diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index 1947ec465..9bbdbea55 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -1,3685 +1,3687 @@ -1) { - $bits=(int)($ar[1]); - } - else { - $bits = $iplen * 8; - } - for ($c=0; $bits>0; $c++) { - $bytemask = ($bits < 8) ? 0xff ^ ((1 << (8-$bits))-1) : 0xff; - if (((ord($ipb[$c]) ^ ord($ip1b[$c])) & $bytemask) != 0) { - continue 2; - } - $bits-=8; - } - return true; - } - return false; -} -function hash_password($password) { - // default_pass_scheme is determined in vars.inc.php (or corresponding local file) - // in case default pass scheme is not defined, falling back to BLF-CRYPT. - global $default_pass_scheme; - $pw_hash = NULL; - // support pre-hashed passwords - if (preg_match('/^{(ARGON2I|ARGON2ID|BLF-CRYPT|CLEAR|CLEARTEXT|CRYPT|DES-CRYPT|LDAP-MD5|MD5|MD5-CRYPT|PBKDF2|PLAIN|PLAIN-MD4|PLAIN-MD5|PLAIN-TRUNC|PLAIN-TRUNC|SHA|SHA1|SHA256|SHA256-CRYPT|SHA512|SHA512-CRYPT|SMD5|SSHA|SSHA256|SSHA512)}/i', $password)) { - $pw_hash = $password; - } - else { - switch (strtoupper($default_pass_scheme)) { - case "SSHA": - $salt_str = bin2hex(openssl_random_pseudo_bytes(8)); - $pw_hash = "{SSHA}".base64_encode(hash('sha1', $password . $salt_str, true) . $salt_str); - break; - case "SSHA256": - $salt_str = bin2hex(openssl_random_pseudo_bytes(8)); - $pw_hash = "{SSHA256}".base64_encode(hash('sha256', $password . $salt_str, true) . $salt_str); - break; - case "SSHA512": - $salt_str = bin2hex(openssl_random_pseudo_bytes(8)); - $pw_hash = "{SSHA512}".base64_encode(hash('sha512', $password . $salt_str, true) . $salt_str); - break; - case "BLF-CRYPT": - default: - $pw_hash = "{BLF-CRYPT}" . password_hash($password, PASSWORD_BCRYPT); - break; - } - } - return $pw_hash; -} -function password_complexity($_action, $_data = null) { - global $redis; - global $lang; - switch ($_action) { - case 'edit': - if ($_SESSION['mailcow_cc_role'] != "admin") { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_action, $_data), - 'msg' => 'access_denied' - ); - return false; - } - $is_now = password_complexity('get'); - if (!empty($is_now)) { - $length = (isset($_data['length']) && intval($_data['length']) >= 3) ? intval($_data['length']) : $is_now['length']; - $chars = (isset($_data['chars'])) ? intval($_data['chars']) : $is_now['chars']; - $lowerupper = (isset($_data['lowerupper'])) ? intval($_data['lowerupper']) : $is_now['lowerupper']; - $special_chars = (isset($_data['special_chars'])) ? intval($_data['special_chars']) : $is_now['special_chars']; - $numbers = (isset($_data['numbers'])) ? intval($_data['numbers']) : $is_now['numbers']; - } - try { - $redis->hMSet('PASSWD_POLICY', [ - 'length' => $length, - 'chars' => $chars, - 'special_chars' => $special_chars, - 'lowerupper' => $lowerupper, - 'numbers' => $numbers - ]); - } - catch (RedisException $e) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_action, $_data), - 'msg' => array('redis_error', $e) - ); - return false; - } - $_SESSION['return'][] = array( - 'type' => 'success', - 'log' => array(__FUNCTION__, $_action, $_data), - 'msg' => 'password_policy_saved' - ); - break; - case 'get': - try { - $length = $redis->hGet('PASSWD_POLICY', 'length'); - $chars = $redis->hGet('PASSWD_POLICY', 'chars'); - $special_chars = $redis->hGet('PASSWD_POLICY', 'special_chars'); - $lowerupper = $redis->hGet('PASSWD_POLICY', 'lowerupper'); - $numbers = $redis->hGet('PASSWD_POLICY', 'numbers'); - return array( - 'length' => $length, - 'chars' => $chars, - 'special_chars' => $special_chars, - 'lowerupper' => $lowerupper, - 'numbers' => $numbers - ); - } - catch (RedisException $e) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_action, $_data), - 'msg' => array('redis_error', $e) - ); - return false; - } - return false; - break; - case 'html': - $policies = password_complexity('get'); - foreach ($policies as $name => $value) { - if ($value != 0) { - $policy_text[] = sprintf($lang['admin']["password_policy_$name"], $value); - } - } - return '

- ' . implode('
- ', (array)$policy_text) . '

'; - break; - } -} -function password_check($password1, $password2) { - $password_complexity = password_complexity('get'); - - if (empty($password1) || empty($password2)) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_action, $_type), - 'msg' => 'password_complexity' - ); - return false; - } - - if ($password1 != $password2) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_action, $_type), - 'msg' => 'password_mismatch' - ); - return false; - } - - $given_password['length'] = strlen($password1); - $given_password['special_chars'] = preg_match('/[^a-zA-Z\d]/', $password1); - $given_password['chars'] = preg_match('/[a-zA-Z]/',$password1); - $given_password['numbers'] = preg_match('/\d/', $password1); - $lower = strlen(preg_replace("/[^a-z]/", '', $password1)); - $upper = strlen(preg_replace("/[^A-Z]/", '', $password1)); - $given_password['lowerupper'] = ($lower > 0 && $upper > 0) ? true : false; - - if ( - ($given_password['length'] < $password_complexity['length']) || - ($password_complexity['special_chars'] == 1 && (intval($given_password['special_chars']) != $password_complexity['special_chars'])) || - ($password_complexity['chars'] == 1 && (intval($given_password['chars']) != $password_complexity['chars'])) || - ($password_complexity['numbers'] == 1 && (intval($given_password['numbers']) != $password_complexity['numbers'])) || - ($password_complexity['lowerupper'] == 1 && (intval($given_password['lowerupper']) != $password_complexity['lowerupper'])) - ) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_action, $_type), - 'msg' => 'password_complexity' - ); - return false; - } - - return true; -} -function last_login($action, $username, $sasl_limit_days = 7, $ui_offset = 1) { - global $pdo; - global $redis; - $sasl_limit_days = intval($sasl_limit_days); - switch ($action) { - case 'get': - if (filter_var($username, FILTER_VALIDATE_EMAIL) && hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) { - $stmt = $pdo->prepare('SELECT `real_rip`, MAX(`datetime`) as `datetime`, `service`, `app_password`, MAX(`app_passwd`.`name`) as `app_password_name` FROM `sasl_log` - LEFT OUTER JOIN `app_passwd` on `sasl_log`.`app_password` = `app_passwd`.`id` - WHERE `username` = :username - AND HOUR(TIMEDIFF(NOW(), `datetime`)) < :sasl_limit_days - GROUP BY `real_rip`, `service`, `app_password` - ORDER BY `datetime` DESC;'); - $stmt->execute(array(':username' => $username, ':sasl_limit_days' => ($sasl_limit_days * 24))); - $sasl = $stmt->fetchAll(PDO::FETCH_ASSOC); - foreach ($sasl as $k => $v) { - if (!filter_var($sasl[$k]['real_rip'], FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) { - $sasl[$k]['real_rip'] = 'Web/EAS/Internal (' . $sasl[$k]['real_rip'] . ')'; - } - elseif (filter_var($sasl[$k]['real_rip'], FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) { - try { - $sasl[$k]['location'] = $redis->hGet('IP_SHORTCOUNTRY', $sasl[$k]['real_rip']); - } - catch (RedisException $e) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_action, $_data_log), - 'msg' => array('redis_error', $e) - ); - return false; - } - if (!$sasl[$k]['location']) { - $curl = curl_init(); - curl_setopt($curl, CURLOPT_URL,"https://dfdata.bella.network/country/" . $sasl[$k]['real_rip']); - curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); - curl_setopt($curl, CURLOPT_USERAGENT, 'Moocow'); - curl_setopt($curl, CURLOPT_TIMEOUT, 5); - $ip_data = curl_exec($curl); - if (!curl_errno($curl)) { - $ip_data_array = json_decode($ip_data, true); - if ($ip_data_array !== false and !empty($ip_data_array['shortcountry'])) { - $sasl[$k]['location'] = $ip_data_array['shortcountry']; - try { - $redis->hSet('IP_SHORTCOUNTRY', $sasl[$k]['real_rip'], $ip_data_array['shortcountry']); - } - catch (RedisException $e) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_action, $_data_log), - 'msg' => array('redis_error', $e) - ); - curl_close($curl); - return false; - } - } - } - curl_close($curl); - } - } - } - } - else { - $sasl = array(); - } - if ($_SESSION['mailcow_cc_role'] == "admin" || $username == $_SESSION['mailcow_cc_username']) { - $stmt = $pdo->prepare('SELECT `remote`, `time` FROM `logs` - WHERE JSON_EXTRACT(`call`, "$[0]") = "check_login" - AND JSON_EXTRACT(`call`, "$[1]") = :username - AND `type` = "success" ORDER BY `time` DESC LIMIT 1 OFFSET :offset'); - $stmt->execute(array( - ':username' => $username, - ':offset' => $ui_offset - )); - $ui = $stmt->fetch(PDO::FETCH_ASSOC); - } - else { - $ui = array(); - } - - return array('ui' => $ui, 'sasl' => $sasl); - break; - case 'reset': - if (filter_var($username, FILTER_VALIDATE_EMAIL) && hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) { - $stmt = $pdo->prepare('DELETE FROM `sasl_log` - WHERE `username` = :username'); - $stmt->execute(array(':username' => $username)); - } - if ($_SESSION['mailcow_cc_role'] == "admin" || $username == $_SESSION['mailcow_cc_username']) { - $stmt = $pdo->prepare('DELETE FROM `logs` - WHERE JSON_EXTRACT(`call`, "$[0]") = "check_login" - AND JSON_EXTRACT(`call`, "$[1]") = :username - AND `type` = "success"'); - $stmt->execute(array(':username' => $username)); - } - return true; - break; - } - -} -function set_sasl_log($username, $real_rip, $service){ - global $pdo; - - try { - if (!empty($_SESSION['app_passwd_id'])) { - $app_password = $_SESSION['app_passwd_id']; - } else { - $app_password = 0; - } - - $stmt = $pdo->prepare('REPLACE INTO `sasl_log` (`username`, `real_rip`, `service`, `app_password`) VALUES (:username, :real_rip, :service, :app_password)'); - $stmt->execute(array( - ':username' => $username, - ':real_rip' => $real_rip, - ':service' => $service, - ':app_password' => $app_password - )); - } catch (PDOException $e) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_data_log), - 'msg' => array('mysql_error', $e) - ); - return false; - } - - return true; -} -function flush_memcached() { - try { - $m = new Memcached(); - $m->addServer('memcached', 11211); - $m->flush(); - } - catch ( Exception $e ) { - // Dunno - } -} -function sys_mail($_data) { - if ($_SESSION['mailcow_cc_role'] != "admin") { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__), - 'msg' => 'access_denied' - ); - return false; - } - $excludes = $_data['mass_exclude']; - $includes = $_data['mass_include']; - $mailboxes = array(); - $mass_from = $_data['mass_from']; - $mass_text = $_data['mass_text']; - $mass_html = $_data['mass_html']; - $mass_subject = $_data['mass_subject']; - if (!filter_var($mass_from, FILTER_VALIDATE_EMAIL)) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__), - 'msg' => 'from_invalid' - ); - return false; - } - if (empty($mass_subject)) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__), - 'msg' => 'subject_empty' - ); - return false; - } - if (empty($mass_text)) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__), - 'msg' => 'text_empty' - ); - return false; - } - $domains = array_merge(mailbox('get', 'domains'), mailbox('get', 'alias_domains')); - foreach ($domains as $domain) { - foreach (mailbox('get', 'mailboxes', $domain) as $mailbox) { - $mailboxes[] = $mailbox; - } - } - if (!empty($includes)) { - $rcpts = array_intersect($mailboxes, $includes); - } - elseif (!empty($excludes)) { - $rcpts = array_diff($mailboxes, $excludes); - } - else { - $rcpts = $mailboxes; - } - if (!empty($rcpts)) { - ini_set('max_execution_time', 0); - ini_set('max_input_time', 0); - $mail = new PHPMailer; - $mail->Timeout = 10; - $mail->SMTPOptions = array( - 'ssl' => array( - 'verify_peer' => false, - 'verify_peer_name' => false, - 'allow_self_signed' => true - ) - ); - $mail->isSMTP(); - $mail->Host = 'dovecot-mailcow'; - $mail->SMTPAuth = false; - $mail->Port = 24; - $mail->setFrom($mass_from); - $mail->Subject = $mass_subject; - $mail->CharSet ="UTF-8"; - if (!empty($mass_html)) { - $mail->Body = $mass_html; - $mail->AltBody = $mass_text; - } - else { - $mail->Body = $mass_text; - } - $mail->XMailer = 'MooMassMail'; - foreach ($rcpts as $rcpt) { - $mail->AddAddress($rcpt); - if (!$mail->send()) { - $_SESSION['return'][] = array( - 'type' => 'warning', - 'log' => array(__FUNCTION__), - 'msg' => 'Mailer error (RCPT "' . htmlspecialchars($rcpt) . '"): ' . str_replace('https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting', '', $mail->ErrorInfo) - ); - } - $mail->ClearAllRecipients(); - } - } - $_SESSION['return'][] = array( - 'type' => 'success', - 'log' => array(__FUNCTION__), - 'msg' => 'Mass mail job completed, sent ' . count($rcpts) . ' mails' - ); -} -function logger($_data = false) { - /* - logger() will be called as last function - To manually log a message, logger needs to be called like below. - - logger(array( - 'return' => array( - array( - 'type' => 'danger', - 'log' => array(__FUNCTION__), - 'msg' => $err - ) - ) - )); - - These messages will not be printed as alert box. - To do so, push them to $_SESSION['return'] and do not call logger as they will be included automatically: - - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $user, '*'), - 'msg' => $err - ); - */ - global $pdo; - if (!$_data) { - $_data = $_SESSION; - } - if (!empty($_data['return'])) { - $task = substr(strtoupper(md5(uniqid(rand(), true))), 0, 6); - foreach ($_data['return'] as $return) { - $type = $return['type']; - $msg = null; - if (isset($return['msg'])) { - $msg = json_encode($return['msg'], JSON_UNESCAPED_UNICODE); - } - $call = null; - if (isset($return['log'])) { - $call = json_encode($return['log'], JSON_UNESCAPED_UNICODE); - } - if (!empty($_SESSION["dual-login"]["username"])) { - $user = $_SESSION["dual-login"]["username"] . ' => ' . $_SESSION['mailcow_cc_username']; - $role = $_SESSION["dual-login"]["role"] . ' => ' . $_SESSION['mailcow_cc_role']; - } - elseif (!empty($_SESSION['mailcow_cc_username'])) { - $user = $_SESSION['mailcow_cc_username']; - $role = $_SESSION['mailcow_cc_role']; - } - else { - $user = 'unauthenticated'; - $role = 'unauthenticated'; - } - // We cannot log when logs is missing... - try { - $stmt = $pdo->prepare("INSERT INTO `logs` (`type`, `task`, `msg`, `call`, `user`, `role`, `remote`, `time`) VALUES - (:type, :task, :msg, :call, :user, :role, :remote, UNIX_TIMESTAMP())"); - $stmt->execute(array( - ':type' => $type, - ':task' => $task, - ':call' => $call, - ':msg' => $msg, - ':user' => $user, - ':role' => $role, - ':remote' => get_remote_ip() - )); - } - catch (PDOException $e) { - # handle the exception here, as the exception handler function results in a white page - error_log($e->getMessage(), 0); - } - } - } - else { - return true; - } -} -function hasDomainAccess($username, $role, $domain) { - global $pdo; - if (empty($domain) || !is_valid_domain_name($domain)) { - return false; - } - if (isset($_SESSION['access_all_exception']) && $_SESSION['access_all_exception'] == "1") { - return true; - } - if (!filter_var($username, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) { - return false; - } - if ($role != 'admin' && $role != 'domainadmin') { - return false; - } - if ($role == 'admin') { - $stmt = $pdo->prepare("SELECT `domain` FROM `domain` - WHERE `domain` = :domain"); - $stmt->execute(array(':domain' => $domain)); - $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC)); - $stmt = $pdo->prepare("SELECT `alias_domain` FROM `alias_domain` - WHERE `alias_domain` = :domain"); - $stmt->execute(array(':domain' => $domain)); - $num_results = $num_results + count($stmt->fetchAll(PDO::FETCH_ASSOC)); - if ($num_results != 0) { - return true; - } - } - elseif ($role == 'domainadmin') { - $stmt = $pdo->prepare("SELECT `domain` FROM `domain_admins` - WHERE ( - `active`='1' - AND `username` = :username - AND (`domain` = :domain1 OR `domain` = (SELECT `target_domain` FROM `alias_domain` WHERE `alias_domain` = :domain2)) - )"); - $stmt->execute(array(':username' => $username, ':domain1' => $domain, ':domain2' => $domain)); - $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC)); - if (!empty($num_results)) { - return true; - } - } - return false; -} -function hasMailboxObjectAccess($username, $role, $object) { - global $pdo; - if (isset($_SESSION['access_all_exception']) && $_SESSION['access_all_exception'] == "1") { - return true; - } - if (empty($username) || empty($role) || empty($object)) { - return false; - } - if (!filter_var(html_entity_decode(rawurldecode($username)), FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) { - return false; - } - if ($role != 'admin' && $role != 'domainadmin' && $role != 'user') { - return false; - } - if ($username == $object) { - return true; - } - $stmt = $pdo->prepare("SELECT `domain` FROM `mailbox` WHERE `username` = :object"); - $stmt->execute(array(':object' => $object)); - $row = $stmt->fetch(PDO::FETCH_ASSOC); - if (isset($row['domain']) && hasDomainAccess($username, $role, $row['domain'])) { - return true; - } - return false; -} -// does also verify mailboxes as a mailbox is a alias == goto -function hasAliasObjectAccess($username, $role, $object) { - global $pdo; - if (isset($_SESSION['access_all_exception']) && $_SESSION['access_all_exception'] == "1") { - return true; - } - if (empty($username) || empty($role) || empty($object)) { - return false; - } - if (!filter_var(html_entity_decode(rawurldecode($username)), FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) { - return false; - } - if ($role != 'admin' && $role != 'domainadmin' && $role != 'user') { - return false; - } - $stmt = $pdo->prepare("SELECT `domain` FROM `alias` WHERE `address` = :object"); - $stmt->execute(array(':object' => $object)); - $row = $stmt->fetch(PDO::FETCH_ASSOC); - if (isset($row['domain']) && hasDomainAccess($username, $role, $row['domain'])) { - return true; - } - return false; -} -function hasACLAccess($type) { - if (isset($_SESSION['access_all_exception']) && $_SESSION['access_all_exception'] == "1") { - return true; - } - if (isset($_SESSION['acl'][$type]) && $_SESSION['acl'][$type] == "1") { - return true; - } - - return false; -} -function pem_to_der($pem_key) { - // Need to remove BEGIN/END PUBLIC KEY - $lines = explode("\n", trim($pem_key)); - unset($lines[count($lines)-1]); - unset($lines[0]); - return base64_decode(implode('', $lines)); -} -function expand_ipv6($ip) { - $hex = unpack("H*hex", inet_pton($ip)); - $ip = substr(preg_replace("/([A-f0-9]{4})/", "$1:", $hex['hex']), 0, -1); - return $ip; -} -function generate_tlsa_digest($hostname, $port, $starttls = null) { - if (!is_valid_domain_name($hostname)) { - return "Not a valid hostname"; - } - if (empty($starttls)) { - $context = stream_context_create(array("ssl" => array("capture_peer_cert" => true, 'verify_peer' => false, 'verify_peer_name' => false, 'allow_self_signed' => true))); - $stream = stream_socket_client('ssl://' . $hostname . ':' . $port, $error_nr, $error_msg, 5, STREAM_CLIENT_CONNECT, $context); - if (!$stream) { - $error_msg = isset($error_msg) ? $error_msg : '-'; - return $error_nr . ': ' . $error_msg; - } - } - else { - $stream = stream_socket_client('tcp://' . $hostname . ':' . $port, $error_nr, $error_msg, 5); - if (!$stream) { - return $error_nr . ': ' . $error_msg; - } - $banner = fread($stream, 512 ); - if (preg_match("/^220/i", $banner)) { // SMTP - fwrite($stream,"HELO tlsa.generator.local\r\n"); - fread($stream, 512); - fwrite($stream,"STARTTLS\r\n"); - fread($stream, 512); - } - elseif (preg_match("/imap.+starttls/i", $banner)) { // IMAP - fwrite($stream,"A1 STARTTLS\r\n"); - fread($stream, 512); - } - elseif (preg_match("/^\+OK/", $banner)) { // POP3 - fwrite($stream,"STLS\r\n"); - fread($stream, 512); - } - elseif (preg_match("/^OK/m", $banner)) { // Sieve - fwrite($stream,"STARTTLS\r\n"); - fread($stream, 512); - } - else { - return 'Unknown banner: "' . htmlspecialchars(trim($banner)) . '"'; - } - // Upgrade connection - stream_set_blocking($stream, true); - stream_context_set_option($stream, 'ssl', 'capture_peer_cert', true); - stream_context_set_option($stream, 'ssl', 'verify_peer', false); - stream_context_set_option($stream, 'ssl', 'verify_peer_name', false); - stream_context_set_option($stream, 'ssl', 'allow_self_signed', true); - stream_socket_enable_crypto($stream, true, STREAM_CRYPTO_METHOD_ANY_CLIENT); - stream_set_blocking($stream, false); - } - $params = stream_context_get_params($stream); - if (!empty($params['options']['ssl']['peer_certificate'])) { - $key_resource = openssl_pkey_get_public($params['options']['ssl']['peer_certificate']); - // We cannot get ['rsa']['n'], the binary data would contain BEGIN/END PUBLIC KEY - $key_data = openssl_pkey_get_details($key_resource)['key']; - return '3 1 1 ' . openssl_digest(pem_to_der($key_data), 'sha256'); - } - else { - return 'Error: Cannot read peer certificate'; - } -} -function alertbox_log_parser($_data) { - global $lang; - if (isset($_data['return'])) { - foreach ($_data['return'] as $return) { - // Get type - $type = $return['type']; - // If a lang[type][msg] string exists, use it as message - if (isset($return['type']) && isset($return['msg']) && !is_array($return['msg'])) { - if (isset($lang[$return['type']][$return['msg']])) { - $msg = $lang[$return['type']][$return['msg']]; - } - else { - $msg = $return['msg']; - } - } - // If msg is an array, use first element as language string and run printf on it with remaining array elements - elseif (is_array($return['msg'])) { - $msg = array_shift($return['msg']); - $msg = vsprintf( - $lang[$return['type']][$msg], - $return['msg'] - ); - } - else { - $msg = '-'; - } - $log_array[] = array('msg' => $msg, 'type' => json_encode($type)); - } - if (!empty($log_array)) { - return $log_array; - } - } - return false; -} -function verify_salted_hash($hash, $password, $algo, $salt_length) { - // Decode hash - $dhash = base64_decode($hash); - // Get first n bytes of binary which equals a SSHA hash - $ohash = substr($dhash, 0, $salt_length); - // Remove SSHA hash from decoded hash to get original salt string - $osalt = str_replace($ohash, '', $dhash); - // Check single salted SSHA hash against extracted hash - if (hash_equals(hash($algo, $password . $osalt, true), $ohash)) { - return true; - } - return false; -} -function verify_hash($hash, $password) { - if (preg_match('/^{(.+)}(.+)/i', $hash, $hash_array)) { - $scheme = strtoupper($hash_array[1]); - $hash = $hash_array[2]; - switch ($scheme) { - case "ARGON2I": - case "ARGON2ID": - case "BLF-CRYPT": - case "CRYPT": - case "DES-CRYPT": - case "MD5-CRYPT": - case "MD5": - case "SHA256-CRYPT": - case "SHA512-CRYPT": - return password_verify($password, $hash); - - case "CLEAR": - case "CLEARTEXT": - case "PLAIN": - return $password == $hash; - - case "LDAP-MD5": - $hash = base64_decode($hash); - return hash_equals(hash('md5', $password, true), $hash); - - case "PBKDF2": - $components = explode('$', $hash); - $salt = $components[2]; - $rounds = $components[3]; - $hash = $components[4]; - return hash_equals(hash_pbkdf2('sha1', $password, $salt, $rounds), $hash); - - case "PBKDF2-SHA512": - // Handle FreeIPA-style hash: {PBKDF2-SHA512}10000$$ - $components = explode('$', $hash); - if (count($components) !== 3) return false; - - // 1st part: iteration count (integer) - $iterations = intval($components[0]); - if ($iterations <= 0) return false; - - // 2nd part: salt (base64-encoded) - $salt = $components[1]; - // 3rd part: hash (base64-encoded) - $stored_hash_b64 = $components[2]; - - // Decode salt and hash from base64 - $salt_bin = base64_decode($salt, true); - $hash_bin = base64_decode($stored_hash_b64, true); - if ($salt_bin === false || $hash_bin === false) return false; - // Get length of hash in bytes - $hash_len = strlen($hash_bin); - if ($hash_len === 0) return false; - - // Calculate PBKDF2-SHA512 hash for provided password - $test_hash = hash_pbkdf2('sha512', $password, $salt_bin, $iterations, $hash_len, true); - return hash_equals($hash_bin, $test_hash); - - case "PLAIN-MD4": - return hash_equals(hash('md4', $password), $hash); - - case "PLAIN-MD5": - return md5($password) == $hash; - - case "PLAIN-TRUNC": - $components = explode('-', $hash); - if (count($components) > 1) { - $trunc_len = $components[0]; - $trunc_password = $components[1]; - - return substr($password, 0, $trunc_len) == $trunc_password; - } else { - return $password == $hash; - } - - case "SHA": - case "SHA1": - case "SHA256": - case "SHA512": - // SHA is an alias for SHA1 - $scheme = $scheme == "SHA" ? "sha1" : strtolower($scheme); - $hash = base64_decode($hash); - return hash_equals(hash($scheme, $password, true), $hash); - - case "SMD5": - return verify_salted_hash($hash, $password, 'md5', 16); - - case "SSHA": - return verify_salted_hash($hash, $password, 'sha1', 20); - - case "SSHA256": - return verify_salted_hash($hash, $password, 'sha256', 32); - - case "SSHA512": - return verify_salted_hash($hash, $password, 'sha512', 64); - - default: - return false; - } - } - return false; -} -function formatBytes($size, $precision = 2) { - if(!is_numeric($size)) { - return "0"; - } - $base = log($size, 1024); - $suffixes = array(' Byte', ' KiB', ' MiB', ' GiB', ' TiB'); - if ($size == "0") { - return "0"; - } - return round(pow(1024, $base - floor($base)), $precision) . $suffixes[floor($base)]; -} -function update_sogo_static_view($mailbox = null) { - if (getenv('SKIP_SOGO') == "y") { - return true; - } - global $pdo; - global $lang; - - $mailbox_exists = false; - if ($mailbox !== null) { - // Check if the mailbox exists - $stmt = $pdo->prepare("SELECT username FROM mailbox WHERE username = :mailbox AND active = '1'"); - $stmt->execute(array(':mailbox' => $mailbox)); - $row = $stmt->fetch(PDO::FETCH_ASSOC); - if ($row){ - $mailbox_exists = true; - } - } - - // generate random password for sogo to deny direct login - $random_password = base64_encode(openssl_random_pseudo_bytes(24)); - $random_salt = base64_encode(openssl_random_pseudo_bytes(16)); - $random_hash = '{SSHA256}' . base64_encode(hash('sha256', base64_decode($password) . $salt, true) . $salt); - - $subquery = "GROUP BY mailbox.username"; - if ($mailbox_exists) { - $subquery = "AND mailbox.username = :mailbox"; - } - $query = "INSERT INTO _sogo_static_view (`c_uid`, `domain`, `c_name`, `c_password`, `c_cn`, `mail`, `aliases`, `ad_aliases`, `ext_acl`, `kind`, `multiple_bookings`) - SELECT - mailbox.username, - mailbox.domain, - mailbox.username, - :random_hash, - mailbox.name, - mailbox.username, - IFNULL(GROUP_CONCAT(ga.aliases ORDER BY ga.aliases SEPARATOR ' '), ''), - IFNULL(gda.ad_alias, ''), - IFNULL(external_acl.send_as_acl, ''), - mailbox.kind, - mailbox.multiple_bookings - FROM - mailbox - LEFT OUTER JOIN grouped_mail_aliases ga ON ga.username REGEXP CONCAT('(^|,)', mailbox.username, '($|,)') - LEFT OUTER JOIN grouped_domain_alias_address gda ON gda.username = mailbox.username - LEFT OUTER JOIN grouped_sender_acl_external external_acl ON external_acl.username = mailbox.username - WHERE - mailbox.active = '1' - $subquery - ON DUPLICATE KEY UPDATE - `domain` = VALUES(`domain`), - `c_name` = VALUES(`c_name`), - `c_password` = VALUES(`c_password`), - `c_cn` = VALUES(`c_cn`), - `mail` = VALUES(`mail`), - `aliases` = VALUES(`aliases`), - `ad_aliases` = VALUES(`ad_aliases`), - `ext_acl` = VALUES(`ext_acl`), - `kind` = VALUES(`kind`), - `multiple_bookings` = VALUES(`multiple_bookings`)"; - - - if ($mailbox_exists) { - $stmt = $pdo->prepare($query); - $stmt->execute(array( - ':random_hash' => $random_hash, - ':mailbox' => $mailbox - )); - } else { - $stmt = $pdo->prepare($query); - $stmt->execute(array( - ':random_hash' => $random_hash - )); - } - - $stmt = $pdo->query("DELETE FROM _sogo_static_view WHERE `c_uid` NOT IN (SELECT `username` FROM `mailbox` WHERE `active` = '1');"); - - flush_memcached(); -} -function edit_user_account($_data) { - global $lang; - global $pdo; - - $_data_log = $_data; - !isset($_data_log['user_new_pass']) ?: $_data_log['user_new_pass'] = '*'; - !isset($_data_log['user_new_pass2']) ?: $_data_log['user_new_pass2'] = '*'; - !isset($_data_log['user_old_pass']) ?: $_data_log['user_old_pass'] = '*'; - - $username = $_SESSION['mailcow_cc_username']; - $role = $_SESSION['mailcow_cc_role']; - $password_old = $_data['user_old_pass']; - $pw_recovery_email = $_data['pw_recovery_email']; - - if (filter_var($username, FILTER_VALIDATE_EMAIL === false) || $role != 'user') { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_data_log), - 'msg' => 'access_denied' - ); - return false; - } - - // edit password - if (!empty($password_old) && !empty($_data['user_new_pass']) && !empty($_data['user_new_pass2'])) { - $stmt = $pdo->prepare("SELECT `password` FROM `mailbox` - WHERE `kind` NOT REGEXP 'location|thing|group' - AND `username` = :user AND authsource = 'mailcow'"); - $stmt->execute(array(':user' => $username)); - $row = $stmt->fetch(PDO::FETCH_ASSOC); - - if (!verify_hash($row['password'], $password_old)) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_data_log), - 'msg' => 'access_denied' - ); - return false; - } - - $password_new = $_data['user_new_pass']; - $password_new2 = $_data['user_new_pass2']; - if (password_check($password_new, $password_new2) !