1
0
mirror of https://github.com/mailcow/mailcow-dockerized.git synced 2024-12-25 02:29:32 +02:00

add config ALLOW_ADMIN_EMAIL_LOGIN and implement password-less SOGo login admins

This commit is contained in:
Marcel Hofer 2019-02-23 17:59:18 +01:00
parent 9213d65c85
commit cac67db203
12 changed files with 1104 additions and 991 deletions

1
.gitignore vendored
View File

@ -24,6 +24,7 @@ data/conf/nginx/*.custom
data/conf/nginx/*.bak
data/conf/dovecot/acl_anyone
data/conf/dovecot/mail_plugins*
data/conf/dovecot/sogo-sso.conf
data/conf/dovecot/extra.conf
data/conf/rspamd/custom/*
data/conf/portainer/

View File

@ -118,6 +118,17 @@ default_pass_scheme = SSHA256
password_query = SELECT password FROM mailbox WHERE active = '1' AND username = '%u' AND domain IN (SELECT domain FROM domain WHERE domain='%d' AND active='1') AND JSON_EXTRACT(attributes, '$.force_pw_update') NOT LIKE '%%1%%'
EOF
if [[ "${ALLOW_ADMIN_EMAIL_LOGIN}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
cat <<EOF > /usr/local/etc/dovecot/sogo-sso.conf
passdb {
driver = static
args = password= allow_real_nets=${IPV4_NETWORK}.248/32
}
EOF
else
rm -f /usr/local/etc/dovecot/sogo-sso.conf
fi
# Create global sieve_after script
cat /usr/local/etc/dovecot/sieve_after > /var/vmail/sieve/global.sieve

View File

@ -389,4 +389,5 @@ auth_cache_negative_ttl = 0
auth_cache_ttl = 30 s
auth_cache_size = 2 M
!include_try /usr/local/etc/dovecot/extra.conf
!include_try /usr/local/etc/dovecot/sogo-sso.conf
default_client_limit = 10400

View File

@ -164,6 +164,17 @@ server {
client_max_body_size 0;
}
# auth_request endpoint if ALLOW_ADMIN_EMAIL_LOGIN is set
location /sogo-auth-verify {
internal;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header Content-Length "";
proxy_pass http://127.0.0.1:80/sogo-auth;
proxy_pass_request_body off;
}
location ^~ /SOGo {
include /etc/nginx/conf.d/sogo.active;
proxy_set_header X-Real-IP $remote_addr;

View File

@ -0,0 +1,7 @@
if printf "%s\n" "${ALLOW_ADMIN_EMAIL_LOGIN}" | grep -E '^([yY][eE][sS]|[yY])+$' >/dev/null; then
echo '
auth_request /sogo-auth-verify;
auth_request_set $user $upstream_http_x_username;
proxy_set_header x-webobjects-remote-user $user;
'
fi

View File

@ -83,4 +83,6 @@
//SOGoUIxDebugEnabled = YES;
//WODontZipResponse = YES;
WOLogFile = "/dev/sogo_log";
SOGoTrustProxyAuthentication = YES;
}

File diff suppressed because it is too large Load Diff

View File

@ -348,6 +348,11 @@ $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? 'true' : 'false';
echo "var role = '". $role . "';\n";
echo "var is_dual = " . $is_dual . ";\n";
echo "var pagination_size = '". $PAGINATION_SIZE . "';\n";
$ALLOW_ADMIN_EMAIL_LOGIN = (preg_match(
"/^([yY][eE][sS]|[yY])+$/",
$_ENV["ALLOW_ADMIN_EMAIL_LOGIN"]
)) ? "true" : "false";
echo "var ALLOW_ADMIN_EMAIL_LOGIN = " . $ALLOW_ADMIN_EMAIL_LOGIN . ";\n";
?>
</script>
<?php

