add random masterpass for sogo admin login
add required headers for sogo proxy auth with password add SOGoEncryptionKey add SOGoTrustProxyAuthentication only conditionally if feature is enabledmaster
Marcel Hofer
parent
937cdadd36
commit
dd6d253ac0
|
|
@ -118,17 +118,6 @@ default_pass_scheme = SSHA256
|
||||||
password_query = SELECT password FROM mailbox WHERE active = '1' AND username = '%u' AND domain IN (SELECT domain FROM domain WHERE domain='%d' AND active='1') AND JSON_EXTRACT(attributes, '$.force_pw_update') NOT LIKE '%%1%%'
|
password_query = SELECT password FROM mailbox WHERE active = '1' AND username = '%u' AND domain IN (SELECT domain FROM domain WHERE domain='%d' AND active='1') AND JSON_EXTRACT(attributes, '$.force_pw_update') NOT LIKE '%%1%%'
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
if [[ "${ALLOW_ADMIN_EMAIL_LOGIN}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
|
|
||||||
cat <<EOF > /usr/local/etc/dovecot/sogo-sso.conf
|
|
||||||
passdb {
|
|
||||||
driver = static
|
|
||||||
args = password= allow_real_nets=${IPV4_NETWORK}.248/32
|
|
||||||
}
|
|
||||||
EOF
|
|
||||||
else
|
|
||||||
rm -f /usr/local/etc/dovecot/sogo-sso.conf
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Create global sieve_after script
|
# Create global sieve_after script
|
||||||
cat /usr/local/etc/dovecot/sieve_after > /var/vmail/sieve/global.sieve
|
cat /usr/local/etc/dovecot/sieve_after > /var/vmail/sieve/global.sieve
|
||||||
|
|
||||||
|
|
@ -146,6 +135,21 @@ echo ${RAND_USER}@mailcow.local:{SHA1}$(echo -n ${RAND_PASS} | sha1sum | awk '{p
|
||||||
echo ${RAND_USER}@mailcow.local::5000:5000:::: > /usr/local/etc/dovecot/dovecot-master.userdb
|
echo ${RAND_USER}@mailcow.local::5000:5000:::: > /usr/local/etc/dovecot/dovecot-master.userdb
|
||||||
echo ${RAND_USER}@mailcow.local:${RAND_PASS} > /etc/sogo/sieve.creds
|
echo ${RAND_USER}@mailcow.local:${RAND_PASS} > /etc/sogo/sieve.creds
|
||||||
|
|
||||||
|
if [[ "${ALLOW_ADMIN_EMAIL_LOGIN}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
|
||||||
|
# Create random master Password for SOGo 'login as user' via proxy auth
|
||||||
|
RAND_PASS=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1)
|
||||||
|
echo -n ${RAND_PASS} > /etc/phpfpm/sogo-sso.pass
|
||||||
|
cat <<EOF > /usr/local/etc/dovecot/sogo-sso.conf
|
||||||
|
passdb {
|
||||||
|
driver = static
|
||||||
|
args = allow_real_nets=${IPV4_NETWORK}.248/32 password={plain}${RAND_PASS}
|
||||||
|
}
|
||||||
|
EOF
|
||||||
|
else
|
||||||
|
rm -f /usr/local/etc/dovecot/sogo-sso.pass
|
||||||
|
rm -f /usr/local/etc/dovecot/sogo-sso.conf
|
||||||
|
fi
|
||||||
|
|
||||||
# 401 is user dovecot
|
# 401 is user dovecot
|
||||||
if [[ ! -s /mail_crypt/ecprivkey.pem || ! -s /mail_crypt/ecpubkey.pem ]]; then
|
if [[ ! -s /mail_crypt/ecprivkey.pem || ! -s /mail_crypt/ecpubkey.pem ]]; then
|
||||||
openssl ecparam -name prime256v1 -genkey | openssl pkey -out /mail_crypt/ecprivkey.pem
|
openssl ecparam -name prime256v1 -genkey | openssl pkey -out /mail_crypt/ecprivkey.pem
|
||||||
|
|
|
||||||
|
|
@ -88,6 +88,13 @@ mkdir -p /var/lib/sogo/GNUstep/Defaults/
|
||||||
# Force-remove lines from sogo.conf
|
# Force-remove lines from sogo.conf
|
||||||
sed -i '/SOGoIMAPServer/d' /etc/sogo/sogo.conf
|
sed -i '/SOGoIMAPServer/d' /etc/sogo/sogo.conf
|
||||||
|
|
||||||
|
