From 27c07438f8d243ff891787c91ca924db86d3945a Mon Sep 17 00:00:00 2001 From: carazzim0 Date: Tue, 31 Jan 2017 10:06:56 +0100 Subject: [PATCH 01/15] fix bug where not existing admin is not being created --- data/web/inc/init.sql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/web/inc/init.sql b/data/web/inc/init.sql index 6dc7fa4b..84e19f74 100644 --- a/data/web/inc/init.sql +++ b/data/web/inc/init.sql @@ -276,6 +276,6 @@ CREATE TABLE IF NOT EXISTS sogo_user_profile ( PRIMARY KEY (c_uid) ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC; -INSERT INTO `admin` (username, password, superadmin, created, modified, active) SELECT 'admin', '{SSHA256}K8eVJ6YsZbQCfuJvSUbaQRLr0HPLz5rC9IAp0PAFl0tmNDBkMDc0NDAyOTAxN2Rk', 1, NOW(), NOW(), 1 FROM `admin` WHERE NOT EXISTS (SELECT * FROM `admin`); +INSERT INTO `admin` (username, password, superadmin, created, modified, active) SELECT 'admin', '{SSHA256}K8eVJ6YsZbQCfuJvSUbaQRLr0HPLz5rC9IAp0PAFl0tmNDBkMDc0NDAyOTAxN2Rk', 1, NOW(), NOW(), 1 WHERE NOT EXISTS (SELECT * FROM `admin`); DELETE FROM `domain_admins`; INSERT INTO `domain_admins` (username, domain, created, active) SELECT `username`, 'ALL', NOW(), 1 FROM `admin` WHERE superadmin='1' AND `username` NOT IN (SELECT `username` FROM `domain_admins`); From 74b5c7437ba9f97ba48dc584f548421940261d92 Mon Sep 17 00:00:00 2001 From: andryyy Date: Fri, 3 Feb 2017 08:33:53 +0100 Subject: [PATCH 02/15] Fix mailbox edit domain --- data/web/inc/functions.inc.php | 2 -- 1 file changed, 2 deletions(-) diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index a4467caa..1750e023 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -3433,7 +3433,6 @@ function mailbox_edit_domain($postarray) { `active` = :active, `quota` = :quota, `maxquota` = :maxquota, - `modified` = :modified, `mailboxes` = :mailboxes, `aliases` = :aliases, `description` = :description 
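Review bot: The seeded `admin` row on the added `INSERT` line carries a fixed `{SSHA256}` hash, so every fresh install starts with the same superadmin password until someone changes it. Nothing in this hunk forces a change at first login; consider generating the initial credential per install at setup time, or seeding the account in a state that requires a password reset before the UI accepts it. Separately, the new statement has a `WHERE` clause but no `FROM`, which older MySQL releases reject as far as I know; adding `FROM DUAL` before `WHERE NOT EXISTS` is the portable spelling and keeps the single-row behaviour this fix is after.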
@@ -3444,7 +3443,6 @@ function mailbox_edit_domain($postarray) { ':active' => $active, ':quota' => $quota, ':maxquota' => $maxquota, - ':modified' => date('Y-m-d H:i:s'), ':mailboxes' => $mailboxes, ':aliases' => $aliases, ':modified' => date('Y-m-d H:i:s'), From d21ff134ebf4f8f38e1599d0f939aa82c5c44651 Mon Sep 17 00:00:00 2001 From: andryyy Date: Fri, 3 Feb 2017 08:47:41 +0100 Subject: [PATCH 03/15] Fix mailbox edit domain --- data/web/inc/functions.inc.php | 2 -- 1 file changed, 2 deletions(-) diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index 1750e023..d08aacc2 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -3393,8 +3393,6 @@ function mailbox_edit_domain($postarray) { } if ($MailboxData['maxquota'] > $maxquota) { - echo $MailboxData['maxquota']; - die(); $_SESSION['return'] = array( 'type' => 'danger', 'msg' => sprintf($lang['danger']['max_quota_in_use'], $MailboxData['maxquota']) From 0eaee3239c739459f4b2bf6da9d9539a4f434272 Mon Sep 17 00:00:00 2001 From: andryyy Date: Sun, 5 Feb 2017 20:50:49 +0100 Subject: [PATCH 04/15] Fix relay all rcpt display in edit form --- data/web/edit.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/web/edit.php b/data/web/edit.php index a9334833..6a287172 100644 --- a/data/web/edit.php +++ b/data/web/edit.php @@ -181,7 +181,7 @@ if (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] == "adm

- +

From 95c905e84a53d45b6cd7e8db0a49bcc94a1e9a47 Mon Sep 17 00:00:00 2001 From: andryyy Date: Wed, 8 Feb 2017 17:21:49 +0100 Subject: [PATCH 05/15] Add Roundcube reqs --- data/Dockerfiles/php-fpm/Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/data/Dockerfiles/php-fpm/Dockerfile b/data/Dockerfiles/php-fpm/Dockerfile index 0dc1061f..ad4b105d 100644 --- a/data/Dockerfiles/php-fpm/Dockerfile +++ b/data/Dockerfiles/php-fpm/Dockerfile @@ -8,6 +8,7 @@ RUN apt-get update \ RUN docker-php-ext-configure intl RUN docker-php-ext-install intl pdo pdo_mysql xmlrpc +RUN pear install channel://pear.php.net/Net_IDNA2-0.1.1 Auth_SASL Net_IMAP NET_SMTP Net_IDNA2 Mail_mime COPY ./docker-entrypoint.sh / From d9a3e987e901f3d21d6341068eb96a4a6b055dee Mon Sep 17 00:00:00 2001 From: andryyy Date: Wed, 8 Feb 2017 19:12:18 +0100 Subject: [PATCH 06/15] Add mime types and full path to fcgi params --- data/conf/nginx/site.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/data/conf/nginx/site.conf b/data/conf/nginx/site.conf index e543b84a..b349adc1 100644 --- a/data/conf/nginx/site.conf +++ b/data/conf/nginx/site.conf @@ -1,6 +1,7 @@ proxy_cache_path /tmp levels=1:2 keys_zone=sogo:10m inactive=24h max_size=1g; server { include /etc/nginx/conf.d/listen.active; + include /etc/nginx/mime.types; charset utf-8; override_charset on; ssl on; @@ -27,7 +28,7 @@ server { fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass phpfpm:9000; fastcgi_index index.php; - include fastcgi_params; + include /etc/nginx/fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param PHP_VALUE "max_execution_time = 1200 From a6d5bcecb77a6eeb29d08e4dfecb5563bb4a00c8 Mon Sep 17 00:00:00 2001 From: andryyy Date: Thu, 9 Feb 2017 22:22:48 +0100 Subject: [PATCH 07/15] Fix missing mailbox on sender acl --- data/web/inc/functions.inc.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
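Review bot: The added `pear install` line pulls `Auth_SASL`, `Net_IMAP`, `NET_SMTP`, `Net_IDNA2` and `Mail_mime` at whatever version the channel serves on build day, so two builds of the same Dockerfile can ship different code. Only `Net_IDNA2-0.1.1` is pinned, and `Net_IDNA2` is then listed a second time without a version. Pin each package the way the first one is (`Package-<version>`, versions to be chosen by the maintainers) and drop the duplicate, so the image is reproducible and a changed upstream release cannot enter the build unnoticed.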
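Review bot: The PHP location touched by the second hunk passes `$document_root$fastcgi_script_name` to `phpfpm:9000` after `fastcgi_split_path_info`, and no check that the script exists is visible in the hunk. If none sits in the part of the block outside this hunk, a URI whose `.php` component does not name a real script is still handed to PHP-FPM; `try_files $fastcgi_script_name =404;` before `fastcgi_pass` closes that, provided nginx sees the same web root as the PHP container. The location block starts and ends outside the hunk, so this needs confirming against the full file.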
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index d08aacc2..91c1a96b 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -4816,7 +4816,8 @@ function mailbox_get_sender_acl_handles($mailbox) { ':logged_in_as' => $mailbox, ':goto' => $mailbox )); - while ($row = array_shift($rows)) { + $rows_mbox = $stmt->fetchAll(PDO::FETCH_ASSOC); + while ($row = array_shift($rows_mbox)) { if (filter_var($row['address'], FILTER_VALIDATE_EMAIL) && hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $row['address'])) { $data['sender_acl_addresses']['selectable'][] = $row['address']; } From d6297d17c324fc4c48517b42a3decebfad8c440f Mon Sep 17 00:00:00 2001 From: Phoenix Eve Aspacio Date: Sat, 11 Feb 2017 13:20:04 +0800 Subject: [PATCH 08/15] Improved Autodiscover This update is for security purposes. --- data/web/autodiscover.php | 196 +++++++++++++++++++++----------------- 1 file changed, 106 insertions(+), 90 deletions(-) diff --git a/data/web/autodiscover.php b/data/web/autodiscover.php index a503b80c..5f9025e8 100644 --- a/data/web/autodiscover.php +++ b/data/web/autodiscover.php @@ -1,6 +1,4 @@ 'yes', 'autodiscoverType' => 'activesync', 
@@ -15,22 +13,43 @@ $config = array( 'ssl' => 'on' ), 'activesync' => array( - 'url' => 'https://' . $mailcow_hostname . '/Microsoft-Server-ActiveSync' + 'url' => 'https://'.$mailcow_hostname.'/Microsoft-Server-ActiveSync' ) ); -// If useEASforOutlook == no, the autodiscoverType option will be replaced to imap. + +/* ---------- DO NOT MODIFY ANYTHING BEYOND THIS LINE. IGNORE AT YOUR OWN RISK. ---------- */ + if ($config['useEASforOutlook'] == 'no') { if (strpos($_SERVER['HTTP_USER_AGENT'], 'Outlook')) { $config['autodiscoverType'] = 'imap'; } } -// Workaround for short open tags -echo ''; -?> - - PDO::ERRMODE_EXCEPTION, + PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC, + PDO::ATTR_EMULATE_PREPARES => false, +]; +$pdo = new PDO($dsn, $database_user, $database_pass, $opt); +$login_user = strtolower(trim($_SERVER['PHP_AUTH_USER'])); +$as = check_login($login_user, $_SERVER['PHP_AUTH_PW']); + +if (!isset($_SERVER['PHP_AUTH_USER']) OR $as !== "user") { + header('WWW-Authenticate: Basic realm=""'); + header('HTTP/1.0 401 Unauthorized'); + exit; +} else { + if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) { + if ($as === "user") { + header("Content-Type: application/xml"); + echo ''; + + $data = trim(file_get_contents("php://input")); + if(!$data) { list($usec, $sec) = explode(' ', microtime()); echo ''; echo ''; 
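Review bot: `$_SERVER['PHP_AUTH_USER']` and `$_SERVER['PHP_AUTH_PW']` are read and passed to `check_login()` before the `isset()` test that follows, so a first request without an `Authorization` header runs the login check with empty credentials and raises undefined-index notices. Test for the headers first, `if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) { /* send 401 and exit */ }`, and only then call `check_login()`. The nested `isset` and `$as === "user"` tests inside the `else` branch repeat what the outer condition already established and can be removed. Depending on how `check_login()` records failures, the current order may also count every unauthenticated probe as a failed login; that function is outside this diff.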
@@ -38,84 +57,81 @@ if(!$data) { echo ''; echo ''; exit(0); -} + } + $discover = new SimpleXMLElement($data); + $email = $discover->Request->EMailAddress; -$discover = new SimpleXMLElement($data); -$email = $discover->Request->EMailAddress; - -if ($config['autodiscoverType'] == 'imap') { -?> - - - email - settings - - IMAP - - - off - - off - - on - - - SMTP - - - off - - off - - on - on - off - - - - PDO::ERRMODE_EXCEPTION, - PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC, - PDO::ATTR_EMULATE_PREPARES => false, - ]; - $pdo = new PDO($dsn, $database_user, $database_pass, $opt); - $username = trim($email); - try { - $stmt = $pdo->prepare("SELECT `name` FROM `mailbox` WHERE `username`= :username"); - $stmt->execute(array(':username' => $username)); - $MailboxData = $stmt->fetch(PDO::FETCH_ASSOC); - } - catch(PDOException $e) { - die("Failed to determine name from SQL"); - } - if (!empty($MailboxData['name'])) { - $displayname = utf8_encode($MailboxData['name']); - } - else { - $displayname = $email; - } -?> - - en:en - - - - - - - - MobileSync - - - - - - - + if ($config['autodiscoverType'] == 'imap') { + ?> + + + email + settings + + IMAP + + + off + + off + + on + + + SMTP + + + off + + off + + on + on + off + + + + prepare("SELECT `name` FROM `mailbox` WHERE `username`= :username"); + $stmt->execute(array(':username' => $username)); + $MailboxData = $stmt->fetch(PDO::FETCH_ASSOC); + } + catch(PDOException $e) { + die("Failed to determine name from SQL"); + } + if (!empty($MailboxData['name'])) { + $displayname = utf8_encode($MailboxData['name']); + } + else { + $displayname = $email; + } + ?> + + en:en + + + + + + + + MobileSync + + + + + + + + From e35910fe4ec25c6c62bee1c2842190a56dddf479 Mon Sep 17 00:00:00 2001 
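Review bot: The address the response is built for is still taken from the request body (`$email = $discover->Request->EMailAddress;`), not from the account that just authenticated as `$login_user`. Parts of this hunk are missing from the page, but the `SELECT ... FROM mailbox` display-name lookup appears to be keyed on that body value as before, which would let any authenticated user read the name stored for another mailbox. Key the lookup on `$login_user`, or reject the request when the requested address is not one the authenticated mailbox owns. `new SimpleXMLElement($data)` also throws on a malformed body and is not wrapped in a `try`; catching that and returning an error response keeps bad input from surfacing as a PHP error page.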
From: andryyy Date: Sat, 11 Feb 2017 21:09:25 +0100 Subject: [PATCH 09/15] Handle alias domains the same way as their parents in sender_acl, thanks to @tehXor --- data/conf/postfix/sql/mysql_virtual_sender_acl.cf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/conf/postfix/sql/mysql_virtual_sender_acl.cf b/data/conf/postfix/sql/mysql_virtual_sender_acl.cf index 3707a2b2..52fc7d41 100644 --- a/data/conf/postfix/sql/mysql_virtual_sender_acl.cf +++ b/data/conf/postfix/sql/mysql_virtual_sender_acl.cf @@ -2,4 +2,4 @@ user = mailcow password = mysafepasswd hosts = mysql dbname = mailcow -query = SELECT goto FROM alias WHERE address='%s' AND active='1' AND domain IN (SELECT domain FROM domain WHERE domain='%d' AND active='1') UNION SELECT logged_in_as FROM sender_acl WHERE send_as='@%d' OR send_as='%s' AND logged_in_as NOT IN (SELECT goto FROM alias WHERE address='%s') UNION SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' AND alias.address = CONCAT('%u', '@', alias_domain.target_domain) AND alias.active ='1' AND alias_domain.active='1' +query = SELECT goto FROM alias WHERE address='%s' AND active='1' AND domain IN(SELECT domain FROM domain WHERE domain='%d' AND active='1') UNION SELECT logged_in_as FROM sender_acl WHERE send_as='@%d' OR send_as='%s' OR send_as IN ( SELECT CONCAT ('@',target_domain) FROM alias_domain WHERE alias_domain = '%d') OR send_as IN ( SELECT CONCAT ('%u','@',target_domain) FROM alias_domain WHERE alias_domain = '%d' ) AND logged_in_as NOT IN (SELECT goto FROM alias WHERE address='%s') UNION SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' AND alias.address = CONCAT('%u','@',alias_domain.target_domain) AND alias.active ='1' AND alias_domain.active='1 \ No newline at end of file From aa4abcb1bd675fad0a11514851b170c8d45e2131 Mon Sep 17 00:00:00 2001 
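Review bot: In the second `SELECT` of the new `query`, `AND logged_in_as NOT IN (...)` binds tighter than the `OR`s before it, so the exclusion applies only to the last `send_as IN (...)` branch and not to `send_as='@%d'`, `send_as='%s'` or the first alias-domain branch. If the exclusion is meant to cover every branch, group the alternatives: `WHERE (send_as='@%d' OR send_as='%s' OR send_as IN (...) OR send_as IN (...)) AND logged_in_as NOT IN (...)`. This map decides who may send as which address, so the grouping deserves an explicit choice and a short comment in the file. The same query line is carried unchanged into PATCH 11/15, which only restores the closing quote.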
From: andryyy Date: Sat, 11 Feb 2017 21:10:24 +0100 Subject: [PATCH 10/15] Revert selection of alias domains in sender acl --- data/web/inc/functions.inc.php | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index 91c1a96b..d7993388 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -4787,22 +4787,6 @@ function mailbox_get_sender_acl_handles($mailbox) { while ($row_domain = array_shift($rows_domain)) { if (is_valid_domain_name($row_domain['domain']) && hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $row_domain['domain'])) { $data['sender_acl_domains']['selectable'][] = $row_domain['domain']; - $stmt = $pdo->prepare("SELECT `alias_domain` FROM `alias_domain` - WHERE `target_domain` = :target_domain - AND `alias_domain` NOT IN ( - SELECT REPLACE(`send_as`, '@', '') FROM `sender_acl` - WHERE `logged_in_as` = :logged_in_as - AND `send_as` LIKE '@%')"); - $stmt->execute(array( - ':target_domain' => $row_domain['domain'], - ':logged_in_as' => $mailbox, - )); - $rows_ad = $stmt->fetchAll(PDO::FETCH_ASSOC); - while ($row_ad = array_shift($rows_ad)) { - if (is_valid_domain_name($row_ad['alias_domain']) && hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $row_ad['alias_domain'])) { - $data['sender_acl_domains']['selectable'][] = $row_ad['alias_domain']; - } - } } } From ba0448cc2624ca90ff82b8902dcdfb561ae5185f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Sun, 12 Feb 2017 19:28:36 +0100 Subject: [PATCH 11/15] Update mysql_virtual_sender_acl.cf Missing ' --- data/conf/postfix/sql/mysql_virtual_sender_acl.cf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/conf/postfix/sql/mysql_virtual_sender_acl.cf b/data/conf/postfix/sql/mysql_virtual_sender_acl.cf index 52fc7d41..02107e6e 100644 --- a/data/conf/postfix/sql/mysql_virtual_sender_acl.cf 
+++ b/data/conf/postfix/sql/mysql_virtual_sender_acl.cf @@ -2,4 +2,4 @@ user = mailcow password = mysafepasswd hosts = mysql dbname = mailcow -query = SELECT goto FROM alias WHERE address='%s' AND active='1' AND domain IN(SELECT domain FROM domain WHERE domain='%d' AND active='1') UNION SELECT logged_in_as FROM sender_acl WHERE send_as='@%d' OR send_as='%s' OR send_as IN ( SELECT CONCAT ('@',target_domain) FROM alias_domain WHERE alias_domain = '%d') OR send_as IN ( SELECT CONCAT ('%u','@',target_domain) FROM alias_domain WHERE alias_domain = '%d' ) AND logged_in_as NOT IN (SELECT goto FROM alias WHERE address='%s') UNION SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' AND alias.address = CONCAT('%u','@',alias_domain.target_domain) AND alias.active ='1' AND alias_domain.active='1 \ No newline at end of file +query = SELECT goto FROM alias WHERE address='%s' AND active='1' AND domain IN(SELECT domain FROM domain WHERE domain='%d' AND active='1') UNION SELECT logged_in_as FROM sender_acl WHERE send_as='@%d' OR send_as='%s' OR send_as IN ( SELECT CONCAT ('@',target_domain) FROM alias_domain WHERE alias_domain = '%d') OR send_as IN ( SELECT CONCAT ('%u','@',target_domain) FROM alias_domain WHERE alias_domain = '%d' ) AND logged_in_as NOT IN (SELECT goto FROM alias WHERE address='%s') UNION SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' AND alias.address = CONCAT('%u','@',alias_domain.target_domain) AND alias.active ='1' AND alias_domain.active='1' From ac6eda3e30d4c198cbf0ba803c41878a911c4ff6 Mon Sep 17 00:00:00 2001 From: Phoenix Eve Aspacio Date: Mon, 13 Feb 2017 08:54:11 +0800 Subject: [PATCH 12/15] Fix #46 --- data/web/autodiscover.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/data/web/autodiscover.php b/data/web/autodiscover.php index 5f9025e8..121bab88 100644 --- a/data/web/autodiscover.php +++ b/data/web/autodiscover.php 
@@ -25,7 +25,9 @@ if ($config['useEASforOutlook'] == 'no') { } } require_once 'inc/vars.inc.php'; -include_once 'inc/vars.local.inc.php'; +if(file_exists('inc/vars.local.inc.php')) { + include_once 'inc/vars.local.inc.php'; +} require_once 'inc/functions.inc.php'; $dsn = "$database_type:host=$database_host;dbname=$database_name"; From 8c496534c4c5cc69009f9f434d86363c70c35d8e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 13 Feb 2017 07:51:59 +0100 Subject: [PATCH 13/15] Update autodiscover.php --- data/web/autodiscover.php | 1 + 1 file changed, 1 insertion(+) diff --git a/data/web/autodiscover.php b/data/web/autodiscover.php index 121bab88..745d9da0 100644 --- a/data/web/autodiscover.php +++ b/data/web/autodiscover.php @@ -1,4 +1,5 @@ 'yes', 'autodiscoverType' => 'activesync', From 635ee7c6130d2397d56de6805c4276db5d222294 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Tue, 14 Feb 2017 11:45:52 +0100 Subject: [PATCH 14/15] Update autodiscover.php --- data/web/autodiscover.php | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/data/web/autodiscover.php b/data/web/autodiscover.php index 745d9da0..bdb9c8d3 100644 --- a/data/web/autodiscover.php +++ b/data/web/autodiscover.php @@ -1,4 +1,8 @@ 'yes', @@ -25,12 +29,7 @@ if ($config['useEASforOutlook'] == 'no') { $config['autodiscoverType'] = 'imap'; } } -require_once 'inc/vars.inc.php'; -if(file_exists('inc/vars.local.inc.php')) { - include_once 'inc/vars.local.inc.php'; -} require_once 'inc/functions.inc.php'; - $dsn = "$database_type:host=$database_host;dbname=$database_name"; $opt = [ PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, From 7781e5f37d4e830282b5780a2818b2a41465f232 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Tue, 14 Feb 2017 12:46:48 +0100 Subject: [PATCH 15/15] Update autodiscover.php --- data/web/autodiscover.php | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) 
diff --git a/data/web/autodiscover.php b/data/web/autodiscover.php index bdb9c8d3..f1125436 100644 --- a/data/web/autodiscover.php +++ b/data/web/autodiscover.php @@ -1,8 +1,6 @@ 'yes', @@ -22,6 +20,10 @@ $config = array( ) ); +if(file_exists('inc/vars.local.inc.php')) { + include_once 'inc/vars.local.inc.php'; +} + /* ---------- DO NOT MODIFY ANYTHING BEYOND THIS LINE. IGNORE AT YOUR OWN RISK. ---------- */ if ($config['useEASforOutlook'] == 'no') {