This tutorial shows you how to set up and configure a ManageSieve service on a mail server managed by Plesk Panel. It builds on the results of the previous tutorial, that enabled filtering messages on the server using Sieve scripts.
ManageSieve is a protocol that allows you to manage Sieve scripts without having shell access to the mail server. ManageSieve is specified in RFC 5804.
You need to edit and create some files in the
/lib/security directory. This means you will need
root to the mail server.
This tutorial assumes, that Sieve scripts are stored in the file system and you mail server is configured to execute them. If you followed my previous tutorial, you should be fine.
Plesk Panel must be configured to use the full e-mail address when authenticating, not just the local part.
The ManageSieve service will ask the IMAP service when authenticating users. You therefore need a running IMAP service. The IMAP service does not need to be accessible from outside.
Step 1: Install and configure
All distributions supported by Plesk use PAM, so PAM is already installed. Howerver,
pam_imap is not available in all distributions. Use the package manager of your distribution to check whether it has the
pam_imap package and install.
If the package manager does not provide you with the
pam_imap package, you have to download and compile it yourself:
- Make sure you have a C compiler installed.
- Download and extract pam_imap-0.3.8.tar.bz2.
mkdir /usr/local/src cd /usr/local/src wget 'http://sf.net/projects/pam-imap/files/pam-imap/pam_imap-0.3.8/pam_imap-0.3.8.tar.bz2' tar xvjf pam_imap-0.3.8.tar.bz2 cd pam_imap-0.3.8
- Check the
READMEfile for additional libraries that you need.
./configure && makein the directory that was created when extracting
pam_imap-0.3.8.tar.bz2. This should create a file called
- Copy that file to where your other pam modules are installed (usually
/lib/security). Copy the configuration file to where your PAM configuration is installed (usually
cp pam_imap.so /lib/security/ cp config/pam_imap.conf /etc/pam.d/
When pam_imap.so is installed, you need to edit the configuration file (
/etc/pam.d/pam_imap.conf, if you compiled
pam_imap yourself). The file is extensively commented, so it should not be hard to figure out what each options is for.
Step 2: Download and extract pysieved
pysieved is a ManageSieve service written in Python. Download pysieved-1.1 and extract it into
/usr/local. This should create the folder
/usr/local/pysieved-pysieved. Rename the folder to
If you have not already done so, make sure you have Python installed. I use Python 2.6, I do not know whether pysieved-1.1 also runs on Python 2.7 or Python 3.x; try it if you have one of these versions already installed. Python is part of your distribution, so you can use your package manger to install it.
Step 3: Download the GNUStorage plugin
As noted in my previous tutorial, the
sieve program from GNU Mailutils has some pecularities.
- It does not conform to RFC 5804 in that it does not recognize the usual carriage return, line feed sequence (CRLF). If you have this in your Sieve script,
sievewill consider this as a syntax error and refuse to execute.
- It uses the file system hierarchy to specify folder names, rather than the IMAP hierarchy.
pysieved can be extended by plugins. Three types of plugins are supported:
- Authentication plugins are responsible for determining whether a user is who he claims to be.
- Session initation plugins allows pysieved to access the resources that belong to a user.
- Storage plugins read and write Sieve scripts.
The GNUStorage plugin is a storage plugin that saves Sieve scripts in a way that overcomes the pecularities of the GNU Mailutils
sieve program I mentioned earlier. Download the GNUStorage plugin for pysieved 1.1 and place it into the
plugins directory of your psysieved directory.
Step 4: Configure pysieved
Now that most of the files are in place, it's time to configure the ManageSieve service. This is done in two parts:
- telling PAM how to process authentication requests from pysieved,
- telling pysieved which plugins to use.
Create the file
/etc/pam.d/pysieved with the following content:
auth required pam_imap.so conf=/etc/pam.d/pam_imap.conf account sufficient pam_permit.so session sufficient pam_permit.so
Create the file
/usr/local/etc/pysieved.ini with the following content:
[main] pidfile = /var/run/pysieved.pid bindaddr = 127.0.0.1 port = 2000 auth = PAM userdb = Virtual storage = GNU [PAM] service = pysieved [Virtual] path = /srv/mail/mailnames/%d/%u [GNU] sieve = /usr/bin/sieve inbox = Maildir scripts = Filters active = current.sieve used = active.sieve uid = 110 gid = 31
I'll explain some of the configuration options used in this file.
portdirectives specify where
pysievedlistens for incomming connections. During the initial configuration,
pysievedonly listens on the loopback address and is not accessible from the outside.
servicedirective in the
PAMsection is used by
pysievedto tell the PAM library, which configuration from
pathdirective in the
Virtualsection is a template that is used to determine the User Folder as described in Step 1 of the previous tutorial.
