diff --git a/data/Dockerfiles/dovecot/docker-entrypoint.sh b/data/Dockerfiles/dovecot/docker-entrypoint.sh
index 798078bd..6645331b 100755
--- a/data/Dockerfiles/dovecot/docker-entrypoint.sh
+++ b/data/Dockerfiles/dovecot/docker-entrypoint.sh
@@ -163,24 +163,26 @@ function auth_password_verify(req, pass)
row = cur:fetch (row, "a")
end
- -- check against app passwds
- -- removed on 22nd Oct 2021: AND IFNULL(JSON_UNQUOTE(JSON_VALUE(mailbox.attributes, '$.force_pw_update')), 0) != '1'
- local cur,errorString = con:execute(string.format([[SELECT app_passwd.id, app_passwd.password FROM app_passwd
- INNER JOIN mailbox ON mailbox.username = app_passwd.mailbox
- WHERE mailbox = '%s'
- AND IFNULL(JSON_UNQUOTE(JSON_VALUE(mailbox.attributes, '$.%s_access')), 1) = '1'
- AND app_passwd.active = '1'
- AND mailbox.active = '1'
- AND app_passwd.domain IN (SELECT domain FROM domain WHERE domain='%s' AND active='1')]], con:escape(req.user), con:escape(req.service), con:escape(req.domain)))
- local row = cur:fetch ({}, "a")
- while row do
- if req.password_verify(req, row.password, pass) == 1 then
- cur:close()
- con:execute(string.format([[REPLACE INTO sasl_log (service, app_password, username, real_rip)
- VALUES ("%s", %d, "%s", "%s")]], con:escape(req.service), row.id, con:escape(req.user), con:escape(req.real_rip)))
- return dovecot.auth.PASSDB_RESULT_OK, "password=" .. pass
+ -- check against app passwds for imap and smtp
+ -- app passwords are only available for imap, smtp, sieve and pop3 when using sasl
+ if req.service == "smtp" or req.service == "imap" or req.service == "sieve" or req.service == "pop3" then
+ local cur,errorString = con:execute(string.format([[SELECT app_passwd.id, app_passwd.imap_access, app_passwd.smtp_access, app_passwd.sieve_access, app_passwd.pop3_access, app_passwd.password FROM app_passwd
+ INNER JOIN mailbox ON mailbox.username = app_passwd.mailbox
+ WHERE mailbox = '%s'
+ AND app_passwd.%s_access = '1'
+ AND app_passwd.active = '1'
+ AND mailbox.active = '1'
+ AND app_passwd.domain IN (SELECT domain FROM domain WHERE domain='%s' AND active='1')]], con:escape(req.user), con:escape(req.service), con:escape(req.domain)))
+ local row = cur:fetch ({}, "a")
+ while row do
+ if req.password_verify(req, row.password, pass) == 1 then
+ cur:close()
+ con:execute(string.format([[REPLACE INTO sasl_log (service, app_password, username, real_rip)
+ VALUES ("%s", %d, "%s", "%s")]], con:escape(req.service), row.id, con:escape(req.user), con:escape(req.real_rip)))
+ return dovecot.auth.PASSDB_RESULT_OK, "password=" .. pass
+ end
+ row = cur:fetch (row, "a")
end
- row = cur:fetch (row, "a")
end
return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Failed to authenticate"
diff --git a/data/web/autodiscover.php b/data/web/autodiscover.php
index c2eb0ad5..cc6807ba 100644
--- a/data/web/autodiscover.php
+++ b/data/web/autodiscover.php
@@ -68,7 +68,7 @@ if (empty($_SERVER['PHP_AUTH_USER']) || empty($_SERVER['PHP_AUTH_PW'])) {
exit(0);
}
-$login_role = check_login($login_user, $login_pass);
+$login_role = check_login($login_user, $login_pass, true);
if ($login_role === "user") {
header("Content-Type: application/xml");
diff --git a/data/web/edit.php b/data/web/edit.php
index bc27c6f2..dfba8479 100644
--- a/data/web/edit.php
