Merge branch 'app-passwd-daveas' into staging

2021-10-29 06:50:23 +02:00 · 2021-10-29 06:50:23 +02:00 · 09d763548c
parent 6bf70cf846 e391b054d3
commit 09d763548c
26 changed files with 209 additions and 57 deletions
--- a/data/Dockerfiles/dovecot/docker-entrypoint.sh
+++ b/data/Dockerfiles/dovecot/docker-entrypoint.sh
@ -163,12 +163,13 @@ function auth_password_verify(req, pass)
    row = cur:fetch (row, "a")
  end
-  -- check against app passwds
+  -- check against app passwds for imap and smtp
-  -- removed on 22nd Oct 2021: AND IFNULL(JSON_UNQUOTE(JSON_VALUE(mailbox.attributes, '$.force_pw_update')), 0) != '1'
+  -- app passwords are only available for imap, smtp, sieve and pop3 when using sasl
-  local cur,errorString = con:execute(string.format([[SELECT app_passwd.id, app_passwd.password FROM app_passwd
+  if req.service == "smtp" or req.service == "imap" or req.service == "sieve" or req.service == "pop3" then
    local cur,errorString = con:execute(string.format([[SELECT app_passwd.id, app_passwd.imap_access, app_passwd.smtp_access, app_passwd.sieve_access, app_passwd.pop3_access, app_passwd.password FROM app_passwd
      INNER JOIN mailbox ON mailbox.username = app_passwd.mailbox
      WHERE mailbox = '%s'
-      AND IFNULL(JSON_UNQUOTE(JSON_VALUE(mailbox.attributes, '$.%s_access')), 1) = '1'
+        AND app_passwd.%s_access = '1'
        AND app_passwd.active = '1'
        AND mailbox.active = '1'
        AND app_passwd.domain IN (SELECT domain FROM domain WHERE domain='%s' AND active='1')]], con:escape(req.user), con:escape(req.service), con:escape(req.domain)))
@ -182,6 +183,7 @@ function auth_password_verify(req, pass)
      end
      row = cur:fetch (row, "a")
    end
  end
  return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Failed to authenticate"
--- a/data/web/autodiscover.php
+++ b/data/web/autodiscover.php
@ -68,7 +68,7 @@ if (empty($_SERVER['PHP_AUTH_USER']) || empty($_SERVER['PHP_AUTH_PW'])) {
  exit(0);
 }
-$login_role = check_login($login_user, $login_pass);
+$login_role = check_login($login_user, $login_pass, true);
 if ($login_role === "user") {
  header("Content-Type: application/xml");
--- a/data/web/inc/functions.app_passwd.inc.php
+++ b/data/web/inc/functions.app_passwd.inc.php
@ -27,6 +27,13 @@ function app_passwd($_action, $_data = null) {
      $password = $_data['app_passwd'];
      $password2 = $_data['app_passwd2'];
      $active = intval($_data['active']);
      $protocols = (array)$_data['protocols'];
      $imap_access = (in_array('imap_access', $protocols)) ? 1 : 0;
      $dav_access = (in_array('dav_access', $protocols)) ? 1 : 0;
      $smtp_access = (in_array('smtp_access', $protocols)) ? 1 : 0;
      $eas_access = (in_array('eas_access', $protocols)) ? 1 : 0;
      $pop3_access = (in_array('pop3_access', $protocols)) ? 1 : 0;
      $sieve_access = (in_array('sieve_access', $protocols)) ? 1 : 0;
      $domain = mailbox('get', 'mailbox_details', $username)['domain'];
      if (empty($domain)) {
        $_SESSION['return'][] = array(
@ -61,13 +68,19 @@ function app_passwd($_action, $_data = null) {
        );
        return false;
      }
-      $stmt = $pdo->prepare("INSERT INTO `app_passwd` (`name`, `mailbox`, `domain`, `password`, `active`)
+      $stmt = $pdo->prepare("INSERT INTO `app_passwd` (`name`, `mailbox`, `domain`, `password`, `imap_access`, `smtp_access`, `eas_access`, `dav_access`, `pop3_access`, `sieve_access`, `active`)
-        VALUES (:app_name, :mailbox, :domain, :password, :active)");
+        VALUES (:app_name, :mailbox, :domain, :password, :imap_access, :smtp_access, :eas_access, :dav_access, :pop3_access, :sieve_access, :active)");
      $stmt->execute(array(
        ':app_name' => $app_name,
        ':mailbox' => $username,
        ':domain' => $domain,
        ':password' => $password_hashed,
        ':imap_access' => $imap_access,
        ':smtp_access' => $smtp_access,
        ':eas_access' => $eas_access,
        ':dav_access' => $dav_access,
        ':pop3_access' => $pop3_access,
        ':sieve_access' => $sieve_access,
        ':active' => $active
      ));
      $_SESSION['return'][] = array(
@ -84,6 +97,23 @@ function app_passwd($_action, $_data = null) {
          $app_name = (!empty($_data['app_name'])) ? $_data['app_name'] : $is_now['name'];
          $password = (!empty($_data['password'])) ? $_data['password'] : null;
          $password2 = (!empty($_data['password2'])) ? $_data['password2'] : null;