%dis replaced with the domain part of the e-mail address,
%uis replaced with the local part of the e-mail address to determine the actual User Folder. That's why users must authenticate with their full e-mail address, rather than with the local part alone.
sievedirective tells the GNUStorage plugin where to find the
sieveprogram from the GNU Mailutils package. If you installed GNU Mailutils manually, you might have to adjust the value.
inboxdirective tells the GNUStorage plugin where the Mailbox of the user is, relative to the User Folder.
Maildiris the default on Plesk mail server.
scriptsdirective tells the GNUStorage plugin where to store Sieve scripts, relative to the User Folder. A ManageSieve service can manage multiple Sieve scripts for each user, but only one of those can be active.
activedirective is used by the GNUStorage plugin to remember which of thew scripts of the user is active. It will create a symbolic link from the file in the
scriptsdirectory to this file to mark a script as active.
useddirective tells the GNUStorage plugin the name of the Sieve script that is actually being used by the
sieveprogram. The GNUStorage plugin will update this file every time the active script is changed or updated.
giddirectives specify the user ID and group ID that the scripts should belong to. On a vanilla Plesk mail server, the user and group are called popuser. You can find the corresponding user ID and group ID in
Have a look at the original configuration file in your
pysieved directory for further configuration options.
Step 5: Test your setup
Now it's time for a first test. Start
pysieved by typing
/usr/local/pysieved-1.1/pysieved.py -d -v 9
This should produce output like this
= Listening on INADDR_ANY port 2000
If this is the case open a second terminal (
pysieved should still be running, so you cannot use its terminal to execute further commands). Use the second terminal to find out what to use as authentication credentials:
echo -e 'import base64\nprint(base64.b64encode("\\email@example.com\\0secret"))' | python
You need to replace firstname.lastname@example.org with your e-mail address and secret with your password. Write down the output of that command (it's
AHVzZXJAZXhhbXBsZS5jb20Ac2VjcmV0 in this case).
Now connect via
telnet localhost 2000
You should be greeted by
pysieved, which looks like
"IMPLEMENTATION" "1.1" "SASL" "PLAIN" "SIEVE" "fileinto reject redirect moderator pipe vacation test-spamd test-list test-timestamp comparator-i;ascii-numeric" OK
"SASL" line (called a cabability in ManageSieve lingo) tells the client, which authentication methods are available. In this case, it's only
"SIEVE" cabability tells the client, what Sieve extensions can be executed on the server. Sieve is an extensible language and not all implementations know all extensions. The
"SIEVE" cabability can be used by GUI clients to hide comperators, tests and actions from the user, that the server cannot execute.
To verify that authentication works properly, type
AUTHENTICATE "PLAIN" "AHVzZXJAZXhhbXBsZS5jb20Ac2VjcmV0"
in the second terminal. You should see a reply of
NO "Bad username or password"
(remember, AHVzZXJAZXhhbXBsZS5jb20Ac2VjcmV0 is for email@example.com with password secret). However, if you substitute the output of the echo command you wrote down earlier, you should see a simple
indicating that you authenticated successfully. If you encounter any unexpected behaviour, take a look at the first terminal window where you started
pysieved. Due to the
-d -v 9 command line options, every request and every response is logged there. If you are satisfied, type
in the second terminal windows to close the connection to the
pysieved service and press Ctrl+C in the first terminal windows to stop the
Step 6: Install a client and test again
If you have a webmail application installed, check whether it has ManageSieve support. If not, install a separate web client specifically for ManageSieve. A list can be found at sieve.info: Web-Based Clients. Since the ManageSieve deamon is only listening on the loopback device, you will not be able to use a desktop client such as the Thunderbird Sieve Add-On.
pysieved again as described in Step 5, but this time use your web client to create some filters. Check the terminal and your web client for errors. If you encounter no errors, stop the
Step 7: Make
pysieved start automatically
Plesk uses the
xinetd super server to start various services on request.
pysieved provides a configuration file for
xinetd in its contrib directory. Copy that file to
/etc/xinetd.d/pysieved, edit to taste (especialy
server) and restart
xinetd by issueing
and you're done.