Improve authentication failure detection with word boundaries in regex

Co-authored-by: DerLinkman <62480600+DerLinkman@users.noreply.github.com>

_modules/scripts/migrate_options.sh

@@ -14,7 +14,6 @@ migrate_config_options() {
     FLATCURVE_EXPERIMENTAL
     DISABLE_IPv6
     ACME_CONTACT
-    SOGO_URL_ENCRYPTION_KEY
   )
 
   for key in "${KEYS[@]}"; do
@@ -63,12 +62,6 @@ migrate_config_options() {
           sed -i '/^ACME_CONTACT=.*/d' mailcow.conf
           sed -i '/^#ACME_CONTACT=.*/d' mailcow.conf
           ;;
-        SOGO_URL_ENCRYPTION_KEY)
-          echo "Removing ${key} in mailcow.conf (moved to sogo.conf)"
-          sed -i '/^# SOGo URL encryption key/d' mailcow.conf
-          sed -i '/^# This key is used to encrypt email addresses within SOGo URLs/d' mailcow.conf
-          sed -i '/^SOGO_URL_ENCRYPTION_KEY=.*/d' mailcow.conf
-          ;;
       esac
     fi
   done

_modules/scripts/new_options.sh

@@ -43,6 +43,7 @@ adapt_new_options() {
   "ALLOW_ADMIN_EMAIL_LOGIN"
   "SKIP_HTTP_VERIFICATION"
   "SOGO_EXPIRE_SESSION"
+  "SOGO_URL_ENCRYPTION_KEY"
   "REDIS_PORT"
   "REDISPASS"
   "DOVECOT_MASTER_USER"
@@ -286,6 +287,11 @@ adapt_new_options() {
         REDISPASS)
             echo "REDISPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2>/dev/null | head -c 28)" >> mailcow.conf
             ;;
+        SOGO_URL_ENCRYPTION_KEY)
+            echo '# SOGo URL encryption key (exactly 16 characters, limited to A–Z, a–z, 0–9)' >> mailcow.conf
+            echo '# This key is used to encrypt email addresses within SOGo URLs' >> mailcow.conf
+            echo "SOGO_URL_ENCRYPTION_KEY=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2>/dev/null | head -c 16)" >> mailcow.conf
+            ;;
         *)
             echo "${option}=" >> mailcow.conf
             ;;

data/Dockerfiles/acme/acme.sh

@@ -246,25 +246,6 @@ while true; do
     done
     VALIDATED_CONFIG_DOMAINS+=("${VALIDATED_CONFIG_DOMAINS_SUBDOMAINS[*]}")
   done
-
-  # Fetch alias domains where target domain has MTA-STS enabled
-  if [[ ${AUTODISCOVER_SAN} == "y" ]]; then
-    SQL_ALIAS_DOMAINS=$(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT ad.alias_domain FROM alias_domain ad INNER JOIN mta_sts m ON ad.target_domain = m.domain WHERE ad.active = 1 AND m.active = 1" -Bs)
-    if [[ $? -eq 0 ]]; then
-      while read alias_domain; do
-        if [[ -z "${alias_domain}" ]]; then
-          # ignore empty lines
-          continue
-        fi
-        # Only add mta-sts subdomain for alias domains
-        if [[ "mta-sts.${alias_domain}" != "${MAILCOW_HOSTNAME}" ]]; then
-          if check_domain "mta-sts.${alias_domain}"; then
-            VALIDATED_CONFIG_DOMAINS+=("mta-sts.${alias_domain}")
-          fi
-        fi
-      done <<< "${SQL_ALIAS_DOMAINS}"
-    fi
-  fi
   fi
 
   if check_domain ${MAILCOW_HOSTNAME}; then

data/Dockerfiles/dovecot/imapsync_runner.pl

@@ -117,51 +117,77 @@ while ($row = $sth->fetchrow_arrayref()) {
   if ($enc1 eq "TLS") { $enc1 = "--tls1"; } elsif ($enc1 eq "SSL") { $enc1 = "--ssl1"; } else { undef $enc1; }
 
   my $template = $run_dir . '/imapsync.XXXXXXX';
-  my $passfile1 = File::Temp->new(TEMPLATE => $template);
   my $passfile2 = File::Temp->new(TEMPLATE => $template);
   
-  binmode( $passfile1, ":utf8" );
-  
-  print $passfile1 "$password1\n";
   print $passfile2 trim($master_pass) . "\n";
 
   my @custom_params_a = qqw($custom_params);
   my $custom_params_ref = \@custom_params_a;
 
