Gnous/mailcow
2
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

add random masterpass for sogo admin login

Browse Source 
add required headers for sogo proxy auth with password
add SOGoEncryptionKey
add SOGoTrustProxyAuthentication only conditionally if feature is enabled
This commit is contained in:
Marcel Hofer 2019-02-26 09:02:35 +01:00
parent 937cdadd36
commit dd6d253ac0
7 changed files with 51 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
data/Dockerfiles/dovecot/docker-entrypoint.sh
View File

@ -118,17 +118,6 @@ default_pass_scheme = SSHA256
password_query = SELECT password FROM mailbox WHERE active = '1' AND username = '%u' AND domain IN (SELECT domain FROM domain WHERE domain='%d' AND active='1') AND JSON_EXTRACT(attributes, '$.force_pw_update') NOT LIKE '%%1%%' password_query = SELECT password FROM mailbox WHERE active = '1' AND username = '%u' AND domain IN (SELECT domain FROM domain WHERE domain='%d' AND active='1') AND JSON_EXTRACT(attributes, '$.force_pw_update') NOT LIKE '%%1%%'
EOF EOF
if [[ "${ALLOW_ADMIN_EMAIL_LOGIN}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
cat <<EOF > /usr/local/etc/dovecot/sogo-sso.conf
passdb {
driver = static
args = password= allow_real_nets=${IPV4_NETWORK}.248/32
}
EOF
else
rm -f /usr/local/etc/dovecot/sogo-sso.conf
fi
# Create global sieve_after script # Create global sieve_after script
cat /usr/local/etc/dovecot/sieve_after > /var/vmail/sieve/global.sieve cat /usr/local/etc/dovecot/sieve_after > /var/vmail/sieve/global.sieve
@ -146,6 +135,21 @@ echo ${RAND_USER}@mailcow.local:{SHA1}$(echo -n ${RAND_PASS} | sha1sum | awk '{p
echo ${RAND_USER}@mailcow.local::5000:5000:::: > /usr/local/etc/dovecot/dovecot-master.userdb echo ${RAND_USER}@mailcow.local::5000:5000:::: > /usr/local/etc/dovecot/dovecot-master.userdb
echo ${RAND_USER}@mailcow.local:${RAND_PASS} > /etc/sogo/sieve.creds echo ${RAND_USER}@mailcow.local:${RAND_PASS} > /etc/sogo/sieve.creds
if [[ "${ALLOW_ADMIN_EMAIL_LOGIN}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
# Create random master Password for SOGo 'login as user' via proxy auth
RAND_PASS=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1)
echo -n ${RAND_PASS} > /etc/phpfpm/sogo-sso.pass
cat <<EOF > /usr/local/etc/dovecot/sogo-sso.conf
passdb {
driver = static
args = allow_real_nets=${IPV4_NETWORK}.248/32 password={plain}${RAND_PASS}
}
EOF
else
rm -f /usr/local/etc/dovecot/sogo-sso.pass
rm -f /usr/local/etc/dovecot/sogo-sso.conf
fi
# 401 is user dovecot # 401 is user dovecot
if [[ ! -s /mail_crypt/ecprivkey.pem || ! -s /mail_crypt/ecpubkey.pem ]]; then if [[ ! -s /mail_crypt/ecprivkey.pem || ! -s /mail_crypt/ecpubkey.pem ]]; then
openssl ecparam -name prime256v1 -genkey | openssl pkey -out /mail_crypt/ecprivkey.pem openssl ecparam -name prime256v1 -genkey | openssl pkey -out /mail_crypt/ecprivkey.pem

