Example Sieve external lists with properties

The MTA supports a private feature of Sieve external lists, whereby external lists can return properties associated with list entries. This can be a powerful additional tool. This section presents two examples, both variants on "capturing" copies of particular messages passing through the MTA.

Capturing a user's "external" messages

Suppose that you wish to capture copies of certain users' Internet correspondence, without bothering to capture copies of those users' internal correspondence (meaning that direct use of an LDAP attribute would capture unneeded messages), and that you'd like to keep track of which users are in this category in LDAP, rather than hard-coding such a list directly into a Sieve script. One approach for doing this would be to use channel-level source and destination Sieve scripts on the channel (which is the channel handling messages coming in from, or going to, the Internet), where such Sieve scripts make use of an external list to check LDAP to determine which users' messages are eligible for capture. Using the properties feature of the MTA's Sieve external lists implementation, the external list will also return the capturer address to use (the address to which to send the captured message copies). The components of such an approach are:



Add some user-level LDAP attribute to the schema (or disable schema checking) and set that attribute on the users for whom you want capture, with a value which is the address to which to send the captured message copies. (Note that typically such an attribute should have ACIs so that users themselves can't even see the attribute, let alone change its value.) This example will assume there is an attribute named mailCaptureInternet for this purpose. (Note that if you already have defined and pointing to the name of some LDAP attribute used for unconditional capture, then you probably don't want to use the same attribute for this "conditional" capture, as that would merely result in an additional capture copy in the "conditional" cases. Instead you want a different LDAP attribute, which will only be consulted and have an effect in this special case.)



Set the ldap_spare_4 MTA option to the name of this "conditional capture" attribute; in unified configuration:

    msconfig> set mta.ldap_spare_4 "mailCaptureInternet"

or in legacy MTA configuration mode, set in the file:

    LDAP_SPARE_4=mailCaptureInternet

Pointing ldap_spare_4 at this attribute means that the attribute's value will be included in probes of the SIEVE_EXTLISTS mapping table, which will turn out to be convenient.





Define Sieve external lists named "capture-to" and "capture-from" via a SIEVE_EXTLISTS mapping table as follows. (In legacy configuration mode, this mapping table should be placed in the MTA mappings file; in Unified Configuration mode, the mapping table can be created by editing from within the utility.)

    SIEVE_EXTLISTS

    ! Define an external list named "capture-to" for use in "envelope" tests of
    ! the To address. Because the LDAP_SPARE_4 field of the pattern has a
    ! match pattern of %*, a probe will match this entry only when the envelope
    ! To recipient being tested has a non-empty mailCaptureInternet value:
    !
      envelope|*|%*|*|*|capture-to|*   $Y$*$1$2
      envelope|*|*|*|*|capture-to|*   $N
    !
    ! When the probe matches, the test succeeds ($Y) and the entry returns
    ! <mailCaptureInternet-value> for the matched address as the first (indeed
    ! only) property, so it will be accessible via Sieve ${1} variable.
    ! Note that because this is a recipient-specific test, making use of the
    ! LDAP_SPARE_4 value, the entry includes $* in the template.
    !
    ! Now define an external list named "capture-from" for use in "envelope" tests
    ! of the From address. Because the Sieve language is oriented towards
    ! performing actions on behalf of message recipients, obtaining information
    ! from LDAP regarding the message sender (envelope From) requires some
    ! additional, explicit LDAP lookups (more than is required for the "capture-to"
    ! external list case).
    ! First, get the base DN for the user entries in the domain of the From
    ! address and rebuild a new probe:
    !
      envelope|*|*|*|*|capture-from|*@*  $N$CBASEDN|FROM|$4@$5|$}$5,_base_dn_{
    !
    ! If the envelope From was that of a user in one of "our" domains, then
    ! the $}<domain-name>,_base_dn_{ lookup should succeed, so the entry
    ! succeeded and the probe is now:
    ! BASEDN|FROM|<from-address>|<basedn-of-from-domain>
    !
      BASEDN|FROM|*|*     \
        $C$]ldap:///$1?mailCaptureInternet?sub?(&(|(mail=$=$0$_)(mailEquivalentAddress=$=$0$_))(mailCaptureInternet=$=*$_))[$Y
    !
    ! When this probe matched and the LDAP lookup succeeds, then the test
    ! succeeds ($Y) and the entry returns <mailCaptureInternet-value>
    ! as a first property (so accessible via Sieve ${1} variable), thus the
    ! capture attribute value for that matched address is available.



On the channel (and any other dedicated-to-Internet-correspondence channel(s)), use a Sieve along the lines of:

    require ["envelope","extlists","variables"];
    if envelope :list "to" "capture-to" {
      capture "${1}";
    }

and a Sieve along the lines of:

    require ["envelope","extlists","variables"];
    if envelope :list "from" "capture-from" {
      capture "${1}";
    }
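The following is an added example, not part of the original page or of the MTA: a simplified Python model of how the two "capture-to" entries above are matched, showing why the %* field only matches a non-empty LDAP_SPARE_4 value and why $1$2 returns that value whole. It assumes that % matches exactly one character and * any run of characters, with wildcards numbered from $0; the helper names and the placeholder probe fields are hypothetical.

```python
import re

# Simplified model of mapping-table matching, for illustration only (assumption):
# '%' matches exactly one character, '*' matches any run of characters, and the
# wildcards are numbered $0, $1, ... from left to right.
def compile_pattern(pattern):
    parts = []
    for ch in pattern:
        parts.append("(.)" if ch == "%" else "(.*?)" if ch == "*" else re.escape(ch))
    return re.compile("".join(parts) + r"\Z", re.S)

def expand(template, fields):
    """Substitute $<digit>; collect flag characters such as Y, N and *."""
    out, flags, i = [], set(), 0
    while i < len(template):
        if template[i] == "$" and i + 1 < len(template):
            nxt = template[i + 1]
            if nxt.isdigit():
                out.append(fields[int(nxt)])
            else:
                flags.add(nxt)
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out), flags

# The two capture-to entries from the SIEVE_EXTLISTS table above.
CAPTURE_TO = [
    ("envelope|*|%*|*|*|capture-to|*", "$Y$*$1$2"),
    ("envelope|*|*|*|*|capture-to|*", "$N"),
]

def probe(entries, probe_string):
    """Return (test_succeeded, first_property) from the first matching entry."""
    for pattern, template in entries:
        m = compile_pattern(pattern).match(probe_string)
        if m:
            text, flags = expand(template, m.groups())
            return ("Y" in flags, text or None)
    return (False, None)

def capture_to_probe(recipient, ldap_spare_4):
    # Constructed probe: the page describes only the LDAP_SPARE_4 field, the
    # list name and the address; the remaining fields are placeholders ("x").
    return "|".join(["envelope", "x", ldap_spare_4, "x", "x", "capture-to", recipient])
```

In this model, % consumes the first character of the attribute value ($1) and * the remainder ($2), so an empty value cannot satisfy the first entry and the probe falls through to the $N entry.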



Note that this example used the same LDAP attribute mailCaptureInternet to determine capture for both incoming and outgoing directions. (The incoming, "capture-to", list took advantage of setting ldap_spare_4 to conveniently fetch the value of this attribute for the recipient; for the outgoing, "capture-from", list, two separate, explicitly configured LDAP lookups were required to first locate where in the directory to search, and second fetch the actual attribute value.) But separate attributes could be used, if different criteria were desired for incoming vs. outgoing. Also, in this example the Sieve external list itself simply checks the attribute value, and the fact that the capture is (intended) for Internet correspondence is incorporated by virtue of the Sieve filters being placed on the Internet correspondence channel. More complicated Sieve filter tests combined with this external list consultation could further refine which messages are captured; see, for instance, the additional "attachment type" testing shown in the example below. Or use of a Sieve filter consulting these external lists on different MTA channels could completely alter which messages get captured.

See also:
 * Testing Sieve external lists
 * Sieve capture extension
 * ldap_capture MTA Option
 * ldap_spare_4 MTA Option
 * Access controls on LDAP attributes
 * Typical TCPIP channels and servers
 * sourcefilter Option
 * destinationfilter Option
 * Sieve variables extension
 * Sieve external lists