diff --git a/README.md b/README.md index dc9b76be0c..40288f10e7 100644 --- a/README.md +++ b/README.md @@ -13,6 +13,22 @@ You can also [get a SAL](https://www.servercow.de/mailcow?lang=en#sal) which is Or just spread the word: moo. +## Many thanks to our GitHub Sponsors ❤️ +A big thank you to everyone supporting us on GitHub Sponsors—your contributions mean the world to us! Special thanks to the following amazing supporters: + +### 100$/Month Sponsors + + + +### 50$/Month Sponsors + + ## Info, documentation and support Please see [the official documentation](https://docs.mailcow.email/) for installation and support instructions. 🐄 diff --git a/data/Dockerfiles/sogo/navMailcowBtns.diff b/data/Dockerfiles/sogo/navMailcowBtns.diff index 1b469aa60c..2107b5b1fe 100644 --- a/data/Dockerfiles/sogo/navMailcowBtns.diff +++ b/data/Dockerfiles/sogo/navMailcowBtns.diff @@ -1,20 +1,15 @@ -59,65d58 -< ng-show="::!activeUser.isSuperUser" +60,65d58 < var:ng-click="navButtonClick" < ng-href="/https/github.com/user"> < build -< +< mailcow < < ng-show="::activeUser.path.logoff.length" 85c78 < ng-href="#"> --- > ng-href="{{::activeUser.path.logoff}}"> -89,91d81 -<
-< -<
diff --git a/data/conf/dovecot/auth/mailcowauth.php b/data/conf/dovecot/auth/mailcowauth.php index fc17df7242..667419c575 100644 --- a/data/conf/dovecot/auth/mailcowauth.php +++ b/data/conf/dovecot/auth/mailcowauth.php @@ -69,29 +69,34 @@ $isSOGoRequest = $post['real_rip'] == getenv('IPV4_NETWORK') . '.248'; $result = false; -$protocol = $post['protocol']; if ($isSOGoRequest) { - $protocol = null; // This is a SOGo Auth request. First check for SSO password. $sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass"); if ($sogo_sso_pass === $post['password']){ error_log('MAILCOWAUTH: SOGo SSO auth for user ' . $post['username']); + set_sasl_log($post['username'], $post['real_rip'], "SOGO"); $result = true; } } if ($result === false){ - $result = apppass_login($post['username'], $post['password'], $protocol, array( + $result = apppass_login($post['username'], $post['password'], array($post['service'] => true), array( 'is_internal' => true, 'remote_addr' => $post['real_rip'] )); - if ($result) error_log('MAILCOWAUTH: App auth for user ' . $post['username']); + if ($result) { + error_log('MAILCOWAUTH: App auth for user ' . $post['username']); + set_sasl_log($post['username'], $post['real_rip'], $post['service']); + } } if ($result === false){ // Init Identity Provider $iam_provider = identity_provider('init'); $iam_settings = identity_provider('get'); $result = user_login($post['username'], $post['password'], array('is_internal' => true)); - if ($result) error_log('MAILCOWAUTH: User auth for user ' . $post['username']); + if ($result) { + error_log('MAILCOWAUTH: User auth for user ' . $post['username']); + set_sasl_log($post['username'], $post['real_rip'], $post['service']); + } } if ($result) { diff --git a/data/conf/dovecot/auth/passwd-verify.lua b/data/conf/dovecot/auth/passwd-verify.lua index cb2e928d02..18c18dbe3d 100644 --- a/data/conf/dovecot/auth/passwd-verify.lua +++ b/data/conf/dovecot/auth/passwd-verify.lua @@ -3,21 +3,20 @@ function auth_password_verify(request, password) return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "No such user" end - json = require "cjson" - ltn12 = require "ltn12" - https = require "ssl.https" - https.TIMEOUT = 5 + local json = require "cjson" + local ltn12 = require "ltn12" + local https = require "ssl.https" + https.TIMEOUT = 30 local req = { username = request.user, password = password, real_rip = request.real_rip, - protocol = {} + service = request.service } - req.protocol[request.service] = true local req_json = json.encode(req) - local res = {} - + local res = {} + local b, c = https.request { method = "POST", url = "https://nginx:9082", @@ -29,11 +28,17 @@ function auth_password_verify(request, password) sink = ltn12.sink.table(res), insecure = true } + + if c ~= 200 then + dovecot.i_info("HTTP request failed with " .. c .. " for user " .. request.user) + return dovecot.auth.PASSDB_RESULT_INTERNAL_FAILURE, "Upstream error" + end + local api_response = json.decode(table.concat(res)) if api_response.success == true then return dovecot.auth.PASSDB_RESULT_OK, "" end - + return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Failed to authenticate" end diff --git a/data/conf/dovecot/dovecot.conf b/data/conf/dovecot/dovecot.conf index 15be77fcec..05d9264fa8 100644 --- a/data/conf/dovecot/dovecot.conf +++ b/data/conf/dovecot/dovecot.conf @@ -53,7 +53,7 @@ mail_shared_explicit_inbox = yes mail_prefetch_count = 30 passdb { driver = lua - args = file=/etc/dovecot/auth/passwd-verify.lua blocking=yes cache_key=%u:%w + args = file=/etc/dovecot/auth/passwd-verify.lua blocking=yes cache_key=%s:%u:%w result_success = return-ok result_failure = continue result_internalfail = continue diff --git a/data/conf/phpfpm/crons/keycloak-sync.php b/data/conf/phpfpm/crons/keycloak-sync.php index c9655a8ec1..f09a47d790 100644 --- a/data/conf/phpfpm/crons/keycloak-sync.php +++ b/data/conf/phpfpm/crons/keycloak-sync.php @@ -196,7 +196,7 @@ function logMsg($priority, $message, $task = "Keycloak Sync") { logMsg("err", "Could not create user " . $user['email']); continue; } - } else if ($row && intval($iam_settings['periodic_sync']) == 1) { + } else if ($row && intval($iam_settings['periodic_sync']) == 1 && $row['authsource'] == "keycloak") { if ($mapper_key === false){ logMsg("warning", "No matching attribute mapping found for user " . $user['email']); continue; diff --git a/data/conf/phpfpm/crons/ldap-sync.php b/data/conf/phpfpm/crons/ldap-sync.php index 66b76e64af..32026c071e 100644 --- a/data/conf/phpfpm/crons/ldap-sync.php +++ b/data/conf/phpfpm/crons/ldap-sync.php @@ -168,7 +168,7 @@ function logMsg($priority, $message, $task = "LDAP Sync") { logMsg("err", "Could not create user " . $user[$iam_settings['username_field']][0]); continue; } - } else if ($row && intval($iam_settings['periodic_sync']) == 1) { + } else if ($row && intval($iam_settings['periodic_sync']) == 1 && $row['authsource'] == "ldap") { if ($mapper_key === false){ logMsg("warning", "No matching attribute mapping found for user " . $user[$iam_settings['username_field']][0]); continue; diff --git a/data/conf/postfix/postscreen_access.cidr b/data/conf/postfix/postscreen_access.cidr index c6ed2be93d..36c7e9fcaf 100644 --- a/data/conf/postfix/postscreen_access.cidr +++ b/data/conf/postfix/postscreen_access.cidr @@ -1,6 +1,6 @@ -# Whitelist generated by Postwhite v3.4 on Sat Mar 1 00:19:29 UTC 2025 +# Whitelist generated