== true) { - return false; - } - $password_hashed = hash_password($password_new); - $stmt = $pdo->prepare("UPDATE `mailbox` SET `password` = :password_hashed, - `attributes` = JSON_SET(`attributes`, '$.force_pw_update', '0'), - `attributes` = JSON_SET(`attributes`, '$.passwd_update', NOW()) - WHERE `username` = :username AND authsource = 'mailcow'"); - $stmt->execute(array( - ':password_hashed' => $password_hashed, - ':username' => $username - )); - $_SESSION['pending_pw_update'] = false; - - update_sogo_static_view(); - } - // edit password recovery email - elseif (!empty($password_old) && isset($pw_recovery_email)) { - if (!isset($_SESSION['acl']['pw_reset']) || $_SESSION['acl']['pw_reset'] != "1" ) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), - 'msg' => 'access_denied' - ); - return false; - } - - $stmt = $pdo->prepare("SELECT `password` FROM `mailbox` - WHERE `kind` NOT REGEXP 'location|thing|group' - AND `username` = :user AND authsource = 'mailcow'"); - $stmt->execute(array(':user' => $username)); - $row = $stmt->fetch(PDO::FETCH_ASSOC); - - if (!verify_hash($row['password'], $password_old)) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_data_log), - 'msg' => 'access_denied' - ); - return false; - } - - $pw_recovery_email = (!filter_var($pw_recovery_email, FILTER_VALIDATE_EMAIL)) ? '' : $pw_recovery_email; - $stmt = $pdo->prepare("UPDATE `mailbox` SET `attributes` = JSON_SET(`attributes`, '$.recovery_email', :recovery_email) - WHERE `username` = :username AND authsource = 'mailcow'"); - $stmt->execute(array( - ':recovery_email' => $pw_recovery_email, - ':username' => $username - )); - } - - $_SESSION['return'][] = array( - 'type' => 'success', - 'log' => array(__FUNCTION__, $_data_log), - 'msg' => array('mailbox_modified', htmlspecialchars($username)) - ); -} -function user_get_alias_details($username) { - global $pdo; - global $lang; - $data['direct_aliases'] = array(); - $data['shared_aliases'] = array(); - if ($_SESSION['mailcow_cc_role'] == "user") { - $username = $_SESSION['mailcow_cc_username']; - } - if (!filter_var($username, FILTER_VALIDATE_EMAIL)) { - return false; - } - if (!hasMailboxObjectAccess($username, $_SESSION['mailcow_cc_role'], $username)) { - return false; - } - $data['address'] = $username; - $stmt = $pdo->prepare("SELECT `address` AS `shared_aliases`, `public_comment` FROM `alias` - WHERE `goto` REGEXP :username_goto - AND `address` NOT LIKE '@%' - AND `goto` != :username_goto2 - AND `address` != :username_address"); - $stmt->execute(array( - ':username_goto' => '(^|,)'.preg_quote($username, '/').'($|,)', - ':username_goto2' => $username, - ':username_address' => $username - )); - $run = $stmt->fetchAll(PDO::FETCH_ASSOC); - while ($row = array_shift($run)) { - $data['shared_aliases'][$row['shared_aliases']]['public_comment'] = htmlspecialchars($row['public_comment']); - //$data['shared_aliases'][] = $row['shared_aliases']; - } - - $stmt = $pdo->prepare("SELECT `address` AS `direct_aliases`, `public_comment` FROM `alias` - WHERE `goto` = :username_goto - AND `address` NOT LIKE '@%' - AND `address` != :username_address"); - $stmt->execute( - array( - ':username_goto' => $username, - ':username_address' => $username - )); - $run = $stmt->fetchAll(PDO::FETCH_ASSOC); - while ($row = array_shift($run)) { - $data['direct_aliases'][$row['direct_aliases']]['public_comment'] = htmlspecialchars($row['public_comment']); - } - $stmt = $pdo->prepare("SELECT CONCAT(local_part, '@', alias_domain) AS `ad_alias`, `alias_domain` FROM `mailbox` - LEFT OUTER JOIN `alias_domain` on `target_domain` = `domain` - WHERE `username` = :username ;"); - $stmt->execute(array(':username' => $username)); - $run = $stmt->fetchAll(PDO::FETCH_ASSOC); - while ($row = array_shift($run)) { - if (empty($row['ad_alias'])) { - continue; - } - $data['direct_aliases'][$row['ad_alias']]['public_comment'] = $lang['add']['alias_domain']; - $data['alias_domains'][] = $row['alias_domain']; - } - $stmt = $pdo->prepare("SELECT IFNULL(GROUP_CONCAT(`send_as` SEPARATOR ', '), '') AS `send_as` FROM `sender_acl` WHERE `logged_in_as` = :username AND `send_as` NOT LIKE '@%';"); - $stmt->execute(array(':username' => $username)); - $run = $stmt->fetchAll(PDO::FETCH_ASSOC); - while ($row = array_shift($run)) { - $data['aliases_also_send_as'] = $row['send_as']; - } - $stmt = $pdo->prepare("SELECT CONCAT_WS(', ', IFNULL(GROUP_CONCAT(DISTINCT `send_as` SEPARATOR ', '), ''), GROUP_CONCAT(DISTINCT CONCAT('@',`alias_domain`) SEPARATOR ', ')) AS `send_as` FROM `sender_acl` LEFT JOIN `alias_domain` ON `alias_domain`.`target_domain` = TRIM(LEADING '@' FROM `send_as`) WHERE `logged_in_as` = :username AND `send_as` LIKE '@%';"); - $stmt->execute(array(':username' => $username)); - $run = $stmt->fetchAll(PDO::FETCH_ASSOC); - while ($row = array_shift($run)) { - $data['aliases_send_as_all'] = $row['send_as']; - } - $stmt = $pdo->prepare("SELECT IFNULL(GROUP_CONCAT(`address` SEPARATOR ', '), '') as `address` FROM `alias` WHERE `goto` REGEXP :username AND `address` LIKE '@%';"); - $stmt->execute(array(':username' => '(^|,)'.preg_quote($username, '/').'($|,)')); - $run = $stmt->fetchAll(PDO::FETCH_ASSOC); - while ($row = array_shift($run)) { - $data['is_catch_all'] = $row['address']; - } - return $data; -} -function is_valid_domain_name($domain_name, $options = array()) { - if (empty($domain_name)) { - return false; - } - - // Convert domain name to ASCII for validation - $domain_name = idn_to_ascii($domain_name, 0, INTL_IDNA_VARIANT_UTS46); - - if (isset($options['allow_wildcard']) && $options['allow_wildcard'] == true) { - // Remove '*.' if wildcard subdomains are allowed - if (strpos($domain_name, '*.') === 0) { - $domain_name = substr($domain_name, 2); - } - } - - return (preg_match("/^([a-z\d](-*[a-z\d])*)(\.([a-z\d](-*[a-z\d])*))*$/i", $domain_name) - && preg_match("/^.{1,253}$/", $domain_name) - && preg_match("/^[^\.]{1,63}(\.[^\.]{1,63})*$/", $domain_name)); -} -function set_tfa($_data) { - global $pdo; - global $yubi; - global $tfa; - global $iam_settings; - - $_data_log = $_data; - $access_denied = null; - !isset($_data_log['confirm_password']) ?: $_data_log['confirm_password'] = '*'; - $username = $_SESSION['mailcow_cc_username']; - - // check for empty user and role - if (!isset($_SESSION['mailcow_cc_role']) || empty($username)) $access_denied = true; - - // check admin confirm password - if ($access_denied === null) { - $stmt = $pdo->prepare("SELECT `password` FROM `admin` - WHERE `username` = :username"); - $stmt->execute(array(':username' => $username)); - $row = $stmt->fetch(PDO::FETCH_ASSOC); - if ($row) { - if (!verify_hash($row['password'], $_data["confirm_password"])) $access_denied = true; - else $access_denied = false; - } - } - - // check mailbox confirm password - if ($access_denied === null) { - $stmt = $pdo->prepare("SELECT `password`, `authsource` FROM `mailbox` - WHERE `username` = :username"); - $stmt->execute(array(':username' => $username)); - $row = $stmt->fetch(PDO::FETCH_ASSOC); - if ($row) { - if ($row['authsource'] == 'ldap'){ - if (!ldap_mbox_login($username, $_data["confirm_password"], $iam_settings)) $access_denied = true; - else $access_denied = false; - } else { - if (!verify_hash($row['password'], $_data["confirm_password"])) $access_denied = true; - else $access_denied = false; - } - } - } - - // set access_denied error - if ($access_denied){ - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_data_log), - 'msg' => 'access_denied' - ); - return false; - } - - switch ($_data["tfa_method"]) { - case "yubi_otp": - $key_id = (!isset($_data["key_id"])) ? 'unidentified' : $_data["key_id"]; - $yubico_id = $_data['yubico_id']; - $yubico_key = $_data['yubico_key']; - $yubi = new Auth_Yubico($yubico_id, $yubico_key); - if (!$yubi) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_data_log), - 'msg' => 'access_denied' - ); - return false; - } - if (!ctype_alnum($_data["otp_token"]) || strlen($_data["otp_token"]) != 44) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_data_log), - 'msg' => 'tfa_token_invalid' - ); - return false; - } - $yauth = $yubi->verify($_data["otp_token"]); - if (PEAR::isError($yauth)) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_data_log), - 'msg' => array('yotp_verification_failed', $yauth->getMessage()) - ); - return false; - } - try { - // We could also do a modhex translation here - $yubico_modhex_id = substr($_data["otp_token"], 0, 12); - $stmt = $pdo->prepare("DELETE FROM `tfa` - WHERE `username` = :username - AND (`authmech` = 'yubi_otp' AND `secret` LIKE :modhex)"); - $stmt->execute(array(':username' => $username, ':modhex' => '%' . $yubico_modhex_id)); - $stmt = $pdo->prepare("INSERT INTO `tfa` (`key_id`, `username`, `authmech`, `active`, `secret`) VALUES - (:key_id, :username, 'yubi_otp', '1', :secret)"); - $stmt->execute(array(':key_id' => $key_id, ':username' => $username, ':secret' => $yubico_id . ':' . $yubico_key . ':' . $yubico_modhex_id)); - } - catch (PDOException $e) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_data_log), - 'msg' => array('mysql_error', $e) - ); - return false; - } - $_SESSION['return'][] = array( - 'type' => 'success', - 'log' => array(__FUNCTION__, $_data_log), - 'msg' => array('object_modified', htmlspecialchars($username)) - ); - break; - case "totp": - $key_id = (!isset($_data["key_id"])) ? 'unidentified' : $_data["key_id"]; - if ($tfa->verifyCode($_POST['totp_secret'], $_POST['totp_confirm_token']) === true) { - //$stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `username` = :username"); - //$stmt->execute(array(':username' => $username)); - $stmt = $pdo->prepare("INSERT INTO `tfa` (`username`, `key_id`, `authmech`, `secret`, `active`) VALUES (?, ?, 'totp', ?, '1')"); - $stmt->execute(array($username, $key_id, $_POST['totp_secret'])); - $_SESSION['return'][] = array( - 'type' => 'success', - 'log' => array(__FUNCTION__, $_data_log), - 'msg' => array('object_modified', $username) - ); - } - else { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_data_log), - 'msg' => 'totp_verification_failed' - ); - } - break; - case "webauthn": - $key_id = (!isset($_data["key_id"])) ? 'unidentified' : $_data["key_id"]; - - $stmt = $pdo->prepare("INSERT INTO `tfa` (`username`, `key_id`, `authmech`, `keyHandle`, `publicKey`, `certificate`, `counter`, `active`) - VALUES (?, ?, 'webauthn', ?, ?, ?, ?, '1')"); - $stmt->execute(array( - $username, - $key_id, - base64_encode($_data['registration']->credentialId), - $_data['registration']->credentialPublicKey, - $_data['registration']->certificate, - 0 - )); - - $_SESSION['return'][] = array( - 'type' => 'success', - 'log' => array(__FUNCTION__, $_data_log), - 'msg' => array('object_modified', $username) - ); - break; - case "none": - $stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `username` = :username"); - $stmt->execute(array(':username' => $username)); - $_SESSION['return'][] = array( - 'type' => 'success', - 'log' => array(__FUNCTION__, $_data_log), - 'msg' => array('object_modified', htmlspecialchars($username)) - ); - break; - } -} -function fido2($_data) { - global $pdo; - global $WebAuthn; - $_data_log = $_data; - // Not logging registration data, only actions - // Silent errors for "get" requests - switch ($_data["action"]) { - case "register": - $username = $_SESSION['mailcow_cc_username']; - if (!isset($_SESSION['mailcow_cc_role']) || empty($username)) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_data["action"]), - 'msg' => 'access_denied' - ); - return false; - } - $stmt = $pdo->prepare("INSERT INTO `fido2` (`username`, `rpId`, `credentialPublicKey`, `certificateChain`, `certificate`, `certificateIssuer`, `certificateSubject`, `signatureCounter`, `AAGUID`, `credentialId`) - VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"); - $stmt->execute(array( - $username, - $_data['registration']->rpId, - $_data['registration']->credentialPublicKey, - $_data['registration']->certificateChain, - $_data['registration']->certificate, - $_data['registration']->certificateIssuer, - $_data['registration']->certificateSubject, - $_data['registration']->signatureCounter, - $_data['registration']->AAGUID, - $_data['registration']->credentialId) - ); - $_SESSION['return'][] = array( - 'type' => 'success', - 'log' => array(__FUNCTION__, $_data["action"]), - 'msg' => array('object_modified', $username) - ); - break; - case "get_user_cids": - // Used to exclude existing CredentialIds while registering - $username = $_SESSION['mailcow_cc_username']; - if (!isset($_SESSION['mailcow_cc_role']) || empty($username)) { - return false; - } - $stmt = $pdo->prepare("SELECT `credentialId` FROM `fido2` WHERE `username` = :username"); - $stmt->execute(array(':username' => $username)); - $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); - while($row = array_shift($rows)) { - $cids[] = $row['credentialId']; - } - return $cids; - break; - case "get_all_cids": - // Only needed when using fido2 with username - $stmt = $pdo->query("SELECT `credentialId` FROM `fido2`"); - $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); - while($row = array_shift($rows)) { - $cids[] = $row['credentialId']; - } - return $cids; - break; - case "get_by_b64cid": - if (!isset($_data['cid']) || empty($_data['cid'])) { - return false; - } - $stmt = $pdo->prepare("SELECT `certificateSubject`, `username`, `credentialPublicKey`, SHA2(`credentialId`, 256) AS `cid` FROM `fido2` WHERE `credentialId` = :cid"); - $stmt->execute(array(':cid' => base64_decode($_data['cid']))); - $row = $stmt->fetch(PDO::FETCH_ASSOC); - if (empty($row) || empty($row['credentialPublicKey']) || empty($row['username'])) { - return false; - } - $data['pub_key'] = $row['credentialPublicKey']; - $data['username'] = $row['username']; - $data['subject'] = $row['certificateSubject']; - $data['cid'] = $row['cid']; - return $data; - break; - case "get_friendly_names": - $username = $_SESSION['mailcow_cc_username']; - if (!isset($_SESSION['mailcow_cc_role']) || empty($username)) { - return false; - } - $stmt = $pdo->prepare("SELECT SHA2(`credentialId`, 256) AS `cid`, `created`, `certificateSubject`, `friendlyName` FROM `fido2` WHERE `username` = :username"); - $stmt->execute(array(':username' => $username)); - $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); - while($row = array_shift($rows)) { - $fns[] = array( - "subject" => (empty($row['certificateSubject']) ? 'Unknown (' . $row['created'] . ')' : $row['certificateSubject']), - "fn" => $row['friendlyName'], - "cid" => $row['cid'] - ); - } - return $fns; - break; - case "unset_fido2_key": - $username = $_SESSION['mailcow_cc_username']; - if (!isset($_SESSION['mailcow_cc_role']) || empty($username)) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_data["action"]), - 'msg' => 'access_denied' - ); - return false; - } - $stmt = $pdo->prepare("DELETE FROM `fido2` WHERE `username` = :username AND SHA2(`credentialId`, 256) = :cid"); - $stmt->execute(array( - ':username' => $username, - ':cid' => $_data['post_data']['unset_fido2_key'] - )); - $_SESSION['return'][] = array( - 'type' => 'success', - 'log' => array(__FUNCTION__, $_data_log), - 'msg' => array('object_modified', htmlspecialchars($username)) - ); - break; - case "edit_fn": - $username = $_SESSION['mailcow_cc_username']; - if (!isset($_SESSION['mailcow_cc_role']) || empty($username)) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_data["action"]), - 'msg' => 'access_denied' - ); - return false; - } - $stmt = $pdo->prepare("UPDATE `fido2` SET `friendlyName` = :friendlyName WHERE SHA2(`credentialId`, 256) = :cid AND `username` = :username"); - $stmt->execute(array( - ':username' => $username, - ':friendlyName' => $_data['fido2_attrs']['fido2_fn'], - ':cid' => $_data['fido2_attrs']['fido2_cid'] - )); - $_SESSION['return'][] = array( - 'type' => 'success', - 'log' => array(__FUNCTION__, $_data_log), - 'msg' => array('object_modified', htmlspecialchars($username)) - ); - break; - case "verify": - $role = ""; - $tokenData = json_decode($_data['token']); - $clientDataJSON = base64_decode($tokenData->clientDataJSON); - $authenticatorData = base64_decode($tokenData->authenticatorData); - $signature = base64_decode($tokenData->signature); - $id = base64_decode($tokenData->id); - $challenge = $_SESSION['challenge']; - $process_fido2 = fido2(array("action" => "get_by_b64cid", "cid" => $tokenData->id)); - if ($process_fido2['pub_key'] === false) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array("fido2_login", $_data['user'], $process_fido2['username']), - 'msg' => "login_failed" - ); - return false; - } - try { - $WebAuthn->processGet($clientDataJSON, $authenticatorData, $signature, $process_fido2['pub_key'], $challenge, null, $GLOBALS['FIDO2_UV_FLAG_LOGIN'], $GLOBALS['FIDO2_USER_PRESENT_FLAG']); - } - catch (Throwable $ex) { - unset($process_fido2); - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array("fido2_login", $_data['user'], $process_fido2['username'], $ex->getMessage()), - 'msg' => "login_failed" - ); - return false; - } - $return = new stdClass(); - $return->success = true; - $stmt = $pdo->prepare("SELECT `superadmin` FROM `admin` WHERE `username` = :username"); - $stmt->execute(array(':username' => $process_fido2['username'])); - $obj_props = $stmt->fetch(PDO::FETCH_ASSOC); - if ($obj_props['superadmin'] === 1 && (!$_data['user'] || $_data['user'] == "admin")) { - $role = "admin"; - } - elseif ($obj_props['superadmin'] === 0 && (!$_data['user'] || $_data['user'] == "domainadmin")) { - $role = "domainadmin"; - } - elseif (!isset($obj_props['superadmin']) && (!$_data['user'] || $_data['user'] == "user")) { - $stmt = $pdo->prepare("SELECT `username` FROM `mailbox` WHERE `username` = :username"); - $stmt->execute(array(':username' => $process_fido2['username'])); - $row = $stmt->fetch(PDO::FETCH_ASSOC); - if ($row['username'] == $process_fido2['username']) { - $role = "user"; - } - } - else { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array("fido2_login", $_data['user'], $process_fido2['username']), - 'msg' => 'login_failed' - ); - return false; - } - if (empty($role)) { - session_unset(); - session_destroy(); - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array("fido2_login", $_data['user'], $process_fido2['username']), - 'msg' => 'login_failed' - ); - return false; - } - unset($_SESSION["challenge"]); - $_SESSION['return'][] = array( - 'type' => 'success', - 'log' => array("fido2_login", $_data['user'], $process_fido2['username']), - 'msg' => array('logged_in_as', $process_fido2['username']) - ); - return array( - "role" => $role, - "username" => $process_fido2['username'], - "cid" => $process_fido2['cid'] - ); - break; - } -} -function unset_tfa_key($_data) { - // Can only unset own keys - // Needs at least one key left - global $pdo; - global $lang; - $_data_log = $_data; - $access_denied = null; - $id = intval($_data['unset_tfa_key']); - $username = $_SESSION['mailcow_cc_username']; - - // check for empty user and role - if (!isset($_SESSION['mailcow_cc_role']) || empty($username)) $access_denied = true; - - try { - if (!is_numeric($id)) $access_denied = true; - - // set access_denied error - if ($access_denied){ - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_data_log), - 'msg' => 'access_denied' - ); - return false; - } - - // check if it's last key - $stmt = $pdo->prepare("SELECT COUNT(*) AS `keys` FROM `tfa` - WHERE `username` = :username AND `active` = '1'"); - $stmt->execute(array(':username' => $username)); - $row = $stmt->fetch(PDO::FETCH_ASSOC); - if ($row['keys'] == "1") { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_data_log), - 'msg' => 'last_key' - ); - return false; - } - - // delete key - $stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `username` = :username AND `id` = :id"); - $stmt->execute(array(':username' => $username, ':id' => $id)); - $_SESSION['return'][] = array( - 'type' => 'success', - 'log' => array(__FUNCTION__, $_data_log), - 'msg' => array('object_modified', $username) - ); - } - catch (PDOException $e) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_data_log), - 'msg' => array('mysql_error', $e) - ); - return false; - } -} -function get_tfa($username = null, $id = null) { - global $pdo; - if (empty($username) && isset($_SESSION['mailcow_cc_username'])) { - $username = $_SESSION['mailcow_cc_username']; - } - elseif (empty($username)) { - return false; - } - - if (!isset($id)){ - // fetch all tfa methods - just get information about possible authenticators - $stmt = $pdo->prepare("SELECT `id`, `key_id`, `authmech` FROM `tfa` - WHERE `username` = :username AND `active` = '1'"); - $stmt->execute(array(':username' => $username)); - $results = $stmt->fetchAll(PDO::FETCH_ASSOC); - - // no tfa methods found - if (count($results) == 0) { - $data['name'] = 'none'; - $data['pretty'] = "-"; - $data['additional'] = array(); - return $data; - } - - $data['additional'] = $results; - return $data; - } else { - // fetch specific authenticator details by id - $stmt = $pdo->prepare("SELECT * FROM `tfa` - WHERE `username` = :username AND `id` = :id AND `active` = '1'"); - $stmt->execute(array(':username' => $username, ':id' => $id)); - $row = $stmt->fetch(PDO::FETCH_ASSOC); - - if (isset($row["authmech"])) { - switch ($row["authmech"]) { - case "yubi_otp": - $data['name'] = "yubi_otp"; - $data['pretty'] = "Yubico OTP"; - $stmt = $pdo->prepare("SELECT `id`, `key_id`, RIGHT(`secret`, 12) AS 'modhex' FROM `tfa` WHERE `authmech` = 'yubi_otp' AND `username` = :username AND `id` = :id"); - $stmt->execute(array( - ':username' => $username, - ':id' => $id - )); - $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); - while($row = array_shift($rows)) { - $data['additional'][] = $row; - } - return $data; - break; - // u2f - deprecated, should be removed - case "u2f": - $data['name'] = "u2f"; - $data['pretty'] = "Fido U2F"; - $stmt = $pdo->prepare("SELECT `id`, `key_id` FROM `tfa` WHERE `authmech` = 'u2f' AND `username` = :username AND `id` = :id"); - $stmt->execute(array( - ':username' => $username, - ':id' => $id - )); - $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); - while($row = array_shift($rows)) { - $data['additional'][] = $row; - } - return $data; - break; - case "hotp": - $data['name'] = "hotp"; - $data['pretty'] = "HMAC-based OTP"; - return $data; - break; - case "totp": - $data['name'] = "totp"; - $data['pretty'] = "Time-based OTP"; - $stmt = $pdo->prepare("SELECT `id`, `key_id`, `secret` FROM `tfa` WHERE `authmech` = 'totp' AND `username` = :username AND `id` = :id"); - $stmt->execute(array( - ':username' => $username, - ':id' => $id - )); - $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); - while($row = array_shift($rows)) { - $data['additional'][] = $row; - } - return $data; - break; - case "webauthn": - $data['name'] = "webauthn"; - $data['pretty'] = "WebAuthn"; - $stmt = $pdo->prepare("SELECT `id`, `key_id` FROM `tfa` WHERE `authmech` = 'webauthn' AND `username` = :username AND `id` = :id"); - $stmt->execute(array( - ':username' => $username, - ':id' => $id - )); - $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); - while($row = array_shift($rows)) { - $data['additional'][] = $row; - } - return $data; - break; - default: - $data['name'] = 'none'; - $data['pretty'] = "-"; - return $data; - break; - } - } - else { - $data['name'] = 'none'; - $data['pretty'] = "-"; - return $data; - } - } -} -function verify_tfa_login($username, $_data) { - global $pdo; - global $yubi; - global $u2f; - global $tfa; - global $WebAuthn; - - if ($_data['tfa_method'] != 'u2f'){ - - switch ($_data["tfa_method"]) { - case "yubi_otp": - if (!ctype_alnum($_data['token']) || strlen($_data['token']) != 44) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $username, '*'), - 'msg' => array('yotp_verification_failed', 'token length error') - ); - return false; - } - $yubico_modhex_id = substr($_data['token'], 0, 12); - $stmt = $pdo->prepare("SELECT `id`, `secret` FROM `tfa` - WHERE `username` = :username - AND `authmech` = 'yubi_otp' - AND `active` = '1' - AND `secret` LIKE :modhex"); - $stmt->execute(array(':username' => $username, ':modhex' => '%' . $yubico_modhex_id)); - $row = $stmt->fetch(PDO::FETCH_ASSOC); - $yubico_auth = explode(':', $row['secret']); - $yubi = new Auth_Yubico($yubico_auth[0], $yubico_auth[1]); - $yauth = $yubi->verify($_data['token']); - if (PEAR::isError($yauth)) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $username, '*'), - 'msg' => array('yotp_verification_failed', $yauth->getMessage()) - ); - return false; - } - else { - $_SESSION['tfa_id'] = $row['id']; - $_SESSION['return'][] = array( - 'type' => 'success', - 'log' => array(__FUNCTION__, $username, '*'), - 'msg' => 'verified_yotp_login' - ); - return true; - } - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $username, '*'), - 'msg' => array('yotp_verification_failed', 'unknown') - ); - return false; - break; - case "hotp": - return false; - break; - case "totp": - try { - $stmt = $pdo->prepare("SELECT `id`, `secret` FROM `tfa` - WHERE `username` = :username - AND `authmech` = 'totp' - AND `id` = :id - AND `active`='1'"); - $stmt->execute(array(':username' => $username, ':id' => $_data['id'])); - $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); - foreach ($rows as $row) { - if ($tfa->verifyCode($row['secret'], $_data['token']) === true) { - $_SESSION['tfa_id'] = $row['id']; - $_SESSION['return'][] = array( - 'type' => 'success', - 'log' => array(__FUNCTION__, $username, '*'), - 'msg' => 'verified_totp_login' - ); - return true; - } - } - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $username, '*'), - 'msg' => 'totp_verification_failed' - ); - return false; - } - catch (PDOException $e) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $username, '*'), - 'msg' => array('mysql_error', $e) - ); - return false; - } - break; - case "webauthn": - $tokenData = json_decode($_data['token']); - $clientDataJSON = base64_decode($tokenData->clientDataJSON); - $authenticatorData = base64_decode($tokenData->authenticatorData); - $signature = base64_decode($tokenData->signature); - $id = base64_decode($tokenData->id); - $challenge = $_SESSION['challenge']; - - $stmt = $pdo->prepare("SELECT `id`, `key_id`, `keyHandle`, `username`, `publicKey` FROM `tfa` WHERE `id` = :id AND `active`='1'"); - $stmt->execute(array(':id' => $_data['id'])); - $process_webauthn = $stmt->fetch(PDO::FETCH_ASSOC); - - if (empty($process_webauthn)){ - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $username, '*'), - 'msg' => array('webauthn_authenticator_failed') - ); - return false; - } - - if (empty($process_webauthn['publicKey']) || $process_webauthn['publicKey'] === false) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $username, '*'), - 'msg' => array('webauthn_publickey_failed') - ); - return false; - } - - if ($process_webauthn['username'] != $_SESSION['pending_mailcow_cc_username']){ - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $username, '*'), - 'msg' => array('webauthn_username_failed') - ); - return false; - } - - try { - $WebAuthn->processGet($clientDataJSON, $authenticatorData, $signature, $process_webauthn['publicKey'], $challenge, null, $GLOBALS['WEBAUTHN_UV_FLAG_LOGIN'], $GLOBALS['WEBAUTHN_USER_PRESENT_FLAG']); - } - catch (Throwable $ex) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $username, '*'), - 'msg' => array('webauthn_verification_failed', $ex->getMessage()) - ); - return false; - } - - $stmt = $pdo->prepare("SELECT `superadmin` FROM `admin` WHERE `username` = :username"); - $stmt->execute(array(':username' => $process_webauthn['username'])); - $obj_props = $stmt->fetch(PDO::FETCH_ASSOC); - if ($obj_props['superadmin'] === 1) { - $_SESSION["mailcow_cc_role"] = "admin"; - } - elseif ($obj_props['superadmin'] === 0) { - $_SESSION["mailcow_cc_role"] = "domainadmin"; - } - else { - $stmt = $pdo->prepare("SELECT `username` FROM `mailbox` WHERE `username` = :username"); - $stmt->execute(array(':username' => $process_webauthn['username'])); - $row = $stmt->fetch(PDO::FETCH_ASSOC); - if (!empty($row['username'])) { - $_SESSION["mailcow_cc_role"] = "user"; - } else { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $username, '*'), - 'msg' => array('webauthn_role_failed') - ); - return false; - } - } - - $_SESSION["mailcow_cc_username"] = $process_webauthn['username']; - $_SESSION['tfa_id'] = $process_webauthn['id']; - $_SESSION['authReq'] = null; - unset($_SESSION["challenge"]); - $_SESSION['return'][] = array( - 'type' => 'success', - 'log' => array("webauthn_login"), - 'msg' => array('logged_in_as', $process_webauthn['username']) - ); - return true; - break; - default: - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $username, '*'), - 'msg' => 'unknown_tfa_method' - ); - return false; - break; - } - - return false; - } else { - // delete old keys that used u2f - $stmt = $pdo->prepare("SELECT * FROM `tfa` WHERE `authmech` = 'u2f' AND `username` = :username"); - $stmt->execute(array(':username' => $username)); - $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); - if (count($rows) == 0) return false; - - $stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `authmech` = 'u2f' AND `username` = :username"); - $stmt->execute(array(':username' => $username)); - return true; - } -} -function admin_api($access, $action, $data = null) { - global $pdo; - if ($_SESSION['mailcow_cc_role'] != "admin") { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__), - 'msg' => 'access_denied' - ); - return false; - } - if ($access !