|
|
Please show your sogo.conf. |
|
|
|
Default configuration from iRedAdmin, most standard comments stripped for size.
{
WOPort = 127.0.0.1:20000;
LDAPDebugEnabled = YES;
WOWorkersCount = 40;
SOGoMaximumPingInterval = 3540;
SOGoMaximumSyncInterval = 3540;
SOGoInternalSyncInterval = 30;
WOWatchDogRequestTimeout = 60;
SOGoMaximumSyncWindowSize = 100;
SOGoMaximumSyncResponseSize = 2048;
SxVMemLimit = 1024;
SOGoProfileURL = "mysql://sogo:<redacted>@127.0.0.1:3306/sogo/sogo_user_profile";
OCSFolderInfoURL = "mysql://sogo:<redacted>@127.0.0.1:3306/sogo/sogo_folder_info";
OCSSessionsFolderURL = "mysql://sogo:<redacted>@127.0.0.1:3306/sogo/sogo_sessions_folder";
OCSEMailAlarmsFolderURL = "mysql://sogo:<redacted>@127.0.0.1:3306/sogo/sogo_alarms_folder";
SOGoLanguage = English;
SOGoLoginModule = Mail;
SOGoForceExternalLoginWithEmail = YES;
SOGoMailCustomFromEnabled = YES;
SOGoEnableEMailAlarms = YES;
SOGoPageTitle = Mail;
SOGoIMAPServer = "imap://127.0.0.1:143/";
SOGoSMTPServer = 127.0.0.1;
SOGoMailingMechanism = smtp;
SOGoSieveServer = sieve://127.0.0.1:4190;
SOGoSieveScriptsEnabled = YES;
SOGoVacationEnabled = YES;
SOGoForwardEnabled = YES;
SOGoSieveFolderEncoding = UTF-8;
SOGoMemcachedHost = 127.0.0.1;
SOGoTimeZone = "Europe/Zurich";
SOGoFirstDayOfWeek = 1;
SOGoRefreshViewCheck = every_5_minutes;
SOGoMailReplyPlacement = below;
SOGoAppointmentSendEMailNotifications = YES;
SOGoFoldersSendEMailNotifications = YES;
SOGoACLsSendEMailNotifications = YES;
SOGoPasswordChangeEnabled = YES;
// Authentication using SQL
/* SQL backend
SOGoUserSources = (
{
type = sql;
id = users;
viewURL = "mysql://sogo:<redacted>@127.0.0.1:3306/sogo/users";
canAuthenticate = YES;
userPasswordAlgorithm = ssha;
prependPasswordScheme = YES;
isAddressBook = NO;
displayName = "Domain Address Book";
SOGoEnableDomainBasedUID = YES;
DomainFieldName = "domain";
}
);
SQL backend */
// Authentication using LDAP
SOGoUserSources = (
{
type = ldap;
hostname = "ldap://127.0.0.1:389";
baseDN = "o=domains,dc=server1,dc=organisation,dc=com";
//bindAsCurrentUser = YES;
bindDN = "cn=vmailadmin,dc=server1,dc=organisation,dc=com";
bindPassword = "<redacted>";
filter = "objectClass=mailUser AND accountStatus=active AND enabledService=mail AND enabledService=sogo";
scope = SUB;
userPasswordAlgorithm = ssha;
IDFieldName = mail;
bindFields = (mail);
CNFieldName = cn;
UIDFieldName = mail;
IMAPLoginFieldName = mail;
SearchFieldNames = (cn, sn, displayName, telephoneNumber, mail, shadowAddress);
canAuthenticate = YES;
displayName = "Global Address Book";
id = ldap_auth;
isAddressBook = NO;
}
);
} |
|
|
|
That is normal - DomainFieldName is for SQL sources only.
For LDAP sources, correctly define domains in SOGo.conf and set a SOGoUserSources per domain. |
|
|
|
The LDAP is our repository for all customer domains. This would mean I would have to add every domain (about 20 at the moment) into that configuration file. Is there a limit for SOGoUserSources and how does it impact performance?
After inserting two SOGoUserSources entries on the test system, ldap debug showed that all UserSources where queried regardless of the domain field, and again all emails were shown. So even when entered manually as described in https://sogo.nu/files/docs/SOGoInstallationGuide.html#_multi_domains_configuration the issue remains. |
|
|
|
There is no limit in SOGo for the number of domains usable.
If your LDAp can handle it, there is no performance impact.
Did you set "SOGoEnableDomainBasedUID = YES;" ?
What have you set in SOGoDomainsVisibility ? |
|
|
|
As stated, I configured the system as described in your installation guide.
If it is incomplete, please add the missing information.
Or make clear that it is not possible to use SOGo with one ldap server and multiple domains/tenants that shall not see each others cid in the frontend.
I assume that it is working but I configured it wrong:
Is it planed to get this multi domain support with ldap without having to alter the configuration file each time a domain is added to the ldap/system, so the
functionality as in the sql version? |
|
|
|
Perhaps you should provide your changed sogo.conf, so we can see where your problem is. |
|
|
|
Hello again.
Just had the time now to set up a test environment again - still with this issue.
I have one ldap server for all domains. I have attached the sogo.conf - no worries about the unredacted passwords, they are autogenerated at each new installation and exist on that internal VM only.
With this configuration, according to https://sogo.nu/files/docs/SOGoInstallationGuide.html#_multi_domains_configuration and https://sogo.nu/bugs/view.php?id=4192#c11990 I should be able to login to the system and not have access to other users data.
But I have.
Setup again:
- example1.com with user1@example1.com, user2@example2.com
- example2.com with user1@example2.com, user2@example2.com
- vipdomain.com with user1@vipdomain.com
My steps again:
- Login as user1@vipdomain.com
- Goto Calendar
- Click on Subscriptions "+" (dialog Subscribe to a shared folder opens)
- Enter "user"
- Dialog shows list "user1@example1.com, user2@example1.com, user1@example2.com, user2@example2.com"
So user1@vipdomain.com sees ALL email adresses on the system. This does not happen when not using ldap, but we rely on that ldap and need this functionality. |
|
|
|
sogo.conf (12,708 bytes)
{
//
// - Official SOGo document: http://sogo.nu/support/index.html#/documentation
// - Mailing list: http://sogo.nu/support/index.html#/community
//
// Daemon address and port
WOPort = 127.0.0.1:20000;
// PID file
//WOPidFile = /var/run/sogo/sogo.pid;
// Log file
//WOLogFile = /var/log/sogo/sogo.log;
// Enable verbose logging. Reference:
// http://www.sogo.nu/nc/support/faq/article/how-to-enable-more-verbose-logging-in-sogo.html
//SOGoDebugRequests = YES;
//SOGoEASDebugEnabled = YES;
//ImapDebugEnabled = YES;
LDAPDebugEnabled = YES;
//MySQL4DebugEnabled = YES;
//PGDebugEnabled = YES;
// Define the URL to online help for SOGo. When set, an additional icon
// will appear near the logout button in SOGo's web interface. The URL
// will always be open in a blank target.
//SOGoHelpURL = '';
// set the maximum allowed size for content being sent to SOGo, this can
// also limit the file attachment size being uploaded to SOGo when
// composing a mail.
// The value is in kilobyte. Default is 0 or disabled (unlimit).
WOMaxUploadSize = 15360;
// Parameter used to set the maximum allowed email message size when
// composing a mail.
// The value is in kilobytes. By default, the value is 0, or disabled so
// no limit will be set.
SOGoMaximumMessageSizeLimit = 15360;
// Performance Tuning
//
// The amount of instances of SOGo that will be spawned to handle multiple
// requests simultaneously. When started from the init script, that amount
// is overriden by the `PREFORK=` setting in /etc/sysconfig/sogo or
// /etc/default/sogo. A value of 3 is a reasonable default for low usage.