by Postwhite v3.4 on Tue Apr 1 00:20:51 UTC 2025 # https://github.com/stevejenkins/postwhite/ -# 2000 total rules +# 2067 total rules 2a00:1450:4000::/36 permit 2a01:111:f400::/48 permit 2a01:111:f403:8000::/50 permit @@ -26,7 +26,12 @@ 8.20.114.31 permit 8.25.194.0/23 permit 8.25.196.0/23 permit +8.39.54.0/23 permit +8.39.54.250/31 permit +8.40.222.0/23 permit +8.40.222.250/31 permit 12.130.86.238 permit +13.107.246.59 permit 13.110.208.0/21 permit 13.110.209.0/24 permit 13.110.216.0/22 permit @@ -60,8 +65,6 @@ 20.59.80.4/30 permit 20.63.210.192/28 permit 20.69.8.108/30 permit -20.70.246.20 permit -20.76.201.171 permit 20.83.222.104/30 permit 20.88.157.184/30 permit 20.94.180.64/28 permit @@ -70,14 +73,11 @@ 20.98.194.68/30 permit 20.105.209.76/30 permit 20.107.239.64/30 permit -20.112.250.133 permit 20.118.139.208/30 permit 20.141.10.196 permit 20.185.214.0/27 permit 20.185.214.32/27 permit 20.185.214.64/27 permit -20.231.239.246 permit -20.236.44.162 permit 23.103.224.0/19 permit 23.249.208.0/20 permit 23.251.224.0/19 permit @@ -103,6 +103,24 @@ 27.123.206.80/28 permit 31.25.48.222 permit 31.47.251.17 permit +34.2.64.0/22 permit +34.2.68.0/23 permit +34.2.70.0/23 permit +34.2.71.64/26 permit +34.2.72.0/22 permit +34.2.75.0/26 permit +34.2.78.0/23 permit +34.2.80.0/23 permit +34.2.82.0/23 permit +34.2.84.0/24 permit +34.2.84.64/26 permit +34.2.85.0/24 permit +34.2.85.64/26 permit +34.2.86.0/23 permit +34.2.88.0/23 permit +34.2.90.0/23 permit +34.2.92.0/23 permit +34.2.94.0/23 permit 34.195.217.107 permit 34.212.163.75 permit 34.215.104.144 permit @@ -215,7 +233,6 @@ 52.95.49.88/29 permit 52.96.91.34 permit 52.96.111.82 permit -52.96.172.98 permit 52.96.214.50 permit 52.96.222.194 permit 52.96.222.226 permit @@ -255,6 +272,7 @@ 54.244.54.130 permit 54.244.242.0/24 permit 54.255.61.23 permit +56.124.6.228 permit 57.103.64.0/18 permit 62.13.128.0/24 permit 62.13.129.128/25 permit @@ -341,6 +359,7 @@ 65.110.161.77 permit 65.123.29.213 permit 65.123.29.220 permit +65.154.166.0/24 permit 65.212.180.36 permit 66.102.0.0/20 permit 66.119.150.192/26 permit @@ -1304,6 +1323,9 @@ 117.120.16.0/21 permit 119.42.242.52/31 permit 119.42.242.156 permit +121.244.91.48 permit +121.244.91.52 permit +122.15.156.182 permit 123.126.78.64/29 permit 124.108.96.24/31 permit 124.108.96.28/31 permit @@ -1366,7 +1388,21 @@ 134.170.141.64/26 permit 134.170.143.0/24 permit 134.170.174.0/24 permit +135.84.80.0/24 permit +135.84.81.0/24 permit +135.84.82.0/24 permit +135.84.83.0/24 permit 135.84.216.0/22 permit +136.143.160.0/24 permit +136.143.161.0/24 permit +136.143.162.0/24 permit +136.143.176.0/24 permit +136.143.177.0/24 permit +136.143.178.49 permit +136.143.182.0/23 permit +136.143.184.0/24 permit +136.143.188.0/24 permit +136.143.190.0/23 permit 136.147.128.0/20 permit 136.147.135.0/24 permit 136.147.176.0/20 permit @@ -1381,6 +1417,7 @@ 139.138.46.219 permit 139.138.57.55 permit 139.138.58.119 permit +139.167.79.86 permit 139.180.17.0/24 permit 140.238.148.191 permit 141.148.159.229 permit @@ -1498,6 +1535,9 @@ 163.114.135.16 permit 164.152.23.32 permit 164.177.132.168/30 permit +165.173.128.0/24 permit +165.173.180.250/31 permit +165.173.182.250/31 permit 166.78.68.0/22 permit 166.78.68.221 permit 166.78.69.169 permit @@ -1526,6 +1566,12 @@ 