+++ b/data/web/edit.php
@@ -11,7 +11,7 @@ $template = 'edit.twig';
$template_data = [];
$result = null;
if (isset($_SESSION['mailcow_cc_role'])) {
- if ($_SESSION['mailcow_cc_role'] == "admin" || $_SESSION['mailcow_cc_role'] == "domainadmin") {
+ if ($_SESSION['mailcow_cc_role'] == "admin" || $_SESSION['mailcow_cc_role'] == "domainadmin") {
if (isset($_GET["alias"]) &&
!empty($_GET["alias"])) {
$alias = html_entity_decode(rawurldecode($_GET["alias"]));
diff --git a/data/web/inc/functions.app_passwd.inc.php b/data/web/inc/functions.app_passwd.inc.php
index 68cc85cd..b493fc91 100644
--- a/data/web/inc/functions.app_passwd.inc.php
+++ b/data/web/inc/functions.app_passwd.inc.php
@@ -27,6 +27,13 @@ function app_passwd($_action, $_data = null) {
$password = $_data['app_passwd'];
$password2 = $_data['app_passwd2'];
$active = intval($_data['active']);
+ $protocols = (array)$_data['protocols'];
+ $imap_access = (in_array('imap_access', $protocols)) ? 1 : 0;
+ $dav_access = (in_array('dav_access', $protocols)) ? 1 : 0;
+ $smtp_access = (in_array('smtp_access', $protocols)) ? 1 : 0;
+ $eas_access = (in_array('eas_access', $protocols)) ? 1 : 0;
+ $pop3_access = (in_array('pop3_access', $protocols)) ? 1 : 0;
+ $sieve_access = (in_array('sieve_access', $protocols)) ? 1 : 0;
$domain = mailbox('get', 'mailbox_details', $username)['domain'];
if (empty($domain)) {
$_SESSION['return'][] = array(
@@ -61,13 +68,19 @@ function app_passwd($_action, $_data = null) {
);
return false;
}
- $stmt = $pdo->prepare("INSERT INTO `app_passwd` (`name`, `mailbox`, `domain`, `password`, `active`)
- VALUES (:app_name, :mailbox, :domain, :password, :active)");
+ $stmt = $pdo->prepare("INSERT INTO `app_passwd` (`name`, `mailbox`, `domain`, `password`, `imap_access`, `smtp_access`, `eas_access`, `dav_access`, `pop3_access`, `sieve_access`, `active`)
+ VALUES (:app_name, :mailbox, :domain, :password, :imap_access, :smtp_access, :eas_access, :dav_access, :pop3_access, :sieve_access, :active)");
$stmt->execute(array(
':app_name' => $app_name,
':mailbox' => $username,
':domain' => $domain,
':password' => $password_hashed,
+ ':imap_access' => $imap_access,
+ ':smtp_access' => $smtp_access,
+ ':eas_access' => $eas_access,
+ ':dav_access' => $dav_access,
+ ':pop3_access' => $pop3_access,
+ ':sieve_access' => $sieve_access,
':active' => $active
));
$_SESSION['return'][] = array(
@@ -84,6 +97,23 @@ function app_passwd($_action, $_data = null) {
$app_name = (!empty($_data['app_name'])) ? $_data['app_name'] : $is_now['name'];
$password = (!empty($_data['password'])) ? $_data['password'] : null;
$password2 = (!empty($_data['password2'])) ? $_data['password2'] : null;
+ if (isset($_data['protocols'])) {
+ $protocols = (array)$_data['protocols'];
+ $imap_access = (in_array('imap_access', $protocols)) ? 1 : 0;
+ $dav_access = (in_array('dav_access', $protocols)) ? 1 : 0;
+ $smtp_access = (in_array('smtp_access', $protocols)) ? 1 : 0;
+ $eas_access = (in_array('eas_access', $protocols)) ? 1 : 0;
+ $pop3_access = (in_array('pop3_access', $protocols)) ? 1 : 0;
+ $sieve_access = (in_array('sieve_access', $protocols)) ? 1 : 0;
+ }
+ else {
+ $imap_access = $is_now['imap_access'];
+ $smtp_access = $is_now['smtp_access'];
+ $dav_access = $is_now['dav_access'];
+ $eas_access = $is_now['eas_access'];