if [[ "${ALLOW_ADMIN_EMAIL_LOGIN}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
|
||||||
|
TRUST_PROXY="YES"
|
||||||
|
else
|
||||||
|
TRUST_PROXY="NO"
|
||||||
|
fi
|
||||||
|
RAND_PASS=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 24 | head -n 1)
|
||||||
|
|
||||||
# Generate plist header with timezone data
|
# Generate plist header with timezone data
|
||||||
cat <<EOF > /var/lib/sogo/GNUstep/Defaults/sogod.plist
|
cat <<EOF > /var/lib/sogo/GNUstep/Defaults/sogod.plist
|
||||||
<?xml version="1.0" encoding="UTF-8"?>
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
|
@ -98,6 +105,10 @@ cat <<EOF > /var/lib/sogo/GNUstep/Defaults/sogod.plist
|
||||||
<string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_acl</string>
|
<string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_acl</string>
|
||||||
<key>SOGoIMAPServer</key>
|
<key>SOGoIMAPServer</key>
|
||||||
<string>imap://${IPV4_NETWORK}.250:143/?tls=YES</string>
|
<string>imap://${IPV4_NETWORK}.250:143/?tls=YES</string>
|
||||||
|
<key>SOGoTrustProxyAuthentication</key>
|
||||||
|
<string>${TRUST_PROXY}</string>
|
||||||
|
<key>SOGoEncryptionKey</key>
|
||||||
|
<string>${RAND_PASS}</string>
|
||||||
<key>OCSCacheFolderURL</key>
|
<key>OCSCacheFolderURL</key>
|
||||||
<string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_cache_folder</string>
|
<string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_cache_folder</string>
|
||||||
<key>OCSEMailAlarmsFolderURL</key>
|
<key>OCSEMailAlarmsFolderURL</key>
|
||||||
|
|
|
||||||
|
|
@ -1,8 +1,10 @@
|
||||||
if printf "%s\n" "${ALLOW_ADMIN_EMAIL_LOGIN}" | grep -E '^([yY][eE][sS]|[yY])+$' >/dev/null; then
|
if printf "%s\n" "${ALLOW_ADMIN_EMAIL_LOGIN}" | grep -E '^([yY][eE][sS]|[yY])+$' >/dev/null; then
|
||||||
echo 'auth_request /sogo-auth-verify;
|
echo 'auth_request /sogo-auth-verify;
|
||||||
auth_request_set $user $upstream_http_x_username;
|
auth_request_set $user $upstream_http_x_user;
|
||||||
proxy_set_header x-webobjects-remote-user $user;
|
auth_request_set $auth $upstream_http_x_auth;
|
||||||
if ($args ~* (.*)(account=(?!0))(.*)) {
|
auth_request_set $auth_type $upstream_http_x_auth_type;
|
||||||
return 401;
|
proxy_set_header x-webobjects-remote-user "$user";
|
||||||
}'
|
proxy_set_header Authorization "$auth";
|
||||||
|
proxy_set_header x-webobjects-auth-type "$auth_type";
|
||||||
|
'
|
||||||
fi
|
fi
|
||||||
|
|
|
||||||
|
|
@ -82,6 +82,4 @@
|
||||||
//SOGoUIxDebugEnabled = YES;
|
//SOGoUIxDebugEnabled = YES;
|
||||||
//WODontZipResponse = YES;
|
//WODontZipResponse = YES;
|
||||||
WOLogFile = "/dev/sogo_log";
|
WOLogFile = "/dev/sogo_log";
|
||||||
|
|
||||||
SOGoTrustProxyAuthentication = YES;
|
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -30,7 +30,8 @@ $ALLOW_ADMIN_EMAIL_LOGIN = (preg_match(
|
||||||
$_ENV["ALLOW_ADMIN_EMAIL_LOGIN"]
|
$_ENV["ALLOW_ADMIN_EMAIL_LOGIN"]
|
||||||
));
|
));
|
||||||
|
|
||||||
$session_variable = 'sogo-sso-user';
|
$session_var_user = 'sogo-sso-user';
|
||||||
|
$session_var_pass = 'sogo-sso-pass';
|
||||||
|
|
||||||
if (!$ALLOW_ADMIN_EMAIL_LOGIN) {
|
if (!$ALLOW_ADMIN_EMAIL_LOGIN) {
|
||||||
header("Location: /");
|
header("Location: /");
|
||||||
|
|
@ -42,7 +43,9 @@ elseif (isset($_GET['login'])) {
|
||||||
$login = html_entity_decode(rawurldecode($_GET["login"]));
|
$login = html_entity_decode(rawurldecode($_GET["login"]));
|
||||||