// The maximum value depends on the CPU and IO power provided by your
// machine: a value set too high will actually decrease performances under
// high load.
//
// You should have at least one child per EAS device configured to use
// "push". You must also have more children than you have EAS devices
// configured to use "push" - in order to handle normal SOGo requests to
// its Web or DAV interfaces.
//
// Defaults to 1 when unset, increase it if you see below error message in
// sogo log file: 'No child available to handle incoming request'
//
// WARNING:
// - on RHEL/CentOS, this setting is controlled by parameter
// 'PREFORK=' defined in /etc/sysconfig/sogo.
// - on Debian/Ubuntu, this setting is controlled by parameter
// 'PREFORK=' defined in /etc/default/sogo.
WOWorkersCount = 10;
// Parameter used to set the maximum amount of time, in seconds, SOGo will
// wait before replying to a Ping command.
// If not set, it defaults to 10 seconds.
SOGoMaximumPingInterval = 3540;
// Parameter used to set the maximum amount of time, in seconds, SOGo will
// wait before replying to a Sync command.
// If not set, it defaults to 30 seconds.
SOGoMaximumSyncInterval = 3540;
// Parameter used to set the maximum amount of time, in seconds, SOGo will
// wait before doing an internal check for data changes (add, delete, and
// update). This parameter must be lower than SOGoMaximumSyncInterval and
// SOGoMaximumPingInterval.
// If not set, it defaults to 10 seconds.
SOGoInternalSyncInterval = 30;
// Specifies the number of minutes after which a busy child process will be
// killed by the parent process.
// Defaults to 10 (minutes).
WOWatchDogRequestTimeout = 61;
// Overwrite the maximum number of items returned during a Sync operation.
// Defaults to 0, which means no overwrite is performed.
// Setting this parameter to a value greater than 512 will have unexpected
// behaviour with various ActiveSync clients.
//SOGoMaximumSyncWindowSize = 100;
// Overwrite the maximum response size during a Sync operation.
// The value is in kilobytes. Setting this to 512 means the response size
// will be of 524288 bytes or less (or a bit greater if needed for syncing
// one item). Note that if you set the value too low and a mail message
// (or any other object like calendar events, tasks and contacts) surpasses
// it, it will still be synced but only this item will be.
// Defaults to 0, which means no overwrite is performed.
//
// Say you have these five mails and you set the limit to 512KB:
// 1. 250 KB
// 2. 250 KB
// 3. 25 KB
// 4. 750 KB
// 5. 10 KB
// Sync iteration no. 1 will pick message 1, 2 and 3.
// Sync iteration no. 2 will pick message 4.
// Sync iteration no. 3 will pick message 5.
SOGoMaximumSyncResponseSize = 2048;
// The maximum amount of memory (in megabytes) that a child can use.
// Reaching that value will force children processes to restart, in order
// to preserve system memory.
//
// Error message when it reaches the value:
// "terminating app, vMem size limit (xxx MB) has been reached (currently xxx MB)"
//
// Defaults to 384.
SxVMemLimit = 500;
// Enable XSRF (also known as CSRF) protection.
SOGoXSRFValidationEnabled = YES;
// IMAP connection pool.
// Your performance will slightly increase, as you won't open a new
// connection for every access to your IMAP server.
// But you will get a lot of simultaneous open connections to your IMAP
// server, so make sure he can handle them.
// For debugging it is reasonable to turn pooling off.
//NGImap4DisableIMAP4Pooling = NO;
SOGoProfileURL = "mysql://sogo:MxIpwW834kkv2OdA0sr71A3mNNJ2pk@127.0.0.1:3306/sogo/sogo_user_profile";
OCSFolderInfoURL = "mysql://sogo:MxIpwW834kkv2OdA0sr71A3mNNJ2pk@127.0.0.1:3306/sogo/sogo_folder_info";
OCSSessionsFolderURL = "mysql://sogo:MxIpwW834kkv2OdA0sr71A3mNNJ2pk@127.0.0.1:3306/sogo/sogo_sessions_folder";
OCSEMailAlarmsFolderURL = "mysql://sogo:MxIpwW834kkv2OdA0sr71A3mNNJ2pk@127.0.0.1:3306/sogo/sogo_alarms_folder";
// With 3 parameters below, SOGo requires only 9 SQL tables in total
// instead of creating 4 SQL tables for each user.
