1

Topic: Trouble with SOGO

I've had to reinstall Sogo because it stopped working. I'm running the latest nightly build. This config (all clients, passwords, etc) did work before the sogo snafu.

I've updated the sogo config with the current mysql passwords and according to the logs, logins work fine. I'm having *some* kind of config file issue because that got blown away on the reinstall and I had to build it from scratch.

I copied the sogo.conf from a fresh install of sogo and updated the password. That's literally all I did.

Roundcube logins work fine, so I know the passwords and mysql are good.

I know SOGO is accessing the database correctly because of this:

13 Apr 13 17:43:02 sogod [3296558]: SOGoRootPage successful login from '[hostname]' for user 'XXXX' - expire = -1  grace = -1 

Both web logins and activesync fail. Activesync is installed:


With web login, I get this error:

Apr 13 18:23:45 sogod [3324713]: [ERROR] <0x0x55b021b16e70[WOHttpTransaction]> client disconnected during delivery of response for <WORequest[0x0x55b022201070]: method=POST uri=/SOGo/connect app=SOGo rqKey=connect rqPath=(null)> (len=37): the socket was shutdown Apr 13 18:23:45 sogod [3324713]: [ip address] "POST /SOGo/connect HTTP/1.0" 200 37/97 0.039 - - 0 - 

With activesync:

Apr 13 18:14:21 sogod [3324713]: <0x0x55b021de09a0[SOGoActiveSyncDispatcher]> EAS - Forbidden access for user XXXX Apr 13 18:14:21 sogod [3324713]: |SOGo| request took 0.001488 seconds to execute Apr 13 18:14:21 sogod [3324713]: [hostname] "POST /SOGo/Microsoft-Server-ActiveSync?Cmd=FolderSync&User=XXXX&DeviceId=C235039772D84EAF8784ABF59A506311&DeviceType=WindowsOutlook15 HTTP/1.0" 403 0/45 0.002 - - 0 - 11 Apr 13 18:14:23 sogod [3324713]: |SOGo| starting method 'POST' on uri '/SOGo/Microsoft-Server-ActiveSync?Cmd=Sync&User=XXXX&DeviceId=C235039772D84EAF8784ABF59A506311&DeviceType=WindowsOutlook15'

Any ideas, greatly appreciated!

Here is the sogo config file:

{
    //
     //

    // Daemon address and port
    WOPort = 127.0.0.1:20000;

    // PID file
    //WOPidFile = /var/run/sogo/sogo.pid;

    // Log file
    //WOLogFile = /var/log/sogo/sogo.log;

    // Enable verbose logging. Reference:
    
SOGoDebugRequests = YES;
SOGoEASDebugEnabled = YES;
    //ImapDebugEnabled = YES;
    //LDAPDebugEnabled = YES;
    //MySQL4DebugEnabled = YES;
    //PGDebugEnabled = YES;

    // Define the URL to online help for SOGo. When set, an additional icon
    // will appear near the logout button in SOGo's web interface. The URL
    // will always be open in a blank target.
    //SOGoHelpURL = '';

    // set the maximum allowed size for content being sent to SOGo, this can
    // also limit the file attachment size being uploaded to SOGo when
    // composing a mail.
    // The value is in kilobyte. Default is 0 or disabled (unlimit).
    WOMaxUploadSize = 15360;

    // Parameter used to set the maximum allowed email message size when
    // composing a mail.
    // The value is in kilobytes. By default, the value is 0, or disabled so
    // no limit will be set.
    SOGoMaximumMessageSizeLimit = 15360;

    // Performance Tuning
    //
    // The amount of instances of SOGo that will be spawned to handle multiple
    // requests simultaneously. When started from the init script, that amount
    // is overriden by the `PREFORK=` setting in /etc/sysconfig/sogo or
    // /etc/default/sogo. A value of 3 is a reasonable default for low usage.
    // The maximum value depends on the CPU and IO power provided by your
    // machine: a value set too high will actually decrease performances under
    // high load.
    //
    // You should have at least one child per EAS device configured to use
    // "push". You must also have more children than you have EAS devices
    // configured to use "push" - in order to handle normal SOGo requests to
    // its Web or DAV interfaces.
    //
    // Defaults to 1 when unset, increase it if you see below error message in
    // sogo log file: 'No child available to handle incoming request'
    //
    // WARNING:
    //      - on RHEL/CentOS, this setting is controlled by parameter
    //        'PREFORK=' defined in /etc/sysconfig/sogo.
    //      - on Debian/Ubuntu, this setting is controlled by parameter
    //        'PREFORK=' defined in /etc/default/sogo.
    WOWorkersCount = 10;

    // Parameter used to set the maximum amount of time, in seconds, SOGo will
    // wait before replying to a Ping command.
    // If not set, it defaults to 10 seconds.
    SOGoMaximumPingInterval = 3540;