if (filter_var($login, FILTER_VALIDATE_EMAIL)) {
|
if (filter_var($login, FILTER_VALIDATE_EMAIL)) {
|
||||||
if (!empty(mailbox('get', 'mailbox_details', $login))) {
|
if (!empty(mailbox('get', 'mailbox_details', $login))) {
|
||||||
$_SESSION[$session_variable] = $login;
|
$sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass");
|
||||||
|
$_SESSION[$session_var_user] = $login;
|
||||||
|
$_SESSION[$session_var_pass] = $sogo_sso_pass;
|
||||||
header("Location: /SOGo/");
|
header("Location: /SOGo/");
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|
@ -54,11 +57,17 @@ elseif (isset($_GET['login'])) {
|
||||||
else {
|
else {
|
||||||
// this is an nginx auth_request call, we check for an existing sogo-sso-user session variable
|
// this is an nginx auth_request call, we check for an existing sogo-sso-user session variable
|
||||||
session_start();
|
session_start();
|
||||||
$username = "";
|
if (isset($_SESSION[$session_var_user]) && filter_var($_SESSION[$session_var_user], FILTER_VALIDATE_EMAIL)) {
|
||||||
if (isset($_SESSION[$session_variable]) && filter_var($_SESSION[$session_variable], FILTER_VALIDATE_EMAIL)) {
|
$username = $_SESSION[$session_var_user];
|
||||||
$username = $_SESSION[$session_variable];
|
$password = $_SESSION[$session_var_pass];
|
||||||
}
|
header("X-User: $username");
|
||||||
|
header("X-Auth: Basic ".base64_encode("$username:$password"));
|
||||||
|
header("X-Auth-Type: Basic");
|
||||||
|
} else {
|
||||||
// if username is empty, SOGo will display the normal login form
|
// if username is empty, SOGo will display the normal login form
|
||||||
header("X-Username: $username");
|
header("X-User: ");
|
||||||
|
header("X-Auth: ");
|
||||||
|
header("X-Auth-Type: ");
|
||||||
|
}
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -106,6 +106,7 @@ services:
|
||||||
- mysql-socket-vol-1:/var/run/mysqld/
|
- mysql-socket-vol-1:/var/run/mysqld/
|
||||||
- ./data/conf/sogo/:/etc/sogo/
|
- ./data/conf/sogo/:/etc/sogo/
|
||||||
- ./data/conf/rspamd/meta_exporter:/meta_exporter:ro
|
- ./data/conf/rspamd/meta_exporter:/meta_exporter:ro
|
||||||
|
- ./data/conf/phpfpm/sogo-sso/:/etc/sogo-sso/
|
||||||
- ./data/conf/phpfpm/php-fpm.d/pools.conf:/usr/local/etc/php-fpm.d/z-pools.conf
|
- ./data/conf/phpfpm/php-fpm.d/pools.conf:/usr/local/etc/php-fpm.d/z-pools.conf
|
||||||
- ./data/conf/phpfpm/php-conf.d/opcache-recommended.ini:/usr/local/etc/php/conf.d/opcache-recommended.ini
|
- ./data/conf/phpfpm/php-conf.d/opcache-recommended.ini:/usr/local/etc/php/conf.d/opcache-recommended.ini
|
||||||
- ./data/conf/phpfpm/php-conf.d/upload.ini:/usr/local/etc/php/conf.d/upload.ini
|
- ./data/conf/phpfpm/php-conf.d/upload.ini:/usr/local/etc/php/conf.d/upload.ini
|
||||||
|
|
@ -175,6 +176,7 @@ services:
|
||||||
- ./data/conf/dovecot:/usr/local/etc/dovecot
|
- ./data/conf/dovecot:/usr/local/etc/dovecot
|
||||||
- ./data/assets/ssl:/etc/ssl/mail/:ro
|
- ./data/assets/ssl:/etc/ssl/mail/:ro
|
||||||
- ./data/conf/sogo/:/etc/sogo/
|
- ./data/conf/sogo/:/etc/sogo/
|
||||||
|
- ./data/conf/phpfpm/sogo-sso/:/etc/phpfpm/
|
||||||
- vmail-vol-1:/var/vmail
|
- vmail-vol-1:/var/vmail
|
||||||
- vmail-attachments-vol-1:/var/attachments
|
- vmail-attachments-vol-1:/var/attachments
|
||||||
- crypt-vol-1:/mail_crypt/
|
- crypt-vol-1:/mail_crypt/
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue