
[Web] Add User ACL to manage SOGo access

FreddleSpl0it hai 1 mes
pai
achega
aaa23d2dc1
Modificáronse 41 ficheiros con 186 adicións e 132 borrados
  1. 1 1
      data/conf/phpfpm/crons/keycloak-sync.php
  2. 1 1
      data/conf/phpfpm/crons/ldap-sync.php
  3. 8 8
      data/web/api/openapi.yaml
  4. 8 3
      data/web/inc/functions.inc.php
  5. 28 23
      data/web/inc/functions.mailbox.inc.php
  6. 15 4
      data/web/inc/init_db.inc.php
  7. 4 2
      data/web/inc/triggers.user.inc.php
  8. 2 2
      data/web/inc/vars.inc.php
  9. 4 1
      data/web/index.php
  10. 9 6
      data/web/js/site/mailbox.js
  11. 3 3
      data/web/lang/lang.bg-bg.json
  12. 3 3
      data/web/lang/lang.cs-cz.json
  13. 1 1
      data/web/lang/lang.da-dk.json
  14. 5 3
      data/web/lang/lang.de-de.json
  15. 5 3
      data/web/lang/lang.en-gb.json
  16. 3 3
      data/web/lang/lang.es-es.json
  17. 1 1
      data/web/lang/lang.fi-fi.json
  18. 3 3
      data/web/lang/lang.fr-fr.json
  19. 3 3
      data/web/lang/lang.hu-hu.json
  20. 3 3
      data/web/lang/lang.it-it.json
  21. 3 3
      data/web/lang/lang.ja-jp.json
  22. 1 1
      data/web/lang/lang.ko-kr.json
  23. 1 1
      data/web/lang/lang.lt-lt.json
  24. 2 2
      data/web/lang/lang.lv-lv.json
  25. 1 1
      data/web/lang/lang.nb-no.json
  26. 1 1
      data/web/lang/lang.nl-nl.json
  27. 3 3
      data/web/lang/lang.pt-br.json
  28. 3 3
      data/web/lang/lang.ro-ro.json
  29. 3 3
      data/web/lang/lang.ru-ru.json
  30. 3 3
      data/web/lang/lang.si-si.json
  31. 3 3
      data/web/lang/lang.sk-sk.json
  32. 1 1
      data/web/lang/lang.sv-se.json
  33. 3 3
      data/web/lang/lang.tr-tr.json
  34. 3 3
      data/web/lang/lang.uk-ua.json
  35. 3 3
      data/web/lang/lang.zh-cn.json
  36. 3 3
      data/web/lang/lang.zh-tw.json
  37. 2 1
      data/web/sogo-auth.php
  38. 4 3
      data/web/templates/edit/mailbox-templates.twig
  39. 20 7
      data/web/templates/edit/mailbox.twig
  40. 8 6
      data/web/templates/modals/mailbox.twig
  41. 5 1
      data/web/templates/user/tab-user-auth.twig

+ 1 - 1
data/conf/phpfpm/crons/keycloak-sync.php

@@ -66,7 +66,7 @@ $_SESSION['acl']['tls_policy'] = "1";
 $_SESSION['acl']['quarantine_notification'] = "1";
 $_SESSION['acl']['quarantine_category'] = "1";
 $_SESSION['acl']['ratelimit'] = "1";
-$_SESSION['acl']['sogo_access'] = "1";
+$_SESSION['acl']['sogo_redirection'] = "1";
 $_SESSION['acl']['protocol_access'] = "1";
 $_SESSION['acl']['mailbox_relayhost'] = "1";
 $_SESSION['acl']['unlimited_quota'] = "1";

+ 1 - 1
data/conf/phpfpm/crons/ldap-sync.php

@@ -66,7 +66,7 @@ $_SESSION['acl']['tls_policy'] = "1";
 $_SESSION['acl']['quarantine_notification'] = "1";
 $_SESSION['acl']['quarantine_category'] = "1";
 $_SESSION['acl']['ratelimit'] = "1";
-$_SESSION['acl']['sogo_access'] = "1";
+$_SESSION['acl']['sogo_redirection'] = "1";
 $_SESSION['acl']['protocol_access'] = "1";
 $_SESSION['acl']['mailbox_relayhost'] = "1";
 $_SESSION['acl']['unlimited_quota'] = "1";

+ 8 - 8
data/web/api/openapi.yaml

@@ -754,7 +754,7 @@ paths:
                             - syncjobs
                             - quarantine
                             - login_as
-                            - sogo_access
+                            - sogo_redirection
                             - app_passwds
                             - bcc_maps
                             - pushover
@@ -807,7 +807,7 @@ paths:
                     - syncjobs
                     - quarantine
                     - login_as
-                    - sogo_access
+                    - sogo_redirection
                     - app_passwds
                     - bcc_maps
                     - pushover
@@ -3339,7 +3339,7 @@ paths:
                             - info@domain2.tld
                             - domain3.tld
                             - "*"
-                          sogo_access: "1"
+                          sogo_redirection: "1"
                           username:
                             - info@domain.tld
                           tags: ["tag3", "tag4"]
@@ -3390,7 +3390,7 @@ paths:
                     - info@domain2.tld
                     - domain3.tld
                     - "*"
-                  sogo_access: "1"
+                  sogo_redirection: "1"
                   tags: ["tag3", "tag4"]
                 items:
                   - info@domain.tld
@@ -3422,8 +3422,8 @@ paths:
                     sender_acl:
                       description: list of allowed send from addresses
                       type: object
-                    sogo_access:
-                      description: is access to SOGo webmail active or not
+                    sogo_redirection:
+                      description: is redirection to SOGo webmail active or not
                       type: boolean
                   type: object
                 items:
@@ -4799,7 +4799,7 @@ paths:
                         force_pw_update: "0"
                         mailbox_format: "maildir:"
                         quarantine_notification: never
-                        sogo_access: "1"
+                        sogo_redirection: "1"
                         tls_enforce_in: "0"
                         tls_enforce_out: "0"
                       domain: doman3.tld
@@ -5723,7 +5723,7 @@ paths:
                         force_pw_update: "0"
                         mailbox_format: "maildir:"
                         quarantine_notification: never
-                        sogo_access: "1"
+                        sogo_redirection: "1"
                         tls_enforce_in: "0"
                         tls_enforce_out: "0"
                       custom_attributes: {}

+ 8 - 3
data/web/inc/functions.inc.php

@@ -3371,9 +3371,14 @@ function set_user_loggedin_session($user) {
   session_regenerate_id(true);
   $_SESSION['mailcow_cc_username'] = $user;
   $_SESSION['mailcow_cc_role'] = 'user';
-  $sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass");
-  $_SESSION['sogo-sso-user-allowed'][] = $user;
-  $_SESSION['sogo-sso-pass'] = $sogo_sso_pass;
+
+  acl('to_session');
+  if (hasACLAccess("sogo_access")) {
+    $sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass");
+    $_SESSION['sogo-sso-user-allowed'][] = $user;
+    $_SESSION['sogo-sso-pass'] = $sogo_sso_pass;
+  }
+
   unset($_SESSION['pending_mailcow_cc_username']);
   unset($_SESSION['pending_mailcow_cc_role']);
   unset($_SESSION['pending_tfa_methods']);
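Review bot: When `hasACLAccess("sogo_access")` is false, the new branch in `set_user_loggedin_session` skips the SSO assignments but never clears them, so any `sogo-sso-user-allowed` entry or `sogo-sso-pass` already in the session would survive `session_regenerate_id(true)`. Whether stale values can exist depends on callers outside this hunk, but an `else` that fails closed is cheap, for example `$_SESSION['sogo-sso-user-allowed'] = array_diff($_SESSION['sogo-sso-user-allowed'] ?? [], [$user]);`. The `file_get_contents()` result is also stored unchecked, so an unreadable pass file puts `false` into `$_SESSION['sogo-sso-pass']`; a `=== false` check before the assignment would surface that. The ACL is evaluated once at login here, so a later revocation presumably takes effect only if the SOGo auth endpoint rechecks it, which is not visible in this hunk. The function starts and ends outside the hunk.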

+ 28 - 23
data/web/inc/functions.mailbox.inc.php

@@ -1073,7 +1073,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           $force_pw_update = (isset($_data['force_pw_update'])) ? intval($_data['force_pw_update']) : intval($MAILBOX_DEFAULT_ATTRIBUTES['force_pw_update']);
           $tls_enforce_in = (isset($_data['tls_enforce_in'])) ? intval($_data['tls_enforce_in']) : intval($MAILBOX_DEFAULT_ATTRIBUTES['tls_enforce_in']);
           $tls_enforce_out = (isset($_data['tls_enforce_out'])) ? intval($_data['tls_enforce_out']) : intval($MAILBOX_DEFAULT_ATTRIBUTES['tls_enforce_out']);
-          $sogo_access = (isset($_data['sogo_access'])) ? intval($_data['sogo_access']) : intval($MAILBOX_DEFAULT_ATTRIBUTES['sogo_access']);
+          $sogo_redirection = (isset($_data['sogo_redirection'])) ? intval($_data['sogo_redirection']) : intval($MAILBOX_DEFAULT_ATTRIBUTES['sogo_redirection']);
           $imap_access = (isset($_data['imap_access'])) ? intval($_data['imap_access']) : intval($MAILBOX_DEFAULT_ATTRIBUTES['imap_access']);
           $pop3_access = (isset($_data['pop3_access'])) ? intval($_data['pop3_access']) : intval($MAILBOX_DEFAULT_ATTRIBUTES['pop3_access']);
           $smtp_access = (isset($_data['smtp_access'])) ? intval($_data['smtp_access']) : intval($MAILBOX_DEFAULT_ATTRIBUTES['smtp_access']);
@@ -1091,7 +1091,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               'force_pw_update' => strval($force_pw_update),
               'tls_enforce_in' => strval($tls_enforce_in),
               'tls_enforce_out' => strval($tls_enforce_out),
-              'sogo_access' => strval($sogo_access),
+              'sogo_redirection' => strval($sogo_redirection),
               'imap_access' => strval($imap_access),
               'pop3_access' => strval($pop3_access),
               'smtp_access' => strval($smtp_access),
@@ -1280,6 +1280,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             $_data['syncjobs'] = (in_array('syncjobs', $_data['acl'])) ? 1 : 0;
             $_data['eas_reset'] = (in_array('eas_reset', $_data['acl'])) ? 1 : 0;
             $_data['sogo_profile_reset'] = (in_array('sogo_profile_reset', $_data['acl'])) ? 1 : 0;
+            $_data['sogo_access'] = (in_array('sogo_access', $_data['acl'])) ? 1 : 0;
             $_data['pushover'] = (in_array('pushover', $_data['acl'])) ? 1 : 0;
             $_data['quarantine'] = (in_array('quarantine', $_data['acl'])) ? 1 : 0;
             $_data['quarantine_attachments'] = (in_array('quarantine_attachments', $_data['acl'])) ? 1 : 0;
@@ -1296,6 +1297,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             $_data['syncjobs'] = intval($MAILBOX_DEFAULT_ATTRIBUTES['acl_syncjobs']);
             $_data['eas_reset'] = intval($MAILBOX_DEFAULT_ATTRIBUTES['acl_eas_reset']);
             $_data['sogo_profile_reset'] = intval($MAILBOX_DEFAULT_ATTRIBUTES['acl_sogo_profile_reset']);
+            $_data['sogo_access'] = intval($MAILBOX_DEFAULT_ATTRIBUTES['acl_sogo_access']);
             $_data['pushover'] = intval($MAILBOX_DEFAULT_ATTRIBUTES['acl_pushover']);
             $_data['quarantine'] = intval($MAILBOX_DEFAULT_ATTRIBUTES['acl_quarantine']);
             $_data['quarantine_attachments'] = intval($MAILBOX_DEFAULT_ATTRIBUTES['acl_quarantine_attachments']);
@@ -1704,7 +1706,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           $attr["rl_frame"]                    = (!empty($_data['rl_frame'])) ? $_data['rl_frame'] : "s";
           $attr["rl_value"]                    = (!empty($_data['rl_value'])) ? $_data['rl_value'] : "";
           $attr["force_pw_update"]             = isset($_data['force_pw_update']) ? intval($_data['force_pw_update']) : intval($MAILBOX_DEFAULT_ATTRIBUTES['force_pw_update']);
-          $attr["sogo_access"]                 = isset($_data['sogo_access']) ? intval($_data['sogo_access']) : intval($MAILBOX_DEFAULT_ATTRIBUTES['sogo_access']);
+          $attr["sogo_redirection"]            = isset($_data['sogo_redirection']) ? intval($_data['sogo_redirection']) : intval($MAILBOX_DEFAULT_ATTRIBUTES['sogo_redirection']);
           $attr["active"]                      = isset($_data['active']) ? intval($_data['active']) : 1;
           $attr["tls_enforce_in"]              = isset($_data['tls_enforce_in']) ? intval($_data['tls_enforce_in']) : intval($MAILBOX_DEFAULT_ATTRIBUTES['tls_enforce_in']);
           $attr["tls_enforce_out"]             = isset($_data['tls_enforce_out']) ? intval($_data['tls_enforce_out']) : intval($MAILBOX_DEFAULT_ATTRIBUTES['tls_enforce_out']);
@@ -1731,6 +1733,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             $attr['acl_syncjobs'] = (in_array('syncjobs', $_data['acl'])) ? 1 : 0;
             $attr['acl_eas_reset'] = (in_array('eas_reset', $_data['acl'])) ? 1 : 0;
             $attr['acl_sogo_profile_reset'] = (in_array('sogo_profile_reset', $_data['acl'])) ? 1 : 0;
+            $attr['acl_sogo_access'] = (in_array('sogo_access', $_data['acl'])) ? 1 : 0;
             $attr['acl_pushover'] = (in_array('pushover', $_data['acl'])) ? 1 : 0;
             $attr['acl_quarantine'] = (in_array('quarantine', $_data['acl'])) ? 1 : 0;
             $attr['acl_quarantine_attachments'] = (in_array('quarantine_attachments', $_data['acl'])) ? 1 : 0;
@@ -1748,6 +1751,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             $attr['acl_syncjobs'] = 0;
             $attr['acl_eas_reset'] = 0;
             $attr['acl_sogo_profile_reset'] = 0;
+            $attr['acl_sogo_access'] = 0;
             $attr['acl_pushover'] = 0;
             $attr['acl_quarantine'] = 0;
             $attr['acl_quarantine_attachments'] = 0;
@@ -3030,23 +3034,23 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               $_data['sieve_access'] = (in_array('sieve', $_data['protocol_access'])) ? 1 : 0;
             }
             if (!empty($is_now)) {
-              $active               = (isset($_data['active'])) ? intval($_data['active']) : $is_now['active'];
-              (int)$force_pw_update = (isset($_data['force_pw_update'])) ? intval($_data['force_pw_update']) : intval($is_now['attributes']['force_pw_update']);
-              (int)$sogo_access     = (isset($_data['sogo_access']) && hasACLAccess("sogo_access")) ? intval($_data['sogo_access']) : intval($is_now['attributes']['sogo_access']);
-              (int)$imap_access     = (isset($_data['imap_access']) && hasACLAccess("protocol_access")) ? intval($_data['imap_access']) : intval($is_now['attributes']['imap_access']);
-              (int)$pop3_access     = (isset($_data['pop3_access']) && hasACLAccess("protocol_access")) ? intval($_data['pop3_access']) : intval($is_now['attributes']['pop3_access']);
-              (int)$smtp_access     = (isset($_data['smtp_access']) && hasACLAccess("protocol_access")) ? intval($_data['smtp_access']) : intval($is_now['attributes']['smtp_access']);
-              (int)$sieve_access    = (isset($_data['sieve_access']) && hasACLAccess("protocol_access")) ? intval($_data['sieve_access']) : intval($is_now['attributes']['sieve_access']);
-              (int)$relayhost       = (isset($_data['relayhost']) && hasACLAccess("mailbox_relayhost")) ? intval($_data['relayhost']) : intval($is_now['attributes']['relayhost']);
-              (int)$quota_m         = (isset_has_content($_data['quota'])) ? intval($_data['quota']) : ($is_now['quota'] / 1048576);
-              $name                 = (!empty($_data['name'])) ? ltrim(rtrim($_data['name'], '>'), '<') : $is_now['name'];
-              $domain               = $is_now['domain'];
-              $quota_b              = $quota_m * 1048576;
-              $password             = (!empty($_data['password'])) ? $_data['password'] : null;
-              $password2            = (!empty($_data['password2'])) ? $_data['password2'] : null;
-              $tags                 = (is_array($_data['tags']) ? $_data['tags'] : array());
-              $attribute_hash       = (!empty($_data['attribute_hash'])) ? $_data['attribute_hash'] : '';
-              $authsource           = $is_now['authsource'];
+              $active                = (isset($_data['active'])) ? intval($_data['active']) : $is_now['active'];
+              (int)$force_pw_update  = (isset($_data['force_pw_update'])) ? intval($_data['force_pw_update']) : intval($is_now['attributes']['force_pw_update']);
+              (int)$sogo_redirection = (isset($_data['sogo_redirection'])) ? intval($_data['sogo_redirection']) : intval($is_now['attributes']['sogo_redirection']);
+              (int)$imap_access      = (isset($_data['imap_access']) && hasACLAccess("protocol_access")) ? intval($_data['imap_access']) : intval($is_now['attributes']['imap_access']);
+              (int)$pop3_access      = (isset($_data['pop3_access']) && hasACLAccess("protocol_access")) ? intval($_data['pop3_access']) : intval($is_now['attributes']['pop3_access']);
+              (int)$smtp_access      = (isset($_data['smtp_access']) && hasACLAccess("protocol_access")) ? intval($_data['smtp_access']) : intval($is_now['attributes']['smtp_access']);
+              (int)$sieve_access     = (isset($_data['sieve_access']) && hasACLAccess("protocol_access")) ? intval($_data['sieve_access']) : intval($is_now['attributes']['sieve_access']);
+              (int)$relayhost        = (isset($_data['relayhost']) && hasACLAccess("mailbox_relayhost")) ? intval($_data['relayhost']) : intval($is_now['attributes']['relayhost']);
+              (int)$quota_m          = (isset_has_content($_data['quota'])) ? intval($_data['quota']) : ($is_now['quota'] / 1048576);
+              $name                  = (!empty($_data['name'])) ? ltrim(rtrim($_data['name'], '>'), '<') : $is_now['name'];
+              $domain                = $is_now['domain'];
+              $quota_b               = $quota_m * 1048576;
+              $password              = (!empty($_data['password'])) ? $_data['password'] : null;
+              $password2             = (!empty($_data['password2'])) ? $_data['password2'] : null;
+              $tags                  = (is_array($_data['tags']) ? $_data['tags'] : array());
+              $attribute_hash        = (!empty($_data['attribute_hash'])) ? $_data['attribute_hash'] : '';
+              $authsource            = $is_now['authsource'];
               if ($_data['authsource'] == "mailcow" ||
                   in_array($_data['authsource'], array('keycloak', 'generic-oidc', 'ldap')) && $iam_settings['authsource'] == $_data['authsource']){
                 $authsource = $_data['authsource'];
@@ -3314,7 +3318,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
                   `quota` = :quota_b,
                   `authsource` = :authsource,
                   `attributes` = JSON_SET(`attributes`, '$.force_pw_update', :force_pw_update),
-                  `attributes` = JSON_SET(`attributes`, '$.sogo_access', :sogo_access),
+                  `attributes` = JSON_SET(`attributes`, '$.sogo_redirection', :sogo_redirection),
                   `attributes` = JSON_SET(`attributes`, '$.imap_access', :imap_access),
                   `attributes` = JSON_SET(`attributes`, '$.sieve_access', :sieve_access),
                   `attributes` = JSON_SET(`attributes`, '$.pop3_access', :pop3_access),
@@ -3329,7 +3333,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
                 ':quota_b' => $quota_b,
                 ':attribute_hash' => $attribute_hash,
                 ':force_pw_update' => $force_pw_update,
-                ':sogo_access' => $sogo_access,
+                ':sogo_redirection' => $sogo_redirection,
                 ':imap_access' => $imap_access,
                 ':pop3_access' => $pop3_access,
                 ':sieve_access' => $sieve_access,
@@ -3706,7 +3710,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             $attr["rl_frame"]                    = (!empty($_data['rl_frame'])) ? $_data['rl_frame'] : $is_now['rl_frame'];
             $attr["rl_value"]                    = (!empty($_data['rl_value'])) ? $_data['rl_value'] : $is_now['rl_value'];
             $attr["force_pw_update"]             = isset($_data['force_pw_update']) ? intval($_data['force_pw_update']) : $is_now['force_pw_update'];
-            $attr["sogo_access"]                 = isset($_data['sogo_access']) ? intval($_data['sogo_access']) : $is_now['sogo_access'];
+            $attr["sogo_redirection"]            = isset($_data['sogo_redirection']) ? intval($_data['sogo_redirection']) : $is_now['sogo_redirection'];
             $attr["active"]                      = isset($_data['active']) ? intval($_data['active']) : $is_now['active'];
             $attr["tls_enforce_in"]              = isset($_data['tls_enforce_in']) ? intval($_data['tls_enforce_in']) : $is_now['tls_enforce_in'];
             $attr["tls_enforce_out"]             = isset($_data['tls_enforce_out']) ? intval($_data['tls_enforce_out']) : $is_now['tls_enforce_out'];
@@ -3732,6 +3736,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               $attr['acl_syncjobs'] = (in_array('syncjobs', $_data['acl'])) ? 1 : 0;
               $attr['acl_eas_reset'] = (in_array('eas_reset', $_data['acl'])) ? 1 : 0;
               $attr['acl_sogo_profile_reset'] = (in_array('sogo_profile_reset', $_data['acl'])) ? 1 : 0;
+              $attr["acl_sogo_access"] = (in_array('sogo_access', $_data['acl'])) ? 1 : 0;
               $attr['acl_pushover'] = (in_array('pushover', $_data['acl'])) ? 1 : 0;
               $attr['acl_quarantine'] = (in_array('quarantine', $_data['acl'])) ? 1 : 0;
               $attr['acl_quarantine_attachments'] = (in_array('quarantine_attachments', $_data['acl'])) ? 1 : 0;
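Review bot: The rewritten `$sogo_redirection` assignment in the mailbox edit hunk (`@@ -3030,23 +3034,23 @@`) drops the `hasACLAccess(...)` clause that the old `$sogo_access` line carried, while the imap/pop3/smtp/sieve/relayhost lines beside it keep theirs. The commit still keeps a `sogo_redirection` entry in the OpenAPI ACL lists, the cron session ACLs and the second ACL schema in init_db.inc.php, so if that ACL is meant to decide who may toggle the attribute, the guard should stay: `(isset($_data['sogo_redirection']) && hasACLAccess("sogo_redirection")) ? intval($_data['sogo_redirection']) : intval($is_now['attributes']['sogo_redirection'])`. If the removal is deliberate, a one-line comment saying that redirection is intentionally not ACL-gated would save the next reader from treating it as an oversight. `mailbox()` starts and ends outside these hunks.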

+ 15 - 4
data/web/inc/init_db.inc.php

@@ -4,7 +4,7 @@ function init_db_schema()
   try {
     global $pdo;
 
-    $db_version = "07102025_1015";
+    $db_version = "16102025_1340";
 
     $stmt = $pdo->query("SHOW TABLES LIKE 'versions'");
     $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
@@ -504,6 +504,7 @@ function init_db_schema()
           "syncjobs" => "TINYINT(1) NOT NULL DEFAULT '0'",
           "eas_reset" => "TINYINT(1) NOT NULL DEFAULT '1'",
           "sogo_profile_reset" => "TINYINT(1) NOT NULL DEFAULT '0'",
+          "sogo_access" => "TINYINT(1) NOT NULL DEFAULT '1'",
           "pushover" => "TINYINT(1) NOT NULL DEFAULT '1'",
           // quarantine is for quarantine actions, todo: rename
           "quarantine" => "TINYINT(1) NOT NULL DEFAULT '1'",
@@ -702,7 +703,7 @@ function init_db_schema()
           "syncjobs" => "TINYINT(1) NOT NULL DEFAULT '1'",
           "quarantine" => "TINYINT(1) NOT NULL DEFAULT '1'",
           "login_as" => "TINYINT(1) NOT NULL DEFAULT '1'",
-          "sogo_access" => "TINYINT(1) NOT NULL DEFAULT '1'",
+          "sogo_redirection" => "TINYINT(1) NOT NULL DEFAULT '1'",
           "app_passwds" => "TINYINT(1) NOT NULL DEFAULT '1'",
           "bcc_maps" => "TINYINT(1) NOT NULL DEFAULT '1'",
           "pushover" => "TINYINT(1) NOT NULL DEFAULT '0'",
@@ -1389,7 +1390,8 @@ function init_db_schema()
     $pdo->query("UPDATE `mailbox` SET `attributes` =  JSON_SET(`attributes`, '$.relayhost', \"0\") WHERE JSON_VALUE(`attributes`, '$.relayhost') IS NULL;");
     $pdo->query("UPDATE `mailbox` SET `attributes` =  JSON_SET(`attributes`, '$.force_pw_update', \"0\") WHERE JSON_VALUE(`attributes`, '$.force_pw_update') IS NULL;");
     $pdo->query("UPDATE `mailbox` SET `attributes` =  JSON_SET(`attributes`, '$.sieve_access', \"1\") WHERE JSON_VALUE(`attributes`, '$.sieve_access') IS NULL;");
-    $pdo->query("UPDATE `mailbox` SET `attributes` =  JSON_SET(`attributes`, '$.sogo_access', \"1\") WHERE JSON_VALUE(`attributes`, '$.sogo_access') IS NULL;");
+    $pdo->query("UPDATE `mailbox` SET `attributes` =  JSON_SET(`attributes`, '$.sogo_redirection', JSON_VALUE(`attributes`, '$.sogo_access')) WHERE JSON_VALUE(`attributes`, '$.sogo_access') IS NOT NULL;");
+    $pdo->query("UPDATE `mailbox` SET `attributes` =  JSON_REMOVE(`attributes`, '$.sogo_access') WHERE JSON_VALUE(`attributes`, '$.sogo_access') IS NOT NULL;");
     $pdo->query("UPDATE `mailbox` SET `attributes` =  JSON_SET(`attributes`, '$.imap_access', \"1\") WHERE JSON_VALUE(`attributes`, '$.imap_access') IS NULL;");
     $pdo->query("UPDATE `mailbox` SET `attributes` =  JSON_SET(`attributes`, '$.pop3_access', \"1\") WHERE JSON_VALUE(`attributes`, '$.pop3_access') IS NULL;");
     $pdo->query("UPDATE `mailbox` SET `attributes` =  JSON_SET(`attributes`, '$.smtp_access', \"1\") WHERE JSON_VALUE(`attributes`, '$.smtp_access') IS NULL;");
@@ -1445,7 +1447,7 @@ function init_db_schema()
         "rl_frame" => "s",
         "rl_value" => "",
         "force_pw_update" => intval($GLOBALS['MAILBOX_DEFAULT_ATTRIBUTES']['force_pw_update']),
-        "sogo_access" => intval($GLOBALS['MAILBOX_DEFAULT_ATTRIBUTES']['sogo_access']),
+        "sogo_redirection" => intval($GLOBALS['MAILBOX_DEFAULT_ATTRIBUTES']['sogo_redirection']),
         "active" => 1,
         "tls_enforce_in" => intval($GLOBALS['MAILBOX_DEFAULT_ATTRIBUTES']['tls_enforce_in']),
         "tls_enforce_out" => intval($GLOBALS['MAILBOX_DEFAULT_ATTRIBUTES']['tls_enforce_out']),
@@ -1461,6 +1463,7 @@ function init_db_schema()
         "acl_syncjobs" => 0,
         "acl_eas_reset" => 1,
         "acl_sogo_profile_reset" => 0,
+        "acl_sogo_access" => 1,
         "acl_pushover" => 1,
         "acl_quarantine" => 1,
         "acl_quarantine_attachments" => 1,
@@ -1499,6 +1502,14 @@ function init_db_schema()
         ":attributes" => json_encode($default_mailbox_template["attributes"])
       ));
     }
+    $pdo->query("UPDATE `templates`
+      SET `attributes` = JSON_SET(`attributes`, '$.sogo_redirection', JSON_VALUE(`attributes`, '$.sogo_access'))
+      WHERE `type` = 'mailbox' AND JSON_VALUE(`attributes`, '$.sogo_access') IS NOT NULL;
+    ");
+    $pdo->query("UPDATE `templates`
+      SET `attributes` = JSON_REMOVE(`attributes`, '$.sogo_access')
+      WHERE `type` = 'mailbox' AND JSON_VALUE(`attributes`, '$.sogo_access') IS NOT NULL;
+    ");
 
     // remove old sogo views and triggers
     $pdo->query("DROP TRIGGER IF EXISTS sogo_update_password");
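Review bot: The mailbox migration in the `@@ -1389,7 +1390,8 @@` hunk replaces the old back-fill (set `sogo_access` to "1" where it is NULL) with a copy-and-remove, so a row that has neither key ends up with no `sogo_redirection` at all. The readers shown elsewhere in this commit wrap the attribute in `intval()`, which yields 0 for a missing key, so such mailboxes would silently stop being redirected. A back-fill after the two new statements, in the style of the neighbouring ones, would restore the old guarantee: `JSON_SET(attributes, '$.sogo_redirection', "1") WHERE JSON_VALUE(attributes, '$.sogo_redirection') IS NULL`, with the identifiers quoted as in the surrounding statements. Separately, the new `sogo_access` column in the `@@ -504,6 +504,7 @@` hunk defaults to '1', so every existing user keeps SOGo access after the upgrade; a short comment such as `// default 1: keep SOGo access for existing users on upgrade` would make that access-control default explicit. `init_db_schema()` starts and ends outside these hunks.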

+ 4 - 2
data/web/inc/triggers.user.inc.php

@@ -76,8 +76,9 @@ if (isset($_POST["verify_tfa_login"])) {
 
         $user_details = mailbox("get", "mailbox_details", $_SESSION['mailcow_cc_username']);
         $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
-        if (intval($user_details['attributes']['sogo_access']) == 1 &&
+        if (intval($user_details['attributes']['sogo_redirection']) == 1 &&
             intval($user_details['attributes']['force_pw_update']) != 1 &&
+            hasACLAccess('sogo_access') &&
             getenv('SKIP_SOGO') != "y" &&
             !$is_dual) {
           header("Location: /SOGo/so/");
@@ -142,8 +143,9 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
 
     $user_details = mailbox("get", "mailbox_details", $login_user);
     $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
-    if (intval($user_details['attributes']['sogo_access']) == 1 &&
+    if (intval($user_details['attributes']['sogo_redirection']) == 1 &&
         intval($user_details['attributes']['force_pw_update']) != 1 &&
+        hasACLAccess('sogo_access') &&
         getenv('SKIP_SOGO') != "y" &&
         !$is_dual) {
       header("Location: /SOGo/so/");
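Review bot: The redirect condition, now with the added `hasACLAccess('sogo_access')` clause, is written out twice in this file and a third time in data/web/index.php, so the next change to it has three copies to keep in step. A small helper holding the clauses (for example one taking `$user_details` and `$is_dual` and returning a bool) would keep an ACL clause from being forgotten in one copy. This clause only decides where the browser is sent; actually denying SOGo depends on the SSO session keys and the SOGo auth endpoint, neither of which is visible here, so a comment such as `// redirect only; SOGo access itself is enforced by the SSO session keys` would help if that is the intent. Both `if` blocks continue outside their hunks.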

+ 2 - 2
data/web/inc/vars.inc.php

@@ -190,8 +190,8 @@ $MAILBOX_DEFAULT_ATTRIBUTES['tls_enforce_out'] = false;
 // Force password change on next login (only allows login to mailcow UI)
 $MAILBOX_DEFAULT_ATTRIBUTES['force_pw_update'] = false;
 
-// Enable SOGo access - Users will be redirected to SOGo after login (set to false to disable redirect by default)
-$MAILBOX_DEFAULT_ATTRIBUTES['sogo_access'] = true;
+// Enable SOGo redirection - Users will be redirected to SOGo after login (set to false to disable redirect by default)
+$MAILBOX_DEFAULT_ATTRIBUTES['sogo_redirection'] = true;
 
 // How to handle tagged emails
 // none      - No special handling
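Review bot: This section only renames `sogo_access` to `sogo_redirection`, yet functions.mailbox.inc.php in the same commit reads `$MAILBOX_DEFAULT_ATTRIBUTES['acl_sogo_access']` when a mailbox is added without an explicit ACL list, and no default for that key is added here. The other `acl_*` defaults are not visible in this hunk either, so they may be supplied from the mailbox template instead; if they are not, `intval()` of the missing key gives 0 and such mailboxes start without SOGo access although the schema default is '1'. If the defaults do live in this file, add `$MAILBOX_DEFAULT_ATTRIBUTES['acl_sogo_access'] = true;` with a comment stating that it is the user's permission to use SOGo, distinct from the redirect setting above it.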

+ 4 - 1
data/web/index.php

@@ -11,7 +11,10 @@ if (isset($_SESSION['mailcow_cc_role']) && isset($_SESSION['oauth2_request'])) {
 elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'user') {
   $user_details = mailbox("get", "mailbox_details", $_SESSION['mailcow_cc_username']);
   $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
-  if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual && getenv('SKIP_SOGO') != "y") {
+  if (intval($user_details['attributes']['sogo_redirection']) == 1 &&
+      hasACLAccess('sogo_access') &&
+      !$is_dual &&
+      getenv('SKIP_SOGO') != "y") {
     header("Location: /SOGo/so/");
   } else {
     header("Location: /user");

+ 9 - 6
data/web/js/site/mailbox.js

@@ -379,6 +379,9 @@ $(document).ready(function() {
     if (template.acl_sogo_profile_reset == 1){
       acl.push("sogo_profile_reset");
     }
+    if (template.acl_sogo_access == 1){
+      acl.push("sogo_access");
+    }
     if (template.acl_pushover == 1){
       acl.push("pushover");
     }
@@ -418,10 +421,10 @@ $(document).ready(function() {
     } else {
       $('#force_pw_update').prop('checked', false);
     }
-    if (template.sogo_access == 1){
-      $('#sogo_access').prop('checked', true);
+    if (template.sogo_redirection == 1){
+      $('#sogo_redirection').prop('checked', true);
     } else {
-      $('#sogo_access').prop('checked', false);
+      $('#sogo_redirection').prop('checked', false);
     }
 
     // load tags
@@ -1209,7 +1212,7 @@ jQuery(function($){
             item.attributes.imap_access = '<i class="text-' + (item.attributes.imap_access == 1 ? 'success' : 'danger') + ' bi bi-' + (item.attributes.imap_access == 1 ? 'check-lg' : 'x-lg') + '"><span class="sorting-value">' + (item.attributes.imap_access == 1 ? '1' : '0') + '</span></i>';
             item.attributes.smtp_access = '<i class="text-' + (item.attributes.smtp_access == 1 ? 'success' : 'danger') + ' bi bi-' + (item.attributes.smtp_access == 1 ? 'check-lg' : 'x-lg') + '"><span class="sorting-value">' + (item.attributes.smtp_access == 1 ? '1' : '0') + '</span></i>';
             item.attributes.sieve_access = '<i class="text-' + (item.attributes.sieve_access == 1 ? 'success' : 'danger') + ' bi bi-' + (item.attributes.sieve_access == 1 ? 'check-lg' : 'x-lg') + '"><span class="sorting-value">' + (item.attributes.sieve_access == 1 ? '1' : '0') + '</span></i>';
-            item.attributes.sogo_access = '<i class="text-' + (item.attributes.sogo_access == 1 ? 'success' : 'danger') + ' bi bi-' + (item.attributes.sogo_access == 1 ? 'check-lg' : 'x-lg') + '"><span class="sorting-value">' + (item.attributes.sogo_access == 1 ? '1' : '0') + '</span></i>';
+            item.attributes.sogo_redirection = '<i class="text-' + (item.attributes.sogo_redirection == 1 ? 'success' : 'danger') + ' bi bi-' + (item.attributes.sogo_redirection == 1 ? 'check-lg' : 'x-lg') + '"><span class="sorting-value">' + (item.attributes.sogo_redirection == 1 ? '1' : '0') + '</span></i>';
             if (item.attributes.quarantine_notification === 'never') {
               item.attributes.quarantine_notification = lang.never;
             } else if (item.attributes.quarantine_notification === 'hourly') {
@@ -1318,8 +1321,8 @@ jQuery(function($){
           defaultContent: '',
         },
         {
-          title: 'SOGO',
-          data: 'attributes.sogo_access',
+          title: 'SOGO redirection',
+          data: 'attributes.sogo_redirection',
           defaultContent: '',
         },
         {

+ 3 - 3
data/web/lang/lang.bg-bg.json

@@ -22,7 +22,7 @@
         "ratelimit": "Ограничение на скоростта",
         "recipient_maps": "Карти на получатели",
         "smtp_ip_access": "Промяна на разрешените хостове за SMTP",
-        "sogo_access": "Разрешаване на управление на достъпа до SOGo",
+        "sogo_redirection": "Разрешаване на управление на достъпа до SOGo",
         "sogo_profile_reset": "Нулиране на профила на SOGo",
         "spam_alias": "Временни псевдоними",
         "spam_policy": "Черен/Бял списък",
@@ -736,8 +736,8 @@
         "sieve_desc": "Кратко описание",
         "sieve_type": "Тип на филтър",
         "skipcrossduplicates": "Пропускане на дублирани съобщения между папки (първи дошъл, първи обслужен)",
-        "sogo_access": "Директно препращане към SOGo",
-        "sogo_access_info": "След влизане, потребителят се пренасочва автоматично към SOGo.",
+        "sogo_redirection": "Директно препращане към SOGo",
+        "sogo_redirection_info": "След влизане, потребителят се пренасочва автоматично към SOGo.",
         "sogo_visible": "Псевдонимът е видим в SOGo",
         "sogo_visible_info": "Тази опция засяга само обекти, които могат да бъдат показани в SOGo (споделени или несподелени адреси на псевдоними, сочещи поне една локална пощенска кутия). Ако е скрит, псевдонимът няма да се появи като избираем адрес на изпращач в SOGo.",
         "spam_alias": "Създаване или промяна на временни псевдоними",

+ 3 - 3
data/web/lang/lang.cs-cz.json

@@ -21,7 +21,7 @@
         "ratelimit": "Omezení provozu",
         "recipient_maps": "Mapy příjemců",
         "smtp_ip_access": "Spravovat povolené hostitele pro SMTP",
-        "sogo_access": "Správa přístupu do SOGo",
+        "sogo_redirection": "Správa přístupu do SOGo",
         "sogo_profile_reset": "Resetování profilu SOGo",
         "spam_alias": "Dočasné aliasy",
         "spam_policy": "Denylist/Allowlist",
@@ -727,8 +727,8 @@
         "sieve_desc": "Krátký popis",
         "sieve_type": "Typ filtru",
         "skipcrossduplicates": "Přeskočit duplicitní zprávy (\"první přijde, první mele\")",
-        "sogo_access": "Přímé předání na SOGo",
-        "sogo_access_info": "Po přihlášení je uživatel automaticky přesměrován do služby SOGo.",
+        "sogo_redirection": "Přímé předání na SOGo",
+        "sogo_redirection_info": "Po přihlášení je uživatel automaticky přesměrován do služby SOGo.",
         "sogo_visible": "Alias dostupný v SOGo",
         "sogo_visible_info": "Tato volba určuje objekty, jež lze zobrazit v SOGo (sdílené nebo nesdílené aliasy, jež ukazuje alespoň na jednu schránku).",
         "spam_alias": "Vytvořit nebo změnit dočasné aliasy",

+ 1 - 1
data/web/lang/lang.da-dk.json

@@ -17,7 +17,7 @@
         "ratelimit": "Satsgrænse",
         "recipient_maps": "Modtagerkort",
         "smtp_ip_access": "Skift tilladte værter til SMTP",
-        "sogo_access": "Tillad styring af SOGo-adgang",
+        "sogo_redirection": "Tillad styring af SOGo-adgang",
         "sogo_profile_reset": "Nulstil SOGo-profil",
         "spam_alias": "Midlertidige aliasser",
         "spam_policy": "Sortliste/hvidliste",

+ 5 - 3
data/web/lang/lang.de-de.json

@@ -22,7 +22,8 @@
         "ratelimit": "Rate limit",
         "recipient_maps": "Empfängerumschreibungen",
         "smtp_ip_access": "Verwalten der erlaubten Hosts für SMTP",
-        "sogo_access": "Verwalten des SOGo-Zugriffsrechts erlauben",
+        "sogo_access": "Zugriff auf SOGo erlauben",
+        "sogo_redirection": "Leite den Benutzer nach dem Login zu SOGo weiter",
         "sogo_profile_reset": "SOGo-Profil zurücksetzen",
         "spam_alias": "Temporäre E-Mail-Aliasse",
         "spam_policy": "Deny/Allowlist",
@@ -763,8 +764,9 @@
         "sieve_desc": "Kurze Beschreibung",
         "sieve_type": "Filtertyp",
         "skipcrossduplicates": "Duplikate auch über Ordner hinweg überspringen (\"first come, first serve\")",
-        "sogo_access": "Direktes weiterleiten an SOGo",
-        "sogo_access_info": "Nach dem Einloggen wird der Benutzer automatisch an SOGo weitergeleitet.",
+        "sogo_access": "Erlaube Zugriff auf SOGo",
+        "sogo_redirection": "Direktes weiterleiten an SOGo",
+        "sogo_redirection_info": "Nach dem Einloggen wird der Benutzer automatisch an SOGo weitergeleitet.",
         "sogo_visible": "Alias in SOGo sichtbar",
         "sogo_visible_info": "Diese Option hat lediglich Einfluss auf Objekte, die in SOGo darstellbar sind (geteilte oder nicht-geteilte Alias-Adressen mit dem Ziel mindestens einer lokalen Mailbox).",
         "spam_alias": "Anpassen temporärer Alias-Adressen",

+ 5 - 3
data/web/lang/lang.en-gb.json

@@ -22,7 +22,8 @@
         "ratelimit": "Rate limit",
         "recipient_maps": "Recipient maps",
         "smtp_ip_access": "Change allowed hosts for SMTP",
-        "sogo_access": "Allow management of SOGo access",
+        "sogo_access": "Allow access to SOGo",
+        "sogo_redirection": "Redirect User to SOGo after login",
         "sogo_profile_reset": "Reset SOGo profile",
         "spam_alias": "Temporary aliases",
         "spam_policy": "Denylist/Allowlist",
@@ -764,8 +765,9 @@
         "sieve_desc": "Short description",
         "sieve_type": "Filter type",
         "skipcrossduplicates": "Skip duplicate messages across folders (first come, first serve)",
-        "sogo_access": "Direct forwarding to SOGo",
-        "sogo_access_info": "After logging in, the user is automatically redirected to SOGo.",
+        "sogo_access": "Allow SOGo access",
+        "sogo_redirection": "Direct forwarding to SOGo",
+        "sogo_redirection_info": "After logging in, the user is automatically redirected to SOGo.",
         "sogo_visible": "Alias is visible in SOGo",
         "sogo_visible_info": "This option only affects objects, that can be displayed in SOGo (shared or non-shared alias addresses pointing to at least one local mailbox). If hidden, an alias will not appear as selectable sender in SOGo.",
         "spam_alias": "Create or change time limited alias addresses",

+ 3 - 3
data/web/lang/lang.es-es.json

@@ -26,7 +26,7 @@
         "domain_relayhost": "Cambiar relayhost por un dominio",
         "extend_sender_acl": "Permitir extender la ACL del remitente por direcciones externas",
         "pw_reset": "Permitir el restablecimiento de la contraseña del usuario mailcow",
-        "sogo_access": "Permitir la gestión del acceso a SOGo",
+        "sogo_redirection": "Permitir la gestión del acceso a SOGo",
         "mailbox_relayhost": "Cambiar el host de reenvío para un buzón",
         "smtp_ip_access": "Cambiar hosts permitidos para SMTP"
     },
@@ -662,10 +662,10 @@
         "app_passwd_protocols": "Protocolos permitidos con contraseña de aplicación",
         "domain_footer_info": "Los pies de página de dominio se añaden a todos los mensajes salientes remitidos por una dirección de dicho dominio.<br> Están disponibles las siguientes variables para el pie de página:",
         "sender_acl_info": "Si el usuario del buzón A tiene permitido enviar como el buzón B, la dirección de remitente no se mostrará automáticamente como seleccionable en el campo \"De\" en SOGo.<br>\n  El usuario del buzón B necesitará crear una delegación en SOGo para permitir al usuario A seleccionar su dirección como remitente. Para delegar un buzón en SOGo, utilice el menú (tres puntos) a la derecha del nombre del buzón en la esquina superior izquierda, en la vista de correo. Este comportamiento no se aplica a direcciones alias.",
-        "sogo_access_info": "Tras iniciar sesión, el usuario será redirigido automáticamente a SOGo.",
+        "sogo_redirection_info": "Tras iniciar sesión, el usuario será redirigido automáticamente a SOGo.",
         "comment_info": "Un comentario privado no es visible para el usuario, mientras que un comentario público se muestra como descripción emergente al pasar el ratón en la vista general del usuario",
         "quota_warning_bcc_info": "Los avisos se enviarán como copias separadas a los siguientes destinatarios. Se indicará en el asunto el usuario afectado entre paréntesis, como por ejemplo: <code>Aviso de cuota (usuario@ejemplo.com)</code>.",
-        "sogo_access": "Redirección directa a SOGo",
+        "sogo_redirection": "Redirección directa a SOGo",
         "sogo_visible_info": "Esta opción solamente afecta a objetos que puedan ser visualizados en SOGo (alias compartidos o no compartidos que apunten al menos a un buzón interno). Si se oculta, el alias no aparecerá como seleccionable en SOGo.",
         "extended_sender_acl_info": "Se aconseja importar una clave de dominio DKIM, si está disponible.<br>\n  Recuerde añadir este servidor al registro SPF correspondiente.<br>\n  Siempre que se añada un dominio o alias a este servidor, que se superponga con una dirección externa, se eliminará la dirección externa.<br>\n  Utilice @dominio.tld para permitir enviar como *@dominio.tld.",
         "pushover_info": "La configuración de notificaciones push se aplicará a todos los mensajes limpios (no spam) entregados a <b>%s</b> incluyendo alias (compartidos, no compartidos, etiquetados).",

+ 1 - 1
data/web/lang/lang.fi-fi.json

@@ -13,7 +13,7 @@
         "quarantine_notification": "Muuta karanteeni-ilmoituksia",
         "ratelimit": "Määrä raja",
         "recipient_maps": "Vastaanottajakartat",
-        "sogo_access": "Salli SOGo-pääsyn hallintaan",
+        "sogo_redirection": "Salli SOGo-pääsyn hallintaan",
         "sogo_profile_reset": "Nollaa SOGo-profiili",
         "spam_alias": "Väliaikaiset aliakset",
         "spam_policy": "Musta lista / sallitut lista",

+ 3 - 3
data/web/lang/lang.fr-fr.json

@@ -18,7 +18,7 @@
         "ratelimit": "Limite d'envoi",
         "recipient_maps": "Cartes destinataire",
         "smtp_ip_access": "Changer les hôtes autorisés pour SMTP",
-        "sogo_access": "Autoriser la gestion des accès à SOGo",
+        "sogo_redirection": "Autoriser la gestion des accès à SOGo",
         "sogo_profile_reset": "Réinitialiser le profil SOGo",
         "spam_alias": "Alias temporaires",
         "spam_policy": "Liste Noire/Liste Blanche",
@@ -724,7 +724,7 @@
         "none_inherit": "Aucun / Héritage",
         "quota_warning_bcc": "Avertissement sur les quotas BCC",
         "quota_warning_bcc_info": "Les avertissements seront envoyés en copies séparées aux destinataires suivants. Le sujet sera précédé du nom d'utilisateur correspondant entre parenthèses, par exemple : <code>Avertissement sur les quotas (user@example.com)</code>.",
-        "sogo_access_info": "Après s'être connecté, l'utilisateur est automatiquement redirigé vers SOGo.",
+        "sogo_redirection_info": "Après s'être connecté, l'utilisateur est automatiquement redirigé vers SOGo.",
         "admin": "Modifier l'administrateur",
         "password_recovery_email": "Adresse email de récupération",
         "mailbox_rename_title": "Nouveau nom de la partie locale de la boîte de réception",
@@ -732,7 +732,7 @@
         "mailbox_rename_agree": "J'ai fait une sauvegarde.",
         "mailbox_rename_warning": "IMPORTANT ! Faites une sauvegarde avant de renommer la boîte de réception.",
         "mailbox_rename_alias": "Créer un alias automatiquement",
-        "sogo_access": "Redirection directe vers SOGo",
+        "sogo_redirection": "Redirection directe vers SOGo",
         "pushover": "Pushover",
         "pushover_sound": "Son"
     },

+ 3 - 3
data/web/lang/lang.hu-hu.json

@@ -415,8 +415,8 @@
         "sieve_desc": "Rövid leírás",
         "sieve_type": "Szűrő típusa",
         "skipcrossduplicates": "Átugrani a duplikált üzeneteket a mappák között (aki előbb jön, előbb kapja)",
-        "sogo_access": "Közvetlen továbbítás a SOGo-ra",
-        "sogo_access_info": "A bejelentkezés után a felhasználó automatikusan átirányításra kerül a SOGo-ra.",
+        "sogo_redirection": "Közvetlen továbbítás a SOGo-ra",
+        "sogo_redirection_info": "A bejelentkezés után a felhasználó automatikusan átirányításra kerül a SOGo-ra.",
         "sogo_visible": "Alias látható a SOGo-ban",
         "sogo_visible_info": "Ez az opció csak azokra az objektumokra vonatkozik, amelyek megjeleníthetők a SOGo-ban (megosztott vagy nem megosztott alias címek, amelyek legalább egy helyi postafiókra mutatnak). Ha el van rejtve, egy alias nem jelenik meg választható feladóként a SOGo-ban.",
         "spam_alias": "Időkorlátos alias címek létrehozása vagy módosítása",
@@ -1048,7 +1048,7 @@
         "syncjobs": "Szinkronizálási feladatok",
         "tls_policy": "TLS szabályzat",
         "unlimited_quota": "Korlátlan kvóta a postafiókok számára",
-        "sogo_access": "A SOGo-hozzáférés kezelésének lehetővé tétele",
+        "sogo_redirection": "A SOGo-hozzáférés kezelésének lehetővé tétele",
         "pw_reset": "Lehetővé teszi a mailcow felhasználói jelszavak visszaállítását"
     },
     "diagnostics": {

+ 3 - 3
data/web/lang/lang.it-it.json

@@ -21,7 +21,7 @@
         "ratelimit": "Limite di invio",
         "recipient_maps": "Mappe dei destinatari",
         "smtp_ip_access": "Modifica gli host consentiti per SMTP",
-        "sogo_access": "Consenti la gestione dell'accesso SOGo",
+        "sogo_redirection": "Consenti la gestione dell'accesso SOGo",
         "sogo_profile_reset": "Ripristina profilo SOGo",
         "spam_alias": "Alias temporanei",
         "spam_policy": "Blacklist/Whitelist",
@@ -671,8 +671,8 @@
         "validate_save": "Convalida e salva",
         "pushover": "Pushover",
         "none_inherit": "Nessuno / Eredita",
-        "sogo_access": "Inoltro diretto a SOGo",
-        "sogo_access_info": "Dopo aver effettuato il login, l'utente viene automaticamente reindirizzato a SOGo.",
+        "sogo_redirection": "Inoltro diretto a SOGo",
+        "sogo_redirection_info": "Dopo aver effettuato il login, l'utente viene automaticamente reindirizzato a SOGo.",
         "acl": "ACL (autorizzazione)",
         "app_passwd_protocols": "Protocolli consentiti per la password dell'app",
         "last_modified": "Ultima modifica",

+ 3 - 3
data/web/lang/lang.ja-jp.json

@@ -22,7 +22,7 @@
         "ratelimit": "レート制限",
         "recipient_maps": "受信者マップ",
         "smtp_ip_access": "SMTPで許可されるホストの変更",
-        "sogo_access": "SOGoアクセス管理を許可",
+        "sogo_redirection": "SOGoアクセス管理を許可",
         "sogo_profile_reset": "SOGoプロファイルをリセット",
         "spam_alias": "一時的なエイリアス",
         "spam_policy": "ブラックリスト/ホワイトリスト",
@@ -691,8 +691,8 @@
         "sieve_desc": "簡単な説明",
         "sieve_type": "フィルタータイプ",
         "skipcrossduplicates": "フォルダー間で重複するメッセージをスキップ(先着順)",
-        "sogo_access": "SOGoへの直接ログインアクセスを許可",
-        "sogo_access_info": "メールUI内からのシングルサインオンは引き続き動作します。この設定は他のすべてのサービスへのアクセスには影響しません。また、ユーザーの既存のSOGoプロファイルを削除または変更するものでもありません。",
+        "sogo_redirection": "SOGoへの直接ログインアクセスを許可",
+        "sogo_redirection_info": "メールUI内からのシングルサインオンは引き続き動作します。この設定は他のすべてのサービスへのアクセスには影響しません。また、ユーザーの既存のSOGoプロファイルを削除または変更するものでもありません。",
         "sogo_visible": "SOGoにエイリアスが表示される",
         "sogo_visible_info": "このオプションは、SOGoで表示可能なオブジェクト(ローカルメールボックスを指す共有または非共有のエイリアスアドレス)にのみ影響します。非表示にすると、SOGoで選択可能な送信者としてエイリアスは表示されません。",
         "spam_alias": "時間制限付きエイリアスアドレスを作成または変更",

+ 1 - 1
data/web/lang/lang.ko-kr.json

@@ -17,7 +17,7 @@
         "ratelimit": "요청 제한",
         "recipient_maps": "수신자 맵",
         "smtp_ip_access": "SMTP에 허용된 호스트 변경",
-        "sogo_access": "SOGo 접근 관리 허용",
+        "sogo_redirection": "SOGo 접근 관리 허용",
         "sogo_profile_reset": "SOGo 프로필 초기화",
         "spam_alias": "일임시 별칭",
         "spam_policy": "블랙리스트/화이트리스트",

+ 1 - 1
data/web/lang/lang.lt-lt.json

@@ -13,7 +13,7 @@
         "ratelimit": "Prieigos limitas",
         "recipient_maps": "Gavėjų sąsajos",
         "smtp_ip_access": "Pakeisti prieinamuosius SMTP serverius",
-        "sogo_access": "Leisti SOGo prieigos valdymą",
+        "sogo_redirection": "Leisti SOGo prieigos valdymą",
         "spam_policy": "Juodasis/Baltasis sąrašas",
         "spam_score": "Šlamsto balas",
         "tls_policy": "TLS politika",

+ 2 - 2
data/web/lang/lang.lv-lv.json

@@ -24,7 +24,7 @@
         "quarantine_category": "Mainīt karantīnas paziņojumu kategoriju",
         "quarantine_notification": "Mainīt karantīnas paziņojumus",
         "smtp_ip_access": "Mainīt SMTP atļautos saimniekdatorus",
-        "sogo_access": "Atļaut SOGo piekļuves pārvaldību",
+        "sogo_redirection": "Atļaut SOGo piekļuves pārvaldību",
         "sogo_profile_reset": "Atiestatīt SOGo profilu"
     },
     "add": {
@@ -319,7 +319,7 @@
         "sogo_visible": "Aizstājvārds ir redzams SOGo",
         "sogo_visible_info": "Šī iespēja ietekmē tikai tos objektus, kurus var parādīt SOGo (koplietojamās vai nekoplietojamās aizstājadreses, kas norāda uz vismaz vienu vietējo pastkasti). Ja paslēpts, netiks parādīts SOGo kā atlasāms sūtītājs.",
         "mbox_rl_info": "Šis pieprasījumu ierobežojums tiek piemērots SASL pieteikšanās vārdam, tas atbilst jebkurai \"from\" adresei, ko izmanto lietotājs, kurš ir pieteicies. Pastkastes pieprasījumu ierobežojums pārraksta domēna mēroga pieprasījumu ierobežojumu.",
-        "sogo_access": "Tieša pārvirzīšana uz SOGo",
+        "sogo_redirection": "Tieša pārvirzīšana uz SOGo",
         "disable_login": "Neļaut pieteikšanos (ienākošais pasts joprojām tiks pieņemts)",
         "app_passwd_protocols": "Atļautie lietotnes paroles protokoli",
         "allowed_protocols": "Atļautie protokoli tiešai lietotāja piekļuvei (neietekmē lietotnes paroles protokolus)",

+ 1 - 1
data/web/lang/lang.nb-no.json

@@ -168,7 +168,7 @@
         "spam_alias": "Midlertidige alias",
         "spam_policy": "Svarteliste/Hvitliste",
         "unlimited_quota": "Ubegrenset kvote for postkasser",
-        "sogo_access": "Tillat administrasjon av SOGo-tilgang",
+        "sogo_redirection": "Tillat administrasjon av SOGo-tilgang",
         "syncjobs": "Synkroniser jobber",
         "spam_score": "Spam-resultat",
         "recipient_maps": "Mottakerkart",

+ 1 - 1
data/web/lang/lang.nl-nl.json

@@ -18,7 +18,7 @@
         "ratelimit": "Ratelimit",
         "recipient_maps": "Ontvanger-maps",
         "smtp_ip_access": "Wijzig toegestane hosts voor SMTP",
-        "sogo_access": "Sta beheer van SOGo-toegang toe",
+        "sogo_redirection": "Sta beheer van SOGo-toegang toe",
         "sogo_profile_reset": "Verwijder SOGo-profiel",
         "spam_alias": "Tijdelijke aliassen",
         "spam_policy": "Blacklist/Whitelist",

+ 3 - 3
data/web/lang/lang.pt-br.json

@@ -22,7 +22,7 @@
         "ratelimit": "Limite de taxa",
         "recipient_maps": "Mapas de destinatários",
         "smtp_ip_access": "Alterar hosts permitidos para SMTP",
-        "sogo_access": "Permitir o gerenciamento do acesso ao SoGo",
+        "sogo_redirection": "Permitir o gerenciamento do acesso ao SoGo",
         "sogo_profile_reset": "Redefinir perfil SoGo",
         "spam_alias": "Aliases temporários",
         "spam_policy": "Lista negra/lista branca",
@@ -746,8 +746,8 @@
         "sieve_desc": "Breve descrição",
         "sieve_type": "Tipo de filtro",
         "skipcrossduplicates": "Ignore mensagens duplicadas entre pastas (primeiro a chegar, primeiro a ser servido)",
-        "sogo_access": "Encaminhamento direto para o SOGoo",
-        "sogo_access_info": "Depois de fazer login, o usuário é automaticamente redirecionado para o SOGo.",
+        "sogo_redirection": "Encaminhamento direto para o SOGoo",
+        "sogo_redirection_info": "Depois de fazer login, o usuário é automaticamente redirecionado para o SOGo.",
         "sogo_visible": "O alias é visível no SoGo",
         "sogo_visible_info": "Essa opção afeta somente objetos, que podem ser exibidos no SoGo (endereços de alias compartilhados ou não compartilhados apontando para pelo menos uma mailbox local). Se estiver oculto, um alias não aparecerá como remetente selecionável no SoGo.",
         "spam_alias": "Crie ou altere endereços de alias com limite de tempo",

+ 3 - 3
data/web/lang/lang.ro-ro.json

@@ -21,7 +21,7 @@
         "ratelimit": "Rata limită",
         "recipient_maps": "Hărți recipient",
         "smtp_ip_access": "Schimbați gazdele permise pentru SMTP",
-        "sogo_access": "Permiteți gestionarea accesului SOGo",
+        "sogo_redirection": "Permiteți gestionarea accesului SOGo",
         "sogo_profile_reset": "Resetează profilul SOGo",
         "spam_alias": "Aliasuri temporare",
         "spam_policy": "Lista neagră/Lista albă",
@@ -604,8 +604,8 @@
         "sieve_desc": "Descriere scurtă",
         "sieve_type": "Tip filtru",
         "skipcrossduplicates": "Sari peste mesajele duplicate din toate folderele (primul venit, primul servit)",
-        "sogo_access": "Redirecționare directă către SOGo",
-        "sogo_access_info": "După logare, utilizatorul este redirecționat automat către SOGo.",
+        "sogo_redirection": "Redirecționare directă către SOGo",
+        "sogo_redirection_info": "După logare, utilizatorul este redirecționat automat către SOGo.",
         "sogo_visible": "Aliasul este vizibil în SOGo",
         "sogo_visible_info": "Această opțiune afectează doar obiecte, care pot fi afișate în SOGo (adrese alias partajate sau ne-partajate cu cel puțin o căsuță poștală locală). Dacă este ascuns, un alias nu va apărea ca expeditor selectabil în SOGo.",
         "spam_alias": "Crează sau modifică adrese alias limitate în funcție de timp",

+ 3 - 3
data/web/lang/lang.ru-ru.json

@@ -22,7 +22,7 @@
         "ratelimit": "Лимиты отправки",
         "recipient_maps": "Перезапись получателя",
         "smtp_ip_access": "Настройка разрешенных IP для SMTP",
-        "sogo_access": "Управление доступом к SOGo",
+        "sogo_redirection": "Управление доступом к SOGo",
         "sogo_profile_reset": "Сброс профиля SOGo",
         "spam_alias": "Временные псевдонимы",
         "spam_policy": "Черные и белый списки",
@@ -745,8 +745,8 @@
         "sieve_desc": "Краткое описание",
         "sieve_type": "Тип фильтра",
         "skipcrossduplicates": "Пропускать повторяющиеся сообщения в папках",
-        "sogo_access": "Прямая переадресация в SOGo",
-        "sogo_access_info": "После входа в систему пользователь автоматически перенаправляется в SOGo.",
+        "sogo_redirection": "Прямая переадресация в SOGo",
+        "sogo_redirection_info": "После входа в систему пользователь автоматически перенаправляется в SOGo.",
         "sogo_visible": "Отображать псевдоним в SOGo",
         "sogo_visible_info": "Влияет только на объекты, которые могут отображаться в SOGo (персональные или общие псевдонимы, указывающие как минимум на один локальный почтовый аккаунт). Учтите, что если функция отключена, у пользователей не будет возможности выбрать адрес псевдонима в качестве отправителя в SOGo.",
         "spam_alias": "Создать или изменить временные (спам) псевдонимы",

+ 3 - 3
data/web/lang/lang.si-si.json

@@ -17,7 +17,7 @@
         "ratelimit": "Omejitev pošiljanja",
         "recipient_maps": "Preslikave prejemnikov",
         "smtp_ip_access": "Spremeni dovoljene gostitelje za SMTP",
-        "sogo_access": "Dovoli upravljanje SOGo dostopa",
+        "sogo_redirection": "Dovoli upravljanje SOGo dostopa",
         "sogo_profile_reset": "Ponastavi SOGo profil",
         "spam_alias": "Začasni vzdevki",
         "spam_policy": "Seznam zavrnjenih/dovoljenih",
@@ -746,8 +746,8 @@
         "sender_acl_disabled": "<span class=\"badge fs-6 bg-danger\">Preverjanje pošiljatelja je onemogočeno</span>",
         "sieve_type": "Vrsta filtra",
         "skipcrossduplicates": "Preskoči podvojena sporočila med mapami (po principu \"kdor prej pride, prej melje\")",
-        "sogo_access": "Neposredno posredovanje na SOGo",
-        "sogo_access_info": "Po prijavi je uporabnik samodejno preusmerjen na SOGo.",
+        "sogo_redirection": "Neposredno posredovanje na SOGo",
+        "sogo_redirection_info": "Po prijavi je uporabnik samodejno preusmerjen na SOGo.",
         "sogo_visible": "Vzdevek je viden v SOGo",
         "sogo_visible_info": "Ta možnost vpliva samo na objekte, ki jih je mogoče prikazati v SOGo (naslovi vzdevkov v skupni rabi ali brez nje, ki kažejo na vsaj en lokalni poštni predal). Če je skrita, vzdevek ne bo prikazan kot izbirni pošiljatelj v SOGo.",
         "spam_alias": "Ustvarjanje ali spreminjanje časovno omejenih vzdevkovnih naslovov",

+ 3 - 3
data/web/lang/lang.sk-sk.json

@@ -21,7 +21,7 @@
         "ratelimit": "Obmedzenie prenosu",
         "recipient_maps": "Mapy príjemcu",
         "smtp_ip_access": "Spravovať povolených hostiteľov pre SMTP",
-        "sogo_access": "Povoliť spravovanie prístupu do SOGo",
+        "sogo_redirection": "Povoliť spravovanie prístupu do SOGo",
         "sogo_profile_reset": "Znovu nastaviť SOGo profil",
         "spam_alias": "Dočasné aliasy",
         "spam_policy": "Čierna listina/Biela listina",
@@ -622,8 +622,8 @@
         "sieve_desc": "Krátky popis",
         "sieve_type": "Typ filtru",
         "skipcrossduplicates": "Preskočiť duplikované správy naprieč priečinkami (akceptuje sa prvý nález)",
-        "sogo_access": "Priame presmerovanie na SOGo",
-        "sogo_access_info": "Po prihlásení je používateľ automaticky presmerovaný na službu SOGo.",
+        "sogo_redirection": "Priame presmerovanie na SOGo",
+        "sogo_redirection_info": "Po prihlásení je používateľ automaticky presmerovaný na službu SOGo.",
         "sogo_visible": "Alias je viditeľný v SOGo",
         "sogo_visible_info": "Táto voľba ovplyvňuje len objekty, ktoré dokážu byť zobrazené v SOGo (zdieľané alebo nezdieľané alias adresy ukazujúc na minimálne jednu lokálnu mailovú schránku). Ak je skrytý, alias nebude prezentovaný ako voliteľný odosielateľ v SOGo.",
         "spam_alias": "Vytvoriť alebo zmeniť časovo limitované alias adresy",

+ 1 - 1
data/web/lang/lang.sv-se.json

@@ -18,7 +18,7 @@
         "ratelimit": "Hastighetsgräns",
         "recipient_maps": "Kartor över mottagare",
         "smtp_ip_access": "Ändra tillåtna värdar för SMTP",
-        "sogo_access": "Tillåt hantering av SOGo-åtkomst",
+        "sogo_redirection": "Tillåt hantering av SOGo-åtkomst",
         "sogo_profile_reset": "Återställ SOGo-profil",
         "spam_alias": "Tillfälliga e-postalias",
         "spam_policy": "Svartlista/Vitlista",

+ 3 - 3
data/web/lang/lang.tr-tr.json

@@ -21,7 +21,7 @@
         "ratelimit": "Rate limit",
         "recipient_maps": "Alıcı haritaları",
         "smtp_ip_access": "SMTP için izin verilen host değerlerini değiştirme",
-        "sogo_access": "SOGo erişiminin yönetilmesine izin verin",
+        "sogo_redirection": "SOGo erişiminin yönetilmesine izin verin",
         "sogo_profile_reset": "SOGo profilini sıfırla",
         "spam_alias": "Geçici alias değerleri",
         "spam_policy": "Kara Liste/Beyaz Liste",
@@ -409,7 +409,7 @@
         "footer_exclude": "Footerdan hariç tut",
         "last_modified": "Son değişiklik",
         "lookup_mx": "Hedef, MX adıyla eşleşecek normal bir ifadedir (google.com ile biten bir MX'e hedeflenen tüm postaları bu atlama üzerinden yönlendirmek için <code>.*google\\\\.com</code>)",
-        "sogo_access_info": "Posta kullanıcı arayüzünden tek oturum açma çalışmaya devam eder. Bu ayar, diğer tüm hizmetlere erişimi etkilemez veya bir kullanıcının mevcut SOGo profilini silmez veya değiştirmez.",
+        "sogo_redirection_info": "Posta kullanıcı arayüzünden tek oturum açma çalışmaya devam eder. Bu ayar, diğer tüm hizmetlere erişimi etkilemez veya bir kullanıcının mevcut SOGo profilini silmez veya değiştirmez.",
         "comment_info": "Gizli bir yorum kullanıcı tarafından görülmezken, genel bir yorum, kullanıcının genel bakışında üzerine gelindiğinde araç ipucu olarak gösterilir.",
         "sender_acl_info": "Posta kutusu A kullanıcısının posta kutusu kullanıcısı B olarak göndermesine izin veriliyorsa, gönderen adresi SOGo'da seçilebilir \\\"gönderen\\\" alanı olarak otomatik olarak görüntülenmez.<br>\\r\\n Posta kutusu B kullanıcısının izin vermesi için SOGo'da bir yetkilendirme oluşturması gerekir. posta kutusu kullanıcısı A, adresini gönderen olarak seçmek için. SOGo'da bir posta kutusuna yetki vermek için, posta görünümündeyken sol üstteki posta kutusu adınızın sağındaki menüyü (üç nokta) kullanın. Bu davranış, diğer ad adresleri için geçerli değildir.",
         "sogo_visible_info": "Bu seçenek yalnızca SOGo'da görüntülenebilen nesneleri etkiler (en az bir yerel posta kutusuna işaret eden paylaşılan veya paylaşılmayan diğer ad adresleri). Gizliyse, bir takma ad SOGo'da seçilebilir gönderici olarak görünmez.",
@@ -518,7 +518,7 @@
         "relay_all_info": "↪ Tüm alıcıları geçirmek için <b>değil</b> seçerseniz, aktarılması gereken her alıcı için bir (\\\"kör\\\") posta kutusu eklemeniz gerekir.",
         "relay_domain": "Bu etki alanını aktar",
         "relay_transport_info": "<div class=\\\"label label-info\\\">Bilgi</div> Bu etki alanı için özel bir hedef için taşıma haritaları tanımlayabilirsiniz. Ayarlanmazsa, bir MX araması yapılır.",
-        "sogo_access": "SOGo'ya doğrudan giriş erişimi verin",
+        "sogo_redirection": "SOGo'ya doğrudan giriş erişimi verin",
         "spam_alias": "Zaman sınırlı takma ad adresleri oluşturun veya değiştirin",
         "spam_filter": "Spam filtresi",
         "disable_login": "Oturum açmaya izin verme (gelen posta hala kabul edilir)",

+ 3 - 3
data/web/lang/lang.uk-ua.json

@@ -6,7 +6,7 @@
         "quarantine_category": "Категорія повідомлень про спам",
         "recipient_maps": "Перезапис одержувача",
         "smtp_ip_access": "Налаштування дозволених IP для SMTP",
-        "sogo_access": "Управління доступом до SOGo",
+        "sogo_redirection": "Управління доступом до SOGo",
         "spam_score": "Політика фільтрації спаму",
         "protocol_access": "Налаштування дозволених протоколів",
         "quarantine_notification": "Сповіщення про спам",
@@ -614,8 +614,8 @@
         "sieve_desc": "Короткий опис",
         "sieve_type": "Тип фільтра",
         "skipcrossduplicates": "Пропускати в папках повідомлення, що повторюються",
-        "sogo_access": "Пряме перенаправлення до SOGo",
-        "sogo_access_info": "Після входу користувач автоматично перенаправляється на SOGo.",
+        "sogo_redirection": "Пряме перенаправлення до SOGo",
+        "sogo_redirection_info": "Після входу користувач автоматично перенаправляється на SOGo.",
         "sogo_visible": "Відображати псевдонім у SOGo",
         "spam_alias": "Створити або змінити тимчасові (спам) псевдоніми",
         "spam_filter": "Спам фільтр",

+ 3 - 3
data/web/lang/lang.zh-cn.json

@@ -21,7 +21,7 @@
         "ratelimit": "频率限制",
         "recipient_maps": "收件人映射",
         "smtp_ip_access": "更改 SMTP 允许主机",
-        "sogo_access": "允许管理 SOGo 访问权限",
+        "sogo_redirection": "允许管理 SOGo 访问权限",
         "sogo_profile_reset": "重置 SOGo 个人资料",
         "spam_alias": "临时别名",
         "spam_policy": "阻止名单/允许名单",
@@ -700,8 +700,8 @@
         "sieve_desc": "简短描述",
         "sieve_type": "过滤器类型",
         "skipcrossduplicates": "跳过其他文件夹中已存在的邮件(保留已经存在的邮件)",
-        "sogo_access": "直接转到 SOGo",
-        "sogo_access_info": "登录后,用户会自动跳转到 SOGo。",
+        "sogo_redirection": "直接转到 SOGo",
+        "sogo_redirection_info": "登录后,用户会自动跳转到 SOGo。",
         "sogo_visible": "SOGo 显示的别名",
         "sogo_visible_info": "此设置只影响 SOGo 上可显示的对象 (指向本地邮箱的共享或非共享别名地址)。如果设置为隐藏,则别名地址不会作为可选发件人的下拉项显示。",
         "spam_alias": "添加或更改临时别名地址",

+ 3 - 3
data/web/lang/lang.zh-tw.json

@@ -21,7 +21,7 @@
         "ratelimit": "速率限制",
         "recipient_maps": "收件人規則表",
         "smtp_ip_access": "更改允許 SMTP 的主機",
-        "sogo_access": "管理 SOGo 存取權",
+        "sogo_redirection": "管理 SOGo 存取權",
         "sogo_profile_reset": "重設 SOGo 個人資料",
         "spam_alias": "臨時別名",
         "spam_policy": "黑名單/白名單",
@@ -642,8 +642,8 @@
         "sieve_desc": "簡短描述",
         "sieve_type": "過濾器類型",
         "skipcrossduplicates": "跳過在其他資料夾中重複的郵件 (優先使用先找到的郵件)",
-        "sogo_access": "直接轉寄至SOGo",
-        "sogo_access_info": "登入後,使用者會自動重新導向至SOGo。",
+        "sogo_redirection": "直接轉寄至SOGo",
+        "sogo_redirection_info": "登入後,使用者會自動重新導向至SOGo。",
         "sogo_visible": "別名會在 SOGo 中顯示",
         "sogo_visible_info": "此選項只會影響可以顯示於 SOGo 上物件 (指向至少一個本地信箱的共享或非共享別名地址)。如果設為隱藏,別名地址將不會顯示於寄件人下拉選項中。",
         "spam_alias": "新增或更改臨時別名地址",

+ 2 - 1
data/web/sogo-auth.php

@@ -24,7 +24,7 @@ if (isset($_SERVER['PHP_AUTH_USER'])) {
     $is_eas = true;
   }
   $login_check = check_login($username, $password, array('dav' => $is_dav, 'eas' => $is_eas));
-  if ($login_check === 'user') {
+  if ($login_check === 'user' && hasACLAccess('sogo_access')) {
     header("X-User: $username");
     header("X-Auth: Basic ".base64_encode("$username:$password"));
     header("X-Auth-Type: Basic");
@@ -44,6 +44,7 @@ elseif (isset($_GET['login'])) {
   // check permissions (if dual_login is active, deny sso when acl is not given)
   $login = html_entity_decode(rawurldecode($_GET["login"]));
   if (isset($_SESSION['mailcow_cc_role']) &&
+     hasACLAccess('sogo_access') &&
     (($_SESSION['acl']['login_as'] == "1" && $ALLOW_ADMIN_EMAIL_LOGIN !== 0) || ($is_dual === false && $login == $_SESSION['mailcow_cc_username']))) {
     if (filter_var($login, FILTER_VALIDATE_EMAIL)) {
       if (user_get_alias_details($login) !== false) {
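Review bot: Both added `hasACLAccess('sogo_access')` calls take no user argument, so the hunks do not show whose ACL is evaluated. In the Basic-auth branch the principal is the `$username` that `check_login()` just verified, while in the `$_GET['login']` branch the mailbox being opened is `$login`, which under `login_as` is not the session owner. `hasACLAccess()` is defined outside this page; if it reads session state, a DAV/EAS request carrying only Basic credentials may be judged on an empty or unrelated session, and an admin `login_as` on the admin's ACL rather than the target mailbox's. It is worth confirming that `check_login()` loads the authenticated user's ACL before the first check, and extending the existing comment on the second condition if that is the intent, e.g. `// sso also requires the sogo_access ACL of the logged-in session user, not of $login`. The `if` block in the second hunk continues past the last visible line, so the denial path (status code, logging) could not be reviewed here.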

+ 4 - 3
data/web/templates/edit/mailbox-templates.twig

@@ -8,7 +8,7 @@
 
     <input type="hidden" value="default" name="sender_acl">
     <input type="hidden" value="0" name="force_pw_update">
-    <input type="hidden" value="0" name="sogo_access">
+    <input type="hidden" value="0" name="sogo_redirection">
     <input type="hidden" value="0" name="protocol_access">
 
     <div class="row mb-4">
@@ -123,6 +123,7 @@
           <option value="syncjobs" {% if template.attributes.acl_syncjobs == '1' %} selected{% endif %}>{{ lang.acl["syncjobs"] }}</option>
           <option value="eas_reset" {% if template.attributes.acl_eas_reset == '1' %} selected{% endif %}>{{ lang.acl["eas_reset"] }}</option>
           <option value="sogo_profile_reset" {% if template.attributes.acl_sogo_profile_reset == '1' %} selected{% endif %}>{{ lang.acl["sogo_profile_reset"] }}</option>
+          <option value="sogo_access" {% if template.attributes.acl_sogo_access == '1' %} selected{% endif %}>{{ lang.acl["sogo_access"] }}</option>
           <option value="pushover" {% if template.attributes.acl_pushover == '1' %} selected{% endif %}>{{ lang.acl["pushover"] }}</option>
           <option value="quarantine" {% if template.attributes.acl_quarantine == '1' %} selected{% endif %}>{{ lang.acl["quarantine"] }}</option>
           <option value="quarantine_attachments" {% if template.attributes.acl_quarantine_attachments == '1' %} selected{% endif %}>{{ lang.acl["quarantine_attachments"] }}</option>
@@ -167,8 +168,8 @@
     <div class="row">
       <div class="offset-sm-2 col-sm-10">
         <div class="form-check">
-          <label><input type="checkbox" class="form-check-input" value="1" name="sogo_access"{% if template.attributes.sogo_access == '1' %} checked{% endif %}> {{ lang.edit.sogo_access }}</label>
-          <small class="text-muted">{{ lang.edit.sogo_access_info }}</small>
+          <label><input type="checkbox" class="form-check-input" value="1" name="sogo_redirection"{% if template.attributes.sogo_redirection == '1' %} checked{% endif %}> {{ lang.edit.sogo_redirection }}</label>
+          <small class="text-muted">{{ lang.edit.sogo_redirection_info }}</small>
         </div>
       </div>
     </div>
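Review bot: The name `sogo_access` changes meaning in this file without any note for maintainers: the checkbox in the last hunk now reads `template.attributes.sogo_redirection`, while the new option in the second hunk uses `sogo_access` for the login ACL via `template.attributes.acl_sogo_access`. A template stored before this change has neither key unless it is migrated, so it would render with redirection unchecked and SOGo access unselected; whether the schema update covers this is not visible here. A short Twig comment above the new option would prevent the two being confused again, e.g. `{# sogo_access = user ACL permitting SOGo login; the post-login redirect flag is sogo_redirection #}`. The label `lang.acl["sogo_access"]` also needs an entry per locale: the zh-tw hunk renames the `sogo_access` key next to `sogo_profile_reset` to `sogo_redirection` without adding a new one, so that locale depends on whatever fallback the language loader provides.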

+ 20 - 7
data/web/templates/edit/mailbox.twig

@@ -24,7 +24,7 @@
                 <form class="form-horizontal" data-id="editmailbox" role="form" method="post">
                   <input type="hidden" value="default" name="sender_acl">
                   <input type="hidden" value="0" name="force_pw_update">
-                  <input type="hidden" value="0" name="sogo_access">
+                  <input type="hidden" value="0" name="sogo_redirection">
                   <input type="hidden" value="0" name="protocol_access">
                   <div class="row mb-2">
                     <label class="control-label col-sm-2">{{ lang.admin.iam }}</label>
@@ -310,11 +310,11 @@
                     </div>
                   </div>
                   {% if not skip_sogo %}
-                  <div data-acl="{{ acl.sogo_access }}" class="row">
+                  <div data-acl="{{ acl.sogo_redirection }}" class="row">
                     <div class="offset-sm-2 col-sm-10">
                       <div class="form-check">
-                        <label><input type="checkbox" class="form-check-input" value="1" name="sogo_access"{% if result.attributes.sogo_access == '1' %} checked{% endif %}> {{ lang.edit.sogo_access }}</label>
-                        <small class="text-muted">{{ lang.edit.sogo_access_info }}</small>
+                        <label><input type="checkbox" class="form-check-input" value="1" name="sogo_redirection"{% if result.attributes.sogo_redirection == '1' %} checked{% endif %}> {{ lang.edit.sogo_redirection }}</label>
+                        <small class="text-muted">{{ lang.edit.sogo_redirection_info }}</small>
                       </div>
                     </div>
                   </div>
@@ -485,9 +485,22 @@
                     </div>
                     <div class="col-sm-10">
                       <select id="user_acl" name="user_acl" size="10" multiple>
-                        {% for acl, val in user_acls %}
-                          <option value="{{ acl }}"{% if val == 1 %} selected{% endif %}>{{ lang.acl[acl] }}</option>
-                        {% endfor %}
+                        <option value="spam_alias" {% if user_acls.spam_alias == '1' %} selected{% endif %}>{{ lang.acl["spam_alias"] }}</option>
+                        <option value="tls_policy" {% if user_acls.tls_policy == '1' %} selected{% endif %}>{{ lang.acl["tls_policy"] }}</option>
+                        <option value="spam_score" {% if user_acls.spam_score == '1' %} selected{% endif %}>{{ lang.acl["spam_score"] }}</option>
+                        <option value="spam_policy" {% if user_acls.spam_policy == '1' %} selected{% endif %}>{{ lang.acl["spam_policy"] }}</option>
+                        <option value="delimiter_action" {% if user_acls.delimiter_action == '1' %} selected{% endif %}>{{ lang.acl["delimiter_action"] }}</option>
+                        <option value="syncjobs" {% if user_acls.syncjobs == '1' %} selected{% endif %}>{{ lang.acl["syncjobs"] }}</option>
+                        <option value="eas_reset" {% if user_acls.eas_reset == '1' %} selected{% endif %}>{{ lang.acl["eas_reset"] }}</option>
+                        <option value="sogo_profile_reset" {% if user_acls.sogo_profile_reset == '1' %} selected{% endif %}>{{ lang.acl["sogo_profile_reset"] }}</option>
+                        <option value="sogo_access" {% if user_acls.sogo_access == '1' %} selected{% endif %}>{{ lang.acl["sogo_access"] }}</option>
+                        <option value="pushover" {% if user_acls.pushover == '1' %} selected{% endif %}>{{ lang.acl["pushover"] }}</option>
+                        <option value="quarantine" {% if user_acls.quarantine == '1' %} selected{% endif %}>{{ lang.acl["quarantine"] }}</option>
+                        <option value="quarantine_attachments" {% if user_acls.quarantine_attachments == '1' %} selected{% endif %}>{{ lang.acl["quarantine_attachments"] }}</option>
+                        <option value="quarantine_notification" {% if user_acls.quarantine_notification == '1' %} selected{% endif %}>{{ lang.acl["quarantine_notification"] }}</option>
+                        <option value="quarantine_category" {% if user_acls.quarantine_category == '1' %} selected{% endif %}>{{ lang.acl["quarantine_category"] }}</option>
+                        <option value="app_passwds" {% if user_acls.app_passwds == '1' %} selected{% endif %}>{{ lang.acl["app_passwds"] }}</option>
+                        <option value="pw_reset" {% if user_acls.pw_reset == '1' %} selected{% endif %}>{{ lang.acl["pw_reset"] }}</option>
                       </select>
                       <button class="btn btn-xs-lg d-block d-sm-inline btn-secondary" data-action="edit_selected" data-id="useracl" data-item="{{ mailbox }}" data-api-url='edit/user-acl' data-api-attr='{}' href="#">{{ lang.edit.save }}</button>
                     </div>
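Review bot: Replacing the `{% for acl, val in user_acls %}` loop with sixteen hard-coded `<option>` rows in the last hunk means the select no longer follows `user_acls`. An ACL present in the data but missing from this list cannot be shown or kept selected, and since the form submits the selected set, it would presumably be cleared on the next save. If the loop was dropped because its `acl` variable collides with the `acl` object used for `data-acl`, renaming the loop variable keeps the list data-driven: `{% for acl_name, val in user_acls %}` with `<option value="{{ acl_name }}"{% if val == 1 %} selected{% endif %}>{{ lang.acl[acl_name] }}</option>`. If a fixed order is the goal, a Twig comment naming the other places that must stay in sync would help. Separately, `data-acl="{{ acl.sogo_redirection }}"` in the second hunk assumes an ACL entry of that name exists, which this page does not show.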

+ 8 - 6
data/web/templates/modals/mailbox.twig

@@ -9,7 +9,7 @@
       <div class="modal-body">
         <form class="form-horizontal" data-cached-form="true" data-id="add_mailbox" role="form" autocomplete="off">
           <input type="hidden" value="0" name="force_pw_update">
-          <input type="hidden" value="0" name="sogo_access">
+          <input type="hidden" value="0" name="sogo_redirection">
           <input type="hidden" value="0" name="protocol_access">
           <input type="hidden" value="mailcow" name="authsource">
 
@@ -163,6 +163,7 @@
                   <option value="syncjobs">{{ lang.acl["syncjobs"] }}</option>
                   <option value="eas_reset" selected>{{ lang.acl["eas_reset"] }}</option>
                   <option value="sogo_profile_reset">{{ lang.acl["sogo_profile_reset"] }}</option>
+                  <option value="sogo_access">{{ lang.acl["sogo_access"] }}</option>
                   <option value="pushover" selected>{{ lang.acl["pushover"] }}</option>
                   <option value="quarantine" selected>{{ lang.acl["quarantine"] }}</option>
                   <option value="quarantine_attachments" selected>{{ lang.acl["quarantine_attachments"] }}</option>
@@ -206,8 +207,8 @@
           <div class="row">
             <div class="offset-sm-2 col-sm-10">
               <div class="form-check">
-                <label><input type="checkbox" class="form-check-input" value="1" name="sogo_access" id="sogo_access"> {{ lang.edit.sogo_access }}</label>
-                <small class="text-muted">{{ lang.edit.sogo_access_info }}</small>
+                <label><input type="checkbox" class="form-check-input" value="1" name="sogo_redirection" id="sogo_redirection"> {{ lang.edit.sogo_redirection }}</label>
+                <small class="text-muted">{{ lang.edit.sogo_redirection_info }}</small>
               </div>
             </div>
           </div>
@@ -235,7 +236,7 @@
         <form class="form-horizontal" data-id="addmailbox_template" role="form" method="post">
           <input type="hidden" value="default" name="sender_acl">
           <input type="hidden" value="0" name="force_pw_update">
-          <input type="hidden" value="0" name="sogo_access">
+          <input type="hidden" value="0" name="sogo_redirection">
           <input type="hidden" value="0" name="protocol_access">
 
           <div class="row mb-4">
@@ -350,6 +351,7 @@
                 <option value="syncjobs">{{ lang.acl["syncjobs"] }}</option>
                 <option value="eas_reset" selected>{{ lang.acl["eas_reset"] }}</option>
                 <option value="sogo_profile_reset">{{ lang.acl["sogo_profile_reset"] }}</option>
+                <option value="sogo_access">{{ lang.acl["sogo_access"] }}</option>
                 <option value="pushover" selected>{{ lang.acl["pushover"] }}</option>
                 <option value="quarantine" selected>{{ lang.acl["quarantine"] }}</option>
                 <option value="quarantine_attachments" selected>{{ lang.acl["quarantine_attachments"] }}</option>
@@ -394,8 +396,8 @@
           <div class="row">
             <div class="offset-sm-2 col-sm-10">
               <div class="form-check">
-                <label><input type="checkbox" class="form-check-input" value="1" name="sogo_access"> {{ lang.edit.sogo_access }}</label>
-                <small class="text-muted">{{ lang.edit.sogo_access_info }}</small>
+                <label><input type="checkbox" class="form-check-input" value="1" name="sogo_redirection"> {{ lang.edit.sogo_redirection }}</label>
+                <small class="text-muted">{{ lang.edit.sogo_redirection_info }}</small>
               </div>
             </div>
           </div>
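Review bot: The new `<option value="sogo_access">` is added without `selected` in both the add-mailbox form (second hunk) and the add-template form (fifth hunk), while neighbours such as `eas_reset`, `pushover` and `quarantine` are preselected. Combined with the new `hasACLAccess('sogo_access')` gate in sogo-auth.php, a mailbox created from this modal with the defaults left untouched would be denied SOGo, unless a default template overrides the selection elsewhere. Deny-by-default is a reasonable posture for a new permission, but it is a behaviour change for administrators who previously got webmail access on every new mailbox. If that is not intended, use `<option value="sogo_access" selected>{{ lang.acl["sogo_access"] }}</option>`; if it is intended, say so in a comment and in the release notes.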

+ 5 - 1
data/web/templates/user/tab-user-auth.twig

@@ -23,10 +23,14 @@
                 <a href="/sogo-auth.php?login={{ mailcow_cc_username  }}" role="button" class="btn btn-primary btn-lg btn-block btn-xs-lg w-100">
                   {{ lang.user.open_webmail_sso }} <i class="bi bi-arrow-right"></i>
                 </a>
-              {% else %}
+              {% elseif acl.sogo_access == 1 %}
                 <a href="/SOGo/so" role="button" class="btn btn-primary btn-lg btn-block btn-xs-lg w-100">
                   {{ lang.user.open_webmail_sso }} <i class="bi bi-arrow-right"></i>
                 </a>
+              {% else %}
+                <button disabled class="btn btn-secondary btn-block btn-xs-lg w-100">
+                  {{ lang.user.open_webmail_sso }} <i class="bi bi-arrow-right"></i>
+                </button>
               {% endif %}
             </div>
           </div>
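Review bot: Only the second branch is gated by the new `{% elseif acl.sogo_access == 1 %}`; the first branch, whose condition lies above the hunk, still renders the active `/sogo-auth.php?login=…` button. If that condition does not also consider `acl.sogo_access`, a user without the ACL is shown a working-looking SSO button that sogo-auth.php then rejects. This template only decides what is displayed, and `/SOGo/so` stays reachable by URL, so enforcement has to remain on the server side. The disabled button also gives no reason; adding a `title` attribute with a translated explanation would tell the user that SOGo access has been turned off for the account.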