
Allow setting ACL_ANYONE in the configuration

Markus Heberling 6 năm trước cách đây
mục cha
commit
4755bb323b

+ 1 - 0
.gitignore

@@ -20,6 +20,7 @@ data/conf/rspamd/override.d/*
 data/conf/nginx/*.conf
 data/conf/nginx/*.custom
 data/conf/nginx/*.bak
+data/conf/dovecot/acl_anyone
 data/conf/dovecot/extra.conf
 data/conf/rspamd/custom/*
 data/conf/portainer/

+ 1 - 0
data/Dockerfiles/dovecot/docker-entrypoint.sh

@@ -85,6 +85,7 @@ map {
 }
 EOF
 
+echo -n ${ACL_ANYONE} > /usr/local/etc/dovecot/acl_anyone
 
 # Create userdb dict for Dovecot
 cat <<EOF > /usr/local/etc/dovecot/sql/dovecot-dict-sql-userdb.conf
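Review bot: The added `echo -n ${ACL_ANYONE} > /usr/local/etc/dovecot/acl_anyone` copies the environment value into Dovecot's config verbatim and unquoted, so an unset or odd value ends up in the file unchecked and word-splitting/globbing applies to it. The SOGo side of this commit only treats the exact string `allow` as enabled, so normalising here keeps both daemons in agreement and fails closed on anything else: `if [[ "${ACL_ANYONE}" == 'allow' ]]; then printf 'allow' > /usr/local/etc/dovecot/acl_anyone; else : > /usr/local/etc/dovecot/acl_anyone; fi`. A short comment such as `# read by dovecot.conf via acl_anyone = <file; only "allow" enables the anyone/authenticated ACL targets` would also tell a reader why this file exists.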

+ 11 - 3
data/Dockerfiles/sogo/bootstrap-sogo.sh

@@ -204,9 +204,17 @@ sed -i \
   /usr/lib/GNUstep/SOGo/WebServerResources/js/Common/Common.app.js \
   /usr/lib/GNUstep/SOGo/WebServerResources/js/Common.js
 
-# Patch ACLs (comment this out to enable any or authenticated targets for ACL)
-if patch -sfN --dry-run /usr/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox < /acl.diff > /dev/null; then
-  patch /usr/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox < /acl.diff;
+# Patch ACLs
+if [[ ${ACL_ANYONE} == 'allow' ]]; then
+  #enable any or authenticated targets for ACL
+  if patch -R -sfN --dry-run /usr/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox < /acl.diff > /dev/null; then
+    patch -R /usr/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox < /acl.diff;
+  fi
+else
+  #disable any or authenticated targets for ACL
+  if patch -sfN --dry-run /usr/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox < /acl.diff > /dev/null; then
+    patch /usr/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox < /acl.diff;
+  fi
 fi
 
 exec gosu sogo /usr/sbin/sogod
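Review bot: The new `# Patch ACLs` header drops the only explanation of what the patch does and how to toggle it, now that the "comment this out" instruction is gone, so a reader has to infer the switch from the `patch -R` branch. Suggest `# Patch ACLs: ACL_ANYONE=allow exposes the "any"/"authenticated" targets in the SOGo ACL editor (patch reversed); any other value hides them. Keep in sync with acl_anyone in dovecot.conf.` The `#enable …`/`#disable …` comments in the two branches have no space after `#`, unlike the other comments in the hunk. The exit status of the actual `patch` calls is still not checked before `exec gosu sogo …`, as in the original; if a failed patch should block startup, `|| exit 1` on those lines would do it.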

+ 1 - 1
data/conf/dovecot/dovecot.conf

@@ -275,7 +275,7 @@ protocol sieve {
 }
 plugin {
   # Allow "any" or "authenticated" to be used in ACLs
-  #acl_anyone = allow
+  acl_anyone = </usr/local/etc/dovecot/acl_anyone
   acl_shared_dict = file:/var/vmail/shared-mailboxes.db
   acl = vfile
   quota = dict:Userquota::proxy::sqlquota
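Review bot: `acl_anyone = </usr/local/etc/dovecot/acl_anyone` makes configuration loading depend on a file that docker-entrypoint.sh writes at container start; if that file is missing (entrypoint changed, config reused outside the container), Dovecot will most likely refuse to load the config, and the comment above the line does not mention this. Suggest extending the comment to `# Allow "any" or "authenticated" to be used in ACLs. Value is written by docker-entrypoint.sh from ACL_ANYONE; presumably only "allow" enables it, anything else (including an empty file) keeps it disabled — confirm against the Dovecot acl plugin.`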

+ 2 - 0
docker-compose.yml

@@ -147,6 +147,7 @@ services:
         - TZ=${TZ}
         - LOG_LINES=${LOG_LINES:-9999}
         - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
+        - ACL_ANYONE=${ACL_ANYONE:-disallow}
       volumes:
         - ./data/conf/sogo/:/etc/sogo/
         - ./data/web/inc/init_db.inc.php:/init_db.inc.php
@@ -183,6 +184,7 @@ services:
         - DBPASS=${DBPASS}
         - TZ=${TZ}
         - MAILDIR_GC_TIME=${MAILDIR_GC_TIME:-1440}
+        - ACL_ANYONE=${ACL_ANYONE:-disallow}
       ports:
         - "${DOVEADM_PORT:-127.0.0.1:19991}:12345"
         - "${IMAP_PORT:-143}:143"

+ 14 - 0
update.sh

@@ -121,6 +121,7 @@ CONFIG_ARRAY=(
   "API_KEY"
   "API_ALLOW_FROM"
   "MAILDIR_GC_TIME"
+  "ACL_ANYONE"
 )
 
 sed -i '$a\' mailcow.conf
@@ -202,6 +203,19 @@ for option in ${CONFIG_ARRAY[@]}; do
       echo '# Check interval is hourly' >> mailcow.conf
       echo 'MAILDIR_GC_TIME=1440' >> mailcow.conf
     fi
+  elif [[ ${option} == "ACL_ANYONE" ]]; then
+    if ! grep -q ${option} mailcow.conf; then
+      echo "Adding new option \"${option}\" to mailcow.conf"
+      echo '# Set this to allow to enable the anyone pseudo user. Disabled by default.
+' >> mailcow.conf
+      echo '# When enabled, ACL can be created, that apply to "All authenticated users"
+' >> mailcow.conf
+      echo '# This should probably only be activated on mail hosts, that are used exclusivly by one organisation.
+' >> mailcow.conf
+      echo '# Otherwise a user might share data with too many other users.
+' >> mailcow.conf
+      echo 'ACL_ANYONE=disallow' >> mailcow.conf
+    fi
   elif ! grep -q ${option} mailcow.conf; then
     echo "Adding new option \"${option}\" to mailcow.conf"
     echo "${option}=n" >> mailcow.conf
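Review bot: The five `echo '# … <newline>' >> mailcow.conf` lines in the new `ACL_ANYONE` branch each contain a literal newline inside the single quotes, so every comment is followed by an empty line in mailcow.conf, and the text has a typo ("exclusivly"). A single quoted here-doc writes the block exactly as intended, keeps the option name and default `ACL_ANYONE=disallow` unchanged, and is easier to edit; the fence below shows the replacement for those lines only. The `grep -q ${option} mailcow.conf` test is unquoted and matches the name anywhere in the file, but that follows the existing branches; the enclosing `for option in …` loop starts before this hunk.
```shell
    if ! grep -q ${option} mailcow.conf; then
      echo "Adding new option \"${option}\" to mailcow.conf"
      # … unchanged: the echo lines above are replaced by this here-doc …
      cat >> mailcow.conf <<'EOF'
# Set this to allow to enable the anyone pseudo user. Disabled by default.
# When enabled, ACL can be created, that apply to "All authenticated users"
# This should probably only be activated on mail hosts, that are used exclusively by one organisation.
# Otherwise a user might share data with too many other users.
ACL_ANYONE=disallow
EOF
```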