
[Dovecot, Web] Fix remaining issues of app password enhancements from #4296

andryyy 3 years ago
parent
commit
f0aae22f77

+ 5 - 1
data/Dockerfiles/dovecot/docker-entrypoint.sh

@@ -177,7 +177,11 @@ function auth_password_verify(req, pass)
     while row do
       if req.password_verify(req, row.password, pass) == 1 then
         -- if password is valid and protocol access is 1 OR real_rip matches SOGo, proceed
-        if tostring(req.real_ip) == "__IPV4_SOGO__" or row.has_prot_access == "1" then
+        if tostring(req.real_rip) == "__IPV4_SOGO__" then
+          cur:close()
+          con:close()
+          return dovecot.auth.PASSDB_RESULT_OK, "password=" .. pass
+        if row.has_prot_access == "1" then
           con:execute(string.format([[REPLACE INTO sasl_log (service, app_password, username, real_rip)
             VALUES ("%s", %d, "%s", "%s")]], con:escape(req.service), row.id, con:escape(req.user), con:escape(req.real_rip)))
           cur:close()
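Review bot: The new SOGo branch ends in `return dovecot.auth.PASSDB_RESULT_OK, ...` and is followed directly by `if row.has_prot_access == "1" then`, but Lua accepts `return` only as the last statement of a block. As shown, this chunk would not parse, which would presumably break the whole passdb script rather than just this path. Writing the second test as `elseif row.has_prot_access == "1" then` keeps one if/elseif chain closed by the existing `end`. The SOGo branch also returns before the `REPLACE INTO sasl_log` insert, so those logins leave no log row; if that is intended, the comment above the branch should say so. The rest of `auth_password_verify` lies outside the hunk, so the closing `end`s could not be checked.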

+ 1 - 1
data/web/inc/functions.inc.php

@@ -944,7 +944,7 @@ function check_login($user, $pass, $app_passwd_data = false) {
           ':service' => $service,
           ':app_id' => $row['app_passwd_id'],
           ':username' => $user,
-          ':remote_addr' => $_SERVER['REMOTE_ADDR']
+          ':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR'])
         ));
       }
       return "user";
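Review bot: `$_SERVER['HTTP_X_REAL_IP']` is a request header, so the address bound to `:remote_addr` is whatever the client sent unless the front proxy always overwrites `X-Real-IP`. That proxy configuration is not visible in this commit. `sasl_log` appears to be the record of where logins came from, so a spoofable value weakens it for detection and incident review. Consider honouring the header only when `REMOTE_ADDR` is the known reverse proxy, and validating it before use, e.g. `filter_var($_SERVER['HTTP_X_REAL_IP'] ?? '', FILTER_VALIDATE_IP) ?: $_SERVER['REMOTE_ADDR']`. The same expression is added in data/web/sogo-auth.php, so a small shared helper would keep both call sites consistent; `check_login` continues outside the hunk.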

+ 1 - 1
data/web/sogo-auth.php

@@ -57,7 +57,7 @@ elseif (isset($_GET['login'])) {
         $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES ('SSO', 0, :username, :remote_addr)");
         $stmt->execute(array(
           ':username' => $login,
-          ':remote_addr' => $_SERVER['REMOTE_ADDR']
+          ':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR'])
         ));
         // redirect to sogo (sogo will get the correct credentials via nginx auth_request
         header("Location: /SOGo/so/${login}");