From 4feceb08da75ef70321f8664c94a9c07ed4c13d5 Mon Sep 17 00:00:00 2001
From: Shea Ramage
Date: Wed, 10 Mar 2021 15:06:32 -0500
Subject: [PATCH 1/2] Refactor support for pre-hashed passwords (#4024)
---
 data/web/inc/functions.inc.php | 40 +++++++++++++++-----------
 data/web/inc/functions.mailbox.inc.php | 8 +-----
 2 files changed, 24 insertions(+), 24 deletions(-)
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index db2b3dfd..0269c9fc 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -88,23 +88,29 @@ function hash_password($password) {
 // in case default pass scheme is not defined, falling back to BLF-CRYPT.
 global $default_pass_scheme;
 $pw_hash = NULL;
- switch (strtoupper($default_pass_scheme)) {
- case "SSHA":
- $salt_str = bin2hex(openssl_random_pseudo_bytes(8));
- $pw_hash = "{SSHA}".base64_encode(hash('sha1', $password . $salt_str, true) . $salt_str);
- break;
- case "SSHA256":
- $salt_str = bin2hex(openssl_random_pseudo_bytes(8));
- $pw_hash = "{SSHA256}".base64_encode(hash('sha256', $password . $salt_str, true) . $salt_str);
- break;
- case "SSHA512":
- $salt_str = bin2hex(openssl_random_pseudo_bytes(8));
- $pw_hash = "{SSHA512}".base64_encode(hash('sha512', $password . $salt_str, true) . $salt_str);
- break;
- case "BLF-CRYPT":
- default:
- $pw_hash = "{BLF-CRYPT}" . password_hash($password, PASSWORD_BCRYPT);
- break;
+ // support pre-hashed passwords
+ if (preg_match('/^{(ARGON2I|ARGON2ID|BLF-CRYPT|CLEAR|CLEARTEXT|CRYPT|DES-CRYPT|LDAP-MD5|MD5|MD5-CRYPT|PBKDF2|PLAIN|PLAIN-MD4|PLAIN-MD5|PLAIN-TRUNC|PLAIN-TRUNC|SHA|SHA1|SHA256|SHA256-CRYPT|SHA512|SHA512-CRYPT|SMD5|SSHA|SSHA256|SSHA512)}/i', $password)) {
+ $pw_hash = $password;
+ }
+ else {
+ switch (strtoupper($default_pass_scheme)) {
+ case "SSHA":
+ $salt_str = bin2hex(openssl_random_pseudo_bytes(8));
+ $pw_hash = "{SSHA}".base64_encode(hash('sha1', $password . $salt_str, true) . $salt_str);
+ break;
+ case "SSHA256":
+ $salt_str = bin2hex(openssl_random_pseudo_bytes(8));
+ $pw_hash = "{SSHA256}".base64_encode(hash('sha256', $password . $salt_str, true) . $salt_str);
+ break;
+ case "SSHA512":
+ $salt_str = bin2hex(openssl_random_pseudo_bytes(8));
+ $pw_hash = "{SSHA512}".base64_encode(hash('sha512', $password . $salt_str, true) . $salt_str);
+ break;
+ case "BLF-CRYPT":
+ default:
+ $pw_hash = "{BLF-CRYPT}" . password_hash($password, PASSWORD_BCRYPT);
+ break;
+ }
 }
 return $pw_hash;
 }
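Review bot: With the pre-hashed passthrough moved into `hash_password()`, the caller's input now chooses the storage scheme: any value that merely starts with a listed tag is stored verbatim, and the list includes `{PLAIN}`, `{CLEAR}`, `{CLEARTEXT}`, `{PLAIN-MD4}` and the unsalted `{MD5}`/`{SHA}` forms. The pattern is anchored only at the start and never checks what follows the tag, so a malformed or empty hash body is accepted as well. If `hash_password()` is reached from self-service or API password changes (its callers are outside this patch, apart from the `mailbox()` hunk in functions.mailbox.inc.php), this sidesteps `$default_pass_scheme` and any policy check that expects a plaintext password. Consider making the passthrough opt-in, e.g. `function hash_password($password, $allow_prehashed = false)` guarded by `if ($allow_prehashed && preg_match(...))`, and dropping the cleartext and unsalted schemes from the alternation. `PLAIN-TRUNC` is also listed twice.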
diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index 8e0c6e7c..e22abdd2 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -1062,13 +1062,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
 );
 return false;
 }
- // support pre hashed passwords
- if (preg_match('/^{(ARGON2I|ARGON2ID|BLF-CRYPT|CLEAR|CLEARTEXT|CRYPT|DES-CRYPT|LDAP-MD5|MD5|MD5-CRYPT|PBKDF2|PLAIN|PLAIN-MD4|PLAIN-MD5|PLAIN-TRUNC|PLAIN-TRUNC|SHA|SHA1|SHA256|SHA256-CRYPT|SHA512|SHA512-CRYPT|SMD5|SSHA|SSHA256|SSHA512)}/i', $password)) {
- $password_hashed = $password;
- }
- else {
- $password_hashed = hash_password($password);
- }
+ $password_hashed = hash_password($password);
 }
 else {
 $_SESSION['return'][] = array(
From 3255c08813b2ce6c30b03898d45b522ad8f75622 Mon Sep 17 00:00:00 2001
From: Valentin Brandner <63976048+the-voidl@users.noreply.github.com>
Date: Sat, 13 Mar 2021 12:36:29 +0100
Subject: [PATCH 2/2] [Update, Config] Add subject for watchdog emails (#4027)
Co-authored-by: Valentin
---
 data/Dockerfiles/watchdog/watchdog.sh | 2 +-
 docker-compose.yml | 1 +
 generate_config.sh | 3 +++
 update.sh | 7 +++++++
 4 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/data/Dockerfiles/watchdog/watchdog.sh b/data/Dockerfiles/watchdog/watchdog.sh
index 177a5304..c4b22506 100755
--- a/data/Dockerfiles/watchdog/watchdog.sh
+++ b/data/Dockerfiles/watchdog/watchdog.sh
@@ -109,7 +109,7 @@ function mail_error() {
 SUBJECT="${BODY}"
 BODY="Please see netfilter-mailcow for more details and triggered rules."
 else
- SUBJECT="Watchdog ALERT: ${1}"
+ SUBJECT="${WATCHDOG_SUBJECT}: ${1}"
 fi
 IFS=',' read -r -a MAIL_RCPTS <<< "${WATCHDOG_NOTIFY_EMAIL}"
 for rcpt in "${MAIL_RCPTS[@]}"; do
diff --git a/docker-compose.yml b/docker-compose.yml
index 0d027d3d..dc69c57c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
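Review bot: In watchdog.sh, `SUBJECT="${WATCHDOG_SUBJECT}: ${1}"` in mail_error() has no fallback, so a watchdog container started without the new variable (for example from a docker-compose.yml that predates this patch) would send alerts whose subject begins with a bare `: `. Defaulting in the script as well keeps the previous behaviour: `SUBJECT="${WATCHDOG_SUBJECT:-Watchdog ALERT}: ${1}"`. The branch above it still sets `SUBJECT="${BODY}"`, so the new option does not apply to those mails, and the config comment could say so. mail_error() starts and ends outside the hunk.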
@@ -437,6 +437,7 @@ services: - USE_WATCHDOG=${USE_WATCHDOG:-n} - WATCHDOG_NOTIFY_EMAIL=${WATCHDOG_NOTIFY_EMAIL} - WATCHDOG_NOTIFY_BAN=${WATCHDOG_NOTIFY_BAN:-y} + - WATCHDOG_SUBJECT=${WATCHDOG_SUBJECT:-Watchdog ALERT} - WATCHDOG_EXTERNAL_CHECKS=${WATCHDOG_EXTERNAL_CHECKS:-n} - WATCHDOG_MYSQL_REPLICATION_CHECKS=${WATCHDOG_MYSQL_REPLICATION_CHECKS:-n} - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME} diff --git a/generate_config.sh b/generate_config.sh index 978a32fa..61a90aa0 100755 --- a/generate_config.sh +++ b/generate_config.sh @@ -279,6 +279,9 @@ USE_WATCHDOG=y # Notify about banned IP (includes whois lookup) WATCHDOG_NOTIFY_BAN=n +# Subject for watchdog mails. Defaults to "Watchdog ALERT" followed by the error message. +#WATCHDOG_SUBJECT= + # Checks if mailcow is an open relay. Requires a SAL. More checks will follow. # https://www.servercow.de/mailcow?lang=en # https://www.servercow.de/mailcow?lang=de diff --git a/update.sh b/update.sh index 138e01f3..d5114c9f 100755 --- a/update.sh +++ b/update.sh @@ -191,6 +191,7 @@ CONFIG_ARRAY=( "WATCHDOG_NOTIFY_EMAIL" "WATCHDOG_NOTIFY_BAN" "WATCHDOG_EXTERNAL_CHECKS" + "WATCHDOG_SUBJECT" "SKIP_CLAMD" "SKIP_IP_CHECK" "ADDITIONAL_SAN" @@ -361,6 +362,12 @@ for option in ${CONFIG_ARRAY[@]}; do echo '# Notify about banned IP. Includes whois lookup.' >> mailcow.conf echo "WATCHDOG_NOTIFY_BAN=y" >> mailcow.conf fi + elif [[ ${option} == "WATCHDOG_SUBJECT" ]]; then + if ! grep -q ${option} mailcow.conf; then + echo "Adding new option \"${option}\" to mailcow.conf" + echo '# Subject for watchdog mails. Defaults to "Watchdog ALERT" followed by the error message.' >> mailcow.conf + echo "#WATCHDOG_SUBJECT=" >> mailcow.conf + fi elif [[ ${option} == "WATCHDOG_EXTERNAL_CHECKS" ]]; then if ! grep -q ${option} mailcow.conf; then echo "Adding new option \"${option}\" to mailcow.conf"