How to grant user access to his .dovecot.sieve.log?

Sergey Ivanov seriv at cs.umd.edu
Thu Feb 8 19:19:47 EET 2018


No, it won't work.
"sieve_after" requires the user script to explicitly "keep" the message. If the
script fails, the default action stores the message into INBOX, thus
finishing execution of sieve scripts. So, in the most wanted case, the
"sieve_after" which is supposed to notify the user about problems with his script
will not be called. These logs contain messages about syntax errors which
depend on the exact environment (say, the list of enabled Sieve
extensions). Also they have reports about runtime problems like an absent
folder referenced in the script. It is a bad situation if the user cannot read
these logs.

I see a couple of workarounds.

First: a separate FilterSet which the user can activate to get
.dovecot.sieve.log when he wants. It can be something like
===
$ cat /srv/dovecot/seriv/.dovecot.sieve
require ["vnd.dovecot.execute"];
# rule:[dovecot.sieve.log]
if header :contains "subject" "dovecot.sieve.log"
{
        execute "log_content.sh";
}
===
with
===
$ cat /usr/lib64/dovecot/sieve-extprograms/log_content.sh
#!/bin/bash
# Mail the user's Sieve log to $recipient and empty it. $recipient is assumed
# to be set in the environment; it falls back to the local account name here.
recipient="${recipient:-$USER}"
if test -s "$HOME/.dovecot.sieve.log"; then
  /usr/bin/mailx -s "sieve.log" "$recipient" < "$HOME/.dovecot.sieve.log"
  /usr/bin/echo -n '' > "$HOME/.dovecot.sieve.log"
fi
===

Second: a separate user, say "givemelogs at imap.example.org", on my IMAP
server. When the user sends a request to this address, it replies with the content
of the user's .dovecot.sieve.log, emptying it afterwards. It should have access
to the "SENDER" external variable. If needed, there should be 2-step
authentication against a forged "SENDER": sending a cryptographically strong
token and asking the user to reply with the same token to authorize the request and
the emptying of the log. But isn't it too much complexity for such a thing as looking at
the log?

Yet another way, with the proposed httpd access, can be set up to work with
Apache version 2.4.8+, using "LocationMatch" and an environment
variable set to the matched regex in a "Require User" statement, like:
===
$ cat /etc/httpd/conf.d/userdir.conf
<IfModule mod_userdir.c>
  UserDir /srv/dovecot
  LogLevel debug
  <DirectoryMatch "^/srv/dovecot/(?<WHICHUSER>[^/]+)">
    AllowOverride None
    AuthType Basic
    AuthName 'private logs'
    AuthBasicProvider file
    AuthUserFile /etc/httpd/users
    Require user %{env:MATCH_WHICHUSER}
    SSLRequireSSL
    DirectoryIndex .dovecot.sieve.log
  </DirectoryMatch>
</IfModule>
===
Sure, for this to work in production I will put "AuthBasicProvider ldap" and
authenticate against the same LDAP server as dovecot uses. And I think I
should place these sieve files into a directory separate from the mail directory, like
'/srv/sieve/', so that apache won't get access to mail.

-- 
  Regards,
  Sergey


On Thu, Feb 8, 2018 at 3:43 AM, LuKreme <kremels at kreme.com> wrote:

> On Feb 6, 2018, at 19:53, Sergey Ivanov <seriv at cs.umd.edu> wrote:
> > Answering myself (not yet implemented, but I hope it will work):
> > Using sieve extprograms extension and global "after" script, I can read
> > .dovecot.sieve.log into a sieve variable 'log_content' if this log is not
> > empty. I hope this log will be written before "after" script is called, but
> > will check if it is true.
> > Then using sieve "notify" action with mailto:${user_mailaddress}?
> > body=${log_content}"
>
> Did that work?
>
> --
> This is my signature. There are many like it, but this one is mine.
>
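A hardened variant of the log_content.sh idea in the first workaround, added here as an example and not part of the original post or of Dovecot: it quotes every path, refuses to run with an unset recipient, renames the log aside before mailing it (so lines appended between the read and the truncate are not lost), and takes the recipient from the local account rather than from anything in the triggering message. It assumes only the per-user log path from the post; the function names and the optional mailer argument are the example's own.

```shell
#!/bin/sh
# Example (not from the original post): safer "mail me my Sieve log" script.
# Assumes $HOME/.dovecot.sieve.log is the per-user log, as in the post.
set -u

# Rename LOGFILE to a private temp file in the same directory and print the
# temp path. Returns 1 (prints nothing) when the log is empty or absent.
# Renaming instead of copy-then-truncate means a delivery that appends to the
# log while we are mailing it recreates the file rather than being wiped.
rotate_sieve_log() {
  logfile=$1
  [ -s "$logfile" ] || return 1
  tmp=$(mktemp "${logfile}.XXXXXX") || return 1
  mv -f -- "$logfile" "$tmp" || { rm -f -- "$tmp"; return 1; }
  printf '%s\n' "$tmp"
}

# Mail the rotated log to RECIPIENT using MAILER (default mailx), then delete
# the temp copy. Exit status is the mailer's; an empty log is success.
deliver_sieve_log() {
  logfile=$1
  recipient=$2
  mailer=${3:-/usr/bin/mailx}
  [ -n "$recipient" ] || { echo "no recipient" >&2; return 2; }
  tmp=$(rotate_sieve_log "$logfile") || return 0   # nothing to report
  "$mailer" -s "sieve.log" "$recipient" < "$tmp"
  status=$?
  rm -f -- "$tmp"
  return "$status"
}

# When run as log_content.sh (e.g. via Sieve "execute"), the recipient is the
# account running the script, so a crafted Subject cannot redirect the log.
if [ "${0##*/}" = "log_content.sh" ]; then
  deliver_sieve_log "$HOME/.dovecot.sieve.log" "$(id -un)"
fi
```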