          if (isset($_data['protocols'])) {
            $protocols = (array)$_data['protocols'];
            $imap_access = (in_array('imap_access', $protocols)) ? 1 : 0;
            $dav_access = (in_array('dav_access', $protocols)) ? 1 : 0;
            $smtp_access = (in_array('smtp_access', $protocols)) ? 1 : 0;
            $eas_access = (in_array('eas_access', $protocols)) ? 1 : 0;
            $pop3_access = (in_array('pop3_access', $protocols)) ? 1 : 0;
            $sieve_access = (in_array('sieve_access', $protocols)) ? 1 : 0;
          }
          else {
            $imap_access = $is_now['imap_access'];
            $smtp_access = $is_now['smtp_access'];
            $dav_access = $is_now['dav_access'];
            $eas_access = $is_now['eas_access'];
            $pop3_access = $is_now['pop3_access'];
            $sieve_access = $is_now['sieve_access'];
          }
          $active = (isset($_data['active'])) ? intval($_data['active']) : $is_now['active'];
        }
        else {
@ -122,14 +152,27 @@ function app_passwd($_action, $_data = null) {
            ':id' => $id
          ));
        }
        $stmt = $pdo->prepare("UPDATE `app_passwd` SET
          `name` = :app_name,
          `mailbox` = :username,
          `imap_access` = :imap_access,
          `smtp_access` = :smtp_access,
          `eas_access` = :eas_access,
          `dav_access` = :dav_access,
          `pop3_access` = :pop3_access,
          `sieve_access` = :sieve_access,
          `active` = :active
            WHERE `id` = :id");
        $stmt->execute(array(
          ':app_name' => $app_name,
          ':username' => $username,
          ':imap_access' => $imap_access,
          ':smtp_access' => $smtp_access,
          ':eas_access' => $eas_access,
          ':dav_access' => $dav_access,
          ':pop3_access' => $pop3_access,
          ':sieve_access' => $sieve_access,
          ':active' => $active,
          ':id' => $id
        ));
@ -180,13 +223,7 @@ function app_passwd($_action, $_data = null) {
    break;
    case 'details':
      $app_passwd_data = array();
-      $stmt = $pdo->prepare("SELECT `id`,
+      $stmt = $pdo->prepare("SELECT *
        `name`,
        `mailbox`,
        `domain`,
        `created`,
        `modified`,
        `active`
          FROM `app_passwd`
            WHERE `id` = :id");
      $stmt->execute(array(':id' => $_data));
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@ -807,10 +807,11 @@ function verify_hash($hash, $password) {
  }
  return false;
 }
-function check_login($user, $pass) {
+function check_login($user, $pass, $app_passwd_data = false) {
  global $pdo;
  global $redis;
  global $imap_server;
  if (!filter_var($user, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
    $_SESSION['return'][] =  array(
      'type' => 'danger',
@ -819,6 +820,8 @@ function check_login($user, $pass) {
    );
    return false;
  }
  // Validate admin
  $user = strtolower(trim($user));
  $stmt = $pdo->prepare("SELECT `password` FROM `admin`
      WHERE `superadmin` = '1'
@ -854,6 +857,8 @@ function check_login($user, $pass) {
      }
    }
  }
  // Validate domain admin
  $stmt = $pdo->prepare("SELECT `password` FROM `admin`
      WHERE `superadmin` = '0'
      AND `active`='1'
@ -888,6 +893,8 @@ function check_login($user, $pass) {
      }
    }
  }
  // Validate mailbox user
  $stmt = $pdo->prepare("SELECT `password` FROM `mailbox`
      INNER JOIN domain on mailbox.domain = domain.domain
      WHERE `kind` NOT REGEXP 'location|thing|group'
@ -896,6 +903,32 @@ function check_login($user, $pass) {
        AND `username` = :user");
  $stmt->execute(array(':user' => $user));
  $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
  if ($app_passwd_data['eas'] === true) {
    $stmt = $pdo->prepare("SELECT `app_passwd`.`password` as `password`, `app_passwd`.`id` as `app_passwd_id` FROM `app_passwd`
        INNER JOIN `mailbox` ON `mailbox`.`username` = `app_passwd`.`mailbox`
        INNER JOIN `domain` ON `mailbox`.`domain` = `domain`.`domain`
        WHERE `mailbox`.`kind` NOT REGEXP 'location|thing|group'
          AND `mailbox`.`active` = '1'
          AND `domain`.`active` = '1'
          AND `app_passwd`.`active` = '1'
          AND `app_passwd`.`eas_access` = '1'
          AND `app_passwd`.`mailbox` = :user");
    $stmt->execute(array(':user' => $user));
    $rows = array_merge($rows, $stmt->fetchAll(PDO::FETCH_ASSOC));
  }
  elseif ($app_passwd_data['dav'] === true) {