    // Parameter used to set the maximum amount of time, in seconds, SOGo will
    // wait before replying to a Sync command.
    // If not set, it defaults to 30 seconds.
    SOGoMaximumSyncInterval = 3540;

    // Parameter used to set the maximum amount of time, in seconds, SOGo will
    // wait before doing an internal check for data changes (add, delete, and
    // update). This parameter must be lower than SOGoMaximumSyncInterval and
    // SOGoMaximumPingInterval.
    // If not set, it defaults to 10 seconds.
    SOGoInternalSyncInterval = 30;

    // Specifies the number of minutes after which a busy child process will be
    // killed by the parent process.
    // Defaults to 10 (minutes).
    WOWatchDogRequestTimeout = 61;

    // Overwrite the maximum number of items returned during a Sync operation.
    // Defaults to 0, which means no overwrite is performed.
    // Setting this parameter to a value greater than 512 will have unexpected
    // behaviour with various ActiveSync clients.
    //SOGoMaximumSyncWindowSize = 100;

    // Overwrite the maximum response size during a Sync operation.
    // The value is in kilobytes. Setting this to 512 means the response size
    // will be of 524288 bytes or less (or a bit greater if needed for syncing
    // one item). Note that if you set the value too low and a mail message
    // (or any other object like calendar events, tasks and contacts) surpasses
    // it, it will still be synced but only this item will be.
    // Defaults to 0, which means no overwrite is performed.
    //
    // Say you have these five mails and you set the limit to 512KB:
    //  1.  250 KB
    //  2.  250 KB
    //  3.   25 KB
    //  4.  750 KB
    //  5.   10 KB
    // Sync iteration no. 1 will pick message 1, 2 and 3.
    // Sync iteration no. 2 will pick message 4.
    // Sync iteration no. 3 will pick message 5.
    SOGoMaximumSyncResponseSize = 2048;

    // The maximum amount of memory (in megabytes) that a child can use.
    // Reaching that value will force children processes to restart, in order
    // to preserve system memory.
    //
    // Error message when it reaches the value:
    // "terminating app, vMem size limit (xxx MB) has been reached (currently xxx MB)"
    //
    // Defaults to 384.
    SxVMemLimit = 500;

    // Enable XSRF (also known as CSRF) protection.
    SOGoXSRFValidationEnabled = YES;

    // IMAP connection pool.
    // Your performance will slightly increase, as you won't open a new
    // connection for every access to your IMAP server.
    // But you will get a lot of simultaneous open connections to your IMAP
    // server, so make sure he can handle them.
    // For debugging it is reasonable to turn pooling off.
    NGImap4DisableIMAP4Pooling = NO;

    SOGoProfileURL = "mysql://sogo:hBGPpUbECqki5PzjOUaVezGDJarQA4pT@127.0.0.1:3306/sogo/sogo_user_profile";
    OCSFolderInfoURL = "mysql://sogo:hBGPpUbECqki5PzjOUaVezGDJarQA4pT@127.0.0.1:3306/sogo/sogo_folder_info";
    OCSSessionsFolderURL = "mysql://sogo:hBGPpUbECqki5PzjOUaVezGDJarQA4pT@127.0.0.1:3306/sogo/sogo_sessions_folder";
    OCSEMailAlarmsFolderURL = "mysql://sogo:hBGPpUbECqki5PzjOUaVezGDJarQA4pT@127.0.0.1:3306/sogo/sogo_alarms_folder";

    // With 3 parameters below, SOGo requires only 9 SQL tables in total
    // instead of creating 4 SQL tables for each user.
    OCSCacheFolderURL = "mysql://sogo:hBGPpUbECqki5PzjOUaVezGDJarQA4pT@127.0.0.1:3306/sogo/sogo_cache_folder";
    OCSStoreURL = "mysql://sogo:hBGPpUbECqki5PzjOUaVezGDJarQA4pT@127.0.0.1:3306/sogo/sogo_store";
    OCSAclURL = "mysql://sogo:hBGPpUbECqki5PzjOUaVezGDJarQA4pT@127.0.0.1:3306/sogo/sogo_acl";

    // Default language in the web interface
    SOGoLanguage = English;

    // Specify which module to show after login: Calendar, Mail, Contacts.
    SOGoLoginModule = Mail;

    // Must login with full email address
    SOGoForceExternalLoginWithEmail = YES;

    // Allow user to change full name and email address.
    SOGoMailCustomFromEnabled = NO;

    // IMAP server
    // Local connection is considered as secure by Dovecot, so 'imap://' is fine.
    // With remote IMAP server, use 'imaps://127.0.0.1:143/?tls=YES' instead;
    SOGoIMAPServer = "imap://127.0.0.1:143/?tls=YES&tlsVerifyMode=allowInsecureLocalhost";

    // Allow user to add other IMAP accounts that will be visible from the SOGo
    // Webmail interface.
    // Default is NO.
    //SOGoMailAuxiliaryUserAccountsEnabled = YES;

    // SMTP server
    SOGoSMTPServer = "smtp://127.0.0.1:587/?tls=YES&tlsVerifyMode=allowInsecureLocalhost";
    SOGoMailingMechanism = smtp;
    SOGoSMTPAuthenticationType = PLAIN;

    // Enable managesieve service
    //
    // WARNING: Sieve scripts generated by SOGo is not compatible with Roundcube
    //          webmail, don't use sieve service in both webmails, otherwise
    //          it will be messy.
   