== "ro" && $access !== "rw") { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__), - 'msg' => 'invalid access type' - ); - return false; - } - if ($action == "edit") { - $active = (!empty($data['active'])) ? 1 : 0; - $skip_ip_check = (isset($data['skip_ip_check'])) ? 1 : 0; - $allow_from = array(); - if (isset($data['allow_from'])) { - $allow_from = array_map('trim', preg_split( "/( |,|;|\n)/", $data['allow_from'])); - } - foreach ($allow_from as $key => $val) { - if (empty($val)) { - unset($allow_from[$key]); - continue; - } - if (valid_network($val) !== true) { - $_SESSION['return'][] = array( - 'type' => 'warning', - 'log' => array(__FUNCTION__, $data), - 'msg' => array('ip_invalid', htmlspecialchars($allow_from[$key])) - ); - unset($allow_from[$key]); - continue; - } - } - $allow_from = implode(',', array_unique(array_filter($allow_from))); - if (empty($allow_from) && $skip_ip_check == 0) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $data), - 'msg' => 'ip_list_empty' - ); - return false; - } - $api_key = implode('-', array( - strtoupper(bin2hex(random_bytes(3))), - strtoupper(bin2hex(random_bytes(3))), - strtoupper(bin2hex(random_bytes(3))), - strtoupper(bin2hex(random_bytes(3))), - strtoupper(bin2hex(random_bytes(3))) - )); - $stmt = $pdo->query("SELECT `api_key` FROM `api` WHERE `access` = '" . $access . "'"); - $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC)); - if (empty($num_results)) { - $stmt = $pdo->prepare("INSERT INTO `api` (`api_key`, `skip_ip_check`, `active`, `allow_from`, `access`) - VALUES (:api_key, :skip_ip_check, :active, :allow_from, :access);"); - $stmt->execute(array( - ':api_key' => $api_key, - ':skip_ip_check' => $skip_ip_check, - ':active' => $active, - ':allow_from' => $allow_from, - ':access' => $access - )); - } - else { - if ($skip_ip_check == 0) { - $stmt = $pdo->prepare("UPDATE `api` SET `skip_ip_check` = :skip_ip_check, - `active` = :active, - `allow_from` = :allow_from - WHERE `access` = :access;"); - $stmt->execute(array( - ':active' => $active, - ':skip_ip_check' => $skip_ip_check, - ':allow_from' => $allow_from, - ':access' => $access - )); - } - else { - $stmt = $pdo->prepare("UPDATE `api` SET `skip_ip_check` = :skip_ip_check, - `active` = :active - WHERE `access` = :access;"); - $stmt->execute(array( - ':active' => $active, - ':skip_ip_check' => $skip_ip_check, - ':access' => $access - )); - } - } - } - elseif ($action == "regen_key") { - $api_key = implode('-', array( - strtoupper(bin2hex(random_bytes(3))), - strtoupper(bin2hex(random_bytes(3))), - strtoupper(bin2hex(random_bytes(3))), - strtoupper(bin2hex(random_bytes(3))), - strtoupper(bin2hex(random_bytes(3))) - )); - $stmt = $pdo->prepare("UPDATE `api` SET `api_key` = :api_key WHERE `access` = :access"); - $stmt->execute(array( - ':api_key' => $api_key, - ':access' => $access - )); - } - elseif ($action == "get") { - $stmt = $pdo->query("SELECT * FROM `api` WHERE `access` = '" . $access . "'"); - $apidata = $stmt->fetch(PDO::FETCH_ASSOC); - if ($apidata !== false) { - $apidata['allow_from'] = str_replace(',', PHP_EOL, $apidata['allow_from']); - } - return $apidata; - } - $_SESSION['return'][] = array( - 'type' => 'success', - 'log' => array(__FUNCTION__, $data), - 'msg' => 'admin_api_modified' - ); -} -function license($action, $data = null) { - global $pdo; - global $redis; - global $lang; - if ($_SESSION['mailcow_cc_role'] != "admin") { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__), - 'msg' => 'access_denied' - ); - return false; - } - switch ($action) { - case "verify": - // Keep result until revalidate button is pressed or session expired - $stmt = $pdo->query("SELECT `version` FROM `versions` WHERE `application` = 'GUID'"); - $versions = $stmt->fetch(PDO::FETCH_ASSOC); - $post = array('guid' => $versions['version']); - $curl = curl_init('https://verify.mailcow.email'); - curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); - curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 10); - curl_setopt($curl, CURLOPT_POSTFIELDS, $post); - $response = curl_exec($curl); - curl_close($curl); - $json_return = json_decode($response, true); - if ($response && $json_return) { - if ($json_return['response'] === "ok") { - $_SESSION['gal']['valid'] = "true"; - $_SESSION['gal']['c'] = $json_return['c']; - $_SESSION['gal']['s'] = $json_return['s']; - if ($json_return['m'] == 'NoMoore') { - $_SESSION['gal']['m'] = '🐄'; - } - else { - $_SESSION['gal']['m'] = str_repeat('🐄', substr_count($json_return['m'], 'o')); - } - } - elseif ($json_return['response'] === "invalid") { - $_SESSION['gal']['valid'] = "false"; - $_SESSION['gal']['c'] = $lang['mailbox']['no']; - $_SESSION['gal']['s'] = $lang['mailbox']['no']; - $_SESSION['gal']['m'] = $lang['mailbox']['no']; - } - } - else { - $_SESSION['gal']['valid'] = "false"; - $_SESSION['gal']['c'] = $lang['danger']['temp_error']; - $_SESSION['gal']['s'] = $lang['danger']['temp_error']; - $_SESSION['gal']['m'] = $lang['danger']['temp_error']; - } - try { - // json_encode needs "true"/"false" instead of true/false, to not encode it to 0 or 1 - $redis->Set('LICENSE_STATUS_CACHE', json_encode($_SESSION['gal'])); - } - catch (RedisException $e) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_action, $_data_log), - 'msg' => array('redis_error', $e) - ); - return false; - } - return $_SESSION['gal']['valid']; - break; - case "guid": - $stmt = $pdo->query("SELECT `version` FROM `versions` WHERE `application` = 'GUID'"); - $versions = $stmt->fetch(PDO::FETCH_ASSOC); - return $versions['version']; - break; - } -} -function rspamd_ui($action, $data = null) { - if ($_SESSION['mailcow_cc_role'] != "admin") { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__), - 'msg' => 'access_denied' - ); - return false; - } - switch ($action) { - case "edit": - $rspamd_ui_pass = $data['rspamd_ui_pass']; - $rspamd_ui_pass2 = $data['rspamd_ui_pass2']; - if (empty($rspamd_ui_pass) || empty($rspamd_ui_pass2)) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, '*', '*'), - 'msg' => 'password_empty' - ); - return false; - } - if ($rspamd_ui_pass != $rspamd_ui_pass2) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, '*', '*'), - 'msg' => 'password_mismatch' - ); - return false; - } - if (strlen($rspamd_ui_pass) < 6) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, '*', '*'), - 'msg' => 'rspamd_ui_pw_length' - ); - return false; - } - $docker_return = docker('post', 'rspamd-mailcow', 'exec', array('cmd' => 'rspamd', 'task' => 'worker_password', 'raw' => $rspamd_ui_pass), array('Content-Type: application/json')); - if ($docker_return_array = json_decode($docker_return, true)) { - if ($docker_return_array['type'] == 'success') { - $_SESSION['return'][] = array( - 'type' => 'success', - 'log' => array(__FUNCTION__, '*', '*'), - 'msg' => 'rspamd_ui_pw_set' - ); - return true; - } - else { - $_SESSION['return'][] = array( - 'type' => $docker_return_array['type'], - 'log' => array(__FUNCTION__, '*', '*'), - 'msg' => $docker_return_array['msg'] - ); - return false; - } - } - else { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, '*', '*'), - 'msg' => 'unknown' - ); - return false; - } - break; - } -} -function cors($action, $data = null) { - global $redis; - - switch ($action) { - case "edit": - if ($_SESSION['mailcow_cc_role'] != "admin") { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $action, $data), - 'msg' => 'access_denied' - ); - return false; - } - - $allowed_origins = isset($data['allowed_origins']) ? $data['allowed_origins'] : array($_SERVER['SERVER_NAME']); - $allowed_origins = !is_array($allowed_origins) ? array_filter(array_map('trim', explode("\n", $allowed_origins))) : $allowed_origins; - foreach ($allowed_origins as $origin) { - if (!filter_var($origin, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) && $origin != '*') { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $action, $data), - 'msg' => 'cors_invalid_origin' - ); - return false; - } - } - - $allowed_methods = isset($data['allowed_methods']) ? $data['allowed_methods'] : array('GET', 'POST', 'PUT', 'DELETE'); - $allowed_methods = !is_array($allowed_methods) ? array_map('trim', preg_split( "/( |,|;|\n)/", $allowed_methods)) : $allowed_methods; - $available_methods = array('GET', 'POST', 'PUT', 'DELETE'); - foreach ($allowed_methods as $method) { - if (!in_array($method, $available_methods)) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $action, $data), - 'msg' => 'cors_invalid_method' - ); - return false; - } - } - - try { - $redis->hMSet('CORS_SETTINGS', array( - 'allowed_origins' => implode(', ', $allowed_origins), - 'allowed_methods' => implode(', ', $allowed_methods) - )); - } catch (RedisException $e) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $action, $data), - 'msg' => array('redis_error', $e) - ); - return false; - } - - $_SESSION['return'][] = array( - 'type' => 'success', - 'log' => array(__FUNCTION__, $action, $data), - 'msg' => 'cors_headers_edited' - ); - return true; - break; - case "get": - try { - $cors_settings = $redis->hMGet('CORS_SETTINGS', array('allowed_origins', 'allowed_methods')); - } catch (RedisException $e) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $action, $data), - 'msg' => array('redis_error', $e) - ); - } - - $cors_settings = !$cors_settings ? array('allowed_origins' => $_SERVER['SERVER_NAME'], 'allowed_methods' => 'GET, POST, PUT, DELETE') : $cors_settings; - $cors_settings['allowed_origins'] = empty($cors_settings['allowed_origins']) ? $_SERVER['SERVER_NAME'] : $cors_settings['allowed_origins']; - $cors_settings['allowed_methods'] = empty($cors_settings['allowed_methods']) ? 'GET, POST, PUT, DELETE, OPTION' : $cors_settings['allowed_methods']; - - return $cors_settings; - break; - case "set_headers": - $cors_settings = cors('get'); - // check if requested origin is in allowed origins - $allowed_origins = explode(', ', $cors_settings['allowed_origins']); - $cors_settings['allowed_origins'] = $allowed_origins[0]; - if (in_array('*', $allowed_origins)){ - $cors_settings['allowed_origins'] = '*'; - } else if (array_key_exists('HTTP_ORIGIN', $_SERVER) && in_array($_SERVER['HTTP_ORIGIN'], $allowed_origins)) { - $cors_settings['allowed_origins'] = $_SERVER['HTTP_ORIGIN']; - } - // always allow OPTIONS for preflight request - $cors_settings["allowed_methods"] = empty($cors_settings["allowed_methods"]) ? 'OPTIONS' : $cors_settings["allowed_methods"] . ', ' . 'OPTIONS'; - - header('Access-Control-Allow-Origin: ' . $cors_settings['allowed_origins']); - header('Access-Control-Allow-Methods: '. $cors_settings['allowed_methods']); - header('Access-Control-Allow-Headers: Accept, Content-Type, X-Api-Key, Origin'); - - // Access-Control settings requested, this is just a preflight request - if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS' && - isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']) && - isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'])) { - - $allowed_methods = explode(', ', $cors_settings["allowed_methods"]); - if (in_array($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD'], $allowed_methods, true)) - // method allowed send 200 OK - http_response_code(200); - else - // method not allowed send 405 METHOD NOT ALLOWED - http_response_code(405); - - exit; - } - break; - } -} -function getBaseURL($protocol = null) { - // Get current server name - $host = strtolower($_SERVER['SERVER_NAME']); - - // craft allowed server name list - $mailcow_hostname = strtolower(getenv("MAILCOW_HOSTNAME")); - $additional_server_names = strtolower(getenv("ADDITIONAL_SERVER_NAMES")) ?: ""; - $additional_server_names = preg_replace('/\s+/', '', $additional_server_names); - $allowed_server_names = $additional_server_names !== "" ? explode(',', $additional_server_names) : array(); - array_push($allowed_server_names, $mailcow_hostname); - - // Fallback to MAILCOW HOSTNAME if current server name is not in allowed list - if (!in_array($host, $allowed_server_names)) { - $host = $mailcow_hostname; - } - - if (!isset($protocol)) { - $protocol = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? 'https' : 'http'; - } - $base_url = $protocol . '://' . $host; - - return $base_url; -} -function uuid4() { - $data = openssl_random_pseudo_bytes(16); - - $data[6] = chr(ord($data[6]) & 0x0f | 0x40); - $data[8] = chr(ord($data[8]) & 0x3f | 0x80); - - return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($data), 4)); -} -function identity_provider($_action = null, $_data = null, $_extra = null) { - global $pdo; - global $iam_provider; - global $iam_settings; - - $data_log = $_data; - if (isset($data_log['client_secret'])) $data_log['client_secret'] = '*'; - if (isset($data_log['access_token'])) $data_log['access_token'] = '*'; - - switch ($_action) { - case 'get': - $settings = array(); - $stmt = $pdo->prepare("SELECT * FROM `identity_provider`;"); - $stmt->execute(); - $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); - foreach($rows as $row){ - switch ($row["key"]) { - case "redirect_url_extra": - case "mappers": - case "templates": - $settings[$row["key"]] = json_decode($row["value"]); - break; - case "use_ssl": - case "use_tls": - case "login_provisioning": - case "ignore_ssl_errors": - $settings[$row["key"]] = boolval($row["value"]); - break; - default: - $settings[$row["key"]] = $row["value"]; - break; - } - } - // set login_provisioning if not exists - if (!array_key_exists('login_provisioning', $settings)) { - $settings['login_provisioning'] = 1; - } - // return default client_scopes for generic-oidc if none is set - if ($settings["authsource"] == "generic-oidc" && empty($settings["client_scopes"])){ - $settings["client_scopes"] = "openid profile email mailcow_template"; - } - if ($_extra['hide_sensitive']){ - $settings['client_secret'] = ''; - $settings['access_token'] = ''; - } - // return default ldap options - if ($settings["authsource"] == "ldap"){ - $settings['use_ssl'] = !isset($settings['use_ssl']) ? false : $settings['use_ssl']; - $settings['use_tls'] = !isset($settings['use_tls']) ? false : $settings['use_tls']; - $settings['ignore_ssl_errors'] = !isset($settings['ignore_ssl_errors']) ? false : $settings['ignore_ssl_errors']; - } - return $settings; - break; - case 'edit': - if ($_SESSION['mailcow_cc_role'] != "admin") { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_action, $_data), - 'msg' => 'access_denied' - ); - return false; - } - if (!isset($_data['authsource'])){ - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_action, $data_log), - 'msg' => array('required_data_missing', '') - ); - return false; - } - - $available_authsources = array( - "keycloak", - "generic-oidc", - "ldap" - ); - $_data['authsource'] = strtolower($_data['authsource']); - if (!in_array($_data['authsource'], $available_authsources)){ - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_action, $data_log), - 'msg' => array('invalid_authsource', $setting) - ); - return false; - } - - $stmt = $pdo->prepare("SELECT * FROM `mailbox` - WHERE `authsource` != 'mailcow' - AND `authsource` IS NOT NULL - AND `authsource` != :authsource"); - $stmt->execute(array(':authsource' => $_data['authsource'])); - $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); - if ($rows) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_action, $data_log), - 'msg' => array('authsource_in_use', $setting) - ); - return false; - } - - $_data['ignore_ssl_error'] = isset($_data['ignore_ssl_error']) ? boolval($_data['ignore_ssl_error']) : false; - $_data['login_provisioning'] = isset($_data['login_provisioning']) ? boolval($_data['login_provisioning']) : false; - switch ($_data['authsource']) { - case "keycloak": - $_data['server_url'] = (!empty($_data['server_url'])) ? rtrim($_data['server_url'], '/') : null; - $_data['mailpassword_flow'] = isset($_data['mailpassword_flow']) ? intval($_data['mailpassword_flow']) : 0; - $_data['periodic_sync'] = isset($_data['periodic_sync']) ? intval($_data['periodic_sync']) : 0; - $_data['import_users'] = isset($_data['import_users']) ? intval($_data['import_users']) : 0; - $_data['sync_interval'] = (!empty($_data['sync_interval'])) ? intval($_data['sync_interval']) : 15; - $_data['sync_interval'] = $_data['sync_interval'] < 1 ? 1 : $_data['sync_interval']; - $required_settings = array('authsource', 'server_url', 'realm', 'client_id', 'client_secret', 'redirect_url', 'version', 'mailpassword_flow', 'periodic_sync', 'import_users', 'sync_interval', 'ignore_ssl_error', 'login_provisioning'); - break; - case "generic-oidc": - $_data['authorize_url'] = (!empty($_data['authorize_url'])) ? $_data['authorize_url'] : null; - $_data['token_url'] = (!empty($_data['token_url'])) ? $_data['token_url'] : null; - $_data['userinfo_url'] = (!empty($_data['userinfo_url'])) ? $_data['userinfo_url'] : null; - $_data['client_scopes'] = (!empty($_data['client_scopes'])) ? $_data['client_scopes'] : "openid profile email mailcow_template"; - $required_settings = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url', 'client_scopes', 'ignore_ssl_error', 'login_provisioning'); - break; - case "ldap": - $_data['host'] = (!empty($_data['host'])) ? str_replace(" ", "", $_data['host']) : ""; - $_data['port'] = (!empty($_data['port'])) ? intval($_data['port']) : 389; - $_data['username_field'] = (!empty($_data['username_field'])) ? strtolower($_data['username_field']) : "mail"; - $_data['attribute_field'] = (!empty($_data['attribute_field'])) ? strtolower($_data['attribute_field']) : ""; - $_data['filter'] = (!empty($_data['filter'])) ? $_data['filter'] : ""; - $_data['periodic_sync'] = isset($_data['periodic_sync']) ? intval($_data['periodic_sync']) : 0; - $_data['import_users'] = isset($_data['import_users']) ? intval($_data['import_users']) : 0; - $_data['use_ssl'] = isset($_data['use_ssl']) ? boolval($_data['use_ssl']) : false; - $_data['use_tls'] = isset($_data['use_tls']) && !$_data['use_ssl'] ? boolval($_data['use_tls']) : false; - $_data['sync_interval'] = (!empty($_data['sync_interval'])) ? intval($_data['sync_interval']) : 15; - $_data['sync_interval'] = $_data['sync_interval'] < 1 ? 1 : $_data['sync_interval']; - $required_settings = array('authsource', 'host', 'port', 'basedn', 'username_field', 'filter', 'attribute_field', 'binddn', 'bindpass', 'periodic_sync', 'import_users', 'sync_interval', 'use_ssl', 'use_tls', 'ignore_ssl_error', 'login_provisioning'); - break; - } - - $pdo->beginTransaction(); - $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES (:key, :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);"); - // add connection settings - foreach($required_settings as $setting){ - if (!isset($_data[$setting])){ - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_action, $data_log), - 'msg' => array('required_data_missing', $setting) - ); - $pdo->rollback(); - return false; - } - - $stmt->bindParam(':key', $setting); - $stmt->bindParam(':value', $_data[$setting]); - $stmt->execute(); - } - $pdo->commit(); - - // add redirect_url_extra - if (isset($_data['redirect_url_extra'])){ - $_data['redirect_url_extra'] = (!is_array($_data['redirect_url_extra'])) ? array($_data['redirect_url_extra']) : $_data['redirect_url_extra']; - - $redirect_url_extra = array_filter($_data['redirect_url_extra']); - $redirect_url_extra = json_encode($redirect_url_extra); - - $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES ('redirect_url_extra', :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);"); - $stmt->bindParam(':value', $redirect_url_extra); - $stmt->execute(); - } - - // add default template - if (isset($_data['default_template'])) { - $_data['default_template'] = (empty($_data['default_template'])) ? "" : $_data['default_template']; - $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES ('default_template', :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);"); - $stmt->bindParam(':value', $_data['default_template']); - $stmt->execute(); - } - - // add mappers - if (isset($_data['mappers']) && isset($_data['templates'])){ - $_data['mappers'] = (!is_array($_data['mappers'])) ? array($_data['mappers']) : $_data['mappers']; - $_data['templates'] = (!is_array($_data['templates'])) ? array($_data['templates']) : $_data['templates']; - - $mappers = array_filter($_data['mappers']); - $templates = array_filter($_data['templates']); - if (count($mappers) == count($templates)){ - $mappers = json_encode($mappers); - $templates = json_encode($templates); - - $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES ('mappers', :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);"); - $stmt->bindParam(':value', $mappers); - $stmt->execute(); - $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES ('templates', :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);"); - $stmt->bindParam(':value', $templates); - $stmt->execute(); - } - } - - // delete old access_token - $stmt = $pdo->query("INSERT INTO identity_provider (`key`, `value`) VALUES ('access_token', '') ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);"); - - $_SESSION['return'][] = array( - 'type' => 'success', - 'log' => array(__FUNCTION__, $_action, $data_log), - 'msg' => array('object_modified', '') - ); - return true; - break; - case 'test': - if ($_SESSION['mailcow_cc_role'] != "admin") { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_action, $_data), - 'msg' => 'access_denied' - ); - return false; - } - - switch ($_data['authsource']) { - case 'keycloak': - $url = "{$_data['server_url']}/realms/{$_data['realm']}/protocol/openid-connect/token"; - $req = http_build_query(array( - 'grant_type' => 'client_credentials', - 'client_id' => $_data['client_id'], - 'client_secret' => $_data['client_secret'] - )); - $curl = curl_init(); - curl_setopt($curl, CURLOPT_URL, $url); - curl_setopt($curl, CURLOPT_TIMEOUT, 7); - curl_setopt($curl, CURLOPT_POST, 1); - curl_setopt($curl, CURLOPT_POSTFIELDS, $req); - curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded')); - curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); - if ($_data['ignore_ssl_error'] == "1"){ - curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false); - curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false); - } - $res = curl_exec($curl); - $code = curl_getinfo($curl, CURLINFO_HTTP_CODE); - curl_close ($curl); - - if ($code != 200) { - return false; - } - break; - case 'generic-oidc': - $url = $_data['token_url']; - $curl = curl_init(); - curl_setopt($curl, CURLOPT_URL, $url); - curl_setopt($curl, CURLOPT_TIMEOUT, 7); - curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); - curl_setopt($curl, CURLOPT_CUSTOMREQUEST, "OPTIONS"); - if ($_data['ignore_ssl_error'] == "1"){ - curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false); - curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false); - } - $res = curl_exec($curl); - $code = curl_getinfo($curl, CURLINFO_HTTP_CODE); - curl_close ($curl); - - if ($code != 200) { - return false; - } - break; - case 'ldap': - if (!$_data['host'] || !$_data['port'] || !$_data['basedn'] || - !$_data['binddn'] || !$_data['bindpass']){ - return false; - } - $_data['use_ssl'] = isset($_data['use_ssl']) ? boolval($_data['use_ssl']) : false; - $_data['use_tls'] = isset($_data['use_tls']) && !$_data['use_ssl'] ? boolval($_data['use_tls']) : false; - $_data['ignore_ssl_error'] = isset($_data['ignore_ssl_error']) ? boolval($_data['ignore_ssl_error']) : false; - $options = array(); - if ($_data['ignore_ssl_error']) { - $options[LDAP_OPT_X_TLS_REQUIRE_CERT] = LDAP_OPT_X_TLS_NEVER; - } - $provider = new \LdapRecord\Connection([ - 'hosts' => explode(",", $_data['host']), - 'port' => $_data['port'], - 'base_dn' => $_data['basedn'], - 'username' => $_data['binddn'], - 'password' => $_data['bindpass'], - 'use_ssl' => $_data['use_ssl'], - 'use_tls' => $_data['use_tls'], - 'options' => $options - ]); - try { - $provider->connect(); - } catch (Throwable $e) { - return false; - } - break; - } - - return true; - break; - case "delete": - if ($_SESSION['mailcow_cc_role'] != "admin") { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_action, $_data), - 'msg' => 'access_denied' - ); - return false; - } - - $stmt = $pdo->query("SELECT * FROM `mailbox` - WHERE `authsource` != 'mailcow' - AND `authsource` IS NOT NULL"); - $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); - if ($rows) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_action, $data_log), - 'msg' => array('authsource_in_use', $setting) - ); - return false; - } - - $stmt = $pdo->query("DELETE FROM identity_provider;"); - - $_SESSION['return'][] = array( - 'type' => 'success', - 'log' => array(__FUNCTION__, $_action, $data_log), - 'msg' => array('item_deleted', '') - ); - return true; - break; - case "init": - $settings = identity_provider('get'); - $provider = null; - - switch ($settings['authsource']) { - case "keycloak": - if ($settings['server_url'] && $settings['realm'] && $settings['client_id'] && - $settings['client_secret'] && $settings['redirect_url'] && $settings['version']){ - $guzzyClient = new GuzzleHttp\Client([ - 'defaults' => [ - \GuzzleHttp\RequestOptions::CONNECT_TIMEOUT => 5, - \GuzzleHttp\RequestOptions::ALLOW_REDIRECTS => true], - \GuzzleHttp\RequestOptions::VERIFY => !$settings['ignore_ssl_error'], - ] - ); - $provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([ - 'authServerUrl' => $settings['server_url'], - 'realm' => $settings['realm'], - 'clientId' => $settings['client_id'], - 'clientSecret' => $settings['client_secret'], - 'redirectUri' => $settings['redirect_url'], - 'version' => $settings['version'], - // 'encryptionAlgorithm' => 'RS256', // optional - // 'encryptionKeyPath' => '../key.pem' // optional - // 'encryptionKey' => 'contents_of_key_or_certificate' // optional - ]); - $provider->setHttpClient($guzzyClient); - } - break; - case "generic-oidc": - if ($settings['client_id'] && $settings['client_secret'] && $settings['redirect_url'] && - $settings['authorize_url'] && $settings['token_url'] && $settings['userinfo_url']){ - $guzzyClient = new GuzzleHttp\Client([ - 'defaults' => [ - \GuzzleHttp\RequestOptions::CONNECT_TIMEOUT => 5, - \GuzzleHttp\RequestOptions::ALLOW_REDIRECTS => true], - \GuzzleHttp\RequestOptions::VERIFY => !$settings['ignore_ssl_error'], - ] - ); - $provider = new \League\OAuth2\Client\Provider\GenericProvider([ - 'clientId' => $settings['client_id'], - 'clientSecret' => $settings['client_secret'], - 'redirectUri' => $settings['redirect_url'], - 'urlAuthorize' => $settings['authorize_url'], - 'urlAccessToken' => $settings['token_url'], - 'urlResourceOwnerDetails' => $settings['userinfo_url'], - 'scopes' => $settings['client_scopes'] - ]); - $provider->setHttpClient($guzzyClient); - } - break; - case "ldap": - if ($settings['host'] && $settings['port'] && $settings['basedn'] && - $settings['binddn'] && $settings['bindpass']){ - $options = array(); - if ($settings['ignore_ssl_error']) { - $options[LDAP_OPT_X_TLS_REQUIRE_CERT] = LDAP_OPT_X_TLS_NEVER; - } - $provider = new \LdapRecord\Connection([ - 'hosts' => explode(",", $settings['host']), - 'port' => $settings['port'], - 'base_dn' => $settings['basedn'], - 'username' => $settings['binddn'], - 'password' => $settings['bindpass'], - 'use_ssl' => $settings['use_ssl'], - 'use_tls' => $settings['use_tls'], - 'options' => $options - ]); - try { - $provider->connect(); - } catch (Throwable $e) { - $provider = null; - } - } - break; - } - return $provider; - break; - case "verify-sso": - if ($iam_settings['authsource'] != 'keycloak' && $iam_settings['authsource'] != 'generic-oidc'){ - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, "no OIDC provider configured"), - 'msg' => 'login_failed' - ); - return false; - } - - try { - $token = $iam_provider->getAccessToken('authorization_code', ['code' => $_GET['code']]); - $plain_token = $token->getToken(); - $plain_refreshtoken = $token->getRefreshToken(); - $info = $iam_provider->getResourceOwner($token)->toArray(); - } catch (Throwable $e) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $e->getMessage()), - 'msg' => 'login_failed' - ); - return false; - } - // check if email address is given - if (empty($info['email'])) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, 'No email address found for user'), - 'msg' => 'login_failed' - ); - return false; - } - - // get mapped template - $user_template = $info['mailcow_template']; - $mapper_key = array_search($user_template, $iam_settings['mappers']); - - // token valid, get mailbox - $stmt = $pdo->prepare("SELECT - mailbox.