    $stmt = $pdo->prepare("SELECT `app_passwd`.`password` as `password`, `app_passwd`.`id` as `app_passwd_id` FROM `app_passwd`
        INNER JOIN `mailbox` ON `mailbox`.`username` = `app_passwd`.`mailbox`
        INNER JOIN `domain` ON `mailbox`.`domain` = `domain`.`domain`
        WHERE `mailbox`.`kind` NOT REGEXP 'location|thing|group'
          AND `mailbox`.`active` = '1'
          AND `domain`.`active` = '1'
          AND `app_passwd`.`active` = '1'
          AND `app_passwd`.`dav_access` = '1'
          AND `app_passwd`.`mailbox` = :user");
    $stmt->execute(array(':user' => $user));
    $rows = array_merge($rows, $stmt->fetchAll(PDO::FETCH_ASSOC));
  }
  foreach ($rows as $row) {
    if (verify_hash($row['password'], $pass) !== false) {
      unset($_SESSION['ldelay']);
@ -904,9 +937,20 @@ function check_login($user, $pass) {
        'log' => array(__FUNCTION__, $user, '*'),
        'msg' => array('logged_in_as', $user)
      );
      if ($app_passwd_data['eas'] === true || $app_passwd_data['dav'] === true) {
        $service = ($app_passwd_data['eas'] === true) ? 'EAS' : 'DAV';
        $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES (:service, :app_id, :username, :remote_addr)");
        $stmt->execute(array(
          ':service' => $service,
          ':app_id' => $row['app_passwd_id'],
          ':username' => $user,
          ':remote_addr' => $_SERVER['REMOTE_ADDR']
        ));
      }
      return "user";
    }
  }
  if (!isset($_SESSION['ldelay'])) {
    $_SESSION['ldelay'] = "0";
    $redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
@ -917,11 +961,13 @@ function check_login($user, $pass) {
    $redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
    error_log("mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
  }
  $_SESSION['return'][] =  array(
    'type' => 'danger',
    'log' => array(__FUNCTION__, $user, '*'),
    'msg' => 'login_failed'
  );
  sleep($_SESSION['ldelay']);
  return false;
 }
--- a/data/web/inc/header.inc.php
+++ b/data/web/inc/header.inc.php
@ -44,6 +44,7 @@ $globalVariables = [
  'available_languages' => $AVAILABLE_LANGUAGES,
  'lang' => $lang,
  'skip_sogo' => (getenv('SKIP_SOGO') == 'y'),
  'allow_admin_email_login' => (getenv('ALLOW_ADMIN_EMAIL_LOGIN') == 'n'),
  'mailcow_apps' => $MAILCOW_APPS,
  'app_links' => customize('get', 'app_links'),
  'is_root_uri' => (parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) == '/'),
--- a/data/web/inc/init_db.inc.php
+++ b/data/web/inc/init_db.inc.php
@ -3,7 +3,7 @@ function init_db_schema() {
  try {
    global $pdo;
-    $db_version = "23082021_2224";
+    $db_version = "29102021_0620";
    $stmt = $pdo->query("SHOW TABLES LIKE 'versions'");
    $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
@ -364,6 +364,12 @@ function init_db_schema() {
          "password" => "VARCHAR(255) NOT NULL",
          "created" => "DATETIME(0) NOT NULL DEFAULT NOW(0)",
          "modified" => "DATETIME ON UPDATE CURRENT_TIMESTAMP",
          "imap_access" => "TINYINT(1) NOT NULL DEFAULT '1'",
          "smtp_access" => "TINYINT(1) NOT NULL DEFAULT '1'",
          "dav_access" => "TINYINT(1) NOT NULL DEFAULT '1'",
          "eas_access" => "TINYINT(1) NOT NULL DEFAULT '1'",
          "pop3_access" => "TINYINT(1) NOT NULL DEFAULT '1'",
          "sieve_access" => "TINYINT(1) NOT NULL DEFAULT '1'",
          "active" => "TINYINT(1) NOT NULL DEFAULT '1'"
        ),
        "keys" => array(
--- a/data/web/js/site/debug.js
+++ b/data/web/js/site/debug.js
@ -707,9 +707,7 @@ jQuery(function($){
      $.each(data, function (i, item) {
        if (item === null) { return true; }
        item.username = escapeHtml(item.username);
-        if (item.service == "smtp") { item.service = '<div class="label label-default">' + item.service.toUpperCase() + '<i class="bi bi-chevron-compact-right"></i></div>'; }
+        item.service = '<div class="label label-default">' + item.service.toUpperCase() + '</div>';
        else if (item.service == "imap") { item.service = '<div class="label label-default"><i class="bi bi-chevron-compact-left"></i> ' + item.service.toUpperCase() + '</div>'; }
        else { item.service = '<div class="label label-default">' + item.service.toUpperCase() + '</div>'; }
    });
    } else if (table == 'general_syslog') {
      $.each(data, function (i, item) {
--- a/data/web/js/site/user.js
+++ b/data/web/js/site/user.js
@ -101,8 +101,8 @@ jQuery(function($){
