From 10d675e8a545afeaea009d37028dc9bc4221af1c Mon Sep 17 00:00:00 2001
From: Mauro Torrez <maurete@users.noreply.github.com>
Date: Sun, 7 Aug 2022 18:19:52 -0300
Subject: [PATCH] add antispam support using imap sieve

---
 15-mailboxes.conf                  |  44 ------
 90-antispam.conf                   |  50 -------
 90-sieve.conf                      | 214 -----------------------------
 Dockerfile                         | 106 +++++++-------
 confd/conf.d/imap.toml             |   1 +
 confd/conf.d/lmtp.toml             |   4 +-
 confd/conf.d/sieve.toml            |   7 +
 confd/conf.d/ssl.toml              |   1 +
 confd/templates/10-auth.conf.tmpl  |   2 +-
 confd/templates/10-ssl.conf.tmpl   |  48 +------
 confd/templates/20-imap.conf.tmpl  |   2 +-
 confd/templates/20-lmtp.conf.tmpl  |   4 +-
 confd/templates/90-sieve.conf.tmpl |  22 +++
 report-ham.sieve                   |  15 ++
 report-spam.sieve                  |   7 +
 sievec                             |   6 +
 spamtrain => spamtrain.sh          |   5 +-
 17 files changed, 120 insertions(+), 418 deletions(-)
 delete mode 100644 90-antispam.conf
 delete mode 100644 90-sieve.conf
 create mode 100644 confd/conf.d/sieve.toml
 create mode 100644 confd/templates/90-sieve.conf.tmpl
 create mode 100644 report-ham.sieve
 create mode 100644 report-spam.sieve
 create mode 100755 sievec
 rename spamtrain => spamtrain.sh (78%)

diff --git a/15-mailboxes.conf b/15-mailboxes.conf
index 1a5ac41..43729da 100644
--- a/15-mailboxes.conf
+++ b/15-mailboxes.conf
@@ -1,47 +1,3 @@
-##
-## Mailbox definitions
-##
-
-# Each mailbox is specified in a separate mailbox section. The section name
-# specifies the mailbox name. If it has spaces, you can put the name
-# "in quotes". These sections can contain the following mailbox settings:
-#
-# auto:
-#   Indicates whether the mailbox with this name is automatically created
-#   implicitly when it is first accessed. The user can also be automatically
-#   subscribed to the mailbox after creation. The following values are
-#   defined for this setting:
-#
-#     no        - Never created automatically.
-#     create    - Automatically created, but no automatic subscription.
-#     subscribe - Automatically created and subscribed.
-#
-# special_use:
-#   A space-separated list of SPECIAL-USE flags (RFC 6154) to use for the
-#   mailbox. There are no validity checks, so you could specify anything
-#   you want in here, but it's not a good idea to use flags other than the
-#   standard ones specified in the RFC:
-#
-#     \All      - This (virtual) mailbox presents all messages in the
-#                 user's message store.
-#     \Archive  - This mailbox is used to archive messages.
-#     \Drafts   - This mailbox is used to hold draft messages.
-#     \Flagged  - This (virtual) mailbox presents all messages in the
-#                 user's message store marked with the IMAP \Flagged flag.
-#     \Junk     - This mailbox is where messages deemed to be junk mail
-#                 are held.
-#     \Sent     - This mailbox is used to hold copies of messages that
-#                 have been sent.
-#     \Trash    - This mailbox is used to hold messages that have been
-#                 deleted.
-#
-# comment:
-#   Defines a default comment or note associated with the mailbox. This
-#   value is accessible through the IMAP METADATA mailbox entries
-#   "/shared/comment" and "/private/comment". Users with sufficient
-#   privileges can override the default value for entries with a custom
-#   value.