168.245.12.252 permit 168.245.46.9 permit 168.245.127.231 permit +169.148.129.0/24 permit +169.148.131.0/24 permit +169.148.142.10 permit +169.148.144.0/25 permit +169.148.144.10 permit +169.148.146.0/23 permit 170.10.128.0/24 permit 170.10.129.0/24 permit 170.10.132.56/29 permit @@ -1667,6 +1713,14 @@ 198.61.254.231 permit 198.178.234.57 permit 198.244.48.0/20 permit +198.244.56.107 permit +198.244.56.108 permit +198.244.56.109 permit +198.244.56.111 permit +198.244.56.112 permit +198.244.56.113 permit +198.244.56.114 permit +198.244.56.115 permit 198.244.59.30 permit 198.244.59.33 permit 198.244.59.35 permit @@ -1679,7 +1733,15 @@ 199.16.156.0/22 permit 199.33.145.1 permit 199.33.145.32 permit +199.34.22.36 permit 199.59.148.0/22 permit +199.67.80.2 permit +199.67.80.20 permit +199.67.82.2 permit +199.67.82.20 permit +199.67.84.0/24 permit +199.67.86.0/24 permit +199.67.88.0/24 permit 199.101.161.130 permit 199.101.162.0/25 permit 199.122.120.0/21 permit @@ -1736,6 +1798,8 @@ 204.92.114.187 permit 204.92.114.203 permit 204.92.114.204/31 permit +204.141.32.0/23 permit +204.141.42.0/23 permit 204.220.160.0/21 permit 204.220.168.0/21 permit 204.220.176.0/20 permit @@ -1988,6 +2052,9 @@ 2603:1030:20e:3::23c permit 2603:1030:b:3::152 permit 2603:1030:c02:8::14 permit +2607:13c0:0001:0000:0000:0000:0000:7000/116 permit +2607:13c0:0002:0000:0000:0000:0000:1000/116 permit +2607:13c0:0004:0000:0000:0000:0000:0000/116 permit 2607:f8b0:4000::/36 permit 2620:109:c003:104::/64 permit 2620:109:c003:104::215 permit diff --git a/data/conf/sogo/custom-sogo.js b/data/conf/sogo/custom-sogo.js index e1f27e8ff8..d3b90b0856 100644 --- a/data/conf/sogo/custom-sogo.js +++ b/data/conf/sogo/custom-sogo.js @@ -5,6 +5,16 @@ document.addEventListener('DOMContentLoaded', function () { window.location.href = '/user'; } }); +// logout function +function mc_logout() { + fetch("/", { + method: "POST", + headers: { + "Content-Type": "application/x-www-form-urlencoded" + }, + body: "logout=1" + }).then(() => window.location.href = '/'); +} // Custom SOGo JS diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php index f432c38340..994915efc1 100644 --- a/data/web/inc/functions.auth.inc.php +++ b/data/web/inc/functions.auth.inc.php @@ -9,25 +9,52 @@ function check_login($user, $pass, $app_passwd_data = false, $extra = null) { // Try validate admin if (!isset($role) || $role == "admin") { $result = admin_login($user, $pass); - if ($result !== false) return $result; + if ($result !== false){ + return $result; + } } // Try validate domain admin if (!isset($role) || $role == "domain_admin") { $result = domainadmin_login($user, $pass); - if ($result !== false) return $result; + if ($result !== false) { + return $result; + } } - // Try validate user - if (!isset($role) || $role == "user") { - $result = user_login($user, $pass); - if ($result !== false) return $result; - } // Try validate app password if (!isset($role) || $role == "app") { $result = apppass_login($user, $pass, $app_passwd_data); - if ($result !== false) return $result; + if ($result !== false) { + if ($app_passwd_data['eas'] === true) { + $service = 'EAS'; + } elseif ($app_passwd_data['dav'] === true) { + $service = 'DAV'; + } else { + $service = 'NONE'; + } + $real_rip = ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR']); + set_sasl_log($user, $real_rip, $service, $pass); + return $result; + } + } + + // Try validate user + if (!isset($role) || $role == "user") { + $result = user_login($user, $pass); + if ($result !