11
data/Dockerfiles/sogo/bootstrap-sogo.sh
View File

@ -88,6 +88,13 @@ mkdir -p /var/lib/sogo/GNUstep/Defaults/
# Force-remove lines from sogo.conf # Force-remove lines from sogo.conf
sed -i '/SOGoIMAPServer/d' /etc/sogo/sogo.conf sed -i '/SOGoIMAPServer/d' /etc/sogo/sogo.conf
if [[ "${ALLOW_ADMIN_EMAIL_LOGIN}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
TRUST_PROXY="YES"
else
TRUST_PROXY="NO"
fi
RAND_PASS=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 24 | head -n 1)
# Generate plist header with timezone data # Generate plist header with timezone data
cat <<EOF > /var/lib/sogo/GNUstep/Defaults/sogod.plist cat <<EOF > /var/lib/sogo/GNUstep/Defaults/sogod.plist
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
@ -98,6 +105,10 @@ cat <<EOF > /var/lib/sogo/GNUstep/Defaults/sogod.plist
<string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_acl</string> <string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_acl</string>
<key>SOGoIMAPServer</key> <key>SOGoIMAPServer</key>
<string>imap://${IPV4_NETWORK}.250:143/?tls=YES</string> <string>imap://${IPV4_NETWORK}.250:143/?tls=YES</string>
<key>SOGoTrustProxyAuthentication</key>
<string>${TRUST_PROXY}</string>
<key>SOGoEncryptionKey</key>
<string>${RAND_PASS}</string>
<key>OCSCacheFolderURL</key> <key>OCSCacheFolderURL</key>
<string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_cache_folder</string> <string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_cache_folder</string>
<key>OCSEMailAlarmsFolderURL</key> <key>OCSEMailAlarmsFolderURL</key>

12
data/conf/nginx/templates/sogo.auth_request.template.sh
View File

@ -1,8 +1,10 @@
if printf "%s\n" "${ALLOW_ADMIN_EMAIL_LOGIN}" | grep -E '^([yY][eE][sS]|[yY])+$' >/dev/null; then if printf "%s\n" "${ALLOW_ADMIN_EMAIL_LOGIN}" | grep -E '^([yY][eE][sS]|[yY])+$' >/dev/null; then
echo 'auth_request /sogo-auth-verify; echo 'auth_request /sogo-auth-verify;
auth_request_set $user $upstream_http_x_username; auth_request_set $user $upstream_http_x_user;
proxy_set_header x-webobjects-remote-user $user; auth_request_set $auth $upstream_http_x_auth;
if ($args ~* (.*)(account=(?!0))(.*)) { auth_request_set $auth_type $upstream_http_x_auth_type;
return 401; proxy_set_header x-webobjects-remote-user "$user";
}' proxy_set_header Authorization "$auth";
proxy_set_header x-webobjects-auth-type "$auth_type";
'
fi fi

0
data/conf/phpfpm/sogo-sso/.gitkeep Normal file
View File

2
data/conf/sogo/sogo.conf
View File

@ -82,6 +82,4 @@
//SOGoUIxDebugEnabled = YES; //SOGoUIxDebugEnabled = YES;
//WODontZipResponse = YES; //WODontZipResponse = YES;
WOLogFile = "/dev/sogo_log"; WOLogFile = "/dev/sogo_log";
SOGoTrustProxyAuthentication = YES;
} }

