing extprograms to a directory where many programs can
be installed by default. That is unwise to put it mildly. Do not allow
Sieve to execute random programs like this. Typical use is to point it
to a directory of scripts that check their arguments vigorously for
malicious use, not common system tools.

> This is all working without problems.
> Is there a possibility to allow users the execution of individual
> scripts in own homepath? Some people need to pipe mails to scripts for
> immediate processing (some ticketsystems need this).
> Is there a way to make this possible with sieve?

It is generally not a good idea to let any user just execute any program
they like from Sieve. The LMTP seteuid root privileges are dropped
before executing the program, but still...

About your question: the extprograms plugin currently supports only one
directory for programs. You could use those scripts to execute/include a
script in the user's directory, e.g. based on script parameters. You can
also set sieve_*_bin_dir from userdb, to make these user-specific.

Regards,

Stephan.
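One way to build what Stephan describes, a single vetted wrapper in sieve_pipe_bin_dir that checks its argument rigorously and then runs a script from the user's own home, as an added example that is not Dovecot's or Pigeonhole's code; the wrapper name, the ~/.sieve-scripts layout and the assumption that HOME is set for the delivery user are mine.

```sh
#!/bin/sh
# Hypothetical wrapper (example, not part of Dovecot/Pigeonhole). Installed as the
# only file in a dedicated directory, e.g. /usr/local/lib/dovecot/sieve-pipe/, which
# sieve_pipe_bin_dir points to. Called from Sieve as:
#     pipe :args ["ticket"] "run-user-script";
# The argument names a script in the user's own home; nothing else can be run.
# Assumes HOME is set to the delivery user's home directory.

USER_SCRIPT_DIR="${HOME:-/nonexistent}/.sieve-scripts"   # assumed per-user layout

# Accept only a plain name of letters, digits, '-' and '_' (1..32 chars): this
# rejects path separators, dots (so no '..'), whitespace and shell metacharacters.
validate_script_name() {
    case "$1" in
        '' | *[!A-Za-z0-9_-]* ) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# The target must be an executable regular file owned by the invoking user and
# not writable by group or others, so nobody else can plant code the user runs.
script_is_trusted() {
    f="$1"
    [ -f "$f" ] && [ -x "$f" ] && [ -O "$f" ] || return 1
    [ -z "$(find "$f" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Validate, then hand the message on stdin to the user's script with a clean
# environment. Returns sysexits-style codes; a non-zero exit fails the Sieve action.
run_user_script() {
    validate_script_name "$1" || { echo "run-user-script: bad script name" >&2; return 64; }
    target="$USER_SCRIPT_DIR/$1"
    script_is_trusted "$target" || { echo "run-user-script: refusing $target" >&2; return 77; }
    exec env -i HOME="$HOME" PATH=/usr/bin:/bin "$target"
}

# Dispatch only when installed and invoked under the wrapper's name.
case "${0##*/}" in
    run-user-script) run_user_script "$@" ;;
esac
```

The user keeps their own handlers under ~/.sieve-scripts, mode 0755 and owned by themselves, and their Sieve script only ever names them.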