    //
    //SOGoSieveServer = "sieve://127.0.0.1:4190/?tls=YES&tlsVerifyMode=allowInsecureLocalhost";
    //SOGoSieveScriptsEnabled = YES;
    //SOGoVacationEnabled = YES;
    //SOGoForwardEnabled = YES;
    SOGoSieveFolderEncoding = UTF-8;

    // Memcached
    SOGoMemcachedHost = 127.0.0.1;

    // Parameter used to set which usernames require administrative privileges
    // over all the users tables. For example, this could be used to post
    // events in the users calendar without requiring the user to configure
    // his/her ACLs. In this case you will need to specify those superuser's
    // usernames like this :
    // SOGoSuperUsernames = (<username1>[,<username2>, ...]);
    //SOGoSuperUsernames = ();

    SOGoTimeZone = "America/New_York";

    SOGoFirstDayOfWeek = 1;

    SOGoRefreshViewCheck = every_5_minutes;
    SOGoMailReplyPlacement = below;

    // Disable gravatar
    SOGoExternalAvatarsEnabled = NO;
    SOGoGravatarEnabled = NO;

    // Control WebDAV access to the Calendar / Contacts collections.
    // This can be used to deny access to these resources from Thunderbird
    // Lightning for example.
    // Defaults to YES when unset.
    //SOGoCalendarDAVAccessEnabled = NO;
    //SOGoAddressBookDAVAccessEnabled = NO;

    // Allow users to share publicly (ie., requiring not authentication) their
    // calendars and address books.
    // Defaults to NO when unset.
    //SOGoEnablePublicAccess = YES;

    //
    // Notifications
    //
    // Enable email-based alarms on events and tasks.
    SOGoEnableEMailAlarms = YES;

    // Notify meeting participants
    SOGoAppointmentSendEMailNotifications = YES;

    // Notify if a calendar or an address book has been created.
    SOGoFoldersSendEMailNotifications = NO;

    // Notify involved users of a calendar or address book's ACLs.
    SOGoACLsSendEMailNotifications = YES;

    // Notify when a modification is being done to his/her own calendar by someone else.
    SOGoNotifyOnExternalModifications = YES;

    // NOTE: PostgreSQL cannot update view in iRedMail
    SOGoPasswordChangeEnabled = YES;

    // Authentication using SQL
    
    SOGoUserSources = (
        {
            type = sql;
            id = users;
            viewURL = "mysql://sogo:[deleted]@127.0.0.1:3306/sogo/users";
            canAuthenticate = YES;

            // The algorithm used for password encryption when changing
            // passwords without Password Policies enabled.
            // Possible values are: plain, crypt, md5-crypt, ssha, ssha512.
            userPasswordAlgorithm = ssha512;
            prependPasswordScheme = YES;

            // Use `vmail.mailbox` as per-domain address book.
            isAddressBook = YES;
            displayName = "Domain Address Book";
            SOGoEnableDomainBasedUID = YES;
            DomainFieldName = "domain";

            // Listing of this LDAP source is only possible when performing a
            // search (respecting the SOGoSearchMinimumWordLength parameter)
            // or when explicitely typing a single dot.
            // Defaults to YES when unset.
            //
            // WARNING: if you have many accounts in this address book, it may
            //          reach server-side query size limit, or cause
            //          performance issue.
            listRequiresDot = NO;

            ModulesConstraints = {
                Mail = { c_webmail = y; };
                Calendar = { c_calendar = y; };
                ActiveSync = { c_activesync = y; };
            };
        },

        //{
        //    displayName = "Global Address Book";
        //    type = sql;
        //    id = global_address_book;
        //    viewURL = "mysql://sogo:hBGPpUbECqki5PzjOUaVezGDJarQA4pT@127.0.0.1:3306/sogo/users";
        //    canAuthenticate = NO;
        //    isAddressBook = YES;
        //    listRequiresDot = NO;
        //    SOGoEnableDomainBasedUID = YES;
        //    DomainFieldName = "domain";
        //},

