Home Explore Help
Sign In
mirrors
/
mailcow-dockerized
mirror of https://github.com/mailcow/mailcow-dockerized
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

[Web, Dovecot] Allow to define scope of services for app passwords

andryyy 3 years ago
parent
f01de1a5c0
commit
e13bc242a4
14 changed files with 161 additions and 41 deletions
Split View Show Diff Stats
  1. 19 17
      data/Dockerfiles/dovecot/docker-entrypoint.sh
  2. 1 1
      data/web/edit.php
  3. 34 9
      data/web/inc/functions.app_passwd.inc.php
  4. 42 2
      data/web/inc/functions.inc.php
  5. 5 1
      data/web/inc/init_db.inc.php
  6. 10 3
      data/web/js/site/user.js
  7. 3 0
      data/web/lang/lang.de.json
  8. 3 0
      data/web/lang/lang.en.json
  9. 18 5
      data/web/sogo-auth.php
  10. 1 1
      data/web/templates/base.twig
  11. 12 0
      data/web/templates/edit/app-passwd.twig
  12. 11 0
      data/web/templates/modals/user.twig
  13. 1 1
      data/web/templates/user/tab-user-auth.twig
  14. 1 1
      docker-compose.yml

+ 19 - 17
data/Dockerfiles/dovecot/docker-entrypoint.sh
View File 

@@ -163,24 +163,26 @@ function auth_password_verify(req, pass)
 
     row = cur:fetch (row, "a")
 
   end
 
 
-  -- check against app passwds
 
-  -- removed on 22nd Oct 2021: AND IFNULL(JSON_UNQUOTE(JSON_VALUE(mailbox.attributes, '$.force_pw_update')), 0) != '1'
 
-  local cur,errorString = con:execute(string.format([[SELECT app_passwd.id, app_passwd.password FROM app_passwd
 
-    INNER JOIN mailbox ON mailbox.username = app_passwd.mailbox
 
-    WHERE mailbox = '%s'
 
-      AND IFNULL(JSON_UNQUOTE(JSON_VALUE(mailbox.attributes, '$.%s_access')), 1) = '1'
 
-      AND app_passwd.active = '1'
 
-      AND mailbox.active = '1'
 
-      AND app_passwd.domain IN (SELECT domain FROM domain WHERE domain='%s' AND active='1')]], con:escape(req.user), con:escape(req.service), con:escape(req.domain)))
 
-  local row = cur:fetch ({}, "a")
 
-  while row do
 
-    if req.password_verify(req, row.password, pass) == 1 then
 
-      cur:close()
 
-      con:execute(string.format([[REPLACE INTO sasl_log (service, app_password, username, real_rip)
 
-        VALUES ("%s", %d, "%s", "%s")]], con:escape(req.service), row.id, con:escape(req.user), con:escape(req.real_rip)))
 
-      return dovecot.auth.PASSDB_RESULT_OK, "password=" .. pass
 
+  -- check against app passwds for imap and smtp
 
+  -- app passwords are only available for imap and smtp in dovecot
 
+  if req.service == "smtp" or req.service == "imap" then
 
+    local cur,errorString = con:execute(string.format([[SELECT app_passwd.id, app_passwd.imap_access, app_passwd.smtp_access, app_passwd.password FROM app_passwd
 
+      INNER JOIN mailbox ON mailbox.username = app_passwd.mailbox
 
+      WHERE mailbox = '%s'
 
+        AND app_passwd.%s_access = '1'
 
+        AND app_passwd.active = '1'
 
+        AND mailbox.active = '1'
 
+        AND app_passwd.domain IN (SELECT domain FROM domain WHERE domain='%s' AND active='1')]], con:escape(req.user), con:escape(req.service), con:escape(req.domain)))
 
+    local row = cur:fetch ({}, "a")
 
+    while row do
 
+      if req.password_verify(req, row.password, pass) == 1 then
 
+        cur:close()
 
