Home Explore Help
Sign In
mirrors
/
mailcow-dockerized
mirror of https://github.com/mailcow/mailcow-dockerized
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

Prevent user login if protocol access has been disabled

FreddleSpl0it 2 days ago
parent
2f75039194
commit
13f7f9830b
2 changed files with 20 additions and 4 deletions
Unified View Show Diff Stats
  1. 4 4
      data/conf/dovecot/auth/mailcowauth.php
  2. 16 0
      data/web/inc/functions.auth.inc.php

+ 4 - 4
data/conf/dovecot/auth/mailcowauth.php
View File 

@@ -86,7 +86,7 @@ if ($result === false){
 
     'remote_addr' => $post['real_rip']
 
     'remote_addr' => $post['real_rip']
 
   ));
 
   ));
 
   if ($result) {
 
   if ($result) {
 
-    error_log('MAILCOWAUTH: App auth for user ' . $post['username']);
 
+    error_log('MAILCOWAUTH: App auth for user ' . $post['username'] . " with service " . $post['service'] . " from IP " . $post['real_rip']);
 
     set_sasl_log($post['username'], $post['real_rip'], $post['service']);
 
     set_sasl_log($post['username'], $post['real_rip'], $post['service']);
 
   }
 
   }
 
 }
 
 }
 
@@ -94,9 +94,9 @@ if ($result === false){
 
   // Init Identity Provider
 
   // Init Identity Provider
 
   $iam_provider = identity_provider('init');
 
   $iam_provider = identity_provider('init');
 
   $iam_settings = identity_provider('get');
 
   $iam_settings = identity_provider('get');
 
-  $result = user_login($post['username'], $post['password'], array('is_internal' => true));
 
+  $result = user_login($post['username'], $post['password'], array('is_internal' => true, 'service' => $post['service']));
 
   if ($result) {
 
   if ($result) {
 
-    error_log('MAILCOWAUTH: User auth for user ' . $post['username']);
 
+    error_log('MAILCOWAUTH: User auth for user ' . $post['username'] . " with service " . $post['service'] . " from IP " . $post['real_rip']);
 
     set_sasl_log($post['username'], $post['real_rip'], $post['service']);
 
     set_sasl_log($post['username'], $post['real_rip'], $post['service']);
 
   }
 
   }
 
 }
 
 }
 
@@ -105,7 +105,7 @@ if ($result) {
 
   http_response_code(200); // OK
 
   http_response_code(200); // OK
 
   $return['success'] = true;
 
   $return['success'] = true;
 
 } else {
 
 } else {
 
-  error_log("MAILCOWAUTH: Login failed for user " . $post['username']);
 
+  error_log("MAILCOWAUTH: Login failed for user " . $post['username'] . " with service " . $post['service'] . " from IP " . $post['real_rip']);
 
   http_response_code(401); // Unauthorized
 
   http_response_code(401); // Unauthorized
 
 }
 
 }

+ 16 - 0
data/web/inc/functions.auth.inc.php
View File 

@@ -193,6 +193,7 @@ function user_login($user, $pass, $extra = null){
 
   global $iam_settings;
 
   global $iam_settings;
 
 
 
   $is_internal = $extra['is_internal'];
 
   $is_internal = $extra['is_internal'];
 
+  $service = $extra['service'];
 
 
 
   if (!filter_var($user, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
 
   if (!filter_var($user, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
 
     if (!$is_internal){
 
     if (!$is_internal){
 
@@ -235,6 +236,14 @@ function user_login($user, $pass, $extra = null){
 
       $row = $stmt->fetch(PDO::FETCH_ASSOC);
 
       $row = $stmt->fetch(PDO::FETCH_ASSOC);
 
 
 
       if (!empty($row)) {
 
       if (!empty($row)) {
 
+        // check if user has access to service (imap, smtp, pop3, sieve) if service is set
 
+        $row['attributes'] = json_decode($row['attributes'], true);
 
+        if (isset($service)) {
 
+          $key = strtolower($service) . "_access";
 
+          if (isset($row['attributes'][$key]) && $row['attributes'][$key] != '1') {
 
+            return false;
 
+          }
 
+        }
 
         return true;
 
         return true;
 
       }
 
       }
 
     }
 
     }
 
@@ -242,7 +251,14 @@ function user_login($user, $pass, $extra = null){
 
     return false;
 
     return false;
 
   }
 
   }
 
 
 
+  // check if user has access to service (imap, smtp, pop3, sieve) if service is set
 
   $row['attributes'] = json_decode($row['attributes'], true);
 
   $row['attributes'] = json_decode($row['attributes'], true);
 
+  if (isset($service)) {
 
+    $key = strtolower($service) . "_access";
 
+    if (isset($row['attributes'][$key]) && $row['attributes'][$key] != '1') {
 
+      return false;
 
+    }
 
+  }
 
   switch ($row['authsource']) {
 
   switch ($row['authsource']) {
 
     case 'keycloak':
 
     case 'keycloak':
 
       // user authsource is keycloak, try using via rest flow
 
       // user authsource is keycloak, try using via rest flow