<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
	<title type="html"><![CDATA[iRedMail — SOGo per-user flags (Webmail/ActiveSync) ignored — ModulesConstraints]]></title>
	<link rel="self" href="https://forum.iredmail.org/feed-atom-topic21168.xml" />
	<updated>2026-07-01T07:19:27Z</updated>
	<generator>PunBB</generator>
	<id>https://forum.iredmail.org/topic21168-sogo-peruser-flags-webmailactivesync-ignored-modulesconstraints.html</id>
		<entry>
			<title type="html"><![CDATA[Re: SOGo per-user flags (Webmail/ActiveSync) ignored — ModulesConstraints]]></title>
			<link rel="alternate" href="https://forum.iredmail.org/post92064.html#p92064" />
			<content type="html"><![CDATA[<div class="quotebox"><cite>ZhangHuangbin wrote:</cite><blockquote><p>Latest SOGo release is v5.12.9, could you please upgrade SOGo packages and try again?</p></blockquote></div><p>Update after upgrading to SOGo 5.12.9:<br />Upgraded SOGo to 5.12.9.20260630-1 (latest nightly, released today) as suggested. Result is identical — ModulesConstraints still has no effect with MySQL/MariaDB backend.</p><p>Test setup:</p><p>User user@domain.tld with enablesogowebmail = &#039;n&#039; (varchar(1)) in vmail.mailbox<br />sogo.users view correctly exposes c_webmail column (confirmed via SHOW CREATE VIEW)<br />ModulesConstraints added inside SQL SOGoUserSources block in sogo.conf:</p><p>ModulesConstraints = {<br />&nbsp; &nbsp; Mail = { c_webmail = y; };<br />&nbsp; &nbsp; Calendar = { c_calendar = y; };<br />&nbsp; &nbsp; ActiveSync = { c_activesync = y; };<br />};</p><p>SOGo log after restart and fresh login (no cached session):</p><p>SOGoRootPage successful login from &#039;x.x.x.x&#039; for user &#039;user@domain.tld&#039; - expire = -1&nbsp; grace = -1<br />POST /SOGo/connect HTTP/1.0&quot; 200</p><p>Login succeeds despite c_webmail = n. No constraint evaluation visible in logs.</p><p>Additional finding: The three iRedAdmin-Pro toggles (enablesogowebmail, enablesogocalendar, enablesogoactivesync) appear to be silently ignored by SOGo regardless of version. The only flag that actually enforces access via the sogo.users view is enablesogo (master toggle), which blocks all SOGo access including EAS and CalDAV — too coarse for per-service control.</p><p>Current workaround: nginx-level redirect of /SOGo, /SOGo/ and /SOGo/connect to Roundcube (/mail). Global block only, no per-user granularity.</p><p>Is ModulesConstraints actually supported for SQL backends in any SOGo version? If not, should iRedAdmin-Pro hide or disable these per-service toggles to avoid misleading administrators?</p>]]></content>
			<author>
				<name><![CDATA[oscarfp]]></name>
				<uri>https://forum.iredmail.org/user53870.html</uri>
			</author>
			<updated>2026-07-01T07:19:27Z</updated>
			<id>https://forum.iredmail.org/post92064.html#p92064</id>
		</entry>
		<entry>
			<title type="html"><![CDATA[Re: SOGo per-user flags (Webmail/ActiveSync) ignored — ModulesConstraints]]></title>
			<link rel="alternate" href="https://forum.iredmail.org/post92062.html#p92062" />
			<content type="html"><![CDATA[<p>Latest SOGo release is v5.12.9, could you please upgrade SOGo packages and try again?</p>]]></content>
			<author>
				<name><![CDATA[ZhangHuangbin]]></name>
				<uri>https://forum.iredmail.org/user2.html</uri>
			</author>
			<updated>2026-07-01T02:34:16Z</updated>
			<id>https://forum.iredmail.org/post92062.html#p92062</id>
		</entry>
		<entry>
			<title type="html"><![CDATA[SOGo per-user flags (Webmail/ActiveSync) ignored — ModulesConstraints]]></title>
			<link rel="alternate" href="https://forum.iredmail.org/post92060.html#p92060" />
			<content type="html"><![CDATA[<p>==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====<br />- iRedMail version (check /etc/iredmail-release): 1.7.3 MARIADB edition<br />- Deployed with iRedMail Easy or the downloadable installer? Downloadable installer<br />- Linux/BSD distribution name and version: Debian GNU/Linux 12 (Bookworm)<br />- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL/MariaDB<br />- Web server (Apache or Nginx): Nginx<br />- Manage mail accounts with iRedAdmin-Pro? Yes, iRedAdmin-Pro-SQL 5.8<br />- [IMPORTANT] Related original log or error message is required if you&#039;re experiencing an issue.</p><p>SOGo log extract confirming successful login despite enablesogowebmail = &#039;n&#039; in vmail.mailbox:</p><p>Jun 30 20:11:25 sogod [15240]: SOGoRootPage successful login from &#039;172.16.x.x&#039; for user &#039;user@domain.tld&#039; - expire = -1&nbsp; grace = -1<br />Jun 30 20:11:25 sogod [15240]: 172.16.x.x &quot;POST /SOGo/connect HTTP/1.0&quot; 200 84/94 0.044 - - 0 - 13<br />====</p><p>---</p><p>**[Bug Report] iRedAdmin-Pro SOGo per-user flags (enablesogowebmail, enablesogocalendar, enablesogoactivesync) have no effect on SOGo behavior**</p><p>**Description:**</p><p>iRedAdmin-Pro exposes three per-user toggles under SOGo Groupware:<br />- SOGo Webmail<br />- SOGo Calendar<br />- SOGo ActiveSync</p><p>These map to columns `enablesogowebmail`, `enablesogocalendar` and `enablesogoactivesync` in `vmail.mailbox`, which are exposed via the `sogo.users` view as `c_webmail`, `c_calendar` and `c_activesync` respectively.</p><p>Disabling any of these flags in iRedAdmin-Pro has no effect on SOGo behavior. Users with `enablesogowebmail = &#039;n&#039;` can still log in to the SOGo webmail interface. 