23
data/web/sogo-auth.php
View File

@ -30,7 +30,8 @@ $ALLOW_ADMIN_EMAIL_LOGIN = (preg_match(
$_ENV["ALLOW_ADMIN_EMAIL_LOGIN"] $_ENV["ALLOW_ADMIN_EMAIL_LOGIN"]
)); ));
$session_variable = 'sogo-sso-user'; $session_var_user = 'sogo-sso-user';
$session_var_pass = 'sogo-sso-pass';
if (!$ALLOW_ADMIN_EMAIL_LOGIN) { if (!$ALLOW_ADMIN_EMAIL_LOGIN) {
header("Location: /"); header("Location: /");
@ -42,7 +43,9 @@ elseif (isset($_GET['login'])) {
$login = html_entity_decode(rawurldecode($_GET["login"])); $login = html_entity_decode(rawurldecode($_GET["login"]));
if (filter_var($login, FILTER_VALIDATE_EMAIL)) { if (filter_var($login, FILTER_VALIDATE_EMAIL)) {
if (!empty(mailbox('get', 'mailbox_details', $login))) { if (!empty(mailbox('get', 'mailbox_details', $login))) {
$_SESSION[$session_variable] = $login; $sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass");
$_SESSION[$session_var_user] = $login;
$_SESSION[$session_var_pass] = $sogo_sso_pass;
header("Location: /SOGo/"); header("Location: /SOGo/");
exit; exit;
} }
@ -54,11 +57,17 @@ elseif (isset($_GET['login'])) {
else { else {
// this is an nginx auth_request call, we check for an existing sogo-sso-user session variable // this is an nginx auth_request call, we check for an existing sogo-sso-user session variable
session_start(); session_start();
$username = ""; if (isset($_SESSION[$session_var_user]) && filter_var($_SESSION[$session_var_user], FILTER_VALIDATE_EMAIL)) {
if (isset($_SESSION[$session_variable]) && filter_var($_SESSION[$session_variable], FILTER_VALIDATE_EMAIL)) { $username = $_SESSION[$session_var_user];
$username = $_SESSION[$session_variable]; $password = $_SESSION[$session_var_pass];
} header("X-User: $username");
header("X-Auth: Basic ".base64_encode("$username:$password"));
header("X-Auth-Type: Basic");
} else {
// if username is empty, SOGo will display the normal login form // if username is empty, SOGo will display the normal login form
header("X-Username: $username"); header("X-User: ");
header("X-Auth: ");
header("X-Auth-Type: ");
}
exit; exit;
} }

2
docker-compose.yml
View File

@ -106,6 +106,7 @@ services:
- mysql-socket-vol-1:/var/run/mysqld/ - mysql-socket-vol-1:/var/run/mysqld/
- ./data/conf/sogo/:/etc/sogo/ - ./data/conf/sogo/:/etc/sogo/
- ./data/conf/rspamd/meta_exporter:/meta_exporter:ro - ./data/conf/rspamd/meta_exporter:/meta_exporter:ro
- ./data/conf/phpfpm/sogo-sso/:/etc/sogo-sso/
- ./data/conf/phpfpm/php-fpm.d/pools.conf:/usr/local/etc/php-fpm.d/z-pools.conf - ./data/conf/phpfpm/php-fpm.d/pools.conf:/usr/local/etc/php-fpm.d/z-pools.conf
- ./data/conf/phpfpm/php-conf.d/opcache-recommended.ini:/usr/local/etc/php/conf.d/opcache-recommended.ini - ./data/conf/phpfpm/php-conf.d/opcache-recommended.ini:/usr/local/etc/php/conf.d/opcache-recommended.ini
- ./data/conf/phpfpm/php-conf.d/upload.ini:/usr/local/etc/php/conf.d/upload.ini - ./data/conf/phpfpm/php-conf.d/upload.ini:/usr/local/etc/php/conf.d/upload.ini
@ -175,6 +176,7 @@ services:
- ./data/conf/dovecot:/usr/local/etc/dovecot - ./data/conf/dovecot:/usr/local/etc/dovecot
- ./data/assets/ssl:/etc/ssl/mail/:ro - ./data/assets/ssl:/etc/ssl/mail/:ro
- ./data/conf/sogo/:/etc/sogo/ - ./data/conf/sogo/:/etc/sogo/
- ./data/conf/phpfpm/sogo-sso/:/etc/phpfpm/
- vmail-vol-1:/var/vmail - vmail-vol-1:/var/vmail
- vmail-attachments-vol-1:/var/attachments - vmail-attachments-vol-1:/var/attachments
- crypt-vol-1:/mail_crypt/ - crypt-vol-1:/mail_crypt/