View Issue Details

IDProjectCategoryView StatusLast Update
0005669SOGoWeb Mailpublic2023-01-05 10:19
Reporterandaga Assigned Tosebastien  
PriorityurgentSeveritycrashReproducibilityalways
Status resolvedResolutionno change required 
PlatformLinuxOSAlmaLinuxOS Version8.7
Product Version5.8.0 
Summary0005669: Can see all users of all domains
Description

We installed the new SOGo extension in a Plesk server.

We have a big security concern. All users can see all users of all domains! So when we want to share a calendar for example, we can see all users of all domains by doing a simple search.

Is this a bug? Or a configuration problem?

Here are the details of our sogo.conf file

SOGoLanguage = English;
SOGoTimeZone = UTC;
SOGoFirstDayOfWeek = 0;
SOGoMailMessageCheck = manually;
SOGoMailAuxiliaryUserAccountsEnabled = YES;
SOGoMemcachedHost = "127.0.0.1";
SOGoRefreshViewCheck = every_5_minutes;

WOWorkersCount = 10;
SOGoMaximumMessageSizeLimit = 20480;
SxVMemLimit = 3840;

SOGoAppointmentSendEMailNotifications = NO;
SOGoPasswordChangeEnabled = NO;

SOGoProfileURL = "mysql://sogo_63b5xxxxxxxxxxc380bad/sogo_user_profile";
OCSFolderInfoURL = "mysql://sogo_63b527c38xxxxxxxxxad/sogo_folder_info";
OCSSessionsFolderURL = "mysql://sogo_63b52xxxxxxxxxxxxad/sogo_sessions_folder";
OCSEMailAlarmsFolderURL = "mysql://sogo_63b5xxxxxxxxxxxxx27c380bad/sogo_alarms_folder";
OCSStoreURL = "mysql://sogo_6xxxxxxxxc380bad/sogo_store";
OCSAclURL = "mysql://sogo_63b527xxxxxxxxxxxxx80bad/sogo_acl";
OCSCacheFolderURL = "mysql://sogo_63bxxxxxxxxxx380bad/sogo_cache_folder";

SOGoUserSources =
(
    {
        type = sql;
        id = plesk;
        viewURL = "mysql://sogo_xxxxxxxxxxxxxxxxxxxxad/sogo_users_view";
        canAuthenticate = YES;
        isAddressBook = NO;
        userPasswordAlgorithm = sym-aes-128-cbc;
        keyPath = "/etc/sogo/private/secret_key";
    }
);

SOGoMailingMechanism = smtp;
SOGoSMTPServer = "smtp://localhost:25/?tls=YES&tlsVerifyMode=allowInsecureLocalhost";
SOGoSMTPAuthenticationType = PLAIN;

SOGoSentFolderName = "INBOX/Sent";
SOGoTrashFolderName = "INBOX/Trash";
SOGoDraftsFolderName = "INBOX/Drafts";
SOGoJunkFolderName = "INBOX/Junk";
SOGoIMAPServer = "imaps://localhost:143/?tls=YES&tlsVerifyMode=allowInsecureLocalhost";
SOGoSieveServer = "sieve://localhost:4190/?tls=YES&tlsVerifyMode=allowInsecureLocalhost";
SOGoIMAPAclConformsToIMAPExt = NO;
SOGoVacationEnabled = YES;
SOGoForwardEnabled = YES;
SOGoSieveScriptsEnabled = YES;

}

TagsNo tags attached.

Activities

sebastien

sebastien

2023-01-05 09:17

administrator   ~0016534

For clean multi domain you have to follow this documentation : https://www.sogo.nu/files/docs/SOGoInstallationGuide.html#_multi_domains_configuration

However assuming you're using SQL source, you can add a column for example domain in users table and add this in your user source configuration : DomainFieldName = "domain";

Issue History

Date Modified Username Field Change
2023-01-04 20:03 andaga New Issue
2023-01-05 09:17 sebastien Note Added: 0016534
2023-01-05 10:19 sebastien Assigned To => sebastien
2023-01-05 10:19 sebastien Status new => resolved
2023-01-05 10:19 sebastien Resolution open => no change required