public/mailcow-dockerized
1
0
Fork 0
mirror of https://github.com/mailcow/mailcow-dockerized.git synced 2025-12-20 21:31:32 +00:00
Code Issues Releases Wiki Activity

Prevent user login if protocol access has been disabled

Browse Source
This commit is contained in:
FreddleSpl0it
2025-09-09 12:11:19 +02:00
parent 2f75039194
commit 13f7f9830b
2 changed files with 20 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
data/conf/dovecot/auth/mailcowauth.php
View File

@@ -86,7 +86,7 @@ if ($result === false){
'remote_addr' => $post['real_rip'] 'remote_addr' => $post['real_rip']
)); ));
if ($result) { if ($result) {
error_log('MAILCOWAUTH: App auth for user ' . $post['username']); error_log('MAILCOWAUTH: App auth for user ' . $post['username'] . " with service " . $post['service'] . " from IP " . $post['real_rip']);
set_sasl_log($post['username'], $post['real_rip'], $post['service']); set_sasl_log($post['username'], $post['real_rip'], $post['service']);
} }
} }
@@ -94,9 +94,9 @@ if ($result === false){
// Init Identity Provider // Init Identity Provider
$iam_provider = identity_provider('init'); $iam_provider = identity_provider('init');
$iam_settings = identity_provider('get'); $iam_settings = identity_provider('get');
$result = user_login($post['username'], $post['password'], array('is_internal' => true)); $result = user_login($post['username'], $post['password'], array('is_internal' => true, 'service' => $post['service']));
if ($result) { if ($result) {
error_log('MAILCOWAUTH: User auth for user ' . $post['username']); error_log('MAILCOWAUTH: User auth for user ' . $post['username'] . " with service " . $post['service'] . " from IP " . $post['real_rip']);
set_sasl_log($post['username'], $post['real_rip'], $post['service']); set_sasl_log($post['username'], $post['real_rip'], $post['service']);
} }
} }
@@ -105,7 +105,7 @@ if ($result) {
http_response_code(200); // OK http_response_code(200); // OK
$return['success'] = true; $return['success'] = true;
} else { } else {
error_log("MAILCOWAUTH: Login failed for user " . $post['username']); error_log("MAILCOWAUTH: Login failed for user " . $post['username'] . " with service " . $post['service'] . " from IP " . $post['real_rip']);
http_response_code(401); // Unauthorized http_response_code(401); // Unauthorized
} }

16
data/web/inc/functions.auth.inc.php
View File

@@ -193,6 +193,7 @@ function user_login($user, $pass, $extra = null){
global $iam_settings; global $iam_settings;
$is_internal = $extra['is_internal']; $is_internal = $extra['is_internal'];
$service = $extra['service'];
if (!filter_var($user, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) { if (!filter_var($user, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
if (!$is_internal){ if (!$is_internal){
@@ -235,6 +236,14 @@ function user_login($user, $pass, $extra = null){
$row = $stmt->fetch(PDO::FETCH_ASSOC); $row = $stmt->fetch(PDO::FETCH_ASSOC);
if (!empty($row)) { if (!empty($row)) {
// check if user has access to service (imap, smtp, pop3, sieve) if service is set
$row['attributes'] = json_decode($row['attributes'], true);
if (isset($service)) {
$key = strtolower($service) . "_access";
if (isset($row['attributes'][$key]) && $row['attributes'][$key] != '1') {
return false;
}
}
return true; return true;
} }
} }
@@ -242,7 +251,14 @@ function user_login($user, $pass, $extra = null){
return false; return false;
} }
// check if user has access to service (imap, smtp, pop3, sieve) if service is set
$row['attributes'] = json_decode($row['attributes'], true); $row['attributes'] = json_decode($row['attributes'], true);
if (isset($service)) {
$key = strtolower($service) . "_access";
if (isset($row['attributes'][$key]) && $row['attributes'][$key] != '1') {
return false;
}
}
switch ($row['authsource']) { switch ($row['authsource']) {
case 'keycloak': case 'keycloak':
// user authsource is keycloak, try using via rest flow // user authsource is keycloak, try using via rest flow