            $.each(data.sasl, function (i, item) {
              var datetime = new Date(item.datetime.replace(/-/g, "/"));
              var local_datetime = datetime.toLocaleDateString(undefined, {year: "numeric", month: "2-digit", day: "2-digit", hour: "2-digit", minute: "2-digit", second: "2-digit"});
-              item.app_password ? app_password = ' <a href="/edit/app-passwd/' + item.app_password + '">(App)</a>' : app_password = "", item.location ? ip_location = ' <span class="flag-icon flag-icon-' + item.location.toLowerCase() + '"></span>' : ip_location = "";
+              item.app_password ? app_password = ' <a href="/edit/app-passwd/' + item.app_password + '"><i class="bi bi-pen"></i> App</a>' : app_password = "", item.location ? ip_location = ' <span class="flag-icon flag-icon-' + item.location.toLowerCase() + '"></span>' : ip_location = "";
-              "smtp" == item.service ? service = '<div class="label label-default">' + item.service.toUpperCase() + '<i class="bi bi-chevron-compact-right"></i></div>' : "imap" == item.service ? service = '<div class="label label-default"><i class="bi bi-chevron-compact-left"></i> ' + item.service.toUpperCase() + "</div>" : service = '<div class="label label-default">' + item.service.toUpperCase() + "</div>";
+              service = '<div class="label label-default">' + item.service.toUpperCase() + '</div>';
              item.real_rip.startsWith("Web") ? real_rip = item.real_rip : real_rip = '<a href="https://bgp.he.net/ip/' + item.real_rip + '" target="_blank">' + item.real_rip + "</a>";
              ip_data = real_rip + ip_location + app_password;
              $(".last-login").append('<li class="list-group-item">' + local_datetime + " " + service + " " + lang.from + " " + ip_data + "</li>");
@ -258,6 +258,7 @@ jQuery(function($){
        {"name":"chkbox","title":"","style":{"maxWidth":"60px","width":"60px","text-align":"center"},"filterable": false,"sortable": false,"type":"html"},
        {"sorted": true,"name":"id","title":"ID","style":{"maxWidth":"60px","width":"60px","text-align":"center"}},
        {"name":"name","title":lang.app_name},
        {"name":"protocols","title":lang.allowed_protocols},
        {"name":"active","filterable": false,"style":{"maxWidth":"70px","width":"70px"},"title":lang.active,"formatter": function(value){return 1==value?'<i class="bi bi-check-lg"></i>':0==value&&'<i class="bi bi-x-lg"></i>';}},
        {"name":"action","filterable": false,"sortable": false,"style":{"text-align":"right","min-width":"220px","width":"220px"},"type":"html","title":lang.action,"breakpoints":"xs sm"}
      ],
@ -271,7 +272,15 @@ jQuery(function($){
        },
        success: function (data) {
          $.each(data, function (i, item) {
-            item.name = escapeHtml(item.name);
+            item.name = escapeHtml(item.name)
            item.protocols = []
            if (item.imap_access == 1) { item.protocols.push("<code>IMAP</code>"); }
            if (item.smtp_access == 1) { item.protocols.push("<code>SMTP</code>"); }
            if (item.eas_access == 1) { item.protocols.push("<code>EAS/ActiveSync</code>"); }
            if (item.dav_access == 1) { item.protocols.push("<code>DAV</code>"); }
            if (item.pop3_access == 1) { item.protocols.push("<code>POP3</code>"); }
            if (item.sieve_access == 1) { item.protocols.push("<code>Sieve</code>"); }
            item.protocols = item.protocols.join(" ")
            if (acl_data.app_passwds === 1) {
              item.action = '<div class="btn-group footable-actions">' +
                '<a href="/edit/app-passwd/' + item.id + '" class="btn btn-xs btn-xs-half btn-default"><i class="bi bi-pencil-fill"></i> ' + lang.edit + '</a>' +
--- a/data/web/lang/lang.cs.json
+++ b/data/web/lang/lang.cs.json
@ -1015,7 +1015,7 @@
        "alias_valid_until": "Platný do",
        "aliases_also_send_as": "Smí odesílat také jako uživatel",
        "aliases_send_as_all": "Nekontrolovat přístup odesílatele pro následující doménu(y) a jejich aliasy domény:",
-        "app_hint": "Hesla aplikací jsou alternativní heslo pro přihlášení k <b>IMAP a SMTP</b>. Uživatelské jméno zůstává stejné.<br>SOGo (včetně ActiveSync) však nelze s heslem aplikace použít.",
+        "app_hint": "Hesla aplikací jsou alternativní heslo pro přihlášení k IMAP, SMTP, CalDAV, CardDAV a EAS. Uživatelské jméno zůstává stejné.<br>SOGo však nelze s heslem aplikace použít.",
        "app_name": "Název aplikace",
        "app_passwds": "Hesla aplikací",
        "apple_connection_profile": "Profil připojení Apple",
--- a/data/web/lang/lang.da.json
+++ b/data/web/lang/lang.da.json
@ -944,7 +944,7 @@
        "alias_valid_until": "Gyldig indtil",
        "aliases_also_send_as": "Også tilladt at sende som bruger",
        "aliases_send_as_all": "Do not check sender access for the following domain(s) and its alias domains",
-        "app_hint": "App adgangskoder er alternative adgangskoder til din <b>IMAP og SMTP</b> login. Brugernavnet forbliver uændret.<br>SOGo (inklusive AktivSync) er ikke tilgængelig via app-adgangskoder.",
+        "app_hint": "App adgangskoder er alternative adgangskoder til din IMAP, SMTP, CalDAV, CardDAV og EAS login. Brugernavnet forbliver uændret.<br>SOGo er ikke tilgængelig via app-adgangskoder.",
        "app_name": "App navn",
        "app_passwds": "App kodeord",
        "apple_connection_profile": "Apple forbindelses profil",
--- a/data/web/lang/lang.de.json
+++ b/data/web/lang/lang.de.json
@ -42,6 +42,7 @@
        "alias_domain_info": "<small>Nur gültige Domains. Getrennt durch Komma.</small>",
        "app_name": "App-Name",
        "app_password": "App-Passwort hinzufügen",
        "app_passwd_protocols": "Zugelassene Protokolle für App-Passwort",
        "automap": "Ordner automatisch mappen (\"Sent items\", \"Sent\" => \"Sent\" etc.)",
        "backup_mx_options": "Relay-Optionen",
        "bcc_dest_format": "BCC-Ziel muss eine gültige E-Mail-Adresse sein.",
@ -508,6 +509,7 @@
        "allowed_protocols": "Erlaubte Protokolle",
        "app_name": "App-Name",
        "app_passwd": "App-Passwörter",
        "app_passwd_protocols": "Zugelassene Protokolle für App-Passwort",
        "automap": "Ordner automatisch mappen (\"Sent items\", \"Sent\" => \"Sent\" etc.)",
        "backup_mx_options": "Relay-Optionen",
        "bcc_dest_format": "BCC-Ziel muss eine gültige E-Mail-Adresse sein.",
@ -991,7 +993,8 @@
        "alias_valid_until": "Gültig bis",
        "aliases_also_send_as": "Darf außerdem versenden als Benutzer",
        "aliases_send_as_all": "Absender für folgende Domains und zugehörige Alias-Domains nicht prüfen",
-        "app_hint": "App-Passwörter sind alternative Passwörter für den <b>IMAP- und SMTP</b>-Login am Mailserver. Der Benutzername bleibt unverändert.<br>SOGo (und damit ActiveSync) ist mit diesem Kennwort nicht verwendbar.",
+        "app_hint": "App-Passwörter sind alternative Passwörter für den IMAP-, SMTP-, CalDAV-, CardDAV- und EAS-Login am Mailserver. Der Benutzername bleibt unverändert.<br>SOGo Webmail ist mit diesem Kennwort nicht verwendbar.",
        "allowed_protocols": "Erlaubte Protokolle",
        "app_name": "App-Name",
        "app_passwds": "App-Passwörter",
        "apple_connection_profile": "Apple-Verbindungsprofil",
--- a/data/web/lang/lang.en.json
+++ b/data/web/lang/lang.en.json
@ -42,6 +42,7 @@
        "alias_domain_info": "<small>Valid domain names only (comma-separated).</small>",
        "app_name": "App name",
        "app_password": "Add app password",
        "app_passwd_protocols": "Allowed protocols for app password",
        "automap": "Try to automap folders (\"Sent items\", \"Sent\" => \"Sent\" etc.)",
        "backup_mx_options": "Relay options",
        "bcc_dest_format": "BCC destination must be a single valid email address.<br>If you need to send a copy to multiple addresses, create an alias and use it here.",
@ -514,6 +515,7 @@
        "allowed_protocols": "Allowed protocols",
        "app_name": "App name",
        "app_passwd": "App password",
        "app_passwd_protocols": "Allowed protocols for app password",
        "automap": "Try to automap folders (\"Sent items\", \"Sent\" => \"Sent\" etc.)",
        "backup_mx_options": "Relay options",
        "bcc_dest_format": "BCC destination must be a single valid email address.<br>If you need to send a copy to multiple addresses, create an alias and use it here.",
@ -1033,7 +1035,8 @@
        "alias_valid_until": "Valid until",
        "aliases_also_send_as": "Also allowed to send as user",
        "aliases_send_as_all": "Do not check sender access for the following domain(s) and its alias domains",
-        "app_hint": "App passwords are alternative passwords for your <b>IMAP and SMTP</b> login. The username remains unchanged.<br>SOGo (including ActiveSync) is not available through app passwords.",
