public/mailcow-dockerized
1
0
Fork 0
mirror of https://github.com/mailcow/mailcow-dockerized.git synced 2025-12-12 17:36:01 +00:00
Code Issues Releases Wiki Activity

[Web] Remove authentication from autodiscover.php

Browse Source
This commit is contained in:
FreddleSpl0it
2025-09-22 10:45:26 +02:00
parent f67a12d157
commit af8f649882
1 changed files with 206 additions and 177 deletions
Download Patch File Download Diff File Expand all files Collapse all files

383
data/web/autodiscover.php
View File

@@ -1,15 +1,139 @@
<?php
error_reporting(0);
header("Content-Type: application/xml");
require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/lib/vendor/autoload.php';
require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/vars.inc.php';
if(file_exists('inc/vars.local.inc.php')) {
include_once 'inc/vars.local.inc.php';
}
require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.inc.php';
require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.auth.inc.php';
require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/sessions.inc.php';
function error_xml($error_id, $error_code, $message) {
list($usec, $sec) = explode(' ', microtime());
$time_string = date('H:i:s', $sec) . substr($usec, 0, strlen($usec) - 2);
return <<<EOD
<?xml version="1.0" encoding="utf-8" ?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response>
<Error Time="$time_string" Id="$error_id">
<ErrorCode>$error_code</ErrorCode>
<Message>$message</Message>
<DebugData />
</Error>
</Response>
</Autodiscover>
EOD;
}
function autodiscover_xml($type, $email, $displayname, $autodiscover_config) {
$displayname = htmlspecialchars($displayname, ENT_XML1 | ENT_QUOTES, 'UTF-8');
$caldav_port = $autodiscover_config['caldav']['port'] != 443 ? ':' . $autodiscover_config['caldav']['port'] : '';
$carddav_port = $autodiscover_config['carddav']['port'] != 443 ? ':' . $autodiscover_config['carddav']['port'] : '';
$xml = '';
$calcardav_xml = '';
if (getenv('SKIP_SOGO') != "y") {
$calcardav_xml .= <<<EOD
<Protocol>
<Type>CalDAV</Type>
<Server>https://{$autodiscover_config['caldav']['server']}{$caldav_port}/SOGo/dav/{$email}/</Server>
<DomainRequired>off</DomainRequired>
<LoginName>{$email}</LoginName>
</Protocol>
<Protocol>
<Type>CardDAV</Type>
<Server>https://{$autodiscover_config['carddav']['server']}{$carddav_port}/SOGo/dav/{$email}/</Server>
<DomainRequired>off</DomainRequired>
<LoginName>{$email}</LoginName>
</Protocol>
EOD;
}
if ($type == 'imap') {
$xml .= <<<EOD
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<User>
<DisplayName>{$displayname}</DisplayName>
</User>
<Account>
<AccountType>email</AccountType>
<Action>settings</Action>
<Protocol>
<Type>IMAP</Type>
<Server>{$autodiscover_config['imap']['server']}</Server>
<Port>{$autodiscover_config['imap']['port']}</Port>
<DomainRequired>off</DomainRequired>
<LoginName>{$email}</LoginName>
<SPA>off</SPA>
<SSL>on</SSL>
<AuthRequired>on</AuthRequired>
</Protocol>
<Protocol>
<Type>SMTP</Type>
<Server>{$autodiscover_config['smtp']['server']}</Server>
<Port>{$autodiscover_config['smtp']['port']}</Port>
<DomainRequired>off</DomainRequired>
<LoginName>{$email}</LoginName>
<SPA>off</SPA>
<SSL>on</SSL>
<AuthRequired>on</AuthRequired>
<UsePOPAuth>on</UsePOPAuth>
<SMTPLast>off</SMTPLast>
</Protocol>
{$calcardav_xml}
</Account>
</Response>
EOD;
}
else if ($type == 'activesync') {
$xml .= <<<EOD
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006">
<Culture>en:en</Culture>
<User>
<DisplayName>{$displayname}</DisplayName>
<EMailAddress>{$email}</EMailAddress>
</User>
<Action>
<Settings>
<Server>
<Type>MobileSync</Type>
<Url>{$autodiscover_config['activesync']['url']}</Url>
<Name>{$autodiscover_config['activesync']['url']}</Name>
</Server>
</Settings>
</Action>
</Response>
EOD;
}
return <<<EOD
<?xml version="1.0" encoding="utf-8" ?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
$xml
</Autodiscover>
EOD;
}