-  my $generated_cmds = [ "/usr/local/bin/imapsync",
-  "--tmpdir", "/tmp",
-  "--nofoldersizes",
-  "--addheader",
-  ($timeout1 le "0" ? () : ('--timeout1', $timeout1)),
-  ($timeout2 le "0" ? () : ('--timeout2', $timeout2)),
-  ($exclude eq "" ? () : ("--exclude", $exclude)),
-  ($subfolder2 eq "" ? () : ('--subfolder2', $subfolder2)),
-  ($maxage eq "0" ? () : ('--maxage', $maxage)),
-  ($maxbytespersecond eq "0" ? () : ('--maxbytespersecond', $maxbytespersecond)),
-  ($delete2duplicates ne "1" ? () : ('--delete2duplicates')),
-  ($subscribeall  ne "1" ? () : ('--subscribeall')),
-  ($delete1 ne "1" ? () : ('--delete')),
-  ($delete2 ne "1" ? () : ('--delete2')),
-  ($automap ne "1" ? () : ('--automap')),
-  ($skipcrossduplicates ne "1" ? () : ('--skipcrossduplicates')),
-  (!defined($enc1) ? () : ($enc1)),
-  "--host1", $host1,
-  "--user1", $user1,
-  "--passfile1", $passfile1->filename,
-  "--port1", $port1,
-  "--host2", "localhost",
-  "--user2", $user2 . '*' . trim($master_user),
-  "--passfile2", $passfile2->filename,
-  ($dry eq "1" ? ('--dry') : ()),
-  '--no-modulesversion',
-  '--noreleasecheck'];
+  # Helper function to run imapsync with a specific encoding for password1
+  my $run_imapsync = sub {
+    my ($encoding) = @_;
+    
+    my $passfile1 = File::Temp->new(TEMPLATE => $template);
+    
+    if ($encoding eq 'utf8') {
+      binmode( $passfile1, ":utf8" );
+    } elsif ($encoding eq 'latin1') {
+      binmode( $passfile1, ":encoding(iso-8859-1)" );
+    }
+    
+    print $passfile1 "$password1\n";
+    $passfile1->flush();
+
+    my $generated_cmds = [ "/usr/local/bin/imapsync",
+    "--tmpdir", "/tmp",
+    "--nofoldersizes",
+    "--addheader",
+    ($timeout1 le "0" ? () : ('--timeout1', $timeout1)),
+    ($timeout2 le "0" ? () : ('--timeout2', $timeout2)),
+    ($exclude eq "" ? () : ("--exclude", $exclude)),
+    ($subfolder2 eq "" ? () : ('--subfolder2', $subfolder2)),
+    ($maxage eq "0" ? () : ('--maxage', $maxage)),
+    ($maxbytespersecond eq "0" ? () : ('--maxbytespersecond', $maxbytespersecond)),
+    ($delete2duplicates ne "1" ? () : ('--delete2duplicates')),
+    ($subscribeall  ne "1" ? () : ('--subscribeall')),
+    ($delete1 ne "1" ? () : ('--delete')),
+    ($delete2 ne "1" ? () : ('--delete2')),
+    ($automap ne "1" ? () : ('--automap')),
+    ($skipcrossduplicates ne "1" ? () : ('--skipcrossduplicates')),
+    (!defined($enc1) ? () : ($enc1)),
+    "--host1", $host1,
+    "--user1", $user1,
+    "--passfile1", $passfile1->filename,
+    "--port1", $port1,
+    "--host2", "localhost",
+    "--user2", $user2 . '*' . trim($master_user),
+    "--passfile2", $passfile2->filename,
+    ($dry eq "1" ? ('--dry') : ()),
+    '--no-modulesversion',
+    '--noreleasecheck'];
+
+    my $stdout;
+    run [@$generated_cmds, @$custom_params_ref], '&>', \$stdout;
+    
+    return $stdout;
+  };
 
   try {
     $is_running = $dbh->prepare("UPDATE imapsync SET is_running = 1, success = NULL, exit_status = NULL WHERE id = ?");
     $is_running->bind_param( 1, ${id} );
     $is_running->execute();
 