*, - domain.active AS d_active - FROM `mailbox` - INNER JOIN domain on mailbox.domain = domain.domain - WHERE `kind` NOT REGEXP 'location|thing|group' - AND `username` = :user"); - $stmt->execute(array(':user' => $info['email'])); - $row = $stmt->fetch(PDO::FETCH_ASSOC); - if ($row){ - if (!in_array($row['authsource'], array("keycloak", "generic-oidc"))) { - clear_session(); - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $info['email'], "The user's authentication source is not of type OIDC"), - 'msg' => 'login_failed' - ); - return false; - } - if ($mapper_key !== false) { - // update user - $_SESSION['access_all_exception'] = '1'; - mailbox('edit', 'mailbox_from_template', array( - 'username' => $info['email'], - 'name' => $info['name'], - 'template' => $iam_settings['templates'][$mapper_key] - )); - $_SESSION['access_all_exception'] = '0'; - - // get updated row - $stmt = $pdo->prepare("SELECT - mailbox.*, - domain.active AS d_active - FROM `mailbox` - INNER JOIN domain on mailbox.domain = domain.domain - WHERE `kind` NOT REGEXP 'location|thing|group' - AND `username` = :user"); - $stmt->execute(array(':user' => $info['email'])); - $row = $stmt->fetch(PDO::FETCH_ASSOC); - } - if ($row['active'] != 1 || $row['d_active'] != 1) { - clear_session(); - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $info['email'], 'Domain or mailbox is inactive'), - 'msg' => 'login_failed' - ); - return false; - } - set_user_loggedin_session($info['email']); - $_SESSION['iam_token'] = $plain_token; - $_SESSION['iam_refresh_token'] = $plain_refreshtoken; - $_SESSION['return'][] = array( - 'type' => 'success', - 'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']), - 'msg' => array('logged_in_as', $_SESSION['mailcow_cc_username']) - ); - return true; - } - - // user doesn't exist, check if login provisioning is enabled - if (!$iam_settings['login_provisioning']){ - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, "Auto-create users on login is deactivated"), - 'msg' => 'login_failed' - ); - return false; - } - - if (empty($iam_settings['mappers']) || empty($user_template) || $mapper_key === false){ - if (!empty($iam_settings['default_template'])) { - $mbox_template = $iam_settings['default_template']; - } else { - clear_session(); - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $info['email'], 'No matching attribute mapping was found'), - 'msg' => 'login_failed' - ); - return false; - } - } else { - $mbox_template = $iam_settings['templates'][$mapper_key]; - } - - // create mailbox - $_SESSION['access_all_exception'] = '1'; - $create_res = mailbox('add', 'mailbox_from_template', array( - 'domain' => explode('@', $info['email'])[1], - 'local_part' => explode('@', $info['email'])[0], - 'name' => $info['name'], - 'authsource' => $iam_settings['authsource'], - 'template' => $mbox_template - )); - $_SESSION['access_all_exception'] = '0'; - if (!$create_res){ - clear_session(); - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $info['email'], 'Could not create mailbox on login'), - 'msg' => 'login_failed' - ); - return false; - } - - // double check if mailbox and domain is active - $stmt = $pdo->prepare("SELECT * FROM `mailbox` - INNER JOIN domain on mailbox.domain = domain.domain - WHERE `kind` NOT REGEXP 'location|thing|group' - AND `mailbox`.`active`='1' - AND `domain`.`active`='1' - AND `username` = :user"); - $stmt->execute(array(':user' => $info['email'])); - $row = $stmt->fetch(PDO::FETCH_ASSOC); - if (empty($row)) { - clear_session(); - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $info['email'], 'Domain or mailbox is inactive'), - 'msg' => 'login_failed' - ); - return false; - } - - set_user_loggedin_session($info['email']); - $_SESSION['iam_token'] = $plain_token; - $_SESSION['iam_refresh_token'] = $plain_refreshtoken; - $_SESSION['return'][] = array( - 'type' => 'success', - 'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']), - 'msg' => array('logged_in_as', $_SESSION['mailcow_cc_username']) - ); - return true; - break; - case "refresh-token": - try { - $token = $iam_provider->getAccessToken('refresh_token', ['refresh_token' => $_SESSION['iam_refresh_token']]); - $plain_token = $token->getToken(); - $plain_refreshtoken = $token->getRefreshToken(); - $info = $iam_provider->getResourceOwner($token)->toArray(); - } catch (Throwable $e) { - clear_session(); - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__), - 'msg' => array('refresh_login_failed', $e->getMessage()) - ); - return false; - } - - if (empty($info['email'])){ - clear_session(); - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']), - 'msg' => 'refresh_login_failed' - ); - return false; - } - - set_user_loggedin_session($info['email']); - $_SESSION['iam_token'] = $plain_token; - $_SESSION['iam_refresh_token'] = $plain_refreshtoken; - return true; - break; - case "get-redirect": - if ($iam_settings['authsource'] != 'keycloak' && $iam_settings['authsource'] != 'generic-oidc') - return false; - $options = []; - if (isset($iam_settings['redirect_url_extra'])) { - // check if the current domain is used in an extra redirect URL - $targetDomain = strtolower($_SERVER['HTTP_HOST']); - foreach ($iam_settings['redirect_url_extra'] as $testUrl) { - $testUrlParsed = parse_url($testUrl); - if (isset($testUrlParsed['host']) && strtolower($testUrlParsed['host']) == $targetDomain) { - $options['redirect_uri'] = $testUrl; - break; - } - } - } - $authUrl = $iam_provider->getAuthorizationUrl($options); - $_SESSION['oauth2state'] = $iam_provider->getState(); - return $authUrl; - break; - case "get-keycloak-admin-token": - // get access_token for service account of mailcow client - if ($iam_settings['authsource'] !== 'keycloak') return false; - if (isset($iam_settings['access_token'])) { - // check if access_token is valid - $url = "{$iam_settings['server_url']}/realms/{$iam_settings['realm']}/protocol/openid-connect/token/introspect"; - $req = http_build_query(array( - 'token' => $iam_settings['access_token'], - 'client_id' => $iam_settings['client_id'], - 'client_secret' => $iam_settings['client_secret'] - )); - $curl = curl_init(); - curl_setopt($curl, CURLOPT_URL, $url); - curl_setopt($curl, CURLOPT_TIMEOUT, 7); - curl_setopt($curl, CURLOPT_POST, 1); - curl_setopt($curl, CURLOPT_POSTFIELDS, $req); - curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded')); - curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); - curl_setopt($curl, CURLOPT_TIMEOUT, 5); - $res = json_decode(curl_exec($curl), true); - $code = curl_getinfo($curl, CURLINFO_HTTP_CODE); - curl_close ($curl); - if ($code == 200 && $res['active'] == true) { - // token is valid - return $iam_settings['access_token']; - } - } - - $url = "{$iam_settings['server_url']}/realms/{$iam_settings['realm']}/protocol/openid-connect/token"; - $req = http_build_query(array( - 'grant_type' => 'client_credentials', - 'client_id' => $iam_settings['client_id'], - 'client_secret' => $iam_settings['client_secret'] - )); - $curl = curl_init(); - curl_setopt($curl, CURLOPT_URL, $url); - curl_setopt($curl, CURLOPT_TIMEOUT, 7); - curl_setopt($curl, CURLOPT_POST, 1); - curl_setopt($curl, CURLOPT_POSTFIELDS, $req); - curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded')); - curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); - curl_setopt($curl, CURLOPT_TIMEOUT, 5); - $res = json_decode(curl_exec($curl), true); - $code = curl_getinfo($curl, CURLINFO_HTTP_CODE); - curl_close ($curl); - if ($code != 200) { - return false; - } - - $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES (:key, :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);"); - $stmt->execute(array( - ':key' => 'access_token', - ':value' => $res['access_token'] - )); - return $res['access_token']; - break; - } -} -function reset_password($action, $data = null) { - global $pdo; - global $redis; - global $mailcow_hostname; - global $PW_RESET_TOKEN_LIMIT; - global $PW_RESET_TOKEN_LIFETIME; - - $_data_log = $data; - if (isset($_data_log['new_password'])) $_data_log['new_password'] = '*'; - if (isset($_data_log['new_password2'])) $_data_log['new_password2'] = '*'; - - switch ($action) { - case 'check': - $token = $data; - - $stmt = $pdo->prepare("SELECT `t1`.`username` FROM `reset_password` AS `t1` JOIN `mailbox` AS `t2` ON `t1`.`username` = `t2`.`username` WHERE `t1`.`token` = :token AND `t1`.`created` > DATE_SUB(NOW(), INTERVAL :lifetime MINUTE) AND `t2`.`active` = 1 AND `t2`.`authsource` = 'mailcow';"); - $stmt->execute(array( - ':token' => preg_replace('/[^a-zA-Z0-9-]/', '', $token), - ':lifetime' => $PW_RESET_TOKEN_LIFETIME - )); - $return = $stmt->fetch(PDO::FETCH_ASSOC); - return empty($return['username']) ? false : $return['username']; - break; - case 'issue': - $username = $data; - - // perform cleanup - $stmt = $pdo->prepare("DELETE FROM `reset_password` WHERE created < DATE_SUB(NOW(), INTERVAL :lifetime MINUTE);"); - $stmt->execute(array(':lifetime' => $PW_RESET_TOKEN_LIFETIME)); - - if (filter_var($username, FILTER_VALIDATE_EMAIL) === false) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $action, $_data_log), - 'msg' => 'access_denied' - ); - return false; - } - - $pw_reset_notification = reset_password('get_notification', 'raw'); - if (!$pw_reset_notification) return false; - if (empty($pw_reset_notification['from']) || empty($pw_reset_notification['subject'])) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $action, $_data_log), - 'msg' => 'password_reset_na' - ); - return false; - } - - $stmt = $pdo->prepare("SELECT * FROM `mailbox` - WHERE `username` = :username AND authsource = 'mailcow'"); - $stmt->execute(array(':username' => $username)); - $mailbox_data = $stmt->fetch(PDO::FETCH_ASSOC); - - if (empty($mailbox_data)) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $action, $_data_log), - 'msg' => 'password_reset_invalid_user' - ); - return false; - } - - $mailbox_attr = json_decode($mailbox_data['attributes'], true); - if (empty($mailbox_attr['recovery_email']) || filter_var($mailbox_attr['recovery_email'], FILTER_VALIDATE_EMAIL) === false) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $action, $_data_log), - 'msg' => "password_reset_invalid_user" - ); - return false; - } - - $stmt = $pdo->prepare("SELECT * FROM `reset_password` - WHERE `username` = :username"); - $stmt->execute(array(':username' => $username)); - $generated_token_count = count($stmt->fetchAll(PDO::FETCH_ASSOC)); - if ($generated_token_count >= $PW_RESET_TOKEN_LIMIT) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $action, $_data_log), - 'msg' => "reset_token_limit_exceeded" - ); - return false; - } - - $token = implode('-', array( - strtoupper(bin2hex(random_bytes(3))), - strtoupper(bin2hex(random_bytes(3))), - strtoupper(bin2hex(random_bytes(3))), - strtoupper(bin2hex(random_bytes(3))), - strtoupper(bin2hex(random_bytes(3))) - )); - - $stmt = $pdo->prepare("INSERT INTO `reset_password` (`username`, `token`) - VALUES (:username, :token)"); - $stmt->execute(array( - ':username' => $username, - ':token' => $token - )); - - $reset_link = getBaseURL() . "/reset-password?token=" . $token; - - $request_date = new DateTime(); - $locale_date = locale_get_default(); - $date_formatter = new IntlDateFormatter( - $locale_date, - IntlDateFormatter::FULL, - IntlDateFormatter::FULL - ); - $formatted_request_date = $date_formatter->format($request_date); - - // set template vars - // subject - $pw_reset_notification['subject'] = str_replace('{{hostname}}', $mailcow_hostname, $pw_reset_notification['subject']); - $pw_reset_notification['subject'] = str_replace('{{link}}', $reset_link, $pw_reset_notification['subject']); - $pw_reset_notification['subject'] = str_replace('{{username}}', $username, $pw_reset_notification['subject']); - $pw_reset_notification['subject'] = str_replace('{{username2}}', $mailbox_attr['recovery_email'], $pw_reset_notification['subject']); - $pw_reset_notification['subject'] = str_replace('{{date}}', $formatted_request_date, $pw_reset_notification['subject']); - $pw_reset_notification['subject'] = str_replace('{{token_lifetime}}', $PW_RESET_TOKEN_LIFETIME, $pw_reset_notification['subject']); - // text - $pw_reset_notification['text_tmpl'] = str_replace('{{hostname}}', $mailcow_hostname, $pw_reset_notification['text_tmpl']); - $pw_reset_notification['text_tmpl'] = str_replace('{{link}}', $reset_link, $pw_reset_notification['text_tmpl']); - $pw_reset_notification['text_tmpl'] = str_replace('{{username}}', $username, $pw_reset_notification['text_tmpl']); - $pw_reset_notification['text_tmpl'] = str_replace('{{username2}}', $mailbox_attr['recovery_email'], $pw_reset_notification['text_tmpl']); - $pw_reset_notification['text_tmpl'] = str_replace('{{date}}', $formatted_request_date, $pw_reset_notification['text_tmpl']); - $pw_reset_notification['text_tmpl'] = str_replace('{{token_lifetime}}', $PW_RESET_TOKEN_LIFETIME, $pw_reset_notification['text_tmpl']); - // html - $pw_reset_notification['html_tmpl'] = str_replace('{{hostname}}', $mailcow_hostname, $pw_reset_notification['html_tmpl']); - $pw_reset_notification['html_tmpl'] = str_replace('{{link}}', $reset_link, $pw_reset_notification['html_tmpl']); - $pw_reset_notification['html_tmpl'] = str_replace('{{username}}', $username, $pw_reset_notification['html_tmpl']); - $pw_reset_notification['html_tmpl'] = str_replace('{{username2}}', $mailbox_attr['recovery_email'], $pw_reset_notification['html_tmpl']); - $pw_reset_notification['html_tmpl'] = str_replace('{{date}}', $formatted_request_date, $pw_reset_notification['html_tmpl']); - $pw_reset_notification['html_tmpl'] = str_replace('{{token_lifetime}}', $PW_RESET_TOKEN_LIFETIME, $pw_reset_notification['html_tmpl']); - - - $email_sent = reset_password('send_mail', array( - "from" => $pw_reset_notification['from'], - "to" => $mailbox_attr['recovery_email'], - "subject" => $pw_reset_notification['subject'], - "text" => $pw_reset_notification['text_tmpl'], - "html" => $pw_reset_notification['html_tmpl'] - )); - - if (!$email_sent){ - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $action, $_data_log), - 'msg' => "recovery_email_failed" - ); - return false; - } - - list($localPart, $domainPart) = explode('@', $mailbox_attr['recovery_email']); - if (strlen($localPart) > 1) { - $maskedLocalPart = $localPart[0] . str_repeat('*', strlen($localPart) - 1); - } else { - $maskedLocalPart = "*"; - } - $_SESSION['return'][] = array( - 'type' => 'success', - 'log' => array(__FUNCTION__, $action, $_data_log), - 'msg' => array("recovery_email_sent", $maskedLocalPart . '@' . $domainPart) - ); - return array( - "username" => $username, - "issue" => "success" - ); - break; - case 'reset': - $token = $data['token']; - $new_password = $data['new_password']; - $new_password2 = $data['new_password2']; - $username = $data['username']; - $check_tfa = $data['check_tfa']; - - if (!$username || !$token) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $action, $_data_log), - 'msg' => 'invalid_reset_token' - ); - return false; - } - - # check new password - if (!password_check($new_password, $new_password2)) { - return false; - } - - if ($check_tfa){ - // check for tfa authenticators - $authenticators = get_tfa($username); - if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) { - $_SESSION['pending_mailcow_cc_username'] = $username; - $_SESSION['pending_pw_reset_token'] = $token; - $_SESSION['pending_pw_new_password'] = $new_password; - $_SESSION['pending_tfa_methods'] = $authenticators['additional']; - $_SESSION['return'][] = array( - 'type' => 'info', - 'log' => array(__FUNCTION__, $user, '*'), - 'msg' => 'awaiting_tfa_confirmation' - ); - return false; - } - } - - # set new password - $password_hashed = hash_password($new_password); - $stmt = $pdo->prepare("UPDATE `mailbox` SET - `password` = :password_hashed, - `attributes` = JSON_SET(`attributes`, '$.passwd_update', NOW()) - WHERE `username` = :username AND authsource = 'mailcow'"); - $stmt->execute(array( - ':password_hashed' => $password_hashed, - ':username' => $username - )); - - // perform cleanup - $stmt = $pdo->prepare("DELETE FROM `reset_password` WHERE `username` = :username;"); - $stmt->execute(array( - ':username' => $username - )); - - update_sogo_static_view($username); - - $_SESSION['return'][] = array( - 'type' => 'success', - 'log' => array(__FUNCTION__, $action, $_data_log), - 'msg' => 'password_changed_success' - ); - return true; - break; - case 'get_notification': - $type = $data; - - try { - $settings['from'] = $redis->Get('PW_RESET_FROM'); - $settings['subject'] = $redis->Get('PW_RESET_SUBJ'); - $settings['html_tmpl'] = $redis->Get('PW_RESET_HTML'); - $settings['text_tmpl'] = $redis->Get('PW_RESET_TEXT'); - if (empty($settings['html_tmpl']) && empty($settings['text_tmpl'])) { - $settings['html_tmpl'] = file_get_contents("/tpls/pw_reset_html.tpl"); - $settings['text_tmpl'] = file_get_contents("/tpls/pw_reset_text.tpl"); - } - - if ($type != "raw") { - $settings['html_tmpl'] = htmlspecialchars($settings['html_tmpl']); - $settings['text_tmpl'] = htmlspecialchars($settings['text_tmpl']); - } - } - catch (RedisException $e) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $action, $_data_log), - 'msg' => array('redis_error', $e) - ); - return false; - } - - return $settings; - break; - case 'send_mail': - $from = $data['from']; - $to = $data['to']; - $text = $data['text']; - $html = $data['html']; - $subject = $data['subject']; - - if (!filter_var($from, FILTER_VALIDATE_EMAIL)) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $action, $_data_log), - 'msg' => 'from_invalid' - ); - return false; - } - if (!filter_var($to, FILTER_VALIDATE_EMAIL)) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $action, $_data_log), - 'msg' => 'to_invalid' - ); - return false; - } - if (empty($subject)) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $action, $_data_log), - 'msg' => 'subject_empty' - ); - return false; - } - if (empty($text)) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $action, $_data_log), - 'msg' => 'text_empty' - ); - return false; - } - - ini_set('max_execution_time', 0); - ini_set('max_input_time', 0); - $mail = new PHPMailer; - $mail->Timeout = 10; - $mail->SMTPOptions = array( - 'ssl' => array( - 'verify_peer' => false, - 'verify_peer_name' => false, - 'allow_self_signed' => true - ) - ); - $mail->isSMTP(); - $mail->Host = 'postfix-mailcow'; - $mail->SMTPAuth = false; - $mail->Port = 25; - $mail->setFrom($from); - $mail->Subject = $subject; - $mail->CharSet ="UTF-8"; - if (!empty($html)) { - $mail->Body = $html; - $mail->AltBody = $text; - } - else { - $mail->Body = $text; - } - $mail->XMailer = 'MooMail'; - $mail->AddAddress($to); - if (!$mail->send()) { - return false; - } - $mail->ClearAllRecipients(); - - return true; - break; - } - - if ($_SESSION['mailcow_cc_role'] != "admin") { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $action, $_data_log), - 'msg' => 'access_denied' - ); - return false; - } - - switch ($action) { - case 'edit_notification': - $subject = $data['subject']; - $from = preg_replace('/[\x00-\x1F\x80-\xFF]/', '', $data['from']); - - $from = (!filter_var($from, FILTER_VALIDATE_EMAIL)) ? "" : $from; - $subject = (empty($subject)) ? "" : $subject; - $text = (empty($data['text_tmpl'])) ? "" : $data['text_tmpl']; - $html = (empty($data['html_tmpl'])) ? "" : $data['html_tmpl']; - - try { - $redis->Set('PW_RESET_FROM', $from); - $redis->Set('PW_RESET_SUBJ', $subject); - $redis->Set('PW_RESET_HTML', $html); - $redis->Set('PW_RESET_TEXT', $text); - } - catch (RedisException $e) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $action, $_data_log), - 'msg' => array('redis_error', $e) - ); - return false; - } - - $_SESSION['return'][] = array( - 'type' => 'success', - 'log' => array(__FUNCTION__, $action, $_data_log), - 'msg' => 'saved_settings' - ); - break; - } -} -function clear_session(){ - session_regenerate_id(true); - session_unset(); - session_destroy(); - session_write_close(); -} -function set_user_loggedin_session($user) { - session_regenerate_id(true); - $_SESSION['mailcow_cc_username'] = $user; - $_SESSION['mailcow_cc_role'] = 'user'; - $sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass"); - $_SESSION['sogo-sso-user-allowed'][] = $user; - $_SESSION['sogo-sso-pass'] = $sogo_sso_pass; - unset($_SESSION['pending_mailcow_cc_username']); - unset($_SESSION['pending_mailcow_cc_role']); - unset($_SESSION['pending_tfa_methods']); -} -function get_logs($application, $lines = false) { - if ($lines === false) { - $lines = $GLOBALS['LOG_LINES'] - 1; - } - elseif(is_numeric($lines) && $lines >= 1) { - $lines = abs(intval($lines) - 1); - } - else { - list ($from, $to) = explode('-', $lines); - $from = intval($from); - $to = intval($to); - if ($from < 1 || $to < $from) { return false; } - } - global $redis; - global $pdo; - if ($_SESSION['mailcow_cc_role'] != "admin") { - return false; - } - // SQL - if ($application == "mailcow-ui") { - if (isset($from) && isset($to)) { - $stmt = $pdo->prepare("SELECT * FROM `logs` ORDER BY `id` DESC LIMIT :from, :to"); - $stmt->execute(array( - ':from' => $from - 1, - ':to' => $to - )); - $data = $stmt->fetchAll(PDO::FETCH_ASSOC); - } - else { - $stmt = $pdo->prepare("SELECT * FROM `logs` ORDER BY `id` DESC LIMIT :lines"); - $stmt->execute(array( - ':lines' => $lines + 1, - )); - $data = $stmt->fetchAll(PDO::FETCH_ASSOC); - } - if (is_array($data)) { - return $data; - } - } - if ($application == "sasl") { - if (isset($from) && isset($to)) { - $stmt = $pdo->prepare("SELECT * FROM `sasl_log` ORDER BY `datetime` DESC LIMIT :from, :to"); - $stmt->execute(array( - ':from' => $from - 1, - ':to' => $to - )); - $data = $stmt->fetchAll(PDO::FETCH_ASSOC); - } - else { - $stmt = $pdo->prepare("SELECT * FROM `sasl_log` ORDER BY `datetime` DESC LIMIT :lines"); - $stmt->execute(array( - ':lines' => $lines + 1, - )); - $data = $stmt->fetchAll(PDO::FETCH_ASSOC); - } - if (is_array($data)) { - return $data; - } - } - // Redis - if ($application == "dovecot-mailcow") { - if (isset($from) && isset($to)) { - $data = $redis->lRange('DOVECOT_MAILLOG', $from - 1, $to - 1); - } - else { - $data = $redis->lRange('DOVECOT_MAILLOG', 0, $lines); - } - if ($data) { - foreach ($data as $json_line) { - $data_array[] = json_decode($json_line, true); - } - return $data_array; - } - } - if ($application == "cron-mailcow") { - if (isset($from) && isset($to)) { - $data = $redis->lRange('CRON_LOG', $from - 1, $to - 1); - } - else { - $data = $redis->lRange('CRON_LOG', 0, $lines); - } - if ($data) { - foreach ($data as $json_line) { - $data_array[] = json_decode($json_line, true); - } - return $data_array; - } - } - if ($application == "postfix-mailcow") { - if (isset($from) && isset($to)) { - $data = $redis->lRange('POSTFIX_MAILLOG', $from - 1, $to - 1); - } - else { - $data = $redis->lRange('POSTFIX_MAILLOG', 0, $lines); - } - if ($data) { - foreach ($data as $json_line) { - $data_array[] = json_decode($json_line, true); - } - return $data_array; - } - } - if ($application == "sogo-mailcow") { - if (isset($from) && isset($to)) { - $data = $redis->lRange('SOGO_LOG', $from - 1, $to - 1); - } - else { - $data = $redis->lRange('SOGO_LOG', 0, $lines); - } - if ($data) { - foreach ($data as $json_line) { - $data_array[] = json_decode($json_line, true); - } - return $data_array; - } - } - if ($application == "watchdog-mailcow") { - if (isset($from) && isset($to)) { - $data = $redis->lRange('WATCHDOG_LOG', $from - 1, $to - 1); - } - else { - $data = $redis->lRange('WATCHDOG_LOG', 0, $lines); - } - if ($data) { - foreach ($data as $json_line) { - $data_array[] = json_decode($json_line, true); - } - return $data_array; - } - } - if ($application == "acme-mailcow") { - if (isset($from) && isset($to)) { - $data = $redis->lRange('ACME_LOG', $from - 1, $to - 1); - } - else { - $data = $redis->lRange('ACME_LOG', 0, $lines); - } - if ($data) { - foreach ($data as $json_line) { - $data_array[] = json_decode($json_line, true); - } - return $data_array; - } - } - if ($application == "ratelimited") { - if (isset($from) && isset($to)) { - $data = $redis->lRange('RL_LOG', $from - 1, $to - 1); - } - else { - $data = $redis->lRange('RL_LOG', 0, $lines); - } - if ($data) { - foreach ($data as $json_line) { - $data_array[] = json_decode($json_line, true); - } - return $data_array; - } - } - if ($application == "api-mailcow") { - if (isset($from) && isset($to)) { - $data = $redis->lRange('API_LOG', $from - 1, $to - 1); - } - else { - $data = $redis->lRange('API_LOG', 0, $lines); - } - if ($data) { - foreach ($data as $json_line) { - $data_array[] = json_decode($json_line, true); - } - return $data_array; - } - } - if ($application == "netfilter-mailcow") { - if (isset($from) && isset($to)) { - $data = $redis->lRange('NETFILTER_LOG', $from - 1, $to - 1); - } - else { - $data = $redis->lRange('NETFILTER_LOG', 0, $lines); - } - if ($data) { - foreach ($data as $json_line) { - $data_array[] = json_decode($json_line, true); - } - return $data_array; - } - } - if ($application == "autodiscover-mailcow") { - if (isset($from) && isset($to)) { - $data = $redis->lRange('AUTODISCOVER_LOG', $from - 1, $to - 1); - } - else { - $data = $redis->lRange('AUTODISCOVER_LOG', 0, $lines); - } - if ($data) { - foreach ($data as $json_line) { - $data_array[] = json_decode($json_line, true); - } - return $data_array; - } - } - if ($application == "rspamd-history") { - $curl = curl_init(); - curl_setopt($curl, CURLOPT_UNIX_SOCKET_PATH, '/var/lib/rspamd/rspamd.sock'); - if (!is_numeric($lines)) { - list ($from, $to) = explode('-', $lines); - curl_setopt($curl, CURLOPT_URL,"http://rspamd/history?from=" . intval($from) . "&to=" . intval($to)); - } - else { - curl_setopt($curl, CURLOPT_URL,"http://rspamd/history?to=" . intval($lines)); - } - curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); - $history = curl_exec($curl); - if (!curl_errno($curl)) { - $data_array = json_decode($history, true); - curl_close($curl); - return $data_array['rows']; - } - curl_close($curl); - return false; - } - if ($application == "rspamd-stats") { - $curl = curl_init(); - curl_setopt($curl, CURLOPT_UNIX_SOCKET_PATH, '/var/lib/rspamd/rspamd.sock'); - curl_setopt($curl, CURLOPT_URL,"http://rspamd/stat"); - curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); - $stats = curl_exec($curl); - if (!curl_errno($curl)) { - $data_array = json_decode($stats, true); - curl_close($curl); - return $data_array; - } - curl_close($curl); - return false; - } - return false; -} -function getGUID() { - if (function_exists('com_create_guid')) { - return com_create_guid(); - } - mt_srand((double)microtime()*10000);//optional for php 4.2.0 and up. - $charid = strtoupper(md5(uniqid(rand(), true))); - $hyphen = chr(45);// "-" - return substr($charid, 0, 8).$hyphen - .substr($charid, 8, 4).$hyphen - .substr($charid,12, 4).$hyphen - .substr($charid,16, 4).$hyphen - .substr($charid,20,12); -} - -function cleanupJS($ignore = '', $folder = '/tmp/*.js') { - $now = time(); - foreach (glob($folder) as $filename) { - if(strpos($filename, $ignore) !== false) { - continue; - } - if (is_file($filename)) { - if ($now - filemtime($filename) >= 60 * 60) { - unlink($filename); - } - } - } -} - -function cleanupCSS($ignore = '', $folder = '/tmp/*.css') { - $now = time(); - foreach (glob($folder) as $filename) { - if(strpos($filename, $ignore) !== false) { - continue; - } - if (is_file($filename)) { - if ($now - filemtime($filename) >= 60 * 60) { - unlink($filename); - } - } - } -} - -?> +1) { + $bits=(int)($ar[1]); + } + else { + $bits = $iplen * 8; + } + for ($c=0; $bits>0; $c++) { + $bytemask = ($bits < 8) ? 0xff ^ ((1 << (8-$bits))-1) : 0xff; + if (((ord($ipb[$c]) ^ ord($ip1b[$c])) & $bytemask) != 0) { + continue 2; + } + $bits-=8; + } + return true; + } + return false; +} +function hash_password($password) { + // default_pass_scheme is determined in vars.inc.php (or corresponding local file) + // in case default pass scheme is not defined, falling back to BLF-CRYPT. + global $default_pass_scheme; + $pw_hash = NULL; + // support pre-hashed passwords + if (preg_match('/^{(ARGON2I|ARGON2ID|BLF-CRYPT|CLEAR|CLEARTEXT|CRYPT|DES-CRYPT|LDAP-MD5|MD5|MD5-CRYPT|PBKDF2|PLAIN|PLAIN-MD4|PLAIN-MD5|PLAIN-TRUNC|PLAIN-TRUNC|SHA|SHA1|SHA256|SHA256-CRYPT|SHA512|SHA512-CRYPT|SMD5|SSHA|SSHA256|SSHA512)}/i', $password)) { + $pw_hash = $password; + } + else { + switch (strtoupper($default_pass_scheme)) { + case "SSHA": + $salt_str = bin2hex(openssl_random_pseudo_bytes(8)); + $pw_hash = "{SSHA}".base64_encode(hash('sha1', $password . $salt_str, true) . $salt_str); + break; + case "SSHA256": + $salt_str = bin2hex(openssl_random_pseudo_bytes(8)); + $pw_hash = "{SSHA256}".base64_encode(hash('sha256', $password . $salt_str, true) . $salt_str); + break; + case "SSHA512": + $salt_str = bin2hex(openssl_random_pseudo_bytes(8)); + $pw_hash = "{SSHA512}".base64_encode(hash('sha512', $password . $salt_str, true) . $salt_str); + break; + case "BLF-CRYPT": + default: + $pw_hash = "{BLF-CRYPT}" . password_hash($password, PASSWORD_BCRYPT); + break; + } + } + return $pw_hash; +} +function password_complexity($_action, $_data = null) { + global $redis; + global $lang; + switch ($_action) { + case 'edit': + if ($_SESSION['mailcow_cc_role'] != "admin") { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_action, $_data), + 'msg' => 'access_denied' + ); + return false; + } + $is_now = password_complexity('get'); + if (!empty($is_now)) { + $length = (isset($_data['length']) && intval($_data['length']) >= 3) ? intval($_data['length']) : $is_now['length']; + $chars = (isset($_data['chars'])) ? intval($_data['chars']) : $is_now['chars']; + $lowerupper = (isset($_data['lowerupper'])) ? intval($_data['lowerupper']) : $is_now['lowerupper']; + $special_chars = (isset($_data['special_chars'])) ? intval($_data['special_chars']) : $is_now['special_chars']; + $numbers = (isset($_data['numbers'])) ? intval($_data['numbers']) : $is_now['numbers']; + } + try { + $redis->hMSet('PASSWD_POLICY', [ + 'length' => $length, + 'chars' => $chars, + 'special_chars' => $special_chars, + 'lowerupper' => $lowerupper, + 'numbers' => $numbers + ]); + } + catch (RedisException $e) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_action, $_data), + 'msg' => array('redis_error', $e) + ); + return false; + } + $_SESSION['return'][] = array( + 'type' => 'success', + 'log' => array(__FUNCTION__, $_action, $_data), + 'msg' => 'password_policy_saved' + ); + break; + case 'get': + try { + $length = $redis->hGet('PASSWD_POLICY', 'length'); + $chars = $redis->hGet('PASSWD_POLICY', 'chars'); + $special_chars = $redis->hGet('PASSWD_POLICY', 'special_chars'); + $lowerupper = $redis->hGet('PASSWD_POLICY', 'lowerupper'); + $numbers = $redis->hGet('PASSWD_POLICY', 'numbers'); + return array( + 'length' => $length, + 'chars' => $chars, + 'special_chars' => $special_chars, + 'lowerupper' => $lowerupper, + 'numbers' => $numbers + ); + } + catch (RedisException $e) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_action, $_data), + 'msg' => array('redis_error', $e) + ); + return false; + } + return false; + break; + case 'html': + $policies = password_complexity('get'); + foreach ($policies as $name => $value) { + if ($value != 0) { + $policy_text[] = sprintf($lang['admin']["password_policy_$name"], $value); + } + } + return '