OCSCacheFolderURL = "mysql://sogo:MxIpwW834kkv2OdA0sr71A3mNNJ2pk@127.0.0.1:3306/sogo/sogo_cache_folder";
OCSStoreURL = "mysql://sogo:MxIpwW834kkv2OdA0sr71A3mNNJ2pk@127.0.0.1:3306/sogo/sogo_store";
OCSAclURL = "mysql://sogo:MxIpwW834kkv2OdA0sr71A3mNNJ2pk@127.0.0.1:3306/sogo/sogo_acl";
// Default language in the web interface
SOGoLanguage = English;
// Specify which module to show after login: Calendar, Mail, Contacts.
SOGoLoginModule = Mail;
// Must login with full email address
SOGoForceExternalLoginWithEmail = YES;
// Allow user to change full name and email address.
SOGoMailCustomFromEnabled = NO;
// IMAP server
// Local connection is considered as secure by Dovecot, so 'imap://' is fine.
// With remote IMAP server, use 'imaps://127.0.0.1:143/?tls=YES' instead;
SOGoIMAPServer = "imap://127.0.0.1:143/";
// Allow user to add other IMAP accounts that will be visible from the SOGo
// Webmail interface.
// Default is NO.
//SOGoMailAuxiliaryUserAccountsEnabled = YES;
// SMTP server
SOGoSMTPServer = 127.0.0.1;
SOGoMailingMechanism = smtp;
//SOGoSMTPAuthenticationType = PLAIN;
// Enable managesieve service
//
// WARNING: Sieve scripts generated by SOGo is not compatible with Roundcube
// webmail, don't use sieve service in both webmails, otherwise
// it will be messy.
//
//SOGoSieveServer = sieve://127.0.0.1:4190;
//SOGoSieveScriptsEnabled = YES;
//SOGoVacationEnabled = YES;
//SOGoForwardEnabled = YES;
SOGoSieveFolderEncoding = UTF-8;
// Memcached
SOGoMemcachedHost = 127.0.0.1;
// Parameter used to set which usernames require administrative privileges
// over all the users tables. For example, this could be used to post
// events in the users calendar without requiring the user to configure
// his/her ACLs. In this case you will need to specify those superuser's
// usernames like this :
// SOGoSuperUsernames = (<username1>[,<username2>, ...]);
//SOGoSuperUsernames = ();
SOGoTimeZone = "America/New_York";
SOGoFirstDayOfWeek = 1;
SOGoRefreshViewCheck = every_5_minutes;
SOGoMailReplyPlacement = below;
// Disable gravatar
SOGoExternalAvatarsEnabled = NO;
SOGoGravatarEnabled = NO;
//
// Notifications
//
// Enable email-based alarms on events and tasks.
SOGoEnableEMailAlarms = YES;
// Notify meeting participants
SOGoAppointmentSendEMailNotifications = YES;
// Notify if a calendar or an address book has been created.
SOGoFoldersSendEMailNotifications = YES;
// Notify involved users of a calendar or address book’s ACLs.
SOGoACLsSendEMailNotifications = YES;
// Notify when a modification is being done to his/her own calendar by someone else.
SOGoNotifyOnExternalModifications = YES;
// NOTE: PostgreSQL cannot update view in iRedMail
SOGoPasswordChangeEnabled = YES;
// Authentication using SQL
/* SQL backend
SOGoUserSources = (
{
type = sql;
id = users;
viewURL = "mysql://sogo:MxIpwW834kkv2OdA0sr71A3mNNJ2pk@127.0.0.1:3306/sogo/users";
canAuthenticate = YES;
// The algorithm used for password encryption when changing
// passwords without Password Policies enabled.