-
 # NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf.
 namespace inbox {
   # These mailboxes are widely used and could perhaps be created automatically:
diff --git a/90-antispam.conf b/90-antispam.conf
deleted file mode 100644
index e6223f9..0000000
--- a/90-antispam.conf
+++ /dev/null
@@ -1,50 +0,0 @@
-plugin {
-
-# antispam_debug_target = syslog
-# antispam_debug_target = stderr
-# antispam_verbose_debug = 1
-
-antispam_backend = pipe
-
-# mail signature (used with any backend requiring a signature)
-antispam_signature = X-Bogosity
-
-# antispam_signature_missing = move # move silently without training
-antispam_signature_missing = error
-
-# semicolon-separated list of Trash folders (default unset i.e. none)
-# antispam_trash =
-# antispam_trash = trash;Trash;Deleted Items; Deleted Messages
-# antispam_trash_pattern = trash;Trash;Deleted *
-# antispam_trash_pattern_ignorecase =trash;deleted *
-antispam_trash = Trash;trash;mail/trash;Deleted Messages
-
-# semicolon-separated list of spam folders
-# antispam_spam = SPAM
-# antispam_spam_pattern = SPAM
-# antispam_spam_pattern_ignorecase = junk*;spam*
-antispam_spam = Junk;junk;Junk Mail;Spam;spam;SPAM
-
-# semicolon-separated list of unsure folders (default unset i.e. none)
-# antispam_unsure =
-# antispam_unsure_pattern =
-# antispam_unsure_pattern_ignorecase =
-
-# Whether to allow APPENDing to SPAM folders or not
-# antispam_allow_append_to_spam = no
-
-#=====================
-# pipe plugin
-
-# temporary directory
-antispam_pipe_tmpdir = /tmp
-
-# spam/not-spam argument (default unset which will is not what you want)
-antispam_pipe_program_spam_arg    = spam
-antispam_pipe_program_notspam_arg = ham
-
-# binary to pipe mail to
-antispam_pipe_program = /usr/local/bin/spamtrain
-#antispam_pipe_program_args = -f;%u@example.com # % expansion done by dovecot
-
-}
diff --git a/90-sieve.conf b/90-sieve.conf
deleted file mode 100644
index 12af1c9..0000000
--- a/90-sieve.conf
+++ /dev/null
@@ -1,214 +0,0 @@
-##
-## Settings for the Sieve interpreter
-##
-
-# Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf
-# by adding it to the respective mail_plugins= settings.
-
-# The Sieve interpreter can retrieve Sieve scripts from several types of
-# locations. The default `file' location type is a local filesystem path
-# pointing to a Sieve script file or a directory containing multiple Sieve
-# script files. More complex setups can use other location types such as
-# `ldap' or `dict' to fetch Sieve scripts from remote databases.
-#
-# All settings that specify the location of one ore more Sieve scripts accept
-# the following syntax:
-#
-# location = [<type>:]path[;<option>[=<value>][;...]]
-#
-# If the type prefix is omitted, the script location type is 'file' and the
-# location is interpreted as a local filesystem path pointing to a Sieve script
-# file or directory. Refer to Pigeonhole wiki or INSTALL file for more
-# information.
-
-plugin {
-  # The location of the user's main Sieve script or script storage. The LDA
-  # Sieve plugin uses this to find the active script for Sieve filtering at
-  # delivery. The "include" extension uses this location for retrieving
-  # :personal" scripts. This is also where the  ManageSieve service will store
-  # the user's scripts, if supported.
-  #
-  # Currently only the 'file:' location type supports ManageSieve operation.
-  # Other location types like 'dict:' and 'ldap:' can currently only
-  # be used as a read-only script source ().
-  #
-  # For the 'file:' type: use the ';active=' parameter to specify where the
-  # active script symlink is located.
-  # For other types: use the ';name=' parameter to specify the name of the
-  # default/active script.
-  sieve = file:~/sieve;active=~/.dovecot.sieve
-
-  # The default Sieve script when the user has none. This is the location of a
-  # global sieve script file, which gets executed ONLY if user's personal Sieve
-  # script doesn't exist. Be sure to pre-compile this script manually using the
-  # sievec command line tool if the binary is not stored in a global location.
-  # --> See sieve_before for executing scripts before the user's personal
-  #     script.
-  #sieve_default = /var/lib/dovecot/sieve/default.sieve
-
-  # The name by which the default Sieve script (as configured by the
-  # sieve_default setting) is visible to the user through ManageSieve.
-  #sieve_default_name =
-
-  # Location for ":global" include scripts as used by the "include" extension.
-  #sieve_global =
-
-  # The location of a Sieve script that is run for any message that is about to
-  # be discarded; i.e., it is not delivered anywhere by the normal Sieve
-  # execution. This only happens when the "implicit keep" is canceled, by e.g.
-  # the "discard" action, and no actions that deliver the message are executed.
-  # This "discard script" can prevent discarding the message, by executing
-  # alternative actions. If the discard script does nothing, the message is
-	# still discarded as it would be when no discard script is configured.
-  #sieve_discard =
-
-  # Location Sieve of scripts that need to be executed before the user's
-  # personal script. If a 'file' location path points to a directory, all the
-  # Sieve scripts contained therein (with the proper `.sieve' extension) are
-  # executed. The order of execution within that directory is determined by the
-  # file names, using a normal 8bit per-character comparison.
-  #
-  # Multiple script locations can be specified by appending an increasing number
-  # to the setting name. The Sieve scripts found from these locations are added
-  # to the script execution sequence in the specified order. Reading the
-  # numbered sieve_before settings stops at the first missing setting, so no
-  # numbers may be skipped.
-  sieve_before = /etc/dovecot/sieve/before
-  #sieve_before2 = ldap:/etc/sieve-ldap.conf;name=ldap-domain
-  #sieve_before3 = (etc...)
-
-  # Identical to sieve_before, only the specified scripts are executed after the
-  # user's script (only when keep is still in effect!). Multiple script
-  # locations can be specified by appending an increasing number.
-  sieve_after = /etc/dovecot/sieve/after
-  #sieve_after2 =
-  #sieve_after2 = (etc...)
-
-  # Which Sieve language extensions are available to users. By default, all
-  # supported extensions are available, except for deprecated extensions or
-  # those that are still under development. Some system administrators may want
-  # to disable certain Sieve extensions or enable those that are not available
-  # by default. This setting can use '+' and '-' to specify differences relative
-  # to the default. For example `sieve_extensions = +imapflags' will enable the
-  # deprecated imapflags extension in addition to all extensions were already
-  # enabled by default.
-  #sieve_extensions = +notify +imapflags
-
-  # Which Sieve language extensions are ONLY available in global scripts. This
-  # can be used to restrict the use of certain Sieve extensions to administrator
-  # control, for instance when these extensions can cause security concerns.
-  # This setting has higher precedence than the `sieve_extensions' setting
-  # (above), meaning that the extensions enabled with this setting are never
-  # available to the user's personal script no matter what is specified for the
-  # `sieve_extensions' setting. The syntax of this setting is similar to the
-  # `sieve_extensions' setting, with the difference that extensions are
-  # enabled or disabled for exclusive use in global scripts. Currently, no
-  # extensions are marked as such by default.
-  #sieve_global_extensions =
-
-  # The Pigeonhole Sieve interpreter can have plugins of its own. Using this
-  # setting, the used plugins can be specified. Check the Dovecot wiki
-  # (wiki2.dovecot.org) or the pigeonhole website
-  # (http://pigeonhole.dovecot.org) for available plugins.
-  # The sieve_extprograms plugin is included in this release.
-  #sieve_plugins =
-
-  # The separator that is expected between the :user and :detail
-  # address parts introduced by the subaddress extension. This may
-  # also be a sequence of characters (e.g. '--'). The current
-  # implementation looks for the separator from the left of the
-  # localpart and uses the first one encountered. The :user part is
-  # left of the separator and the :detail part is right. This setting
-  # is also used by Dovecot's LMTP service.
-  #recipient_delimiter = +
-
-  # The maximum size of a Sieve script. The compiler will refuse to compile any
-  # script larger than this limit. If set to 0, no limit on the script size is
-  # enforced.
-  #sieve_max_script_size = 1M
-
-  # The maximum number of actions that can be performed during a single script
-  # execution. If set to 0, no limit on the total number of actions is enforced.
-  #sieve_max_actions = 32
-
-  # The maximum number of redirect actions that can be performed during a single
-  # script execution. If set to 0, no redirect actions are allowed.