- ' . implode('
- ', (array)$policy_text) . '

'; + break; + } +} +function password_check($password1, $password2) { + $password_complexity = password_complexity('get'); + + if (empty($password1) || empty($password2)) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_action, $_type), + 'msg' => 'password_complexity' + ); + return false; + } + + if ($password1 != $password2) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_action, $_type), + 'msg' => 'password_mismatch' + ); + return false; + } + + $given_password['length'] = strlen($password1); + $given_password['special_chars'] = preg_match('/[^a-zA-Z\d]/', $password1); + $given_password['chars'] = preg_match('/[a-zA-Z]/',$password1); + $given_password['numbers'] = preg_match('/\d/', $password1); + $lower = strlen(preg_replace("/[^a-z]/", '', $password1)); + $upper = strlen(preg_replace("/[^A-Z]/", '', $password1)); + $given_password['lowerupper'] = ($lower > 0 && $upper > 0) ? true : false; + + if ( + ($given_password['length'] < $password_complexity['length']) || + ($password_complexity['special_chars'] == 1 && (intval($given_password['special_chars']) != $password_complexity['special_chars'])) || + ($password_complexity['chars'] == 1 && (intval($given_password['chars']) != $password_complexity['chars'])) || + ($password_complexity['numbers'] == 1 && (intval($given_password['numbers']) != $password_complexity['numbers'])) || + ($password_complexity['lowerupper'] == 1 && (intval($given_password['lowerupper']) != $password_complexity['lowerupper'])) + ) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_action, $_type), + 'msg' => 'password_complexity' + ); + return false; + } + + return true; +} +function last_login($action, $username, $sasl_limit_days = 7, $ui_offset = 1) { + global $pdo; + global $redis; + $sasl_limit_days = intval($sasl_limit_days); + switch ($action) { + case 'get': + if (filter_var($username, FILTER_VALIDATE_EMAIL) && hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) { + $stmt = $pdo->prepare('SELECT `real_rip`, MAX(`datetime`) as `datetime`, `service`, `app_password`, MAX(`app_passwd`.`name`) as `app_password_name` FROM `sasl_log` + LEFT OUTER JOIN `app_passwd` on `sasl_log`.`app_password` = `app_passwd`.`id` + WHERE `username` = :username + AND HOUR(TIMEDIFF(NOW(), `datetime`)) < :sasl_limit_days + GROUP BY `real_rip`, `service`, `app_password` + ORDER BY `datetime` DESC;'); + $stmt->execute(array(':username' => $username, ':sasl_limit_days' => ($sasl_limit_days * 24))); + $sasl = $stmt->fetchAll(PDO::FETCH_ASSOC); + foreach ($sasl as $k => $v) { + if (!filter_var($sasl[$k]['real_rip'], FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) { + $sasl[$k]['real_rip'] = 'Web/EAS/Internal (' . $sasl[$k]['real_rip'] . ')'; + } + elseif (filter_var($sasl[$k]['real_rip'], FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) { + try { + $sasl[$k]['location'] = $redis->hGet('IP_SHORTCOUNTRY', $sasl[$k]['real_rip']); + } + catch (RedisException $e) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_action, $_data_log), + 'msg' => array('redis_error', $e) + ); + return false; + } + if (!$sasl[$k]['location']) { + $curl = curl_init(); + curl_setopt($curl, CURLOPT_URL,"https://dfdata.bella.network/country/" . $sasl[$k]['real_rip']); + curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); + curl_setopt($curl, CURLOPT_USERAGENT, 'Moocow'); + curl_setopt($curl, CURLOPT_TIMEOUT, 5); + $ip_data = curl_exec($curl); + if (!curl_errno($curl)) { + $ip_data_array = json_decode($ip_data, true); + if ($ip_data_array !== false and !empty($ip_data_array['shortcountry'])) { + $sasl[$k]['location'] = $ip_data_array['shortcountry']; + try { + $redis->hSet('IP_SHORTCOUNTRY', $sasl[$k]['real_rip'], $ip_data_array['shortcountry']); + } + catch (RedisException $e) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_action, $_data_log), + 'msg' => array('redis_error', $e) + ); + curl_close($curl); + return false; + } + } + } + curl_close($curl); + } + } + } + } + else { + $sasl = array(); + } + if ($_SESSION['mailcow_cc_role'] == "admin" || $username == $_SESSION['mailcow_cc_username']) { + $stmt = $pdo->prepare('SELECT `remote`, `time` FROM `logs` + WHERE JSON_EXTRACT(`call`, "$[0]") = "check_login" + AND JSON_EXTRACT(`call`, "$[1]") = :username + AND `type` = "success" ORDER BY `time` DESC LIMIT 1 OFFSET :offset'); + $stmt->execute(array( + ':username' => $username, + ':offset' => $ui_offset + )); + $ui = $stmt->fetch(PDO::FETCH_ASSOC); + } + else { + $ui = array(); + } + + return array('ui' => $ui, 'sasl' => $sasl); + break; + case 'reset': + if (filter_var($username, FILTER_VALIDATE_EMAIL) && hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) { + $stmt = $pdo->prepare('DELETE FROM `sasl_log` + WHERE `username` = :username'); + $stmt->execute(array(':username' => $username)); + } + if ($_SESSION['mailcow_cc_role'] == "admin" || $username == $_SESSION['mailcow_cc_username']) { + $stmt = $pdo->prepare('DELETE FROM `logs` + WHERE JSON_EXTRACT(`call`, "$[0]") = "check_login" + AND JSON_EXTRACT(`call`, "$[1]") = :username + AND `type` = "success"'); + $stmt->execute(array(':username' => $username)); + } + return true; + break; + } + +} +function set_sasl_log($username, $real_rip, $service){ + global $pdo; + + try { + if (!empty($_SESSION['app_passwd_id'])) { + $app_password = $_SESSION['app_passwd_id']; + } else { + $app_password = 0; + } + + $stmt = $pdo->prepare('REPLACE INTO `sasl_log` (`username`, `real_rip`, `service`, `app_password`) VALUES (:username, :real_rip, :service, :app_password)'); + $stmt->execute(array( + ':username' => $username, + ':real_rip' => $real_rip, + ':service' => $service, + ':app_password' => $app_password + )); + } catch (PDOException $e) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_data_log), + 'msg' => array('mysql_error', $e) + ); + return false; + } + + return true; +} +function flush_memcached() { + try { + $m = new Memcached(); + $m->addServer('memcached', 11211); + $m->flush(); + } + catch ( Exception $e ) { + // Dunno + } +} +function sys_mail($_data) { + if ($_SESSION['mailcow_cc_role'] != "admin") { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__), + 'msg' => 'access_denied' + ); + return false; + } + $excludes = $_data['mass_exclude']; + $includes = $_data['mass_include']; + $mailboxes = array(); + $mass_from = $_data['mass_from']; + $mass_text = $_data['mass_text']; + $mass_html = $_data['mass_html']; + $mass_subject = $_data['mass_subject']; + if (!filter_var($mass_from, FILTER_VALIDATE_EMAIL)) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__), + 'msg' => 'from_invalid' + ); + return false; + } + if (empty($mass_subject)) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__), + 'msg' => 'subject_empty' + ); + return false; + } + if (empty($mass_text)) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__), + 'msg' => 'text_empty' + ); + return false; + } + $domains = array_merge(mailbox('get', 'domains'), mailbox('get', 'alias_domains')); + foreach ($domains as $domain) { + foreach (mailbox('get', 'mailboxes', $domain) as $mailbox) { + $mailboxes[] = $mailbox; + } + } + if (!empty($includes)) { + $rcpts = array_intersect($mailboxes, $includes); + } + elseif (!empty($excludes)) { + $rcpts = array_diff($mailboxes, $excludes); + } + else { + $rcpts = $mailboxes; + } + if (!empty($rcpts)) { + ini_set('max_execution_time', 0); + ini_set('max_input_time', 0); + $mail = new PHPMailer; + $mail->Timeout = 10; + $mail->SMTPOptions = array( + 'ssl' => array( + 'verify_peer' => false, + 'verify_peer_name' => false, + 'allow_self_signed' => true + ) + ); + $mail->isSMTP(); + $mail->Host = 'dovecot-mailcow'; + $mail->SMTPAuth = false; + $mail->Port = 24; + $mail->setFrom($mass_from); + $mail->Subject = $mass_subject; + $mail->CharSet ="UTF-8"; + if (!empty($mass_html)) { + $mail->Body = $mass_html; + $mail->AltBody = $mass_text; + } + else { + $mail->Body = $mass_text; + } + $mail->XMailer = 'MooMassMail'; + foreach ($rcpts as $rcpt) { + $mail->AddAddress($rcpt); + if (!$mail->send()) { + $_SESSION['return'][] = array( + 'type' => 'warning', + 'log' => array(__FUNCTION__), + 'msg' => 'Mailer error (RCPT "' . htmlspecialchars($rcpt) . '"): ' . str_replace('https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting', '', $mail->ErrorInfo) + ); + } + $mail->ClearAllRecipients(); + } + } + $_SESSION['return'][] = array( + 'type' => 'success', + 'log' => array(__FUNCTION__), + 'msg' => 'Mass mail job completed, sent ' . count($rcpts) . ' mails' + ); +} +function logger($_data = false) { + /* + logger() will be called as last function + To manually log a message, logger needs to be called like below. + + logger(array( + 'return' => array( + array( + 'type' => 'danger', + 'log' => array(__FUNCTION__), + 'msg' => $err + ) + ) + )); + + These messages will not be printed as alert box. + To do so, push them to $_SESSION['return'] and do not call logger as they will be included automatically: + + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $user, '*'), + 'msg' => $err + ); + */ + global $pdo; + if (!$_data) { + $_data = $_SESSION; + } + if (!empty($_data['return'])) { + $task = substr(strtoupper(md5(uniqid(rand(), true))), 0, 6); + foreach ($_data['return'] as $return) { + $type = $return['type']; + $msg = null; + if (isset($return['msg'])) { + $msg = json_encode($return['msg'], JSON_UNESCAPED_UNICODE); + } + $call = null; + if (isset($return['log'])) { + $call = json_encode($return['log'], JSON_UNESCAPED_UNICODE); + } + if (!empty($_SESSION["dual-login"]["username"])) { + $user = $_SESSION["dual-login"]["username"] . ' => ' . $_SESSION['mailcow_cc_username']; + $role = $_SESSION["dual-login"]["role"] . ' => ' . $_SESSION['mailcow_cc_role']; + } + elseif (!empty($_SESSION['mailcow_cc_username'])) { + $user = $_SESSION['mailcow_cc_username']; + $role = $_SESSION['mailcow_cc_role']; + } + else { + $user = 'unauthenticated'; + $role = 'unauthenticated'; + } + // We cannot log when logs is missing... + try { + $stmt = $pdo->prepare("INSERT INTO `logs` (`type`, `task`, `msg`, `call`, `user`, `role`, `remote`, `time`) VALUES + (:type, :task, :msg, :call, :user, :role, :remote, UNIX_TIMESTAMP())"); + $stmt->execute(array( + ':type' => $type, + ':task' => $task, + ':call' => $call, + ':msg' => $msg, + ':user' => $user, + ':role' => $role, + ':remote' => get_remote_ip() + )); + } + catch (PDOException $e) { + # handle the exception here, as the exception handler function results in a white page + error_log($e->getMessage(), 0); + } + } + } + else { + return true; + } +} +function hasDomainAccess($username, $role, $domain) { + global $pdo; + if (empty($domain) || !is_valid_domain_name($domain)) { + return false; + } + if (isset($_SESSION['access_all_exception']) && $_SESSION['access_all_exception'] == "1") { + return true; + } + if (!filter_var($username, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) { + return false; + } + if ($role != 'admin' && $role != 'domainadmin') { + return false; + } + if ($role == 'admin') { + $stmt = $pdo->prepare("SELECT `domain` FROM `domain` + WHERE `domain` = :domain"); + $stmt->execute(array(':domain' => $domain)); + $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC)); + $stmt = $pdo->prepare("SELECT `alias_domain` FROM `alias_domain` + WHERE `alias_domain` = :domain"); + $stmt->execute(array(':domain' => $domain)); + $num_results = $num_results + count($stmt->fetchAll(PDO::FETCH_ASSOC)); + if ($num_results != 0) { + return true; + } + } + elseif ($role == 'domainadmin') { + $stmt = $pdo->prepare("SELECT `domain` FROM `domain_admins` + WHERE ( + `active`='1' + AND `username` = :username + AND (`domain` = :domain1 OR `domain` = (SELECT `target_domain` FROM `alias_domain` WHERE `alias_domain` = :domain2)) + )"); + $stmt->execute(array(':username' => $username, ':domain1' => $domain, ':domain2' => $domain)); + $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC)); + if (!empty($num_results)) { + return true; + } + } + return false; +} +function hasMailboxObjectAccess($username, $role, $object) { + global $pdo; + if (isset($_SESSION['access_all_exception']) && $_SESSION['access_all_exception'] == "1") { + return true; + } + if (empty($username) || empty($role) || empty($object)) { + return false; + } + if (!filter_var(html_entity_decode(rawurldecode($username)), FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) { + return false; + } + if ($role != 'admin' && $role != 'domainadmin' && $role != 'user') { + return false; + } + if ($username == $object) { + return true; + } + $stmt = $pdo->prepare("SELECT `domain` FROM `mailbox` WHERE `username` = :object"); + $stmt->execute(array(':object' => $object)); + $row = $stmt->fetch(PDO::FETCH_ASSOC); + if (isset($row['domain']) && hasDomainAccess($username, $role, $row['domain'])) { + return true; + } + return false; +} +// does also verify mailboxes as a mailbox is a alias == goto +function hasAliasObjectAccess($username, $role, $object) { + global $pdo; + if (isset($_SESSION['access_all_exception']) && $_SESSION['access_all_exception'] == "1") { + return true; + } + if (empty($username) || empty($role) || empty($object)) { + return false; + } + if (!filter_var(html_entity_decode(rawurldecode($username)), FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) { + return false; + } + if ($role != 'admin' && $role != 'domainadmin' && $role != 'user') { + return false; + } + $stmt = $pdo->prepare("SELECT `domain` FROM `alias` WHERE `address` = :object"); + $stmt->execute(array(':object' => $object)); + $row = $stmt->fetch(PDO::FETCH_ASSOC); + if (isset($row['domain']) && hasDomainAccess($username, $role, $row['domain'])) { + return true; + } + return false; +} +function hasACLAccess($type) { + if (isset($_SESSION['access_all_exception']) && $_SESSION['access_all_exception'] == "1") { + return true; + } + if (isset($_SESSION['acl'][$type]) && $_SESSION['acl'][$type] == "1") { + return true; + } + + return false; +} +function pem_to_der($pem_key) { + // Need to remove BEGIN/END PUBLIC KEY + $lines = explode("\n", trim($pem_key)); + unset($lines[count($lines)-1]); + unset($lines[0]); + return base64_decode(implode('', $lines)); +} +function expand_ipv6($ip) { + $hex = unpack("H*hex", inet_pton($ip)); + $ip = substr(preg_replace("/([A-f0-9]{4})/", "$1:", $hex['hex']), 0, -1); + return $ip; +} +function generate_tlsa_digest($hostname, $port, $starttls = null) { + if (!is_valid_domain_name($hostname)) { + return "Not a valid hostname"; + } + if (empty($starttls)) { + $context = stream_context_create(array("ssl" => array("capture_peer_cert" => true, 'verify_peer' => false, 'verify_peer_name' => false, 'allow_self_signed' => true))); + $stream = stream_socket_client('ssl://' . $hostname . ':' . $port, $error_nr, $error_msg, 5, STREAM_CLIENT_CONNECT, $context); + if (!$stream) { + $error_msg = isset($error_msg) ? $error_msg : '-'; + return $error_nr . ': ' . $error_msg; + } + } + else { + $stream = stream_socket_client('tcp://' . $hostname . ':' . $port, $error_nr, $error_msg, 5); + if (!$stream) { + return $error_nr . ': ' . $error_msg; + } + $banner = fread($stream, 512 ); + if (preg_match("/^220/i", $banner)) { // SMTP + fwrite($stream,"HELO tlsa.generator.local\r\n"); + fread($stream, 512); + fwrite($stream,"STARTTLS\r\n"); + fread($stream, 512); + } + elseif (preg_match("/imap.+starttls/i", $banner)) { // IMAP + fwrite($stream,"A1 STARTTLS\r\n"); + fread($stream, 512); + } + elseif (preg_match("/^\+OK/", $banner)) { // POP3 + fwrite($stream,"STLS\r\n"); + fread($stream, 512); + } + elseif (preg_match("/^OK/m", $banner)) { // Sieve + fwrite($stream,"STARTTLS\r\n"); + fread($stream, 512); + } + else { + return 'Unknown banner: "' . htmlspecialchars(trim($banner)) . '"'; + } + // Upgrade connection + stream_set_blocking($stream, true); + stream_context_set_option($stream, 'ssl', 'capture_peer_cert', true); + stream_context_set_option($stream, 'ssl', 'verify_peer', false); + stream_context_set_option($stream, 'ssl', 'verify_peer_name', false); + stream_context_set_option($stream, 'ssl', 'allow_self_signed', true); + stream_socket_enable_crypto($stream, true, STREAM_CRYPTO_METHOD_ANY_CLIENT); + stream_set_blocking($stream, false); + } + $params = stream_context_get_params($stream); + if (!empty($params['options']['ssl']['peer_certificate'])) { + $key_resource = openssl_pkey_get_public($params['options']['ssl']['peer_certificate']); + // We cannot get ['rsa']['n'], the binary data would contain BEGIN/END PUBLIC KEY + $key_data = openssl_pkey_get_details($key_resource)['key']; + return '3 1 1 ' . openssl_digest(pem_to_der($key_data), 'sha256'); + } + else { + return 'Error: Cannot read peer certificate'; + } +} +function alertbox_log_parser($_data) { + global $lang; + if (isset($_data['return'])) { + foreach ($_data['return'] as $return) { + // Get type + $type = $return['type']; + // If a lang[type][msg] string exists, use it as message + if (isset($return['type']) && isset($return['msg']) && !is_array($return['msg'])) { + if (isset($lang[$return['type']][$return['msg']])) { + $msg = $lang[$return['type']][$return['msg']]; + } + else { + $msg = $return['msg']; + } + } + // If msg is an array, use first element as language string and run printf on it with remaining array elements + elseif (is_array($return['msg'])) { + $msg = array_shift($return['msg']); + $msg = vsprintf( + $lang[$return['type']][$msg], + $return['msg'] + ); + } + else { + $msg = '-'; + } + $log_array[] = array('msg' => $msg, 'type' => json_encode($type)); + } + if (!empty($log_array)) { + return $log_array; + } + } + return false; +} +function verify_salted_hash($hash, $password, $algo, $salt_length) { + // Decode hash + $dhash = base64_decode($hash); + // Get first n bytes of binary which equals a SSHA hash + $ohash = substr($dhash, 0, $salt_length); + // Remove SSHA hash from decoded hash to get original salt string + $osalt = str_replace($ohash, '', $dhash); + // Check single salted SSHA hash against extracted hash + if (hash_equals(hash($algo, $password . $osalt, true), $ohash)) { + return true; + } + return false; +} +function verify_hash($hash, $password) { + if (preg_match('/^{(.+)}(.+)/i', $hash, $hash_array)) { + $scheme = strtoupper($hash_array[1]); + $hash = $hash_array[2]; + switch ($scheme) { + case "ARGON2I": + case "ARGON2ID": + case "BLF-CRYPT": + case "CRYPT": + case "DES-CRYPT": + case "MD5-CRYPT": + case "MD5": + case "SHA256-CRYPT": + case "SHA512-CRYPT": + return password_verify($password, $hash); + + case "CLEAR": + case "CLEARTEXT": + case "PLAIN": + return $password == $hash; + + case "LDAP-MD5": + $hash = base64_decode($hash); + return hash_equals(hash('md5', $password, true), $hash); + + case "PBKDF2": + $components = explode('$', $hash); + $salt = $components[2]; + $rounds = $components[3]; + $hash = $components[4]; + return hash_equals(hash_pbkdf2('sha1', $password, $salt, $rounds), $hash); + + case "PBKDF2-SHA512": + // Handle FreeIPA-style hash: {PBKDF2-SHA512}10000$$ + $components = explode('$', $hash); + if (count($components) !== 3) return false; + + // 1st part: iteration count (integer) + $iterations = intval($components[0]); + if ($iterations <= 0) return false; + + // 2nd part: salt (base64-encoded) + $salt = $components[1]; + // 3rd part: hash (base64-encoded) + $stored_hash_b64 = $components[2]; + + // Decode salt and hash from base64 + $salt_bin = base64_decode($salt, true); + $hash_bin = base64_decode($stored_hash_b64, true); + if ($salt_bin === false || $hash_bin === false) return false; + // Get length of hash in bytes + $hash_len = strlen($hash_bin); + if ($hash_len === 0) return false; + + // Calculate PBKDF2-SHA512 hash for provided password + $test_hash = hash_pbkdf2('sha512', $password, $salt_bin, $iterations, $hash_len, true); + return hash_equals($hash_bin, $test_hash); + + case "PLAIN-MD4": + return hash_equals(hash('md4', $password), $hash); + + case "PLAIN-MD5": + return md5($password) == $hash; + + case "PLAIN-TRUNC": + $components = explode('-', $hash); + if (count($components) > 1) { + $trunc_len = $components[0]; + $trunc_password = $components[1]; + + return substr($password, 0, $trunc_len) == $trunc_password; + } else { + return $password == $hash; + } + + case "SHA": + case "SHA1": + case "SHA256": + case "SHA512": + // SHA is an alias for SHA1 + $scheme = $scheme == "SHA" ? "sha1" : strtolower($scheme); + $hash = base64_decode($hash); + return hash_equals(hash($scheme, $password, true), $hash); + + case "SMD5": + return verify_salted_hash($hash, $password, 'md5', 16); + + case "SSHA": + return verify_salted_hash($hash, $password, 'sha1', 20); + + case "SSHA256": + return verify_salted_hash($hash, $password, 'sha256', 32); + + case "SSHA512": + return verify_salted_hash($hash, $password, 'sha512', 64); + + default: + return false; + } + } + return false; +} +function formatBytes($size, $precision = 2) { + if(!is_numeric($size)) { + return "0"; + } + $base = log($size, 1024); + $suffixes = array(' Byte', ' KiB', ' MiB', ' GiB', ' TiB'); + if ($size == "0") { + return "0"; + } + return round(pow(1024, $base - floor($base)), $precision) . $suffixes[floor($base)]; +} +function update_sogo_static_view($mailbox = null) { + if (getenv('SKIP_SOGO') == "y") { + return true; + } + global $pdo; + global $lang; + + $mailbox_exists = false; + if ($mailbox !== null) { + // Check if the mailbox exists + $stmt = $pdo->prepare("SELECT username FROM mailbox WHERE username = :mailbox AND active = '1'"); + $stmt->execute(array(':mailbox' => $mailbox)); + $row = $stmt->fetch(PDO::FETCH_ASSOC); + if ($row){ + $mailbox_exists = true; + } + } + + // generate random password for sogo to deny direct login + $random_password = base64_encode(openssl_random_pseudo_bytes(24)); + $random_salt = base64_encode(openssl_random_pseudo_bytes(16)); + $random_hash = '{SSHA256}' . base64_encode(hash('sha256', base64_decode($password) . $salt, true) . $salt); + + $subquery = "GROUP BY mailbox.username"; + if ($mailbox_exists) { + $subquery = "AND mailbox.username = :mailbox"; + } + $query = "INSERT INTO _sogo_static_view (`c_uid`, `domain`, `c_name`, `c_password`, `c_cn`, `mail`, `aliases`, `ad_aliases`, `ext_acl`, `kind`, `multiple_bookings`) + SELECT + mailbox.username, + mailbox.domain, + mailbox.username, + :random_hash, + mailbox.name, + mailbox.username, + IFNULL(GROUP_CONCAT(ga.aliases ORDER BY ga.aliases SEPARATOR ' '), ''), + IFNULL(gda.ad_alias, ''), + IFNULL(external_acl.send_as_acl, ''), + mailbox.kind, + mailbox.multiple_bookings + FROM + mailbox + LEFT OUTER JOIN grouped_mail_aliases ga ON ga.username REGEXP CONCAT('(^|,)', mailbox.username, '($|,)') + LEFT OUTER JOIN grouped_domain_alias_address gda ON gda.username = mailbox.username + LEFT OUTER JOIN grouped_sender_acl_external external_acl ON external_acl.username = mailbox.username + WHERE + mailbox.active = '1' + $subquery + ON DUPLICATE KEY UPDATE + `domain` = VALUES(`domain`), + `c_name` = VALUES(`c_name`), + `c_password` = VALUES(`c_password`), + `c_cn` = VALUES(`c_cn`), + `mail` = VALUES(`mail`), + `aliases` = VALUES(`aliases`), + `ad_aliases` = VALUES(`ad_aliases`), + `ext_acl` = VALUES(`ext_acl`), + `kind` = VALUES(`kind`), + `multiple_bookings` = VALUES(`multiple_bookings`)"; + + + if ($mailbox_exists) { + $stmt = $pdo->prepare($query); + $stmt->execute(array( + ':random_hash' => $random_hash, + ':mailbox' => $mailbox + )); + } else { + $stmt = $pdo->prepare($query); + $stmt->execute(array( + ':random_hash' => $random_hash + )); + } + + $stmt = $pdo->query("DELETE FROM _sogo_static_view WHERE `c_uid` NOT IN (SELECT `username` FROM `mailbox` WHERE `active` = '1');"); + + flush_memcached(); +} +function edit_user_account($_data) { + global $lang; + global $pdo; + + $_data_log = $_data; + !isset($_data_log['user_new_pass']) ?: $_data_log['user_new_pass'] = '*'; + !isset($_data_log['user_new_pass2']) ?: $_data_log['user_new_pass2'] = '*'; + !isset($_data_log['user_old_pass']) ?: $_data_log['user_old_pass'] = '*'; + + $username = $_SESSION['mailcow_cc_username']; + $role = $_SESSION['mailcow_cc_role']; + $password_old = $_data['user_old_pass']; + $pw_recovery_email = $_data['pw_recovery_email']; + + if (filter_var($username, FILTER_VALIDATE_EMAIL === false) || $role != 'user') { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_data_log), + 'msg' => 'access_denied' + ); + return false; + } + + // edit password + if (!empty($password_old) && !empty($_data['user_new_pass']) && !empty($_data['user_new_pass2'])) { + $stmt = $pdo->prepare("SELECT `password` FROM `mailbox` + WHERE `kind` NOT REGEXP 'location|thing|group' + AND `username` = :user AND authsource = 'mailcow'"); + $stmt->execute(array(':user' => $username)); + $row = $stmt->fetch(PDO::FETCH_ASSOC); + + if (!verify_hash($row['password'], $password_old)) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_data_log), + 'msg' => 'access_denied' + ); + return false; + } + + $password_new = $_data['user_new_pass']; + $password_new2 = $_data['user_new_pass2']; + if (password_check($password_new, $password_new2) !