+ $pop3_access = $is_now['pop3_access'];
+ $sieve_access = $is_now['sieve_access'];
+ }
$active = (isset($_data['active'])) ? intval($_data['active']) : $is_now['active'];
}
else {
@@ -122,14 +152,27 @@ function app_passwd($_action, $_data = null) {
':id' => $id
));
}
+
$stmt = $pdo->prepare("UPDATE `app_passwd` SET
`name` = :app_name,
`mailbox` = :username,
+ `imap_access` = :imap_access,
+ `smtp_access` = :smtp_access,
+ `eas_access` = :eas_access,
+ `dav_access` = :dav_access,
+ `pop3_access` = :pop3_access,
+ `sieve_access` = :sieve_access,
`active` = :active
WHERE `id` = :id");
$stmt->execute(array(
':app_name' => $app_name,
':username' => $username,
+ ':imap_access' => $imap_access,
+ ':smtp_access' => $smtp_access,
+ ':eas_access' => $eas_access,
+ ':dav_access' => $dav_access,
+ ':pop3_access' => $pop3_access,
+ ':sieve_access' => $sieve_access,
':active' => $active,
':id' => $id
));
@@ -180,13 +223,7 @@ function app_passwd($_action, $_data = null) {
break;
case 'details':
$app_passwd_data = array();
- $stmt = $pdo->prepare("SELECT `id`,
- `name`,
- `mailbox`,
- `domain`,
- `created`,
- `modified`,
- `active`
+ $stmt = $pdo->prepare("SELECT *
FROM `app_passwd`
WHERE `id` = :id");
$stmt->execute(array(':id' => $_data));
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 072bf0b4..1425ea3a 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -807,10 +807,11 @@ function verify_hash($hash, $password) {
}
return false;
}
-function check_login($user, $pass) {
+function check_login($user, $pass, $app_passwd_data = false) {
global $pdo;
global $redis;
global $imap_server;
+
if (!filter_var($user, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
$_SESSION['return'][] = array(
'type' => 'danger',
@@ -819,6 +820,8 @@ function check_login($user, $pass) {
);
return false;
}
+
+ // Validate admin
$user = strtolower(trim($user));
$stmt = $pdo->prepare("SELECT `password` FROM `admin`
WHERE `superadmin` = '1'
@@ -854,6 +857,8 @@ function check_login($user, $pass) {
}
}
}
+
+ // Validate domain admin
$stmt = $pdo->prepare("SELECT `password` FROM `admin`
WHERE `superadmin` = '0'
AND `active`='1'
@@ -888,6 +893,8 @@ function check_login($user, $pass) {
}
}
}
+
+ // Validate mailbox user
$stmt = $pdo->prepare("SELECT `password` FROM `mailbox`
INNER JOIN domain on mailbox.domain = domain.domain
WHERE `kind` NOT REGEXP 'location|thing|group'
@@ -896,6 +903,32 @@ function check_login($user, $pass) {
AND `username` = :user");
$stmt->execute(array(':user' => $user));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+ if ($app_passwd_data['eas'] === true) {
+ $stmt = $pdo->prepare("SELECT `app_passwd`.`password` as `password`, `app_passwd`.`id` as `app_passwd_id` FROM `app_passwd`
+ INNER JOIN `mailbox` ON `mailbox`.`username` = `app_passwd`.`mailbox`
+ INNER JOIN `domain` ON `mailbox`.`domain` = `domain`.`domain`
+ WHERE `mailbox`.`kind` NOT REGEXP 'location|thing|group'
+ AND `mailbox`.`active` = '1'
+ AND `domain`.`active` = '1'
+ AND `app_passwd`.`active` = '1'
+ AND `app_passwd`.`eas_access` = '1'
+ AND `app_passwd`.`mailbox` = :user");
+ $stmt->execute(array(':user' => $user));
+ $rows = array_merge($rows, $stmt->fetchAll(PDO::FETCH_ASSOC));
+ }
+ elseif ($app_passwd_data['dav'] === true) {
