Re: [SOGo] Alias for all mailboxes

2019-01-25 Thread Christoph Kreutzer
Hi Pedro,

Do you use Postfix as MTA? Then it should be possible.
Actually, you can do quite the same with any other lookup instead of LDAP (I 
also use one regexp as you can see):
http://www.postfix.org/DATABASE_README.html#types

If your user source is e.g. MySQL or Postgres, you can use that, too. Or, as the 
easiest form, in files there are the hash and texthash types.

So if you want to replace my ldap-internal_user_lookup.cf, you could use a file 
of allowed senders in the following format (type texthash):
us...@example.com OK
us...@example.com OK

ldap-check_recipient_access.cf is the same, but you should have a list that 
returns, so like:
li...@example.com internal_user_lookup
li...@example.com internal_user_lookup

Instead of texthash, it is usually better to use hash. For texthash, you need 
to reload postfix to make it pick up the changes. For hash, you only need to 
run postmap on the file (see the doc above).

Best regards,
Christoph

> On 25.01.2019 at 17:24, Pedro Antunes wrote:
> 
> Thanks for your help.
>  
> Without LDAP, I can restrict senders?
>  
> Exists any config file to this?
>  
> Regards,
> Pedro Antunes
>  
> From: Christoph Kreutzer 
> Date: Friday, 25 January 2019 at 15:59
> To: "users@sogo.nu" 
> Cc: "pantu...@suroot.pt" 
> Subject: Re: [SOGo] Alias for all mailboxes
>  
> Hi,
> 
> I implemented something like that in the backend, too. I’m using OpenLDAP.
> 
> I have a script (PHP CLI script as part of a Zend Framework management 
> frontend) that uses a config file containing some LDAP searches to 
> automatically add/remove users to/from groups based on some attributes. That 
> part is hard to share, but it shouldn’t be too hard to implement with a 
> shell script if you are using the LDAP backend, too.
> 
> Regarding restrictions:
> As MJ proposed, I handle that in Postfix.
> 
> In main.cf, after smtpd_recipient_restrictions and smtpd_data_restrictions, 
> there is a section:
> # allow setting action internal_user_lookup to disallow non-listed users as 
> sender
> smtpd_restriction_classes =
> internal_user_lookup
> internal_user_lookup =
> check_sender_access ldap:/etc/postfix/ldap-internal_user_lookup.cf,
> # reject if not successful
> check_recipient_access 
> regexp:/etc/postfix/regexp-check_recipient_access-reject,
> reject
> 
> ldap-internal_user_lookup.cf looks like this:
> # resolve all mail addresses to OK (for checking of internal users)
> query_filter = 
> (&(|(objectClass=mailGroup)(objectClass=mailRecipient)(objectClass=inetOrgPerson))(|(mail=%s)(mailAlternateAddress=%s)(mailForwardingAddress=%s)(mailRoutingAddress=%s)))
> result_attribute = mail
> result_format = OK
> (LDAP config is missing here)
> 
> regexp-check_recipient_access-reject:
> # the same message for all
> /^(.*)$/550 5.4.1 Delivery to this mailbox is not permitted for you
> 
> You see the point - if the sender address is somewhere in my Directory, the 
> LDAP result returns OK - Mail is accepted. Otherwise, it returns no result 
> and the second check is performed.
> 
> # postmap -q kreutzer.christ...@yesthatsmymail.com 
> ldap:/etc/postfix/ldap-internal_user_lookup.cf
> OK
> # postmap -q kreutzer.christ...@example.com 
> ldap:/etc/postfix/ldap-internal_user_lookup.cf
> (no result)
> # postmap -q kreutzer.christ...@example.com 
> regexp:/etc/postfix/regexp-check_recipient_access-reject 
> 550 5.4.1 Delivery to this mailbox is not permitted for you
> 
> That always returns the 550 so the message will be rejected.
> 
> 
> But how is internal_user_lookup actually enforced? This is how I’ve got it 
> done:
> ldap-check_recipient_access.cf:
> # get recipient policy for a mail group
> query_filter = (&(objectClass=mailGroup)(|(mail=%s)(mailAlternateAddress=%s)))
> result_attribute = mgrpBroadcasterPolicy
> 
> main.cf again:
> smtpd_recipient_restrictions =
> reject_non_fqdn_recipient,
> reject_unknown_recipient_domain,
> reject_unlisted_recipient,
> [...]
> check_recipient_access ldap:/etc/postfix/ldap-check_recipient_access.cf,
> reject_unverified_recipient
> 
> So, for every incoming mail I make a call to that LDAP search above. If the 
> group has the attribute mgrpBroadcasterPolicy set to internal_user_lookup 
> (that’s the only value that will be set at the moment, otherwise it won’t 
> exist), the defined smtpd_restriction_class is called. Which does what I 
> described above.
> 
> Hope that helps :-) The postfix docs are actually really good, but it’s 
> complex to implement. Sometimes you just need a test setup. I got started 
> there, I believe: http://www.postfix.org/LDAP_README.html
>  
> Best regards,

Re: [SOGo] Alias for all mailboxes

2019-01-25 Thread Christoph Kreutzer
Hi,

I implemented something like that in the backend, too. I’m using OpenLDAP.

I have a script (PHP CLI script as part of a Zend Framework management 
frontend) that uses a config file containing some LDAP searches to 
automatically add/remove users to/from groups based on some attributes. That 
part is hard to share, but it shouldn’t be too hard to implement with a 
shell script if you are using the LDAP backend, too.

Regarding restrictions:
As MJ proposed, I handle that in Postfix.

In main.cf, after smtpd_recipient_restrictions and smtpd_data_restrictions, 
there is a section:
# allow setting action internal_user_lookup to disallow non-listed users as 
sender
smtpd_restriction_classes =
internal_user_lookup
internal_user_lookup =
check_sender_access ldap:/etc/postfix/ldap-internal_user_lookup.cf,
# reject if not successful
check_recipient_access 
regexp:/etc/postfix/regexp-check_recipient_access-reject,
reject

ldap-internal_user_lookup.cf looks like this:
# resolve all mail addresses to OK (for checking of internal users)
query_filter = 
(&(|(objectClass=mailGroup)(objectClass=mailRecipient)(objectClass=inetOrgPerson))(|(mail=%s)(mailAlternateAddress=%s)(mailForwardingAddress=%s)(mailRoutingAddress=%s)))
result_attribute = mail
result_format = OK
(LDAP config is missing here)

regexp-check_recipient_access-reject:
# the same message for all
/^(.*)$/550 5.4.1 Delivery to this mailbox is not permitted for you

You see the point - if the sender address is somewhere in my Directory, the 
LDAP result returns OK - Mail is accepted. Otherwise, it returns no result and 
the second check is performed.

# postmap -q kreutzer.christ...@yesthatsmymail.com 
ldap:/etc/postfix/ldap-internal_user_lookup.cf
OK
# postmap -q kreutzer.christ...@example.com 
ldap:/etc/postfix/ldap-internal_user_lookup.cf
(no result)
# postmap -q kreutzer.christ...@example.com 
regexp:/etc/postfix/regexp-check_recipient_access-reject 
550 5.4.1 Delivery to this mailbox is not permitted for you

That always returns the 550 so the message will be rejected.


But how is internal_user_lookup actually enforced? This is how I’ve got it done:
ldap-check_recipient_access.cf:
# get recipient policy for a mail group
query_filter = (&(objectClass=mailGroup)(|(mail=%s)(mailAlternateAddress=%s)))
result_attribute = mgrpBroadcasterPolicy

main.cf again:
smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
reject_unlisted_recipient,
[...]
check_recipient_access ldap:/etc/postfix/ldap-check_recipient_access.cf,
reject_unverified_recipient

So, for every incoming mail I make a call to that LDAP search above. If the 
group has the attribute mgrpBroadcasterPolicy set to internal_user_lookup 
(that’s the only value that will be set at the moment, otherwise it won’t 
exist), the defined smtpd_restriction_class is called. Which does what I 
described above.

Hope that helps :-) The postfix docs are actually really good, but it’s complex 
to implement. Sometimes you just need a test setup. I got started there, I 
believe: http://www.postfix.org/LDAP_README.html 


Best regards,
Christoph

> On 25.01.2019 at 13:09, mj (li...@merit.unu.edu) wrote:
> 
> Hi,
> 
> On 1/25/19 3:37 AM, Pedro Antunes (pantu...@suroot.pt) wrote:
>> Hi,
>> how i can create an distribution list (alias) that contain all mailboxes of 
>> one domain? its possible?
>> It’s possible restrict who can send emails to one alias?
> 
> We do this in our accounts backend (ldap/AD) by creating a group, giving it an 
> email address, and adding users to it.
> 
> Then in sogo.conf we add a specific user source, something like:
> 
>>type = ldap;
>>CNFieldName = displayName;
>>IDFieldName = cn;
>>UIDFieldName = uid;
>>baseDN = "CN=Groups,DC=";
>>canAuthenticate = NO;
>>bindDN = "cn=sogo-groups,cn=.";
>>bindPassword = ;
>>displayName = "Our groups";
>>listRequiresDot = NO;
>>MailFieldNames =(mail, otherMailbox, proxyAddresses);
>>id = ad-mail-groups;
>>isAddressBook = YES;
>>port = 389;
>>scope = "SUB";
>>filter = "(objectClass=group)";
> 
> You also need to configure postfix to handle these same groups.
> 
> About restrictions: I guess I'd look at the postfix side of things for 
> restrictions. But I don't have an answer ready for you.
> 
> MJ
> -- 
> users@sogo.nu
> https://inverse.ca/sogo/lists

-- 
users@sogo.nu
https://inverse.ca/sogo/lists
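
Here is an added Python model, written for this page and not Postfix code or code from either message, of the decision path the two messages above describe: the `internal_user_lookup` restriction class (check_sender_access, then the catch-all regexp check_recipient_access, then reject) selected by a check_recipient_access lookup on the recipient, with texthash tables from the later message standing in for the LDAP maps. It implements the access(5) sub-key search order and the regexp_table(5) line format so the trace matches what `postmap -q` returns. The table contents, the addresses and the 554 text of the bare `reject` are constructed or assumed; the 550 reply text is the one from the thread.

```python
"""Trace of the Postfix restriction-class setup from the thread above.
Added illustration: re-implements just enough of access(5) and regexp_table(5)
lookup semantics to show why a listed sender is permitted and an unlisted one
gets the 550 from the catch-all regexp table. All tables are constructed."""
import re

# texthash/hash source format: "key result"; '#' comments and blank lines ignored.
# Constructed stand-in for ldap-internal_user_lookup.cf (every internal address -> OK).
ALLOWED_SENDERS = """\
# internal users who may post to restricted lists (constructed sample)
alice@example.com OK
bob@example.com   OK
"""

# Constructed stand-in for ldap-check_recipient_access.cf: restricted lists map
# to the restriction class name; unlisted recipients return nothing.
RECIPIENT_POLICY = """\
all@example.com   internal_user_lookup
staff@example.com internal_user_lookup
"""

# regexp_table(5) format: /pattern/flags result (whitespace before the result).
REJECT_ALL = """\
# the same message for all
/^(.*)$/ 550 5.4.1 Delivery to this mailbox is not permitted for you
"""

DEFAULT_REJECT = "554 5.7.1 Access denied"  # assumed text for a bare "reject" (reject_code default 554)


def parse_texthash(text):
    """Parse a texthash/hash source file into {lowercased key: result}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, result = line.split(None, 1)
        table[key.lower()] = result.strip()
    return table


def parse_regexp_table(text):
    """Parse a regexp table into [(compiled pattern, result)]; first match wins."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        delim = line[0]                      # first character delimits the pattern
        end = line.index(delim, 1)
        pattern, rest = line[1:end], line[end + 1:]
        m = re.match(r"(\S*)\s+(.*)", rest)  # optional flags, whitespace, result
        if m is None:
            raise ValueError(f"malformed regexp rule: {line!r}")
        flags, result = m.group(1), m.group(2)
        # Postfix matches case-insensitively unless the 'i' flag toggles that off.
        rules.append((re.compile(pattern, 0 if "i" in flags else re.IGNORECASE), result))
    return rules


def access_lookup(table, address):
    """access(5) search order for an address: user@domain, the domain and its
    parent domains (smtpd_access_maps is in parent_domain_matches_subdomains
    by default), then user@."""
    address = address.lower()
    local, _, domain = address.rpartition("@")
    labels = domain.split(".")
    candidates = [address] + [".".join(labels[i:]) for i in range(len(labels))] + [local + "@"]
    for key in candidates:
        if key in table:
            return table[key]
    return None


def regexp_lookup(rules, key):
    """First rule whose pattern matches anywhere in the key wins."""
    for pattern, result in rules:
        if pattern.search(key):
            return result
    return None


def internal_user_lookup(sender, recipient, allowed, reject_rules):
    """The class from main.cf: check_sender_access <allowed>,
    check_recipient_access <reject_rules>, reject. Returns (action, reply)."""
    # 1. sender resolves to OK -> permit; the rest of the class is not evaluated.
    if (access_lookup(allowed, sender) or "").upper() == "OK":
        return ("PERMIT", "")
    # 2. catch-all regexp yields a 4xx/5xx text -> reject with exactly that reply.
    reply = regexp_lookup(reject_rules, recipient)
    if reply and reply[:1] in "45":
        return ("REJECT", reply)
    # 3. unconditional reject as the safety net.
    return ("REJECT", DEFAULT_REJECT)


def smtpd_recipient_decision(sender, recipient, policy, allowed, reject_rules):
    """check_recipient_access <policy>: a result naming the restriction class
    hands the decision to that class; no result means DUNNO, so the remaining
    smtpd_recipient_restrictions decide."""
    if access_lookup(policy, recipient) == "internal_user_lookup":
        return internal_user_lookup(sender, recipient, allowed, reject_rules)
    return ("DUNNO", "")


ALLOWED = parse_texthash(ALLOWED_SENDERS)
POLICY = parse_texthash(RECIPIENT_POLICY)
REJECT_RULES = parse_regexp_table(REJECT_ALL)


def decide(sender, recipient):
    """Run the decision over the constructed tables above."""
    return smtpd_recipient_decision(sender, recipient, POLICY, ALLOWED, REJECT_RULES)


if __name__ == "__main__":
    for s, r in [("alice@example.com", "all@example.com"),
                 ("mallory@example.net", "all@example.com"),
                 ("mallory@example.net", "carol@example.com")]:
        print(f"{s} -> {r}: {decide(s, r)}")
```

The sub-key search in `access_lookup` is the part worth noticing when replacing the LDAP map with a hash table: a domain-only key such as `example.com OK` would permit every address under that domain and its subdomains, so an allow-list of senders should carry full addresses.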

Re: [SOGo] webmail login attacks - captcha?

2018-04-25 Thread Christoph Kreutzer
Hi,

If the IPs are all 127.0.0.1 in SOGo's log, then you did not correctly configure 
Apache to forward the IPs like proxies do. I think that is mentioned in the 
manual.

Christoph

> On 24.04.2018 at 21:48, Sergio Cesar winc (ser...@winc.net) wrote:
> 
> I wonder if one could use the webserver authentication and pass it to SOGo 
> or roundcube. Then fail2ban will catch the IP from the http log.
> 
> SC
> 
> 
> From: Sebastián Meyer
> Sent: Tuesday, April 24, 9:51 AM
> Subject: [SOGo] webmail login attacks - captcha?
> To: users@sogo.nu
> 
> 
> Hi,
> 
> I have a couple of compromised webmail accounts, passwords weren't easy to 
> guess.
> 
> I'd like to add an increasing delay for failed logins and a captcha, is it 
> possible?
> 
> For IMAP and SMTP access I use fail2ban, but using it for webmail access, 
> DoS attacks would be unacceptably frequent, since all logins are from localhost 
> (127.0.0.1)
> 
> TIA,
> 
> --
> Seb

Re: [SOGo] saml2

2018-04-10 Thread Christoph Kreutzer
Hi MJ,

That option directly correlates with how long the session is valid (as the SAML 
assertion will be removed from cache after this time, and can no longer be sent 
to Dovecot).
3600 would be one hour. You may want to set it higher, so that the user will 
stay logged in for a business day (maybe 8*3600 or 10*3600). Beware that all 
cache entries will be kept this long, so you may need to increase the 
memcached size (if you have enough RAM) - I think that is already discussed in 
the manual, somewhere on the mailing list or in one of our SAML tickets ;-)

If you change it, don’t forget to modify the grace option accordingly in 
/etc/pam.d/dovecot for pam-script-saml.

Regarding SOGo 3/4:
The behaviour is the same. I currently live with it (only having some users, 
and most using Thunderbird/Apple Mail clients).
I believe I asked once in a ticket why there is no handling of that case in the 
AJAX requests, but never got an explanation (maybe we also talked at 
cross-purposes ;-) ).

Best regards,
Christoph

> On 10.04.2018 at 13:31, mj (li...@merit.unu.edu) wrote:
> 
> Hi,
> 
> We're playing again with sogo / dovecot / saml and would like some feedback.
> 
> We have everything (sogo, keycloak IdP, dovecot with pam-script-saml) working 
> just fine, with one remaining issue:
> 
> After a while the sogo web interface stops working, unless you change 
> 'module' (from mail module to calendar or addressbook) at which point we are 
> redirected to the IdP, logon again, and then things work again.
> 
> While sogo has stopped working, and I change imap folder, nothing happens, 
> and apache logs two 302 lines like this:
> 
>> Apr 10 13:24:21 sogod [15166]: ip.4.address.com "GET 
>> /SOGo/so/testuser/Mail/0/folderINBOX/folderfb/unseenCount HTTP/1.1" 302 0/0 
>> 0.007 - - 0
>> Apr 10 13:24:21 sogod [15165]: ip.4.address.com "POST 
>> /SOGo/so/testuser/Mail/0/folderINBOX/folderfb/uids HTTP/1.1" 302 0/75 0.008 
>> - - 0
> 
> I have set SOGoCacheCleanupInterval to 3600, should I set it higher..? Are 
> others using saml auth also seeing this?
> 
> This is on a fresh stretch install, sogo version 2.3.23-1
> 
> Any use in trying with sogo v3 or v4?
> 
> MJ
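
Added example, written for this page and not SOGo or fail2ban code: it parses sogod request-log lines of the format quoted in this thread and runs the two checks the threads point at. The first is Christoph's point from the login-attacks thread above: while every request is attributed to the loopback address, the reverse proxy is not passing the real client address through, so per-IP banning cannot work. The second counts 302 answers to AJAX calls under /SOGo/so/ per client, the symptom MJ reports for expired SAML sessions. The log lines are constructed in the quoted format with documentation-range addresses, and the regular expression generalises from the two quoted lines, which is an assumption about the wider format.

```python
"""Checks over sogod log lines in the shape quoted in the thread above.
Added illustration, not SOGo or fail2ban code; all log lines are constructed."""
import re
from collections import Counter

# Field order taken from the two quoted lines: timestamp, process, client,
# request line, status, bytes in/out, seconds. Trailing fields are ignored.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) sogod \[(?P<pid>\d+)\]: '
    r'(?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes_in>\d+)/(?P<bytes_out>\d+) (?P<secs>[\d.]+)'
)

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: every request attributed to the loopback address.
LOG_LOOPBACK_ONLY = """\
Apr 10 13:24:21 sogod [15166]: 127.0.0.1 "GET /SOGo/so/testuser/Mail/0/folderINBOX/folderfb/unseenCount HTTP/1.1" 302 0/0 0.007 - - 0
Apr 10 13:24:21 sogod [15165]: 127.0.0.1 "POST /SOGo/so/testuser/Mail/0/folderINBOX/folderfb/uids HTTP/1.1" 302 0/75 0.008 - - 0
Apr 10 13:24:30 sogod [15165]: 127.0.0.1 "GET /SOGo/so/testuser/Mail/0/folderINBOX/folderfb/unseenCount HTTP/1.1" 200 0/40 0.005 - - 0
"""

# Constructed sample: the proxy hands real client addresses through.
LOG_WITH_CLIENTS = """\
Apr 10 13:24:21 sogod [15166]: 203.0.113.5 "GET /SOGo/so/testuser/Mail/0/folderINBOX/folderfb/unseenCount HTTP/1.1" 302 0/0 0.007 - - 0
Apr 10 13:24:22 sogod [15165]: 198.51.100.7 "GET /SOGo/so/otheruser/Mail/0/folderINBOX/folderfb/unseenCount HTTP/1.1" 200 0/40 0.005 - - 0
"""


def parse_line(line):
    """Return the fields of one sogod request line as a dict, or None if it
    does not match the format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    """Parse every recognisable line; unparseable lines are skipped."""
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def clients_all_loopback(records):
    """True when every request carries a loopback client address: the reverse
    proxy is not forwarding the real address, so a ban tool reading this log
    would only ever see 127.0.0.1 and banning it would lock everybody out."""
    return bool(records) and all(r["client"] in LOOPBACK for r in records)


def redirected_ajax_by_client(records):
    """Count 302 answers to /SOGo/so/ (AJAX) requests per client; a client
    piling these up is being bounced to the IdP instead of getting data."""
    counts = Counter(r["client"] for r in records
                     if r["status"] == 302 and r["path"].startswith("/SOGo/so/"))
    return dict(counts)


if __name__ == "__main__":
    for name, text in (("loopback only", LOG_LOOPBACK_ONLY), ("with clients", LOG_WITH_CLIENTS)):
        recs = parse_log(text)
        print(name, "| proxy forwarding broken:", clients_all_loopback(recs),
              "| 302s on AJAX:", redirected_ajax_by_client(recs))
```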

Re: [SOGo] Upcoming SOGo v4 release

2018-03-05 Thread Christoph Kreutzer
Hi Martin,

There is a DB migration script in the usual location (don’t remember it atm).
At least on Debian the message is shown after upgrading.

Otherwise there were no manual steps required to update.

@Ludovic:
Thanks for the hard work, works without problems since last Thursday!

Best regards,
Christoph

> On 05.03.2018 at 00:49, Martin Waschbüsch (mar...@waschbuesch.de) wrote:
> 
> Hi Ludovic,
> 
>> On 01.03.2018 at 14:52, Ludovic Marcotte (lmarco...@inverse.ca) wrote:
>> 
>> Hello,
>> 
>> Early next week, we'll release SOGo v4. We've been working hard on this 
>> release for many months. Among some of the important features of SOGo v4, 
>> there are:
>> 
>> full S/MIME support for signing and encryption
>> complete rework of the handling of recurrence exceptions
>> performance optimizations of the Web GUI by creating AngularJS components
>> many Enterprise ActiveSync improvements
>> We also made a gazillion bug fixes and improvements.
>> 
>> Nightly builds of the upcoming v4 have been available since the beginning of 
>> the week - just replace /3/ by /4/ in the URL for the repositories while we 
>> update the website for the release
>> 
> 
> That is awesome!
> 
> Are there instructions for the upgrade procedure yet? Any major things to 
> look out for? e.g. required changes in SQL backend, etc.
> 
> Martin

Re: [SOGo] Integrate SOGo with a OTP Solution

2017-04-04 Thread Christoph Kreutzer
Hello,

I am (mostly) successfully using the SAML authentication with SOGo. You can 
read about my experiences on the mailing list ;-)

I also don’t know LinOTP, but would recommend privacyID3A 
(https://www.privacyidea.org/) and SimpleSAMLphp (https://simplesamlphp.org/) 
in combination as SAML IdP (Identity Provider). PrivacyID3A is under constant 
development and allows very flexible usage scenarios.

The simpler option would be SimpleSAMLphp alone with something like this: 
https://github.com/NIIF/simplesamlphp-module-authtfaga (I currently use a 
forked version of it, but I’m in the process of migrating to privacyID3A). Or 
you can use any other IdP, like the Shibboleth IdP (but more complex to set 
up) or Keycloak (used by some other people out there I know).

Best regards,
Christoph

> On 04.04.2017 at 17:33, Christian Mack (christian.m...@uni-konstanz.de) wrote:
> 
> Hello
> 
> On 31.03.2017 at 00:28, Elias Pereira Silva (elias@dpf.gov.br) wrote:
>> Hi,
>> 
>> We have installed a linotp server (https://www.linotp.org/) to provide an
>> authentication with OTP solution. It works like a radius server
>> integrated with an LDAP directory that validates the password and OTP
>> code in the same input.
>> 
>> So, we are interested in changing the SOGo authentication (on the
>> webserver) to include a radius auth (first) and in the success case proceed
>> with the LDAP authentication.
>> 
>> Could you suggest to us a way to start this plan?
>> 
> 
> I do not know linotp myself.
> But I think you can use SAML2 authentication for it with SOGo.
> 
> Hope that gives a hint in the right direction.
> 
> 
> Kind regards,
> Christian Mack
> 
> -- 
> Christian Mack
> Universität Konstanz
> Kommunikations-, Informations-, Medienzentrum (KIM)
> Basic Services Department
> 78457 Konstanz
> +49 7531 88-4416
> 


Re: [SOGo] Activesync not bringing in Global Address List

2017-03-06 Thread Christoph Kreutzer
Hello Gerald,

ActiveSync does by default only sync the personal address books. I don’t know 
if there is a way to add the global address book, but if it was, you would find 
a solution in the mailing list archives. I remember it has been discussed 
before.

Regards,
Christoph

> On 06.03.2017 at 17:58, Gerald Brandt (g...@majentis.com) wrote:
> 
> Hi,
> 
> I have SOGo 3.2.7 running on NethServer and talking to Active Directory 
> (Univention). On the web page, all of my AD users with email get pulled into 
> the address book. When connecting Outlook 2013 via activesync, the same 
> users/email addresses do not show up.
> 
> Is this a known issue with activesync?
> 
> Gerald
> 

Re: [SOGo] SOGo resources

2017-02-06 Thread Christoph Kreutzer
Hi Gerald,

then I see two possibilities:

a) configure dovecot so that it accepts mails for your resources (new userdb 
entry)
b) modify postfix so that it redirects mails to a resource to another inbox

It won’t help to create another AD account with another mail address which 
is redirected, since SOGo wouldn’t notice these mails and the resource won’t be 
booked (as you have written before). The booking is not done via mail but via 
the calendaring protocol (CalDAV, EAS), so the resource mail must be correct.

Regards,
Christoph

> On 06.02.2017 at 19:43, Gerald Brandt (g...@majentis.com) 
> <users@sogo.nu> wrote:
> 
> 
> 
> On 2017-02-06 10:03 AM, Christoph Kreutzer (kreutzer.christ...@gmail.com) 
> wrote:
>> Hi,
>> 
>> In my opinion, you can just leave the AD part out.
>> A resource is identified using an email address, but it doesn’t really need 
>> an inbox (I've configured it this way, at least).
>> 
>> Then, in SOGo, you can just add your resource as attendee to the event and 
>> it will accept or decline.
>> 
>> Regards,
>> Christoph
> 
> The issue is that my users are using a client (thunderbird or outlook), and 
> it will send an email for the invite.
> 
> Gerald
> 
> 
> 
> 
>>> On 06.02.2017 at 16:48, Gerald Brandt (g...@majentis.com) 
>>> <users@sogo.nu> wrote:
>>> 
>>> 
>>> 
>>> On 2017-02-05 02:09 PM, Christoph Kreutzer (kreutzer.christ...@gmail.com) 
>>> wrote:
>>>> Hi Gerald,
>>>> 
>>>> yes - just create a SQL user source with the necessary options for 
>>>> resources :)
>>>> 
>>>> Regards,
>>>> Christoph
>>>> 
>>>>> On 05.02.2017 at 16:40, Gerald Brandt (g...@majentis.com) 
>>>>> <users@sogo.nu> wrote:
>>>>> 
>>>>> Hi,
>>>>> 
>>>>> I have SOGo running against Active Directory (details below*). Is it 
>>>>> possible to have resources (meeting rooms, etc) in the local MySQL 
>>>>> database while users and groups are in AD? I'm not super comfortable with 
>>>>> modifying my schema.
>>>>> 
>>>>> Gerald
>>>>> 
>>>>> * I run Univention as my AD, and NethServer as my SOGo. It works quite 
>>>>> well.
>>>>> 
>>>>> 
>>> That's great. Now I need some details.
>>> 
>>> Machine a: dc1 - Active directory, postfix, and dovecot
>>> Machine b: sogo
>>> 
>>> SOGo gets its user list from machine A, and connects to A's postfix and 
>>> dovecot server.
>>> 
>>> Since the meeting room needs an email address, do I create it as a regular 
>>> user in the AD domain, and as a resource user in the MySQL db?
>>> 
>>> AD: create user boardr...@example.com and forward all email to 
>>> boardroom-...@example.com
>>> MySQL: create user boardroom-...@example.com
>>> 
>>> Share boardroom-res calendar with users (read only)
>>> 
>>> Does that sound right?
>>> 
>>> Gerald

Re: [SOGo] SOGo resources

2017-02-06 Thread Christoph Kreutzer
Hi,

In my opinion, you can just leave the AD part out.
A resource is identified using an email address, but it doesn’t really need an 
inbox (I've configured it this way, at least).

Then, in SOGo, you can just add your resource as attendee to the event and it 
will accept or decline.

Regards,
Christoph

> On 06.02.2017 at 16:48, Gerald Brandt (g...@majentis.com) 
> <users@sogo.nu> wrote:
> 
> 
> 
> On 2017-02-05 02:09 PM, Christoph Kreutzer (kreutzer.christ...@gmail.com) 
> wrote:
>> Hi Gerald,
>> 
>> yes - just create a SQL user source with the necessary options for resources 
>> :)
>> 
>> Regards,
>> Christoph
>> 
>>> On 05.02.2017 at 16:40, Gerald Brandt (g...@majentis.com) 
>>> <users@sogo.nu> wrote:
>>> 
>>> Hi,
>>> 
>>> I have SOGo running against Active Directory (details below*). Is it 
>>> possible to have resources (meeting rooms, etc) in the local MySQL database 
>>> while users and groups are in AD? I'm not super comfortable with modifying 
>>> my schema.
>>> 
>>> Gerald
>>> 
>>> * I run Univention as my AD, and NethServer as my SOGo. It works quite well.
>>> 
>>> 
> That's great. Now I need some details.
> 
> Machine a: dc1 - Active directory, postfix, and dovecot
> Machine b: sogo
> 
> SOGo gets its user list from machine A, and connects to A's postfix and 
> dovecot server.
> 
> Since the meeting room needs an email address, do I create it as a regular 
> user in the AD domain, and as a resource user in the MySQL db?
> 
> AD: create user boardr...@example.com and forward all email to 
> boardroom-...@example.com
> MySQL: create user boardroom-...@example.com
> 
> Share boardroom-res calendar with users (read only)
> 
> Does that sound right?
> 
> Gerald

Re: [SOGo] SOGo resources

2017-02-05 Thread Christoph Kreutzer
Hi Gerald,

yes - just create a SQL user source with the necessary options for resources :)

Regards,
Christoph

> On 05.02.2017 at 16:40, Gerald Brandt (g...@majentis.com) wrote:
> 
> Hi,
> 
> I have SOGo running against Active Directory (details below*). Is it possible 
> to have resources (meeting rooms, etc) in the local MySQL database while 
> users and groups are in AD? I'm not super comfortable with modifying my 
> schema.
> 
> Gerald
> 
> * I run Univention as my AD, and NethServer as my SOGo. It works quite well.
> 
> 

Re: [SOGo] end user passwd change in /SOGo

2017-01-31 Thread Christoph Kreutzer
Hi Ralf, hi MJ,

Thanks for the answers up to now!

According to the docs [1] there is the following option for LDAP user sources:

bindAsCurrentUser
If set to YES, SOGo will always keep binding to the LDAP server using the DN of 
the currently authenticated user. If bindFields is set, bindDN and bindPassword 
will still be required to find the proper DN of the user.

In this case the user should be able to change its own password via SOGo.
For this to work, you either need bindFields set (for looking up the user's DN) 
or IDFieldName (the attribute which builds the user's DN, like 
IDFieldName=, baseDN).

MJ, I don't know if that works in combination with SAML - since SOGo shouldn't 
know the user's password, it probably binds using the given bindDN, which then 
would need the rights to change other users' passwords.

Ralf, I'm not sure what you're looking for. If you need a frontend for password 
self service, I would either go with the SOGo functionality built in, or with 
the already named LAM. In my use case I have an existing user management via a 
Zend Framework application, which allows that similarly to LAM (we use an admin 
user to set userPassword, setting a custom built crypt-hash using SHA512 with a 
nice number of rounds - should work with most Linux distros [2]).
If you're asking regarding OpenLDAP ACLs to allow a user to change its own 
password, you would find that here: [3]
I don't really know much about the SOGo features themselves, since I'm using SAML 
auth.

Regards,
Christoph

[1] 
https://sogo.nu/files/docs/SOGoInstallationGuide.html#_authentication_using_ldap
[2] https://en.m.wikipedia.org/wiki/Crypt_(C)#Support_in_operating_systems
[3] http://www.openldap.org/lists/openldap-software/200212/msg00518.html

> On 31.01.2017 at 14:52, lists (li...@merit.unu.edu) wrote:
> 
> Hi
> 
>> we are looking for a password change mechanism for openldap. Can you
>> please share your knowledge re. this?
> In active directory, end users are allowed to change their own passwords by 
> default. This does require that the connection is made over ldapS.
> 
> There is a tool called ldap-account-manager (lam) that we used in the past. 
> It included an end-user password change portal.
> (https://www.ldap-account-manager.org/)
> 
> We are also currently testing RedHat's keycloak (SAML/oauth Idp) that 
> will prompt users to change their ldap passwords as well, if they have 
> expired.
> (http://www.keycloak.org/)
> 
> And you're right: Perhaps better to take this offlist if you have more 
> questions. (and yes, I also realise that your question was actually aimed at 
> Christoph)
> 
> Best regards to all,
> MJ

Re: [SOGo] end user passwd change in /SOGo

2017-01-30 Thread Christoph Kreutzer
Hi MJ,

haven't checked that, but when not using User binding but giving a bind dn, 
probably the bind User is used for this action. Probably you can check that in 
the AD logs.
Also, you can probably give the user only the right to modify the userPassword 
attribute - at least in openldap that's possible.

Regards,
Christoph

> On 30.01.2017 at 13:27, lists (li...@merit.unu.edu) wrote:
> 
> Hi,
> 
> To support end-user password change using /SOGo, is it required that the 
> bindDN from sogo.conf has admin permissions in active directory?
> 
> Or are the changes done under the credentials of the currently /SOGo logged 
> on user, and without the need for admin permissions in AD?
> 
> MJ

Re: [SOGo] Alarm notify - repeating events

2017-01-24 Thread Christoph Kreutzer
You would think so, but no :D

The query in the cronjob is rounding down to the full minute and then takes the 
range from then to -5 mins.
So the alarm may come a bit late (at the event start time or shortly after), 
but it is sent.

Since I have only a small setup and use these notifications only several hours 
before fixed events (real world garbage collection ;-) ) this is fine for me. 
However I will test a newer nightly with the normal job when I come to it.

Regards,
Christoph

> On 23.01.2017 at 08:06, Ralf Cirksena (c...@holmco.de) wrote:
> 
> On Fri, Jan 20, 2017 at 03:09:45PM +0100 you wrote:
> 
>> What I also observed was that the reminder with the default cron job (every 
>> minute) was sent six times, because the tool uses a 5 minute window (seen it 
>> in the source code). I now changed the cron job to run every 6 mins and that 
>> is fine now. However, it’s kind of weird.
> 
> What do you do with alarms set to 3..5 minutes prior to the event? I
> guess you may miss a few alarms.
> 
> 
> Regards
> -- 
> R. Cirksena 

Re: [SOGo] Alarm notify - repeating events

2017-01-20 Thread Christoph Kreutzer
Hi Fabio,

I’m testing this functionality also. I think in my case the update to the new 
time is working, as most reminders are now scheduled for the next week. But 
I also have entries from the first week of January.

What I also observed was that the reminder with the default cron job (every 
minute) was sent six times, because the tool uses a 5 minute window (seen it in 
the source code). I now changed the cron job to run every 6 mins and that is fine 
now. However, it’s kind of weird.

I think I need more thorough testing here, however I’m short on time at the 
moment.

Regards,
Christoph

> On 19.01.2017 at 10:48, Fabio Onorini (onofa...@gmail.com) wrote:
> 
> ... in addition to the previous reporting
> I would expect that expired alarms on non-recurring events are deleted from 
> the table sogo_alarms_folder, but this does not happen.
> 
> 2017-01-19 10:33 GMT+01:00 Fabio Onorini:
> Hello sogo users,
> I have some problems with events alarm.
> 
> After the upgrade to version 3.2.5, the system correctly adds records in the 
> sogo_alarms_folder table and the cron script sends mail.
> The problem occurred on recurring events. The record was not updated with the 
> new alarm_date (next occurrence).
> 
> But on the bugtracker the issue #1053 (https://sogo.nu/bugs/view.php?id=1053) 
> was updated to resolved status.
> 
> Do you have the same problem?
> 
> -- 
> 
> Fabio Onorini
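
As an added illustration, written for this page and not SOGo's code, of the window arithmetic described in this message and the one above it: the job rounds its run time down to the whole minute and selects alarms from five minutes earlier up to that minute, so a per-minute cron picks the same alarm up six times, while a 6-minute cron picks it up once but up to five minutes late. Under that same model, consecutive 6-minute windows leave a one-minute hole, so an alarm timed at a fractional minute inside the hole is never selected, which is the miss Ralf asks about. The sample dates and the `mark_sent` variant (a job that records an alarm as delivered after the first send, the behaviour Fabio expected) are constructed assumptions.

```python
"""Simulation of the alarm cron-job window discussed in the thread above.
Added illustration, not SOGo code: models only what the thread describes
(round the run time down to the minute, select alarms in the last 5 minutes)
and counts how often one alarm is picked up for a given cron interval."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # the 5-minute selection window mentioned in the thread


def cron_runs(first_run, last_run, interval_minutes):
    """Run times every interval_minutes in [first_run, last_run)."""
    t = first_run
    while t < last_run:
        yield t
        t += timedelta(minutes=interval_minutes)


def selected(run_time, alarm_time, window=WINDOW):
    """The job's selection as described: round the run time down to the minute,
    then take alarms whose time lies in [rounded - window, rounded]."""
    now = run_time.replace(second=0, microsecond=0)
    return now - window <= alarm_time <= now


def simulate(alarm_time, interval_minutes, first_run, hours=2, mark_sent=False):
    """Return (number of sends, delay of the first send in minutes or None).
    mark_sent=True models a job that records the alarm as delivered after the
    first send (an assumption), which removes duplicates at any interval."""
    sends = []
    for run in cron_runs(first_run, first_run + timedelta(hours=hours), interval_minutes):
        if selected(run, alarm_time):
            sends.append(run)
            if mark_sent:
                break
    delay = (sends[0] - alarm_time).total_seconds() / 60 if sends else None
    return len(sends), delay


def example_results():
    """The scenarios from the thread, on a constructed sample day."""
    start = datetime(2017, 1, 20, 9, 0)
    on_the_hour = datetime(2017, 1, 20, 10, 0)
    return {
        "every minute": simulate(on_the_hour, 1, start),                      # duplicates
        "every 6 minutes": simulate(on_the_hour, 6, start),                   # once, on time
        "every 6 minutes, alarm 10:01": simulate(datetime(2017, 1, 20, 10, 1), 6, start),      # once, late
        "every 6 minutes, alarm 10:00:30": simulate(datetime(2017, 1, 20, 10, 0, 30), 6, start),  # missed
        "every minute, mark sent": simulate(on_the_hour, 1, start, mark_sent=True),
    }


if __name__ == "__main__":
    for name, (count, delay) in example_results().items():
        print(f"{name:32s} sent {count} time(s), first send delayed {delay} min")
```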

Re: [SOGo] AD avatar - How to?

2017-01-09 Thread Christoph Kreutzer
Hi Alex,

That's easy.
SOGo by default uses the photo LDAP attribute. You need to create a Mapping 
from photo to thumbnailPhoto or jpegPhoto, or both. See the documentation for 
LDAP UserSource mapping, I don't have it in my mind.

It should look somehow like
photo = ("thumbnailPhoto", "jpegPhoto")

Best regards,
Christoph

> On 09.01.2017 at 13:03, Alexandre Zuotoski Neto (t...@csmcalderaria.com.br) wrote:
> 
> Hi!
> 
> Thanks for the reply. If I understood, your examples are on how to add images 
> to AD. My MS-AD already has user images; I want to use them in SOGo, like I 
> already do in Roundcube, GLPI, Openfire, etc. 
> 
> How can I import/show my AD users' images in SOGo?
> 
> Cheers.
> 
>  
> 
> ---
> 
> Alex Zuotoski
> Information Technology
> Phones: +5541-3641-4250 / ext. 229
> E-mails: a...@csmcalderaria.com.br / t...@csmcalderaria.com.br
> 
> http://www.csmcalderaria.com.br
> 
> On 2017-01-09 09:48, Szládovics Péter wrote:
> 
>> On 2017-01-09 12:29, Alexandre Zuotoski Neto 
>> (t...@csmcalderaria.com.br) wrote:
>>> Hi!
>>> 
>>> I saw that SOGo now supports active directory avatars (I guess that it 
>>> also supports the MS-AD thumbnailPhoto/jpegPhoto attribute). Is it correct? If 
>>> so, how to do it, please?
>>> 
>>> Thank you!
>>> 
>> 
>> Hi Alexandre,
>> 
>> For example: if you have a thumbnail in /path/example.jpg, then you can do 
>> it with the following method.
>>> echo "dn: cn=example.user,dc=example,dc=com
>>> changetype: modify
>>> add: jpegPhoto
>>> jpegPhoto:< file:///path/example.jpg
>>> -
>>> add: thumbnailPhoto
>>> thumbnailPhoto:< file:///path/example.jpg" | ldapmodify -D 
>>> cn=administrator,dc=example,dc=com -W
>> It adds both attributes to the user's attributes after you give the 
>> administrator's password.
>> You need the ldap-utils package to do that.
>> 
>> If the user already has another jpeg thumbnail avatar, then you need to use 
>> the "replace" command instead of "add". I think you can use ldbmodify 
>> instead of ldapmodify with similar syntax, but I'm not sure it's the same. I 
>> usually use the above.
>> 
>> Cheers,
>> Peti

Re: [SOGo] multi-domain and identical usernames

2017-01-08 Thread Christoph Kreutzer
Hi,

in my experience your configuration is just not possible (however I’m unable to 
find it specifically written in the docs).
But there are several parts about it:
- see SOGoEnableDomainBasedUID
- „c_uid - will be used for authentication“
- „c_name - which can be identical to c_uid - will be used to uniquely identify 
entries“

What would be possible:
see SOGoLoginDomains
And maybe you could modify the login page, so that the domain value is selected 
using JS and eventually hidden. See: 
https://sogo.nu/nc/support/faq/article/how-to-customize-the-html-2.html 


But I’m afraid a vHost-based config doesn’t seem to be possible.

Don’t you like your users signing in using their mail address? I find that more 
intuitive, personally.

Best regards,
Christoph

> On 08.01.2017 at 18:22, To Ja (goa.ra...@gmail.com) wrote:
> 
> Hi Kai-Uwe.
> Thank you for your input. I really appreciate it.
> However I don't see how just this data model should support my requirement 
> (the same usernames on multiple domains).
> 
> I already have Exim+Dovecot+Roundcube combo that supports it perfectly.
> I am now hoping to replace Roundcube with SOGo as a webmail.
> However what is simple in Roundcube, where I can define separate config for 
> mail.alpha.com and mail.beta.com
> 
> // try to load host-specific configuration
> $config['include_host_config'] = array(
>   'mail.alpha.com' => 'alpha_config.inc.php',
>   'mail.beta.com' => 'beta_config.inc.php',
> );
> 
> This seems impossible in SOGo out of the box.
> Hopefully I am wrong with that statement and that's why I am asking other 
> users for opinion.
> 
> Thanks!
> 
> 
> On Sun, Jan 8, 2017 at 4:21 PM, "Kai-Uwe Rommel" wrote:
> 
> users-requ...@sogo.nu wrote on 08.01.2017 15:40:02:
> > 
> > Hi SOGo users.
> > Has anyone managed to set up multi-domain configuration with 
> > webmail, where users login just with their usernames and identical 
> > usernames are handled correctly?
> > What I mean:
> > j...@alpha.com and j...@beta.com will use just "joe" as a username in 
> > their webmails (mail.alpha.com and mail.beta.com).
> > I've spent whole day trying to do that, with no success yet.
> I am using MySQL as the authentication source and user table for
> Dovecot and SOGo. My user table looks like this (names changed):
> select * from mail.dovecot_user
> +-------+------+----------------+------------------------+----------------------------------------+--------+
> | uuid  | gid  | cn             | email                  | home                                   | active |
> +-------+------+----------------+------------------------+----------------------------------------+--------+
> | 10003 | 5000 | julius.schulz  | julius.sch...@dom.com  | /var/spool/mail/dom.com/julius.schulz  |      1 |
> | 10004 | 5000 | clemens.schulz | clemens.sch...@dom.com | /var/spool/mail/dom.com/clemens.schulz |      1 |
> | 10001 | 5000 | joachim.schulz | joachim.sch...@dom.com | /var/spool/mail/dom.com/joachim.schulz |      1 |
> | 10018 | 5000 | root           | r...@localhost.dom.com | /var/spool/mail/dom.com/joachim.schulz |      1 |
> | 10002 | 5000 | postmaster     | postmas...@dom.com     | /var/spool/mail/dom.com/joachim.schulz |      1 |
> | 10016 | 5000 | ebay_wf        | ebay...@dom.com        | /var/spool/mail/dom.com/joachim.schulz |      1 |
> | 10020 | 5000 | agnes.meier    | agnes.me...@dom.com    | /var/spool/mail/dom.com/agnes.meier    |      1 |
> ...
> 
> I am using "cn" as the column to use for login, so users log in
> with "firstname.lastname" only. As you can see, for one mailbox
> I have defined a few aliases this way. This is in this case
> not for different domains but you should be able to use it
> that way as well. But in addition, you would have to configure
> Postfix to accept e-mails for the additional domains, too.
> 
> Kai-Uwe Rommel
> 
> 

Re: [SOGo] sogo / dovecot / saml

2016-12-03 Thread Christoph Kreutzer
Hello MJ

Please see the first of my mails again. There is an option beginning with 
NGImap... in my configuration example doing exactly that :)

Good luck!

Regards,
Christoph

> On 03.12.2016 at 21:21, mj (li...@merit.unu.edu) wrote:
> 
> 
> 
>> On 12/03/2016 07:52 PM, mj (li...@merit.unu.edu) wrote:
>> 
>> It would be so nice if we could re-use the password-less OpenChange imap
>> listener on 127.0.0.1/32 also for SAML access.
> 
> Timo Sirainen from dovecot tells me:
> 
> "If SOGo used AUTHENTICATE PLAIN instead of LOGIN, it should work. The SASL 
> authentication buffer is larger (8 kB) than regular commands' buffer (~1 kB)."
> 
> Is there a way to make SOGo do that?
> 
> MJ

Re: [SOGo] Logwatch - Spamd error

2016-11-28 Thread Christoph Kreutzer
Hi,

Looks like the update mechanism: It downloads new signatures and restarts the 
server afterwards to pick them up.

> On 27.11.2016 at 20:19, postmaster (postmas...@tayzee.xyz) wrote:
> 
> Hey All,
> 
> I seem to have the below in my logwatch everyday. Can anyone explain why or 
> what this means? Is my spamassassin working properly?
> 
> I've posted the latest mail logs below too.
> 
> Any help would be much appreciated :)
> 
> Thanks 
> - SpamAssassin Begin  
> 
> Child-related errors
> 
>spamd: child [___] killed successfully: interrupted, signal ___ (___): 2 
> Time(s)
> 
> -- SpamAssassin End - 
> 
>  
> 
> Nov 27 07:07:17 mail spamd[1892]: spamd: server hit by SIGHUP, restarting
> 
> Nov 27 07:07:17 mail spamd[1892]: spamd: child [2150] killed successfully: 
> interrupted, signal 2 (0002)
> 
> Nov 27 07:07:17 mail spamd[1892]: spamd: child [2149] killed successfully: 
> interrupted, signal 2 (0002)
> 
> Nov 27 07:07:17 mail spamd[1892]: spamd: server socket closed, type 
> IO::Socket::IP
> 
> Nov 27 07:07:17 mail spamd[1892]: spamd: server socket closed, type 
> IO::Socket::IP
> 
> Nov 27 07:07:18 mail spamd[1892]: logger: removing stderr method
> 
> Nov 27 07:07:19 mail spamd[17357]: zoom: able to use 342/342 'body_0' 
> compiled rules (100%)
> 
> Nov 27 07:07:20 mail spamd[17357]: spamd: server started on IO::Socket::IP 
> [::1]:783, IO::Socket::IP [127.0.0.1]:783 (running version 3.4.1)
> 
> Nov 27 07:07:20 mail spamd[17357]: spamd: server pid: 17357
> 
> Nov 27 07:07:20 mail spamd[17357]: spamd: server successfully spawned child 
> process, pid 17382
> 
> Nov 27 07:07:20 mail spamd[17357]: spamd: server successfully spawned child 
> process, pid 17383
> 
> Nov 27 07:07:20 mail spamd[17357]: prefork: child states: II
> 

Re: [SOGo] sogo / dovecot / saml

2016-11-26 Thread Christoph Kreutzer
Hi MJ,

You're welcome!

> Thanks for the above. Nice that we're both on dovecot. Are you using the 
> regular jessie packages?

Yes, I’m using the default Debian repositories (+ backports, but I’m not sure 
if Dovecot is in there).

> No, same here, but on the other hand: the whole crudesaml exercise sounds 
> like a messy journey too.
It is. If there is a chance I would like to replace my PHP implementation, too. 
But you just can’t rely on liblasso for that without patching… And currently 
it’s working OK for me.

Best regards,
Christoph

Re: [SOGo] Problem with sharing

2016-11-25 Thread Christoph Kreutzer
Hi Alex,

Problem 1: Did you define the several domains as different domains in 
sogo.conf? If it's only one, it's default behaviour.

Problem 2: You can set default access rights in sogo.conf, please take a look 
at the docs, I don't remember them right now. Sth. like PublicDandTViewer etc.

Best regards,
Christoph

Sent from my iPhone

> On 25.11.2016 at 21:35, Alexander Holzapfel (a...@huizi.at) wrote:
> 
> Hi. I use SOGo in combination with the administration tool mailcow and I love 
> it.
> 
> But now I have seen that when I am searching for some users, they will be 
> displayed with their name and mail address.
> 
> Problem 1: I won't see the other users with other domain names. Is it 
> possible to set the privacy level a little bit higher?
> 
> Problem 2: I can subscribe to a calendar of a person who doesn't have added 
> my account to his sharing partners. How can I disable that?
> 
> Alex

Re: [SOGo] sogo / dovecot / saml

2016-11-25 Thread Christoph Kreutzer
Hi MJ,

I’m probably one of the few that got it working. I’m using it on Debian 8, what 
is your OS?

crudesaml was not working for me, since it needs at least a patched liblasso 
(you find more on that in the archive, I’ve posted all my findings some weeks 
ago).
My solution was developed relatively quickly using PHP (I tried a shell script 
first, but parsing XML etc. would have been hell): 
https://github.com/ck-ws/pam-script-saml 


Of course it would also be possible to just accept any password on the dovecot 
side from localhost. I would try it as it’s documented for OpenChange.

Your problem isn’t really one: For Dovecot you can specify several passdb 
lookups, I’ve done that also (one for localhost with the normal LDAP userdb, 
one with PAM for SAML, and one using MySQL for Google-like app passwords), see 
below:

# application specific passwords
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql-asp.conf.ext
}
# PAM (for SOGo SAML SSO login)
passdb {
  driver = pam
}
# normal login
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
  override_fields = allow_nets=local,127.0.0.1/32,::1
}
userdb {
  driver = prefetch
}
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
}

Of course you would need to apply your passwordless config in there. But I 
don’t really like the thought of a passwordless mail access…

Also there is currently a problem with CAS/SAML authentication. See #3884: 
https://sogo.nu/bugs/view.php?id=3884 


Best regards,
Christoph

> On 25.11.2016 at 09:08, mj (li...@merit.unu.edu) wrote:
> 
> Hi,
> 
> We have just started experimenting with saml, and trying it with the various 
> applications we use.
> 
> From the docs and list posts, it seems that we can use SAML with sogo, the 
> only difficulty being the dovecot authentication. (with crudesaml, pam, etc)
> 
> So I wonder: for the SOGo openchange/outlook compatibility it is already 
> required to allow imap from localhost without a password. Could we somehow 
> use this for SAML auth as well?
> 
> Is anyone doing that? What would the required config be like?
> 
> The problem, I imagine: we need a 'regular' config, for regular password 
> authentication, and a 'localhost-passwordless' config, specific for saml, 
> right?
> 
> Or am I talking nonsense now?
> 
> MJ

Re: [SOGo] SAML2 authentication requirements

2016-10-20 Thread Christoph Kreutzer
y checks the first result row for a given uid (but I think it 
should be easily changeable, see feature request #3820).
I currently work around it by creating multiple views for authentication 
sources, each returning only one password per user. This is a bit tricky (at 
least as long MariaDB doesn't support analytical window functions), but if 
somebody is interested, I could document it.


> On 19.09.2016 at 14:53, Stephen Ingram <sbing...@gmail.com> wrote:
> 
> On Sun, Sep 18, 2016 at 4:09 AM, Christoph Kreutzer 
> <kreutzer.christ...@gmail.com> wrote:
> 
>> On 16.09.2016 at 19:11, Christoph Kreutzer 
>> <kreutzer.christ...@gmail.com> wrote:
>> 
>> How could you resolve this, Stephen?
> 
> I found it out (after adding a consent:Consent to simpleSAMLphp):
> As the Shibboleth SP wants OID attributes, I had added a name2oid 
> AttributeMap. I just added a oid2name in the SP metadata in simpleSAMLphp and 
> it works now :)
> 
> Now I only have to find out how to make SAML work with Dovecot, hopefully 
> without patching and recompiling:
> https://wiki.auf.org/wikiteki/Projet/SOGo/TestsSAML
> 
> Christoph-
> 
> Glad to hear you got things working at least on the front end. Unfortunately, 
> I never was able to get either of the solutions recommended by the SOGo 
> manual working on the backend to the mail store (in your case Dovecot). Both 
> solutions are sort of a mess in that they use non-standard patches that don't 
> seem to be supported by any distribution packages. You could setup in a 
> similar way to how the developers advocate using EAS by simply allowing all 
> access to the mail server from SOGo. Even though it's really difficult to 
> pass the password, the username seems to be passed properly so if you tell 
> Dovecot to accept the connection, so you should end up with the correct user. 
> Certainly not the best considering that you are obviously trying to setup a 
> secure solution by not exposing the password at all. I'm guessing not too 
> many schools have deployed SOGo (with Shibboleth), or they are keeping very 
> quiet about how they are doing it. I never heard back from anyone at auf.org 
> again. If you do find a good solution, I would love to hear 
> what you did.
> 
> Steve


Re: [SOGo] Autodiscovery + Openchange + SOGo

2016-09-22 Thread Christoph Kreutzer
Hi!

I use a custom implementation based on this guide/code (as I don’t use Zentyal):
https://www.kernel-error.de/postfix/autodiscover 


My observations:
- Different clients use different upper-/lowercase - I personally map all 
requests to autodiscover.example.com to /autodiscover/autodiscover.xml
- I also had a problem with 4xx responses, but I think it was a 417 (by the web server) 
because of some Expect: 100 header

As I use lighttpd, I can’t recommend a specific Apache config. But here is mine:

# autodiscover.example.com (Exchange ActiveSync/Outlook Auto Discovery)
$HTTP["host"] == "autodiscover.example.com" {
server.reject-expect-100-with-417 = "disable"
server.document-root = "/var/www/html"
url.rewrite-once = (
"^/(.*)$" => "/autodiscover-ms.php"
)
}

This works fine up to now, also in the test from Microsoft.

Greetings from the federal city,
Christoph

> On 22.09.2016 at 09:59, devteam (devt...@alpeinsoft.ch) wrote:
> 
> Hello, guys! A few months ago Jhonathan posted an issue on the Zentyal bug tracker, but 
> they still haven't responded (https://tracker.zentyal.org/issues/5043):
> 
> Maybe the SOGo team has experience with autodiscover?

[SOGo] Application specific password authentication

2016-09-22 Thread Christoph Kreutzer
Hello,

I’m currently working on the implementation of application specific passwords 
for my mail server (like Google's: 
https://support.google.com/accounts/answer/185833).
My main authentication/user source is LDAP, but I don’t want my users to set 
their LDAP passwords on their devices for accessing Cal/CardDAV.

Therefore I created an SQL authentication source which allows to add more than 
one password per account.
Since you can’t write your own password query like in Dovecot, I built a view 
over it and tried several ways without success:
1. Return multiple entries with the same c_uid and a different c_name 
(PK@c_uid), each with a different c_password (because of "c_name: will be used 
to uniquely identify entries" in documentation)
=> only the first c_uid matching result works
2. Return multiple entries with different c_uid and the same c_name, each with 
a different c_password
=> creates multiple accounts and needs PK@c_name as login user
3. Return a single entry with multiple, space delimited c_password
=> doesn’t work at all

Does someone know a working configuration? As a last resort I thought of the 
following workaround:
Create multiple views (5 - 10), each returning only one entry per c_uid with 
different passwords, configure the same amount of AuthSources in sogo.conf. But 
that isn’t really beautiful, as it restricts the amount of app specific 
passwords and I think performance would suffer because of the 10 additional 
queries per login attempt.

I already had a look into SQLSource.m 
(https://github.com/inverse-inc/sogo/blob/master/SoObjects/SOGo/SQLSource.m#L209),
but I think I need to dig deeper to find out if it’s possible to process more 
than one result row (and more than one password, therefore). Relevant part 
starting around L#270.

Thanks,
Christoph
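The multi-view workaround sketched in this post, and later described as "tricky as long as MariaDB doesn't support window functions" in the 2016-10-20 reply above, written out as an added example (not the poster's own schema): the app_passwords table and its label column are assumptions, the c_* column names are those of SOGo's SQL user source, and each view returns at most one row per c_uid because rows are ranked with a correlated COUNT instead of ROW_NUMBER().

```sql
-- Constructed example, not from the thread: one row per (user, app password).
-- Column names follow the SOGo SQL user source (c_uid, c_name, c_password ...).
CREATE TABLE app_passwords (
    id         INT AUTO_INCREMENT PRIMARY KEY,
    c_uid      VARCHAR(255) NOT NULL,   -- login name, same value as in LDAP
    c_cn       VARCHAR(255),
    c_mail     VARCHAR(255),
    c_password VARCHAR(255) NOT NULL,   -- store hashed, e.g. "{SSHA}..." (assumed)
    label      VARCHAR(64),             -- assumed: "phone CalDAV", for revocation later
    INDEX (c_uid)
);

-- Rank of a row among the same user's rows = number of that user's rows with a
-- smaller id. This stands in for ROW_NUMBER() OVER (PARTITION BY c_uid ORDER BY id)
-- on MariaDB builds without window functions.
-- View N keeps only rows of rank N-1, so every view yields at most one row per
-- c_uid (SOGo only checks the first row), and c_name = c_uid keeps entries
-- unique within one source.
CREATE OR REPLACE VIEW sogo_asp_1 AS
SELECT a.c_uid, a.c_uid AS c_name, a.c_cn, a.c_mail, a.c_password
FROM app_passwords a
WHERE (SELECT COUNT(*) FROM app_passwords b
       WHERE b.c_uid = a.c_uid AND b.id < a.id) = 0;

CREATE OR REPLACE VIEW sogo_asp_2 AS
SELECT a.c_uid, a.c_uid AS c_name, a.c_cn, a.c_mail, a.c_password
FROM app_passwords a
WHERE (SELECT COUNT(*) FROM app_passwords b
       WHERE b.c_uid = a.c_uid AND b.id < a.id) = 1;

-- sogo_asp_3 .. sogo_asp_N follow the same pattern with = 2, = 3, ...;
-- N is the hard cap on app passwords per user that the post complains about.

-- Sanity check after changes: must return no rows, otherwise one view would
-- hand SOGo two rows for a uid and only the first password would ever be tried.
SELECT c_uid, COUNT(*) AS n FROM sogo_asp_1 GROUP BY c_uid HAVING n > 1;
```

Each view is then wired up as its own `type = sql` source with its own `viewURL` and `canAuthenticate = YES` in sogo.conf; deleting a row re-ranks that user's remaining passwords, which is harmless because every view still returns one row per user.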

Re: [SOGo] Change WebServerResources URL

2016-09-21 Thread Christoph Kreutzer
AFAIK not. But how about making a (301) redirect in your web server's config? It 
will still touch your web server the first time, but usually the 301s should 
be cached by the browser.

> On 21.09.2016 at 19:45, Jason Mooradian (cow...@gmail.com) wrote:
> 
> Is there any way to change the WebServerResources URL so I can point it to a 
> CDN instead of the main Sogo server?
> 
> Thanks!

Re: [SOGo] SAML2 authentication requirements

2016-09-18 Thread Christoph Kreutzer

> On 16.09.2016 at 19:11, Christoph Kreutzer <kreutzer.christ...@gmail.com> wrote:
> 
> How could you resolve this, Stephen?

I found it out (after adding a consent:Consent to simpleSAMLphp):
As the Shibboleth SP wants OID attributes, I had added a name2oid AttributeMap. 
I just added a oid2name in the SP metadata in simpleSAMLphp and it works now :)

Now I only have to find out how to make SAML work with Dovecot, hopefully 
without patching and recompiling:
https://wiki.auf.org/wikiteki/Projet/SOGo/TestsSAML

Christoph.

Re: [SOGo] SAML2 authentication requirements

2016-09-16 Thread Christoph Kreutzer

> On 01.07.2013 at 20:10, Stephen Ingram wrote:
> 
> On Sat, Jun 29, 2013 at 6:13 AM, Ludovic Marcotte wrote:
> On 2013-06-29 1:57 AM, Stephen Ingram wrote:
>> The makefile in SoObjects/SOGo (line 149) indicates the presence of this 
>> metadata file, but there is none. The code in SOGoSAML2Session also appears 
>> to look for this file (SOGoSAML2Metadata.xml). Does this need to be added 
>> before compiling? I've tried adding it to the WebserverResources directory, 
>> but SOGo still doesn't pick it up.
> Try placing it in /usr/sbin/Resources/sogod/Resources/  (adjust depending on 
> where your sogod binary is located and create the Resources directory).
> 
> That is just due to some brain damage in the bundle loading code.
> 
> That doesn't work, but it did give me a hint as to where it should be. The 
> magic location is /usr/lib/GNUstep/Frameworks/SOGo.framework/Resources/. I 
> can now see the metadata when browsing to 
> https://webmail.4test.net/SOGo/saml2-metadata. If I try to login at 
> https://webmail.4test.net/SOGo I am 
> correctly re-directed to the IdP for authentication.
> 
> I still don't have a working system as once authenticating at the IdP, SOGo 
> apparently doesn't receive what it's looking for and tries to login with 
> nothing:
> 
> EXCEPTION:  NAME:NSInvalidArgumentException 
> REASON:Tried to add nil value for key 'login' to dictionary INFO:{}
> 
> which results in a proxy error:
> 
> The proxy server received an invalid response from an upstream server. The 
> proxy server could not handle the request POST /SOGo/saml2-signon-post.
> 
> Looking at the code, I see that SOGo maybe only wants either the uid or mail 
> attributes encoded in a SAML2NameID format. I'm not sure if the endpoint 
> /SOGo/saml2-signon-post is correct or not as I gleaned it from error logs 
> listing typical SOGo requests. Are /SOGo/saml2-metadata and 
> /SOGo/saml2-signon-post the only two endpoints?
> 
> Steve


Hi,

I know that was long ago, but maybe someone can help. I tried setting up SOGo 
3.1.5 on Debian Jessie with SAML auth (SimpleSAMLphp IdP is working properly 
with Shibboleth SP).
Configuration is as follows:

// SAML
SOGoAuthenticationType = saml2;
SOGoSAML2PrivateKeyLocation = "/etc/sogo/saml.pem";
SOGoSAML2CertificateLocation = "/etc/sogo/saml.crt";
SOGoSAML2IdpMetadataLocation = "/etc/sogo/idp-metadata.xml";
SOGoSAML2IdpPublicKeyLocation = "/etc/sogo/idp.crt";
SOGoSAML2IdpCertificateLocation = "/etc/sogo/idp.crt";
SOGoSAML2LoginAttribute = mail;
SOGoSAML2LogoutEnabled = YES;
SOGoSAML2LogoutURL = "https://example.com";

I also tried it without SOGoSAML2LoginAttribute, but I get the same error as 
above:

Sep 16 19:01:00 sogod [17999]: <0x0x7f7b1f9a4fc0[SOGoCache]> Cache 
cleanup interval set every 300.00 seconds
Sep 16 19:01:00 sogod [17999]: <0x0x7f7b1f9a4fc0[SOGoCache]> Using 
host(s) 'localhost' as server(s)
EXCEPTION:  
NAME:NSInvalidArgumentException REASON:Tried to add nil value for key 'login' 
to dictionary INFO:{}
Sep 16 19:01:00 sogod [17945]: <0x0x7f7b1fc00530[WOWatchDogChild]> 
child 17999 exited
Sep 16 19:01:00 sogod [17945]: <0x0x7f7b1fc00530[WOWatchDogChild]>  
(terminated due to signal 6)
Sep 16 19:01:00 sogod [17945]: <0x0x7f7b1fa1c190[WOWatchDog]> child 
spawned with pid 18002

How could you resolve this, Stephen?


Thanks,
Christoph

PS: There is a typo in the documentation: SOGoSAML2CertiTicateLocation ;) Cost 
me half an hour to find out.