From 6928eb632efbb0862d890005f54e314f272f3c81 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Mon, 26 Feb 2024 13:10:08 +0100 Subject: [PATCH 1/4] [Dovecot] move sogo sso to mailcowauth.php --- data/Dockerfiles/dovecot/docker-entrypoint.sh | 7 ------- data/conf/dovecot/auth/mailcowauth.php | 20 ++++++++++++++----- data/conf/dovecot/dovecot.conf | 1 - docker-compose.yml | 2 +- 4 files changed, 16 insertions(+), 14 deletions(-) diff --git a/data/Dockerfiles/dovecot/docker-entrypoint.sh b/data/Dockerfiles/dovecot/docker-entrypoint.sh index fef099cc..1f6a7dc2 100755 --- a/data/Dockerfiles/dovecot/docker-entrypoint.sh +++ b/data/Dockerfiles/dovecot/docker-entrypoint.sh @@ -200,13 +200,6 @@ EOF # Create random master Password for SOGo SSO RAND_PASS=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1) echo -n ${RAND_PASS} > /etc/phpfpm/sogo-sso.pass -cat < /etc/dovecot/sogo-sso.conf -# Autogenerated by mailcow -passdb { - driver = static - args = allow_real_nets=${IPV4_NETWORK}.248/32 password={plain}${RAND_PASS} -} -EOF if [[ "${MASTER}" =~ ^([nN][oO]|[nN])+$ ]]; then # Toggling MASTER will result in a rebuild of containers, so the quota script will be recreated diff --git a/data/conf/dovecot/auth/mailcowauth.php b/data/conf/dovecot/auth/mailcowauth.php index d2da4659..2c3c01b3 100644 --- a/data/conf/dovecot/auth/mailcowauth.php +++ b/data/conf/dovecot/auth/mailcowauth.php 
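Review bot: With the `passdb` block removed, nothing in this script consumes RAND_PASS any more, yet the comment above it still reads as if the Dovecot configuration were the consumer; name the actual reader, e.g. `# Random master password for SOGo SSO; consumed by mailcowauth.php (read as /etc/sogo-sso/sogo-sso.pass) and only honoured for requests from the SOGo container address`. The write path here is `/etc/phpfpm/sogo-sso.pass` while the PHP side reads `/etc/sogo-sso/sogo-sso.pass`, so presumably a volume mount bridges the two — stating that in the comment keeps the coupling visible. The `allow_real_nets` restriction the removed block enforced inside Dovecot now exists only in PHP, which nothing in this hunk records. Quote the expansion while here: `echo -n "${RAND_PASS}" > /etc/phpfpm/sogo-sso.pass`.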
@@ -45,20 +45,30 @@ require_once 'functions.auth.inc.php'; require_once 'sessions.inc.php'; require_once 'functions.mailbox.inc.php'; -// Init provider -$iam_provider = identity_provider('init'); - +$isSOGoRequest = $post['real_rip'] == getenv('IPV4_NETWORK') . '.248'; +$result = false; $protocol = $post['protocol']; -if ($post['real_rip'] == getenv('IPV4_NETWORK') . '.248') { +if ($isSOGoRequest) { $protocol = null; + // This is a SOGo Auth request. First check for SSO password. + $sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass"); + if ($sogo_sso_pass === $post['password']){ + error_log('MAILCOWAUTH: SOGo SSO auth for user ' . $post['username']); + $result = true; + } + } -$result = user_login($post['username'], $post['password'], $protocol, array('is_internal' => true)); if ($result === false){ $result = apppass_login($post['username'], $post['password'], $protocol, array( 'is_internal' => true, 'remote_addr' => $post['real_rip'] )); + if ($result) error_log('MAILCOWAUTH: App auth for user ' . $post['username']); +} +if ($result === false){ + $result = user_login($post['username'], $post['password'], $protocol, array('is_internal' => true)); + if ($result) error_log('MAILCOWAUTH: User auth for user ' . $post['username']); } if ($result) { diff --git a/data/conf/dovecot/dovecot.conf b/data/conf/dovecot/dovecot.conf index c61d9a1b..e14c445f 100644 --- a/data/conf/dovecot/dovecot.conf +++ b/data/conf/dovecot/dovecot.conf @@ -303,7 +303,6 @@ replication_dsync_parameters = -d -l 30 -U -n INBOX !include_try /etc/dovecot/sni.conf !include_try /etc/dovecot/sogo_trusted_ip.conf !include_try /etc/dovecot/extra.conf -!include_try /etc/dovecot/sogo-sso.conf !include_try /etc/dovecot/shared_namespace.conf # default_client_limit = 10400 diff --git a/docker-compose.yml b/docker-compose.yml index ea8f7feb..f882d94a 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
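Review bot: The SSO check `if ($sogo_sso_pass === $post['password'])` compares the shared secret with an ordinary string comparison and does not handle `file_get_contents` returning `false`; use a constant-time compare and fail closed when the file is missing: `if ($sogo_sso_pass !== false && is_string($post['password']) && hash_equals($sogo_sso_pass, $post['password'])) {`. Because the static passdb with `allow_real_nets` is dropped in the same patch, the only gate on this bypass is now `$isSOGoRequest`, which is a loose `==` against `$post['real_rip']`; make it `===` and document that `real_rip` is presumably supplied by Dovecot rather than by the client, since the whole check depends on that. The hunk also reorders authentication so `apppass_login` runs before `user_login` without saying why; if intentional, a one-line comment above the first `if ($result === false)` should explain the precedence. The trailing `if ($result) {` block continues outside the hunk.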
@@ -237,7 +237,7 @@ services: - sogo dovecot-mailcow: - image: mailcow/dovecot:nightly-20240208 + image: mailcow/dovecot:nightly-20240226 depends_on: - mysql-mailcow - netfilter-mailcow From d237157c0b743434ce213d895a130e02a0b06b3e Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Mon, 26 Feb 2024 13:12:44 +0100 Subject: [PATCH 2/4] init identity_provider only after all conditions are met --- data/conf/phpfpm/crons/keycloak-sync.php | 5 +++-- data/conf/phpfpm/crons/ldap-sync.php | 5 +++-- data/web/inc/functions.auth.inc.php | 4 ++-- data/web/inc/functions.inc.php | 8 ++++++++ 4 files changed, 16 insertions(+), 6 deletions(-) diff --git a/data/conf/phpfpm/crons/keycloak-sync.php b/data/conf/phpfpm/crons/keycloak-sync.php index 0525f957..3a7b1da7 100644 --- a/data/conf/phpfpm/crons/keycloak-sync.php +++ b/data/conf/phpfpm/crons/keycloak-sync.php @@ -70,8 +70,6 @@ $_SESSION['acl']['protocol_access'] = "1"; $_SESSION['acl']['mailbox_relayhost'] = "1"; $_SESSION['acl']['unlimited_quota'] = "1"; -// Init Keycloak Provider -$iam_provider = identity_provider('init'); $iam_settings = identity_provider('get'); if ($iam_settings['authsource'] != "keycloak" || (intval($iam_settings['periodic_sync']) != 1 && intval($iam_settings['import_users']) != 1)) { session_destroy(); @@ -109,6 +107,9 @@ $lock_file_handle = fopen($lock_file, 'w'); fwrite($lock_file_handle, getmypid()); fclose($lock_file_handle); +// Init Keycloak Provider +$iam_provider = identity_provider('init'); + // Loop until all users have been retrieved while (true) { // Get admin access token diff --git a/data/conf/phpfpm/crons/ldap-sync.php b/data/conf/phpfpm/crons/ldap-sync.php index 20cf7f29..1a53884c 100644 --- a/data/conf/phpfpm/crons/ldap-sync.php +++ b/data/conf/phpfpm/crons/ldap-sync.php 
@@ -70,8 +70,6 @@ $_SESSION['acl']['protocol_access'] = "1"; $_SESSION['acl']['mailbox_relayhost'] = "1"; $_SESSION['acl']['unlimited_quota'] = "1"; -// Init Provider -$iam_provider = identity_provider('init'); $iam_settings = identity_provider('get'); if ($iam_settings['authsource'] != "ldap" || (intval($iam_settings['periodic_sync']) != 1 && intval($iam_settings['import_users']) != 1)) { session_destroy(); @@ -109,6 +107,9 @@ $lock_file_handle = fopen($lock_file, 'w'); fwrite($lock_file_handle, getmypid()); fclose($lock_file_handle); +// Init Provider +$iam_provider = identity_provider('init'); + // Get ldap users $ldap_query = $iam_provider->query(); if (!empty($iam_settings['filter'])) { diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php index b7b8dbc6..78aca3c6 100644 --- a/data/web/inc/functions.auth.inc.php +++ b/data/web/inc/functions.auth.inc.php @@ -476,8 +476,8 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $extra = null){ } function ldap_mbox_login($user, $pass, $iam_settings, $extra = null){ global $pdo; - global $iam_provider; - + + $iam_provider = identity_provider(); $is_internal = $extra['is_internal']; $create = $extra['create']; diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index 88aa811e..bba46935 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -2099,12 +2099,20 @@ function uuid4() { } function identity_provider($_action, $_data = null, $_extra = null) { global $pdo; + global $iam_provider; $data_log = $_data; if (isset($data_log['client_secret'])) $data_log['client_secret'] = '*'; if (isset($data_log['access_token'])) $data_log['access_token'] = '*'; switch ($_action) { + case NULL: + if ($iam_provider) { + return $iam_provider; + } else { + $iam_provider = identity_provider("init"); + } + break; case 'get': $settings = array(); $stmt = $pdo->prepare("SELECT * FROM `identity_provider`;"); 
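Review bot: In the new `case NULL:` branch of `identity_provider()` the freshly created provider is stored in the global but the branch then reaches `break;` instead of returning it, so unless the code after the switch (outside this hunk) returns `$iam_provider`, the first `identity_provider()` call yields `null` — and `ldap_mbox_login` in the functions.auth.inc.php hunk depends on exactly that call before using the provider. `switch` also compares with `==`, so `''`, `0` and `false` actions would land in this branch as well. A guard before the switch fixes both: `if ($_action === null) { return $iam_provider ??= identity_provider('init'); }`. The keycloak-sync.php and ldap-sync.php hunks only move the `init` call after the lock file is taken and raise nothing on their own; `identity_provider` itself continues past the end of the hunk.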
From 881c2d6e022a69f41fd6b773f24413f7fa5a181b Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Mon, 26 Feb 2024 13:13:50 +0100 Subject: [PATCH 3/4] [SOGo] remove custom logout from toolbar --- data/conf/sogo/custom-sogo.js | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/data/conf/sogo/custom-sogo.js b/data/conf/sogo/custom-sogo.js index 0f1d5d34..e794372f 100644 --- a/data/conf/sogo/custom-sogo.js +++ b/data/conf/sogo/custom-sogo.js @@ -32,18 +32,16 @@ document.addEventListener('DOMContentLoaded', function () { return false; } function mcElementsExists() { - if (document.getElementById("mc_logout")) + if (document.getElementById("mc_backlink")) return true; else return false; } function addMCElements() { const toolbarElement = document.body.querySelector('.md-toolbar-tools.sg-toolbar-group-last.layout-align-end-center.layout-row'); - var htmlCode = '' + + var htmlCode = '' + 'build' + - '' + - 'settings_power' + - '
'; + ''; toolbarElement.insertAdjacentHTML('beforeend', htmlCode); } From 39a4b115ed11028a96afc191a089993a77372d30 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Mon, 26 Feb 2024 13:14:08 +0100 Subject: [PATCH 4/4] [SOGo] fix plist_ldap.sh example --- data/conf/sogo/plist_ldap.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/data/conf/sogo/plist_ldap.sh b/data/conf/sogo/plist_ldap.sh index c35949c6..1911cd18 100755 --- a/data/conf/sogo/plist_ldap.sh +++ b/data/conf/sogo/plist_ldap.sh @@ -3,15 +3,15 @@ domain="$1" gal_status="$2" -echo ' +echo " ' + -->"
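Review bot: `mcElementsExists()` still spells a boolean out as `if (...) return true; else return false;`; the changed line can simply become `return document.getElementById("mc_backlink") !== null;`. In `addMCElements()` the toolbar lookup is used without a null check, so `toolbarElement.insertAdjacentHTML(...)` throws whenever the selector does not match — that line is context rather than new, but a short `if (!toolbarElement) return;` would make the guard explicit. `var htmlCode` is never reassigned and could be `const`. The markup itself does not survive in this rendering of the hunk, so the rest of the concatenated string is not reviewable here.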