Merge commit 'refs/pull/4296/head' of github.com:mailcow/mailcow-dockerized into app-passwd-daveas
commit
cbc3c87b77
@ -68,7 +68,8 @@ if (empty($_SERVER['PHP_AUTH_USER']) || empty($_SERVER['PHP_AUTH_PW'])) {
exit(0);
exit(0);
}
}
$login_role = check_login($login_user, $login_pass);
$allow_app_passwords = $ALLOW_APP_PASSWORDS_IN_EAS === true || $autodiscover_config['autodiscoverType'] == 'imap';
$login_role = check_login($login_user, $login_pass, $allow_app_passwords);
if ($login_role === "user") {
if ($login_role === "user") {
header("Content-Type: application/xml");
header("Content-Type: application/xml");
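Review bot: The new `$allow_app_passwords` expression compares `$autodiscover_config['autodiscoverType'] == 'imap'` loosely while the other operand uses `=== true`; make both strict, `$allow_app_passwords = $ALLOW_APP_PASSWORDS_IN_EAS === true || $autodiscover_config['autodiscoverType'] === 'imap';`. Note that a flag named for EAS also unlocks app passwords for the IMAP autodiscover path here, which looks intentional (IMAP clients are the app-password use case) but deserves a one-line comment such as `// app passwords are valid for IMAP clients regardless of the EAS setting`. If a deployment's config override predates this variable, `$ALLOW_APP_PASSWORDS_IN_EAS` is undefined and the comparison falls back to false with a warning, which is the safe direction. The enclosing `if` block named in the hunk header starts outside the hunk.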
@ -807,7 +807,7 @@ function verify_hash($hash, $password) {
}
}
return false;
return false;
}
}
function check_login($user, $pass) {
function check_login($user, $pass, $allow_app_passwords = false) {
global $pdo;
global $pdo;
global $redis;
global $redis;
global $imap_server;
global $imap_server;
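Review bot: The new parameter in `function check_login($user, $pass, $allow_app_passwords = false)` is untyped, yet the later hunk only honours it via `$allow_app_passwords === true`, so a caller passing `1` or any other truthy non-bool silently keeps app passwords disabled rather than failing loudly. Declare it `function check_login($user, $pass, bool $allow_app_passwords = false) {` so a wrong argument type is rejected at the call site; both visible callers already pass a bool. A short docblock above the signature stating that the flag also accepts the mailbox's active app passwords and is meant for the EAS/DAV/IMAP callers, not the UI login, would make the security boundary explicit. The body of check_login continues past this hunk.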
@ -896,6 +896,18 @@ function check_login($user, $pass) {
AND `username` = :user");
AND `username` = :user");
$stmt->execute(array(':user' => $user));
$stmt->execute(array(':user' => $user));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
if ($allow_app_passwords === true) {
$stmt = $pdo->prepare("SELECT `app_passwd`.`password` as `password`, `app_passwd`.`id` as `app_passwd_id` FROM `app_passwd`
INNER JOIN `mailbox` ON `mailbox`.`username` = `app_passwd`.`mailbox`
INNER JOIN `domain` ON `mailbox`.`domain` = `domain`.`domain`
WHERE `mailbox`.`kind` NOT REGEXP 'location|thing|group'
AND `mailbox`.`active` = '1'
AND `domain`.`active` = '1'
AND `app_passwd`.`active` = '1'
AND `app_passwd`.`mailbox` = :user");
$stmt->execute(array(':user' => $user));
$rows = array_merge($rows, $stmt->fetchAll(PDO::FETCH_ASSOC));
}
foreach ($rows as $row) {
foreach ($rows as $row) {
if (verify_hash($row['password'], $pass) !== false) {
if (verify_hash($row['password'], $pass) !== false) {
unset($_SESSION['ldelay']);
unset($_SESSION['ldelay']);
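Review bot: `$rows = array_merge($rows, $stmt->fetchAll(PDO::FETCH_ASSOC));` discards which rows came from `app_passwd`, so once `verify_hash($row['password'], $pass)` succeeds the function cannot tell an app-password login from a primary-password login, and nothing in this hunk uses the selected `app_passwd_id`. For audit and detection that distinction matters; the match branch could record it with `if (isset($row['app_passwd_id'])) { /* log app-password auth for $user */ }` before the existing `unset($_SESSION['ldelay']);`, or the column should be dropped if it is not consumed later. The second query mirrors the mailbox query's `active` and `kind` filters, which is the right scope. check_login starts and ends outside this hunk, so the success path after the match is not visible here.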
@ -188,6 +188,9 @@ $MAILBOX_DEFAULT_ATTRIBUTES['mailbox_format'] = 'maildir:';
// Show last IMAP and POP3 logins
// Show last IMAP and POP3 logins
$SHOW_LAST_LOGIN = true;
$SHOW_LAST_LOGIN = true;
// Allow app passwords in CardDav, CalDav and ActiveSync
$ALLOW_APP_PASSWORDS_IN_EAS = true;
// UV flag handling in FIDO2/WebAuthn - defaults to false to allow iOS logins
// UV flag handling in FIDO2/WebAuthn - defaults to false to allow iOS logins
// true = required
// true = required
// false = preferred
// false = preferred
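Review bot: `$ALLOW_APP_PASSWORDS_IN_EAS = true;` ships a permissive default that widens the reach of every existing app password from IMAP/SMTP to CalDAV, CardDAV and ActiveSync on upgrade, and the comment above it does not say so. Extend the comment to `// Allow app passwords in CardDav, CalDav and ActiveSync` followed by `// Default true: existing app passwords then also unlock DAV/EAS data; set to false to keep them IMAP/SMTP-only`, matching the "true = / false =" style used for the UV flag below. The name says EAS while the comment covers DAV too; if the flag is meant to cover all three, a name or comment that says so avoids operators assuming DAV stays excluded.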
@ -991,7 +991,7 @@
"alias_valid_until": "Gültig bis",
"alias_valid_until": "Gültig bis",
"aliases_also_send_as": "Darf außerdem versenden als Benutzer",
"aliases_also_send_as": "Darf außerdem versenden als Benutzer",
"aliases_send_as_all": "Absender für folgende Domains und zugehörige Alias-Domains nicht prüfen",
"aliases_send_as_all": "Absender für folgende Domains und zugehörige Alias-Domains nicht prüfen",
"app_hint": "App-Passwörter sind alternative Passwörter für den <b>IMAP- und SMTP</b>-Login am Mailserver. Der Benutzername bleibt unverändert.<br>SOGo (und damit ActiveSync) ist mit diesem Kennwort nicht verwendbar.",
"app_hint": "App-Passwörter sind alternative Passwörter für den IMAP-, SMTP-, CalDAV-, CardDAV- und EAS-Login am Mailserver. Der Benutzername bleibt unverändert.<br>SOGo Webmail ist mit diesem Kennwort nicht verwendbar.",
"app_name": "App-Name",
"app_name": "App-Name",
"app_passwds": "App-Passwörter",
"app_passwds": "App-Passwörter",
"apple_connection_profile": "Apple-Verbindungsprofil",
"apple_connection_profile": "Apple-Verbindungsprofil",
@ -1033,7 +1033,7 @@
"alias_valid_until": "Valid until",
"alias_valid_until": "Valid until",
"aliases_also_send_as": "Also allowed to send as user",
"aliases_also_send_as": "Also allowed to send as user",
"aliases_send_as_all": "Do not check sender access for the following domain(s) and its alias domains",
"aliases_send_as_all": "Do not check sender access for the following domain(s) and its alias domains",
"app_hint": "App passwords are alternative passwords for your <b>IMAP and SMTP</b> login. The username remains unchanged.<br>SOGo (including ActiveSync) is not available through app passwords.",
"app_hint": "App passwords are alternative passwords for your IMAP, SMTP, CalDAV, CardDAV and EAS login. The username remains unchanged. SOGo webmail is not available through app passwords.",
"app_name": "App name",
"app_name": "App name",
"app_passwds": "App passwords",
"app_passwds": "App passwords",
"apple_connection_profile": "Apple connection profile",
"apple_connection_profile": "Apple connection profile",
@ -953,7 +953,7 @@
"alias_valid_until": "Valide jusque",
"alias_valid_until": "Valide jusque",
"aliases_also_send_as": "Aussi autorisé à envoyer en tant qu’utilisateur",
"aliases_also_send_as": "Aussi autorisé à envoyer en tant qu’utilisateur",
"aliases_send_as_all": "Ne pas vérifier l’accès de l’expéditeur pour les domaines suivants et leurs alias",
"aliases_send_as_all": "Ne pas vérifier l’accès de l’expéditeur pour les domaines suivants et leurs alias",
"app_hint": "Les mots de passe d’application sont des mots de passe alternatifs pour votre connexion <b>IMAP et SMTP</b>. Le nom d’utilisateur reste inchangé.<br>SOGo (incluant ActiveSync) n'est pas disponible au travers de mots de passe.",
"app_hint": "Les mots de passe d’application sont des mots de passe alternatifs pour votre connexion IMAP, SMTP, Caldav, Carddav et EAS. Le nom d’utilisateur reste inchangé.<br>SOGo n'est pas disponible au travers de mots de passe.",
"app_name": "Nom d'application",
"app_name": "Nom d'application",
"app_passwds": "Mots de passe de l'application",
"app_passwds": "Mots de passe de l'application",
"apple_connection_profile": "Profil de connexion Apple",
"apple_connection_profile": "Profil de connexion Apple",
@ -999,7 +999,7 @@
"alias_valid_until": "Valido fino a",
"alias_valid_until": "Valido fino a",
"aliases_also_send_as": "Può inviare come utente",
"aliases_also_send_as": "Può inviare come utente",
"aliases_send_as_all": "Do not check sender access for the following domain(s) and its alias domains",
"aliases_send_as_all": "Do not check sender access for the following domain(s) and its alias domains",
"app_hint": "App passwords are alternative passwords for your <b>IMAP and SMTP</b> login. The username remains unchanged.<br>SOGo (including ActiveSync) is not available through app passwords.",
"app_hint": "App passwords are alternative passwords for your IMAP, SMTP, CalDAV, CardDAV and EAS login. The username remains unchanged. SOGo webmail is not available through app passwords.",
"app_name": "App name",
"app_name": "App name",
"app_passwds": "App passwords",
"app_passwds": "App passwords",
"apple_connection_profile": "Profilo di connessione Apple",
"apple_connection_profile": "Profilo di connessione Apple",
@ -14,7 +14,8 @@ if (isset($_SERVER['PHP_AUTH_USER'])) {
require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
$username = $_SERVER['PHP_AUTH_USER'];
$username = $_SERVER['PHP_AUTH_USER'];
$password = $_SERVER['PHP_AUTH_PW'];
$password = $_SERVER['PHP_AUTH_PW'];
$login_check = check_login($username, $password);
$is_eas = preg_match('/^(\/SOGo|)\/(dav|Microsoft-Server-ActiveSync).*/', $_SERVER['HTTP_X_ORIGINAL_URI']);
$login_check = check_login($username, $password, $is_eas && $ALLOW_APP_PASSWORDS_IN_EAS);
if ($login_check === 'user') {
if ($login_check === 'user') {
header("X-User: $username");
header("X-User: $username");
header("X-Auth: Basic ".base64_encode("$username:$password"));
header("X-Auth: Basic ".base64_encode("$username:$password"));
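Review bot: The added `$is_eas = preg_match(..., $_SERVER['HTTP_X_ORIGINAL_URI']);` reads the request header without a guard, so a request that reaches this script without the proxy-set header passes null to preg_match (a notice, and deprecated in PHP 8.1+) and yields `0`; write `$is_eas = preg_match('/^(\/SOGo|)\/(dav|Microsoft-Server-ActiveSync).*/', $_SERVER['HTTP_X_ORIGINAL_URI'] ?? '') === 1;` so the value is an explicit bool and a missing header means "not EAS/DAV". Whether app passwords are accepted now hinges on `X-Original-URI`, so this check is only as trustworthy as the proxy's guarantee to set and overwrite that header on every auth subrequest; a comment stating that assumption next to the line would help the next maintainer. The variable name `$is_eas` also covers the `/dav` paths, which the name does not convey. The enclosing `if (isset($_SERVER['PHP_AUTH_USER']))` block starts before the hunk and continues after it.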