        // Display mailing aliases in address book.
        // You need to create SQL view 'sogo.aliases' first.
        //
        // For MySQL:
        //
        //  CREATE VIEW sogo.aliases (c_uid, c_name, c_password, c_cn, mail, domain)
        //          AS SELECT address, name, '', name, address, domain
        //          FROM vmail.alias WHERE active=1;
        //
        //{
        //    displayName = "Mailing Lists";
        //    type = sql;
        //    id = aliases;
        //    viewURL = "mysql://sogo:hBGPpUbECqki5PzjOUaVezGDJarQA4pT@127.0.0.1:3306/sogo/aliases";
        //    canAuthenticate = NO;
        //    isAddressBook = YES;
        //    listRequiresDot = NO;
        //    SOGoEnableDomainBasedUID = YES;
        //    DomainFieldName = "domain";
        //},
    );
    

    // Authentication using LDAP
    /* LDAP backend
    SOGoUserSources = (
        {
            // Used for user authentication
            type = ldap;
            id = users;
            canAuthenticate = YES;
            isAddressBook = NO;
            displayName = "LDAP Authentication";

            hostname = "PH_LDAP_URI";
            baseDN = "domainName=%d,PH_LDAP_BASEDN";
            bindDN = "PH_LDAP_BINDDN";
            bindPassword = "PH_LDAP_BINDPW";
            filter = "objectClass=mailUser AND accountStatus=active AND enabledService=mail AND enabledService=sogo";
            scope = SUB;

            // always keep binding to the LDAP server using the DN of the
            // currently authenticated user. bindDN and bindPassword are still
            // required to find DN of the user.
            // Note: with default LDAP acl configured by iRedMail, user doesn't
            //       have privilege to query PH_LDAP_BASEDN.
            //       so this doesn't work.
            bindAsCurrentUser = YES;

            // The algorithm used for password encryption when changing
            // passwords without Password Policies enabled.
            // Possible values are: plain, crypt, md5-crypt, ssha, ssha512.
            userPasswordAlgorithm = ssha512;

            CNFieldName = cn;
            IDFieldName = mail;
            // value of UIDFieldName must be unique on entire server
            UIDFieldName = mail;
            IMAPLoginFieldName = mail;
            MailFieldNames = (mail);
            bindFields = (mail);

            ModulesConstraints = {
                Mail = { enabledService = sogowebmail; };
                Calendar = { enabledService = sogocalendar; };
                ActiveSync = { enabledService = sogoactivesync; };
            };
        },
        {
            // Used for global address book
            type = ldap;
            id = global_addressbook;
            canAuthenticate = NO;
            isAddressBook = YES;
            displayName = "Global Address Book";
            bindAsCurrentUser = YES;

            // Listing of this LDAP source is only possible when performing a
            // search (respecting the SOGoSearchMinimumWordLength parameter)
            // or when explicitely typing a single dot.
            // Defaults to YES when unset.
            //
            // WARNING: if you have many accounts in this address book, it may
            //          reach server-side query size limit, or cause
            //          performance issue.
            listRequiresDot = NO;

            hostname = "PH_LDAP_URI";
            baseDN = "domainName=%d,PH_LDAP_BASEDN";
            bindDN = "PH_LDAP_BINDDN";
            bindPassword = "PH_LDAP_BINDPW";
            filter = "((enabledService=mail AND accountStatus=active AND enabledService=displayedInGlobalAddressBook) AND ((objectClass=mailUser AND enabledService=sogo) OR (objectClass=mailList) OR (objectClass=mailAlias)))";
            scope = SUB;

            IDFieldName = mail;
            bindFields = (mail);
            // value of UID field must be unique on whole server.
            UIDFieldName = mail;
            IMAPLoginFieldName = mail;

            CNFieldName = cn;
            SearchFieldNames = (cn, sn, displayName, telephoneNumber, mail, shadowAddress, departmentNumber);

            // Resources management (Free/Busy)
           
            KindFieldName = "Kind";
            MultipleBookingsFieldName = "MultipleBookings";
        }
    );
    LDAP backend */
}

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team.

2

Re: Trouble with SOGO

Which iRedMail release are you running? There're 2 SOGo related fixes in latest iRedMail-1.5.2, you'd better check it out:
https://docs.iredmail.org/upgrade.iredm … 1.5.2.html

3

Re: Trouble with SOGO

ZhangHuangbin wrote:

Which iRedMail release are you running? There're 2 SOGo related fixes in latest iRedMail-1.5.2, you'd better check it out:
[url omitted]

Wow! Thanks.

The nginx settings fixed the web login. I dropped the sessions table, but that didn't change my experience.

I'm still getting a EAS - Forbidden access for user XXX with no other errors and the user account (in fact all) have activedirectory permission set to 1.

Any suggestions there?

thank you so much!!

4

Re: Trouble with SOGO

Any error in /var/log/sogo/sogo.log when you got the "Forbidden access" issue?