[SOGo] BTS activities for Monday, July 20 2020

2020-07-20 Thread SOGo reporter
Title: BTS activities for Monday, July 20 2020

BTS Activities

  Home page: https://sogo.nu/bugs
  Project: SOGo
  For the period covering: Monday, July 20 2020

  
  
  id    last update          status (resolution)  category   summary
  5083  2020-07-20 14:49:56  updated (open)       Web Mail   Signature not replaced/removed in Send Dialog
  5031  2020-07-20 10:16:58  updated (open)       with SOGo  MZLA Thunderbird 78+ Breaks SOGo Connector (68+)
  
  


--
users@sogo.nu
https://inverse.ca/sogo/lists

Re: [SOGo] Sogo - Lemonldap - Saml

2020-07-20 Thread "la.jolie@paquerette"
Hi Mj,

I was sure to have seen that problem in an old post, and indeed I found
it, and it was from you :)
(https://www.mail-archive.com/users@sogo.nu/msg27428.html)

Was the solution given in the answer not good?

Thanks,
Kenny


On 19/07/20 16:51, mj (li...@merit.unu.edu) wrote:
> Hi Kenny,
>
> In the past, we also setup a PoC with SOGo / keycloak / SAML2. For
> IMAP authentication, we used:
> https://github.com/ck-ws/pam-script-saml
>
> But because of the SAML2 sessions timing out, we went back to regular
> LDAP auth. We would like to move to SAML2, so we're following the
> recent SAML2 list threads with interest.
>
> MJ
>
> On 7/19/20 2:02 PM, Jeroen van Os (jeroen.va...@nevel.io) wrote:
>> Hi Kenny,
>>
>> I have been trying to get SAML to work with SOGo as well. In Keycloak
>> the following configuration works:
>>
>> Client scopes: none
>> Mappers: fill in "email" and "username" with information from your
>> credentials provider
>> Set scope to "full scope allowed"
>>
>> In the SOGo config file we have this line, the rest is similar to
>> what you provided:
>>    SOGoSAML2LoginAttribute = username;
>>
>> Don't forget to take into account that even if you get SAML to work,
>> the connection to your IMAP and SMTP server may not work. Because
>> SOGo has no knowledge of the user's password, it cannot authenticate
>> against regular IMAP and SMTP servers that expect user credentials
>> for authorization. So you will need to find a way to authenticate
>> without knowing the user's password.
>>
>> Kind regards,
>> Jeroen
>>
>>
>> On 18/07/2020 at 22:19, "la.jolie@paquerette"
>> (la.jo...@paquerette.org) wrote:
>>> Going on with my attempts to connect Sogo to LemonLdap, I tried also
>>> with
>>> the SAML protocol.
>>> A few weeks ago, I first tried with Keycloak
>>> (https://www.mail-archive.com/users@sogo.nu/msg29805.html), but I
>>> didn't
>>> find a solution.
>>>
>>> Unfortunately, with LemonLdap, I have the same error:
>>> 
>>> |SOGo| starting method 'POST' on uri '/SOGo/saml2-signon-post'
>>>   |SOGo| traverse(acquire): SOGo => saml2-signon-post
>>> |SOGo|   do traverse name: 'SOGo'
>>> |SOGo|   do traverse name: 'saml2-signon-post'
>>> |SOGo| set clientObject: 
>>> sogod[8630:8630] EXCEPTION: 
>>> NAME:NSInvalidArgumentException REASON:Tried to add nil value for key
>>> 'login' to dictionary INFO:{}
>>> |SOGo| request took 0.013806 seconds to execute
>>> <0x0x563823b8f410[WOResponse]> Zipping of response disabled
>>> 127.0.0.1 "POST /SOGo/saml2-signon-post HTTP/1.1" 501 0/7289 0.019 -
>>> - 692K
>>> 
>>>
>>> I'm back to the post https://sogo.nu/bugs/view.php?id=4441
>>> Alas, no clue what Sogo is waiting for.
>>>
>>> I attached a saml token example LemonLdap sends back to Sogo.
>>> For the attribute with my mail (for the login), I tried the name mail,
>>> email & login, but same error.
>>>
>>> What is the attribute name Sogo wants for the key 'login'?
>>> Is something wrong with the Saml token Sogo is receiving from
>>> LemonLdap?
>>>
>>> Thanks,
>>> Kenny
>>>
>>>
>>> My Sogo config:
>>> 
>>>    SOGoProfileURL =
>>> "mysql://yyy:x@127.0.0.1:3306/sogo/sogo_user_profile";
>>>    OCSFolderInfoURL =
>>> "mysql://yyy:x@127.0.0.1:3306/sogo/sogo_folder_info";
>>>    OCSSessionsFolderURL =
>>> "mysql://yyy:x@127.0.0.1:3306/sogo/sogo_sessions_folder";
>>>    OCSEMailAlarmsFolderURL =
>>> "mysql://yyy:x@127.0.0.1:3306/sogo/sogo_alarms_folder";
>>>    SOGoLanguage = English;
>>>    SOGoAppointmentSendEMailNotifications = YES;
>>>    SOGoMailingMechanism = smtp;
>>>    SOGoSMTPServer = 127.0.0.1;
>>>    SOGoTimeZone = UTC;
>>>    SOGoSentFolderName = Sent;
>>>    SOGoTrashFolderName = Trash;
>>>    SOGoDraftsFolderName = Drafts;
>>>    SOGoIMAPServer = "imap://localhost:143/";
>>>    SOGoSieveServer = "sieve://localhost:4190/";
>>>    SOGoIMAPAclConformsToIMAPExt = YES;
>>>    SOGoVacationEnabled = NO;
>>>    SOGoForwardEnabled = NO;
>>>    SOGoSieveScriptsEnabled = NO;
>>>    SOGoFirstDayOfWeek = 0;
>>>    SOGoMailMessageCheck = manually;
>>>    SOGoMailAuxiliaryUserAccountsEnabled = NO;
>>>    SOGoMemcachedHost = 127.0.0.1;
>>>
>>> SOGoCacheCleanupInterval = 3600;
>>> SOGoAuthenticationType = saml2;
>>> NGImap4AuthMechanism = PLAIN;    # tried without the option too
>>> SOGoSAML2PrivateKeyLocation = "/etc/sogo/saml.pem";
>>> SOGoSAML2CertificateLocation = "/etc/sogo/saml.crt";
>>> SOGoSAML2IdpMetadataLocation = "/etc/sogo/idp-metadata.xml";
>>> SOGoSAML2IdpPublicKeyLocation = "/etc/sogo/idp-public.key";
>>> SOGoSAML2IdpCertificateLocation = "/etc/sogo/idp-public.key";
>>> SOGoSAML2LoginAttribute = mail;
>>> SOGoSAML2LogoutEnabled = YES;
>>> SOGoSAML2LogoutURL = "https://";
>>>
>>> WOWorkersCount = 10;
>>>
>>>  SOGoEASDebugEnabled = YES;
>>>  GCSFolderDebugEnabled = YES;
>>>  GCSFolderStoreDebugEnabled = YES;
>>>  LDAPDebugEnabled = YES;
>>>  MySQL4DebugEnabled = YES;
>>>  NGImap4DisableIMAP4Pooling = YES;
>

Re: [SOGo] Sogo - Lemonldap - Saml

2020-07-20 Thread "la.jolie@paquerette"
Hi Jeroen,

Thanks for your help.

I put back my keycloak test server on and tried your ideas, but no luck.
The Saml2 assertion includes both email & username fields with the
correct value.

But I still got the same exact error.

I see in sogo logs, when first accessing Sogo, before the redirection to
keycloak, this line:

Jul 20 14:41:59 sogod [8340]: [ERROR]
<0x0x55f3d21a8ad0[SOGoUserManager]> No authentication sources defined -
nobody will be able to login. Check your defaults.


This error comes from the fact I didn't define a:
--
 SOGoUserSources = (
    {
  type = sql or ldap;
...
--
Do I presume correctly that it's a normal error as I'm using saml2 and
not sql or ldap as userSource?

Can I ask you to compare your Sogo client config in Keycloak with mine to
see if there is a difference?
I attached the metadata of my Sogo client to the mail.

I noticed one strange thing.
I must have the option "Client Signature Required: OFF" in my keycloak
sogo client.
If I set to ON, I have a "invalid query param" in keycloak logs (does
that mean Sogo can't sign the request?).

Also, I'm wondering if I'm right to compose the file for the option
SOGoSAML2IdpPublicKeyLocation & SOGoSAML2IdpCertificateLocation in sogo
conf with the attribute "saml.signing.certificate" from the metadata
file (enclosed by "-----BEGIN CERTIFICATE-----" and "-----END
CERTIFICATE-----").
I put that in the file /etc/sogo/idp-public.key.

Or am I wrong to do it like that?

I know about the next step where you can't send a saml assertion to
dovecot for credentials as it is.
You need pam-script-saml or libpam-script + lasso (patched or not, not
sure as the info about it is so old).
I already tested pam-script-saml but need the first step to work
(connection to sogo) to be able to see if it works.

Thanks,
Kenny

On 19/07/20 14:02, Jeroen van Os (jeroen.va...@nevel.io) wrote:
> Hi Kenny,
>
> I have been trying to get SAML to work with SOGo as well. In Keycloak
> the following configuration works:
>
> Client scopes: none
> Mappers: fill in "email" and "username" with information from your
> credentials provider
> Set scope to "full scope allowed"
>
> In the SOGo config file we have this line, the rest is similar to what
> you provided:
>   SOGoSAML2LoginAttribute = username;
>
> Don't forget to take into account that even if you get SAML to work,
> the connection to your IMAP and SMTP server may not work. Because SOGo
> has no knowledge of the user's password, it cannot authenticate
> against regular IMAP and SMTP servers that expect user credentials for
> authorization. So you will need to find a way to authenticate without
> knowing the user's password.
>
> Kind regards,
> Jeroen
>
>
> On 18/07/2020 at 22:19, "la.jolie@paquerette"
> (la.jo...@paquerette.org) wrote:
>> Going on with my attempts to connect Sogo to LemonLdap, I tried also with
>> the SAML protocol.
>> A few weeks ago, I first tried with Keycloak
>> (https://www.mail-archive.com/users@sogo.nu/msg29805.html), but I didn't
>> find a solution.
>>
>> Unfortunately, with LemonLdap, I have the same error:
>> 
>> |SOGo| starting method 'POST' on uri '/SOGo/saml2-signon-post'
>>   |SOGo| traverse(acquire): SOGo => saml2-signon-post
>> |SOGo|   do traverse name: 'SOGo'
>> |SOGo|   do traverse name: 'saml2-signon-post'
>> |SOGo| set clientObject: 
>> sogod[8630:8630] EXCEPTION: 
>> NAME:NSInvalidArgumentException REASON:Tried to add nil value for key
>> 'login' to dictionary INFO:{}
>> |SOGo| request took 0.013806 seconds to execute
>> <0x0x563823b8f410[WOResponse]> Zipping of response disabled
>> 127.0.0.1 "POST /SOGo/saml2-signon-post HTTP/1.1" 501 0/7289 0.019 -
>> - 692K
>> 
>>
>> I'm back to the post https://sogo.nu/bugs/view.php?id=4441
>> Alas, no clue what Sogo is waiting for.
>>
>> I attached a saml token example LemonLdap sends back to Sogo.
>> For the attribute with my mail (for the login), I tried the name mail,
>> email & login, but same error.
>>
>> What is the attribute name Sogo wants for the key 'login'?
>> Is something wrong with the Saml token Sogo is receiving from LemonLdap?
>>
>> Thanks,
>> Kenny
>>
>>
>> My Sogo config:
>> 
>>    SOGoProfileURL =
>> "mysql://yyy:x@127.0.0.1:3306/sogo/sogo_user_profile";
>>    OCSFolderInfoURL =
>> "mysql://yyy:x@127.0.0.1:3306/sogo/sogo_folder_info";
>>    OCSSessionsFolderURL =
>> "mysql://yyy:x@127.0.0.1:3306/sogo/sogo_sessions_folder";
>>    OCSEMailAlarmsFolderURL =
>> "mysql://yyy:x@127.0.0.1:3306/sogo/sogo_alarms_folder";
>>    SOGoLanguage = English;
>>    SOGoAppointmentSendEMailNotifications = YES;
>>    SOGoMailingMechanism = smtp;
>>    SOGoSMTPServer = 127.0.0.1;
>>    SOGoTimeZone = UTC;
>>    SOGoSentFolderName = Sent;
>>    SOGoTrashFolderName = Trash;
>>    SOGoDraftsFolderName = Drafts;
>>    SOGoIMAPServer = "imap://localhost:143/";
>>    SOGoSieveServer = "sieve://localhost:4190/";
>>    SOGoIMAPAclConformsToIMAPExt = YES;
>>    SOGoVaca
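
Added example, not part of the original thread and not SOGo's own code: a small check of which attributes a captured SAMLResponse actually carries, set against the value configured in SOGoSAML2LoginAttribute. The sample response is constructed, and the rule that the service provider compares against the Name XML attribute rather than FriendlyName is an assumption, so both are reported.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a trimmed, unsigned Response as an IdP might POST it to
# /SOGo/saml2-signon-post (base64-encoded in the SAMLResponse form field).
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Assertion><saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
   <saml:AttributeValue>kenny@example.org</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="username" FriendlyName="">
   <saml:AttributeValue>kenny</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def list_attributes(saml_response_b64):
    """Decode a SAMLResponse form value; return (Name, FriendlyName, values)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    rows = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        rows.append((attr.get("Name"), attr.get("FriendlyName") or "", values))
    return rows


def check_login_attribute(saml_response_b64, login_attribute):
    """Classify how the configured SOGoSAML2LoginAttribute relates to the assertion.

    Assumption: the service provider compares against the Name XML attribute,
    so a match on FriendlyName only is reported separately.
    """
    rows = list_attributes(saml_response_b64)
    for name, _friendly, values in rows:
        if name == login_attribute:
            return "name-match" if any(values) else "name-match-empty-value"
    if any(friendly == login_attribute for _n, friendly, _v in rows):
        return "friendly-name-only"
    return "missing"


if __name__ == "__main__":
    for name, friendly, values in list_attributes(SAMPLE_B64):
        print(f"Name={name!r} FriendlyName={friendly!r} values={values}")
    for candidate in ("mail", "username", "login"):
        print(candidate, "->", check_login_attribute(SAMPLE_B64, candidate))
```

An assertion delivered as saml:EncryptedAssertion yields no rows here, because its attributes are not readable until it has been decrypted.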

Re: [SOGo] Thunderbird 78

2020-07-20 Thread val...@ziuraitis.lt

?

Valdas Žiūraitis
+370 698 12291

2020.07.13 17:20, Christian Naumer (c...@brain-biotech.de) wrote:

Hello you all,
Is there any timeline for supporting TB78 with the SOGo-Plugins?
Currently they are not working in the Beta. Has someone else tried this?

Regards

Christian





Re: [SOGo] Outlook 2016 FreeBusy lookup

2020-07-20 Thread armin.v...@mmlab.de
To close the case I can confirm that the Outlook FreeBusy lookup works 
now in our SOGo environment.


The solution was:

As our users have to authenticate using their full email address, the 
URL would have to look this way:


https://myserver.mydomain.mytld/SOGo/dav/public/%Name%@mydomain.mytld/freebusy.ifb

Thank you again for your assistance @MJ. Your hint made the difference:

> We see that outlook replaces the %Name% placeholder at lookup time with
> the appropriate localpart of the email address, and thus locates
> freebusy info for all users on that domain.

Best regards
Armin


