View Issue Details

ID: 0005433
Project: SOGo
Category: Backend Mail
View Status: public
Last Update: 2021-11-29 19:40
Reporter: zhb
Assigned To: francis
Priority: high
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 5.3.0
Fixed in Version: 5.4.0
Summary: 0005433: Is SOGoMailAuxiliaryUserAccountsEnabled broken?
Description

Dear developers,

I have SOGoMailAuxiliaryUserAccountsEnabled = YES; in sogo.conf, and successfully added an IMAP account which is hosted on the same host (localhost), but I always get this error:

Nov 25 22:27:58 sogod [256711]: [ERROR] <0x564666d7dcd0[SOGoMailFolder]:folderINBOX> Trying to use localhost for additional IMAP account - aborting.
Nov 25 22:27:58 sogod [256711]: [WARN] <0x564666d7dcd0[SOGoMailFolder]:folderINBOX> IMAP connection is broken, trying to reconnect...
Nov 25 22:27:58 sogod [256711]: [ERROR] <0x564666d7dcd0[SOGoMailFolder]:folderINBOX> Could not get a valid IMAP connection

PREFORK is set to 100, and no other users use SOGo at all at this stage, so it should have enough child processes.
The interesting thing is, I didn't see a log of a new IMAP connection in the Dovecot log file. It seems SOGo has an issue before trying to establish the IMAP connection.

Tags: No tags attached.

Activities

zhb

2021-11-26 03:35

reporter   ~0015641

Forgot to attach my sogo.conf:

{
    WOPort = 127.0.0.1:20000;
    WOPidFile = /var/run/sogo/sogo.pid;
    WOLogFile = /var/log/sogo/sogo.log;
    WOMaxUploadSize = 51200;
    SOGoMaximumMessageSizeLimit = 51200;
    WOWorkersCount = 5;
    SOGoMaximumPingInterval = 3540;
    SOGoMaximumSyncInterval = 3540;
    SOGoInternalSyncInterval = 60;
    WOWatchDogRequestTimeout = 60;
    SOGoMaximumSyncWindowSize = 100;
    SOGoMaximumSyncResponseSize = 512;
    SxVMemLimit = 500;
    SOGoXSRFValidationEnabled = YES;
    NGImap4DisableIMAP4Pooling = NO;
    SOGoProfileURL = "mysql://...";
    OCSFolderInfoURL = "mysql://...";
    OCSSessionsFolderURL = "mysql://...";
    OCSEMailAlarmsFolderURL = "mysql://...";
    OCSCacheFolderURL = "mysql://...";
    OCSStoreURL = "mysql://...";
    OCSAclURL = "mysql://...";
    SOGoLanguage = English;
    SOGoLoginModule = Mail;
    SOGoForceExternalLoginWithEmail = YES;
    SOGoMailCustomFromEnabled = YES;
    SOGoIMAPServer = "imap://127.0.0.1:143";
    SOGoMailAuxiliaryUserAccountsEnabled = YES;
    SOGoSMTPServer = "smtp://127.0.0.1:587/?tls=YES&tlsVerifyMode=allowInsecureLocalhost";
    SOGoMailingMechanism = smtp;
    SOGoSMTPAuthenticationType = PLAIN;
    SOGoSieveServer = "sieve://127.0.0.1:4190/?tls=YES&tlsVerifyMode=allowInsecureLocalhost";
    SOGoSieveScriptsEnabled = YES;
    SOGoVacationEnabled = YES;
    SOGoForwardEnabled = YES;
    SOGoSieveFolderEncoding = UTF-8;
    SOGoMemcachedHost = 127.0.0.1;
    SOGoTimeZone = "America/New_York";
    SOGoFirstDayOfWeek = 1;
    SOGoRefreshViewCheck = every_5_minutes;
    SOGoMailReplyPlacement = below;
    SOGoExternalAvatarsEnabled = NO;
    SOGoGravatarEnabled = NO;
    SOGoEnableEMailAlarms = YES;
    SOGoAppointmentSendEMailNotifications = YES;
    SOGoFoldersSendEMailNotifications = NO;
    SOGoACLsSendEMailNotifications = YES;
    SOGoNotifyOnExternalModifications = YES;
    SOGoPasswordChangeEnabled = YES;

    SOGoUserSources = (
        {
            type = sql;
            id = users;
            viewURL = "mysql://...";
            canAuthenticate = YES;
            userPasswordAlgorithm = ssha512;
            prependPasswordScheme = YES;
            isAddressBook = YES;
            displayName = "Domain Address Book";
            listRequiresDot = NO;
            SOGoEnableDomainBasedUID = YES;
            DomainFieldName = "domain";
            ModulesConstraints = {
                Mail = { c_webmail = y; };
                Calendar = { c_calendar = y; };
                ActiveSync = { c_activesync = d; };
            };
        },
        {
            displayName = "Mailing Aliases";
            type = sql;
            id = aliases;
            viewURL = "mysql://...";
            canAuthenticate = NO;
            isAddressBook = YES;
            listRequiresDot = NO;
            SOGoEnableDomainBasedUID = YES;
            DomainFieldName = "domain";
        },
        {
            displayName = "Mailing Lists";
            type = sql;
            id = maillists;
            viewURL = "mysql://...";
            canAuthenticate = NO;
            isAddressBook = YES;
            listRequiresDot = NO;
            SOGoEnableDomainBasedUID = YES;
            DomainFieldName = "domain";
        },
    );
}

zhb

2021-11-26 03:40

reporter   ~0015642

I also tried to add the IMAP account with 'sogo-tool' as below, but got the same error:

/usr/sbin/sogo-tool user-preferences set defaults user@domain.com AuxiliaryMailAccounts '{"AuxiliaryMailAccounts": [{"password": "xxx", "userName": "imapaccount", "identities": [{"email": "another-user@domain.com", "signature": "test signature", "fullName": "my full name"}], "encryption": "tls", "serverName": "my-imap-server-hostname", "name": "my name"}]}'

francis

2021-11-26 13:14

administrator   ~0015643

As the log entry says, it's prohibited by design. From commit 68ddcd7045:

// We first check if we're trying to establish an IMAP connection to localhost
// for an account number greater than 0 (default account). We prevent that
// for security reasons if admins use an IMAP trust.

zhb

2021-11-29 12:59

reporter   ~0015644

Excuse me, why is using localhost as the IMAP server a security concern/issue? That means a user cannot add any account under the same domain as the Auxiliary User Account.

Actually I use an FQDN as the IMAP server address, but /etc/hosts maps it to 127.0.0.1, which is expected.

zhb

2021-11-29 13:03

reporter   ~0015645

And what is "an account number greater than 0 (default account)"?
It seems it's for some IMAP servers but not Dovecot? Maybe we should introduce a new parameter for this case, so that:

  • With SOGoMailAuxiliaryUserAccountsEnabled = YES, the user can use any IMAP server, including localhost or 127.0.0.1.
  • With new parameter <X> = YES, the user cannot use localhost and 127.0.0.1 as the IMAP server address.

francis

2021-11-29 17:29

administrator   ~0015648

IMAP trusts are configured when using SSO. We could disable this host constraint when CAS or SAML is enabled.

Related Changesets

sogo: master 8cb5ef36

2021-11-29 14:38

francis


fix(mail): only apply IMAP host constraint when SSO is enabled

Fixes 0005433
Affected Issues
0005433
mod - SoObjects/Mailer/SOGoMailBaseObject.m
mod - UI/WebServerResources/js/Preferences/AccountDialogController.js
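
The host constraint as settled in this thread (auxiliary account, SSO enabled, IMAP server resolving to loopback), sketched as an added Python example; it is not SOGo's code from SoObjects/Mailer/SOGoMailBaseObject.m. The function names, the SAMPLE_HOSTS table standing in for /etc/hosts, and failing closed on unresolvable names are assumptions.

```python
import ipaddress

# Constructed stand-in for /etc/hosts so the example runs offline (assumption).
SAMPLE_HOSTS = {
    "localhost": ["127.0.0.1", "::1"],
    "mail.example.com": ["127.0.0.1"],        # FQDN mapped to loopback, as in the report
    "imap.partner.example": ["203.0.113.10"],
}

def resolve(server_name, hosts=SAMPLE_HOSTS):
    """Return addresses for server_name; a literal IP resolves to itself."""
    name = server_name.strip().rstrip(".").lower().strip("[]")
    try:
        return [ipaddress.ip_address(name)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in hosts.get(name, [])]

def targets_loopback(server_name, hosts=SAMPLE_HOSTS):
    """True if any resolved address is loopback: 127.0.0.0/8, ::1 or IPv4-mapped."""
    for addr in resolve(server_name, hosts):
        mapped = getattr(addr, "ipv4_mapped", None)
        if addr.is_loopback or (mapped is not None and mapped.is_loopback):
            return True
    return False

def aux_account_allowed(account_index, server_name, sso_enabled, hosts=SAMPLE_HOSTS):
    """Block loopback targets only for auxiliary accounts when SSO is enabled."""
    if account_index == 0:      # account 0 is the default account: never constrained
        return True
    if not sso_enabled:         # no CAS/SAML, so no IMAP trust to protect
        return True
    if not resolve(server_name, hosts):
        return False            # unresolvable name under SSO: fail closed (assumption)
    return not targets_loopback(server_name, hosts)

if __name__ == "__main__":
    for idx, host, sso in [(1, "mail.example.com", True),
                           (1, "mail.example.com", False),
                           (1, "imap.partner.example", True)]:
        print(idx, host, "sso" if sso else "no-sso",
              "allowed" if aux_account_allowed(idx, host, sso) else "blocked")
```

Comparing the configured name against the string "localhost" alone would miss the reporter's case, where an FQDN maps to 127.0.0.1 through /etc/hosts; checking the resolved addresses covers it.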

Issue History

Date Modified Username Field Change
2021-11-26 03:32 zhb New Issue
2021-11-26 03:35 zhb Note Added: 0015641
2021-11-26 03:40 zhb Note Added: 0015642
2021-11-26 13:14 francis Assigned To => francis
2021-11-26 13:14 francis Status new => closed
2021-11-26 13:14 francis Resolution open => fixed
2021-11-26 13:14 francis Note Added: 0015643
2021-11-26 13:15 francis Resolution fixed => no change required
2021-11-29 12:59 zhb Status closed => feedback
2021-11-29 12:59 zhb Resolution no change required => reopened
2021-11-29 12:59 zhb Note Added: 0015644
2021-11-29 13:03 zhb Note Added: 0015645
2021-11-29 13:03 zhb Status feedback => assigned
2021-11-29 17:29 francis Note Added: 0015648
2021-11-29 19:40 francis Changeset attached => sogo master 8cb5ef36
2021-11-29 19:40 francis Resolution reopened => fixed
2021-11-29 19:40 francis Status assigned => resolved
2021-11-29 19:40 francis Fixed in Version => 5.4.0