SOGo | BTS - Issues

0006181: SOGo OpenID Problem - Redirect URI?

Thu, 12 Mar 2026 07:35:28 +0000

Dear SOGo Team,

While setting up OpenID login for SOGo, I noticed that the required SOGo redirect URI isn't mentioned in any of the instructions. That's why I'm reporting this here, so that this information can be added to the instructions.

As an alternative, I looked up the address in the compound URL of the link that initially leads to the OpenID provider. For example, it looks like this:
"https://sogo.domain.tld/SOGo/"

Buit, isn't something missing?
Because when I access this URI, I end up, as expected, at "https://sogo.domain.tld/SOGo/so" and thus back in the SOGo login window.

And if I enter this address as the redirect URI in the OpenID provider anyway, the OpenID login process logically results in a redirect loop (which eventually terminates).

As a workaround, I then enter this address as the redirect URI in the OpenID provider.
If I add to the address, for example:
"/oauth2/callback" (found somewhere)
or "/SOGo/so/oidc/callback" (found in the mailing list),
...the redirect is rejected as invalid.

Unfortunately, I haven't found anything useful about this problem in the mailing list—only the aforementioned non-functional URIs.

Could someone please confirm what a correct redirect URI would be? Or what else should I consider?

My SOGo is version 5.12.4 (build@9a1f640bd211 202511171326) and is running as a container within a Nethserver 8 container orchestrator.

Otherwise, SOGo is a great piece of software and has been running very reliably for years—excellent!

Regards, Yummiweb

0006180: HTML emails from Outlook/Word render incorrectly in SOGo webmail (mso-* CSS)

Tue, 10 Mar 2026 16:54:11 +0000

Hello,

We are running SOGo v5.12.4 as webmail for our clients and have identified a rendering issue with HTML emails generated by Microsoft Outlook/Word.

**Problem:**
Emails composed in Outlook/Word contain proprietary Microsoft CSS properties (mso-*, mso-line-height, mso-margin-top-alt, etc.) that SOGo's HTML viewer does not process.

This results in:
- Excessive whitespace / broken layout in the message body
- In some cases, the message body appears completely blank

0006179: CardDAV Shared Read only Address books has empty property current-user-privilege-set in discovery

Tue, 10 Mar 2026 11:55:09 +0000

Hello Sogo Team,

I'd Like to report a bug with the CardDAV Implementation for address books that are shared with read only privileges.

System is sogo 5.9.1 using Thunderbird 148 as client.

Thunderbird will get a response in CardDAV calendar discovery that contains a empty current-user-privilege-set instead of the correct read privilege prop. That's why Thunderbird won't show this address book as "addable".

Ways to make Thundebird discover the adress book:

1) If one would override this check in the debug mode of Thunderbird by changing the variables to readable=true. It shows up and is usable perfectly fine (thus showing that it is indeed readable).

2) Also, if the property would be omitted completely (which I did also in the Thunderbird debugger) one is able to discover, add and use the address books just fine.

3) Perfectly correct would be to include the read privilege as shown below.

Example response for a "bad" read only shared address book response:

/SOGo/dav/sharinguser/Contacts/6DDF-6551C400-B-23F36E80/HTTP/1.1 200 OK

http://groupdav.org/"/> xmlns="urn:ietf:params:xml:ns:carddav"/>

Adressbook( <sharinguser@domain.de>)

/SOGo/dav/myuser

Correctly it should be:

'/SOGo/dav/sharinguser/Contacts/6DDF-6551C400-B-23F36E80/HTTP/1.1 200 OK

http://groupdav.org/"/> xmlns="urn:ietf:params:xml:ns:carddav"/>

Adressbook( <sharinguser@domain.de>)

/SOGo/dav/myuser

0006167: Email preview fails when message contains more than 250 embedded HTML tags

Tue, 10 Mar 2026 11:37:52 +0000

Symptoms:

- Email preview does not render/display correctly
- No errors are shown in the logs
- The email displays correctly when opened in edit mode
- Other email clients (Thunderbird, Roundcube) display the same emails correctly in preview mode

0006178: SOGo5 fails to build on opensuse LINUX - NON DOCKER

Fri, 06 Mar 2026 17:22:19 +0000

Hi team,

starting from version 5.12.2 the build of SOGo5 fails.
Last working version was 5.12.1

You switched to libcurl https://github.com/Alinto/sogo/commit/a782424a30cfe8e9c6f2769a45bcdd3498679237#diff-29c8fb0a4a95e2d446edfa1c9ddb2e8f2293a28c0a0d1a7498bca0d6a2772dc1 , and this causes problems here:

0006168: Signature duplication when switching identities while composing email

Wed, 04 Mar 2026 09:28:02 +0000

We have identified an issue with signature management when composing emails with accounts that have multiple identities configured.

