1

Topic: Sieve rule for forwarded emails only

Hello again!

I have a situation and want to create a sieve rule to fix the problem. But I'm having problems creating this rule.

Scenario:
- email from spammer@spammer.com to user@mydomain.com
- Amavis marks the message as spam (Subject: [SPAM] ...)
- user@mydomain.com set to FORWARD his e-mails to otheraccount@gmail.com
- Amavis processes the email from spammer@spammer.com to otheraccount@gmail.com

I want to block forwards to external servers if message was marked as spam.

My idea is to create a sieve rule like this: "if spamscore>5 and recipient domain is not in "my domain list" and destination domain is not in "my domain list" -- discard" (I think that's the way to identify a real forward).

Detail: user needs to receive the spam locally (.Junk folder) but won't receive the message in his external account.

This way I'll prevent Gmail from blocking me as a spammer.

Any ideas on how to begin?

Thank you!!


2

Re: Sieve rule for forwarded emails only

Real examples in log:

Feb  5 19:11:09 sol amavis[27655]: (27655-03) Passed SPAM {RelayedTaggedInternal}, MYUSERS LOCAL [89.203.242.129]:48535 [89.203.242.129] <bounce@novaesperancaseguros.com.br> -> <user1@uol.com.br>, Queue-ID: B8CE717A41C, Message-ID: <be47455d09a7be0cc2d2166607a9b863@novaesperancaseguros.com.br>, mail_id: gOGqPc0FAxZL, Hits: 19.464, size: 10416, queued_as: 08AF817A424, 3051 ms

Feb  5 19:13:08 sol amavis[27655]: (27655-05) Passed SPAM {RelayedTaggedInternal}, MYUSERS LOCAL [179.43.186.186]:50962 [179.43.186.186] <bounce@informativoamil.com.br> -> <user2@hotmail.com>, Queue-ID: AE51017A41C, Message-ID: <cb7d84184f1090c9b6af355230603d4b@informativoamil.com.br>, mail_id: 6QLZBGVVKE32, Hits: 10.412, size: 17955, queued_as: 5A2BB17A427, 2385 ms

* none of the domains (from and to) are mine

3

Re: Sieve rule for forwarded emails only

I'm reading a lot on Google.

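Maybe something like this? Am I on the right track?

require "envelope";
# Message was flagged as spam by the content filter
if header :contains "X-Spam-Flag" ["YES"] {
  # Envelope sender is not in one of my domains (substring match)
  if not envelope :contains "From" ["mydomain1.com","mydomain2.com"] {
     # Envelope recipient is not in one of my domains (substring match)
     if not envelope :contains "To" ["mydomain1.com","mydomain2.com"] {
        discard;
        stop;
     }
  }
}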

*or*

require "envelope";
if header :contains "X-Spam-Flag" ["YES"] {
  if not envelope :domain "From" ["mydomain1.com","mydomain2.com"] {
     if not envelope :domain "To" ["mydomain1.com","mydomain2.com"] {
        discard;
        stop;
     }
  }
}

(domain, instead of substring)

4

Re: Sieve rule for forwarded emails only

InWeb wrote:

Feb  5 19:11:09 sol amavis[27655]: (27655-03) Passed SPAM {RelayedTaggedInternal}, MYUSERS LOCAL [89.203.242.129]:48535 [89.203.242.129] <bounce@novaesperancaseguros.com.br> -> <user1@uol.com.br>, Queue-ID: B8CE717A41C, Message-ID: <be47455d09a7be0cc2d2166607a9b863@novaesperancaseguros.com.br>, mail_id: gOGqPc0FAxZL, Hits: 19.464, size: 10416, queued_as: 08AF817A424, 3051 ms

Since Amavisd already detected spam, how about simply discarding it, or quarantining it into the SQL database?

After spam/virus scanning, Amavisd will re-inject the scanned email into Postfix. Postfix will expand the alias immediately (user@mydomain.com -> otheraccount@gmail.com; iRedMail implements mail forwarding as an alias in the Postfix parameter virtual_alias_maps), then send the email to the forwarded email address (otheraccount@gmail.com). The message won't be passed to the LDA (Dovecot LDA or LMTP), so the sieve rule won't be executed at all.

There's only one way to implement your idea:

*) Set up mail forwarding with the sieve command 'redirect' (with Roundcube webmail, Settings -> Filters) instead of iRedAdmin-Pro.
*) Then set up sieve rules as you pasted in your post.

Here's the full mail flow:

Sender sends email -> Postfix accepts it -> Postfix passes it to Amavisd for spam/virus scanning -> Amavisd re-injects the scanned email into Postfix -> Postfix rewrites addresses, e.g. expands alias accounts (note: no forwarding here since we use the sieve command for forwarding) -> Postfix passes the mail to the local mail delivery agent (Dovecot LDA or LMTP) -> Dovecot LDA/LMTP executes sieve rules

5

Re: Sieve rule for forwarded emails only

That's the problem, the user wants to receive the message marked as spam in his LOCAL account, but not in the external email that receives only copies of "good" messages.

If I understand, the best way is to not configure the email forward in the Postfix tables and create one sieve filter to "redirect" all messages not marked as spam? In this case, the rule is on a per-user basis, right?

Thanks

6

Re: Sieve rule for forwarded emails only

InWeb wrote:

That's the problem, the user wants to receive the message marked as spam in his LOCAL account, but not in the external email that receives only copies of "good" messages.

I didn't see a conflict here. Detect whether it's spam or not (mail header: 'X-Spam-Flag: YES'), if yes, don't redirect.

InWeb wrote:

If I understand, the best way is to not configure the email forward in the Postfix tables and create one sieve filter to "redirect" all messages not marked as spam? In this case, the rule is on a per-user basis, right?

Yes.
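
The per-user filter agreed on in this thread, written out as an added example (not code from any of the posts or from iRedMail). It assumes the forward has been removed from the Postfix alias table so the message reaches Dovecot LDA/LMTP, that the server's sieve implementation supports the "copy" extension, and that the folder is named "Junk"; otheraccount@gmail.com is the placeholder address from the first post.

```sieve
# Added example: per-user script for user@mydomain.com.
# Assumes forwarding is NOT configured in Postfix (virtual_alias_maps),
# so this script is the only thing that forwards mail for this user.
require ["fileinto", "copy"];

# Spam as tagged by Amavisd: the X-Spam-Flag header, or the [SPAM]
# subject prefix mentioned in the first post.
# File it locally and stop, so the redirect below is never reached.
if anyof (header :is "X-Spam-Flag" "YES",
          header :matches "Subject" "[SPAM]*") {
    fileinto "Junk";
    stop;
}

# Clean mail: forward a copy to the external account.
# :copy leaves the implicit keep in place, so the message is also
# delivered to the local INBOX.
redirect :copy "otheraccount@gmail.com";
```

The order matters: the spam test must come before the redirect, and without `:copy` (or an explicit `keep`) the redirect would cancel local delivery of clean mail.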

7

Re: Sieve rule for forwarded emails only

Thank you, Zhang!