62
data/web/sogo-auth.php Normal file
View File

@ -0,0 +1,62 @@
<?php
/**
* currently disabled: we could add auth_request to ningx sogo_eas.template
* but this seems to be not required with the postfix allow_real_nets option
*/
/*
if (substr($_SERVER['HTTP_X_ORIGINAL_URI'], 0, 28) === "/Microsoft-Server-ActiveSync") {
require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
$server=print_r($_SERVER, true);
$username = $_SERVER['PHP_AUTH_USER'];
$password = $_SERVER['PHP_AUTH_PW'];
$login_check = check_login($username, $password);
if ($login_check !== 'user') {
header('HTTP/1.0 401 Unauthorized');
echo 'Invalid login';
exit;
} else {
echo 'Login OK';
exit;
}
} else {
// other code
}
*/
$ALLOW_ADMIN_EMAIL_LOGIN = (preg_match(
"/^([yY][eE][sS]|[yY])+$/",
$_ENV["ALLOW_ADMIN_EMAIL_LOGIN"]
));
$session_variable = 'sogo-sso-user';
if (!$ALLOW_ADMIN_EMAIL_LOGIN) {
header("Location: /");
exit;
} else if (isset($_GET['login'])) {
require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['acl']['login_as'] == "1") {
$login = html_entity_decode(rawurldecode($_GET["login"]));
if (filter_var($login, FILTER_VALIDATE_EMAIL)) {
if (!empty(mailbox('get', 'mailbox_details', $login))) {
$_SESSION[$session_variable] = $login;
header("Location: /SOGo/");
exit;
}
}
}
header("Location: /");
exit;
} else {
// this is an nginx auth_request call, we check for an existing sogo-sso-user session variable
session_start();
$username = "";
if (isset($_SESSION[$session_variable]) && filter_var($_SESSION[$session_variable], FILTER_VALIDATE_EMAIL)) {
$username = $_SESSION[$session_variable];
}
// if username is empty, SOGo will display the normal login form
header("X-Username: $username");
exit;
}

View File

@ -130,6 +130,7 @@ services:
- API_ALLOW_FROM=${API_ALLOW_FROM:-invalid}
- COMPOSE_PROJECT_NAME=${COMPOSE_PROJECT_NAME:-mailcow-dockerized}
- SKIP_SOLR=${SKIP_SOLR:-y}
- ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
restart: always
dns:
- ${IPV4_NETWORK:-172.22.1}.254
@ -185,6 +186,8 @@ services:
- DBUSER=${DBUSER}
- DBPASS=${DBPASS}
- TZ=${TZ}
- IPV4_NETWORK=${IPV4_NETWORK:-172.22.1}
- ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
- MAILDIR_GC_TIME=${MAILDIR_GC_TIME:-1440}
- ACL_ANYONE=${ACL_ANYONE:-disallow}
- SKIP_SOLR=${SKIP_SOLR:-y}
@ -260,7 +263,8 @@ services:
command: /bin/sh -c "envsubst < /etc/nginx/conf.d/templates/listen_plain.template > /etc/nginx/conf.d/listen_plain.active &&
envsubst < /etc/nginx/conf.d/templates/listen_ssl.template > /etc/nginx/conf.d/listen_ssl.active &&
envsubst < /etc/nginx/conf.d/templates/server_name.template > /etc/nginx/conf.d/server_name.active &&
envsubst < /etc/nginx/conf.d/templates/sogo.template > /etc/nginx/conf.d/sogo.active &&
. /etc/nginx/conf.d/templates/sogo.auth_request.template.sh > /etc/nginx/conf.d/sogo.active &&
envsubst < /etc/nginx/conf.d/templates/sogo.template >> /etc/nginx/conf.d/sogo.active &&
envsubst < /etc/nginx/conf.d/templates/sogo_eas.template > /etc/nginx/conf.d/sogo_eas.active &&
nginx -qt &&
until ping phpfpm -c1 > /dev/null; do sleep 1; done &&
@ -274,6 +278,7 @@ services:
- MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
- IPV4_NETWORK=${IPV4_NETWORK:-172.22.1}
- TZ=${TZ}
- ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
volumes:
- ./data/web:/web:ro
- ./data/conf/rspamd/dynmaps:/dynmaps:ro

View File

@ -200,6 +200,10 @@ SOLR_HEAP=1024
USE_WATCHDOG=n
# Allow admins to log into SOGo as email user (without any password)
ALLOW_ADMIN_EMAIL_LOGIN=n
# Send notifications by mail (no DKIM signature, sent from watchdog@MAILCOW_HOSTNAME)
# Can by multiple rcpts, NO quotation marks

View File

@ -130,6 +130,7 @@ CONFIG_ARRAY=(
"ACL_ANYONE"
"SOLR_HEAP"
"SKIP_SOLR"
"ALLOW_ADMIN_EMAIL_LOGIN"
)
sed -i '$a\' mailcow.conf