== true) { + return false; + } + $password_hashed = hash_password($password_new); + $stmt = $pdo->prepare("UPDATE `mailbox` SET `password` = :password_hashed, + `attributes` = JSON_SET(`attributes`, '$.force_pw_update', '0'), + `attributes` = JSON_SET(`attributes`, '$.passwd_update', NOW()) + WHERE `username` = :username AND authsource = 'mailcow'"); + $stmt->execute(array( + ':password_hashed' => $password_hashed, + ':username' => $username + )); + $_SESSION['pending_pw_update'] = false; + + update_sogo_static_view(); + } + // edit password recovery email + elseif (!empty($password_old) && isset($pw_recovery_email)) { + if (!isset($_SESSION['acl']['pw_reset']) || $_SESSION['acl']['pw_reset'] != "1" ) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), + 'msg' => 'access_denied' + ); + return false; + } + + $stmt = $pdo->prepare("SELECT `password` FROM `mailbox` + WHERE `kind` NOT REGEXP 'location|thing|group' + AND `username` = :user AND authsource = 'mailcow'"); + $stmt->execute(array(':user' => $username)); + $row = $stmt->fetch(PDO::FETCH_ASSOC); + + if (!verify_hash($row['password'], $password_old)) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_data_log), + 'msg' => 'access_denied' + ); + return false; + } + + $pw_recovery_email = (!filter_var($pw_recovery_email, FILTER_VALIDATE_EMAIL)) ? '' : $pw_recovery_email; + $stmt = $pdo->prepare("UPDATE `mailbox` SET `attributes` = JSON_SET(`attributes`, '$.recovery_email', :recovery_email) + WHERE `username` = :username AND authsource = 'mailcow'"); + $stmt->execute(array( + ':recovery_email' => $pw_recovery_email, + ':username' => $username + )); + } + + $_SESSION['return'][] = array( + 'type' => 'success', + 'log' => array(__FUNCTION__, $_data_log), + 'msg' => array('mailbox_modified', htmlspecialchars($username)) + ); +} +function user_get_alias_details($username) { + global $pdo; + global $lang; + $data['direct_aliases'] = array(); + $data['shared_aliases'] = array(); + if ($_SESSION['mailcow_cc_role'] == "user") { + $username = $_SESSION['mailcow_cc_username']; + } + if (!filter_var($username, FILTER_VALIDATE_EMAIL)) { + return false; + } + if (!hasMailboxObjectAccess($username, $_SESSION['mailcow_cc_role'], $username)) { + return false; + } + $data['address'] = $username; + $stmt = $pdo->prepare("SELECT `address` AS `shared_aliases`, `public_comment` FROM `alias` + WHERE `goto` REGEXP :username_goto + AND `address` NOT LIKE '@%' + AND `goto` != :username_goto2 + AND `address` != :username_address"); + $stmt->execute(array( + ':username_goto' => '(^|,)'.preg_quote($username, '/').'($|,)', + ':username_goto2' => $username, + ':username_address' => $username + )); + $run = $stmt->fetchAll(PDO::FETCH_ASSOC); + while ($row = array_shift($run)) { + $data['shared_aliases'][$row['shared_aliases']]['public_comment'] = htmlspecialchars($row['public_comment']); + //$data['shared_aliases'][] = $row['shared_aliases']; + } + + $stmt = $pdo->prepare("SELECT `address` AS `direct_aliases`, `public_comment` FROM `alias` + WHERE `goto` = :username_goto + AND `address` NOT LIKE '@%' + AND `address` != :username_address"); + $stmt->execute( + array( + ':username_goto' => $username, + ':username_address' => $username + )); + $run = $stmt->fetchAll(PDO::FETCH_ASSOC); + while ($row = array_shift($run)) { + $data['direct_aliases'][$row['direct_aliases']]['public_comment'] = htmlspecialchars($row['public_comment']); + } + $stmt = $pdo->prepare("SELECT CONCAT(local_part, '@', alias_domain) AS `ad_alias`, `alias_domain` FROM `mailbox` + LEFT OUTER JOIN `alias_domain` on `target_domain` = `domain` + WHERE `username` = :username ;"); + $stmt->execute(array(':username' => $username)); + $run = $stmt->fetchAll(PDO::FETCH_ASSOC); + while ($row = array_shift($run)) { + if (empty($row['ad_alias'])) { + continue; + } + $data['direct_aliases'][$row['ad_alias']]['public_comment'] = $lang['add']['alias_domain']; + $data['alias_domains'][] = $row['alias_domain']; + } + $stmt = $pdo->prepare("SELECT IFNULL(GROUP_CONCAT(`send_as` SEPARATOR ', '), '') AS `send_as` FROM `sender_acl` WHERE `logged_in_as` = :username AND `send_as` NOT LIKE '@%';"); + $stmt->execute(array(':username' => $username)); + $run = $stmt->fetchAll(PDO::FETCH_ASSOC); + while ($row = array_shift($run)) { + $data['aliases_also_send_as'] = $row['send_as']; + } + $stmt = $pdo->prepare("SELECT CONCAT_WS(', ', IFNULL(GROUP_CONCAT(DISTINCT `send_as` SEPARATOR ', '), ''), GROUP_CONCAT(DISTINCT CONCAT('@',`alias_domain`) SEPARATOR ', ')) AS `send_as` FROM `sender_acl` LEFT JOIN `alias_domain` ON `alias_domain`.`target_domain` = TRIM(LEADING '@' FROM `send_as`) WHERE `logged_in_as` = :username AND `send_as` LIKE '@%';"); + $stmt->execute(array(':username' => $username)); + $run = $stmt->fetchAll(PDO::FETCH_ASSOC); + while ($row = array_shift($run)) { + $data['aliases_send_as_all'] = $row['send_as']; + } + $stmt = $pdo->prepare("SELECT IFNULL(GROUP_CONCAT(`address` SEPARATOR ', '), '') as `address` FROM `alias` WHERE `goto` REGEXP :username AND `address` LIKE '@%';"); + $stmt->execute(array(':username' => '(^|,)'.preg_quote($username, '/').'($|,)')); + $run = $stmt->fetchAll(PDO::FETCH_ASSOC); + while ($row = array_shift($run)) { + $data['is_catch_all'] = $row['address']; + } + return $data; +} +function is_valid_domain_name($domain_name, $options = array()) { + if (empty($domain_name)) { + return false; + } + + // Convert domain name to ASCII for validation + $domain_name = idn_to_ascii($domain_name, 0, INTL_IDNA_VARIANT_UTS46); + + if (isset($options['allow_wildcard']) && $options['allow_wildcard'] == true) { + // Remove '*.' if wildcard subdomains are allowed + if (strpos($domain_name, '*.') === 0) { + $domain_name = substr($domain_name, 2); + } + } + + return (preg_match("/^([a-z\d](-*[a-z\d])*)(\.([a-z\d](-*[a-z\d])*))*$/i", $domain_name) + && preg_match("/^.{1,253}$/", $domain_name) + && preg_match("/^[^\.]{1,63}(\.[^\.]{1,63})*$/", $domain_name)); +} +function set_tfa($_data) { + global $pdo; + global $yubi; + global $tfa; + global $iam_settings; + + $_data_log = $_data; + $access_denied = null; + !isset($_data_log['confirm_password']) ?: $_data_log['confirm_password'] = '*'; + $username = $_SESSION['mailcow_cc_username']; + + // check for empty user and role + if (!isset($_SESSION['mailcow_cc_role']) || empty($username)) $access_denied = true; + + // check admin confirm password + if ($access_denied === null) { + $stmt = $pdo->prepare("SELECT `password` FROM `admin` + WHERE `username` = :username"); + $stmt->execute(array(':username' => $username)); + $row = $stmt->fetch(PDO::FETCH_ASSOC); + if ($row) { + if (!verify_hash($row['password'], $_data["confirm_password"])) $access_denied = true; + else $access_denied = false; + } + } + + // check mailbox confirm password + if ($access_denied === null) { + $stmt = $pdo->prepare("SELECT `password`, `authsource` FROM `mailbox` + WHERE `username` = :username"); + $stmt->execute(array(':username' => $username)); + $row = $stmt->fetch(PDO::FETCH_ASSOC); + if ($row) { + if ($row['authsource'] == 'ldap'){ + if (!ldap_mbox_login($username, $_data["confirm_password"], $iam_settings)) $access_denied = true; + else $access_denied = false; + } else { + if (!verify_hash($row['password'], $_data["confirm_password"])) $access_denied = true; + else $access_denied = false; + } + } + } + + // set access_denied error + if ($access_denied){ + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_data_log), + 'msg' => 'access_denied' + ); + return false; + } + + switch ($_data["tfa_method"]) { + case "yubi_otp": + $key_id = (!isset($_data["key_id"])) ? 'unidentified' : $_data["key_id"]; + $yubico_id = $_data['yubico_id']; + $yubico_key = $_data['yubico_key']; + $yubi = new Auth_Yubico($yubico_id, $yubico_key); + if (!$yubi) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_data_log), + 'msg' => 'access_denied' + ); + return false; + } + if (!ctype_alnum($_data["otp_token"]) || strlen($_data["otp_token"]) != 44) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_data_log), + 'msg' => 'tfa_token_invalid' + ); + return false; + } + $yauth = $yubi->verify($_data["otp_token"]); + if (PEAR::isError($yauth)) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_data_log), + 'msg' => array('yotp_verification_failed', $yauth->getMessage()) + ); + return false; + } + try { + // We could also do a modhex translation here + $yubico_modhex_id = substr($_data["otp_token"], 0, 12); + $stmt = $pdo->prepare("DELETE FROM `tfa` + WHERE `username` = :username + AND (`authmech` = 'yubi_otp' AND `secret` LIKE :modhex)"); + $stmt->execute(array(':username' => $username, ':modhex' => '%' . $yubico_modhex_id)); + $stmt = $pdo->prepare("INSERT INTO `tfa` (`key_id`, `username`, `authmech`, `active`, `secret`) VALUES + (:key_id, :username, 'yubi_otp', '1', :secret)"); + $stmt->execute(array(':key_id' => $key_id, ':username' => $username, ':secret' => $yubico_id . ':' . $yubico_key . ':' . $yubico_modhex_id)); + } + catch (PDOException $e) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_data_log), + 'msg' => array('mysql_error', $e) + ); + return false; + } + $_SESSION['return'][] = array( + 'type' => 'success', + 'log' => array(__FUNCTION__, $_data_log), + 'msg' => array('object_modified', htmlspecialchars($username)) + ); + break; + case "totp": + $key_id = (!isset($_data["key_id"])) ? 'unidentified' : $_data["key_id"]; + if ($tfa->verifyCode($_POST['totp_secret'], $_POST['totp_confirm_token']) === true) { + //$stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `username` = :username"); + //$stmt->execute(array(':username' => $username)); + $stmt = $pdo->prepare("INSERT INTO `tfa` (`username`, `key_id`, `authmech`, `secret`, `active`) VALUES (?, ?, 'totp', ?, '1')"); + $stmt->execute(array($username, $key_id, $_POST['totp_secret'])); + $_SESSION['return'][] = array( + 'type' => 'success', + 'log' => array(__FUNCTION__, $_data_log), + 'msg' => array('object_modified', $username) + ); + } + else { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_data_log), + 'msg' => 'totp_verification_failed' + ); + } + break; + case "webauthn": + $key_id = (!isset($_data["key_id"])) ? 'unidentified' : $_data["key_id"]; + + $stmt = $pdo->prepare("INSERT INTO `tfa` (`username`, `key_id`, `authmech`, `keyHandle`, `publicKey`, `certificate`, `counter`, `active`) + VALUES (?, ?, 'webauthn', ?, ?, ?, ?, '1')"); + $stmt->execute(array( + $username, + $key_id, + base64_encode($_data['registration']->credentialId), + $_data['registration']->credentialPublicKey, + $_data['registration']->certificate, + 0 + )); + + $_SESSION['return'][] = array( + 'type' => 'success', + 'log' => array(__FUNCTION__, $_data_log), + 'msg' => array('object_modified', $username) + ); + break; + case "none": + $stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `username` = :username"); + $stmt->execute(array(':username' => $username)); + $_SESSION['return'][] = array( + 'type' => 'success', + 'log' => array(__FUNCTION__, $_data_log), + 'msg' => array('object_modified', htmlspecialchars($username)) + ); + break; + } +} +function fido2($_data) { + global $pdo; + global $WebAuthn; + $_data_log = $_data; + // Not logging registration data, only actions + // Silent errors for "get" requests + switch ($_data["action"]) { + case "register": + $username = $_SESSION['mailcow_cc_username']; + if (!isset($_SESSION['mailcow_cc_role']) || empty($username)) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_data["action"]), + 'msg' => 'access_denied' + ); + return false; + } + $stmt = $pdo->prepare("INSERT INTO `fido2` (`username`, `rpId`, `credentialPublicKey`, `certificateChain`, `certificate`, `certificateIssuer`, `certificateSubject`, `signatureCounter`, `AAGUID`, `credentialId`) + VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"); + $stmt->execute(array( + $username, + $_data['registration']->rpId, + $_data['registration']->credentialPublicKey, + $_data['registration']->certificateChain, + $_data['registration']->certificate, + $_data['registration']->certificateIssuer, + $_data['registration']->certificateSubject, + $_data['registration']->signatureCounter, + $_data['registration']->AAGUID, + $_data['registration']->credentialId) + ); + $_SESSION['return'][] = array( + 'type' => 'success', + 'log' => array(__FUNCTION__, $_data["action"]), + 'msg' => array('object_modified', $username) + ); + break; + case "get_user_cids": + // Used to exclude existing CredentialIds while registering + $username = $_SESSION['mailcow_cc_username']; + if (!isset($_SESSION['mailcow_cc_role']) || empty($username)) { + return false; + } + $stmt = $pdo->prepare("SELECT `credentialId` FROM `fido2` WHERE `username` = :username"); + $stmt->execute(array(':username' => $username)); + $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); + while($row = array_shift($rows)) { + $cids[] = $row['credentialId']; + } + return $cids; + break; + case "get_all_cids": + // Only needed when using fido2 with username + $stmt = $pdo->query("SELECT `credentialId` FROM `fido2`"); + $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); + while($row = array_shift($rows)) { + $cids[] = $row['credentialId']; + } + return $cids; + break; + case "get_by_b64cid": + if (!isset($_data['cid']) || empty($_data['cid'])) { + return false; + } + $stmt = $pdo->prepare("SELECT `certificateSubject`, `username`, `credentialPublicKey`, SHA2(`credentialId`, 256) AS `cid` FROM `fido2` WHERE `credentialId` = :cid"); + $stmt->execute(array(':cid' => base64_decode($_data['cid']))); + $row = $stmt->fetch(PDO::FETCH_ASSOC); + if (empty($row) || empty($row['credentialPublicKey']) || empty($row['username'])) { + return false; + } + $data['pub_key'] = $row['credentialPublicKey']; + $data['username'] = $row['username']; + $data['subject'] = $row['certificateSubject']; + $data['cid'] = $row['cid']; + return $data; + break; + case "get_friendly_names": + $username = $_SESSION['mailcow_cc_username']; + if (!isset($_SESSION['mailcow_cc_role']) || empty($username)) { + return false; + } + $stmt = $pdo->prepare("SELECT SHA2(`credentialId`, 256) AS `cid`, `created`, `certificateSubject`, `friendlyName` FROM `fido2` WHERE `username` = :username"); + $stmt->execute(array(':username' => $username)); + $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); + while($row = array_shift($rows)) { + $fns[] = array( + "subject" => (empty($row['certificateSubject']) ? 'Unknown (' . $row['created'] . ')' : $row['certificateSubject']), + "fn" => $row['friendlyName'], + "cid" => $row['cid'] + ); + } + return $fns; + break; + case "unset_fido2_key": + $username = $_SESSION['mailcow_cc_username']; + if (!isset($_SESSION['mailcow_cc_role']) || empty($username)) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_data["action"]), + 'msg' => 'access_denied' + ); + return false; + } + $stmt = $pdo->prepare("DELETE FROM `fido2` WHERE `username` = :username AND SHA2(`credentialId`, 256) = :cid"); + $stmt->execute(array( + ':username' => $username, + ':cid' => $_data['post_data']['unset_fido2_key'] + )); + $_SESSION['return'][] = array( + 'type' => 'success', + 'log' => array(__FUNCTION__, $_data_log), + 'msg' => array('object_modified', htmlspecialchars($username)) + ); + break; + case "edit_fn": + $username = $_SESSION['mailcow_cc_username']; + if (!isset($_SESSION['mailcow_cc_role']) || empty($username)) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_data["action"]), + 'msg' => 'access_denied' + ); + return false; + } + $stmt = $pdo->prepare("UPDATE `fido2` SET `friendlyName` = :friendlyName WHERE SHA2(`credentialId`, 256) = :cid AND `username` = :username"); + $stmt->execute(array( + ':username' => $username, + ':friendlyName' => $_data['fido2_attrs']['fido2_fn'], + ':cid' => $_data['fido2_attrs']['fido2_cid'] + )); + $_SESSION['return'][] = array( + 'type' => 'success', + 'log' => array(__FUNCTION__, $_data_log), + 'msg' => array('object_modified', htmlspecialchars($username)) + ); + break; + case "verify": + $role = ""; + $tokenData = json_decode($_data['token']); + $clientDataJSON = base64_decode($tokenData->clientDataJSON); + $authenticatorData = base64_decode($tokenData->authenticatorData); + $signature = base64_decode($tokenData->signature); + $id = base64_decode($tokenData->id); + $challenge = $_SESSION['challenge']; + $process_fido2 = fido2(array("action" => "get_by_b64cid", "cid" => $tokenData->id)); + if ($process_fido2['pub_key'] === false) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array("fido2_login", $_data['user'], $process_fido2['username']), + 'msg' => "login_failed" + ); + return false; + } + try { + $WebAuthn->processGet($clientDataJSON, $authenticatorData, $signature, $process_fido2['pub_key'], $challenge, null, $GLOBALS['FIDO2_UV_FLAG_LOGIN'], $GLOBALS['FIDO2_USER_PRESENT_FLAG']); + } + catch (Throwable $ex) { + unset($process_fido2); + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array("fido2_login", $_data['user'], $process_fido2['username'], $ex->getMessage()), + 'msg' => "login_failed" + ); + return false; + } + $return = new stdClass(); + $return->success = true; + $stmt = $pdo->prepare("SELECT `superadmin` FROM `admin` WHERE `username` = :username"); + $stmt->execute(array(':username' => $process_fido2['username'])); + $obj_props = $stmt->fetch(PDO::FETCH_ASSOC); + if ($obj_props['superadmin'] === 1 && (!$_data['user'] || $_data['user'] == "admin")) { + $role = "admin"; + } + elseif ($obj_props['superadmin'] === 0 && (!$_data['user'] || $_data['user'] == "domainadmin")) { + $role = "domainadmin"; + } + elseif (!isset($obj_props['superadmin']) && (!$_data['user'] || $_data['user'] == "user")) { + $stmt = $pdo->prepare("SELECT `username` FROM `mailbox` WHERE `username` = :username"); + $stmt->execute(array(':username' => $process_fido2['username'])); + $row = $stmt->fetch(PDO::FETCH_ASSOC); + if ($row['username'] == $process_fido2['username']) { + $role = "user"; + } + } + else { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array("fido2_login", $_data['user'], $process_fido2['username']), + 'msg' => 'login_failed' + ); + return false; + } + if (empty($role)) { + session_unset(); + session_destroy(); + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array("fido2_login", $_data['user'], $process_fido2['username']), + 'msg' => 'login_failed' + ); + return false; + } + unset($_SESSION["challenge"]); + $_SESSION['return'][] = array( + 'type' => 'success', + 'log' => array("fido2_login", $_data['user'], $process_fido2['username']), + 'msg' => array('logged_in_as', $process_fido2['username']) + ); + return array( + "role" => $role, + "username" => $process_fido2['username'], + "cid" => $process_fido2['cid'] + ); + break; + } +} +function unset_tfa_key($_data) { + // Can only unset own keys + // Needs at least one key left + global $pdo; + global $lang; + $_data_log = $_data; + $access_denied = null; + $id = intval($_data['unset_tfa_key']); + $username = $_SESSION['mailcow_cc_username']; + + // check for empty user and role + if (!isset($_SESSION['mailcow_cc_role']) || empty($username)) $access_denied = true; + + try { + if (!is_numeric($id)) $access_denied = true; + + // set access_denied error + if ($access_denied){ + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_data_log), + 'msg' => 'access_denied' + ); + return false; + } + + // check if it's last key + $stmt = $pdo->prepare("SELECT COUNT(*) AS `keys` FROM `tfa` + WHERE `username` = :username AND `active` = '1'"); + $stmt->execute(array(':username' => $username)); + $row = $stmt->fetch(PDO::FETCH_ASSOC); + if ($row['keys'] == "1") { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_data_log), + 'msg' => 'last_key' + ); + return false; + } + + // delete key + $stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `username` = :username AND `id` = :id"); + $stmt->execute(array(':username' => $username, ':id' => $id)); + $_SESSION['return'][] = array( + 'type' => 'success', + 'log' => array(__FUNCTION__, $_data_log), + 'msg' => array('object_modified', $username) + ); + } + catch (PDOException $e) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_data_log), + 'msg' => array('mysql_error', $e) + ); + return false; + } +} +function get_tfa($username = null, $id = null) { + global $pdo; + if (empty($username) && isset($_SESSION['mailcow_cc_username'])) { + $username = $_SESSION['mailcow_cc_username']; + } + elseif (empty($username)) { + return false; + } + + if (!isset($id)){ + // fetch all tfa methods - just get information about possible authenticators + $stmt = $pdo->prepare("SELECT `id`, `key_id`, `authmech` FROM `tfa` + WHERE `username` = :username AND `active` = '1'"); + $stmt->execute(array(':username' => $username)); + $results = $stmt->fetchAll(PDO::FETCH_ASSOC); + + // no tfa methods found + if (count($results) == 0) { + $data['name'] = 'none'; + $data['pretty'] = "-"; + $data['additional'] = array(); + return $data; + } + + $data['additional'] = $results; + return $data; + } else { + // fetch specific authenticator details by id + $stmt = $pdo->prepare("SELECT * FROM `tfa` + WHERE `username` = :username AND `id` = :id AND `active` = '1'"); + $stmt->execute(array(':username' => $username, ':id' => $id)); + $row = $stmt->fetch(PDO::FETCH_ASSOC); + + if (isset($row["authmech"])) { + switch ($row["authmech"]) { + case "yubi_otp": + $data['name'] = "yubi_otp"; + $data['pretty'] = "Yubico OTP"; + $stmt = $pdo->prepare("SELECT `id`, `key_id`, RIGHT(`secret`, 12) AS 'modhex' FROM `tfa` WHERE `authmech` = 'yubi_otp' AND `username` = :username AND `id` = :id"); + $stmt->execute(array( + ':username' => $username, + ':id' => $id + )); + $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); + while($row = array_shift($rows)) { + $data['additional'][] = $row; + } + return $data; + break; + // u2f - deprecated, should be removed + case "u2f": + $data['name'] = "u2f"; + $data['pretty'] = "Fido U2F"; + $stmt = $pdo->prepare("SELECT `id`, `key_id` FROM `tfa` WHERE `authmech` = 'u2f' AND `username` = :username AND `id` = :id"); + $stmt->execute(array( + ':username' => $username, + ':id' => $id + )); + $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); + while($row = array_shift($rows)) { + $data['additional'][] = $row; + } + return $data; + break; + case "hotp": + $data['name'] = "hotp"; + $data['pretty'] = "HMAC-based OTP"; + return $data; + break; + case "totp": + $data['name'] = "totp"; + $data['pretty'] = "Time-based OTP"; + $stmt = $pdo->prepare("SELECT `id`, `key_id`, `secret` FROM `tfa` WHERE `authmech` = 'totp' AND `username` = :username AND `id` = :id"); + $stmt->execute(array( + ':username' => $username, + ':id' => $id + )); + $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); + while($row = array_shift($rows)) { + $data['additional'][] = $row; + } + return $data; + break; + case "webauthn": + $data['name'] = "webauthn"; + $data['pretty'] = "WebAuthn"; + $stmt = $pdo->prepare("SELECT `id`, `key_id` FROM `tfa` WHERE `authmech` = 'webauthn' AND `username` = :username AND `id` = :id"); + $stmt->execute(array( + ':username' => $username, + ':id' => $id + )); + $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); + while($row = array_shift($rows)) { + $data['additional'][] = $row; + } + return $data; + break; + default: + $data['name'] = 'none'; + $data['pretty'] = "-"; + return $data; + break; + } + } + else { + $data['name'] = 'none'; + $data['pretty'] = "-"; + return $data; + } + } +} +function verify_tfa_login($username, $_data) { + global $pdo; + global $yubi; + global $u2f; + global $tfa; + global $WebAuthn; + + if ($_data['tfa_method'] != 'u2f'){ + + switch ($_data["tfa_method"]) { + case "yubi_otp": + if (!ctype_alnum($_data['token']) || strlen($_data['token']) != 44) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $username, '*'), + 'msg' => array('yotp_verification_failed', 'token length error') + ); + return false; + } + $yubico_modhex_id = substr($_data['token'], 0, 12); + $stmt = $pdo->prepare("SELECT `id`, `secret` FROM `tfa` + WHERE `username` = :username + AND `authmech` = 'yubi_otp' + AND `active` = '1' + AND `secret` LIKE :modhex"); + $stmt->execute(array(':username' => $username, ':modhex' => '%' . $yubico_modhex_id)); + $row = $stmt->fetch(PDO::FETCH_ASSOC); + $yubico_auth = explode(':', $row['secret']); + $yubi = new Auth_Yubico($yubico_auth[0], $yubico_auth[1]); + $yauth = $yubi->verify($_data['token']); + if (PEAR::isError($yauth)) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $username, '*'), + 'msg' => array('yotp_verification_failed', $yauth->getMessage()) + ); + return false; + } + else { + $_SESSION['tfa_id'] = $row['id']; + $_SESSION['return'][] = array( + 'type' => 'success', + 'log' => array(__FUNCTION__, $username, '*'), + 'msg' => 'verified_yotp_login' + ); + return true; + } + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $username, '*'), + 'msg' => array('yotp_verification_failed', 'unknown') + ); + return false; + break; + case "hotp": + return false; + break; + case "totp": + try { + $stmt = $pdo->prepare("SELECT `id`, `secret` FROM `tfa` + WHERE `username` = :username + AND `authmech` = 'totp' + AND `id` = :id + AND `active`='1'"); + $stmt->execute(array(':username' => $username, ':id' => $_data['id'])); + $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); + foreach ($rows as $row) { + if ($tfa->verifyCode($row['secret'], $_data['token']) === true) { + $_SESSION['tfa_id'] = $row['id']; + $_SESSION['return'][] = array( + 'type' => 'success', + 'log' => array(__FUNCTION__, $username, '*'), + 'msg' => 'verified_totp_login' + ); + return true; + } + } + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $username, '*'), + 'msg' => 'totp_verification_failed' + ); + return false; + } + catch (PDOException $e) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $username, '*'), + 'msg' => array('mysql_error', $e) + ); + return false; + } + break; + case "webauthn": + $tokenData = json_decode($_data['token']); + $clientDataJSON = base64_decode($tokenData->clientDataJSON); + $authenticatorData = base64_decode($tokenData->authenticatorData); + $signature = base64_decode($tokenData->signature); + $id = base64_decode($tokenData->id); + $challenge = $_SESSION['challenge']; + + $stmt = $pdo->prepare("SELECT `id`, `key_id`, `keyHandle`, `username`, `publicKey` FROM `tfa` WHERE `id` = :id AND `active`='1'"); + $stmt->execute(array(':id' => $_data['id'])); + $process_webauthn = $stmt->fetch(PDO::FETCH_ASSOC); + + if (empty($process_webauthn)){ + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $username, '*'), + 'msg' => array('webauthn_authenticator_failed') + ); + return false; + } + + if (empty($process_webauthn['publicKey']) || $process_webauthn['publicKey'] === false) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $username, '*'), + 'msg' => array('webauthn_publickey_failed') + ); + return false; + } + + if ($process_webauthn['username'] != $_SESSION['pending_mailcow_cc_username']){ + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $username, '*'), + 'msg' => array('webauthn_username_failed') + ); + return false; + } + + try { + $WebAuthn->processGet($clientDataJSON, $authenticatorData, $signature, $process_webauthn['publicKey'], $challenge, null, $GLOBALS['WEBAUTHN_UV_FLAG_LOGIN'], $GLOBALS['WEBAUTHN_USER_PRESENT_FLAG']); + } + catch (Throwable $ex) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $username, '*'), + 'msg' => array('webauthn_verification_failed', $ex->getMessage()) + ); + return false; + } + + $stmt = $pdo->prepare("SELECT `superadmin` FROM `admin` WHERE `username` = :username"); + $stmt->execute(array(':username' => $process_webauthn['username'])); + $obj_props = $stmt->fetch(PDO::FETCH_ASSOC); + if ($obj_props['superadmin'] === 1) { + $_SESSION["mailcow_cc_role"] = "admin"; + } + elseif ($obj_props['superadmin'] === 0) { + $_SESSION["mailcow_cc_role"] = "domainadmin"; + } + else { + $stmt = $pdo->prepare("SELECT `username` FROM `mailbox` WHERE `username` = :username"); + $stmt->execute(array(':username' => $process_webauthn['username'])); + $row = $stmt->fetch(PDO::FETCH_ASSOC); + if (!empty($row['username'])) { + $_SESSION["mailcow_cc_role"] = "user"; + } else { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $username, '*'), + 'msg' => array('webauthn_role_failed') + ); + return false; + } + } + + $_SESSION["mailcow_cc_username"] = $process_webauthn['username']; + $_SESSION['tfa_id'] = $process_webauthn['id']; + $_SESSION['authReq'] = null; + unset($_SESSION["challenge"]); + $_SESSION['return'][] = array( + 'type' => 'success', + 'log' => array("webauthn_login"), + 'msg' => array('logged_in_as', $process_webauthn['username']) + ); + return true; + break; + default: + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $username, '*'), + 'msg' => 'unknown_tfa_method' + ); + return false; + break; + } + + return false; + } else { + // delete old keys that used u2f + $stmt = $pdo->prepare("SELECT * FROM `tfa` WHERE `authmech` = 'u2f' AND `username` = :username"); + $stmt->execute(array(':username' => $username)); + $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); + if (count($rows) == 0) return false; + + $stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `authmech` = 'u2f' AND `username` = :username"); + $stmt->execute(array(':username' => $username)); + return true; + } +} +function admin_api($access, $action, $data = null) { + global $pdo; + if ($_SESSION['mailcow_cc_role'] != "admin") { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__), + 'msg' => 'access_denied' + ); + return false; + } + if ($access !== "ro" && $access !== "rw") { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__), + 'msg' => 'invalid access type' + ); + return false; + } + if ($action == "edit") { + $active = (!empty($data['active'])) ? 1 : 0; + $skip_ip_check = (isset($data['skip_ip_check'])) ? 