6 years ago · 5087d5ce96
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -256,6 +256,25 @@ function hasMailboxObjectAccess($username, $role, $object) {
 
				   }

			
 
				 	return false;

			
 
				 }

			
 
				+function hasAliasObjectAccess($username, $role, $object) {

			
 
				+	global $pdo;

			
 
				+	if (!filter_var(html_entity_decode(rawurldecode($username)), FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) {

			
 
				+		return false;

			
 
				+	}

			
 
				+	if ($role != 'admin' && $role != 'domainadmin' && $role != 'user') {

			
 
				+		return false;

			
 
				+	}

			
 
				+	if ($username == $object) {

			
 
				+		return true;

			
 
				+	}

			
 
				+  $stmt = $pdo->prepare("SELECT `domain` FROM `alias` WHERE `address` = :object");

			
 
				+  $stmt->execute(array(':object' => $object));

			
 
				+  $row = $stmt->fetch(PDO::FETCH_ASSOC);

			
 
				+  if (isset($row['domain']) && hasDomainAccess($username, $role, $row['domain'])) {

			
 
				+    return true;

			
 
				+  }

			
 
				+	return false;

			
 
				+}

			
 
				 function pem_to_der($pem_key) {

			
 
				   // Need to remove BEGIN/END PUBLIC KEY

			
 
				   $lines = explode("\n", trim($pem_key));

			
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -2119,9 +2119,9 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
 
				                     unset($sender_acl_domain_admin[$key]);

			
 
				                     continue;

			
 
				                   }

			
 
				-                  // Check if user has mailbox access (if object is email)

			
 
				+                  // Check if user has alias access (if object is email)

			
 
				                   if (filter_var($val, FILTER_VALIDATE_EMAIL)) {

			
 
				-                    if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $val)) {

			
 
				+                    if (!hasAliasObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $val)) {

			
 
				                       $_SESSION['return'][] = array(

			
 
				                         'type' => 'danger',

			
 
				                         'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),

			
@@ -2351,11 +2351,11 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
 
				           $stmt->execute(array(':logged_in_as' => $_data));

			
 
				           $address_rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

			
 
				           while ($address_row = array_shift($address_rows)) {

			
 
				-            if (filter_var($address_row['send_as'], FILTER_VALIDATE_EMAIL) && !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $address_row['send_as'])) {

			
 
				+            if (filter_var($address_row['send_as'], FILTER_VALIDATE_EMAIL) && !hasAliasObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $address_row['send_as'])) {

			
 
				               $data['sender_acl_addresses']['ro'][] = $address_row['send_as'];

			
 
				               continue;

			
 
				             }

			
 
				-            if (filter_var($address_row['send_as'], FILTER_VALIDATE_EMAIL) && hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $address_row['send_as'])) {

			
 
				+            if (filter_var($address_row['send_as'], FILTER_VALIDATE_EMAIL) && hasAliasObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $address_row['send_as'])) {

			
 
				               $data['sender_acl_addresses']['rw'][] = $address_row['send_as'];

			
 
				               continue;

			
 
				             }

			
@@ -2398,7 +2398,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
 
				           ));

			
 
				           $rows_mbox = $stmt->fetchAll(PDO::FETCH_ASSOC);

			
 
				           while ($row = array_shift($rows_mbox)) {

			
 
				-            if (filter_var($row['address'], FILTER_VALIDATE_EMAIL) && hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $row['address'])) {

			
 
				+            if (filter_var($row['address'], FILTER_VALIDATE_EMAIL) && hasAliasObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $row['address'])) {

			
 
				               $data['sender_acl_addresses']['selectable'][] = $row['address'];

			
 
				             }

			
 
				           }

			
--- a/data/web/mta_sts.php
+++ b/data/web/mta_sts.php
@@ -0,0 +1,18 @@
 
				+<?php

			
 
				+error_reporting(0);

			
 
				+header('Content-Type: text/plain');

			
 
				+

			
 
				+echo $_SERVER['HTTP_HOST'];

			
 
				+

			
 
				+foreach (dns_get_record('mailcow.email', DNS_MX) as $mx_r) {

			
 
				+  $mx_s[] = $mx_r['target'];

			
 
				+}

			
 
				+

			
 
				+!empty($mx_s) ?: exit();

			
 
				+

			
 
				+echo 'version: STSv1' . PHP_EOL;

			
 
				+echo 'mode: enforce' . PHP_EOL;

			
 
				+foreach ($mx_s as $mx_r) {

			
 
				+  printf('mx: %s' . PHP_EOL, $mx_r);

			
 
				+}

			
 
				+echo 'max_age: 86400' . PHP_EOL;