-  #sieve_max_redirects = 4
-
-  # The maximum number of personal Sieve scripts a single user can have. If set
-  # to 0, no limit on the number of scripts is enforced.
-  # (Currently only relevant for ManageSieve)
-  #sieve_quota_max_scripts = 0
-
-  # The maximum amount of disk storage a single user's scripts may occupy. If
-  # set to 0, no limit on the used amount of disk storage is enforced.
-  # (Currently only relevant for ManageSieve)
-  #sieve_quota_max_storage = 0
-
-  # The primary e-mail address for the user. This is used as a default when no
-  # other appropriate address is available for sending messages. If this setting
-  # is not configured, either the postmaster or null "<>" address is used as a
-  # sender, depending on the action involved. This setting is important when
-  # there is no message envelope to extract addresses from, such as when the
-  # script is executed in IMAP.
-  #sieve_user_email =
-
-  # The path to the file where the user log is written. If not configured, a
-  # default location is used. If the main user's personal Sieve (as configured
-  # with sieve=) is a file, the logfile is set to <filename>.log by default. If
-  # it is not a file, the default user log file is ~/.dovecot.sieve.log.
-  #sieve_user_log =
-
-  # Specifies what envelope sender address is used for redirected messages.
-  # The following values are supported for this setting:
-  #
-  #   "sender"         - The sender address is used (default).
-  #   "recipient"      - The final recipient address is used.
-  #   "orig_recipient" - The original recipient is used.
-  #   "user_email"     - The user's primary address is used. This is
-  #                      configured with the "sieve_user_email" setting. If
-  #                      that setting is unconfigured, "user_mail" is equal to
-  #                      "recipient".
-  #   "postmaster"     - The postmaster_address configured for the LDA.
-  #   "<user@domain>"  - Redirected messages are always sent from user@domain.
-  #                      The angle brackets are mandatory. The null "<>" address
-  #                      is also supported.
-  #
-  # This setting is ignored when the envelope sender is "<>". In that case the
-  # sender of the redirected message is also always "<>".
-  #sieve_redirect_envelope_from = sender
-
-  ## TRACE DEBUGGING
-  # Trace debugging provides detailed insight in the operations performed by
-  # the Sieve script. These settings apply to both the LDA Sieve plugin and the
-  # IMAPSIEVE plugin.
-  #
-  # WARNING: On a busy server, this functionality can quickly fill up the trace
-  # directory with a lot of trace files. Enable this only temporarily and as
-  # selective as possible.
-
-  # The directory where trace files are written. Trace debugging is disabled if
-  # this setting is not configured or if the directory does not exist. If the
-  # path is relative or it starts with "~/" it is interpreted relative to the
-  # current user's home directory.
-  #sieve_trace_dir =
-
-  # The verbosity level of the trace messages. Trace debugging is disabled if
-  # this setting is not configured. Possible values are:
-  #
-  #   "actions"        - Only print executed action commands, like keep,
-  #                      fileinto, reject and redirect.
-  #   "commands"       - Print any executed command, excluding test commands.
-  #   "tests"          - Print all executed commands and performed tests.
-  #   "matching"       - Print all executed commands, performed tests and the
-  #                      values matched in those tests.
-  #sieve_trace_level =
-
-  # Enables highly verbose debugging messages that are usually only useful for
-  # developers.
-  #sieve_trace_debug = no
-
-  # Enables showing byte code addresses in the trace output, rather than only
-  # the source line numbers.