Symptoms:

- When composing a new email, the default user signature is inserted automatically
- When switching to a different identity, the new identity's signature is added to the message
- The original default signature is NOT removed, resulting in duplicate signatures
- Both the default user signature and the identity-specific signature appear in the email body

Expected behavior:
When switching to a different identity while composing an email, the previous signature should be removed and replaced with the signature associated with the newly selected identity. Only one signature should be present at any time.

0006173: Contact search fails for names starting with umlauts / diacritics (e.g. Ä, Ö)

Wed, 04 Mar 2026 09:27:52 +0000

Hello,

we are seeing an issue with SOGo contact search when contact display names contain multiple umlauts/diacritics, especially when the name starts with an umlaut (e.g. Ä).

It looks like certain partial search terms do not return the expected contact, even though other partial terms or the full name work.

Expected result:
The contact should be returned for all matching partial queries (prefix / substring search), regardless of umlauts/diacritics.

Actual result:
The contact "Aböabc" can be found with:
- "Ab"
- "Abc"
- "öabc"
- "Aböabc"

But it cannot be found with:
- "Abö"
- "bö"
- "öa"
- "öab"

This is confusing but still workable because the contact can be found with the full name.

However, the issue becomes more problematic when the name starts with an umlaut:

Example contact: "Äböa"

Searching for "Äböa" does NOT return the contact.
Only the following searches return it:
- "böa"
- "öa"

0006177: List in adress book : no more autocomplete to add contact

Wed, 04 Mar 2026 09:27:29 +0000

Impossible to add a contact to a list, the member field doesn't provide autocomplete functionality.

0006002: When inviting someone to an event on someone else's calendar the organizer ir wrong

Tue, 17 Feb 2026 15:45:04 +0000

When creating an event on someone else's calendar and choosing the first attendee, the organizer is shown incorrectly.

Instead of showing the owner of the calendar as organizer, the user shown is the first in alphabetical order.

When checking the event details afterwards, the organizer is then shown correctly.

We are using LDAP authentication and feeding groups via LDAP too.

0006145: Build packages for Debian 13 (trixie)

Fri, 13 Feb 2026 10:47:16 +0000

Dear developers,

Debian 13 was released[1] on Aug 9th 2025, any plan to build packages for it?
I didn't find packages in current repos[2][3].

[1] https://www.debian.org/News/2025/20250809
[2] https://packages.sogo.nu/nightly/5/debian/dists/
[3] https://packagingv2.sogo.nu/sogo-nightly-debian/dists/index.html

0006176: Webdav PUT request fails if ICS file or VCF files containts non-ascii characters

Mon, 09 Feb 2026 08:53:25 +0000

Uploading a VCF or ICS file with non-ascii characters in its content through Webdav on SOGo results on an error.

This error is "500 Request Failed" for VCF files, and "400 Request Failed" for ICS files

This error occurs even though the VCF or ICS file was downloaded from the same SOGo server without any edit.

Removing the non-ascii characters from the ICS or VCF file and uploading it again does not generate an error.

0006073: Unsubcribing from shared calendar in Thunderbird from an admin account deletes the calendar.

Mon, 09 Feb 2026 08:03:50 +0000

When an admin account unsubscribe from a shared calendar from Thunderbird, a DELETE is sent to the sogo server, resulting in deleting the whole calendar from the database.
Hence, when the owner of the calendar tries to access it, a new empty calendar is created.

A calendar should not be able to be wholly deleted when the user is not the owner (or with sogo-tools). Unsubcribing from Thunderbird should unsubscribe and not delete the calendar.

0004600: Multiple reminders per event

Wed, 04 Feb 2026 14:03:52 +0000

I am using mailcow which implements SOGo. As of now it is not possible for me to set multiple reminders (which I can using the standard iCloud Cal).
But to be honest, I am not sure whether the problem is on iOS/MacOS, Mailcow or SOGo.

