From 2ac5294d550021d9c24690ba3ba1547cf458576d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=BCrgen=20Kellerer?= Date: Sun, 24 Oct 2021 13:12:34 +0200 Subject: [PATCH 1/3] Supporting app-passwds in cal/carddav & ActiveSync --- data/web/autodiscover.php | 3 ++- data/web/inc/functions.inc.php | 14 +++++++++++++- data/web/inc/vars.inc.php | 3 +++ data/web/sogo-auth.php | 3 ++- 4 files changed, 20 insertions(+), 3 deletions(-) diff --git a/data/web/autodiscover.php b/data/web/autodiscover.php index c18edbfc..265d138e 100644 --- a/data/web/autodiscover.php +++ b/data/web/autodiscover.php @@ -67,7 +67,8 @@ if (empty($_SERVER['PHP_AUTH_USER']) || empty($_SERVER['PHP_AUTH_PW'])) { exit(0); } -$login_role = check_login($login_user, $login_pass); +$allow_app_passwords = $ALLOW_APP_PASSWORDS_IN_EAS === true || $autodiscover_config['autodiscoverType'] == 'imap'; +$login_role = check_login($login_user, $login_pass, $allow_app_passwords); if ($login_role === "user") { header("Content-Type: application/xml"); diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index 072bf0b4..8245c46e 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -807,7 +807,7 @@ function verify_hash($hash, $password) { } return false; } -function check_login($user, $pass) { +function check_login($user, $pass, $allow_app_passwords = false) { global $pdo; global $redis; global $imap_server; 
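Review bot: The new `$allow_app_passwords` line in autodiscover.php tests the setting with `=== true`, while the sogo-auth.php hunk of this patch uses plain truthiness (`$is_eas && $ALLOW_APP_PASSWORDS_IN_EAS`), so an operator who sets the variable to `1` or `'1'` enables app passwords for DAV and ActiveSync but not for autodiscover. Use one form at both call sites, for example `!empty($ALLOW_APP_PASSWORDS_IN_EAS)`, or normalise the value once where it is defined. The type test on the same line should be strict as well: `$autodiscover_config['autodiscoverType'] === 'imap'`. With the `imap` type, app passwords are accepted here whatever the setting says; if that is intended, a one-line comment such as `// IMAP autodiscover always accepts app passwords, independent of the EAS setting` would make it explicit.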
@@ -896,6 +896,18 @@ function check_login($user, $pass) { AND `username` = :user"); $stmt->execute(array(':user' => $user)); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); + if ($allow_app_passwords === true) { + $stmt = $pdo->prepare("SELECT `app_passwd`.`password` as `password`, `app_passwd`.`id` as `app_passwd_id` FROM `app_passwd` + INNER JOIN `mailbox` ON `mailbox`.`username` = `app_passwd`.`mailbox` + INNER JOIN `domain` ON `mailbox`.`domain` = `domain`.`domain` + WHERE `mailbox`.`kind` NOT REGEXP 'location|thing|group' + AND `mailbox`.`active` = '1' + AND `domain`.`active` = '1' + AND `app_passwd`.`active` = '1' + AND `app_passwd`.`mailbox` = :user"); + $stmt->execute(array(':user' => $user)); + $rows = array_merge($rows, $stmt->fetchAll(PDO::FETCH_ASSOC)); + } foreach ($rows as $row) { if (verify_hash($row['password'], $pass) !== false) { unset($_SESSION['ldelay']); diff --git a/data/web/inc/vars.inc.php b/data/web/inc/vars.inc.php index 91d2145d..8a83f964 100644 --- a/data/web/inc/vars.inc.php +++ b/data/web/inc/vars.inc.php @@ -188,6 +188,9 @@ $MAILBOX_DEFAULT_ATTRIBUTES['mailbox_format'] = 'maildir:'; // Show last IMAP and POP3 logins $SHOW_LAST_LOGIN = true; +// Allow app passwords in CardDav, CalDav and ActiveSync +$ALLOW_APP_PASSWORDS_IN_EAS = true; + // UV flag handling in FIDO2/WebAuthn - defaults to false to allow iOS logins // true = required // false = preferred diff --git a/data/web/sogo-auth.php b/data/web/sogo-auth.php index 3bd19c6e..e3557cc8 100644 --- a/data/web/sogo-auth.php +++ b/data/web/sogo-auth.php 
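Review bot: After the `array_merge`, the `foreach` loop in check_login cannot tell whether the mailbox password or an app password matched, and the `app_passwd_id` column selected by the new query is not read anywhere in the visible lines. Both cases clear `$_SESSION['ldelay']` and, as far as the hunk shows, continue on the same path, so a later step that should differ for an app-password login (audit logging, per-password revocation, second-factor handling) has nothing to key on. I would capture it at the match, e.g. `$matched_app_passwd_id = isset($row['app_passwd_id']) ? $row['app_passwd_id'] : null;`, and include it in the login log entry. The new SELECT also repeats the mailbox and domain filters of the query above it, so the two can drift apart; a comment tying them together would help. The loop body and the rest of check_login continue outside the hunk, so confirm whether this is already handled there.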
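Review bot: `$ALLOW_APP_PASSWORDS_IN_EAS` defaults to `true` in vars.inc.php, so on upgrade every existing app password gains access to calendars, contacts and ActiveSync, although it was issued under a hint text that limited it to IMAP and SMTP. A widening of credential scope is safer as opt-in, `$ALLOW_APP_PASSWORDS_IN_EAS = false;`, with the new option called out in the release notes. The comment should also say that autodiscover.php reads the setting, e.g. `// Allow app passwords for CalDAV, CardDAV, ActiveSync and autodiscover`.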
@@ -14,7 +14,8 @@ if (isset($_SERVER['PHP_AUTH_USER'])) { require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php'; $username = $_SERVER['PHP_AUTH_USER']; $password = $_SERVER['PHP_AUTH_PW']; - $login_check = check_login($username, $password); + $is_eas = preg_match('/^(\/SOGo|)\/(dav|Microsoft-Server-ActiveSync).*/', $_SERVER['HTTP_X_ORIGINAL_URI']); + $login_check = check_login($username, $password, $is_eas && $ALLOW_APP_PASSWORDS_IN_EAS); if ($login_check === 'user') { header("X-User: $username"); header("X-Auth: Basic ".base64_encode("$username:$password")); From 06ac1a14643e4718629f187045407b6a3cd0f348 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=BCrgen=20Kellerer?= Date: Sun, 24 Oct 2021 17:30:33 +0200 Subject: [PATCH 2/3] Updated L10N DE,EN,FR,IT(EN) --- data/web/lang/lang.de.json | 2 +- data/web/lang/lang.en.json | 2 +- data/web/lang/lang.fr.json | 2 +- data/web/lang/lang.it.json | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/data/web/lang/lang.de.json b/data/web/lang/lang.de.json index ed516240..15e981e2 100644 --- a/data/web/lang/lang.de.json +++ b/data/web/lang/lang.de.json @@ -991,7 +991,7 @@ "alias_valid_until": "Gültig bis", "aliases_also_send_as": "Darf außerdem versenden als Benutzer", "aliases_send_as_all": "Absender für folgende Domains und zugehörige Alias-Domains nicht prüfen", - "app_hint": "App-Passwörter sind alternative Passwörter für den IMAP- und SMTP-Login am Mailserver. Der Benutzername bleibt unverändert.
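Review bot: The decision to accept app passwords in sogo-auth.php rests on `$_SERVER['HTTP_X_ORIGINAL_URI']`, which is a request header, and on a pattern with no boundary after `dav`, so any path that merely begins with `/dav` or `/SOGo/dav` is treated as a DAV request. Nothing in the hunk shows that the header is always set by the reverse proxy; if this script can be reached with a client-supplied value, the webmail restriction described in the updated hint text does not hold, so that assumption should be verified in the proxy configuration and stated in a comment here. The header may also be absent, in which case `preg_match` runs on an undefined index. I would tighten both with `$orig_uri = isset($_SERVER['HTTP_X_ORIGINAL_URI']) ? $_SERVER['HTTP_X_ORIGINAL_URI'] : '';` followed by `$is_eas = preg_match('/^(\/SOGo)?\/(dav|Microsoft-Server-ActiveSync)(\/|\?|$)/', $orig_uri) === 1;`. The enclosing `if (isset($_SERVER['PHP_AUTH_USER']))` block continues outside the hunk.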
SOGo (und damit ActiveSync) ist mit diesem Kennwort nicht verwendbar.", + "app_hint": "App-Passwörter sind alternative Passwörter für den IMAP-, SMTP-, CalDAV-, CardDAV- und EAS-Login am Mailserver. Der Benutzername bleibt unverändert.
SOGo Webmail ist mit diesem Kennwort nicht verwendbar.", "app_name": "App-Name", "app_passwds": "App-Passwörter", "apple_connection_profile": "Apple-Verbindungsprofil", diff --git a/data/web/lang/lang.en.json b/data/web/lang/lang.en.json index 3f8be347..3f4a6220 100644 --- a/data/web/lang/lang.en.json +++ b/data/web/lang/lang.en.json @@ -1033,7 +1033,7 @@ "alias_valid_until": "Valid until", "aliases_also_send_as": "Also allowed to send as user", "aliases_send_as_all": "Do not check sender access for the following domain(s) and its alias domains", - "app_hint": "App passwords are alternative passwords for your IMAP and SMTP login. The username remains unchanged.
SOGo (including ActiveSync) is not available through app passwords.", + "app_hint": "App passwords are alternative passwords for your IMAP, SMTP, CalDAV, CardDAV and EAS login. The username remains unchanged. SOGo webmail is not available through app passwords.", "app_name": "App name", "app_passwds": "App passwords", "apple_connection_profile": "Apple connection profile", diff --git a/data/web/lang/lang.fr.json b/data/web/lang/lang.fr.json index baf407c0..9ba9e279 100644 --- a/data/web/lang/lang.fr.json +++ b/data/web/lang/lang.fr.json @@ -953,7 +953,7 @@ "alias_valid_until": "Valide jusque", "aliases_also_send_as": "Aussi autorisé à envoyer en tant qu’utilisateur", "aliases_send_as_all": "Ne pas vérifier l’accès de l’expéditeur pour les domaines suivants et leurs alias", - "app_hint": "Les mots de passe d’application sont des mots de passe alternatifs pour votre connexion IMAP et SMTP. Le nom d’utilisateur reste inchangé.
SOGo (incluant ActiveSync) n'est pas disponible au travers de mots de passe.", + "app_hint": "Les mots de passe d’application sont des mots de passe alternatifs pour votre connexion IMAP, SMTP, Caldav, Carddav et EAS. Le nom d’utilisateur reste inchangé.
SOGo n'est pas disponible au travers de mots de passe.", "app_name": "Nom d'application", "app_passwds": "Mots de passe de l'application", "apple_connection_profile": "Profil de connexion Apple", diff --git a/data/web/lang/lang.it.json b/data/web/lang/lang.it.json index a7422d8b..aa7a8dc2 100644 --- a/data/web/lang/lang.it.json +++ b/data/web/lang/lang.it.json @@ -999,7 +999,7 @@ "alias_valid_until": "Valido fino a", "aliases_also_send_as": "Può inviare come utente", "aliases_send_as_all": "Do not check sender access for the following domain(s) and its alias domains", - "app_hint": "App passwords are alternative passwords for your IMAP and SMTP login. The username remains unchanged.
SOGo (including ActiveSync) is not available through app passwords.", + "app_hint": "App passwords are alternative passwords for your IMAP, SMTP, CalDAV, CardDAV and EAS login. The username remains unchanged. SOGo webmail is not available through app passwords.", "app_name": "App name", "app_passwds": "App passwords", "apple_connection_profile": "Profilo di connessione Apple", From 2a4764aa4164f92865e206e47f97f3f4baaffb8f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=BCrgen=20Kellerer?= Date: Sun, 24 Oct 2021 17:42:00 +0200 Subject: [PATCH 3/3] Updated L10N CS,DA,NL,RO,RU,SK,SV --- data/web/lang/lang.cs.json | 2 +- data/web/lang/lang.da.json | 2 +- data/web/lang/lang.nl.json | 2 +- data/web/lang/lang.ro.json | 2 +- data/web/lang/lang.ru.json | 2 +- data/web/lang/lang.sk.json | 2 +- data/web/lang/lang.sv.json | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/data/web/lang/lang.cs.json b/data/web/lang/lang.cs.json index edddb44e..10cdc235 100644 --- a/data/web/lang/lang.cs.json +++ b/data/web/lang/lang.cs.json @@ -1015,7 +1015,7 @@ "alias_valid_until": "Platný do", "aliases_also_send_as": "Smí odesílat také jako uživatel", "aliases_send_as_all": "Nekontrolovat přístup odesílatele pro následující doménu(y) a jejich aliasy domény:", - "app_hint": "Hesla aplikací jsou alternativní heslo pro přihlášení k IMAP a SMTP. Uživatelské jméno zůstává stejné.
SOGo (včetně ActiveSync) však nelze s heslem aplikace použít.", + "app_hint": "Hesla aplikací jsou alternativní heslo pro přihlášení k IMAP, SMTP, CalDAV, CardDAV a EAS. Uživatelské jméno zůstává stejné.
SOGo však nelze s heslem aplikace použít.", "app_name": "Název aplikace", "app_passwds": "Hesla aplikací", "apple_connection_profile": "Profil připojení Apple", diff --git a/data/web/lang/lang.da.json b/data/web/lang/lang.da.json index 5a854cfa..95169179 100644 --- a/data/web/lang/lang.da.json +++ b/data/web/lang/lang.da.json @@ -944,7 +944,7 @@ "alias_valid_until": "Gyldig indtil", "aliases_also_send_as": "Også tilladt at sende som bruger", "aliases_send_as_all": "Do not check sender access for the following domain(s) and its alias domains", - "app_hint": "App adgangskoder er alternative adgangskoder til din IMAP og SMTP login. Brugernavnet forbliver uændret.
SOGo (inklusive AktivSync) er ikke tilgængelig via app-adgangskoder.", + "app_hint": "App adgangskoder er alternative adgangskoder til din IMAP, SMTP, CalDAV, CardDAV og EAS login. Brugernavnet forbliver uændret.
SOGo er ikke tilgængelig via app-adgangskoder.", "app_name": "App navn", "app_passwds": "App kodeord", "apple_connection_profile": "Apple forbindelses profil", diff --git a/data/web/lang/lang.nl.json b/data/web/lang/lang.nl.json index 3ec00d54..4afd4b14 100644 --- a/data/web/lang/lang.nl.json +++ b/data/web/lang/lang.nl.json @@ -968,7 +968,7 @@ "alias_valid_until": "Geldig tot", "aliases_also_send_as": "Toegestaan om te verzenden als", "aliases_send_as_all": "Controleer verzendtoegang voor de volgende domeinen, inclusief aliassen, niet", - "app_hint": "Appwachtwoorden zijn alternatieve wachtwoorden voor IMAP en SMTP. De gebruikersnaam blijft ongewijzigd.
SOGo (inclusief ActiveSync) is niet toegankelijk met een appwachtwoord.", + "app_hint": "Appwachtwoorden zijn alternatieve wachtwoorden voor IMAP, SMTP, CalDAV, CardDAV en EAS. De gebruikersnaam blijft ongewijzigd.
SOGo is niet toegankelijk met een appwachtwoord.", "app_name": "Naam van app", "app_passwds": "Appwachtwoorden", "apple_connection_profile": "Apple-verbindingsprofiel", diff --git a/data/web/lang/lang.ro.json b/data/web/lang/lang.ro.json index 289fbc05..3e03351d 100644 --- a/data/web/lang/lang.ro.json +++ b/data/web/lang/lang.ro.json @@ -1003,7 +1003,7 @@ "alias_valid_until": "Valabil până la", "aliases_also_send_as": "De asemenea, este permis să trimită ca utilizator", "aliases_send_as_all": "Nu se verifică accesul expeditorului pentru următorul(arele) domeniu(i) și domeniile sale alias", - "app_hint": "Parolele aplicației sunt parole alternative pentru autentificarea IMAP și SMTP. Numele de utilizator rămâne neschimbat.
SOGo (inclusiv ActiveSync) nu este disponibil prin parolele aplicației.", + "app_hint": "Parolele aplicației sunt parole alternative pentru autentificarea IMAP, SMTP, CalDAV, CardDAV și EAS. Numele de utilizator rămâne neschimbat.
SOGo nu este disponibil prin parolele aplicației.", "app_name": "Nume aplicație", "app_passwds": "Parole aplicație", "apple_connection_profile": "Profil de conexiune Apple", diff --git a/data/web/lang/lang.ru.json b/data/web/lang/lang.ru.json index a77025c2..8c8ab887 100644 --- a/data/web/lang/lang.ru.json +++ b/data/web/lang/lang.ru.json @@ -1034,7 +1034,7 @@ "alias_valid_until": "Действителен до", "aliases_also_send_as": "Разрешено отправлять письма от имени", "aliases_send_as_all": "Разрешено отправлять письма от любого имени для домена и его псевдонимов", - "app_hint": "Пароли приложений - это альтернативные пароли для авторизации в IMAP и SMTP. При этом имя пользователя остается неизменным.
SOGo (включая ActiveSync) недоступен через пароли приложений.", + "app_hint": "Пароли приложений - это альтернативные пароли для авторизации в IMAP, SMTP, CalDAV, CardDAV и EAS. При этом имя пользователя остается неизменным.
SOGo недоступен через пароли приложений.", "app_name": "Название приложения", "app_passwds": "Пароли приложений", "apple_connection_profile": "Профиль подключения Apple", diff --git a/data/web/lang/lang.sk.json b/data/web/lang/lang.sk.json index 8be8efce..bdf81425 100644 --- a/data/web/lang/lang.sk.json +++ b/data/web/lang/lang.sk.json @@ -1034,7 +1034,7 @@ "alias_valid_until": "Platné do", "aliases_also_send_as": "Môže odosielať ako používateľ", "aliases_send_as_all": "Nekontrolovať prístup odosielateľa pre nasledujúcu doménu/y a jej alias domény", - "app_hint": "Heslá aplikácií sú alternatívne heslá pre vaše IMAP a SMTP prihlásenie. Používateľské meno zostáva nezmenené.
SOGo (zahŕňajúc ActiveSync) nie je momentálne podporovaný.", + "app_hint": "Heslá aplikácií sú alternatívne heslá pre vaše IMAP, SMTP, CalDAV, CardDAV a EAS prihlásenie. Používateľské meno zostáva nezmenené.
SOGo nie je momentálne podporovaný.", "app_name": "Meno aplikácie", "app_passwds": "Heslá aplikácií", "apple_connection_profile": "Apple konfiguračný profil", diff --git a/data/web/lang/lang.sv.json b/data/web/lang/lang.sv.json index a68b8602..063a8f4a 100644 --- a/data/web/lang/lang.sv.json +++ b/data/web/lang/lang.sv.json @@ -986,7 +986,7 @@ "alias_valid_until": "Giltig till", "aliases_also_send_as": "Som också har tillåtelse att skicka som användare", "aliases_send_as_all": "Kontrollera inte avsändaråtkomsten för följande domän/domäner och aliasdomäner", - "app_hint": "Applikationslösenord är ett alternativt lösenord för IMAP och SMTP inloggning på e-postservern. Användarnamnet förblir oförändrat.
SOGo (och därmed ActiveSync) kan inte användas med det här lösenordet.", + "app_hint": "Applikationslösenord är ett alternativt lösenord för IMAP, SMTP, CalDAV, CardDAV och EAS inloggning på e-postservern. Användarnamnet förblir oförändrat.
SOGo kan inte användas med det här lösenordet.", "app_name": "Applikationsnamn", "app_passwds": "Applikationslösenord", "apple_connection_profile": "Apple-anslutningsprofil",