≡ Menu

Using Procmail with Plesk: rules via Ingo

In my previous post, I discussed how to get automatic procmail integration working with Plesk, to let you set up procmailrc rules to sort mail into folders. At the end of the post, I mentioned that it would be nice to figure out how to get Plesk’s version of Ingo set up to generate the rules for us automatically. Well, turns out it’s pretty easy! Once you set up procmail (as described in my previous post), and make the changes after the break to your Ingo config, any filters that users define via Plesk’s Horde/Imp/Ingo implementation will become server-side rules automatically. It’s surprisingly easy, and extremely versatile! The one downside is that if you edit the procmailrc files by hand, and then save rules in Ingo, your changes will be overwritten.

First, you need to set a password for the ‘popuser’ user, and remove the user from ‘/etc/ftpusers’. This will allow Ingo to FTP into the system as that user, and update procmailrc entries.

Then, you need to edit the Ingo config. For some reason, Plesk 9’s Ingo package for Debian has config files in two locations:
/etc/psa/webmail/horde/ingo/backends.php
/etc/psa-horde/ingo/backends.php

I’m not sure which one actually gets used, so I created a symlink:

# rm -f /etc/psa-horde/ingo/backends.php
# ln -s /etc/psa/webmail/horde/ingo/backends.php /etc/psa-horde/ingo/backends.php

Then, we need to edit this file. There should be a default entry that looks like:

/* IMAP Example */
$backends['imap'] = array(
'driver' => 'null',
'preferred' => 'localhost',
'hordeauth' => true,
'params' => array(),
'script' => 'imap',
'scriptparams' => array()
);

That’s not going to do anything for us, so nuke it. Then, copy and paste the entry below:


$split = explode('@', Auth::getAuth());
$backends['procmail'] = array(
'driver' => 'vfs',
'preferred' => 'localhost',
'hordeauth' => 'false',
'params' => array(
'vfstype' => 'ftp',
'hostspec' => 'localhost',
'filename' => '/var/qmail/mailnames/'.$split[1].'/'.$split[0].'/.procmailrc',
'port' => 21,
'username' => 'popuser',
'password' => 'password'
),
'script' => 'procmail',
'scriptparams' => array(
'path_style' => 'maildir',
'variables' => array(
'MAILDIR' => '/var/qmail/mailnames/' . $split[1] . '/' . $split[0] . '/Maildir',
'DEFAULT' => '${MAILDIR}/'
)
)
);

Simply change the password entry to the password you set for popuser. Then, log out of webmail and back in, set up a filter, and it should have updated the procmailrc entry for you. It’s magic!

Again, if this is useful or if you have any questions, please leave me a comment!

{ 21 comments… add one }
  • Ben L January 8, 2009, 9:13 am

    If you use squirrelmail to provide webmail, there’s a plugin that allows users to manage their own procmailrcs.

    and lastly, qmail? really?

    • nc January 8, 2009, 12:02 pm

      Ya, Ingo is the Horde plugin that manages procmail, sieve, etc. The hard part isn’t managing procmail; it’s getting it to work properly under Plesk without breaking anytihng else. ;) I’m actually using Postfix; Plesk just didn’t support it until 9.0, and still stores the mail in /var/qmail/mailnames, even though qmail is not used at all.

  • Brazilian joe February 6, 2009, 10:57 am

    OFFTOPIC:
    Yes, way offtopic ;)
    But since I have crossed you blog / articles often in the web ( and found no email address), I decided to ask in your blog. Sorry for the intrusion. By any chance, have you ever tried/managed to set up a IPSec VPN between Linux and a SonicWALL vpn router? If you could spare some tips (for free :) I’d be glad to hear about it.

    • nc February 8, 2009, 8:28 pm

      I’m afraid not. ;( It’s actually been a few years since I’ve really done a whole lot with IPsec, new job just doesn’t demand it like my old one did. ;) However, I know it’s been done.. have you tried the Openswan lists?

  • mJay September 17, 2009, 3:39 pm

    Isn’t it unsecure to save the password of ‘popuser’ in plaintext directly in the backends.php?