-  #sieve_trace_addresses = no
-}
diff --git a/Dockerfile b/Dockerfile
index bfcbe48..931333d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,55 +1,19 @@
-FROM eumau/debian:buster-slim
+FROM eumau/debian:bullseye-slim
 LABEL maintainer "Mauro Torrez <mauro@mau.ro>"
 ARG DEBIAN_FRONTEND=noninteractive
 ENV LC_ALL C
-ENV \
-    MAIL_DOMAINS= \
-    AUTH_MECHANISMS=plain \
-    AUTH_USERNAME_FORMAT="%Lu" \
-    AUTH_MASTER_ENABLE= \
-    SUBMISSION_HOSTNAME=dovecot.dockernet \
-    SUBMISSION_RELAY_HOST= \
-    SUBMISSION_RELAY_PORT=25 \
-    SUBMISSION_RELAY_TRUSTED=yes \
-    SUBMISSION_RELAY_USER= \
-    SUBMISSION_RELAY_MASTER_USER= \
-    SUBMISSION_RELAY_PASSWORD= \
-    SUBMISSION_RELAY_SSL=starttls \
-    SUBMISSION_RELAY_SSL_VERIFY=no \
-    SUBMISSION_RELAY_RAWLOG_DIR= \
-    LDAP_ENABLE= \
-    LDAP_HOSTS="ldap:389" \
-    LDAP_URIS= \
-    LDAP_BIND=yes \
-    LDAP_VERSION=3 \
-    LDAP_BASE="dc=example,dc=org" \
-    LDAP_SCOPE=subtree \
-    LDAP_USER_ATTRS="=home=/vmail/mail/%d/%n, =uid=5000, =gid=5000" \
-    LDAP_USER_FILTER="(&(objectClass=inetOrgPerson)(uid=%n))" \
-    LDAP_PASS_ATTRS="userPassword=password, =userdb_home=/vmail/mail/%d/%n, =userdb_uid=5000, =userdb_gid=5000" \
-    LDAP_PASS_FILTER="(&(objectClass=inetOrgPerson)(uid=%n))" \
-    LDAP_ITERATE_ATTRS="=user=%{ldap:uid}@%d" \
-    LDAP_ITERATE_FILTER="(objectClass=inetOrgPerson)" \
-    LDAP_DEFAULT_PASS_SCHEME=CRYPT \
-    ANTISPAM_ENABLE=yes \
-    IMAP_URLAUTH_HOST="*" \
-    SSL_CLIENT_CA_DIR="/etc/ssl/certs" \
-    SSL_CERT="/ssl/cert.pem" \
-    SSL_KEY="/ssl/key.pem"
-
 RUN groupadd -g 5000 vmail && useradd -g vmail -u 5000 vmail -d /vmail \
   && mkdir -p /vmail/bogofilter && chown vmail:vmail /vmail \
   && apt-get update && apt-get install -y --no-install-recommends \
-     dovecot-lmtpd \
-     dovecot-imapd \
-     dovecot-ldap \
-     dovecot-sieve \
-     dovecot-submissiond \
-     dovecot-managesieved \
-     dovecot-antispam \
-     bogofilter-sqlite \
-     ssl-cert \
-     ca-certificates \
+  dovecot-lmtpd \
+  dovecot-imapd \
+  dovecot-ldap \
+  dovecot-sieve \
+  dovecot-submissiond \
+  dovecot-managesieved \
+  bogofilter-sqlite \
+  ssl-cert \
+  ca-certificates \
   && rm -rf /var/lib/apt/lists/* \
   && mkdir -p /ssl && chmod 700 /ssl \
   && cp /etc/ssl/certs/ssl-cert-snakeoil.pem /ssl/cert.pem \
@@ -61,20 +25,52 @@ ADD 10-auth.conf \
   10-mail.conf \
   10-master.conf \
   15-mailboxes.conf \
-  90-antispam.conf \
-  90-sieve.conf \
   /etc/dovecot/conf.d/
 
-ADD junk-filter.sieve /etc/dovecot/sieve/before/
+ENV \
+  MAIL_DOMAINS= \
+  POSTMASTER_ADDRESS= \
+  AUTH_MECHANISMS=plain \
+  AUTH_USERNAME_FORMAT="%Lu" \
+  AUTH_MASTER_ENABLE= \
+  SUBMISSION_HOSTNAME=dovecot.dockernet \
+  SUBMISSION_RELAY_HOST= \
+  SUBMISSION_RELAY_PORT=25 \
+  SUBMISSION_RELAY_TRUSTED=yes \
+  SUBMISSION_RELAY_USER= \