+        con:execute(string.format([[REPLACE INTO sasl_log (service, app_password, username, real_rip)
 
+          VALUES ("%s", %d, "%s", "%s")]], con:escape(req.service), row.id, con:escape(req.user), con:escape(req.real_rip)))
 
+        return dovecot.auth.PASSDB_RESULT_OK, "password=" .. pass
 
+      end
 
+      row = cur:fetch (row, "a")
 
     end
 
-    row = cur:fetch (row, "a")
 
   end
 
 
   return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Failed to authenticate"

+ 1 - 1
data/web/edit.php
View File 

@@ -11,7 +11,7 @@ $template = 'edit.twig';
 
 $template_data = [];
 
 $result = null;
 
 if (isset($_SESSION['mailcow_cc_role'])) {
 
-  if ($_SESSION['mailcow_cc_role'] == "admin"  || $_SESSION['mailcow_cc_role'] == "domainadmin") {
 
+  if ($_SESSION['mailcow_cc_role'] == "admin" || $_SESSION['mailcow_cc_role'] == "domainadmin") {
 
     if (isset($_GET["alias"]) &&
 
       !empty($_GET["alias"])) {
 
         $alias = html_entity_decode(rawurldecode($_GET["alias"]));

+ 34 - 9
data/web/inc/functions.app_passwd.inc.php
View File 

@@ -27,6 +27,11 @@ function app_passwd($_action, $_data = null) {
 
       $password = $_data['app_passwd'];

       $password2 = $_data['app_passwd2'];

       $active = intval($_data['active']);

+      $protocols = (array)$_data['protocols'];

+      $imap_access = (in_array('imap_access', $protocols)) ? 1 : 0;

+      $dav_access = (in_array('dav_access', $protocols)) ? 1 : 0;

+      $smtp_access = (in_array('smtp_access', $protocols)) ? 1 : 0;

+      $eas_access = (in_array('eas_access', $protocols)) ? 1 : 0;

       $domain = mailbox('get', 'mailbox_details', $username)['domain'];

       if (empty($domain)) {

         $_SESSION['return'][] = array(

@@ -61,13 +66,17 @@ function app_passwd($_action, $_data = null) {
 
         );

         return false;

       }

-      $stmt = $pdo->prepare("INSERT INTO `app_passwd` (`name`, `mailbox`, `domain`, `password`, `active`)

-        VALUES (:app_name, :mailbox, :domain, :password, :active)");

+      $stmt = $pdo->prepare("INSERT INTO `app_passwd` (`name`, `mailbox`, `domain`, `password`, `imap_access`, `smtp_access`, `eas_access`, `dav_access`, `active`)

+        VALUES (:app_name, :mailbox, :domain, :password, :imap_access, :smtp_access, :eas_access, :dav_access, :active)");

       $stmt->execute(array(

         ':app_name' => $app_name,

         ':mailbox' => $username,

         ':domain' => $domain,

         ':password' => $password_hashed,

+        ':imap_access' => $imap_access,

+        ':smtp_access' => $smtp_access,

+        ':eas_access' => $eas_access,

+        ':dav_access' => $dav_access,

         ':active' => $active

       ));

       $_SESSION['return'][] = array(

@@ -84,6 +93,19 @@ function app_passwd($_action, $_data = null) {
 
           $app_name = (!empty($_data['app_name'])) ? $_data['app_name'] : $is_now['name'];

           $password = (!empty($_data['password'])) ? $_data['password'] : null;

           $password2 = (!empty($_data['password2'])) ? $_data['password2'] : null;

+          if (isset($_data['protocols'])) {

+            $protocols = (array)$_data['protocols'];

+            $imap_access = (in_array('imap_access', $protocols)) ? 1 : 0;

+            $dav_access = (in_array('dav_access', $protocols)) ? 1 : 0;

+            $smtp_access = (in_array('smtp_access', $protocols)) ? 1 : 0;

