1

Topic: Restrict "Any Authenticated User" sharing permissions in SOGo

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.8
- Linux/BSD distribution name and version: Debian 9.4 (stretch)
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): NGINX
- Manage mail accounts with iRedAdmin-Pro? YES
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

The 0.9.8 update includes a great feature to limit the Global Address Book to the current domain. Thanks for that!

I was hoping that the update would separate the domains fully but when you "add subscription" in the addressbook, any user on any domain is searchable. Can this be limited to the current domain too?

----


2

Re: Restrict "Any Authenticated User" sharing permissions in SOGo

Anybody?

3

Re: Restrict "Any Authenticated User" sharing permissions in SOGo

According to the SOGo docs, I will have to define individual domains like this:

domains = {
        acme.com = {
            SOGoMailDomain = acme.com;
            SOGoDraftsFolderName = Drafts;
            SOGoUserSources = (
                {
                    type = ldap;
                    CNFieldName = cn;
                    IDFieldName = uid;
                    UIDFieldName = uid;
                    baseDN = "ou=users,dc=acme,dc=com";
                    bindDN = "uid=sogo,ou=users,dc=acme,dc=com";
                    bindPassword = qwerty;
                    canAuthenticate = YES;
                    displayName = "Shared Addresses";
                    hostname = 127.0.0.1;
                    id = public_acme;
                    isAddressBook = YES;
                    port = 389;
                }
            );
        };
};

I've merged the iRedMail configuration into the sample above and have been able to connect, but the Global Address Book is not available. I think I need help choosing the baseDN for each domain. Does anyone have a working example I could refer to?

4

Re: Restrict "Any Authenticated User" sharing permissions in SOGo

Help push the SOGo team to implement placeholder support in the LDAP base DN; this will give you the most flexible solution:
https://sogo.nu/bugs/view.php?id=3685

5

Re: Restrict "Any Authenticated User" sharing permissions in SOGo

I saw your request and that seems like a better way to tackle the problem. Unfortunately, I need to find a fix - now - before I can go live with my new server. Until a better solution comes up, I don't mind adding to the configuration per domain. I'm having problems getting the global address book to work for the individual domains.

BTW, he posted an invalid link for consulting. It should be ---> https://sogo.nu/support.html#/commercial

6 (edited by sayso 2018-04-05 09:12:34)

Re: Restrict "Any Authenticated User" sharing permissions in SOGo

So I think I have it figured out. First, remove the existing SOGoUserSources and duplicate it within the domains = { ... } statement for each domain like this:

domains = {
                domain.com = {
                    SOGoMailDomain = domain.com;
                    SOGoDraftsFolderName = Drafts;
                    SOGoUserSources = (
                        {
                            // Used for user authentication
                            type = ldap;
                            id = <domain>_users;
                            canAuthenticate = YES;
                            isAddressBook = NO;
                            displayName = "LDAP Authentication";

                            hostname = "ldap://127.0.0.1:389";
                            baseDN = "o=domains,dc=domain,dc=com";
                            bindDN = "cn=vmail,dc=domain,dc=com";
                            bindPassword = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
                            filter = "objectClass=mailUser AND accountStatus=active AND enabledService=mail AND enabledService=sogo";
                            scope = SUB;

                            // The algorithm used for password encryption when changing
                            // passwords without Password Policies enabled.
                            // Possible values are: plain, crypt, md5-crypt, ssha, ssha512.
                            userPasswordAlgorithm = ssha512;

                            CNFieldName = cn;
                            IDFieldName = mail;
                            bindFields = (mail);
                            // value of UIDFieldName must be unique on entire server
                            UIDFieldName = mail;
                            IMAPLoginFieldName = mail;
                        },
                        {
                            type = ldap;
                            CNFieldName = cn;
                            bindFields = (mail);
                            IDFieldName = mail;
                            UIDFieldName = mail;
                            IMAPLoginFieldName = mail;
                            id = <domain>;
                            isAddressBook = YES;
                            listRequiresDot = NO;
                            canAuthenticate = YES;
                            bindAsCurrentUser = YES;
                            displayName = "Global Address Book";
                            hostname = "ldap://127.0.0.1:389";
                            baseDN = "o=domains,dc=domain,dc=com";
                            bindDN = "cn=vmail,dc=domain,dc=com";
                            bindPassword = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
                            filter = "((enabledService=mail AND accountStatus=active AND enabledService=displayedInGlobalAddressBook) AND ((objectClass=mailUser AND enabledService=sogo) OR (objectClass=mailList) OR (objectClass=mailAlias)))";
                            SearchFieldNames = (cn, sn, displayName, telephoneNumber, mail, shadowAddress, departmentNumber);
                            scope = SUB;
                        }
                    );
                };
                domain2.com = {
                    SOGoMailDomain = domain2.com;
                    SOGoDraftsFolderName = Drafts;
                    SOGoUserSources = (

                    ... etc ...

                        }
                    );
                };

            };

These are preliminary results with just two domains. Both are separated and setting permissions for "All Authenticated Users" no longer allows access across domains. Seems to be working fine.
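The per-domain stanza above has to be repeated, by hand, for every hosted domain, and each copy needs its own unique source id and its own base DN. The generator below is an added example and not code from the thread or from the iRedMail or SOGo projects. It assumes iRedMail's default LDAP layout, in which every mail domain lives in its own subtree `domainName=<domain>,o=domains,<suffix>`; scoping each domain's `baseDN` to that subtree is what keeps authentication and address-book lookups inside one domain (a single source with `baseDN = o=domains,<suffix>` spans every domain on the server). The suffix, bind DN and password are placeholders. It also includes a checker that flags any stanza whose `baseDN` is not scoped to its own domain or whose source id collides with another.

```python
"""Generate per-domain SOGoUserSources stanzas for sogo.conf (added example).

Assumptions: iRedMail's default LDAP tree (domainName=<domain>,o=domains,<suffix>),
the stock iRedMail filters, and placeholder credentials below.
"""
import re

SUFFIX = "dc=iredmail,dc=org"        # placeholder LDAP suffix (assumption)
BIND_DN = f"cn=vmail,{SUFFIX}"       # iRedMail's read-only bind account
BIND_PW = "change-me"                # placeholder password

# Filters as shipped in iRedMail's sogo.conf, kept verbatim.
AUTH_FILTER = ("objectClass=mailUser AND accountStatus=active "
               "AND enabledService=mail AND enabledService=sogo")
GAB_FILTER = ("((enabledService=mail AND accountStatus=active AND "
              "enabledService=displayedInGlobalAddressBook) AND "
              "((objectClass=mailUser AND enabledService=sogo) OR "
              "(objectClass=mailList) OR (objectClass=mailAlias)))")
SEARCH_FIELDS = "(cn, sn, displayName, telephoneNumber, mail, shadowAddress, departmentNumber)"


def domain_base_dn(domain, suffix=SUFFIX):
    """Base DN of one domain's own subtree in the iRedMail LDAP tree."""
    return f"domainName={domain},o=domains,{suffix}"


def source_id(domain, kind):
    """SOGo needs source ids to be unique server-wide; derive them from the domain."""
    return re.sub(r"[^A-Za-z0-9]", "_", domain) + "_" + kind


def _source(fields):
    """Wrap a list of `key = value;` lines in a SOGo source dictionary."""
    return ["{"] + ["    " + f for f in fields] + ["}"]


def _ldap_common(domain, suffix, bind_dn, bind_pw):
    return [
        'hostname = "ldap://127.0.0.1:389";',
        f'baseDN = "{domain_base_dn(domain, suffix)}";',
        f'bindDN = "{bind_dn}";',
        f'bindPassword = "{bind_pw}";',
        "scope = SUB;",
        "CNFieldName = cn;", "IDFieldName = mail;", "UIDFieldName = mail;",
        "IMAPLoginFieldName = mail;", "bindFields = (mail);",
    ]


def domain_stanza(domain, suffix=SUFFIX, bind_dn=BIND_DN, bind_pw=BIND_PW):
    """One `<domain> = { ... };` block with an auth source and a GAB source."""
    common = _ldap_common(domain, suffix, bind_dn, bind_pw)
    auth = _source([
        "type = ldap;", f"id = {source_id(domain, 'users')};",
        "canAuthenticate = YES;", "isAddressBook = NO;",
        'displayName = "LDAP Authentication";',
        "userPasswordAlgorithm = ssha512;", f'filter = "{AUTH_FILTER}";',
    ] + common)
    auth[-1] += ","                      # separate the two sources in the list
    gab = _source([
        "type = ldap;", f"id = {source_id(domain, 'gab')};",
        "canAuthenticate = YES;", "bindAsCurrentUser = YES;",
        "isAddressBook = YES;", "listRequiresDot = NO;",
        'displayName = "Global Address Book";', f'filter = "{GAB_FILTER}";',
        f"SearchFieldNames = {SEARCH_FIELDS};",
    ] + common)
    lines = [f"{domain} = {{",
             f"    SOGoMailDomain = {domain};",
             "    SOGoDraftsFolderName = Drafts;",
             "    SOGoUserSources = ("]
    lines += ["        " + l for l in auth + gab]
    lines += ["    );", "};"]
    return "\n".join(lines)


def render_domains(domains, suffix=SUFFIX, bind_dn=BIND_DN, bind_pw=BIND_PW):
    """The complete `domains = { ... };` block for sogo.conf."""
    body = []
    for d in domains:
        body += ["    " + l for l in domain_stanza(d, suffix, bind_dn, bind_pw).splitlines()]
    return "\n".join(["domains = {"] + body + ["};"])


def check_scoping(config):
    """Return problems: a baseDN outside its domain's subtree, or a duplicate id."""
    problems, ids, current = [], set(), None
    for line in config.splitlines():
        m = re.match(r"^\s*([\w.-]+) = \{$", line)
        if m and m.group(1) != "domains":
            current = m.group(1)
        m = re.match(r'^\s*baseDN = "([^"]*)";', line)
        if m and current and not m.group(1).startswith(f"domainName={current},"):
            problems.append(f"{current}: baseDN {m.group(1)!r} is not scoped to the domain")
        m = re.match(r"^\s*id = (\S+);", line)
        if m:
            if m.group(1) in ids:
                problems.append(f"duplicate source id {m.group(1)}")
            ids.add(m.group(1))
    return problems


if __name__ == "__main__":
    cfg = render_domains(["example.com", "example.net"])
    print(cfg)
    print("problems:", check_scoping(cfg) or "none")
```

Paste the printed block into sogo.conf in place of the server-wide SOGoUserSources, then run `check_scoping` over the final file before restarting SOGo; a stanza that still carries the server-wide `o=domains,<suffix>` base DN is reported, because that is the source that would let "Any Authenticated User" sharing reach across domains again.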