1 Topic by smiller50

  • smiller50
  • Member
  • Offline
  • Registered: 2018-09-26
  • Posts: 16

Topic: Disable Sogo web interface?

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

iRedMail 0.9.8 / Debian 9 / MySql / Nginx / iRedAdmin standard


What would be the best way to disable the Sogo web interface while still preserving full functionality (Push, Calendar, etc.) for ActiveSync clients? I am using 2FA for Roundcube access and do not use the Sogo web interface at all so I'd like to disable it for security reasons. Nginx doesn't like it if I simply rename the Sogo template files and I'm having difficulty figuring out a proper method.

Thanks for any tips -

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by smiller50 (edited by smiller50 2018-09-26 06:45:54)

  • smiller50
  • Member
  • Offline
  • Registered: 2018-09-26
  • Posts: 16

Re: Disable Sogo web interface?

Aw nevermind, I figured it out, simply comment out the include Sogo template line in '00-default-ssl.conf' (not certain if that is the best way to do it, but it works. wink  )

3 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,792

Re: Disable Sogo web interface?

smiller50 wrote:

What would be the best way to disable the Sogo web interface while still preserving full functionality (Push, Calendar, etc.) for ActiveSync clients?

If you want to keep the calendar/contacts/activesync services, you can NOT comment out sogo template in Nginx config file.

Instead, you can add SOGo parameter "ModulesConstraints" (in /etc/sogo/sogo.conf) to disable Mail function.
FYI: https://sogo.nu/files/docs/SOGoInstallationGuide.html (Search "ModulesConstraints", there're 2 matched search result for LDAP, 2 for SQL)

4 Reply by smiller50

  • smiller50
  • Member
  • Offline
  • Registered: 2018-09-26
  • Posts: 16

Re: Disable Sogo web interface?

Well this is turning out to be more difficult than I would have expected. You're correct, commenting out the Sogo template reference breaks MS Exchange connections for clients. The Sogo "ModulesConstraints" parameter is effective in that it will delete Mail and Calendar access from the Sogo web interface, but it does not completely disable the web interface as the 'Address Book' function is still available (along with ability to change password, etc.) and oddly enough there appears to be no way to delete the Address Book web functionality. The only reference I could find indicates as such and while it is from 2012 and refers to Sogo 2 it still seems accurate in that the Address Book page apparently still cannot be deleted by ModulesConstraints. (https://lists.inverse.ca/sogo/arc/users … 00090.html)

There seems to be many configurable options for the web interface at https://sogo.nu/files/docs/SOGoInstallationGuide.html but as far as I can tell no way to simply disable it entirely. This means that the Sogo web page still remains as an unnecessary security exposure with no way to disable it..? That makes 2FA for Roundcube kinda useless if someone can just go to the Sogo web page and login with a compromised password.

Surely there must be an answer to such a simple thing as disabling the web interface but I am unable to find it (at least in a way that does not also break Exchange functionality for clients.)

5 Reply by smiller50

  • smiller50
  • Member
  • Offline
  • Registered: 2018-09-26
  • Posts: 16

Re: Disable Sogo web interface?

I've posed this question on the Sogo support mailing list as well and will post any input I receive.

6 Reply by smiller50 (edited by smiller50 2018-10-01 01:58:21)

  • smiller50
  • Member
  • Offline
  • Registered: 2018-09-26
  • Posts: 16

Re: Disable Sogo web interface?

Well not a peep from the Sogo support list, but I did figure out a way to disable access to the Sogo web interface without interfering with external ActiveSync client functionality. In the Sogo templates file (/etc/nginx/templates/sogo.tmpl) you can disable http traffic to Sogo by entering:

location ~ ^/SOGo { return 404; }

Enter this immediately after the existing line in the file:  location ^~ /SOGo {   and then restart Nginx.

This will kill traffic to the Sogo web interface however ssl access by EAS clients will not be affected. It will kill DAV client access, but I don't use that. If you do there is probably a way to selectively permit that, but I didn't go that far.

Hope this helps someone with a similar issue.

7 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,792

Re: Disable Sogo web interface?

smiller50 wrote:

The only reference I could find indicates as such and while it is from 2012 and refers to Sogo 2 it still seems accurate in that the Address Book page apparently still cannot be deleted by ModulesConstraints. (https://lists.inverse.ca/sogo/arc/users … 00090.html)

Please help submit a bug report or feature request to ask SOGo team to support disabling  contacts/address books with "ModulesConstraints" parameter.

8 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,792

Re: Disable Sogo web interface?

I just submitted this request:
https://sogo.nu/bugs/view.php?id=4559

Leave a reply in the bug report page to let sogo developers know you need this feature.