If it's the latter, it would be really great if this could be supported in the future.

0006172: HTML sanitizer removes clickable area for newsletters using wrapping
Mon, 19 Jan 2026 08:47:56 +0000
We are SOGo administrators and have received multiple user reports regarding newsletters from well-known companies and media outlets where “Read more” buttons or large clickable areas are not clickable in SOGo, while they work as expected in other mail clients such as Roundcube, Thunderbird, and Gmail.

After analysis, this behavior is caused by SOGo sanitizing HTML patterns where an element wraps a block-level

. When sanitized, the anchor is removed or neutralized, leaving visually styled buttons (usually
elements) without an actual inside, making them non-clickable.

Technically, the HTML in these newsletters is not ideal, as the button text itself is not wrapped in an anchor. Instead, the layout relies on a parent element wrapping a table. Other mail clients apply heuristic rendering and still make the area clickable. SOGo, correctly prioritizing security and standards, does not.

However, from an operational and user-experience perspective, this leads to a recurring issue:
end users cannot interact with legitimate content from widely used senders, and administrators are repeatedly asked to justify why SOGo behaves differently.

Minimal example (simplified)

">https://example.com">

Read more

After sanitization, the is removed or detached, leaving a styled without a clickable link.

0005992: Repeating events are not shown in Webmail BEFORE importing into calendar

Sun, 18 Jan 2026 13:15:08 +0000
If you get an invite for an repeating event from a companies e-mail sent by Microsoft Outlook via Exchange the preview by SoGo shows only the first occurence of the meeting but neither that's a repeating event nor the other and last occurences.
This is very annoying as the user will crosscheck with first occurence, agrees to one meeting and will learn that he accepted unintentionally a whole bunch of meetings.

A (blurred) screenshot is attached as well an excerpt of the ics file:

RRULE:FREQ=WEEKLY;UNTIL=20241119T120000Z;INTERVAL=2;BYDAY=TU;WKST=MO
DTSTART;TZID=W. Europe Standard Time:20240730T130000
DTEND;TZID=W. Europe Standard Time:20240730T140000
CLASS:PUBLIC
PRIORITY:1
DTSTAMP:20240722T114355Z
LOCATION;LANGUAGE=de-DE:Microsoft Teams-Besprechung

Currently we are looking into the *.ics file manually before accepting an event from people who want to invite us.
As this is a very hard workaround we would favour if this clould be fixed soon. Thank you very much!

The Bahnkonzept team from Dresden/Germany

0006143: Data Loss When Exporting Contacts with Multiple Phone Numbers

Sun, 18 Jan 2026 12:39:25 +0000
When exporting contacts from the address book, not all phone numbers are included if a contact contains multiple numbers of the same type (e.g., two "Work" phone numbers). Only the first number is exported, while all subsequent numbers of the same type are lost.

Expected Behavior:
All phone numbers should be exported regardless of type, as this complies with the VCard standard (RFC 6350 allows multiple values per property type).

0006085: Details of an event are not correct reset/modified when copying this event (causes invitations that cannot be accepted)

Sun, 18 Jan 2026 12:34:55 +0000
When events are copied by the three dot menu in same or other calendar only the UID is changed (CORRECT BEHAVIOUR) but other details of the event like CREATED, LAST-MODIFIED and SEQUENCE (if changed before) are not set in same manner like new event. This prevents the participants from accepting the copied event in some clients as well the creator to insert / update the notifications. Other malfunctions cannot be ruled out.
Please read the reproduction steps to follow in order to eliminate the certainly minor error.

So please, whenever coping an event in SoGo Webmail:
- Create new UID (already working)
- Set SEQUENCE to 0 or remove (not working in 5.11.2)
- Set CREATED to copy time like in new created events (not working in 5.11.2)
- Set LAST-MODIFIED to CREATED like in new created events (not working in 5.11.2)

Maybe the proposal 0005820 can be solved too, when working on this bug.

Thanks a lot.

0005348: Invitation send to alias address cannot be accepted nor added to calendar

Sun, 18 Jan 2026 12:27:01 +0000
If an invitation is send to alias@example.com which redirects to the SoGO user user1@example.com, then user1@example.com is not able to accept this invitation nor is there any possibility to add the invitation to the calendar.

