Mailu: Managesieve broken and deprecated

Created on 7 Nov 2017 · 4 Comments · Source: Mailu/Mailu

Until version 1.5, a managesieve service was exposed by Mailu. This was removed for multiple reasons including:

  • the protocol is cumbersome to proxify,
  • there are almost no good clients available anymore, except in webmails,
  • we want to add a filtering interface to the admin UI, with more complete options.

In the process, we did not test the internal managesieve enough, especially with the webmails, and the authentication is currently broken.

All 4 comments

The problem is: the authentication is now performed by nginx, but it does not support managesieve. This is not a long-term issue, but it currently prevents using the filtering interface in webmails.

After some thinking, I checked both Rainloop and Roundcube code; it seems that they enforce authentication before sieve can be accessed. My current reasoning would be: since the webmails enforce authentication before even trying to access sieve, we could treat the webmail as the authentication endpoint for sieve.

Thus, we would disable authentication when the connection comes from the Webmail. Attack schemes include first attacking the webmail, then accessing sieve from there. But that would also mean getting all the emails of authenticated users, which is much (much) worse.

I am still trying to wrap my head around this, any input is welcome.

I'm trying to add the managesieve option to my setup again. This is a requirement for me to use Mailu. If I understand correctly how nginx authentication works, nginx asks the admin container for authentication and the admin interface answers with the host of the back end service.

But as far as I can see, dovecot still authenticates the incoming connections... Isn't it possible to have dovecot as a frontend for managesieve? It can do reverse proxy and authenticate against imap if needed...

Dovecot does not perform any authentication. Currently it trusts that authentication is done by the front container and basically rejects everything else.

So, to expose managesieve, you would need to proxy it through the front container, which I don't know how to perform, or you would need a separate authenticating container for managesieve. I guess you could create a separate Dovecot container with managesieve port exposed and the managesieve service enabled, and use local authentication against the sqlite database.

As far as I understand, there is currently no way to manage Sieve filters in the Mailu admin panel, nor using external Sieve clients or in the internal webmails. I'd be satisfied with using Rainloop or Roundcube to manage the filters. Is there anything that we can expect in the near future on this matter? Or is there any workaround for existing setups?