+ $stmt = $pdo->prepare("SELECT `app_passwd`.`password` as `password`, `app_passwd`.`id` as `app_passwd_id` FROM `app_passwd`
+ INNER JOIN `mailbox` ON `mailbox`.`username` = `app_passwd`.`mailbox`
+ INNER JOIN `domain` ON `mailbox`.`domain` = `domain`.`domain`
+ WHERE `mailbox`.`kind` NOT REGEXP 'location|thing|group'
+ AND `mailbox`.`active` = '1'
+ AND `domain`.`active` = '1'
+ AND `app_passwd`.`active` = '1'
+ AND `app_passwd`.`dav_access` = '1'
+ AND `app_passwd`.`mailbox` = :user");
+ $stmt->execute(array(':user' => $user));
+ $rows = array_merge($rows, $stmt->fetchAll(PDO::FETCH_ASSOC));
+ }
foreach ($rows as $row) {
if (verify_hash($row['password'], $pass) !== false) {
unset($_SESSION['ldelay']);
@@ -904,9 +937,20 @@ function check_login($user, $pass) {
'log' => array(__FUNCTION__, $user, '*'),
'msg' => array('logged_in_as', $user)
);
+ if ($app_passwd_data['eas'] === true || $app_passwd_data['dav'] === true) {
+ $service = ($app_passwd_data['eas'] === true) ? 'EAS' : 'DAV';
+ $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES (:service, :app_id, :username, :remote_addr)");
+ $stmt->execute(array(
+ ':service' => $service,
+ ':app_id' => $row['app_passwd_id'],
+ ':username' => $user,
+ ':remote_addr' => $_SERVER['REMOTE_ADDR']
+ ));
+ }
return "user";
}
}
+
if (!isset($_SESSION['ldelay'])) {
$_SESSION['ldelay'] = "0";
$redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
@@ -917,11 +961,13 @@ function check_login($user, $pass) {
$redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
error_log("mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
}
+
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $user, '*'),
'msg' => 'login_failed'
);
+
sleep($_SESSION['ldelay']);
return false;
}
diff --git a/data/web/inc/header.inc.php b/data/web/inc/header.inc.php
index feea441f..6c783a0b 100644
--- a/data/web/inc/header.inc.php
+++ b/data/web/inc/header.inc.php
@@ -44,6 +44,7 @@ $globalVariables = [
'available_languages' => $AVAILABLE_LANGUAGES,
'lang' => $lang,
'skip_sogo' => (getenv('SKIP_SOGO') == 'y'),
+ 'allow_admin_email_login' => (getenv('ALLOW_ADMIN_EMAIL_LOGIN') == 'n'),
'mailcow_apps' => $MAILCOW_APPS,
'app_links' => customize('get', 'app_links'),
'is_root_uri' => (parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) == '/'),
diff --git a/data/web/inc/init_db.inc.php b/data/web/inc/init_db.inc.php
index c0c984b8..395ce2e1 100644
--- a/data/web/inc/init_db.inc.php
+++ b/data/web/inc/init_db.inc.php
@@ -3,7 +3,7 @@ function init_db_schema() {
try {
global $pdo;
- $db_version = "23082021_2224";
+ $db_version = "29102021_0620";
$stmt = $pdo->query("SHOW TABLES LIKE 'versions'");
$num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
@@ -364,6 +364,12 @@ function init_db_schema() {
"password" => "VARCHAR(255) NOT NULL",
"created" => "DATETIME(0) NOT NULL DEFAULT NOW(0)",
"modified" => "DATETIME ON UPDATE CURRENT_TIMESTAMP",
+ "imap_access" => "TINYINT(1) NOT NULL DEFAULT '1'",
+ "smtp_access" => "TINYINT(1) NOT NULL DEFAULT '1'",
+ "dav_access" => "TINYINT(1) NOT NULL DEFAULT '1'",
+ "eas_access" => "TINYINT(1) NOT NULL DEFAULT '1'",
+ "pop3_access" => "TINYINT(1) NOT NULL DEFAULT '1'",
+ "sieve_access" => "TINYINT(1) NOT NULL DEFAULT '1'",
"active" => "TINYINT(1) NOT NULL DEFAULT '1'"
),
"keys" => array(