+        "app_hint": "App passwords are alternative passwords for your IMAP, SMTP, CalDAV, CardDAV and EAS login. The username remains unchanged. SOGo webmail is not available through app passwords.",
        "allowed_protocols": "Allowed protocols",
        "app_name": "App name",
        "app_passwds": "App passwords",
        "apple_connection_profile": "Apple connection profile",
--- a/data/web/lang/lang.fr.json
+++ b/data/web/lang/lang.fr.json
@ -953,7 +953,7 @@
 		"alias_valid_until": "Valide jusque",
 		"aliases_also_send_as": "Aussi autorisé à envoyer en tant qu’utilisateur",
 		"aliases_send_as_all": "Ne pas vérifier l’accès de l’expéditeur pour les domaines suivants et leurs alias",
-		"app_hint": "Les mots de passe d’application sont des mots de passe alternatifs pour votre connexion <b>IMAP et SMTP</b>. Le nom d’utilisateur reste inchangé.<br>SOGo (incluant ActiveSync) n'est pas disponible au travers de mots de passe.",
+		"app_hint": "Les mots de passe d’application sont des mots de passe alternatifs pour votre connexion IMAP, SMTP, Caldav, Carddav et EAS. Le nom d’utilisateur reste inchangé.<br>SOGo n'est pas disponible au travers de mots de passe.",
 		"app_name": "Nom d'application",
 		"app_passwds": "Mots de passe de l'application",
 		"apple_connection_profile": "Profil de connexion Apple",
--- a/data/web/lang/lang.it.json
+++ b/data/web/lang/lang.it.json
@ -999,7 +999,7 @@
        "alias_valid_until": "Valido fino a",
        "aliases_also_send_as": "Può inviare come utente",
        "aliases_send_as_all": "Do not check sender access for the following domain(s) and its alias domains",
-        "app_hint": "App passwords are alternative passwords for your <b>IMAP and SMTP</b> login. The username remains unchanged.<br>SOGo (including ActiveSync) is not available through app passwords.",
+        "app_hint": "App passwords are alternative passwords for your IMAP, SMTP, CalDAV, CardDAV and EAS login. The username remains unchanged. SOGo webmail is not available through app passwords.",
        "app_name": "App name",
        "app_passwds": "App passwords",
        "apple_connection_profile": "Profilo di connessione Apple",
--- a/data/web/lang/lang.nl.json
+++ b/data/web/lang/lang.nl.json
@ -968,7 +968,7 @@
        "alias_valid_until": "Geldig tot",
        "aliases_also_send_as": "Toegestaan om te verzenden als",
        "aliases_send_as_all": "Controleer verzendtoegang voor de volgende domeinen, inclusief aliassen, niet",
-        "app_hint": "Appwachtwoorden zijn alternatieve wachtwoorden voor <b>IMAP en SMTP</b>. De gebruikersnaam blijft ongewijzigd.<br>SOGo (inclusief ActiveSync) is niet toegankelijk met een appwachtwoord.",
+        "app_hint": "Appwachtwoorden zijn alternatieve wachtwoorden voor IMAP, SMTP, CalDAV, CardDAV en EAS. De gebruikersnaam blijft ongewijzigd.<br>SOGo is niet toegankelijk met een appwachtwoord.",
        "app_name": "Naam van app",
        "app_passwds": "Appwachtwoorden",
        "apple_connection_profile": "Apple-verbindingsprofiel",
--- a/data/web/lang/lang.ro.json
+++ b/data/web/lang/lang.ro.json
@ -1003,7 +1003,7 @@
        "alias_valid_until": "Valabil până la",
        "aliases_also_send_as": "De asemenea, este permis să trimită ca utilizator",
        "aliases_send_as_all": "Nu se verifică accesul expeditorului pentru următorul(arele) domeniu(i) și domeniile sale alias",
-        "app_hint": "Parolele aplicației sunt parole alternative pentru autentificarea <b>IMAP și SMTP</b>. Numele de utilizator rămâne neschimbat.<br>SOGo (inclusiv ActiveSync) nu este disponibil prin parolele aplicației.",
+        "app_hint": "Parolele aplicației sunt parole alternative pentru autentificarea IMAP, SMTP, CalDAV, CardDAV și EAS. Numele de utilizator rămâne neschimbat.<br>SOGo nu este disponibil prin parolele aplicației.",
        "app_name": "Nume aplicație",
        "app_passwds": "Parole aplicație",
        "apple_connection_profile": "Profil de conexiune Apple",
--- a/data/web/lang/lang.ru.json
+++ b/data/web/lang/lang.ru.json
@ -1034,7 +1034,7 @@
        "alias_valid_until": "Действителен до",
        "aliases_also_send_as": "Разрешено отправлять письма от имени",
        "aliases_send_as_all": "Разрешено отправлять письма от любого имени для домена и его псевдонимов",
-        "app_hint": "Пароли приложений - это альтернативные пароли для авторизации в <b>IMAP и SMTP</b>. При этом имя пользователя остается неизменным. <br>SOGo (включая ActiveSync) недоступен через пароли приложений.",
