
Merge pull request #5764 from mailcow/fix/nightly-issues

Fix nightly issues with new ldap provider
Patrick Schult 1 year ago
parent
commit
a3af2d8392

+ 0 - 7
data/Dockerfiles/dovecot/docker-entrypoint.sh

@@ -200,13 +200,6 @@ EOF
 # Create random master Password for SOGo SSO
 RAND_PASS=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1)
 echo -n ${RAND_PASS} > /etc/phpfpm/sogo-sso.pass
-cat <<EOF > /etc/dovecot/sogo-sso.conf
-# Autogenerated by mailcow
-passdb {
-  driver = static
-  args = allow_real_nets=${IPV4_NETWORK}.248/32 password={plain}${RAND_PASS}
-}
-EOF
 
 if [[ "${MASTER}" =~ ^([nN][oO]|[nN])+$ ]]; then
   # Toggling MASTER will result in a rebuild of containers, so the quota script will be recreated

+ 15 - 5
data/conf/dovecot/auth/mailcowauth.php

@@ -45,20 +45,30 @@ require_once 'functions.auth.inc.php';
 require_once 'sessions.inc.php';
 require_once 'functions.mailbox.inc.php';
 
-// Init provider
-$iam_provider = identity_provider('init');
-
 
+$isSOGoRequest = $post['real_rip'] == getenv('IPV4_NETWORK') . '.248';
+$result = false;
 $protocol = $post['protocol'];
-if ($post['real_rip'] == getenv('IPV4_NETWORK') . '.248') {
+if ($isSOGoRequest) {
   $protocol = null;
+  // This is a SOGo Auth request. First check for SSO password.
+  $sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass");
+  if ($sogo_sso_pass === $post['password']){
+    error_log('MAILCOWAUTH: SOGo SSO auth for user ' . $post['username']);
+    $result = true;
+  }
+  
 }
-$result = user_login($post['username'], $post['password'], $protocol, array('is_internal' => true));
 if ($result === false){
   $result = apppass_login($post['username'], $post['password'], $protocol, array(
     'is_internal' => true,
     'remote_addr' => $post['real_rip']
   ));
+  if ($result) error_log('MAILCOWAUTH: App auth for user ' . $post['username']);
+}
+if ($result === false){
+  $result = user_login($post['username'], $post['password'], $protocol, array('is_internal' => true));
+  if ($result) error_log('MAILCOWAUTH: User auth for user ' . $post['username']);
 }
 
 if ($result) {
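Review bot: The SSO check in the added `if ($sogo_sso_pass === $post['password']){` compares a secret with `===`, whose early-exit byte comparison leaks timing information; use `hash_equals()` with the stored secret as the first argument. `file_get_contents` also returns `false` (and emits a warning) when the pass file is unreadable, which the strict comparison only rejects by accident, and `hash_equals()` raises a TypeError on non-string input, so guard both explicitly: `if ($sogo_sso_pass !== false && is_string($post['password']) && hash_equals($sogo_sso_pass, $post['password'])) {`. The new `$isSOGoRequest` line uses `==`; both sides are strings, so `===` is the safer choice. The script continues past the hunk.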

+ 0 - 1
data/conf/dovecot/dovecot.conf

@@ -303,7 +303,6 @@ replication_dsync_parameters = -d -l 30 -U -n INBOX
 !include_try /etc/dovecot/sni.conf
 !include_try /etc/dovecot/sogo_trusted_ip.conf
 !include_try /etc/dovecot/extra.conf
-!include_try /etc/dovecot/sogo-sso.conf
 !include_try /etc/dovecot/shared_namespace.conf
 # </Includes>
 default_client_limit = 10400

+ 3 - 2
data/conf/phpfpm/crons/keycloak-sync.php

@@ -70,8 +70,6 @@ $_SESSION['acl']['protocol_access'] = "1";
 $_SESSION['acl']['mailbox_relayhost'] = "1";
 $_SESSION['acl']['unlimited_quota'] = "1";
 
-// Init Keycloak Provider
-$iam_provider = identity_provider('init');
 $iam_settings = identity_provider('get');
 if ($iam_settings['authsource'] != "keycloak" || (intval($iam_settings['periodic_sync']) != 1 && intval($iam_settings['import_users']) != 1)) {
   session_destroy();
@@ -109,6 +107,9 @@ $lock_file_handle = fopen($lock_file, 'w');
 fwrite($lock_file_handle, getmypid());
 fclose($lock_file_handle);
 
+// Init Keycloak Provider
+$iam_provider = identity_provider('init');
+
 // Loop until all users have been retrieved
 while (true) {
   // Get admin access token

+ 3 - 2
data/conf/phpfpm/crons/ldap-sync.php

@@ -70,8 +70,6 @@ $_SESSION['acl']['protocol_access'] = "1";
 $_SESSION['acl']['mailbox_relayhost'] = "1";
 $_SESSION['acl']['unlimited_quota'] = "1";
 
-// Init Provider
-$iam_provider = identity_provider('init');
 $iam_settings = identity_provider('get');
 if ($iam_settings['authsource'] != "ldap" || (intval($iam_settings['periodic_sync']) != 1 && intval($iam_settings['import_users']) != 1)) {
   session_destroy();
@@ -109,6 +107,9 @@ $lock_file_handle = fopen($lock_file, 'w');
 fwrite($lock_file_handle, getmypid());
 fclose($lock_file_handle);
 
+// Init Provider
+$iam_provider = identity_provider('init');
+
 // Get ldap users
 $ldap_query = $iam_provider->query();
 if (!empty($iam_settings['filter'])) {

+ 3 - 5
data/conf/sogo/custom-sogo.js

@@ -32,18 +32,16 @@ document.addEventListener('DOMContentLoaded', function () {
             return false;
     }
     function mcElementsExists() {
-        if (document.getElementById("mc_logout"))
+        if (document.getElementById("mc_backlink"))
             return true;
         else 
             return false;
     }
     function addMCElements() {
         const toolbarElement = document.body.querySelector('.md-toolbar-tools.sg-toolbar-group-last.layout-align-end-center.layout-row');
-        var htmlCode = '<a class="md-icon-button md-button md-ink-ripple" aria-label="mailcow" href="/user" aria-hidden="false" tabindex="-1">' +
+        var htmlCode = '<a id="mc_backlink" class="md-icon-button md-button md-ink-ripple" aria-label="mailcow" href="/user" aria-hidden="false" tabindex="-1">' +
             '<md-icon class="material-icons" role="img" aria-label="build">build</md-icon>' +
-            '</a><a class="md-icon-button md-button md-ink-ripple" aria-label="mailcow" href="#" onclick="mc_logout.submit()" aria-hidden="false" tabindex="-1">' +
-            '<md-icon class="material-icons" role="img" aria-label="settings_power">settings_power</md-icon>' +
-            '</a><form action="/" method="post" id="mc_logout"><input type="hidden" name="logout"></form>';
+            '</a>';
         toolbarElement.insertAdjacentHTML('beforeend', htmlCode);
     }
 
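Review bot: The rewritten `mcElementsExists` still spells a boolean as an if/else pair around the new `document.getElementById("mc_backlink")` lookup; `return document.getElementById("mc_backlink") !== null;` says the same thing in one line. The `var htmlCode` it now builds is never reassigned, so `const` would fit the surrounding `const toolbarElement` style. The enclosing `DOMContentLoaded` handler starts outside the hunk.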

+ 4 - 4
data/conf/sogo/plist_ldap.sh

@@ -3,15 +3,15 @@
 domain="$1"
 gal_status="$2"
 
-echo '
+echo "
                 <!--
                 <example>
                     <key>canAuthenticate</key>
                     <string>YES</string>
                     <key>id</key>
-                    <string>'"${domain}_ldap"'</string>
+                    <string>"${domain}"_ldap</string>
                     <key>isAddressBook</key>
-                    <string>'"${gal_status}"'</string>
+                    <string>"${gal_status}"</string>
                     <key>IDFieldName</key>
                     <string>mail</string>
                     <key>UIDFieldName</key>
@@ -31,4 +31,4 @@ echo '
                     <key>hostname</key>
                     <string>ldap://1.2.3.4:389</string>
                 </example>
-                -->'
+                -->"
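Review bot: In the rewritten lines `<string>"${domain}"_ldap</string>` and `<string>"${gal_status}"</string>` the inner double quotes close and reopen the enclosing double-quoted `echo` argument, so `${domain}` and `${gal_status}` are expanded unquoted and become subject to word splitting and pathname globbing. Since the whole argument is now double-quoted there is no need to break out of it: `<string>${domain}_ldap</string>` and `<string>${gal_status}</string>`. Changing the outer quotes from single to double also means every `$`, backtick and backslash in the lines between the two hunks is now interpreted by the shell; the echo argument spans both hunks, so those unseen lines should be checked for such characters.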

+ 2 - 2
data/web/inc/functions.auth.inc.php

@@ -476,8 +476,8 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $extra = null){
 }
 function ldap_mbox_login($user, $pass, $iam_settings, $extra = null){
   global $pdo;
-  global $iam_provider;
-
+  
+  $iam_provider = identity_provider();
   $is_internal = $extra['is_internal'];
   $create = $extra['create'];
 
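Review bot: `$iam_provider = identity_provider();` passes no arguments, but the signature shown in this commit's data/web/inc/functions.inc.php hunk, `function identity_provider($_action, $_data = null, $_extra = null)`, leaves `$_action` without a default, so PHP throws an ArgumentCountError here before the new `case NULL` branch can ever run. Either call it as `$iam_provider = identity_provider(null);` or give the parameter a default, `function identity_provider($_action = null, $_data = null, $_extra = null)`. The body of `ldap_mbox_login` continues past the hunk.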

+ 8 - 0
data/web/inc/functions.inc.php

@@ -2099,12 +2099,20 @@ function uuid4() {
 }
 function identity_provider($_action, $_data = null, $_extra = null) {
   global $pdo;
+  global $iam_provider;
 
   $data_log = $_data;
   if (isset($data_log['client_secret'])) $data_log['client_secret'] = '*';
   if (isset($data_log['access_token'])) $data_log['access_token'] = '*';
 
   switch ($_action) {
+    case NULL:
+      if ($iam_provider) {
+        return $iam_provider;
+      } else {
+        $iam_provider = identity_provider("init");
+      }
+    break;
     case 'get':
       $settings = array();
       $stmt = $pdo->prepare("SELECT * FROM `identity_provider`;");
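Review bot: The new `case NULL:` branch returns the cached provider, but when it has to initialise one it assigns `$iam_provider` and then reaches `break`, so the first lazily-initialised call continues past the switch and returns whatever the function's tail returns (outside this hunk) instead of the provider the caller expects. Return on both paths: `if (!$iam_provider) { $iam_provider = identity_provider('init'); }` followed by `return $iam_provider;`. Note also that `switch` compares loosely, so `''`, `0` and `false` all satisfy `case NULL`; an `if ($_action === null)` guard placed before the switch avoids that. The function body continues past the hunk.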

+ 1 - 1
docker-compose.yml

@@ -237,7 +237,7 @@ services:
             - sogo
 
     dovecot-mailcow:
-      image: mailcow/dovecot:nightly-20240208
+      image: mailcow/dovecot:nightly-20240226
       depends_on:
         - mysql-mailcow
         - netfilter-mailcow