AppSuite:OX Guard MailFilter

Revision as of 16:35, 8 May 2020 by Greg.hill (talk | contribs) (OX Guard MailFilter Integration)

OX Guard MailFilter Integration

It is possible to add the Sieve test “PGP Signature” as well as the action “encrypt incoming” to the mailfilter functionality of AppSuite. This uses the Sieve ExtPrograms plugin to call Guard through an API, which either verifies the signature or returns the email encrypted.


The user creates either the filter test “PGP Signature” or the action “Encrypt email”. This creates a Sieve rule that calls an external script with the user's ID and context. Only pre-configured scripts can be called; there is no ability for anyone to create their own external scripts to be called.

Incoming emails then go through the Sieve filter, which calls the external script with the user's ID and context as parameters.

The external script calls a Guard server through an API call, and the response is returned to the script: either the email is marked as signed, or the encrypted content of the email is returned.


The Dovecot Sieve extension ExtPrograms must be enabled. It adds three capabilities to Sieve, vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute (pipe is not required for these scripts), all of which are disabled by default. “filter” and “execute” must be enabled for users, and then the directories containing the scripts must be configured.

Example configuration:


plugin {
    sieve = file:~/sieve;active=~/.dovecot.sieve
    sieve_default = /var/lib/dovecot/sieve/default.sieve
    sieve_plugins = sieve_extprograms
    sieve_extensions = +vnd.dovecot.filter +vnd.dovecot.execute
    # These directories contain the scripts that are available to the filter
    # and execute commands.
    sieve_filter_bin_dir = /usr/lib/dovecot/sieve-filter
    sieve_execute_bin_dir = /usr/lib/dovecot/sieve-execute
}

Of course, the Sieve protocol must be enabled and ManageSieve must already be working.


There are currently two scripts: one tests the email signature, the other encrypts the email. Create the scripts in the locations configured above. Replace the username/password rest:secret with the REST username and password configured for Guard.

#!/bin/bash
## Guard encrypt script, intended for the Sieve "filter" command: the message
## arrives on stdin and whatever is written to stdout replaces the message.
## Dovecot passes the user ID as $1 and the context as $2.
## GUARD must hold the Guard server host[:port]; the value below is a placeholder.
GUARD="${GUARD:-guard.example.com}"

## Send the stdin to guard using curl, store result
encrypted=$(curl -s -X POST -F file=@- "http://${GUARD}/oxguard/pgpmail?action=encrypt_mime&user=${1}&context=${2}&respondWithJSON=true" --user rest:secret)

## Check for errors and basic sanity check (an empty reply, e.g. Guard unreachable,
## must not replace the message with nothing)
if [[ -z $encrypted || $encrypted == \{\"error* ]] ; then
  logger "Guard sieve encrypter error: $encrypted"
  ## Error, exit
  exit 1
fi

## Return the encrypted text. Preserve \r
echo -e "$encrypted"
#!/bin/bash
## Guard signature test script, intended for the Sieve "execute" test: the message
## arrives on stdin, and exit status 0 makes the "PGP Signature" test match.
## Dovecot passes the user ID as $1 and the context as $2.
## GUARD must hold the Guard server host[:port]; the value below is a placeholder.
GUARD="${GUARD:-guard.example.com}"

## Send the stdin to guard using curl, store result
verified=$(curl -s -X POST -F file=@- "http://${GUARD}/oxguard/pgpmail?action=verify&user=${1}&context=${2}&simple=true&respondWithJSON=true" --user rest:secret)
logger "$verified"

## Check if returns true
if [[ $verified == "{\"data\":true}" ]] ; then
  exit 0
fi
if [[ $verified == \{\"error* ]] ; then
  logger "Guard sieve signature error: $verified"
fi
exit 1

There is no requirement that these scripts be in different directories. Dovecot requires that the scripts are not world-writable. In addition, since these scripts contain the REST username and password, it is recommended to change their owner to vmail and restrict their permissions to 700.
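The following audit helper is an added example, not code from the wiki page, from Dovecot or from OX. It reads the sieve_extprograms settings and the two bin directories out of a Dovecot plugin block like the one above, then checks that every script in those directories is owned by the expected user and has mode 700, as recommended here. The config path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example: audit the ExtPrograms configuration and script permissions.
# Usage: audit_sieve_extprograms /etc/dovecot/conf.d/90-sieve.conf vmail
# (the conf path is an assumption; use whichever file holds your plugin block)

# Print the value of KEY ($2) from the conf file ($1); empty if unset.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Return 0 if sieve_plugins lists sieve_extprograms and sieve_extensions
# enables both +vnd.dovecot.filter and +vnd.dovecot.execute, else 1.
check_extprograms_conf() {
    conf="$1"; rc=0
    plugins=$(conf_value "$conf" sieve_plugins)
    exts=$(conf_value "$conf" sieve_extensions)
    case " $plugins " in
        *" sieve_extprograms "*) ;;
        *) echo "sieve_plugins does not list sieve_extprograms"; rc=1 ;;
    esac
    for ext in +vnd.dovecot.filter +vnd.dovecot.execute; do
        case " $exts " in
            *" $ext "*) ;;
            *) echo "sieve_extensions does not enable $ext"; rc=1 ;;
        esac
    done
    return $rc
}

# Return 0 if every regular file in DIR ($1) is mode 700 and owned by OWNER ($2).
# Anything else (world-writable, group-readable, wrong owner) is reported.
check_script_perms() {
    dir="$1"; owner="$2"
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    bad=$(find "$dir" -type f \( ! -perm 700 -o ! -user "$owner" \))
    if [ -n "$bad" ]; then
        echo "scripts not owned by $owner with mode 700:"
        echo "$bad"
        return 1
    fi
    return 0
}

# Run both checks: conf settings, then permissions in each configured bin dir.
audit_sieve_extprograms() {
    conf="$1"; owner="$2"; rc=0
    check_extprograms_conf "$conf" || rc=1
    for key in sieve_filter_bin_dir sieve_execute_bin_dir; do
        d=$(conf_value "$conf" "$key")
        if [ -z "$d" ]; then
            echo "$key is not set"; rc=1; continue
        fi
        check_script_perms "$d" "$owner" || rc=1
    done
    return $rc
}
```

The permission check deliberately demands an exact mode of 700 rather than only rejecting world-writable files, because the scripts embed the REST credentials and a group-readable script leaks them just as well.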


The Guard mailfilter functionality must be enabled on the middleware. It is recommended to add the following configuration on the middleware servers:


The script names may be configured differently, but default to the following:

MailFilter User Interface:

Assuming the user has the guard-mail and mailfilter capabilities, they will now be able to add the configured test and action for Guard.