+  SUBMISSION_RELAY_MASTER_USER= \
+  SUBMISSION_RELAY_PASSWORD= \
+  SUBMISSION_RELAY_SSL=starttls \
+  SUBMISSION_RELAY_SSL_VERIFY=no \
+  SUBMISSION_RELAY_RAWLOG_DIR= \
+  LDAP_ENABLE= \
+  LDAP_HOSTS="ldap:389" \
+  LDAP_URIS= \
+  LDAP_BIND=yes \
+  LDAP_VERSION=3 \
+  LDAP_BASE="dc=example,dc=org" \
+  LDAP_SCOPE=subtree \
+  LDAP_USER_ATTRS="=home=/vmail/mail/%d/%n, =uid=5000, =gid=5000" \
+  LDAP_USER_FILTER="(&(objectClass=inetOrgPerson)(uid=%n))" \
+  LDAP_PASS_ATTRS="userPassword=password, =userdb_home=/vmail/mail/%d/%n, =userdb_uid=5000, =userdb_gid=5000" \
+  LDAP_PASS_FILTER="(&(objectClass=inetOrgPerson)(uid=%n))" \
+  LDAP_ITERATE_ATTRS="=user=%{ldap:uid}@%d" \
+  LDAP_ITERATE_FILTER="(objectClass=inetOrgPerson)" \
+  LDAP_DEFAULT_PASS_SCHEME=CRYPT \
+  SINGLE_USER= \
+  ANTISPAM_ENABLE=yes \
+  SIEVE_ENABLE=yes \
+  IMAP_URLAUTH_HOST="*" \
+  SSL_CLIENT_CA_DIR="/etc/ssl/certs" \
+  SSL_CLIENT_CA_FILE= \
+  SSL_CERT="/ssl/cert.pem" \
+  SSL_KEY="/ssl/key.pem"
 
 ADD confd /etc/confd/
-
-ADD spamtrain /usr/local/bin/
-
-RUN sievec /etc/dovecot/sieve/before
+ADD spamtrain.sh report-ham.sieve report-spam.sieve /etc/dovecot/sieve/
+ADD junk-filter.sieve /etc/dovecot/sieve/before/
+ADD sievec /start.d/
 
 VOLUME ["/ssl","/vmail"]
-
 EXPOSE 110/tcp 143/tcp 587/tcp 993/tcp 995/tcp 2000/tcp
-
 CMD ["dovecot","-F"]
diff --git a/confd/conf.d/imap.toml b/confd/conf.d/imap.toml
index 5f7829a..802b048 100644
--- a/confd/conf.d/imap.toml
+++ b/confd/conf.d/imap.toml
@@ -3,5 +3,6 @@ src = "20-imap.conf.tmpl"
 dest = "/etc/dovecot/local.d/20-imap.conf"
 keys = [
     "/antispam/enable",
+    "/sieve/enable",
     "/imap/urlauth/host"
 ]
diff --git a/confd/conf.d/lmtp.toml b/confd/conf.d/lmtp.toml
index 5d46a0d..75d0ab7 100644
--- a/confd/conf.d/lmtp.toml
+++ b/confd/conf.d/lmtp.toml
@@ -2,5 +2,7 @@
 src = "20-lmtp.conf.tmpl"
 dest = "/etc/dovecot/local.d/20-lmtp.conf"
 keys = [
-    "/mail/domains"
+    "/mail/domains",
+    "/postmaster/address",
+    "/sieve/enable",
 ]
diff --git a/confd/conf.d/sieve.toml b/confd/conf.d/sieve.toml
new file mode 100644
index 0000000..bed3429
--- /dev/null
+++ b/confd/conf.d/sieve.toml
@@ -0,0 +1,7 @@
+[template]
+src = "90-sieve.conf.tmpl"
+dest = "/etc/dovecot/local.d/90-sieve.conf"
+keys = [
+    "/sieve/enable",
+    "/antispam/enable",
+]
diff --git a/confd/conf.d/ssl.toml b/confd/conf.d/ssl.toml
index 2b0eef3..0668440 100644
--- a/confd/conf.d/ssl.toml
+++ b/confd/conf.d/ssl.toml
@@ -5,4 +5,5 @@ keys = [
     "/ssl/cert",
     "/ssl/key",
     "/ssl/client/ca/dir",
+    "/ssl/client/ca/file",
 ]
diff --git a/confd/templates/10-auth.conf.tmpl b/confd/templates/10-auth.conf.tmpl
index 40060a5..64f007b 100644
--- a/confd/templates/10-auth.conf.tmpl
+++ b/confd/templates/10-auth.conf.tmpl
@@ -10,7 +10,7 @@ passdb {
   master = yes
   args = /etc/dovecot/master-users
 
