From 766c5e85801b9719e3447b935f03bb5dd84fda9e Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Wed, 9 Apr 2025 08:02:30 +0200 Subject: [PATCH 1/6] [Dovecot] Ignore app passwords protocol access on SOGo request --- data/conf/dovecot/auth/mailcowauth.php | 4 +++- data/conf/dovecot/auth/passwd-verify.lua | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/data/conf/dovecot/auth/mailcowauth.php b/data/conf/dovecot/auth/mailcowauth.php index 667419c57..4eda382b7 100644 --- a/data/conf/dovecot/auth/mailcowauth.php +++ b/data/conf/dovecot/auth/mailcowauth.php @@ -79,7 +79,9 @@ if ($isSOGoRequest) { } } if ($result === false){ - $result = apppass_login($post['username'], $post['password'], array($post['service'] => true), array( + // If it's a SOGo Request, don't check for protocol access + $service = (isSOGoRequest) ? false : array($post['service'] => true); + $result = apppass_login($post['username'], $post['password'], $service, array( 'is_internal' => true, 'remote_addr' => $post['real_rip'] )); diff --git a/data/conf/dovecot/auth/passwd-verify.lua b/data/conf/dovecot/auth/passwd-verify.lua index 18c18dbe3..19dcc4bd6 100644 --- a/data/conf/dovecot/auth/passwd-verify.lua +++ b/data/conf/dovecot/auth/passwd-verify.lua @@ -29,7 +29,7 @@ function auth_password_verify(request, password) insecure = true } - if c ~= 200 then + if c ~= 200 and c ~= 401 then dovecot.i_info("HTTP request failed with " .. c .. " for user " .. request.user) return dovecot.auth.PASSDB_RESULT_INTERNAL_FAILURE, "Upstream error" end From c4d0f35008b9dfa1f8f2e87e55d308cc220bf181 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Tue, 15 Apr 2025 10:49:56 +0200 Subject: [PATCH 2/6] [Dovecot] Fix EAS login and improve logging --- data/conf/dovecot/auth/mailcowauth.php | 2 +- data/conf/dovecot/auth/passwd-verify.lua | 11 +++++++++-- 2 files changed, 10 insertions(+), 3 deletions(-) 
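Review bot: The added ternary tests `(isSOGoRequest)` without the `$`, so PHP reads it as a bare constant rather than the variable used in the `if ($isSOGoRequest)` context line above. Depending on the PHP version that is either a fatal error inside the auth script or a non-empty string that always selects `false`, which would skip the app-password protocol check for every request, not only SOGo ones. The line should read `$service = ($isSOGoRequest) ? false : array($post['service'] => true);`. Patch 2/6 of this series makes that correction, so 1/6 should not be applied or backported on its own. The surrounding `if ($result === false)` block continues outside the hunk.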
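Review bot: Letting `c == 401` fall through needs a comment, because the condition no longer reads as "anything but 200 is an upstream error". Something like `-- 401 is the backend's answer for rejected credentials; let the JSON body decide below` above the `if` would state the intent. The `insecure = true` context line at the top of the hunk suggests certificate verification is turned off for this request. If the call carries the user's password, as the function name implies, a comment should record why that is acceptable here (for example a container-internal endpoint), or verification should be enabled. The request table and the rest of `auth_password_verify` lie outside the hunk.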
diff --git a/data/conf/dovecot/auth/mailcowauth.php b/data/conf/dovecot/auth/mailcowauth.php index 4eda382b7..c625522ba 100644 --- a/data/conf/dovecot/auth/mailcowauth.php +++ b/data/conf/dovecot/auth/mailcowauth.php @@ -80,7 +80,7 @@ if ($isSOGoRequest) { } if ($result === false){ // If it's a SOGo Request, don't check for protocol access - $service = (isSOGoRequest) ? false : array($post['service'] => true); + $service = ($isSOGoRequest) ? false : array($post['service'] => true); $result = apppass_login($post['username'], $post['password'], $service, array( 'is_internal' => true, 'remote_addr' => $post['real_rip'] diff --git a/data/conf/dovecot/auth/passwd-verify.lua b/data/conf/dovecot/auth/passwd-verify.lua index 19dcc4bd6..b8843c996 100644 --- a/data/conf/dovecot/auth/passwd-verify.lua +++ b/data/conf/dovecot/auth/passwd-verify.lua @@ -34,8 +34,15 @@ function auth_password_verify(request, password) return dovecot.auth.PASSDB_RESULT_INTERNAL_FAILURE, "Upstream error" end - local api_response = json.decode(table.concat(res)) - if api_response.success == true then + local response_str = table.concat(res) + local is_response_valid, response_json = pcall(json.decode, response_str) + + if not is_response_valid then + dovecot.i_info("Invalid JSON received: " .. response_str) + return dovecot.auth.PASSDB_RESULT_INTERNAL_FAILURE, "Invalid response format" + end + + if response_json.success == true then return dovecot.auth.PASSDB_RESULT_OK, "" end From d8c6ed919144b0b97eaa9a329fe3366a04c422e7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andreas=20K=C3=BChn?= Date: Tue, 22 Apr 2025 14:23:33 +0200 Subject: [PATCH 3/6] Check if skip_sogo is not set before redirecting to SOGo --- data/web/inc/triggers.user.inc.php | 4 ++-- data/web/index.php | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/data/web/inc/triggers.user.inc.php b/data/web/inc/triggers.user.inc.php index 33eb83e7b..07dc0372e 100644 --- a/data/web/inc/triggers.user.inc.php 
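Review bot: The comment `// If it's a SOGo Request, don't check for protocol access` should also say why that is safe, since passing `false` as `$service` drops the per-protocol restriction of an app password for any request the flag marks as SOGo. How `$isSOGoRequest` is set is outside this hunk. If it depends on anything a client can influence, the restriction can be sidestepped, so the comment should name the trusted signal it relies on, for example `// $isSOGoRequest is derived from <trusted signal>; app passwords are then accepted regardless of protocol`. `<trusted signal>` is a placeholder to be filled in from the code above the hunk.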
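Review bot: `pcall(json.decode, response_str)` only catches a decode error; a body that decodes to something other than a table (for example a bare `null` or a number) may still make `response_json.success` fail on indexing, depending on the JSON library. Extending the guard to `if not is_response_valid or type(response_json) ~= "table" then` keeps that case on the same failure path. The `dovecot.i_info("Invalid JSON received: " .. response_str)` line also writes the whole upstream body to the log. Logging its length or a short prefix, e.g. `response_str:sub(1, 200)`, bounds the log volume and avoids copying backend content into logs. The function's return for the non-success case is outside the hunk.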
+++ b/data/web/inc/triggers.user.inc.php @@ -76,7 +76,7 @@ if (isset($_POST["verify_tfa_login"])) { $user_details = mailbox("get", "mailbox_details", $_SESSION['mailcow_cc_username']); $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false; - if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual) { + if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual && getenv('SKIP_SOGO') != "y") { header("Location: /SOGo/so/{$_SESSION['mailcow_cc_username']}"); die(); } else { @@ -139,7 +139,7 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) { $user_details = mailbox("get", "mailbox_details", $login_user); $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false; - if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual) { + if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual && getenv('SKIP_SOGO') != "y") { header("Location: /SOGo/so/{$login_user}"); die(); } else { diff --git a/data/web/index.php b/data/web/index.php index 1e91cb785..f306f1aed 100644 --- a/data/web/index.php +++ b/data/web/index.php @@ -11,7 +11,7 @@ if (isset($_SESSION['mailcow_cc_role']) && isset($_SESSION['oauth2_request'])) { elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'user') { $user_details = mailbox("get", "mailbox_details", $_SESSION['mailcow_cc_username']); $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false; - if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual) { + if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual && getenv('SKIP_SOGO') != "y") { header("Location: /SOGo/so/{$_SESSION['mailcow_cc_username']}"); } else { header("Location: /user"); From aa4125fe62d3a0e7ebfe5899ab614fb9f3ba01ec Mon Sep 17 00:00:00 2001 
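Review bot: The new condition `getenv('SKIP_SOGO') != "y"` is pasted into three places (both hunks of `triggers.user.inc.php` and the one in `index.php`), so the redirect decision can drift the next time one copy is edited. It is also a loose, case-sensitive comparison: `SKIP_SOGO=Y` or `yes` would still redirect users to `/SOGo/so/...`, presumably toward a SOGo instance that is not running. A single helper or a flag computed once, compared as `strtolower((string) getenv('SKIP_SOGO')) !== 'y'`, would keep the three sites in step. In `index.php` the `header("Location: ...")` calls are not followed by `die()` within the hunk, unlike the two sites in `triggers.user.inc.php`; the rest of that branch is outside the hunk, so confirm nothing else runs after the redirect.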
From: DerLinkman Date: Wed, 23 Apr 2025 15:13:52 +0200 Subject: [PATCH 4/6] sogo: enabled SOGoEnableMailCleaning per default --- data/conf/sogo/sogo.conf | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/data/conf/sogo/sogo.conf b/data/conf/sogo/sogo.conf index 8455f0cf3..2c8d80a12 100644 --- a/data/conf/sogo/sogo.conf +++ b/data/conf/sogo/sogo.conf @@ -16,6 +16,9 @@ SOGoFoldersSendEMailNotifications = YES; SOGoForwardEnabled = YES; + // Added with SOGo 5.12 - Allows users to cleanup there maildirectories by deleting mails oder than X + SOGoEnableMailCleaning = YES; + // Fixes "MODIFICATION_FAILED" error (HTTP 412) in Clients when accepting invitations from external services SOGoDisableOrganizerEventCheck = YES; @@ -91,7 +94,7 @@ //SoDebugBaseURL = YES; //ImapDebugEnabled = YES; //SOGoEASDebugEnabled = YES; - SOGoEASSearchInBody = YES; // Experimental. Enabled since 2023-10 + SOGoEASSearchInBody = YES; //LDAPDebugEnabled = YES; //PGDebugEnabled = YES; //MySQL4DebugEnabled = YES; From 06b3ba91a045330daaa786203c897c4df7174653 Mon Sep 17 00:00:00 2001 From: milkmaker Date: Sun, 27 Apr 2025 18:47:08 +0200 Subject: [PATCH 5/6] [Web] Updated lang.zh-cn.json (#6502) Co-authored-by: Easton Man --- data/web/lang/lang.zh-cn.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/data/web/lang/lang.zh-cn.json b/data/web/lang/lang.zh-cn.json index f9bb481da..486e8dcc3 100644 --- a/data/web/lang/lang.zh-cn.json +++ b/data/web/lang/lang.zh-cn.json @@ -108,7 +108,8 @@ "timeout2": "本地主机连接超时时间", "username": "用户名", "validate": "验证", - "validation_success": "验证成功" + "validation_success": "验证成功", + "dry": "模拟同步(Dry run)" }, "admin": { "access": "权限管理", @@ -994,7 +995,7 @@ "neutral_danger": "无危险等级", "notified": "已发送通知", "qhandler_success": "已成功向系统发送请求,现在你可以关闭这个窗口了。", - "qid": "Rspamd QID", + "qid": "Rspamd 队列ID(QID)", "qinfo": "隔离系统会把已被拒绝接收的邮件以及作为拷贝发送到垃圾箱的邮件保存到数据库中 (发件人会知道)。\r\n
\"学习为垃圾并删除\" 会根据贝叶斯定理将消息作为垃圾学习并计算其模糊特征以拒绝未来收到相似消息。\r\n
请注意,这取决于你的系统资源,学习多个消息可能会花费较长时间。
黑名单中项目会被隔离系统排除。", "qitem": "隔离项目", "quarantine": "隔离", From 401b744808ff127b625001d8512d80d108d58a6a Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Thu, 8 May 2025 11:38:29 +0200 Subject: [PATCH 6/6] [Dovecot] return PASSDB_RESULT_PASSWORD_MISMATCH instead of PASSDB_RESULT_INTERNAL_FAILURE --- data/conf/dovecot/auth/passwd-verify.lua | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/data/conf/dovecot/auth/passwd-verify.lua b/data/conf/dovecot/auth/passwd-verify.lua index b8843c996..ea847932d 100644 --- a/data/conf/dovecot/auth/passwd-verify.lua +++ b/data/conf/dovecot/auth/passwd-verify.lua @@ -29,9 +29,12 @@ function auth_password_verify(request, password) insecure = true } + -- Returning PASSDB_RESULT_PASSWORD_MISMATCH will reset the user's auth cache entry. + -- Returning PASSDB_RESULT_INTERNAL_FAILURE keeps the existing cache entry, + -- even if the TTL has expired. Useful to avoid cache eviction during backend issues. if c ~= 200 and c ~= 401 then dovecot.i_info("HTTP request failed with " .. c .. " for user " .. request.user) - return dovecot.auth.PASSDB_RESULT_INTERNAL_FAILURE, "Upstream error" + return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Upstream error" end local response_str = table.concat(res) @@ -39,7 +42,7 @@ function auth_password_verify(request, password) if not is_response_valid then dovecot.i_info("Invalid JSON received: " .. response_str) - return dovecot.auth.PASSDB_RESULT_INTERNAL_FAILURE, "Invalid response format" + return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Invalid response format" end if response_json.success == true then
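Review bot: The added comment says `PASSDB_RESULT_INTERNAL_FAILURE` is "useful to avoid cache eviction during backend issues", yet both changed returns (the `c ~= 200 and c ~= 401` branch here and the invalid-JSON branch in the next hunk) now return `PASSDB_RESULT_PASSWORD_MISMATCH`, so the comment reads as arguing for the code that was removed. If failing closed is the intent, say so directly, for instance `-- Fail closed: treat backend errors as a mismatch so an expired cache entry (possibly a revoked or changed password) is not kept alive while the backend is unreachable.` The trade-off deserves a mention too: clients get a wrong-password answer during an outage, and anything that counts failed logins will count these. Logging these branches with `dovecot.i_warning` instead of `dovecot.i_info` would help tell an outage from a guessing attempt.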