    Are there a posibility for a hacker to reach the password?
    What can a hacker access if he has the password of ‘popuser’?

    • nc September 17, 2009, 7:02 pm

      Unfortunately, this is the only way I’ve been able to make this work. It is slightly insecure; however, you can set the perms on that file such that nobody on the system will be able to read it but root and the mail daemons. This is a weakness in the way that Horde does things.

  • mJay September 18, 2009, 5:00 am

    Thanks for answer.
    There is an intresting way to write the .procmailrc with ftp and the auth-infos of the mailuser (mailaccount username and password).
    http://www.thorti.de/procmail-web-frontend.html
    Sorry thats in german but I can translate it if its necessary.

    They are using pureftp and an auth-script to get the mailaccounts password from the MySQL-DB. Qmail is saving the mailaccount-password in an MySQL-DB.

    I think thats much more secure because there are no passwords in plaintext and the user can only reach via ftp the direcory where its own mails are stored. I only have to edit the auth-script for pureftp to get it working with Postfix. The only problem I have, is that I don’t know where Postfix is storing the passwords for the mailaccounts. Do you?

    If I’m able to get it work with Postfix, I will translate the howto in english.

  • Stefan December 4, 2009, 12:38 pm

    Hello,

    i installed your .procmailrc sript, it’s run and create the .procmailrc. Fine!

    I give popuseruser a password and delete it from /etc/ftpusers

    Then i edit the file :
    /* IMAP Example */
    $backends['imap'] = array(
    'driver' => 'null',
    'preferred' => 'localhost',
    'hordeauth' => true,
    'params' => array(),
    'script' => 'imap',
    'scriptparams' => array()
    );
    $split = explode('@', Auth::getAuth());
    $backends['procmail'] = array(
    'driver' => 'vfs',
    'preferred' => 'localhost',
    'hordeauth' => 'false',
    'params' => array(
    'vfstype' => 'ftp',
    'hostspec' => 'localhost',
    'filename' => '/var/qmail/mailnames/'.$split[1].'/'.$split[0].'/.procmailrc',
    'port' => 21,
    'username' => 'popuser',
    'password' => 'mypassword'
    ),
    'script' => 'procmail',
    'scriptparams' => array(
    'path_style' => 'maildir',
    'variables' => array(
    'MAILDIR' => '/var/qmail/mailnames/'.$split[1].'/'.$split[0].'/Maildir',
    'DEFAULT' => '${MAILDIR}/'
    )
    )
    );

    But ingo didn’t write the new procmailrc file. I can login with the ftp password. So where is the problem and how can i solve it :-(

    Stefan

    • nc December 4, 2009, 1:10 pm

      To confirm, can you FTP to localhost as ‘popuser’ with the password you set? If so, can you change to /var/qmail/mailnames//, and upload a .procmailrc file manually?

      If the above works, great! Next step – did you either update backend.php in both of the locations I mentioned above, or symlink them together?

      • Stefan December 4, 2009, 1:23 pm

        Of course, i can change the file with put.

        I don’t have the folder /etc/psa-horde…

        • nc December 4, 2009, 2:10 pm

          Hmm, must not be on Debian/Ubuntu, or maybe they fixed their packaging.. :) Try doing a find in / for ingo, and then look for backend.php in multiple locations.

          There are also ways to get ingo to turn on debug logging; the Horde FAQ’s should have info.

  • Joerg April 20, 2010, 7:55 am

    Hi all,
    maybe someone wants to use this script with a current version of Horde/INGO:
    'hordeauth' => 'false',
    is not working anymore!!! You´ll need to remove the ” ‘ ” !

    'hordeauth' => false,
    and it will work… :-/
    (ca 30mins to find out…)
    Another crazy thing I found out:
    My system won’t accept:
    'hostspec' => 'localhost',
    It wants to have 127.0.0.1 instead… (took be about 8h to find out!)