diff --git a/data/web/js/site/debug.js b/data/web/js/site/debug.js
index ba08248f..8f2aa663 100644
--- a/data/web/js/site/debug.js
+++ b/data/web/js/site/debug.js
@@ -707,9 +707,7 @@ jQuery(function($){
$.each(data, function (i, item) {
if (item === null) { return true; }
item.username = escapeHtml(item.username);
- if (item.service == "smtp") { item.service = '' + item.service.toUpperCase() + '
'; }
- else if (item.service == "imap") { item.service = ' ' + item.service.toUpperCase() + '
'; }
- else { item.service = '' + item.service.toUpperCase() + '
'; }
+ item.service = '' + item.service.toUpperCase() + '
';
});
} else if (table == 'general_syslog') {
$.each(data, function (i, item) {
diff --git a/data/web/js/site/user.js b/data/web/js/site/user.js
index 6bfd8478..f37ae747 100644
--- a/data/web/js/site/user.js
+++ b/data/web/js/site/user.js
@@ -101,8 +101,8 @@ jQuery(function($){
$.each(data.sasl, function (i, item) {
var datetime = new Date(item.datetime.replace(/-/g, "/"));
var local_datetime = datetime.toLocaleDateString(undefined, {year: "numeric", month: "2-digit", day: "2-digit", hour: "2-digit", minute: "2-digit", second: "2-digit"});
- item.app_password ? app_password = ' (App)' : app_password = "", item.location ? ip_location = ' ' : ip_location = "";
- "smtp" == item.service ? service = '' + item.service.toUpperCase() + '
' : "imap" == item.service ? service = ' ' + item.service.toUpperCase() + "
" : service = '' + item.service.toUpperCase() + "
";
+ item.app_password ? app_password = ' App' : app_password = "", item.location ? ip_location = ' ' : ip_location = "";
+ service = '' + item.service.toUpperCase() + '
';
item.real_rip.startsWith("Web") ? real_rip = item.real_rip : real_rip = '' + item.real_rip + "";
ip_data = real_rip + ip_location + app_password;
$(".last-login").append('' + local_datetime + " " + service + " " + lang.from + " " + ip_data + "");
@@ -258,6 +258,7 @@ jQuery(function($){
{"name":"chkbox","title":"","style":{"maxWidth":"60px","width":"60px","text-align":"center"},"filterable": false,"sortable": false,"type":"html"},
{"sorted": true,"name":"id","title":"ID","style":{"maxWidth":"60px","width":"60px","text-align":"center"}},
{"name":"name","title":lang.app_name},
+ {"name":"protocols","title":lang.allowed_protocols},
{"name":"active","filterable": false,"style":{"maxWidth":"70px","width":"70px"},"title":lang.active,"formatter": function(value){return 1==value?'':0==value&&'';}},
{"name":"action","filterable": false,"sortable": false,"style":{"text-align":"right","min-width":"220px","width":"220px"},"type":"html","title":lang.action,"breakpoints":"xs sm"}
],
@@ -271,7 +272,15 @@ jQuery(function($){
},
success: function (data) {
$.each(data, function (i, item) {
- item.name = escapeHtml(item.name);
+ item.name = escapeHtml(item.name)
+ item.protocols = []
+ if (item.imap_access == 1) { item.protocols.push("IMAP"); }
+ if (item.smtp_access == 1) { item.protocols.push("SMTP"); }
+ if (item.eas_access == 1) { item.protocols.push("EAS/ActiveSync"); }
+ if (item.dav_access == 1) { item.protocols.push("DAV"); }
+ if (item.pop3_access == 1) { item.protocols.push("POP3"); }
+ if (item.sieve_access == 1) { item.protocols.push("Sieve"); }
+ item.protocols = item.protocols.join(" ")
if (acl_data.app_passwds === 1) {
item.action = '
+
+