$default_autodiscover_config = $autodiscover_config;
$autodiscover_config = array_merge($default_autodiscover_config, $autodiscover_config);
// SQL
//$dsn = $database_type . ":host=" . $database_host . ";dbname=" . $database_name;
$dsn = $database_type . ":unix_socket=" . $database_sock . ";dbname=" . $database_name;
$opt = [
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
PDO::ATTR_EMULATE_PREPARES => false,
];
$pdo = new PDO($dsn, $database_user, $database_pass, $opt);
// Redis
$redis = new Redis();
try {
@@ -22,10 +146,15 @@ try {
$redis->auth(getenv("REDISPASS"));
}
catch (Exception $e) {
exit;
$_SESSION['return'][] = array(
'type' => 'danger',
'msg' => 'Redis: '.$e
);
echo error_xml("2477272013", "600", "Server Error");
exit(0);
}
error_reporting(0);
$data = trim(file_get_contents("php://input"));
@@ -45,102 +174,8 @@ if (getenv('SKIP_SOGO') == "y") {
$autodiscover_config['autodiscoverType'] = 'imap';
}
//$dsn = $database_type . ":host=" . $database_host . ";dbname=" . $database_name;
$dsn = $database_type . ":unix_socket=" . $database_sock . ";dbname=" . $database_name;
$opt = [
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
PDO::ATTR_EMULATE_PREPARES => false,
];
$pdo = new PDO($dsn, $database_user, $database_pass, $opt);
// Init Identity Provider
$iam_provider = identity_provider('init');
$iam_settings = identity_provider('get');
$login_user = strtolower(trim($_SERVER['PHP_AUTH_USER']));
$login_pass = trim(htmlspecialchars_decode($_SERVER['PHP_AUTH_PW']));
if (empty($_SERVER['PHP_AUTH_USER']) || empty($_SERVER['PHP_AUTH_PW'])) {
$json = json_encode(
array(
"time" => time(),
"ua" => $_SERVER['HTTP_USER_AGENT'],
"user" => "none",
"ip" => $_SERVER['REMOTE_ADDR'],
"service" => "Error: must be authenticated"
)
);
$redis->lPush('AUTODISCOVER_LOG', $json);
header('WWW-Authenticate: Basic realm="' . $_SERVER['HTTP_HOST'] . '"');
header('HTTP/1.0 401 Unauthorized');
exit(0);
}
$login_role = check_login($login_user, $login_pass, array('eas' => TRUE));
if ($login_role === "user") {
header("Content-Type: application/xml");
echo '<?xml version="1.0" encoding="utf-8" ?>' . PHP_EOL;
?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<?php
if(!$data) {
try {
$json = json_encode(
array(
"time" => time(),
"ua" => $_SERVER['HTTP_USER_AGENT'],
"user" => $_SERVER['PHP_AUTH_USER'],
"ip" => $_SERVER['REMOTE_ADDR'],
"service" => "Error: invalid or missing request data"
)
);
$redis->lPush('AUTODISCOVER_LOG', $json);
$redis->lTrim('AUTODISCOVER_LOG', 0, 100);
}
catch (RedisException $e) {
$_SESSION['return'][] = array(
'type' => 'danger',
'msg' => 'Redis: '.$e
);
return false;
}
list($usec, $sec) = explode(' ', microtime());
?>
<Response>
<Error Time="<?=date('H:i:s', $sec) . substr($usec, 0, strlen($usec) - 2);?>" Id="2477272013">
<ErrorCode>600</ErrorCode>
<Message>Invalid Request</Message>
<DebugData />
</Error>
</Response>
</Autodiscover>
<?php
exit(0);
}
try {
$discover = new SimpleXMLElement($data);
$email = $discover->Request->EMailAddress;
} catch (Exception $e) {
$email = $_SERVER['PHP_AUTH_USER'];
}
$username = trim($email);
try {
$stmt = $pdo->prepare("SELECT `name` FROM `mailbox` WHERE `username`= :username");
$stmt->execute(array(':username' => $username));
$MailboxData = $stmt->fetch(PDO::FETCH_ASSOC);
}
catch(PDOException $e) {
die("Failed to determine name from SQL");
}
if (!empty($MailboxData['name'])) {
$displayname = $MailboxData['name'];
}
else {
$displayname = $email;
}
if(!$data) {
try {
$json = json_encode(
array(
@@ -148,7 +183,7 @@ if ($login_role === "user") {
"ua" => $_SERVER['HTTP_USER_AGENT'],
"user" => $_SERVER['PHP_AUTH_USER'],
"ip" => $_SERVER['REMOTE_ADDR'],
"service" => $autodiscover_config['autodiscoverType']
"service" => "Error: invalid or missing request data"
)
);
$redis->lPush('AUTODISCOVER_LOG', $json);
@@ -159,83 +194,77 @@ if ($login_role === "user") {
'type' => 'danger',
'msg' => 'Redis: '.$e
);