1 : 0; + $allow_from = array(); + if (isset($data['allow_from'])) { + $allow_from = array_map('trim', preg_split( "/( |,|;|\n)/", $data['allow_from'])); + } + foreach ($allow_from as $key => $val) { + if (empty($val)) { + unset($allow_from[$key]); + continue; + } + if (valid_network($val) !== true) { + $_SESSION['return'][] = array( + 'type' => 'warning', + 'log' => array(__FUNCTION__, $data), + 'msg' => array('ip_invalid', htmlspecialchars($allow_from[$key])) + ); + unset($allow_from[$key]); + continue; + } + } + $allow_from = implode(',', array_unique(array_filter($allow_from))); + if (empty($allow_from) && $skip_ip_check == 0) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $data), + 'msg' => 'ip_list_empty' + ); + return false; + } + $api_key = implode('-', array( + strtoupper(bin2hex(random_bytes(3))), + strtoupper(bin2hex(random_bytes(3))), + strtoupper(bin2hex(random_bytes(3))), + strtoupper(bin2hex(random_bytes(3))), + strtoupper(bin2hex(random_bytes(3))) + )); + $stmt = $pdo->query("SELECT `api_key` FROM `api` WHERE `access` = '" . $access . "'"); + $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC)); + if (empty($num_results)) { + $stmt = $pdo->prepare("INSERT INTO `api` (`api_key`, `skip_ip_check`, `active`, `allow_from`, `access`) + VALUES (:api_key, :skip_ip_check, :active, :allow_from, :access);"); + $stmt->execute(array( + ':api_key' => $api_key, + ':skip_ip_check' => $skip_ip_check, + ':active' => $active, + ':allow_from' => $allow_from, + ':access' => $access + )); + } + else { + if ($skip_ip_check == 0) { + $stmt = $pdo->prepare("UPDATE `api` SET `skip_ip_check` = :skip_ip_check, + `active` = :active, + `allow_from` = :allow_from + WHERE `access` = :access;"); + $stmt->execute(array( + ':active' => $active, + ':skip_ip_check' => $skip_ip_check, + ':allow_from' => $allow_from, + ':access' => $access + )); + } + else { + $stmt = $pdo->prepare("UPDATE `api` SET `skip_ip_check` = :skip_ip_check, + `active` = :active + WHERE `access` = :access;"); + $stmt->execute(array( + ':active' => $active, + ':skip_ip_check' => $skip_ip_check, + ':access' => $access + )); + } + } + } + elseif ($action == "regen_key") { + $api_key = implode('-', array( + strtoupper(bin2hex(random_bytes(3))), + strtoupper(bin2hex(random_bytes(3))), + strtoupper(bin2hex(random_bytes(3))), + strtoupper(bin2hex(random_bytes(3))), + strtoupper(bin2hex(random_bytes(3))) + )); + $stmt = $pdo->prepare("UPDATE `api` SET `api_key` = :api_key WHERE `access` = :access"); + $stmt->execute(array( + ':api_key' => $api_key, + ':access' => $access + )); + } + elseif ($action == "get") { + $stmt = $pdo->query("SELECT * FROM `api` WHERE `access` = '" . $access . "'"); + $apidata = $stmt->fetch(PDO::FETCH_ASSOC); + if ($apidata !== false) { + $apidata['allow_from'] = str_replace(',', PHP_EOL, $apidata['allow_from']); + } + return $apidata; + } + $_SESSION['return'][] = array( + 'type' => 'success', + 'log' => array(__FUNCTION__, $data), + 'msg' => 'admin_api_modified' + ); +} +function license($action, $data = null) { + global $pdo; + global $redis; + global $lang; + if ($_SESSION['mailcow_cc_role'] != "admin") { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__), + 'msg' => 'access_denied' + ); + return false; + } + switch ($action) { + case "verify": + // Keep result until revalidate button is pressed or session expired + $stmt = $pdo->query("SELECT `version` FROM `versions` WHERE `application` = 'GUID'"); + $versions = $stmt->fetch(PDO::FETCH_ASSOC); + $post = array('guid' => $versions['version']); + $curl = curl_init('https://verify.mailcow.email'); + curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); + curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 10); + curl_setopt($curl, CURLOPT_POSTFIELDS, $post); + $response = curl_exec($curl); + curl_close($curl); + $json_return = json_decode($response, true); + if ($response && $json_return) { + if ($json_return['response'] === "ok") { + $_SESSION['gal']['valid'] = "true"; + $_SESSION['gal']['c'] = $json_return['c']; + $_SESSION['gal']['s'] = $json_return['s']; + if ($json_return['m'] == 'NoMoore') { + $_SESSION['gal']['m'] = '🐄'; + } + else { + $_SESSION['gal']['m'] = str_repeat('🐄', substr_count($json_return['m'], 'o')); + } + } + elseif ($json_return['response'] === "invalid") { + $_SESSION['gal']['valid'] = "false"; + $_SESSION['gal']['c'] = $lang['mailbox']['no']; + $_SESSION['gal']['s'] = $lang['mailbox']['no']; + $_SESSION['gal']['m'] = $lang['mailbox']['no']; + } + } + else { + $_SESSION['gal']['valid'] = "false"; + $_SESSION['gal']['c'] = $lang['danger']['temp_error']; + $_SESSION['gal']['s'] = $lang['danger']['temp_error']; + $_SESSION['gal']['m'] = $lang['danger']['temp_error']; + } + try { + // json_encode needs "true"/"false" instead of true/false, to not encode it to 0 or 1 + $redis->Set('LICENSE_STATUS_CACHE', json_encode($_SESSION['gal'])); + } + catch (RedisException $e) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_action, $_data_log), + 'msg' => array('redis_error', $e) + ); + return false; + } + return $_SESSION['gal']['valid']; + break; + case "guid": + $stmt = $pdo->query("SELECT `version` FROM `versions` WHERE `application` = 'GUID'"); + $versions = $stmt->fetch(PDO::FETCH_ASSOC); + return $versions['version']; + break; + } +} +function rspamd_ui($action, $data = null) { + if ($_SESSION['mailcow_cc_role'] != "admin") { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__), + 'msg' => 'access_denied' + ); + return false; + } + switch ($action) { + case "edit": + $rspamd_ui_pass = $data['rspamd_ui_pass']; + $rspamd_ui_pass2 = $data['rspamd_ui_pass2']; + if (empty($rspamd_ui_pass) || empty($rspamd_ui_pass2)) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, '*', '*'), + 'msg' => 'password_empty' + ); + return false; + } + if ($rspamd_ui_pass != $rspamd_ui_pass2) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, '*', '*'), + 'msg' => 'password_mismatch' + ); + return false; + } + if (strlen($rspamd_ui_pass) < 6) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, '*', '*'), + 'msg' => 'rspamd_ui_pw_length' + ); + return false; + } + $docker_return = docker('post', 'rspamd-mailcow', 'exec', array('cmd' => 'rspamd', 'task' => 'worker_password', 'raw' => $rspamd_ui_pass), array('Content-Type: application/json')); + if ($docker_return_array = json_decode($docker_return, true)) { + if ($docker_return_array['type'] == 'success') { + $_SESSION['return'][] = array( + 'type' => 'success', + 'log' => array(__FUNCTION__, '*', '*'), + 'msg' => 'rspamd_ui_pw_set' + ); + return true; + } + else { + $_SESSION['return'][] = array( + 'type' => $docker_return_array['type'], + 'log' => array(__FUNCTION__, '*', '*'), + 'msg' => $docker_return_array['msg'] + ); + return false; + } + } + else { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, '*', '*'), + 'msg' => 'unknown' + ); + return false; + } + break; + } +} +function cors($action, $data = null) { + global $redis; + + switch ($action) { + case "edit": + if ($_SESSION['mailcow_cc_role'] != "admin") { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $action, $data), + 'msg' => 'access_denied' + ); + return false; + } + + $allowed_origins = isset($data['allowed_origins']) ? $data['allowed_origins'] : array($_SERVER['SERVER_NAME']); + $allowed_origins = !is_array($allowed_origins) ? array_filter(array_map('trim', explode("\n", $allowed_origins))) : $allowed_origins; + foreach ($allowed_origins as $origin) { + if (!filter_var($origin, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) && $origin != '*') { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $action, $data), + 'msg' => 'cors_invalid_origin' + ); + return false; + } + } + + $allowed_methods = isset($data['allowed_methods']) ? $data['allowed_methods'] : array('GET', 'POST', 'PUT', 'DELETE'); + $allowed_methods = !is_array($allowed_methods) ? array_map('trim', preg_split( "/( |,|;|\n)/", $allowed_methods)) : $allowed_methods; + $available_methods = array('GET', 'POST', 'PUT', 'DELETE'); + foreach ($allowed_methods as $method) { + if (!in_array($method, $available_methods)) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $action, $data), + 'msg' => 'cors_invalid_method' + ); + return false; + } + } + + try { + $redis->hMSet('CORS_SETTINGS', array( + 'allowed_origins' => implode(', ', $allowed_origins), + 'allowed_methods' => implode(', ', $allowed_methods) + )); + } catch (RedisException $e) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $action, $data), + 'msg' => array('redis_error', $e) + ); + return false; + } + + $_SESSION['return'][] = array( + 'type' => 'success', + 'log' => array(__FUNCTION__, $action, $data), + 'msg' => 'cors_headers_edited' + ); + return true; + break; + case "get": + try { + $cors_settings = $redis->hMGet('CORS_SETTINGS', array('allowed_origins', 'allowed_methods')); + } catch (RedisException $e) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $action, $data), + 'msg' => array('redis_error', $e) + ); + } + + $cors_settings = !$cors_settings ? array('allowed_origins' => $_SERVER['SERVER_NAME'], 'allowed_methods' => 'GET, POST, PUT, DELETE') : $cors_settings; + $cors_settings['allowed_origins'] = empty($cors_settings['allowed_origins']) ? $_SERVER['SERVER_NAME'] : $cors_settings['allowed_origins']; + $cors_settings['allowed_methods'] = empty($cors_settings['allowed_methods']) ? 'GET, POST, PUT, DELETE, OPTION' : $cors_settings['allowed_methods']; + + return $cors_settings; + break; + case "set_headers": + $cors_settings = cors('get'); + // check if requested origin is in allowed origins + $allowed_origins = explode(', ', $cors_settings['allowed_origins']); + $cors_settings['allowed_origins'] = $allowed_origins[0]; + if (in_array('*', $allowed_origins)){ + $cors_settings['allowed_origins'] = '*'; + } else if (array_key_exists('HTTP_ORIGIN', $_SERVER) && in_array($_SERVER['HTTP_ORIGIN'], $allowed_origins)) { + $cors_settings['allowed_origins'] = $_SERVER['HTTP_ORIGIN']; + } + // always allow OPTIONS for preflight request + $cors_settings["allowed_methods"] = empty($cors_settings["allowed_methods"]) ? 'OPTIONS' : $cors_settings["allowed_methods"] . ', ' . 'OPTIONS'; + + header('Access-Control-Allow-Origin: ' . $cors_settings['allowed_origins']); + header('Access-Control-Allow-Methods: '. $cors_settings['allowed_methods']); + header('Access-Control-Allow-Headers: Accept, Content-Type, X-Api-Key, Origin'); + + // Access-Control settings requested, this is just a preflight request + if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS' && + isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']) && + isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'])) { + + $allowed_methods = explode(', ', $cors_settings["allowed_methods"]); + if (in_array($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD'], $allowed_methods, true)) + // method allowed send 200 OK + http_response_code(200); + else + // method not allowed send 405 METHOD NOT ALLOWED + http_response_code(405); + + exit; + } + break; + } +} +function getBaseURL($protocol = null) { + // Get current server name + $host = strtolower($_SERVER['SERVER_NAME']); + + // craft allowed server name list + $mailcow_hostname = strtolower(getenv("MAILCOW_HOSTNAME")); + $additional_server_names = strtolower(getenv("ADDITIONAL_SERVER_NAMES")) ?: ""; + $additional_server_names = preg_replace('/\s+/', '', $additional_server_names); + $allowed_server_names = $additional_server_names !== "" ? explode(',', $additional_server_names) : array(); + array_push($allowed_server_names, $mailcow_hostname); + + // Fallback to MAILCOW HOSTNAME if current server name is not in allowed list + if (!in_array($host, $allowed_server_names)) { + $host = $mailcow_hostname; + } + + if (!isset($protocol)) { + $protocol = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? 'https' : 'http'; + } + $base_url = $protocol . '://' . $host; + + return $base_url; +} +function uuid4() { + $data = openssl_random_pseudo_bytes(16); + + $data[6] = chr(ord($data[6]) & 0x0f | 0x40); + $data[8] = chr(ord($data[8]) & 0x3f | 0x80); + + return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($data), 4)); +} +function identity_provider($_action = null, $_data = null, $_extra = null) { + global $pdo; + global $iam_provider; + global $iam_settings; + + $data_log = $_data; + if (isset($data_log['client_secret'])) $data_log['client_secret'] = '*'; + if (isset($data_log['access_token'])) $data_log['access_token'] = '*'; + + switch ($_action) { + case 'get': + $settings = array(); + $stmt = $pdo->prepare("SELECT * FROM `identity_provider`;"); + $stmt->execute(); + $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); + foreach($rows as $row){ + switch ($row["key"]) { + case "redirect_url_extra": + case "mappers": + case "templates": + $settings[$row["key"]] = json_decode($row["value"]); + break; + case "use_ssl": + case "use_tls": + case "login_provisioning": + case "ignore_ssl_errors": + $settings[$row["key"]] = boolval($row["value"]); + break; + default: + $settings[$row["key"]] = $row["value"]; + break; + } + } + // set login_provisioning if not exists + if (!array_key_exists('login_provisioning', $settings)) { + $settings['login_provisioning'] = 1; + } + // return default client_scopes for generic-oidc if none is set + if ($settings["authsource"] == "generic-oidc" && empty($settings["client_scopes"])){ + $settings["client_scopes"] = "openid profile email mailcow_template"; + } + if ($_extra['hide_sensitive']){ + $settings['client_secret'] = ''; + $settings['access_token'] = ''; + } + // return default ldap options + if ($settings["authsource"] == "ldap"){ + $settings['use_ssl'] = !isset($settings['use_ssl']) ? false : $settings['use_ssl']; + $settings['use_tls'] = !isset($settings['use_tls']) ? false : $settings['use_tls']; + $settings['ignore_ssl_errors'] = !isset($settings['ignore_ssl_errors']) ? false : $settings['ignore_ssl_errors']; + } + return $settings; + break; + case 'edit': + if ($_SESSION['mailcow_cc_role'] != "admin") { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_action, $_data), + 'msg' => 'access_denied' + ); + return false; + } + if (!isset($_data['authsource'])){ + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_action, $data_log), + 'msg' => array('required_data_missing', '') + ); + return false; + } + + $available_authsources = array( + "keycloak", + "generic-oidc", + "ldap" + ); + $_data['authsource'] = strtolower($_data['authsource']); + if (!in_array($_data['authsource'], $available_authsources)){ + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_action, $data_log), + 'msg' => array('invalid_authsource', $setting) + ); + return false; + } + + $stmt = $pdo->prepare("SELECT * FROM `mailbox` + WHERE `authsource` != 'mailcow' + AND `authsource` IS NOT NULL + AND `authsource` != :authsource"); + $stmt->execute(array(':authsource' => $_data['authsource'])); + $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); + if ($rows) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_action, $data_log), + 'msg' => array('authsource_in_use', $setting) + ); + return false; + } + + $_data['ignore_ssl_error'] = isset($_data['ignore_ssl_error']) ? boolval($_data['ignore_ssl_error']) : false; + $_data['login_provisioning'] = isset($_data['login_provisioning']) ? boolval($_data['login_provisioning']) : false; + switch ($_data['authsource']) { + case "keycloak": + $_data['server_url'] = (!empty($_data['server_url'])) ? rtrim($_data['server_url'], '/') : null; + $_data['mailpassword_flow'] = isset($_data['mailpassword_flow']) ? intval($_data['mailpassword_flow']) : 0; + $_data['periodic_sync'] = isset($_data['periodic_sync']) ? intval($_data['periodic_sync']) : 0; + $_data['import_users'] = isset($_data['import_users']) ? intval($_data['import_users']) : 0; + $_data['sync_interval'] = (!empty($_data['sync_interval'])) ? intval($_data['sync_interval']) : 15; + $_data['sync_interval'] = $_data['sync_interval'] < 1 ? 1 : $_data['sync_interval']; + $required_settings = array('authsource', 'server_url', 'realm', 'client_id', 'client_secret', 'redirect_url', 'version', 'mailpassword_flow', 'periodic_sync', 'import_users', 'sync_interval', 'ignore_ssl_error', 'login_provisioning'); + break; + case "generic-oidc": + $_data['authorize_url'] = (!empty($_data['authorize_url'])) ? $_data['authorize_url'] : null; + $_data['token_url'] = (!empty($_data['token_url'])) ? $_data['token_url'] : null; + $_data['userinfo_url'] = (!empty($_data['userinfo_url'])) ? $_data['userinfo_url'] : null; + $_data['client_scopes'] = (!empty($_data['client_scopes'])) ? $_data['client_scopes'] : "openid profile email mailcow_template"; + $required_settings = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url', 'client_scopes', 'ignore_ssl_error', 'login_provisioning'); + break; + case "ldap": + $_data['host'] = (!empty($_data['host'])) ? str_replace(" ", "", $_data['host']) : ""; + $_data['port'] = (!empty($_data['port'])) ? intval($_data['port']) : 389; + $_data['username_field'] = (!empty($_data['username_field'])) ? strtolower($_data['username_field']) : "mail"; + $_data['attribute_field'] = (!empty($_data['attribute_field'])) ? strtolower($_data['attribute_field']) : ""; + $_data['filter'] = (!empty($_data['filter'])) ? $_data['filter'] : ""; + $_data['periodic_sync'] = isset($_data['periodic_sync']) ? intval($_data['periodic_sync']) : 0; + $_data['import_users'] = isset($_data['import_users']) ? intval($_data['import_users']) : 0; + $_data['use_ssl'] = isset($_data['use_ssl']) ? boolval($_data['use_ssl']) : false; + $_data['use_tls'] = isset($_data['use_tls']) && !$_data['use_ssl'] ? boolval($_data['use_tls']) : false; + $_data['sync_interval'] = (!empty($_data['sync_interval'])) ? intval($_data['sync_interval']) : 15; + $_data['sync_interval'] = $_data['sync_interval'] < 1 ? 1 : $_data['sync_interval']; + $required_settings = array('authsource', 'host', 'port', 'basedn', 'username_field', 'filter', 'attribute_field', 'binddn', 'bindpass', 'periodic_sync', 'import_users', 'sync_interval', 'use_ssl', 'use_tls', 'ignore_ssl_error', 'login_provisioning'); + break; + } + + $pdo->beginTransaction(); + $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES (:key, :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);"); + // add connection settings + foreach($required_settings as $setting){ + if (!isset($_data[$setting])){ + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_action, $data_log), + 'msg' => array('required_data_missing', $setting) + ); + $pdo->rollback(); + return false; + } + + $stmt->bindParam(':key', $setting); + $stmt->bindParam(':value', $_data[$setting]); + $stmt->execute(); + } + $pdo->commit(); + + // add redirect_url_extra + if (isset($_data['redirect_url_extra'])){ + $_data['redirect_url_extra'] = (!is_array($_data['redirect_url_extra'])) ? array($_data['redirect_url_extra']) : $_data['redirect_url_extra']; + + $redirect_url_extra = array_filter($_data['redirect_url_extra']); + $redirect_url_extra = json_encode($redirect_url_extra); + + $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES ('redirect_url_extra', :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);"); + $stmt->bindParam(':value', $redirect_url_extra); + $stmt->execute(); + } + + // add default template + if (isset($_data['default_template'])) { + $_data['default_template'] = (empty($_data['default_template'])) ? "" : $_data['default_template']; + $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES ('default_template', :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);"); + $stmt->bindParam(':value', $_data['default_template']); + $stmt->execute(); + } + + // add mappers + if (isset($_data['mappers']) && isset($_data['templates'])){ + $_data['mappers'] = (!is_array($_data['mappers'])) ? array($_data['mappers']) : $_data['mappers']; + $_data['templates'] = (!is_array($_data['templates'])) ? array($_data['templates']) : $_data['templates']; + + $mappers = array_filter($_data['mappers']); + $templates = array_filter($_data['templates']); + if (count($mappers) == count($templates)){ + $mappers = json_encode($mappers); + $templates = json_encode($templates); + + $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES ('mappers', :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);"); + $stmt->bindParam(':value', $mappers); + $stmt->execute(); + $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES ('templates', :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);"); + $stmt->bindParam(':value', $templates); + $stmt->execute(); + } + } + + // delete old access_token + $stmt = $pdo->query("INSERT INTO identity_provider (`key`, `value`) VALUES ('access_token', '') ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);"); + + $_SESSION['return'][] = array( + 'type' => 'success', + 'log' => array(__FUNCTION__, $_action, $data_log), + 'msg' => array('object_modified', '') + ); + return true; + break; + case 'test': + if ($_SESSION['mailcow_cc_role'] != "admin") { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_action, $_data), + 'msg' => 'access_denied' + ); + return false; + } + + switch ($_data['authsource']) { + case 'keycloak': + $url = "{$_data['server_url']}/realms/{$_data['realm']}/protocol/openid-connect/token"; + $req = http_build_query(array( + 'grant_type' => 'client_credentials', + 'client_id' => $_data['client_id'], + 'client_secret' => $_data['client_secret'] + )); + $curl = curl_init(); + curl_setopt($curl, CURLOPT_URL, $url); + curl_setopt($curl, CURLOPT_TIMEOUT, 7); + curl_setopt($curl, CURLOPT_POST, 1); + curl_setopt($curl, CURLOPT_POSTFIELDS, $req); + curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded')); + curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); + if ($_data['ignore_ssl_error'] == "1"){ + curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false); + curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false); + } + $res = curl_exec($curl); + $code = curl_getinfo($curl, CURLINFO_HTTP_CODE); + curl_close ($curl); + + if ($code != 200) { + return false; + } + break; + case 'generic-oidc': + $url = $_data['token_url']; + $curl = curl_init(); + curl_setopt($curl, CURLOPT_URL, $url); + curl_setopt($curl, CURLOPT_TIMEOUT, 7); + curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); + curl_setopt($curl, CURLOPT_CUSTOMREQUEST, "OPTIONS"); + if ($_data['ignore_ssl_error'] == "1"){ + curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false); + curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false); + } + $res = curl_exec($curl); + $code = curl_getinfo($curl, CURLINFO_HTTP_CODE); + curl_close ($curl); + + if ($code != 200) { + return false; + } + break; + case 'ldap': + if (!$_data['host'] || !$_data['port'] || !$_data['basedn'] || + !$_data['binddn'] || !$_data['bindpass']){ + return false; + } + $_data['use_ssl'] = isset($_data['use_ssl']) ? boolval($_data['use_ssl']) : false; + $_data['use_tls'] = isset($_data['use_tls']) && !$_data['use_ssl'] ? boolval($_data['use_tls']) : false; + $_data['ignore_ssl_error'] = isset($_data['ignore_ssl_error']) ? boolval($_data['ignore_ssl_error']) : false; + $options = array(); + if ($_data['ignore_ssl_error']) { + $options[LDAP_OPT_X_TLS_REQUIRE_CERT] = LDAP_OPT_X_TLS_NEVER; + } + $provider = new \LdapRecord\Connection([ + 'hosts' => explode(",", $_data['host']), + 'port' => $_data['port'], + 'base_dn' => $_data['basedn'], + 'username' => $_data['binddn'], + 'password' => $_data['bindpass'], + 'use_ssl' => $_data['use_ssl'], + 'use_tls' => $_data['use_tls'], + 'options' => $options + ]); + try { + $provider->connect(); + } catch (Throwable $e) { + return false; + } + break; + } + + return true; + break; + case "delete": + if ($_SESSION['mailcow_cc_role'] != "admin") { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_action, $_data), + 'msg' => 'access_denied' + ); + return false; + } + + $stmt = $pdo->query("SELECT * FROM `mailbox` + WHERE `authsource` != 'mailcow' + AND `authsource` IS NOT NULL"); + $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); + if ($rows) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_action, $data_log), + 'msg' => array('authsource_in_use', $setting) + ); + return false; + } + + $stmt = $pdo->query("DELETE FROM identity_provider;"); + + $_SESSION['return'][] = array( + 'type' => 'success', + 'log' => array(__FUNCTION__, $_action, $data_log), + 'msg' => array('item_deleted', '') + ); + return true; + break; + case "init": + $settings = identity_provider('get'); + $provider = null; + + switch ($settings['authsource']) { + case "keycloak": + if ($settings['server_url'] && $settings['realm'] && $settings['client_id'] && + $settings['client_secret'] && $settings['redirect_url'] && $settings['version']){ + $guzzyClient = new GuzzleHttp\Client([ + 'defaults' => [ + \GuzzleHttp\RequestOptions::CONNECT_TIMEOUT => 5, + \GuzzleHttp\RequestOptions::ALLOW_REDIRECTS => true], + \GuzzleHttp\RequestOptions::VERIFY => !$settings['ignore_ssl_error'], + ] + ); + $provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([ + 'authServerUrl' => $settings['server_url'], + 'realm' => $settings['realm'], + 'clientId' => $settings['client_id'], + 'clientSecret' => $settings['client_secret'], + 'redirectUri' => $settings['redirect_url'], + 'version' => $settings['version'], + // 'encryptionAlgorithm' => 'RS256', // optional + // 'encryptionKeyPath' => '../key.pem' // optional + // 'encryptionKey' => 'contents_of_key_or_certificate' // optional + ]); + $provider->setHttpClient($guzzyClient); + } + break; + case "generic-oidc": + if ($settings['client_id'] && $settings['client_secret'] && $settings['redirect_url'] && + $settings['authorize_url'] && $settings['token_url'] && $settings['userinfo_url']){ + $guzzyClient = new GuzzleHttp\Client([ + 'defaults' => [ + \GuzzleHttp\RequestOptions::CONNECT_TIMEOUT => 5, + \GuzzleHttp\RequestOptions::ALLOW_REDIRECTS => true], + \GuzzleHttp\RequestOptions::VERIFY => !$settings['ignore_ssl_error'], + ] + ); + $provider = new \League\OAuth2\Client\Provider\GenericProvider([ + 'clientId' => $settings['client_id'], + 'clientSecret' => $settings['client_secret'], + 'redirectUri' => $settings['redirect_url'], + 'urlAuthorize' => $settings['authorize_url'], + 'urlAccessToken' => $settings['token_url'], + 'urlResourceOwnerDetails' => $settings['userinfo_url'], + 'scopes' => $settings['client_scopes'] + ]); + $provider->setHttpClient($guzzyClient); + } + break; + case "ldap": + if ($settings['host'] && $settings['port'] && $settings['basedn'] && + $settings['binddn'] && $settings['bindpass']){ + $options = array(); + if ($settings['ignore_ssl_error']) { + $options[LDAP_OPT_X_TLS_REQUIRE_CERT] = LDAP_OPT_X_TLS_NEVER; + } + $provider = new \LdapRecord\Connection([ + 'hosts' => explode(",", $settings['host']), + 'port' => $settings['port'], + 'base_dn' => $settings['basedn'], + 'username' => $settings['binddn'], + 'password' => $settings['bindpass'], + 'use_ssl' => $settings['use_ssl'], + 'use_tls' => $settings['use_tls'], + 'options' => $options + ]); + try { + $provider->connect(); + } catch (Throwable $e) { + $provider = null; + } + } + break; + } + return $provider; + break; + case "verify-sso": + if ($iam_settings['authsource'] != 'keycloak' && $iam_settings['authsource'] != 'generic-oidc'){ + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, "no OIDC provider configured"), + 'msg' => 'login_failed' + ); + return false; + } + + try { + $token = $iam_provider->getAccessToken('authorization_code', ['code' => $_GET['code']]); + $plain_token = $token->getToken(); + $plain_refreshtoken = $token->getRefreshToken(); + $info = $iam_provider->getResourceOwner($token)->toArray(); + } catch (Throwable $e) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $e->getMessage()), + 'msg' => 'login_failed' + ); + return false; + } + // check if email address is given + if (empty($info['email'])) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, 'No email address found for user'), + 'msg' => 'login_failed' + ); + return false; + } + + // get mapped template + $user_template = $info['mailcow_template']; + $mapper_key = array_search($user_template, $iam_settings['mappers']); + + // token valid, get mailbox + $stmt = $pdo->prepare("SELECT + mailbox.*, + domain.active AS d_active + FROM `mailbox` + INNER JOIN domain on mailbox.domain = domain.domain + WHERE `kind` NOT REGEXP 'location|thing|group' + AND `username` = :user"); + $stmt->execute(array(':user' => $info['email'])); + $row = $stmt->fetch(PDO::FETCH_ASSOC); + if ($row){ + if (!in_array($row['authsource'], array("keycloak", "generic-oidc"))) { + clear_session(); + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $info['email'], "The user's authentication source is not of type OIDC"), + 'msg' => 'login_failed' + ); + return false; + } + if ($mapper_key !== false) { + // update user + $_SESSION['access_all_exception'] = '1'; + mailbox('edit', 'mailbox_from_template', array( + 'username' => $info['email'], + 'name' => $info['name'], + 'template' => $iam_settings['templates'][$mapper_key] + )); + $_SESSION['access_all_exception'] = '0'; + + // get updated row + $stmt = $pdo->prepare("SELECT + mailbox.