-    run [@$generated_cmds, @$custom_params_ref], '&>', \my $stdout;
+    # First attempt with UTF-8 encoding (default behavior)
+    my $stdout = $run_imapsync->('utf8');
+
+    # Check if authentication failed
+    my $auth_failed = ($stdout =~ /\b(LOGIN failed|authentication failed|AUTHENTICATIONFAILED)\b/i);
+    
+    # If authentication failed with UTF-8, retry with Latin-1 encoding for legacy passwords
+    if ($auth_failed) {
+      $stdout = $run_imapsync->('latin1');
+    }
 
     # check exit code and status
     ($exit_code, $exit_status) = ($stdout =~ m/Exiting\swith\sreturn\svalue\s(\d+)\s\(([^:)]+)/);

data/web/inc/ajax/dns_diagnostics.php

@@ -129,16 +129,7 @@ if (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] == "adm
     );
   }
 
-  // Check if domain is an alias domain and get target domain's MTA-STS
-  $alias_domain_details = mailbox('get', 'alias_domain_details', $domain);
-  $mta_sts_domain = $domain;
-  
-  if ($alias_domain_details !== false && !empty($alias_domain_details['target_domain'])) {
-    // This is an alias domain, check target domain for MTA-STS
-    $mta_sts_domain = $alias_domain_details['target_domain'];
-  }
-  
-  $mta_sts = mailbox('get', 'mta_sts', $mta_sts_domain);
+  $mta_sts = mailbox('get', 'mta_sts', $domain);
   if (count($mta_sts) > 0 && $mta_sts['active'] == 1) {
     if (!in_array($domain, $alias_domains)) {
       $records[] = array(

data/web/mta-sts.php

@@ -7,30 +7,7 @@ if (!isset($_SERVER['HTTP_HOST']) || strpos($_SERVER['HTTP_HOST'], 'mta-sts.') !
 }
 
 $host = preg_replace('/:[0-9]+$/', '', $_SERVER['HTTP_HOST']);
-$domain = idn_to_ascii(strtolower(str_replace('mta-sts.', '', $host)), 0, INTL_IDNA_VARIANT_UTS46);
-
-// Validate domain or return 404 on error
-if ($domain === false || empty($domain)) {
-  http_response_code(404);
-  exit;
-}
-
-// Check if domain is an alias domain and resolve to target domain
-try {
-  $stmt = $pdo->prepare("SELECT `target_domain` FROM `alias_domain` WHERE `alias_domain` = :domain");
-  $stmt->execute(array(':domain' => $domain));
-  $alias_row = $stmt->fetch(PDO::FETCH_ASSOC);
-  
-  if ($alias_row !== false && !empty($alias_row['target_domain'])) {
-    // This is an alias domain, use the target domain for MTA-STS lookup
-    $domain = $alias_row['target_domain'];
-  }
-} catch (PDOException $e) {
-  // On database error, return 404
-  http_response_code(404);
-  exit;
-}
-
+$domain = str_replace('mta-sts.', '', $host);
 $mta_sts = mailbox('get', 'mta_sts', $domain);
 
 if (count($mta_sts) == 0 ||

docker-compose.yml

@@ -213,6 +213,7 @@ services:
         - ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
         - IPV4_NETWORK=${IPV4_NETWORK:-172.22.1}
         - SOGO_EXPIRE_SESSION=${SOGO_EXPIRE_SESSION:-480}
+        - SOGO_URL_ENCRYPTION_KEY=${SOGO_URL_ENCRYPTION_KEY:-SOGoSuperSecret0}
         - SKIP_SOGO=${SKIP_SOGO:-n}
         - MASTER=${MASTER:-y}
         - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
@@ -464,7 +465,7 @@ services:
           condition: service_started
         unbound-mailcow:
           condition: service_healthy
-      image: ghcr.io/mailcow/acme:1.95
+      image: ghcr.io/mailcow/acme:1.94
       dns:
         - ${IPV4_NETWORK:-172.22.1}.254
       environment:

generate_config.sh

@@ -405,6 +405,10 @@ MAILDIR_SUB=Maildir
 # SOGo session timeout in minutes
 SOGO_EXPIRE_SESSION=480
 
+# SOGo URL encryption key (exactly 16 characters, limited to A–Z, a–z, 0–9)
+# This key is used to encrypt email addresses within SOGo URLs
+SOGO_URL_ENCRYPTION_KEY=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2>/dev/null | head -c 16)
+
 # DOVECOT_MASTER_USER and DOVECOT_MASTER_PASS must both be provided. No special chars.
 # Empty by default to auto-generate master user and password on start.
 # User expands to DOVECOT_MASTER_USER@mailcow.local