// Possible values are: plain, crypt, md5-crypt, ssha, ssha512.
userPasswordAlgorithm = ssha;
prependPasswordScheme = YES;
// Use `vmail.mailbox` as per-domain address book.
isAddressBook = YES;
displayName = "Domain Address Book";
SOGoEnableDomainBasedUID = YES;
DomainFieldName = "domain";
},
//{
// //
// // WARNING: all mail users can see/search ALL accounts.
// //
// displayName = "Global Address Book";
// type = sql;
// id = global_address_book;
// viewURL = "mysql://sogo:MxIpwW834kkv2OdA0sr71A3mNNJ2pk@127.0.0.1:3306/sogo/users";
// canAuthenticate = NO;
// isAddressBook = YES;
//}
);
SQL backend */
// Authentication using LDAP
domains = {
example1.com = {
SOGoMailDomain = example1.com;
SOGoDraftsFolderName = Drafts;
SOGoUserSources = (
{
type = ldap;
userPasswordAlgorithm = ssha;
CNFieldName = cn;
IDFieldName = mail;
bindFields = (mail);
UIDFieldName = mail;
IMAPLoginFieldName = mail;
SOGoEnableDomainBasedUID = YES;
hostname = "ldap://127.0.0.1:389";
baseDN = "o=domains,dc=example,dc=com";
bindDN = "cn=vmail,dc=example,dc=com";
bindPassword = "kVV5DuLtKjdAU8GXdDN096a83l9D6W";
filter = "objectClass=mailUser AND accountStatus=active AND enabledService=mail AND enabledService=sogo";
scope = SUB;
canAuthenticate = YES;
displayName = "example1 Addresses";
id = users;
isAddressBook = no;
port = 389;
}
);
};
example2.com = {
SOGoMailDomain = example2.com;
SOGoUserSources = (
{
type = ldap;
userPasswordAlgorithm = ssha;
CNFieldName = cn;
IDFieldName = mail;
bindFields = (mail);
UIDFieldName = mail;
IMAPLoginFieldName = mail;
SOGoEnableDomainBasedUID = YES;
hostname = "ldap://127.0.0.1:389";
baseDN = "o=domains,dc=example,dc=com";
bindDN = "cn=vmail,dc=example,dc=com";
bindPassword = "kVV5DuLtKjdAU8GXdDN096a83l9D6W";
filter = "objectClass=mailUser AND accountStatus=active AND enabledService=mail AND enabledService=sogo";
scope = SUB;
canAuthenticate = YES;
displayName = "example2 Addresses";
id = users;
isAddressBook = no;
port = 389;
}
);
};
};
}
|
|
|
|
There should be no SOGoUserSources outside the domains.
You use a non domain aware sql SOGoUserSources:
SOGoUserSources = (
{
type = sql;
id = users;
viewURL = "mysql://sogo:MxIpwW834kkv2OdA0sr71A3mNNJ2pk@127.0.0.1:3306/sogo/users";
canAuthenticate = YES;
// The algorithm used for password encryption when changing
// passwords without Password Policies enabled.
// Possible values are: plain, crypt, md5-crypt, ssha, ssha512.
userPasswordAlgorithm = ssha;
prependPasswordScheme = YES;
// Use `vmail.mailbox` as per-domain address book.
isAddressBook = YES;
displayName = "Domain Address Book";
SOGoEnableDomainBasedUID = YES;
DomainFieldName = "domain";
},
That is your problem, just remove it. |
|
|
|
In my file, this section is commented out and not used ?! |
|
|
|
Just confirmed: I removed the commented section and restarted the vm, to be sure to be sure.. same issue. |
|
|
|
You have "id = users;" set for both domains.
They must be different.
Also you have identical filter for both domains, which do not restrict based on email domain at all.
Add an filter option with e.g. mail='*@example1.com' |
|