-# Unless you're using PAM, you probably still want the destination user to
+  # Unless you're using PAM, you probably still want the destination user to
   # be looked up from passdb that it really exists. pass=yes does that.
   pass = yes
 }
diff --git a/confd/templates/10-ssl.conf.tmpl b/confd/templates/10-ssl.conf.tmpl
index 586991e..875fa39 100644
--- a/confd/templates/10-ssl.conf.tmpl
+++ b/confd/templates/10-ssl.conf.tmpl
@@ -1,7 +1,3 @@
-##
-## SSL settings
-##
-
 # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
 ssl = yes
 
@@ -12,51 +8,9 @@ ssl = yes
 {{ with getv "/ssl/cert" }}ssl_cert = <{{.}}{{ end }}
 {{ with getv "/ssl/key" }}ssl_key = <{{.}}{{ end }}
 
-# If key file is password protected, give the password here. Alternatively
-# give it when starting dovecot with -p parameter. Since this file is often
-# world-readable, you may want to place this setting instead to a different
-# root owned 0600 file by using ssl_key_password = <path.
-#ssl_key_password =
-
-# PEM encoded trusted certificate authority. Set this only if you intend to use
-# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
-# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
-#ssl_ca =
-
-# Require that CRL check succeeds for client certificates.
-#ssl_require_crl = yes
-
 # Directory and/or file for trusted SSL CA certificates. These are used only
 # when Dovecot needs to act as an SSL client (e.g. imapc backend). The
 # directory is usually /etc/ssl/certs in Debian-based systems and the file is
 # /etc/pki/tls/cert.pem in RedHat-based systems.
 {{ with getv "/ssl/client/ca/dir" }}ssl_client_ca_dir = {{.}}{{ end }}
-#ssl_client_ca_file =
-
-# Request client to send a certificate. If you also want to require it, set
-# auth_ssl_require_client_cert=yes in auth section.
-#ssl_verify_client_cert = no
-
-# Which field from certificate to use for username. commonName and
-# x500UniqueIdentifier are the usual choices. You'll also need to set
-# auth_ssl_username_from_cert=yes.
-#ssl_cert_username_field = commonName
-
-# DH parameters length to use.
-#ssl_dh_parameters_length = 1024
-
-# SSL protocols to use
-#ssl_protocols = !SSLv3
-
-# SSL ciphers to use
-#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
-
-# Prefer the server's order of ciphers over client's.
-#ssl_prefer_server_ciphers = no
-
-# SSL crypto device to use, for valid values run "openssl engine"
-#ssl_crypto_device =
-
-# SSL extra options. Currently supported options are:
-#   no_compression - Disable compression.