*, + domain.active AS d_active + FROM `mailbox` + INNER JOIN domain on mailbox.domain = domain.domain + WHERE `kind` NOT REGEXP 'location|thing|group' + AND `username` = :user"); + $stmt->execute(array(':user' => $info['email'])); + $row = $stmt->fetch(PDO::FETCH_ASSOC); + } + if ($row['active'] != 1 || $row['d_active'] != 1) { + clear_session(); + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $info['email'], 'Domain or mailbox is inactive'), + 'msg' => 'login_failed' + ); + return false; + } + set_user_loggedin_session($info['email']); + $_SESSION['iam_token'] = $plain_token; + $_SESSION['iam_refresh_token'] = $plain_refreshtoken; + $_SESSION['return'][] = array( + 'type' => 'success', + 'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']), + 'msg' => array('logged_in_as', $_SESSION['mailcow_cc_username']) + ); + return true; + } + + // user doesn't exist, check if login provisioning is enabled + if (!$iam_settings['login_provisioning']){ + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, "Auto-create users on login is deactivated"), + 'msg' => 'login_failed' + ); + return false; + } + + if (empty($iam_settings['mappers']) || empty($user_template) || $mapper_key === false){ + if (!empty($iam_settings['default_template'])) { + $mbox_template = $iam_settings['default_template']; + } else { + clear_session(); + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $info['email'], 'No matching attribute mapping was found'), + 'msg' => 'login_failed' + ); + return false; + } + } else { + $mbox_template = $iam_settings['templates'][$mapper_key]; + } + + // create mailbox + $_SESSION['access_all_exception'] = '1'; + $create_res = mailbox('add', 'mailbox_from_template', array( + 'domain' => explode('@', $info['email'])[1], + 'local_part' => explode('@', $info['email'])[0], + 'name' => $info['name'], + 'authsource' => $iam_settings['authsource'], + 'template' => $mbox_template + )); + $_SESSION['access_all_exception'] = '0'; + if (!$create_res){ + clear_session(); + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $info['email'], 'Could not create mailbox on login'), + 'msg' => 'login_failed' + ); + return false; + } + + // double check if mailbox and domain is active + $stmt = $pdo->prepare("SELECT * FROM `mailbox` + INNER JOIN domain on mailbox.domain = domain.domain + WHERE `kind` NOT REGEXP 'location|thing|group' + AND `mailbox`.`active`='1' + AND `domain`.`active`='1' + AND `username` = :user"); + $stmt->execute(array(':user' => $info['email'])); + $row = $stmt->fetch(PDO::FETCH_ASSOC); + if (empty($row)) { + clear_session(); + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $info['email'], 'Domain or mailbox is inactive'), + 'msg' => 'login_failed' + ); + return false; + } + + set_user_loggedin_session($info['email']); + $_SESSION['iam_token'] = $plain_token; + $_SESSION['iam_refresh_token'] = $plain_refreshtoken; + $_SESSION['return'][] = array( + 'type' => 'success', + 'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']), + 'msg' => array('logged_in_as', $_SESSION['mailcow_cc_username']) + ); + return true; + break; + case "refresh-token": + try { + $token = $iam_provider->getAccessToken('refresh_token', ['refresh_token' => $_SESSION['iam_refresh_token']]); + $plain_token = $token->getToken(); + $plain_refreshtoken = $token->getRefreshToken(); + $info = $iam_provider->getResourceOwner($token)->toArray(); + } catch (Throwable $e) { + clear_session(); + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__), + 'msg' => array('refresh_login_failed', $e->getMessage()) + ); + return false; + } + + if (empty($info['email'])){ + clear_session(); + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']), + 'msg' => 'refresh_login_failed' + ); + return false; + } + + set_user_loggedin_session($info['email']); + $_SESSION['iam_token'] = $plain_token; + $_SESSION['iam_refresh_token'] = $plain_refreshtoken; + return true; + break; + case "get-redirect": + if ($iam_settings['authsource'] != 'keycloak' && $iam_settings['authsource'] != 'generic-oidc') + return false; + $options = []; + if (isset($iam_settings['redirect_url_extra'])) { + // check if the current domain is used in an extra redirect URL + $targetDomain = strtolower($_SERVER['HTTP_HOST']); + foreach ($iam_settings['redirect_url_extra'] as $testUrl) { + $testUrlParsed = parse_url($testUrl); + if (isset($testUrlParsed['host']) && strtolower($testUrlParsed['host']) == $targetDomain) { + $options['redirect_uri'] = $testUrl; + break; + } + } + } + $authUrl = $iam_provider->getAuthorizationUrl($options); + $_SESSION['oauth2state'] = $iam_provider->getState(); + return $authUrl; + break; + case "get-keycloak-admin-token": + // get access_token for service account of mailcow client + if ($iam_settings['authsource'] !== 'keycloak') return false; + if (isset($iam_settings['access_token'])) { + // check if access_token is valid + $url = "{$iam_settings['server_url']}/realms/{$iam_settings['realm']}/protocol/openid-connect/token/introspect"; + $req = http_build_query(array( + 'token' => $iam_settings['access_token'], + 'client_id' => $iam_settings['client_id'], + 'client_secret' => $iam_settings['client_secret'] + )); + $curl = curl_init(); + curl_setopt($curl, CURLOPT_URL, $url); + curl_setopt($curl, CURLOPT_TIMEOUT, 7); + curl_setopt($curl, CURLOPT_POST, 1); + curl_setopt($curl, CURLOPT_POSTFIELDS, $req); + curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded')); + curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); + curl_setopt($curl, CURLOPT_TIMEOUT, 5); + $res = json_decode(curl_exec($curl), true); + $code = curl_getinfo($curl, CURLINFO_HTTP_CODE); + curl_close ($curl); + if ($code == 200 && $res['active'] == true) { + // token is valid + return $iam_settings['access_token']; + } + } + + $url = "{$iam_settings['server_url']}/realms/{$iam_settings['realm']}/protocol/openid-connect/token"; + $req = http_build_query(array( + 'grant_type' => 'client_credentials', + 'client_id' => $iam_settings['client_id'], + 'client_secret' => $iam_settings['client_secret'] + )); + $curl = curl_init(); + curl_setopt($curl, CURLOPT_URL, $url); + curl_setopt($curl, CURLOPT_TIMEOUT, 7); + curl_setopt($curl, CURLOPT_POST, 1); + curl_setopt($curl, CURLOPT_POSTFIELDS, $req); + curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded')); + curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); + curl_setopt($curl, CURLOPT_TIMEOUT, 5); + $res = json_decode(curl_exec($curl), true); + $code = curl_getinfo($curl, CURLINFO_HTTP_CODE); + curl_close ($curl); + if ($code != 200) { + return false; + } + + $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES (:key, :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);"); + $stmt->execute(array( + ':key' => 'access_token', + ':value' => $res['access_token'] + )); + return $res['access_token']; + break; + } +} +function reset_password($action, $data = null) { + global $pdo; + global $redis; + global $mailcow_hostname; + global $PW_RESET_TOKEN_LIMIT; + global $PW_RESET_TOKEN_LIFETIME; + + $_data_log = $data; + if (isset($_data_log['new_password'])) $_data_log['new_password'] = '*'; + if (isset($_data_log['new_password2'])) $_data_log['new_password2'] = '*'; + + switch ($action) { + case 'check': + $token = $data; + + $stmt = $pdo->prepare("SELECT `t1`.`username` FROM `reset_password` AS `t1` JOIN `mailbox` AS `t2` ON `t1`.`username` = `t2`.`username` WHERE `t1`.`token` = :token AND `t1`.`created` > DATE_SUB(NOW(), INTERVAL :lifetime MINUTE) AND `t2`.`active` = 1 AND `t2`.`authsource` = 'mailcow';"); + $stmt->execute(array( + ':token' => preg_replace('/[^a-zA-Z0-9-]/', '', $token), + ':lifetime' => $PW_RESET_TOKEN_LIFETIME + )); + $return = $stmt->fetch(PDO::FETCH_ASSOC); + return empty($return['username']) ? false : $return['username']; + break; + case 'issue': + $username = $data; + + // perform cleanup + $stmt = $pdo->prepare("DELETE FROM `reset_password` WHERE created < DATE_SUB(NOW(), INTERVAL :lifetime MINUTE);"); + $stmt->execute(array(':lifetime' => $PW_RESET_TOKEN_LIFETIME)); + + if (filter_var($username, FILTER_VALIDATE_EMAIL) === false) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $action, $_data_log), + 'msg' => 'access_denied' + ); + return false; + } + + $pw_reset_notification = reset_password('get_notification', 'raw'); + if (!$pw_reset_notification) return false; + if (empty($pw_reset_notification['from']) || empty($pw_reset_notification['subject'])) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $action, $_data_log), + 'msg' => 'password_reset_na' + ); + return false; + } + + $stmt = $pdo->prepare("SELECT * FROM `mailbox` + WHERE `username` = :username AND authsource = 'mailcow'"); + $stmt->execute(array(':username' => $username)); + $mailbox_data = $stmt->fetch(PDO::FETCH_ASSOC); + + if (empty($mailbox_data)) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $action, $_data_log), + 'msg' => 'password_reset_invalid_user' + ); + return false; + } + + $mailbox_attr = json_decode($mailbox_data['attributes'], true); + if (empty($mailbox_attr['recovery_email']) || filter_var($mailbox_attr['recovery_email'], FILTER_VALIDATE_EMAIL) === false) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $action, $_data_log), + 'msg' => "password_reset_invalid_user" + ); + return false; + } + + $stmt = $pdo->prepare("SELECT * FROM `reset_password` + WHERE `username` = :username"); + $stmt->execute(array(':username' => $username)); + $generated_token_count = count($stmt->fetchAll(PDO::FETCH_ASSOC)); + if ($generated_token_count >= $PW_RESET_TOKEN_LIMIT) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $action, $_data_log), + 'msg' => "reset_token_limit_exceeded" + ); + return false; + } + + $token = implode('-', array( + strtoupper(bin2hex(random_bytes(3))), + strtoupper(bin2hex(random_bytes(3))), + strtoupper(bin2hex(random_bytes(3))), + strtoupper(bin2hex(random_bytes(3))), + strtoupper(bin2hex(random_bytes(3))) + )); + + $stmt = $pdo->prepare("INSERT INTO `reset_password` (`username`, `token`) + VALUES (:username, :token)"); + $stmt->execute(array( + ':username' => $username, + ':token' => $token + )); + + $reset_link = getBaseURL() . "/reset-password?token=" . $token; + + $request_date = new DateTime(); + $locale_date = locale_get_default(); + $date_formatter = new IntlDateFormatter( + $locale_date, + IntlDateFormatter::FULL, + IntlDateFormatter::FULL + ); + $formatted_request_date = $date_formatter->format($request_date); + + // set template vars + // subject + $pw_reset_notification['subject'] = str_replace('{{hostname}}', $mailcow_hostname, $pw_reset_notification['subject']); + $pw_reset_notification['subject'] = str_replace('{{link}}', $reset_link, $pw_reset_notification['subject']); + $pw_reset_notification['subject'] = str_replace('{{username}}', $username, $pw_reset_notification['subject']); + $pw_reset_notification['subject'] = str_replace('{{username2}}', $mailbox_attr['recovery_email'], $pw_reset_notification['subject']); + $pw_reset_notification['subject'] = str_replace('{{date}}', $formatted_request_date, $pw_reset_notification['subject']); + $pw_reset_notification['subject'] = str_replace('{{token_lifetime}}', $PW_RESET_TOKEN_LIFETIME, $pw_reset_notification['subject']); + // text + $pw_reset_notification['text_tmpl'] = str_replace('{{hostname}}', $mailcow_hostname, $pw_reset_notification['text_tmpl']); + $pw_reset_notification['text_tmpl'] = str_replace('{{link}}', $reset_link, $pw_reset_notification['text_tmpl']); + $pw_reset_notification['text_tmpl'] = str_replace('{{username}}', $username, $pw_reset_notification['text_tmpl']); + $pw_reset_notification['text_tmpl'] = str_replace('{{username2}}', $mailbox_attr['recovery_email'], $pw_reset_notification['text_tmpl']); + $pw_reset_notification['text_tmpl'] = str_replace('{{date}}', $formatted_request_date, $pw_reset_notification['text_tmpl']); + $pw_reset_notification['text_tmpl'] = str_replace('{{token_lifetime}}', $PW_RESET_TOKEN_LIFETIME, $pw_reset_notification['text_tmpl']); + // html + $pw_reset_notification['html_tmpl'] = str_replace('{{hostname}}', $mailcow_hostname, $pw_reset_notification['html_tmpl']); + $pw_reset_notification['html_tmpl'] = str_replace('{{link}}', $reset_link, $pw_reset_notification['html_tmpl']); + $pw_reset_notification['html_tmpl'] = str_replace('{{username}}', $username, $pw_reset_notification['html_tmpl']); + $pw_reset_notification['html_tmpl'] = str_replace('{{username2}}', $mailbox_attr['recovery_email'], $pw_reset_notification['html_tmpl']); + $pw_reset_notification['html_tmpl'] = str_replace('{{date}}', $formatted_request_date, $pw_reset_notification['html_tmpl']); + $pw_reset_notification['html_tmpl'] = str_replace('{{token_lifetime}}', $PW_RESET_TOKEN_LIFETIME, $pw_reset_notification['html_tmpl']); + + + $email_sent = reset_password('send_mail', array( + "from" => $pw_reset_notification['from'], + "to" => $mailbox_attr['recovery_email'], + "subject" => $pw_reset_notification['subject'], + "text" => $pw_reset_notification['text_tmpl'], + "html" => $pw_reset_notification['html_tmpl'] + )); + + if (!$email_sent){ + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $action, $_data_log), + 'msg' => "recovery_email_failed" + ); + return false; + } + + list($localPart, $domainPart) = explode('@', $mailbox_attr['recovery_email']); + if (strlen($localPart) > 1) { + $maskedLocalPart = $localPart[0] . str_repeat('*', strlen($localPart) - 1); + } else { + $maskedLocalPart = "*"; + } + $_SESSION['return'][] = array( + 'type' => 'success', + 'log' => array(__FUNCTION__, $action, $_data_log), + 'msg' => array("recovery_email_sent", $maskedLocalPart . '@' . $domainPart) + ); + return array( + "username" => $username, + "issue" => "success" + ); + break; + case 'reset': + $token = $data['token']; + $new_password = $data['new_password']; + $new_password2 = $data['new_password2']; + $username = $data['username']; + $check_tfa = $data['check_tfa']; + + if (!$username || !$token) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $action, $_data_log), + 'msg' => 'invalid_reset_token' + ); + return false; + } + + # check new password + if (!password_check($new_password, $new_password2)) { + return false; + } + + if ($check_tfa){ + // check for tfa authenticators + $authenticators = get_tfa($username); + if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) { + $_SESSION['pending_mailcow_cc_username'] = $username; + $_SESSION['pending_pw_reset_token'] = $token; + $_SESSION['pending_pw_new_password'] = $new_password; + $_SESSION['pending_tfa_methods'] = $authenticators['additional']; + $_SESSION['return'][] = array( + 'type' => 'info', + 'log' => array(__FUNCTION__, $user, '*'), + 'msg' => 'awaiting_tfa_confirmation' + ); + return false; + } + } + + # set new password + $password_hashed = hash_password($new_password); + $stmt = $pdo->prepare("UPDATE `mailbox` SET + `password` = :password_hashed, + `attributes` = JSON_SET(`attributes`, '$.passwd_update', NOW()) + WHERE `username` = :username AND authsource = 'mailcow'"); + $stmt->execute(array( + ':password_hashed' => $password_hashed, + ':username' => $username + )); + + // perform cleanup + $stmt = $pdo->prepare("DELETE FROM `reset_password` WHERE `username` = :username;"); + $stmt->execute(array( + ':username' => $username + )); + + update_sogo_static_view($username); + + $_SESSION['return'][] = array( + 'type' => 'success', + 'log' => array(__FUNCTION__, $action, $_data_log), + 'msg' => 'password_changed_success' + ); + return true; + break; + case 'get_notification': + $type = $data; + + try { + $settings['from'] = $redis->Get('PW_RESET_FROM'); + $settings['subject'] = $redis->Get('PW_RESET_SUBJ'); + $settings['html_tmpl'] = $redis->Get('PW_RESET_HTML'); + $settings['text_tmpl'] = $redis->Get('PW_RESET_TEXT'); + if (empty($settings['html_tmpl']) && empty($settings['text_tmpl'])) { + $settings['html_tmpl'] = file_get_contents("/tpls/pw_reset_html.tpl"); + $settings['text_tmpl'] = file_get_contents("/tpls/pw_reset_text.tpl"); + } + + if ($type != "raw") { + $settings['html_tmpl'] = htmlspecialchars($settings['html_tmpl']); + $settings['text_tmpl'] = htmlspecialchars($settings['text_tmpl']); + } + } + catch (RedisException $e) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $action, $_data_log), + 'msg' => array('redis_error', $e) + ); + return false; + } + + return $settings; + break; + case 'send_mail': + $from = $data['from']; + $to = $data['to']; + $text = $data['text']; + $html = $data['html']; + $subject = $data['subject']; + + if (!filter_var($from, FILTER_VALIDATE_EMAIL)) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $action, $_data_log), + 'msg' => 'from_invalid' + ); + return false; + } + if (!filter_var($to, FILTER_VALIDATE_EMAIL)) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $action, $_data_log), + 'msg' => 'to_invalid' + ); + return false; + } + if (empty($subject)) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $action, $_data_log), + 'msg' => 'subject_empty' + ); + return false; + } + if (empty($text)) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $action, $_data_log), + 'msg' => 'text_empty' + ); + return false; + } + + ini_set('max_execution_time', 0); + ini_set('max_input_time', 0); + $mail = new PHPMailer; + $mail->Timeout = 10; + $mail->SMTPOptions = array( + 'ssl' => array( + 'verify_peer' => false, + 'verify_peer_name' => false, + 'allow_self_signed' => true + ) + ); + $mail->isSMTP(); + $mail->Host = 'postfix-mailcow'; + $mail->SMTPAuth = false; + $mail->Port = 25; + $mail->setFrom($from); + $mail->Subject = $subject; + $mail->CharSet ="UTF-8"; + if (!empty($html)) { + $mail->Body = $html; + $mail->AltBody = $text; + } + else { + $mail->Body = $text; + } + $mail->XMailer = 'MooMail'; + $mail->AddAddress($to); + if (!$mail->send()) { + return false; + } + $mail->ClearAllRecipients(); + + return true; + break; + } + + if ($_SESSION['mailcow_cc_role'] != "admin") { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $action, $_data_log), + 'msg' => 'access_denied' + ); + return false; + } + + switch ($action) { + case 'edit_notification': + $subject = $data['subject']; + $from = preg_replace('/[\x00-\x1F\x80-\xFF]/', '', $data['from']); + + $from = (!filter_var($from, FILTER_VALIDATE_EMAIL)) ? "" : $from; + $subject = (empty($subject)) ? "" : $subject; + $text = (empty($data['text_tmpl'])) ? "" : $data['text_tmpl']; + $html = (empty($data['html_tmpl'])) ? "" : $data['html_tmpl']; + + try { + $redis->Set('PW_RESET_FROM', $from); + $redis->Set('PW_RESET_SUBJ', $subject); + $redis->Set('PW_RESET_HTML', $html); + $redis->Set('PW_RESET_TEXT', $text); + } + catch (RedisException $e) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $action, $_data_log), + 'msg' => array('redis_error', $e) + ); + return false; + } + + $_SESSION['return'][] = array( + 'type' => 'success', + 'log' => array(__FUNCTION__, $action, $_data_log), + 'msg' => 'saved_settings' + ); + break; + } +} +function clear_session(){ + session_regenerate_id(true); + session_unset(); + session_destroy(); + session_write_close(); +} +function set_user_loggedin_session($user) { + session_regenerate_id(true); + $_SESSION['mailcow_cc_username'] = $user; + $_SESSION['mailcow_cc_role'] = 'user'; + // Update User-Agent after session regeneration to prevent validation errors + $_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT']; + $sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass"); + $_SESSION['sogo-sso-user-allowed'][] = $user; + $_SESSION['sogo-sso-pass'] = $sogo_sso_pass; + unset($_SESSION['pending_mailcow_cc_username']); + unset($_SESSION['pending_mailcow_cc_role']); + unset($_SESSION['pending_tfa_methods']); +} +function get_logs($application, $lines = false) { + if ($lines === false) { + $lines = $GLOBALS['LOG_LINES'] - 1; + } + elseif(is_numeric($lines) && $lines >= 1) { + $lines = abs(intval($lines) - 1); + } + else { + list ($from, $to) = explode('-', $lines); + $from = intval($from); + $to = intval($to); + if ($from < 1 || $to < $from) { return false; } + } + global $redis; + global $pdo; + if ($_SESSION['mailcow_cc_role'] != "admin") { + return false; + } + // SQL + if ($application == "mailcow-ui") { + if (isset($from) && isset($to)) { + $stmt = $pdo->prepare("SELECT * FROM `logs` ORDER BY `id` DESC LIMIT :from, :to"); + $stmt->execute(array( + ':from' => $from - 1, + ':to' => $to + )); + $data = $stmt->fetchAll(PDO::FETCH_ASSOC); + } + else { + $stmt = $pdo->prepare("SELECT * FROM `logs` ORDER BY `id` DESC LIMIT :lines"); + $stmt->execute(array( + ':lines' => $lines + 1, + )); + $data = $stmt->fetchAll(PDO::FETCH_ASSOC); + } + if (is_array($data)) { + return $data; + } + } + if ($application == "sasl") { + if (isset($from) && isset($to)) { + $stmt = $pdo->prepare("SELECT * FROM `sasl_log` ORDER BY `datetime` DESC LIMIT :from, :to"); + $stmt->execute(array( + ':from' => $from - 1, + ':to' => $to + )); + $data = $stmt->fetchAll(PDO::FETCH_ASSOC); + } + else { + $stmt = $pdo->prepare("SELECT * FROM `sasl_log` ORDER BY `datetime` DESC LIMIT :lines"); + $stmt->execute(array( + ':lines' => $lines + 1, + )); + $data = $stmt->fetchAll(PDO::FETCH_ASSOC); + } + if (is_array($data)) { + return $data; + } + } + // Redis + if ($application == "dovecot-mailcow") { + if (isset($from) && isset($to)) { + $data = $redis->lRange('DOVECOT_MAILLOG', $from - 1, $to - 1); + } + else { + $data = $redis->lRange('DOVECOT_MAILLOG', 0, $lines); + } + if ($data) { + foreach ($data as $json_line) { + $data_array[] = json_decode($json_line, true); + } + return $data_array; + } + } + if ($application == "cron-mailcow") { + if (isset($from) && isset($to)) { + $data = $redis->lRange('CRON_LOG', $from - 1, $to - 1); + } + else { + $data = $redis->lRange('CRON_LOG', 0, $lines); + } + if ($data) { + foreach ($data as $json_line) { + $data_array[] = json_decode($json_line, true); + } + return $data_array; + } + } + if ($application == "postfix-mailcow") { + if (isset($from) && isset($to)) { + $data = $redis->lRange('POSTFIX_MAILLOG', $from - 1, $to - 1); + } + else { + $data = $redis->lRange('POSTFIX_MAILLOG', 0, $lines); + } + if ($data) { + foreach ($data as $json_line) { + $data_array[] = json_decode($json_line, true); + } + return $data_array; + } + } + if ($application == "sogo-mailcow") { + if (isset($from) && isset($to)) { + $data = $redis->lRange('SOGO_LOG', $from - 1, $to - 1); + } + else { + $data = $redis->lRange('SOGO_LOG', 0, $lines); + } + if ($data) { + foreach ($data as $json_line) { + $data_array[] = json_decode($json_line, true); + } + return $data_array; + } + } + if ($application == "watchdog-mailcow") { + if (isset($from) && isset($to)) { + $data = $redis->lRange('WATCHDOG_LOG', $from - 1, $to - 1); + } + else { + $data = $redis->lRange('WATCHDOG_LOG', 0, $lines); + } + if ($data) { + foreach ($data as $json_line) { + $data_array[] = json_decode($json_line, true); + } + return $data_array; + } + } + if ($application == "acme-mailcow") { + if (isset($from) && isset($to)) { + $data = $redis->lRange('ACME_LOG', $from - 1, $to - 1); + } + else { + $data = $redis->lRange('ACME_LOG', 0, $lines); + } + if ($data) { + foreach ($data as $json_line) { + $data_array[] = json_decode($json_line, true); + } + return $data_array; + } + } + if ($application == "ratelimited") { + if (isset($from) && isset($to)) { + $data = $redis->lRange('RL_LOG', $from - 1, $to - 1); + } + else { + $data = $redis->lRange('RL_LOG', 0, $lines); + } + if ($data) { + foreach ($data as $json_line) { + $data_array[] = json_decode($json_line, true); + } + return $data_array; + } + } + if ($application == "api-mailcow") { + if (isset($from) && isset($to)) { + $data = $redis->lRange('API_LOG', $from - 1, $to - 1); + } + else { + $data = $redis->lRange('API_LOG', 0, $lines); + } + if ($data) { + foreach ($data as $json_line) { + $data_array[] = json_decode($json_line, true); + } + return $data_array; + } + } + if ($application == "netfilter-mailcow") { + if (isset($from) && isset($to)) { + $data = $redis->lRange('NETFILTER_LOG', $from - 1, $to - 1); + } + else { + $data = $redis->lRange('NETFILTER_LOG', 0, $lines); + } + if ($data) { + foreach ($data as $json_line) { + $data_array[] = json_decode($json_line, true); + } + return $data_array; + } + } + if ($application == "autodiscover-mailcow") { + if (isset($from) && isset($to)) { + $data = $redis->lRange('AUTODISCOVER_LOG', $from - 1, $to - 1); + } + else { + $data = $redis->lRange('AUTODISCOVER_LOG', 0, $lines); + } + if ($data) { + foreach ($data as $json_line) { + $data_array[] = json_decode($json_line, true); + } + return $data_array; + } + } + if ($application == "rspamd-history") { + $curl = curl_init(); + curl_setopt($curl, CURLOPT_UNIX_SOCKET_PATH, '/var/lib/rspamd/rspamd.sock'); + if (!is_numeric($lines)) { + list ($from, $to) = explode('-', $lines); + curl_setopt($curl, CURLOPT_URL,"http://rspamd/history?from=" . intval($from) . "&to=" . intval($to)); + } + else { + curl_setopt($curl, CURLOPT_URL,"http://rspamd/history?to=" . intval($lines)); + } + curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); + $history = curl_exec($curl); + if (!curl_errno($curl)) { + $data_array = json_decode($history, true); + curl_close($curl); + return $data_array['rows']; + } + curl_close($curl); + return false; + } + if ($application == "rspamd-stats") { + $curl = curl_init(); + curl_setopt($curl, CURLOPT_UNIX_SOCKET_PATH, '/var/lib/rspamd/rspamd.sock'); + curl_setopt($curl, CURLOPT_URL,"http://rspamd/stat"); + curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); + $stats = curl_exec($curl); + if (!curl_errno($curl)) { + $data_array = json_decode($stats, true); + curl_close($curl); + return $data_array; + } + curl_close($curl); + return false; + } + return false; +} +function getGUID() { + if (function_exists('com_create_guid')) { + return com_create_guid(); + } + mt_srand((double)microtime()*10000);//optional for php 4.2.0 and up. + $charid = strtoupper(md5(uniqid(rand(), true))); + $hyphen = chr(45);// "-" + return substr($charid, 0, 8).$hyphen + .substr($charid, 8, 4).$hyphen + .substr($charid,12, 4).$hyphen + .substr($charid,16, 4).$hyphen + .substr($charid,20,12); +} + +function cleanupJS($ignore = '', $folder = '/tmp/*.js') { + $now = time(); + foreach (glob($folder) as $filename) { + if(strpos($filename, $ignore) !== false) { + continue; + } + if (is_file($filename)) { + if ($now - filemtime($filename) >= 60 * 60) { + unlink($filename); + } + } + } +} + +function cleanupCSS($ignore = '', $folder = '/tmp/*.css') { + $now = time(); + foreach (glob($folder) as $filename) { + if(strpos($filename, $ignore) !== false) { + continue; + } + if (is_file($filename)) { + if ($now - filemtime($filename) >= 60 * 60) { + unlink($filename); + } + } + } +} + +?> diff --git a/data/web/inc/sessions.inc.php b/data/web/inc/sessions.inc.php index 8f3192d70..da820730c 100644 --- a/data/web/inc/sessions.inc.php +++ b/data/web/inc/sessions.inc.php @@ -43,6 +43,8 @@ if (!isset($_SESSION['SESS_REMOTE_UA'])) { if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > $SESSION_LIFETIME)) { session_unset(); session_destroy(); + // After destroying session, we need to reset the User-Agent for the new session + $_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT']; } $_SESSION['LAST_ACTIVITY'] = time(); diff --git a/data/web/inc/triggers.admin.inc.php b/data/web/inc/triggers.admin.inc.php index df46a459c..4708b9e00 100644 --- a/data/web/inc/triggers.admin.inc.php +++ b/data/web/inc/triggers.admin.inc.php @@ -50,6 +50,8 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) { session_regenerate_id(true); $_SESSION['mailcow_cc_username'] = $login_user; $_SESSION['mailcow_cc_role'] = "admin"; + // Update User-Agent after session regeneration to prevent validation errors + $_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT']; header("Location: /admin/dashboard"); die(); } diff --git a/data/web/inc/triggers.domainadmin.inc.php b/data/web/inc/triggers.domainadmin.inc.php index a9f913688..187b27320 100644 --- a/data/web/inc/triggers.domainadmin.inc.php +++ b/data/web/inc/triggers.domainadmin.inc.php @@ -7,6 +7,8 @@ if (!empty($_GET['sso_token'])) { session_regenerate_id(true); $_SESSION['mailcow_cc_username'] = $username; $_SESSION['mailcow_cc_role'] = 'domainadmin'; + // Update User-Agent after session regeneration to prevent validation errors + $_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT']; header('Location: /domainadmin/mailbox'); } } @@ -61,6 +63,8 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) { session_regenerate_id(true); $_SESSION['mailcow_cc_username'] = $login_user; $_SESSION['mailcow_cc_role'] = "domainadmin"; + // Update User-Agent after session regeneration to prevent validation errors + $_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT']; header("Location: /domainadmin/mailbox"); die(); }