On 20-09-2024 12:25, Christian Mack ([email protected]) wrote:
> Hello
>
> On 19.09.24 at 16:13, Kees van Vloten ([email protected]) wrote:
>> On 19-09-2024 15:56, qhivert ([email protected]) wrote:
>>> To add my 2 cents by reading the code, in the case of
>>> SOGoTrustProxyAuthentication = YES; Sogo will check the presence of
>>> the header
>>> "x-webobjects-auth-type" : "Basic"
>>> If yes, it will use the Basic access authentication ->
>>> https://en.wikipedia.org/wiki/Basic_access_authentication to get the
>>> password.
>>> I don't know how you make apache retrieve the password and put it in
>>> this header though...
>> I would not know how to do that either, but Sogo **will** get the
>> username from Apache. Since Apache has done the authentication and
>> the user has passed it, we trust the user. Another check that the
>> user can pass authentication will render the same result, hence it
>> has no added value.
> [cut]
> As you are having all on one server, that is true.

Well, the statement below is also true if everything is on one server.

> But if you have a separate IMAP + SMTP server, and someone compromises
> the SOGo server, in your setting that person has complete access to
> all postboxes from the SOGo server and can send as whoever he likes.
> If you have to authenticate against IMAP and SMTP, then he only can
> misuse those postboxes currently logged in.

It is good to point this out! Basically it is an assessment question: is
it a problem (for your organization) to make it one risk domain?

Going the risk path leads me to another observation: Sogo provides
multiple services: webmail-server, calendar-server (caldav),
addressbook-server (carddav), active-sync-server. If any of those are
compromised, all are compromised. It would be nice to run those
services independently of each other and have the option to put them on
different servers and separate the risk domains.

- Kees.

> Kind regards,
> Christian Mack
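The trust model qhivert describes, where SOGo accepts the identity that Apache asserts in a request header, only holds if the proxy is the sole party able to write those headers. The fragment below is an added example, not configuration taken from this thread or from the SOGo project. It assumes mod_headers and mod_proxy are loaded, that Apache performs a Basic-auth login itself against a placeholder htpasswd file, and that SOGo reads the authenticated username from x-webobjects-remote-user (the header SOGo's installation guide names for this mode; confirm against your version). The x-webobjects-auth-type header is the one named in the thread; the backend address is a placeholder.

```apache
# Added example (not from the thread): Apache reverse proxy in front of a
# SOGo instance running with SOGoTrustProxyAuthentication = YES.
# Assumptions: mod_headers + mod_proxy loaded; Apache does the login itself;
# SOGo takes the user from x-webobjects-remote-user (verify for your version).
<Location /SOGo>
    # Apache authenticates the browser. Placeholder credential store.
    AuthType Basic
    AuthName "Mail"
    AuthBasicProvider file
    AuthUserFile /etc/apache2/sogo.htpasswd
    Require valid-user

    # "set" REPLACES any header the client sent, so a browser cannot assert
    # its own identity here. %{REMOTE_USER}s is populated only after the
    # Require check above has passed; unauthenticated requests never reach
    # the backend at all.
    RequestHeader set x-webobjects-remote-user "%{REMOTE_USER}s"
    RequestHeader set x-webobjects-auth-type   "Basic"

    # Placeholder backend address; SOGo must listen on a loopback or
    # otherwise proxy-only interface for this model to be safe.
    ProxyPass        http://127.0.0.1:20000/SOGo
    ProxyPassReverse http://127.0.0.1:20000/SOGo
</Location>
```

Two consequences follow directly from the thread. First, because SOGo in this mode trusts whatever carries these headers, the backend listener must be unreachable except through this proxy; firewall or bind it accordingly, since the header check itself provides no protection against a client that can talk to SOGo directly. Second, this is exactly the single risk domain Christian points out: once SOGo is trusted on the strength of a header, nothing downstream re-verifies the user, so the mail servers behind it inherit the proxy's and SOGo's security rather than each user's own credentials.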