return false;
}
if ($autodiscover_config['autodiscoverType'] == 'imap') {
?>
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<User>
<DisplayName><?=htmlspecialchars($displayname, ENT_XML1 | ENT_QUOTES, 'UTF-8');?></DisplayName>
</User>
<Account>
<AccountType>email</AccountType>
<Action>settings</Action>
<Protocol>
<Type>IMAP</Type>
<Server><?=$autodiscover_config['imap']['server'];?></Server>
<Port><?=$autodiscover_config['imap']['port'];?></Port>
<DomainRequired>off</DomainRequired>
<LoginName><?=$email;?></LoginName>
<SPA>off</SPA>
<SSL>on</SSL>
<AuthRequired>on</AuthRequired>
</Protocol>
<Protocol>
<Type>SMTP</Type>
<Server><?=$autodiscover_config['smtp']['server'];?></Server>
<Port><?=$autodiscover_config['smtp']['port'];?></Port>
<DomainRequired>off</DomainRequired>
<LoginName><?=$email;?></LoginName>
<SPA>off</SPA>
<SSL>on</SSL>
<AuthRequired>on</AuthRequired>
<UsePOPAuth>on</UsePOPAuth>
<SMTPLast>off</SMTPLast>
</Protocol>
<?php
if (getenv('SKIP_SOGO') != "y") {
?>
<Protocol>
<Type>CalDAV</Type>
<Server>https://<?=$autodiscover_config['caldav']['server'];?><?php if ($autodiscover_config['caldav']['port'] != 443) echo ':'.$autodiscover_config['caldav']['port']; ?>/SOGo/dav/<?=$email;?>/</Server>
<DomainRequired>off</DomainRequired>
<LoginName><?=$email;?></LoginName>
</Protocol>
<Protocol>
<Type>CardDAV</Type>
<Server>https://<?=$autodiscover_config['carddav']['server'];?><?php if ($autodiscover_config['caldav']['port'] != 443) echo ':'.$autodiscover_config['carddav']['port']; ?>/SOGo/dav/<?=$email;?>/</Server>
<DomainRequired>off</DomainRequired>
<LoginName><?=$email;?></LoginName>
</Protocol>
<?php
}
?>
</Account>
</Response>
<?php
}
else if ($autodiscover_config['autodiscoverType'] == 'activesync') {
?>
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006">
<Culture>en:en</Culture>
<User>
<DisplayName><?=htmlspecialchars($displayname, ENT_XML1 | ENT_QUOTES, 'UTF-8');?></DisplayName>
<EMailAddress><?=$email;?></EMailAddress>
</User>
<Action>
<Settings>
<Server>
<Type>MobileSync</Type>
<Url><?=$autodiscover_config['activesync']['url'];?></Url>
<Name><?=$autodiscover_config['activesync']['url'];?></Name>
</Server>
</Settings>
</Action>
</Response>
<?php
}
?>
</Autodiscover>
<?php
echo error_xml("2477272013", "600", "Invalid Request");
exit(0);
}
?>
try {
$discover = new SimpleXMLElement($data);
$email = $discover->Request->EMailAddress;
} catch (Exception $e) {
// could not parse email address
try {
$json = json_encode(
array(
"time" => time(),
"ua" => $_SERVER['HTTP_USER_AGENT'],
"user" => $_SERVER['PHP_AUTH_USER'],
"ip" => $_SERVER['REMOTE_ADDR'],
"service" => "Error: missing email address in request data"
)
);
$redis->lPush('AUTODISCOVER_LOG', $json);
$redis->lTrim('AUTODISCOVER_LOG', 0, 100);
}
catch (RedisException $e) {
$_SESSION['return'][] = array(
'type' => 'danger',
'msg' => 'Redis: '.$e
);
}
echo error_xml("2477272013", "600", "Invalid Request");
exit(0);
}
$username = trim($email);
$displayname = $username;
try {
$stmt = $pdo->prepare("SELECT `name` FROM `mailbox` WHERE `username`= :username");
$stmt->execute(array(':username' => $username));
$MailboxData = $stmt->fetch(PDO::FETCH_ASSOC);
}
catch(PDOException $e) {
$MailboxData = array("name" => "");
}
if (!empty($MailboxData['name'])) {
$displayname = $MailboxData['name'];
}
try {
$json = json_encode(
array(
"time" => time(),
"ua" => $_SERVER['HTTP_USER_AGENT'],
"user" => $_SERVER['PHP_AUTH_USER'],
"ip" => $_SERVER['REMOTE_ADDR'],
"service" => $autodiscover_config['autodiscoverType']
)
);
$redis->lPush('AUTODISCOVER_LOG', $json);
$redis->lTrim('AUTODISCOVER_LOG', 0, 100);
}
catch (RedisException $e) {
$_SESSION['return'][] = array(
'type' => 'danger',
'msg' => 'Redis: '.$e
);
echo error_xml("2477272013", "600", "Server Error");
exit(0);
}
echo autodiscover_xml($autodiscover_config['autodiscoverType'], $email, $displayname, $autodiscover_config);
exit(0);