+        "app_hint": "Пароли приложений - это альтернативные пароли для авторизации в IMAP, SMTP, CalDAV, CardDAV и EAS. При этом имя пользователя остается неизменным. <br>SOGo недоступен через пароли приложений.",
        "app_name": "Название приложения",
        "app_passwds": "Пароли приложений",
        "apple_connection_profile": "Профиль подключения Apple",
--- a/data/web/lang/lang.sk.json
+++ b/data/web/lang/lang.sk.json
@ -1034,7 +1034,7 @@
        "alias_valid_until": "Platné do",
        "aliases_also_send_as": "Môže odosielať ako používateľ",
        "aliases_send_as_all": "Nekontrolovať prístup odosielateľa pre nasledujúcu doménu/y a jej alias domény",
-        "app_hint": "Heslá aplikácií sú alternatívne heslá pre vaše <b>IMAP a SMTP</b> prihlásenie. Používateľské meno zostáva nezmenené.<br>SOGo (zahŕňajúc ActiveSync) nie je momentálne podporovaný.",
+        "app_hint": "Heslá aplikácií sú alternatívne heslá pre vaše IMAP, SMTP, CalDAV, CardDAV a EAS prihlásenie. Používateľské meno zostáva nezmenené.<br>SOGo nie je momentálne podporovaný.",
        "app_name": "Meno aplikácie",
        "app_passwds": "Heslá aplikácií",
        "apple_connection_profile": "Apple konfiguračný profil",
--- a/data/web/lang/lang.sv.json
+++ b/data/web/lang/lang.sv.json
@ -986,7 +986,7 @@
        "alias_valid_until": "Giltig till",
        "aliases_also_send_as": "Som också har tillåtelse att skicka som användare",
        "aliases_send_as_all": "Kontrollera inte avsändaråtkomsten för följande domän/domäner och aliasdomäner",
-        "app_hint": "Applikationslösenord är ett alternativt lösenord för <b>IMAP och SMTP</b> inloggning på e-postservern. Användarnamnet förblir oförändrat.<br>SOGo (och därmed ActiveSync) kan inte användas med det här lösenordet.",
+        "app_hint": "Applikationslösenord är ett alternativt lösenord för IMAP, SMTP, CalDAV, CardDAV och EAS inloggning på e-postservern. Användarnamnet förblir oförändrat.<br>SOGo kan inte användas med det här lösenordet.",
        "app_name": "Applikationsnamn",
        "app_passwds": "Applikationslösenord",
        "apple_connection_profile": "Apple-anslutningsprofil",
--- a/data/web/sogo-auth.php
+++ b/data/web/sogo-auth.php
@ -14,7 +14,16 @@ if (isset($_SERVER['PHP_AUTH_USER'])) {
  require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
  $username = $_SERVER['PHP_AUTH_USER'];
  $password = $_SERVER['PHP_AUTH_PW'];
-  $login_check = check_login($username, $password);
+  $is_eas = false;
  $is_dav = false;
  $original_uri = isset($_SERVER['HTTP_X_ORIGINAL_URI']) ? $_SERVER['HTTP_X_ORIGINAL_URI'] : '';
  if (preg_match('/^(\/SOGo|)\/dav.*/', $original_uri) === 1) {
    $is_dav = true;
  }
  elseif (preg_match('/^(\/SOGo|)\/Microsoft-Server-ActiveSync.*/', $original_uri) === 1) {
    $is_eas = true;
  }
  $login_check = check_login($username, $password, array('dav' => $is_dav, 'eas' => $is_eas));
  if ($login_check === 'user') {
    header("X-User: $username");
    header("X-Auth: Basic ".base64_encode("$username:$password"));
@ -43,6 +52,13 @@ elseif (isset($_GET['login'])) {
        // register username and password in session
        $_SESSION[$session_var_user_allowed][] = $login;
        $_SESSION[$session_var_pass] = $sogo_sso_pass;
        // update sasl logs
        $service = ($app_passwd_data['eas'] === true) ? 'EAS' : 'DAV';
        $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES ('SSO', 0, :username, :remote_addr)");
        $stmt->execute(array(
          ':username' => $login,
          ':remote_addr' => $_SERVER['REMOTE_ADDR']
        ));
        // redirect to sogo (sogo will get the correct credentials via nginx auth_request
        header("Location: /SOGo/so/${login}");
        exit;
@ -54,9 +70,7 @@ elseif (isset($_GET['login'])) {
  exit;
 }
 // only check for admin-login on sogo GUI requests
-elseif (
+elseif (isset($_SERVER['HTTP_X_ORIGINAL_URI']) && strcasecmp(substr($_SERVER['HTTP_X_ORIGINAL_URI'], 0, 9), "/SOGo/so/") === 0) {
  strcasecmp(substr($_SERVER['HTTP_X_ORIGINAL_URI'], 0, 9), "/SOGo/so/") === 0
 ) {
  // this is an nginx auth_request call, we check for existing sogo-sso session variables
  session_start();
  // extract email address from "/SOGo/so/user@domain/xy"
--- a/data/web/templates/base.twig
+++ b/data/web/templates/base.twig
@ -172,7 +172,7 @@ function recursiveBase64StrToArrayBuffer(obj) {
    // TFA, CSRF, Alerts in footer.inc.php
    // Other general functions in mailcow.js