0003981: images are not handled properly in forwarded or replied to messages

Sun, 18 Jan 2026 12:26:39 +0000
I use SOGo demo web interface here: http://demo.sogo.nu/SOGo/

1. Compose new message and paste an image from clipboard in the message body (image mustn't be copied from web browser; it has to be copied from external program, i.e. snipping tool or mspaint)

2. Send this message to yourself (to be sure that it is sent and received in SOGo web interface)

3a. When message arrives in your inbox, open it and choose "Forward". Image from message body is no longer in the body. Instead it is just attached as ordinary attachment (PROBLEM 1)

3b. When message arrives in your inbox, open it and choose "Reply". Image from message body disappears completely (PROBLEM 2)

0006158: Cross-Site Scripting (XSS) - Stored

Wed, 14 Jan 2026 16:19:27 +0000
Stored Cross-Site Scripting occurs when an application receives data from an untrusted source and then includes that data in its subsequent HTTP responses in an insecure manner

It is possible to set other undefined values in the category name, and to add XSS scripts.

Endpoint: /Preferences#!/addressbooks

0006171: Calendar ACLs set via sogo-tool are lost when accessing the web interface

Wed, 14 Jan 2026 08:55:16 +0000
We have a problem with our users losing access to some of the SOGo calendars they should be subscribed to.

We have a script that ensures all of our users are subscribed to certain important company calendars.
So basically, we first set the permissions for a given group (we do this just once, when a shared calendar is created).

```
sogo-tool manage-acl add calendaruser Calendar/XXX-XXXXXXXX-XX-12345678 '@somegroup' '["ObjectCreator", "PublicModifier", "ConfidentialModifier", "PrivateModifier"]'
```

and then we subscribe the group via a cron that is run daily, to ensure new users get added to where they belong:

```
sogo-tool manage-acl subscribe calendaruser Calendar/XXX-XXXXXXXX-XX-12345678 '@somegroup'
```

After this command is run, the status in the database is apparently correct, with `someuser` (a member of @somegroup) having `FolderShowAlarms`, `FoldersOrder` and `SubscribedFolders`. So far, so good and as expected.
However, as soon as someuser logs into the web interface and uses SOGo, they will drop the SubscribedFolders item, and thus will stop seeing the calendar.
Are we managing ACLs correctly, or is there a bug here in recent 5.12.X versions?

0006170: Allow to display remote images from known senders

Mon, 12 Jan 2026 08:05:28 +0000
It would be nice to have ability not only display remote images in case of "always" or "never", but:
1. do never display remote images from "Spam/Junk" folders, no matter what settings configured, due to security reasons
2. in addition to "always" and "never" add new option: display remote images from emails listed in "contact book"

I understand that it would be hard (in terms of performance) to save and read data about "user preferences" per email or per remote site like apps like Thunderbird allows to "always display images from sender X", but at least we can utilize existing functionality of "contact book" to decide if user "trust" sender or not, thank you in advance.

0006169: Image signature scaling issue: missing height attribute in style tag causes display problems in other email clients

Tue, 30 Dec 2025 11:09:37 +0000
We have found a bug related to image scaling in email signatures. When an image is resized within the signature editor, the generated HTML code is incomplete, causing display issues when the email is received by other email clients.

Symptoms:

- When resizing an image in the signature editor, the style tag only includes the width attribute
- The height attribute is missing from the style tag
- The original height attribute remains in the tag
- This causes a mismatch: width from style + height from img tag
- Recipients using other email clients see distorted/broken images due to incorrect aspect ratio

0006166: SOGo Connector subscribe buttons are missing for address books in Thunderbird 128+

Thu, 25 Dec 2025 21:25:00 +0000
When using Thunderbird 128/140 with SOGo Connector installed.
Subscribe buttons for calendars are displayed when SOGo Connector is installed, however they are missing in address books.

0006038: PLain text emails must be possible

Wed, 17 Dec 2025 07:34:59 +0000
1. It must be possible to write emails in plain text.
2. It must be possible to read emails in plain text.

Both is currently not possible but crucial to fight spam and fishing.

details 1.:
The admins must be able to disable the WYSIWYG editor installation wide.
The users must be able to disable the WYSIWYG editor in their account in general or disable it on a per message basis.

details 2.:
The admins must be able to force "read messages in plain text" installation wide.
The users must be able to force "read messages in plain text" as default in their account or on a per message basis.