-#ssl_options =
+{{ with getv "/ssl/client/ca/file" }}ssl_client_ca_file = {{.}}{{ end }}
diff --git a/confd/templates/20-imap.conf.tmpl b/confd/templates/20-imap.conf.tmpl
index efe8cee..c4c8217 100644
--- a/confd/templates/20-imap.conf.tmpl
+++ b/confd/templates/20-imap.conf.tmpl
@@ -1,6 +1,6 @@
 imap_capability = +SPECIAL_USE
 imap_urlauth_host = {{ getv "/imap/urlauth/host" }}
 protocol imap {
-  mail_plugins = $mail_plugins {{ if eq (getv "/antispam/enable") "yes" }}antispam{{ end }}
+  mail_plugins = $mail_plugins {{ if eq (getv "/sieve/enable") "yes" }}imap_sieve{{ end }}
   imap_metadata = yes
 }
diff --git a/confd/templates/20-lmtp.conf.tmpl b/confd/templates/20-lmtp.conf.tmpl
index 0129829..785af6f 100644
--- a/confd/templates/20-lmtp.conf.tmpl
+++ b/confd/templates/20-lmtp.conf.tmpl
@@ -1,5 +1,5 @@
 protocol lmtp {
   # postmaster_address aparentemente es obligatorio
-  postmaster_address = postmaster@{{ index (split (index (split (getv "/mail/domains") " ") 0) ",") 0 }}
-  mail_plugins = $mail_plugins sieve
+  postmaster_address = {{ with getv "/postmaster/address" }}{{.}}{{ else }}postmaster@{{ index (split (index (split (getv "/mail/domains") " ") 0) ",") 0 }}{{ end }}
+  mail_plugins = $mail_plugins {{ if eq (getv "/sieve/enable") "yes" }}sieve{{end}}
 }
diff --git a/confd/templates/90-sieve.conf.tmpl b/confd/templates/90-sieve.conf.tmpl
new file mode 100644
index 0000000..dad5e84
--- /dev/null
+++ b/confd/templates/90-sieve.conf.tmpl
@@ -0,0 +1,22 @@
+plugin {
+  sieve_plugins = {{ if eq (getv "/sieve/enable") "yes" }}sieve_imapsieve{{ if eq (getv "/antispam/enable") "yes" }} sieve_extprograms{{ end }}{{ end }}
+
+  sieve_before = /etc/dovecot/sieve/before
+  sieve_after = /etc/dovecot/sieve/after
+
+  {{ if eq (getv "/antispam/enable") "yes" }}
+  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
+  sieve_pipe_bin_dir = /etc/dovecot/sieve
+
+  # From elsewhere to Spam folder
+  imapsieve_mailbox1_name = Junk
+  imapsieve_mailbox1_causes = COPY
+  imapsieve_mailbox1_before = file:/etc/dovecot/sieve/report-spam.sieve
+
+  # From Spam folder to elsewhere
+  imapsieve_mailbox2_name = *
+  imapsieve_mailbox2_from = Junk
+  imapsieve_mailbox2_causes = COPY
+  imapsieve_mailbox2_before = file:/etc/dovecot/sieve/report-ham.sieve
+  {{ end }}
+}
diff --git a/report-ham.sieve b/report-ham.sieve
new file mode 100644
index 0000000..bdd6787
--- /dev/null
+++ b/report-ham.sieve
@@ -0,0 +1,15 @@
+require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
+
+if environment :matches "imap.mailbox" "*" {
+  set "mailbox" "${1}";
+}
+
+if string "${mailbox}" "Trash" {
+  stop;
+}
+
+if environment :matches "imap.user" "*" {
+  set "username" "${1}";
+}
+
+pipe :copy "spamtrain.sh" [ "ham" ];
diff --git a/report-spam.sieve b/report-spam.sieve
new file mode 100644
index 0000000..111731f
--- /dev/null
+++ b/report-spam.sieve
@@ -0,0 +1,7 @@
+require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
+
+if environment :matches "imap.user" "*" {
+  set "username" "${1}";
+}
+
+pipe :copy "spamtrain.sh" [ "spam" ];
diff --git a/sievec b/sievec
new file mode 100755
index 0000000..e1c6957
--- /dev/null
+++ b/sievec
@@ -0,0 +1,6 @@
+#!/bin/bash
+set -e
+echo -n "Compiling sieve scripts... "
+sievec /etc/dovecot/sieve/before
+sievec /etc/dovecot/sieve
+echo done.
diff --git a/spamtrain b/spamtrain.sh
similarity index 78%
rename from spamtrain
rename to spamtrain.sh
index 4e231de..6deb4a9 100755
--- a/spamtrain
+++ b/spamtrain.sh
@@ -1,6 +1,5 @@
 #!/bin/bash
-
-# train the spam filter.
+# train the spam filter
 # arg 1 - spam or ham
 
 if [ "$1" == "ham" ]; then
@@ -8,7 +7,7 @@ if [ "$1" == "ham" ]; then
   exit 0
 fi
 
-if [ "$2" == "spam" ]; then
+if [ "$1" == "spam" ]; then
   /usr/bin/bogofilter -d /vmail/bogofilter -e -p -Ns
   exit 0
 fi