+            $eas_access = (in_array('eas_access', $protocols)) ? 1 : 0;

+          }

+          else {

+            $imap_access = $is_now['imap_access'];

+            $smtp_access = $is_now['smtp_access'];

+            $dav_access = $is_now['dav_access'];

+            $eas_access = $is_now['eas_access'];

+          }

           $active = (isset($_data['active'])) ? intval($_data['active']) : $is_now['active'];

         }

         else {

@@ -122,14 +144,23 @@ function app_passwd($_action, $_data = null) {
 
             ':id' => $id

           ));

         }

+

         $stmt = $pdo->prepare("UPDATE `app_passwd` SET

           `name` = :app_name,

           `mailbox` = :username,

+          `imap_access` = :imap_access,

+          `smtp_access` = :smtp_access,

+          `eas_access` = :eas_access,

+          `dav_access` = :dav_access,

           `active` = :active

             WHERE `id` = :id");

         $stmt->execute(array(

           ':app_name' => $app_name,

           ':username' => $username,

+          ':imap_access' => $imap_access,

+          ':smtp_access' => $smtp_access,

+          ':eas_access' => $eas_access,

+          ':dav_access' => $dav_access,

           ':active' => $active,

           ':id' => $id

         ));

@@ -180,13 +211,7 @@ function app_passwd($_action, $_data = null) {
 
     break;

     case 'details':

       $app_passwd_data = array();

-      $stmt = $pdo->prepare("SELECT `id`,

-        `name`,

-        `mailbox`,

-        `domain`,

-        `created`,

-        `modified`,

-        `active`

+      $stmt = $pdo->prepare("SELECT *

           FROM `app_passwd`

             WHERE `id` = :id");

       $stmt->execute(array(':id' => $_data));

+ 42 - 2
data/web/inc/functions.inc.php
View File 

@@ -807,10 +807,17 @@ function verify_hash($hash, $password) {
 
   }

   return false;

 }

-function check_login($user, $pass, $allow_app_passwords = false) {

+function check_login($user, $pass, $app_passwd_data = false) {

   global $pdo;

   global $redis;

   global $imap_server;

+

+  if ($app_passwd_data === false) {

+    $app_passwd_data['eas'] = false;

+    $app_passwd_data['dav'] = false;

+    $app_passwd_data['proxyauth'] = false;

+  }

+

   if (!filter_var($user, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {

     $_SESSION['return'][] =  array(

       'type' => 'danger',

@@ -819,6 +826,8 @@ function check_login($user, $pass, $allow_app_passwords = false) {
 
     );

     return false;

   }

+

+  // Validate admin

   $user = strtolower(trim($user));

   $stmt = $pdo->prepare("SELECT `password` FROM `admin`

       WHERE `superadmin` = '1'

@@ -854,6 +863,8 @@ function check_login($user, $pass, $allow_app_passwords = false) {
 
       }

     }

   }

+

+  // Validate domain admin

   $stmt = $pdo->prepare("SELECT `password` FROM `admin`

       WHERE `superadmin` = '0'

       AND `active`='1'

@@ -888,6 +899,8 @@ function check_login($user, $pass, $allow_app_passwords = false) {
 
       }

     }

   }

+

+  // Validate mailbox user

   $stmt = $pdo->prepare("SELECT `password` FROM `mailbox`

       INNER JOIN domain on mailbox.domain = domain.domain

       WHERE `kind` NOT REGEXP 'location|thing|group'

@@ -896,7 +909,7 @@ function check_login($user, $pass, $allow_app_passwords = false) {
 
         AND `username` = :user");

   $stmt->execute(array(':user' => $user));

   $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

-  if ($allow_app_passwords === true) {

+  if ($app_passwd_data['eas'] === true) {

     $stmt = $pdo->prepare("SELECT `app_passwd`.`password` as `password`, `app_passwd`.`id` as `app_passwd_id` FROM `app_passwd`