== false) { + if ($app_passwd_data['eas'] === true) { + $service = 'EAS'; + } elseif ($app_passwd_data['dav'] === true) { + $service = 'DAV'; + } else { + $service = 'MAILCOWUI'; + } + $real_rip = ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR']); + set_sasl_log($user, $real_rip, $service); + return $result; + } } // skip log and only return false if it's an internal request @@ -415,21 +442,7 @@ function apppass_login($user, $pass, $app_passwd_data, $extra = null){ // verify password if (verify_hash($row['password'], $pass) !== false) { - if ($is_internal){ - $remote_addr = $extra['remote_addr']; - } else { - $remote_addr = ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR']); - } - - $service = strtoupper($is_app_passwd); - $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES (:service, :app_id, :username, :remote_addr)"); - $stmt->execute(array( - ':service' => $service, - ':app_id' => $row['app_passwd_id'], - ':username' => $user, - ':remote_addr' => $remote_addr - )); - + $_SESSION['app_passwd_id'] = $row['app_passwd_id']; unset($_SESSION['ldelay']); return "user"; } diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index 6a70eb6e31..49e26b978e 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -350,6 +350,34 @@ function last_login($action, $username, $sasl_limit_days = 7, $ui_offset = 1) { } } +function set_sasl_log($username, $real_rip, $service){ + global $pdo; + + try { + if (!empty($_SESSION['app_passwd_id'])) { + $app_password = $_SESSION['app_passwd_id']; + } else { + $app_password = 0; + } + + $stmt = $pdo->prepare('REPLACE INTO `sasl_log` (`username`, `real_rip`, `service`, `app_password`) VALUES (:username, :real_rip, :service, :app_password)'); + $stmt->execute(array( + ':username' => $username, + ':real_rip' => $real_rip, + ':service' => $service, + ':app_password' => $app_password + )); + } catch (PDOException $e) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_data_log), + 'msg' => array('mysql_error', $e) + ); + return false; + } + + return true; +} function flush_memcached() { try { $m = new Memcached(); diff --git a/data/web/js/site/admin.js b/data/web/js/site/admin.js index 90c00002aa..847c25aa8a 100644 --- a/data/web/js/site/admin.js +++ b/data/web/js/site/admin.js @@ -681,7 +681,7 @@ jQuery(function($){ $(this).html(' '); $.ajax({ type: 'GET', - url: 'inc/ajax/transport_check.php', + url: '/inc/ajax/transport_check.php', dataType: 'text', data: $('#test_transport_form').serialize(), complete: function (data) { diff --git a/data/web/js/site/user.js b/data/web/js/site/user.js index 8f64d4e206..678e23b197 100644 --- a/data/web/js/site/user.js +++ b/data/web/js/site/user.js @@ -90,13 +90,7 @@ jQuery(function($){ console.log('error reading last logins'); }, success: function (data) { - $('.last-ui-login').html(''); $('.last-sasl-login').html(''); - if (data.ui.time) { - $('.last-ui-login').html(' ' + lang.last_ui_login + ': ' + unix_time_format(data.ui.time)); - } else { - $('.last-ui-login').text(lang.no_last_login); - } if (data.sasl) { $('.last-sasl-login').append('