    *gnarf* ;-)

  • ajai November 11, 2010, 5:56 am

    As far as i know As long as Parallels do not implement SIEVE or another way to filter emails the feature will not work. I need SIEVE in qmail-plesk so that my webmail Open Exchange can use the filter for the end users

    Is there any way to implement SIEVE that you know ?

    • nc November 11, 2010, 8:28 am

      Sieve needs to be implemented in the IMAP server, not in the MTA.. Plesk currently uses Courier-IMAP, which does not (and does not plan to) support Sieve — see this post on the courier imap server list.

      If Parallels added an option to Plesk to support using Dovecot as the IMAP server, it would be relatively easy to add support for Sieve.. however, it does not look like that is a current feature, or an announced future feature.

  • Christopher K. July 19, 2011, 7:39 am

    I’m using this approach. One thing about what to do when you updated Plesk:
    Go into every mail account in Plesk, click “Mailbox” and change the quota (1 KB down and up again or something). If you do not have a quota, set it to 999999999 and back to no quota.
    I first tried not changing anything but only clicking “OK” didn’t work.

    Has anybody a better way up to now? It looks not so much work to invoke the perl-script for every mailbox. We could fetch all mailboxes from the directory structure in /var/qmail/mailnames. There even seems to be an event handler in Plesk that can be called whenever a Plesk package has been updated. If no one has done this yet, I think I will realize this myself.

    • nc July 19, 2011, 10:01 am

      Yeah, I’m using a very similar method to handle the upgrades. It is indeed annoying; if you can figure out a better way, I would *love* to hear about it!

      • Christopher K. July 20, 2011, 11:49 am

        Okay. I automated the update process. What I did:
        – Modified add-procmail-rules.pl so the emailadress can be read from a command line parameter (and it should not sleep in this case as sleeping 5s per mail account would mean several minutes or even hours executing time for hundreds of mail accounts)
        – Wrote a php-script that scans /var/qmail/mailnames for all email-addresses on the system and call add-procmail-rules.pl with these addresses as parameters
        – This script can either be called manually after an update or using a Plesk event handler

        If somebody wants to go the same way, do the following:
        – You need php on the command line. If not already installed, install the package php5-cli (aptitude install php5-cli). Should normally be already installed on a Plesk server I think.
        – You need safe_mode disabled on the command line. Edit /etc/php5/cli/php.ini . Search for safe_mode and change it to “On” if it is currently “Off”. This only affects the command line, so it should not be a security problem. Moreover, safe_mode is deprecated anyway.
        – Copy modified add-procmail-rules.pl from pastebin and replace your version with it
        – Copy mailfilter_after_plesk_update.php from pastebin into the same folder where add-procmail-rules.pl is
        – You might need to change the path to add-procmail-rules.pl in mailfilter_after_plesk_update.php
        – Try calling the script manually: run “php mailfilter_after_plesk_update.php”
        -> It should take 5-10s and does not output anything. You can check date and time of the .qmail and .qmail.old-files to see whether it did anything.
        – To add an event listener in Plesk:
        — Log into Plesk as admin, go to Main->Logs & Statistics->Event Manager
        — Click ‘Add New Event Handler’; you will need to create an event with an event type of ‘Parallels Plesk Panel-Component updated or added’, priority set as desired, ‘User’ is root (or another user with proper perms), and ‘Command’ is the php-script – e.g., “php /usr/local/sbin/mailfilter_after_plesk_update.php”.
        Note that there is a space character between “php” and the path to the php-script

        That’s it.
        I could not try if the Plesk event handler really is called when necessary as I did not do an update since.
        A cleaner solution might be a complete perl-implementation, but my perl skills are very limited and I could not do this in perl that fast, so I used php instead.

        I hope it helps somebody. Let me hear if you have any problems.

        • Christopher K. July 20, 2011, 11:51 am

          Typo: Of course safe_mode needs to be changed from “On” to “Off” and no the other way round. Sorry.

  • Volker Kerkhoff May 24, 2012, 4:52 pm

    Remember to /etc/init.d/httpd restart after implementing these great improvements or Horde will somehow try to do everything the old way and try to use hordeauth => true

Cancel reply

Leave a Comment