         INNER JOIN `mailbox` ON `mailbox`.`username` = `app_passwd`.`mailbox`

         INNER JOIN `domain` ON `mailbox`.`domain` = `domain`.`domain`

@@ -904,6 +917,20 @@ function check_login($user, $pass, $allow_app_passwords = false) {
 
           AND `mailbox`.`active` = '1'

           AND `domain`.`active` = '1'

           AND `app_passwd`.`active` = '1'

+          AND `app_passwd`.`eas_access` = '1'

+          AND `app_passwd`.`mailbox` = :user");

+    $stmt->execute(array(':user' => $user));

+    $rows = array_merge($rows, $stmt->fetchAll(PDO::FETCH_ASSOC));

+  }

+  elseif ($app_passwd_data['dav'] === true) {

+    $stmt = $pdo->prepare("SELECT `app_passwd`.`password` as `password`, `app_passwd`.`id` as `app_passwd_id` FROM `app_passwd`

+        INNER JOIN `mailbox` ON `mailbox`.`username` = `app_passwd`.`mailbox`

+        INNER JOIN `domain` ON `mailbox`.`domain` = `domain`.`domain`

+        WHERE `mailbox`.`kind` NOT REGEXP 'location|thing|group'

+          AND `mailbox`.`active` = '1'

+          AND `domain`.`active` = '1'

+          AND `app_passwd`.`active` = '1'

+          AND `app_passwd`.`dav_access` = '1'

           AND `app_passwd`.`mailbox` = :user");

     $stmt->execute(array(':user' => $user));

     $rows = array_merge($rows, $stmt->fetchAll(PDO::FETCH_ASSOC));

@@ -916,9 +943,20 @@ function check_login($user, $pass, $allow_app_passwords = false) {
 
         'log' => array(__FUNCTION__, $user, '*'),

         'msg' => array('logged_in_as', $user)

       );

+      if ($app_passwd_data['proxyauth'] === true) {

+        $service = ($app_passwd_data['eas'] === true) ? 'EAS' : (($app_passwd_data['dav'] === true) ? 'DAV' : 'SSO');

+        $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES (:service, :app_id, :username, :remote_addr)");

+        $stmt->execute(array(

+          ':service' => $service,

+          ':app_id' => $row['app_passwd_id'],

+          ':username' => $user,

+          ':remote_addr' => $_SERVER['REMOTE_ADDR']

+        ));

+      }

       return "user";

     }

   }

+

   if (!isset($_SESSION['ldelay'])) {

     $_SESSION['ldelay'] = "0";

     $redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);

@@ -929,11 +967,13 @@ function check_login($user, $pass, $allow_app_passwords = false) {
 
     $redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);

     error_log("mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);

   }

+

   $_SESSION['return'][] =  array(

     'type' => 'danger',

     'log' => array(__FUNCTION__, $user, '*'),

     'msg' => 'login_failed'

   );

+

   sleep($_SESSION['ldelay']);

   return false;

 }

+ 5 - 1
data/web/inc/init_db.inc.php
View File 

@@ -3,7 +3,7 @@ function init_db_schema() {
 
   try {

     global $pdo;

 

-    $db_version = "23082021_2224";

+    $db_version = "28102021_1600";

 

     $stmt = $pdo->query("SHOW TABLES LIKE 'versions'");

     $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));

@@ -364,6 +364,10 @@ function init_db_schema() {
 
           "password" => "VARCHAR(255) NOT NULL",

           "created" => "DATETIME(0) NOT NULL DEFAULT NOW(0)",

           "modified" => "DATETIME ON UPDATE CURRENT_TIMESTAMP",

+          "imap_access" => "TINYINT(1) NOT NULL DEFAULT '1'",

+          "smtp_access" => "TINYINT(1) NOT NULL DEFAULT '1'",

+          "dav_access" => "TINYINT(1) NOT NULL DEFAULT '1'",

+          "eas_access" => "TINYINT(1) NOT NULL DEFAULT '1'",

           "active" => "TINYINT(1) NOT NULL DEFAULT '1'"

         ),

         "keys" => array(

+ 10 - 3
data/web/js/site/user.js
View File 

@@ -101,8 +101,8 @@ jQuery(function($){
 
             $.each(data.sasl, function (i, item) {

               var datetime = new Date(item.datetime.replace(/-/g, "/"));

               var local_datetime = datetime.toLocaleDateString(undefined, {year: "numeric", month: "2-digit", day: "2-digit", hour: "2-digit", minute: "2-digit", second: "2-digit"});

-              item.app_password ? app_password = ' <a href="/edit/app-passwd/' + item.app_password + '">(App)</a>' : app_password = "", item.location ? ip_location = ' <span class="flag-icon flag-icon-' + item.location.toLowerCase() + '"></span>' : ip_location = "";

-              "smtp" == item.service ? service = '<div class="label label-default">' + item.service.toUpperCase() + '<i class="bi bi-chevron-compact-right"></i></div>' : "imap" == item.service ? service = '<div class="label label-default"><i class="bi bi-chevron-compact-left"></i> ' + item.service.toUpperCase() + "</div>" : service = '<div class="label label-default">' + item.service.toUpperCase() + "</div>";

+              item.app_password ? app_password = ' <a href="/edit/app-passwd/' + item.app_password + '"><i class="bi bi-pen"></i> App</a>' : app_password = "", item.location ? ip_location = ' <span class="flag-icon flag-icon-' + item.location.toLowerCase() + '"></span>' : ip_location = "";

+              service = '<div class="label label-default">' + item.service.toUpperCase() + '</div>';

               item.real_rip.startsWith("Web") ? real_rip = item.real_rip : real_rip = '<a href="https://bgp.he.net/ip/' + item.real_rip + '" target="_blank">' + item.real_rip + "</a>";

               ip_data = real_rip + ip_location + app_password;

               $(".last-login").append('<li class="list-group-item">' + local_datetime + " " + service + " " + lang.from + " " + ip_data + "</li>");

@@ -258,6 +258,7 @@ jQuery(function($){
 
         {"name":"chkbox","title":"","style":{"maxWidth":"60px","width":"60px","text-align":"center"},"filterable": false,"sortable": false,"type":"html"},

         {"sorted": true,"name":"id","title":"ID","style":{"maxWidth":"60px","width":"60px","text-align":"center"}},

         {"name":"name","title":lang.app_name},

+        {"name":"protocols","title":lang.allowed_protocols},

         {"name":"active","filterable": false,"style":{"maxWidth":"70px","width":"70px"},"title":lang.active,"formatter": function(value){return 1==value?'<i class="bi bi-check-lg"></i>':0==value&&'<i class="bi bi-x-lg"></i>';}},

         {"name":"action","filterable": false,"sortable": false,"style":{"text-align":"right","min-width":"220px","width":"220px"},"type":"html","title":lang.action,"breakpoints":"xs sm"}

       ],

@@ -271,7 +272,13 @@ jQuery(function($){
 
         },

         success: function (data) {

           $.each(data, function (i, item) {

-            item.name = escapeHtml(item.name);

+            item.name = escapeHtml(item.name)

+            item.protocols = []

+            if (item.imap_access == 1) { item.protocols.push("<code>IMAP</code>"); }

+            if (item.smtp_access == 1) { item.protocols.push("<code>SMTP</code>"); }

+            if (item.eas_access == 1) { item.protocols.push("<code>EAS/ActiveSync</code>"); }

+            if (item.dav_access == 1) { item.protocols.push("<code>DAV</kbd>"); }

+            item.protocols = item.protocols.join(" ")

             if (acl_data.app_passwds === 1) {

               item.action = '<div class="btn-group footable-actions">' +

                 '<a href="/edit/app-passwd/' + item.id + '" class="btn btn-xs btn-xs-half btn-default"><i class="bi bi-pencil-fill"></i> ' + lang.edit + '</a>' +

+ 3 - 0
data/web/lang/lang.de.json
View File 

@@ -42,6 +42,7 @@
 
         "alias_domain_info": "<small>Nur gültige Domains. Getrennt durch Komma.</small>",
 
         "app_name": "App-Name",
 
         "app_password": "App-Passwort hinzufügen",
 
+        "app_passwd_protocols": "Zugelassene Protokolle für App-Passwort",
 
         "automap": "Ordner automatisch mappen (\"Sent items\", \"Sent\" => \"Sent\" etc.)",
 
         "backup_mx_options": "Relay-Optionen",
 
         "bcc_dest_format": "BCC-Ziel muss eine gültige E-Mail-Adresse sein.",
 
@@ -508,6 +509,7 @@
 
         "allowed_protocols": "Erlaubte Protokolle",
 
         "app_name": "App-Name",
 
         "app_passwd": "App-Passwörter",
 
+        "app_passwd_protocols": "Zugelassene Protokolle für App-Passwort",
 
         "automap": "Ordner automatisch mappen (\"Sent items\", \"Sent\" => \"Sent\" etc.)",
 
         "backup_mx_options": "Relay-Optionen",
 
         "bcc_dest_format": "BCC-Ziel muss eine gültige E-Mail-Adresse sein.",
 
@@ -992,6 +994,7 @@
 
         "aliases_also_send_as": "Darf außerdem versenden als Benutzer",
 
         "aliases_send_as_all": "Absender für folgende Domains und zugehörige Alias-Domains nicht prüfen",
 
         "app_hint": "App-Passwörter sind alternative Passwörter für den IMAP-, SMTP-, CalDAV-, CardDAV- und EAS-Login am Mailserver. Der Benutzername bleibt unverändert.<br>SOGo Webmail ist mit diesem Kennwort nicht verwendbar.",
 
+        "allowed_protocols": "Erlaubte Protokolle",
 
         "app_name": "App-Name",
 
         "app_passwds": "App-Passwörter",
 
         "apple_connection_profile": "Apple-Verbindungsprofil",

+ 3 - 0
data/web/lang/lang.en.json
View File 

@@ -42,6 +42,7 @@
 
         "alias_domain_info": "<small>Valid domain names only (comma-separated).</small>",
 
         "app_name": "App name",
 
         "app_password": "Add app password",
 
+        "app_passwd_protocols": "Allowed protocols for app password",
 
         "automap": "Try to automap folders (\"Sent items\", \"Sent\" => \"Sent\" etc.)",
 
         "backup_mx_options": "Relay options",
 
         "bcc_dest_format": "BCC destination must be a single valid email address.<br>If you need to send a copy to multiple addresses, create an alias and use it here.",
 
@@ -514,6 +515,7 @@
 
         "allowed_protocols": "Allowed protocols",
 
         "app_name": "App name",
 
         "app_passwd": "App password",
 
+        "app_passwd_protocols": "Allowed protocols for app password",
 
         "automap": "Try to automap folders (\"Sent items\", \"Sent\" => \"Sent\" etc.)",
 
         "backup_mx_options": "Relay options",
 
         "bcc_dest_format": "BCC destination must be a single valid email address.<br>If you need to send a copy to multiple addresses, create an alias and use it here.",
 
@@ -1034,6 +1036,7 @@
 
         "aliases_also_send_as": "Also allowed to send as user",
 
         "aliases_send_as_all": "Do not check sender access for the following domain(s) and its alias domains",
 
         "app_hint": "App passwords are alternative passwords for your IMAP, SMTP, CalDAV, CardDAV and EAS login. The username remains unchanged. SOGo webmail is not available through app passwords.",
 
+        "allowed_protocols": "Allowed protocols",
 
         "app_name": "App name",
 
         "app_passwds": "App passwords",
 
         "apple_connection_profile": "Apple connection profile",

+ 18 - 5
data/web/sogo-auth.php
View File 

@@ -14,8 +14,16 @@ if (isset($_SERVER['PHP_AUTH_USER'])) {
 
   require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
 
   $username = $_SERVER['PHP_AUTH_USER'];
 
   $password = $_SERVER['PHP_AUTH_PW'];
 
-  $is_eas = preg_match('/^(\/SOGo|)\/(dav|Microsoft-Server-ActiveSync).*/', $_SERVER['HTTP_X_ORIGINAL_URI']);
 
-  $login_check = check_login($username, $password, $is_eas);
 
+  $is_eas = false;
 
+  $is_dav = false;
 
+  $original_uri = isset($_SERVER['HTTP_X_ORIGINAL_URI']) ? $_SERVER['HTTP_X_ORIGINAL_URI'] : '';
 
+  if (preg_match('/^(\/SOGo|)\/dav.*/', $original_uri) === 1) {
 
+    $is_dav = true;
 
+  }
 
+  elseif (preg_match('/^(\/SOGo|)\/Microsoft-Server-ActiveSync.*/', $original_uri) === 1) {
 
+    $is_eas = true;
 
+  }
 
+  $login_check = check_login($username, $password, array('dav' => $is_dav, 'eas' => $is_eas, 'proxyauth' => true));
 
   if ($login_check === 'user') {
 
     header("X-User: $username");
 
     header("X-Auth: Basic ".base64_encode("$username:$password"));
 
@@ -44,6 +52,13 @@ elseif (isset($_GET['login'])) {
 
         // register username and password in session
 
         $_SESSION[$session_var_user_allowed][] = $login;
 
         $_SESSION[$session_var_pass] = $sogo_sso_pass;
 
+        // update sasl logs
 
+        $service = ($app_passwd_data['eas'] === true) ? 'EAS' : 'DAV';
 
+        $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES ('SSO', 0, :username, :remote_addr)");
 
+        $stmt->execute(array(
 
+          ':username' => $login,
 
+          ':remote_addr' => $_SERVER['REMOTE_ADDR']
 
+        ));
 
         // redirect to sogo (sogo will get the correct credentials via nginx auth_request
 
         header("Location: /SOGo/so/${login}");
 
         exit;
 
@@ -55,9 +70,7 @@ elseif (isset($_GET['login'])) {
 
   exit;
 
 }
 
 // only check for admin-login on sogo GUI requests
 
-elseif (
 
-  strcasecmp(substr($_SERVER['HTTP_X_ORIGINAL_URI'], 0, 9), "/SOGo/so/") === 0
 
-) {
 
+elseif (isset($_SERVER['HTTP_X_ORIGINAL_URI']) && strcasecmp(substr($_SERVER['HTTP_X_ORIGINAL_URI'], 0, 9), "/SOGo/so/") === 0) {
 
   // this is an nginx auth_request call, we check for existing sogo-sso session variables
 
   session_start();
 
   // extract email address from "/SOGo/so/user@domain/xy"

+ 1 - 1
data/web/templates/base.twig
View File 

@@ -170,7 +170,7 @@ function recursiveBase64StrToArrayBuffer(obj) {
 
     // TFA, CSRF, Alerts in footer.inc.php
 
     // Other general functions in mailcow.js
 
     {% for alert_type, alert_msg in alerts %}
 
-    mailcow_alert_box('{{ alert_msg|raw }}', '{{ alert_type }}');
 
+    mailcow_alert_box('{{ alert_msg|raw|replace({"\n": "", "\r": "", "\t": "<br>"}) }}', '{{ alert_type }}');
 