Users with `enablesogoactivesync = &#039;n&#039;` and `enablesogocalendar = &#039;n&#039;` can still authenticate via EAS (HTTP 200) and CalDAV (HTTP 207 Multi-Status).</p><p>**Verification:**</p><p>Confirmed that the `sogo.users` view correctly exposes the columns:</p><p>```sql<br />SHOW CREATE VIEW sogo.users\G<br />-- Result includes:<br />-- enablesogowebmail AS c_webmail<br />-- enablesogocalendar AS c_calendar<br />-- enablesogoactivesync AS c_activesync<br />```</p><p>Confirmed column type in `vmail.mailbox`:<br />```sql<br />SELECT COLUMN_NAME, DATA_TYPE, CHARACTER_MAXIMUM_LENGTH<br />FROM information_schema.COLUMNS<br />WHERE TABLE_SCHEMA = &#039;vmail&#039; AND TABLE_NAME = &#039;mailbox&#039;<br />AND COLUMN_NAME = &#039;enablesogowebmail&#039;;<br />-- Result: varchar(1)<br />```</p><p>Added `ModulesConstraints` to `/etc/sogo/sogo.conf` inside the SQL `SOGoUserSources` block, using the syntax from the official iRedMail sample:</p><p>```<br />ModulesConstraints = {<br />&nbsp; &nbsp; Mail = { c_webmail = y; };<br />&nbsp; &nbsp; Calendar = { c_calendar = y; };<br />&nbsp; &nbsp; ActiveSync = { c_activesync = y; };<br />};<br />```</p><p>After restarting SOGo, users with `enablesogowebmail = &#039;n&#039;` can still log in successfully. SOGo log confirms:</p><p>```<br />SOGoRootPage successful login from &#039;172.16.x.x&#039; for user &#039;user@domain.tld&#039; - expire = -1&nbsp; grace = -1<br />POST /SOGo/connect HTTP/1.0&quot; 200<br />```</p><p>**Root cause (suspected):**</p><p>This appears to be related to SOGo bug #5390 (ModulesConstraints and SQL column type VARCHAR(1)), which was reported as resolved but the behavior persists in SOGo 5.9.0 with MySQL/MariaDB backend. The `ModulesConstraints` directive does not appear to be enforced for SQL authentication sources in this version.</p><p>**Impact:**</p><p>The per-user SOGo service flags in iRedAdmin-Pro are effectively non-functional. 
Administrators who disable SOGo Webmail, Calendar or ActiveSync for specific users via iRedAdmin-Pro will see no actual restriction applied. This is a silent failure with no warning in the UI or logs.</p><p>**Workaround currently in use:**</p><p>Blocking SOGo web access at the nginx level by redirecting `/SOGo`, `/SOGo/` and `/SOGo/connect` to `/mail` (Roundcube). This is a global block and does not allow per-user granularity.</p><p>**Question:**</p><p>Is there a supported way to enforce per-user SOGo service restrictions (webmail, calendar, ActiveSync) with a MySQL/MariaDB SQL backend in iRedAdmin-Pro 5.8 / SOGo 5.9.0? If `ModulesConstraints` is not functional for SQL sources, should the iRedAdmin-Pro UI reflect this limitation?</p>]]></content>
			<author>
				<name><![CDATA[oscarfp]]></name>
				<uri>https://forum.iredmail.org/user53870.html</uri>
			</author>
			<updated>2026-06-30T18:54:41Z</updated>
			<id>https://forum.iredmail.org/post92060.html#p92060</id>
		</entry>
</feed>