    {% for alert_type, alert_msg in alerts %}
-    mailcow_alert_box('{{ alert_msg|raw }}', '{{ alert_type }}');
+    mailcow_alert_box('{{ alert_msg|raw|replace({"\n": "", "\r": "", "\t": "<br>"}) }}', '{{ alert_type }}');
    {% endfor %}
    // Confirm TFA modal
--- a/data/web/templates/edit/app-passwd.twig
+++ b/data/web/templates/edit/app-passwd.twig
@ -5,6 +5,7 @@
 <h4>{{ lang.edit.app_passwd }}</h4>
 <form class="form-horizontal" data-pwgen-length="32" data-id="editapp" role="form" method="post">
  <input type="hidden" value="0" name="active">
  <input type="hidden" value="0" name="protocols">
  <div class="form-group">
    <label class="control-label col-sm-2" for="app_name">{{ lang.edit.app_name }}</label>
    <div class="col-sm-10">
@ -30,6 +31,19 @@
      </div>
    </div>
  </div>
  <div class="form-group">
    <label class="control-label col-sm-2" for="protocols">{{ lang.edit.app_passwd_protocols }}</label>
    <div class="col-sm-10">
      <select class="full-width-select" data-live-search="true" id="protocols" name="protocols" multiple>
        <option value="imap_access" {% if result.imap_access == 1 %} selected{% endif %}>IMAP</option>
        <option value="smtp_access" {% if result.smtp_access == 1 %} selected{% endif %}>SMTP</option>
        <option value="eas_access" {% if result.eas_access == 1 %} selected{% endif %}>EAS/ActiveSync</option>
        <option value="dav_access" {% if result.dav_access == 1 %} selected{% endif %}>CardDAV/CalDAV</option>
        <option value="pop3_access" {% if result.pop3_access == 1 %} selected{% endif %}>POP3</option>
        <option value="sieve_access" {% if result.sieve_access == 1 %} selected{% endif %}>Sieve</option>
      </select>
    </div>
  </div>
  <div class="form-group">
    <div class="col-sm-offset-2 col-sm-10">
      <button class="btn btn-xs-lg visible-xs-block visible-sm-inline visible-md-inline visible-lg-inline btn-success" data-action="edit_selected" data-id="editapp" data-item="{{ result.id }}" data-api-url='edit/app-passwd' data-api-attr='{}' href="#">{{ lang.edit.save }}</button>
--- a/data/web/templates/modals/user.twig
+++ b/data/web/templates/modals/user.twig
@ -213,6 +213,19 @@
              <p class="help-block">{{ lang.user.new_password_description }}</p>
            </div>
          </div>
          <div class="form-group">
            <label class="control-label col-sm-2" for="protocols">{{ lang.add.app_passwd_protocols }}</label>
            <div class="col-sm-10">
              <select class="full-width-select" data-live-search="true" id="protocols" name="protocols" multiple>
                <option value="imap_access" selected>IMAP</option>
                <option value="smtp_access" selected>SMTP</option>
                <option value="eas_access" selected>EAS/ActiveSync</option>
                <option value="dav_access" selected>CardDAV/CalDAV</option>
                <option value="pop3_access" selected>POP3</option>
                <option value="sieve_access" selected>Sieve</option>
              </select>
            </div>
          </div>
          <div class="form-group">
            <div class="col-sm-offset-2 col-sm-10">
              <div class="checkbox">
--- a/data/web/templates/user/tab-user-auth.twig
+++ b/data/web/templates/user/tab-user-auth.twig
@ -6,9 +6,15 @@
      <div class="row">
        <div class="hidden-xs col-md-3 col-xs-5 text-right"></div>
        <div class="col-md-3 col-xs-12">
          {% if dual_login and allow_admin_email_login == 'n' %}
            <button disabled class="btn btn-default btn-block btn-xs-lg">
              <i class="bi bi-inbox-fill"></i> {{ lang.user.open_webmail_sso }}
            </button>
          {% else %}
            <a target="_blank" href="/sogo-auth.php?login={{ mailcow_cc_username }}" role="button" class="btn btn-default btn-block btn-xs-lg">
              <i class="bi bi-inbox-fill"></i> {{ lang.user.open_webmail_sso }}
            </a>
          {% endif %}
        </div>
      </div>
      <hr>
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -164,7 +164,7 @@ services:
            - phpfpm
    sogo-mailcow:
-      image: mailcow/sogo:1.101
+      image: mailcow/sogo:1.102
      environment:
        - DBNAME=${DBNAME}
        - DBUSER=${DBUSER}
@ -211,7 +211,7 @@ services:
            - sogo
    dovecot-mailcow:
-      image: mailcow/dovecot:1.157
+      image: mailcow/dovecot:1.158
      depends_on:
        - mysql-mailcow
      dns: