[Dovecot] move sogo sso to mailcowauth.php

mailcow · Feb 26, 2024 · 6928eb6 · 6928eb6
1 parent 010d898
commit 6928eb6
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 14 deletions.
diff --git a/data/Dockerfiles/dovecot/docker-entrypoint.sh b/data/Dockerfiles/dovecot/docker-entrypoint.sh
@@ -200,13 +200,6 @@ EOF
 # Create random master Password for SOGo SSO
 RAND_PASS=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1)
 echo -n ${RAND_PASS} > /etc/phpfpm/sogo-sso.pass
-cat <<EOF > /etc/dovecot/sogo-sso.conf
-# Autogenerated by mailcow
-passdb {
-  driver = static
-  args = allow_real_nets=${IPV4_NETWORK}.248/32 password={plain}${RAND_PASS}
-}
-EOF
 
 if [[ "${MASTER}" =~ ^([nN][oO]|[nN])+$ ]]; then
   # Toggling MASTER will result in a rebuild of containers, so the quota script will be recreated

diff --git a/data/conf/dovecot/auth/mailcowauth.php b/data/conf/dovecot/auth/mailcowauth.php
@@ -45,20 +45,30 @@
 require_once 'sessions.inc.php';
 require_once 'functions.mailbox.inc.php';
 
-// Init provider
-$iam_provider = identity_provider('init');
-
 
+$isSOGoRequest = $post['real_rip'] == getenv('IPV4_NETWORK') . '.248';
+$result = false;
 $protocol = $post['protocol'];
-if ($post['real_rip'] == getenv('IPV4_NETWORK') . '.248') {
+if ($isSOGoRequest) {
   $protocol = null;
+  // This is a SOGo Auth request. First check for SSO password.
+  $sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass");
+  if ($sogo_sso_pass === $post['password']){
+    error_log('MAILCOWAUTH: SOGo SSO auth for user ' . $post['username']);
+    $result = true;
+  }
+
 }
-$result = user_login($post['username'], $post['password'], $protocol, array('is_internal' => true));
 if ($result === false){
   $result = apppass_login($post['username'], $post['password'], $protocol, array(
     'is_internal' => true,
     'remote_addr' => $post['real_rip']
   ));
+  if ($result) error_log('MAILCOWAUTH: App auth for user ' . $post['username']);
+}
+if ($result === false){
+  $result = user_login($post['username'], $post['password'], $protocol, array('is_internal' => true));
+  if ($result) error_log('MAILCOWAUTH: User auth for user ' . $post['username']);
 }
 
 if ($result) {

diff --git a/data/conf/dovecot/dovecot.conf b/data/conf/dovecot/dovecot.conf
@@ -303,7 +303,6 @@ replication_dsync_parameters = -d -l 30 -U -n INBOX
 !include_try /etc/dovecot/sni.conf
 !include_try /etc/dovecot/sogo_trusted_ip.conf
 !include_try /etc/dovecot/extra.conf
-!include_try /etc/dovecot/sogo-sso.conf
 !include_try /etc/dovecot/shared_namespace.conf
 # </Includes>
 default_client_limit = 10400

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -237,7 +237,7 @@ services:
             - sogo
 
     dovecot-mailcow:
-      image: mailcow/dovecot:nightly-20240208
+      image: mailcow/dovecot:nightly-20240226
       depends_on:
         - mysql-mailcow
         - netfilter-mailcow