     {% endfor %}
 
 
     // Confirm TFA modal

+ 12 - 0
data/web/templates/edit/app-passwd.twig
View File 

@@ -5,6 +5,7 @@
 
 <h4>{{ lang.edit.app_passwd }}</h4>
 
 <form class="form-horizontal" data-pwgen-length="32" data-id="editapp" role="form" method="post">
 
   <input type="hidden" value="0" name="active">
 
+  <input type="hidden" value="0" name="protocols">
 
   <div class="form-group">
 
     <label class="control-label col-sm-2" for="app_name">{{ lang.edit.app_name }}</label>
 
     <div class="col-sm-10">
 
@@ -30,6 +31,17 @@
 
       </div>
 
     </div>
 
   </div>
 
+  <div class="form-group">
 
+    <label class="control-label col-sm-2" for="protocols">{{ lang.edit.app_passwd_protocols }}</label>
 
+    <div class="col-sm-10">
 
+      <select class="full-width-select" data-live-search="true" id="protocols" name="protocols" multiple>
 
+        <option value="imap_access" {% if result.imap_access == 1 %} selected{% endif %}>IMAP</option>
 
+        <option value="smtp_access" {% if result.smtp_access == 1 %} selected{% endif %}>SMTP</option>
 
+        <option value="eas_access" {% if result.eas_access == 1 %} selected{% endif %}>EAS/ActiveSync</option>
 
+        <option value="dav_access" {% if result.dav_access == 1 %} selected{% endif %}>CardDAV/CalDAV</option>
 
+      </select>
 
+    </div>
 
+  </div>
 
   <div class="form-group">
 
     <div class="col-sm-offset-2 col-sm-10">
 
       <button class="btn btn-xs-lg visible-xs-block visible-sm-inline visible-md-inline visible-lg-inline btn-success" data-action="edit_selected" data-id="editapp" data-item="{{ result.id }}" data-api-url='edit/app-passwd' data-api-attr='{}' href="#">{{ lang.edit.save }}</button>

+ 11 - 0
data/web/templates/modals/user.twig
View File 

@@ -213,6 +213,17 @@
 
               <p class="help-block">{{ lang.user.new_password_description }}</p>
 
             </div>
 
           </div>
 
+          <div class="form-group">
 
+            <label class="control-label col-sm-2" for="protocols">{{ lang.add.app_passwd_protocols }}</label>
 
+            <div class="col-sm-10">
 
+              <select class="full-width-select" data-live-search="true" id="protocols" name="protocols" multiple>
 
+                <option value="imap_access" selected>IMAP</option>
 
+                <option value="smtp_access" selected>SMTP</option>
 
+                <option value="eas_access" selected>EAS/ActiveSync</option>
 
+                <option value="dav_access" selected>CardDAV/CalDAV</option>
 
+              </select>
 
+            </div>
 
+          </div>
 
           <div class="form-group">
 
             <div class="col-sm-offset-2 col-sm-10">
 
               <div class="checkbox">

+ 1 - 1
data/web/templates/user/tab-user-auth.twig
View File 

@@ -11,7 +11,7 @@
 
               <i class="bi bi-inbox-fill"></i> {{ lang.user.open_webmail_sso }}
 
             </button>
 
           {% else %}
 
-            <a target="_blank" href="#" disabled role="button" class="btn btn-default btn-block btn-xs-lg">
 
+            <a target="_blank" href="/sogo-auth.php?login={{ mailcow_cc_username }}" role="button" class="btn btn-default btn-block btn-xs-lg">
 
               <i class="bi bi-inbox-fill"></i> {{ lang.user.open_webmail_sso }}
 
             </a>
 
           {% endif %}

+ 1 - 1
docker-compose.yml
View File 

@@ -211,7 +211,7 @@ services:
 
             - sogo
 
 
     dovecot-mailcow:
 
-      image: mailcow/dovecot:1.157
 
+      image: mailcow/dovecot:1.158
 
       depends_on:
 
         - mysql-mailcow
 
       dns: