[SOGo] BTS activities for Friday, January 25 2019

2019-01-25 Thread SOGo reporter
Title: BTS activities for Friday, January 25 2019





  
BTS Activities

  Home page: http://www.sogo.nu/bugs
  Project: SOGo
  For the period covering: Friday, January 25 2019

  id    last update          status (resolution)  category     summary
  4658  2019-01-25 18:46:01  updated (open)       i18n         Translations missing on transifex
  4598  2019-01-25 09:46:36  updated (open)       Web General  Slow login when users have big web calendars subscribed.
  4460  2019-01-25 14:37:42  updated (open)       Web Mail     Sent folder: sent messages cannot be replied to their BCC email addresses
  4596  2019-01-25 09:55:49  updated (open)       Web Mail     Report Junk/NoJunk icons: add confirmation action, please.



-- 
users@sogo.nu
https://inverse.ca/sogo/lists

Re: [SOGo] Signing into sogo redirects you to login again

2019-01-25 Thread Pedro Antunes
Hi Matthew,

I had the same problem, but it was related to the virtual host that I
created for webmail.

My solution was to redirect / to /SOGo in nginx.

location / {
    try_files $uri $uri/ @strip-ext;
    return 301 /SOGo$1;
}

Regards,
Pedro Antunes

On 25/01/2019, 23:32, "users-requ...@sogo.nu on behalf of Matthew Valdez" wrote:

Hello all,

Currently have SOGo setup to authenticate and login using ldap for our 
Active directory and when I go to sign in, it will redirect you to 
sogo/SOGo/username and it will be the login screen again, and you can 
keep repeating the login. I am assuming it has something to do with the 
database? I created the database and the user, I tried creating the 
tables and nothing changes. Below is my sogo config file with a few 
modifications to remove any "sensitive" data.

Thanks,

-Matthew


{

    SOGoProfileURL            = "mysql://sogo:sogo@127.0.0.1:3306/sogo/sogo_user_profile";
    OCSFolderInfoURL          = "mysql://sogo:sogo@127.0.0.1:3306/sogo/sogo_folder_info";
    OCSSessionsFolderURL      = "mysql://sogo:sogo@127.0.0.1:3306/sogo/sogo_sessions_info";
    OCSEMailAlarmsFolderURL   = "mysql://sogo:sogo@127.0.0.1:3306/sogo/sogo_alarms_folder";
    OCSStoreURL               = "mysql://sogo:sogo@127.0.0.1:3306/sogo/sogo_store";
    OCSAclURL                 = "mysql://sogo:sogo@127.0.0.1:3306/sogo/sogo_acl";
    OCSCacheFolderURL         = "mysql://sogo:sogo@127.0.0.1:3306/sogo/sogo_cache_folder";

    SOGoLanguage              = English;
    SOGoAuthenticationType    = LDAP;
    SOGoSieveScriptsEnabled   = YES;
    SOGoForwardEnabled        = YES;
    SOGoVacationEnabled       = YES;
    SOGoEnableEMailAlarms     = YES;
    SOGoTimeZone              = US/Central;
    SOGoSieveServer           = sieve://127.0.0.1:4190;
    SOGoCalendarDefaultRoles  = ("PublicDAndTViewer");
    SOGoAppointmentSendEMailNotifications = YES;


    SOGoUserSources = (
        {
            type            = ldap;
            CNFieldName     = cn;
            IDFieldName     = uid;
            UIDFiledName    = sAMAccountName;
            baseDN          = "CN=Users,DC=domain,DC=local";
            bindDN          = "CN=Sogo User,CN=Users,DC=domain,DC=local";
            bindFields      = (sAMAccountName);
            bindPassword    = sogo;
            canAuthenticate = YES;
            displayName     = "Active Directory";
            hostname        = "ldap://ipaddress:389";
            id              = directory;
            isAddressBook   = YES;
        }
    );
}



-- 
Matthew Valdez
Ludlum Measurements, Inc.
501 Oak Street
Sweetwater, TX 79556 USA
(325) 235-5494 Phone, ext:3393
maval...@ludlums.com

-- 
users@sogo.nu
https://inverse.ca/sogo/lists


[SOGo] Signing into sogo redirects you to login again

2019-01-25 Thread Matthew Valdez

Hello all,

Currently have SOGo setup to authenticate and login using ldap for our 
Active directory and when I go to sign in, it will redirect you to 
sogo/SOGo/username and it will be the login screen again, and you can 
keep repeating the login. I am assuming it has something to do with the 
database? I created the database and the user, I tried creating the 
tables and nothing changes. Below is my sogo config file with a few 
modifications to remove any "sensitive" data.


Thanks,

-Matthew


{

    SOGoProfileURL            = "mysql://sogo:sogo@127.0.0.1:3306/sogo/sogo_user_profile";
    OCSFolderInfoURL          = "mysql://sogo:sogo@127.0.0.1:3306/sogo/sogo_folder_info";
    OCSSessionsFolderURL      = "mysql://sogo:sogo@127.0.0.1:3306/sogo/sogo_sessions_info";
    OCSEMailAlarmsFolderURL   = "mysql://sogo:sogo@127.0.0.1:3306/sogo/sogo_alarms_folder";
    OCSStoreURL               = "mysql://sogo:sogo@127.0.0.1:3306/sogo/sogo_store";
    OCSAclURL                 = "mysql://sogo:sogo@127.0.0.1:3306/sogo/sogo_acl";
    OCSCacheFolderURL         = "mysql://sogo:sogo@127.0.0.1:3306/sogo/sogo_cache_folder";


    SOGoLanguage              = English;
    SOGoAuthenticationType    = LDAP;
    SOGoSieveScriptsEnabled   = YES;
    SOGoForwardEnabled        = YES;
    SOGoVacationEnabled       = YES;
    SOGoEnableEMailAlarms     = YES;
    SOGoTimeZone              = US/Central;
    SOGoSieveServer           = sieve://127.0.0.1:4190;
    SOGoCalendarDefaultRoles  = ("PublicDAndTViewer");
    SOGoAppointmentSendEMailNotifications = YES;


    SOGoUserSources = (
        {
            type            = ldap;
            CNFieldName     = cn;
            IDFieldName     = uid;
            UIDFiledName    = sAMAccountName;
            baseDN          = "CN=Users,DC=domain,DC=local";
            bindDN          = "CN=Sogo User,CN=Users,DC=domain,DC=local";
            bindFields      = (sAMAccountName);
            bindPassword    = sogo;
            canAuthenticate = YES;
            displayName     = "Active Directory";
            hostname        = "ldap://ipaddress:389";
            id              = directory;
            isAddressBook   = YES;
        }
    );
}



--
Matthew Valdez
Ludlum Measurements, Inc.
501 Oak Street
Sweetwater, TX 79556 USA
(325) 235-5494 Phone, ext:3393
maval...@ludlums.com

--
users@sogo.nu
https://inverse.ca/sogo/lists


Re: [SOGo] Alias for all mailboxes

2019-01-25 Thread Pedro Antunes
I'm using postfix.

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
    check_recipient_access proxy:mysql:/opt/postfix/conf/sql/mysql_tls_enforce_in_policy.cf,
    reject_invalid_helo_hostname, reject_unknown_reverse_client_hostname,
    reject_unauth_destination

I think it is there that I can restrict it. Do you know how I can do it?

Regards,
Pedro Antunes

On 25/01/2019, 19:39, "Pedro Antunes"  wrote:

How can I check it?

I'm using mailcow with dovecot.

Thanks in advance,
Pedro Antunes

On 25/01/2019, 18:13, "Christoph Kreutzer" wrote:

Hi Pedro,

Do you use Postfix as MTA? Then it should be possible.
Actually, you can do quite the same with any other lookup instead of 
LDAP (I also use one regexp as you can see):
http://www.postfix.org/DATABASE_README.html#types

If your user source is e.g. MySQL or Postgres, you can use that, too. 
Or as the easiest forms in files there are the hash and texthash types.

So if you want to replace my ldap-internal_user_lookup.cf, you could 
use a file of allowed senders in the following format (type texthash):
us...@example.com OK
us...@example.com OK

ldap-check_recipient_access.cf is the same, but you should have a list 
that returns, so like:
li...@example.com internal_user_lookup
li...@example.com internal_user_lookup

Instead of texthash, it is usually better to use hash. For texthash, 
you need to reload postfix to make it pick up the changes. For hash, you only 
need to run postmap on the file (see the doc above).

Best regards,
Christoph

> On 25.01.2019 at 17:24, Pedro Antunes wrote:
> 
> Thanks for your help.
>  
> Without LDAP, can I restrict senders?
>  
> Is there any config file for this?
>  
> Regards,
> Pedro Antunes
>  
> From: Christoph Kreutzer 
> Date: Friday, 25 January 2019 at 15:59
> To: "users@sogo.nu" 
> Cc: "pantu...@suroot.pt" 
> Subject: Re: [SOGo] Alias for all mailboxes
>  
> Hi,
> 
> I implemented something like that in the backend, too. I’m using OpenLDAP.
> 
> I have a script (PHP CLI script as part of a Zend Framework management
> frontend) that uses a config file containing some LDAP searches to
> automatically add/remove users to/from groups based on some attributes. That
> part is hard to share, but it shouldn’t be too hard implementing it with some
> Shell script if you are using the LDAP backend, too.
> 
> Regarding restrictions:
> As MJ proposed, I handle that in Postfix.
> 
> In main.cf, after smtpd_recipient_restrictions and smtpd_data_restrictions,
> there is a section:
> # allow setting action internal_user_lookup to disallow non-listed users as sender
> smtpd_restriction_classes =
>     internal_user_lookup
> internal_user_lookup =
>     check_sender_access ldap:/etc/postfix/ldap-internal_user_lookup.cf,
>     # reject if not successful
>     check_recipient_access regexp:/etc/postfix/regexp-check_recipient_access-reject,
>     reject
> 
> ldap-internal_user_lookup.cf looks like this:
> # resolve all mail addresses to OK (for checking of internal users)
> query_filter = (&(|(objectClass=mailGroup)(objectClass=mailRecipient)(objectClass=inetOrgPerson))(|(mail=%s)(mailAlternateAddress=%s)(mailForwardingAddress=%s)(mailRoutingAddress=%s)))
> result_attribute = mail
> result_format = OK
> (LDAP config is missing here)
> 
> regexp-check_recipient_access-reject:
> # the same message for all
> /^(.*)$/ 550 5.4.1 Delivery to this mailbox is not permitted for you
> 
> You see the point - if the sender address is somewhere in my Directory, the
> LDAP result returns OK - Mail is accepted. Otherwise, it returns no result
> and the second check is performed.
> 
> # postmap -q kreutzer.christ...@yesthatsmymail.com ldap:/etc/postfix/ldap-internal_user_lookup.cf
> OK
> # postmap -q kreutzer.christ...@example.com ldap:/etc/postfix/ldap-internal_user_lookup.cf
> (no result)
> # postmap -q kreutzer.christ...@example.com regexp:/etc/postfix/regexp-check_recipient_access-reject
> 550 5.4.1 Delivery to this mailbox is not permitted for you
> 
> That always returns the 550 so the message will be rejected.
> 
> 
> But how is internal_user_lookup actually enforced? This is how I’ve got it
> done:
> ldap-check_recipient_access.cf:
> # get recipient policy for a mail group
> query_filter = 

Re: [SOGo] Alias for all mailboxes

2019-01-25 Thread Pedro Antunes
How can I check it?

I'm using mailcow with dovecot.

Thanks in advance,
Pedro Antunes

On 25/01/2019, 18:13, "Christoph Kreutzer" wrote:

Hi Pedro,

Do you use Postfix as MTA? Then it should be possible.
Actually, you can do quite the same with any other lookup instead of LDAP 
(I also use one regexp as you can see):
http://www.postfix.org/DATABASE_README.html#types

If your user source is e.g. MySQL or Postgres, you can use that, too. Or as 
the easiest forms in files there are the hash and texthash types.

So if you want to replace my ldap-internal_user_lookup.cf, you could use a 
file of allowed senders in the following format (type texthash):
us...@example.com OK
us...@example.com OK

ldap-check_recipient_access.cf is the same, but you should have a list that 
returns, so like:
li...@example.com internal_user_lookup
li...@example.com internal_user_lookup

Instead of texthash, it is usually better to use hash. For texthash, you 
need to reload postfix to make it pick up the changes. For hash, you only need 
to run postmap on the file (see the doc above).

Best regards,
Christoph

> On 25.01.2019 at 17:24, Pedro Antunes wrote:
> 
> Thanks for your help.
>  
> Without LDAP, can I restrict senders?
>  
> Is there any config file for this?
>  
> Regards,
> Pedro Antunes
>  
> From: Christoph Kreutzer 
> Date: Friday, 25 January 2019 at 15:59
> To: "users@sogo.nu" 
> Cc: "pantu...@suroot.pt" 
> Subject: Re: [SOGo] Alias for all mailboxes
>  
> Hi,
> 
> I implemented something like that in the backend, too. I’m using OpenLDAP.
> 
> I have a script (PHP CLI script as part of a Zend Framework management
> frontend) that uses a config file containing some LDAP searches to
> automatically add/remove users to/from groups based on some attributes. That
> part is hard to share, but it shouldn’t be too hard implementing it with some
> Shell script if you are using the LDAP backend, too.
> 
> Regarding restrictions:
> As MJ proposed, I handle that in Postfix.
> 
> In main.cf, after smtpd_recipient_restrictions and smtpd_data_restrictions,
> there is a section:
> # allow setting action internal_user_lookup to disallow non-listed users as sender
> smtpd_restriction_classes =
>     internal_user_lookup
> internal_user_lookup =
>     check_sender_access ldap:/etc/postfix/ldap-internal_user_lookup.cf,
>     # reject if not successful
>     check_recipient_access regexp:/etc/postfix/regexp-check_recipient_access-reject,
>     reject
> 
> ldap-internal_user_lookup.cf looks like this:
> # resolve all mail addresses to OK (for checking of internal users)
> query_filter = (&(|(objectClass=mailGroup)(objectClass=mailRecipient)(objectClass=inetOrgPerson))(|(mail=%s)(mailAlternateAddress=%s)(mailForwardingAddress=%s)(mailRoutingAddress=%s)))
> result_attribute = mail
> result_format = OK
> (LDAP config is missing here)
> 
> regexp-check_recipient_access-reject:
> # the same message for all
> /^(.*)$/ 550 5.4.1 Delivery to this mailbox is not permitted for you
> 
> You see the point - if the sender address is somewhere in my Directory, the
> LDAP result returns OK - Mail is accepted. Otherwise, it returns no result
> and the second check is performed.
> 
> # postmap -q kreutzer.christ...@yesthatsmymail.com ldap:/etc/postfix/ldap-internal_user_lookup.cf
> OK
> # postmap -q kreutzer.christ...@example.com ldap:/etc/postfix/ldap-internal_user_lookup.cf
> (no result)
> # postmap -q kreutzer.christ...@example.com regexp:/etc/postfix/regexp-check_recipient_access-reject
> 550 5.4.1 Delivery to this mailbox is not permitted for you
> 
> That always returns the 550 so the message will be rejected.
> 
> 
> But how is internal_user_lookup actually enforced? This is how I’ve got it
> done:
> ldap-check_recipient_access.cf:
> # get recipient policy for a mail group
> query_filter = (&(objectClass=mailGroup)(|(mail=%s)(mailAlternateAddress=%s)))
> result_attribute = mgrpBroadcasterPolicy
> 
> main.cf again:
> smtpd_recipient_restrictions =
>     reject_non_fqdn_recipient,
>     reject_unknown_recipient_domain,
>     reject_unlisted_recipient,
>     [...]
>     check_recipient_access ldap:/etc/postfix/ldap-check_recipient_access.cf,
>     reject_unverified_recipient
> 
> So, for every incoming mail I make a call to that LDAP search above. If the
> group has the attribute mgrpBroadcasterPolicy set to internal_user_lookup
> (that’s the only value that will be set at the moment, otherwise it won’t
> exist), the defined smtpd_restriction_class is called. Which does what I
> described above.
> 
> Hope that helps :-) The postfix docs are actually really 

Re: [SOGo] Alias for all mailboxes

2019-01-25 Thread Christoph Kreutzer
Hi Pedro,

Do you use Postfix as MTA? Then it should be possible.
Actually, you can do quite the same with any other lookup instead of LDAP (I 
also use one regexp as you can see):
http://www.postfix.org/DATABASE_README.html#types

If your user source is e.g. MySQL or Postgres, you can use that, too. Or as the 
easiest forms in files there are the hash and texthash types.

So if you want to replace my ldap-internal_user_lookup.cf, you could use a file 
of allowed senders in the following format (type texthash):
us...@example.com OK
us...@example.com OK

ldap-check_recipient_access.cf is the same, but you should have a list that 
returns, so like:
li...@example.com internal_user_lookup
li...@example.com internal_user_lookup

Instead of texthash, it is usually better to use hash. For texthash, you need 
to reload postfix to make it pick up the changes. For hash, you only need to 
run postmap on the file (see the doc above).

Best regards,
Christoph

> On 25.01.2019 at 17:24, Pedro Antunes wrote:
> 
> Thanks for your help.
>  
> Without LDAP, can I restrict senders?
>  
> Is there any config file for this?
>  
> Regards,
> Pedro Antunes
>  
> From: Christoph Kreutzer 
> Date: Friday, 25 January 2019 at 15:59
> To: "users@sogo.nu" 
> Cc: "pantu...@suroot.pt" 
> Subject: Re: [SOGo] Alias for all mailboxes
>  
> Hi,
> 
> I implemented something like that in the backend, too. I’m using OpenLDAP.
> 
> I have a script (PHP CLI script as part of a Zend Framework management 
> frontend) that uses a config file containing some LDAP searches to 
> automatically add/remove users to/from groups based on some attributes. That 
> part is hard to share, but it shouldn’t be too hard implementing it with some 
> Shell script if you are using the LDAP backend, too.
> 
> Regarding restrictions:
> As MJ proposed, I handle that in Postfix.
> 
> In main.cf, after smtpd_recipient_restrictions and smtpd_data_restrictions, 
> there is a section:
> # allow setting action internal_user_lookup to disallow non-listed users as sender
> smtpd_restriction_classes =
>     internal_user_lookup
> internal_user_lookup =
>     check_sender_access ldap:/etc/postfix/ldap-internal_user_lookup.cf,
>     # reject if not successful
>     check_recipient_access regexp:/etc/postfix/regexp-check_recipient_access-reject,
>     reject
> 
> ldap-internal_user_lookup.cf looks like this:
> # resolve all mail addresses to OK (for checking of internal users)
> query_filter = (&(|(objectClass=mailGroup)(objectClass=mailRecipient)(objectClass=inetOrgPerson))(|(mail=%s)(mailAlternateAddress=%s)(mailForwardingAddress=%s)(mailRoutingAddress=%s)))
> result_attribute = mail
> result_format = OK
> (LDAP config is missing here)
> 
> regexp-check_recipient_access-reject:
> # the same message for all
> /^(.*)$/ 550 5.4.1 Delivery to this mailbox is not permitted for you
> 
> You see the point - if the sender address is somewhere in my Directory, the
> LDAP result returns OK - Mail is accepted. Otherwise, it returns no result
> and the second check is performed.
> 
> # postmap -q kreutzer.christ...@yesthatsmymail.com ldap:/etc/postfix/ldap-internal_user_lookup.cf
> OK
> # postmap -q kreutzer.christ...@example.com ldap:/etc/postfix/ldap-internal_user_lookup.cf
> (no result)
> # postmap -q kreutzer.christ...@example.com regexp:/etc/postfix/regexp-check_recipient_access-reject
> 550 5.4.1 Delivery to this mailbox is not permitted for you
> 
> That always returns the 550 so the message will be rejected.
> 
> 
> But how is internal_user_lookup actually enforced? This is how I’ve got it
> done:
> ldap-check_recipient_access.cf:
> # get recipient policy for a mail group
> query_filter = (&(objectClass=mailGroup)(|(mail=%s)(mailAlternateAddress=%s)))
> result_attribute = mgrpBroadcasterPolicy
> 
> main.cf again:
> smtpd_recipient_restrictions =
>     reject_non_fqdn_recipient,
>     reject_unknown_recipient_domain,
>     reject_unlisted_recipient,
>     [...]
>     check_recipient_access ldap:/etc/postfix/ldap-check_recipient_access.cf,
>     reject_unverified_recipient
> 
> So, for every incoming mail I make a call to that LDAP search above. If the 
> group has the attribute mgrpBroadcasterPolicy set to internal_user_lookup 
> (that’s the only value that will be set at the moment, otherwise it won’t 
> exist), the defined smtpd_restriction_class is called. Which does what I 
> described above.
> 
> Hope that helps :-) The postfix docs are actually really good, but it’s 
> complex to implement. Sometimes you just need a test setup. I got started 
> there, I believe: http://www.postfix.org/LDAP_README.html
>  
> Best regards,
> Christoph
> 
> 
> On 25.01.2019 at 13:09, mj (li...@merit.unu.edu) wrote:
> 
> Hi,
> 
> On 1/25/19 3:37 AM, Pedro Antunes (pantu...@suroot.pt) wrote:
> 
> Hi,
> how i can create an distribution list (alias) that contain all mailboxes of 
> one domain? its possible?
> It’s possible restrict who can send emails to one alias?
> 
> 

Re: [SOGo] Alias for all mailboxes

2019-01-25 Thread Gordon Messmer

On 1/25/19 5:00 AM, Pedro Antunes (pantu...@suroot.pt) wrote:

Ok. One more question.. It's possible restrict one alias to one sender?



The method will depend on which MTA you're using.  The most generic way 
is probably to use a mailing list instead of an alias.  Aliases 
typically don't have any business rules or logic associated with them.  
GNU Mailman can restrict senders.  Qmail or Courier MTA systems can use 
dot-qmail or dot-courier files and implement the check in a shell script.


--
users@sogo.nu
https://inverse.ca/sogo/lists


Re: [SOGo] AD LDAP SOGoUserSources

2019-01-25 Thread Michael Hekeler
It's always easier to break a complex problem down into small parts.
For AD auth with sogo I would suggest to install some ldap command
line client and test if I can access ldap first.

And if this is working then in the next step configure sogo with
the same auth params.





> On 25.01.2019 at 10:14, Rowland Penny (rpenny241...@gmail.com) wrote:
> 
> On Thu, 24 Jan 2019 14:48:01 -0800
> "Carl Doss" (cd...@bahaicenter.net)  wrote:
> 
> 
>>> On 1/24/2019 1:28 PM, Matthew Valdez (maval...@ludlums.com) wrote:
>>> Hello,
>>>
>>> I am trying to setup the SOGoUserSources by using Active Directory
>>> and LDAP and for some reason I cannot seem to get it to work. I am
>>> able to login if I use the type SQL, but cannot seem to get it to
>>> work with ldap. Any help would be appreciated, this is what I have
>>> for SOGoUserSources, of course modified a little to share with you
>>> all.
>>>
>>>
>>> SOGoUserSources = (
>>>     {
>>>         type            = ldap;
>>>         CNFieldName     = cn;
>>>         IDFieldName     = uid;
>>>         UIDFieldName    = uid;
>>>         baseDN          = "cn=Users,dc=domain,dc=local";
>>>         bindDN          = "cn=sogo,cn=Users,dc=domain,dc=local";
>>>         bindPassword    = password;
>>>         canAuthenticate = YES;
>>>         displayName     = "Shared Addresses";
>>>         hostname        = "ldap://dns.dc.local:389";
>>>         id              = public;
>>>         isAddressBook   = YES;
>>>     }
>>> );
>>>
> 
> Taking this:
> 
> cn=Users,dc=domain,dc=local
> 
> and this:
> 
> ldap://dns.dc.local:389
> 
> into account, is the FQDN of the AD DC really
> 'dns.dc.local' ?
> 
> To put it another way, they do not match, 'dc=domain,dc=local' will
> come from your dns domain 'domain.local' so the 'hostname' should be
> 'ldap://' or 'ldap://.domain.local'
> 
> Rowland
> 
> 
> -- 
> users@sogo.nu
> https://inverse.ca/sogo/lists
-- 
users@sogo.nu
https://inverse.ca/sogo/lists


Re: [SOGo] Alias for all mailboxes

2019-01-25 Thread Pedro Antunes
Thanks for your help.

Without LDAP, can I restrict senders?

Is there any config file for this?

Regards,
Pedro Antunes

From: Christoph Kreutzer 
Date: Friday, 25 January 2019 at 15:59
To: "users@sogo.nu" 
Cc: "pantu...@suroot.pt" 
Subject: Re: [SOGo] Alias for all mailboxes

Hi,

I implemented something like that in the backend, too. I’m using OpenLDAP.

I have a script (PHP CLI script as part of a Zend Framework management 
frontend) that uses a config file containing some LDAP searches to 
automatically add/remove users to/from groups based on some attributes. That 
part is hard to share, but it shouldn’t be too hard implementing it with some 
Shell script if you are using the LDAP backend, too.

Regarding restrictions:
As MJ proposed, I handle that in Postfix.

In main.cf, after smtpd_recipient_restrictions and smtpd_data_restrictions, 
there is a section:
# allow setting action internal_user_lookup to disallow non-listed users as sender
smtpd_restriction_classes =
    internal_user_lookup
internal_user_lookup =
    check_sender_access ldap:/etc/postfix/ldap-internal_user_lookup.cf,
    # reject if not successful
    check_recipient_access regexp:/etc/postfix/regexp-check_recipient_access-reject,
    reject

ldap-internal_user_lookup.cf looks like this:
# resolve all mail addresses to OK (for checking of internal users)
query_filter = (&(|(objectClass=mailGroup)(objectClass=mailRecipient)(objectClass=inetOrgPerson))(|(mail=%s)(mailAlternateAddress=%s)(mailForwardingAddress=%s)(mailRoutingAddress=%s)))
result_attribute = mail
result_format = OK
(LDAP config is missing here)

regexp-check_recipient_access-reject:
# the same message for all
/^(.*)$/ 550 5.4.1 Delivery to this mailbox is not permitted for you

You see the point - if the sender address is somewhere in my Directory, the
LDAP result returns OK - Mail is accepted. Otherwise, it returns no result and
the second check is performed.

# postmap -q kreutzer.christ...@yesthatsmymail.com ldap:/etc/postfix/ldap-internal_user_lookup.cf
OK
# postmap -q kreutzer.christ...@example.com ldap:/etc/postfix/ldap-internal_user_lookup.cf
(no result)
# postmap -q kreutzer.christ...@example.com regexp:/etc/postfix/regexp-check_recipient_access-reject
550 5.4.1 Delivery to this mailbox is not permitted for you

That always returns the 550 so the message will be rejected.


But how is internal_user_lookup actually enforced? This is how I’ve got it done:
ldap-check_recipient_access.cf:
# get recipient policy for a mail group
query_filter = (&(objectClass=mailGroup)(|(mail=%s)(mailAlternateAddress=%s)))
result_attribute = mgrpBroadcasterPolicy

main.cf again:
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unlisted_recipient,
    [...]
    check_recipient_access ldap:/etc/postfix/ldap-check_recipient_access.cf,
    reject_unverified_recipient

So, for every incoming mail I make a call to that LDAP search above. If the 
group has the attribute mgrpBroadcasterPolicy set to internal_user_lookup 
(that’s the only value that will be set at the moment, otherwise it won’t 
exist), the defined smtpd_restriction_class is called. Which does what I 
described above.

Hope that helps :-) The postfix docs are actually really good, but it’s complex 
to implement. Sometimes you just need a test setup. I got started there, I 
believe: http://www.postfix.org/LDAP_README.html

Best regards,
Christoph


On 25.01.2019 at 13:09, mj (li...@merit.unu.edu) wrote:

Hi,

On 1/25/19 3:37 AM, Pedro Antunes 
(pantu...@suroot.pt) wrote:

Hi,
how i can create an distribution list (alias) that contain all mailboxes of one 
domain? its possible?
It’s possible restrict who can send emails to one alias?

We do this in our accounts backend (ldap/AD) by creating a group, give it an 
email address, and add users to it.

Then in sogo.conf we add a specific user source, something like:


   type = ldap;
   CNFieldName = displayName;
   IDFieldName = cn;
   UIDFieldName = uid;
   baseDN = "CN=Groups,DC=";
   canAuthenticate = NO;
   bindDN = "cn=sogo-groups,cn=.";
   bindPassword = ;
   displayName = "Our groups";
   listRequiresDot = NO;
   MailFieldNames =(mail, otherMailbox, proxyAddresses);
   id = ad-mail-groups;
   isAddressBook = YES;
   port = 389;
   scope = "SUB";
   filter = "(objectClass=group)";

You also need to configure postfix to handle these same groups.

About restrictions: I guess I'd look at the postfix side of things for 
restrictions. But I don't have an answer ready for you.

MJ
--
users@sogo.nu
https://inverse.ca/sogo/lists


Re: [SOGo] AD LDAP SOGoUserSources

2019-01-25 Thread Matthew Valdez

I appreciate all the help. I got it now. Had to make a few modifications.


{
    SOGoUserSources = (
        {
            type            = ldap;
            CNFieldName     = cn;
            IDFieldName     = uid;
            UIDFiledName    = sAMAccountName;
            baseDN          = "CN=Users,DC=domain,DC=local";
            bindDN          = "CN=Sogo User,CN=Users,DC=domain,DC=local";
            bindFields      = (sAMAccountName);
            bindPassword    = password;
            canAuthenticate = YES;
            displayName     = "Active Directory";
            hostname        = "ldap://dnsip:389";
            id              = directory;
            isAddressBook   = YES;
        }
    );
}

Thanks,


-Matthew

On 1/24/2019 4:48 PM, Carl Doss (cd...@bahaicenter.net) wrote:

type=ldap;
    type=ldap;
    CNFieldName = cn;
    IDFieldName = cn;
    UIDFieldName = sAMAccountName;
    baseDN = "cn=Users,dc=domain,dc=local";
    bindDN = "cn=sogo,cn=Users,dc=domain,dc=local";
    bindPassword = password;
    bindFields = (sAMAccountName);
    canAuthenticate = YES;
    displayName = "Active Directory";
    hostname = ldap://dns.dc.local:;
    id = directory;
    isAddressBook = YES;

On 1/24/2019 2:20 PM, Carl Doss (cd...@bahaicenter.net) wrote:

I hate to ask a stupid question, but did you set up Kerberos?

On 1/24/2019 1:28 PM, Matthew Valdez (maval...@ludlums.com) wrote:

Hello,

I am trying to setup the SOGoUserSources by using Active Directory 
and LDAP and for some reason I cannot seem to get it to work. I am 
able to login if I use the type SQL, but cannot seem to get it to 
work with ldap. Any help would be appreciated, this is what I have 
for SOGoUserSources, of course modified a little to share with you all.



    SOGoUserSources = (
        {
            type            = ldap;
            CNFieldName     = cn;
            IDFieldName     = uid;
            UIDFieldName    = uid;
            baseDN          = "cn=Users,dc=domain,dc=local";
            bindDN          = "cn=sogo,cn=Users,dc=domain,dc=local";
            bindPassword    = password;
            canAuthenticate = YES;
            displayName     = "Shared Addresses";
            hostname        = "ldap://dns.dc.local:389";
            id              = public;
            isAddressBook   = YES;
        }
    );

Thanks,


-Matthew



--
users@sogo.nu
https://inverse.ca/sogo/lists


Re: [SOGo] Alias for all mailboxes

2019-01-25 Thread Christoph Kreutzer
Hi,

I implemented something like that in the backend, too. I’m using OpenLDAP.

I have a script (PHP CLI script as part of a Zend Framework management 
frontend) that uses a config file containing some LDAP searches to 
automatically add/remove users to/from groups based on some attributes. That 
part is hard to share, but it shouldn’t be too hard implementing it with some 
Shell script if you are using the LDAP backend, too.

Regarding restrictions:
As MJ proposed, I handle that in Postfix.

In main.cf, after smtpd_recipient_restrictions and smtpd_data_restrictions, 
there is a section:
# allow setting action internal_user_lookup to disallow non-listed users as sender
smtpd_restriction_classes =
    internal_user_lookup
internal_user_lookup =
    check_sender_access ldap:/etc/postfix/ldap-internal_user_lookup.cf,
    # reject if not successful
    check_recipient_access regexp:/etc/postfix/regexp-check_recipient_access-reject,
    reject

ldap-internal_user_lookup.cf looks like this:
# resolve all mail addresses to OK (for checking of internal users)
query_filter = (&(|(objectClass=mailGroup)(objectClass=mailRecipient)(objectClass=inetOrgPerson))(|(mail=%s)(mailAlternateAddress=%s)(mailForwardingAddress=%s)(mailRoutingAddress=%s)))
result_attribute = mail
result_format = OK
(LDAP config is missing here)

regexp-check_recipient_access-reject:
# the same message for all
/^(.*)$/ 550 5.4.1 Delivery to this mailbox is not permitted for you

You see the point - if the sender address is somewhere in my Directory, the
LDAP result returns OK - Mail is accepted. Otherwise, it returns no result and
the second check is performed.

# postmap -q kreutzer.christ...@yesthatsmymail.com ldap:/etc/postfix/ldap-internal_user_lookup.cf
OK
# postmap -q kreutzer.christ...@example.com ldap:/etc/postfix/ldap-internal_user_lookup.cf
(no result)
# postmap -q kreutzer.christ...@example.com regexp:/etc/postfix/regexp-check_recipient_access-reject
550 5.4.1 Delivery to this mailbox is not permitted for you

That always returns the 550 so the message will be rejected.


But how is internal_user_lookup actually enforced? This is how I’ve got it done:
ldap-check_recipient_access.cf:
# get recipient policy for a mail group
query_filter = (&(objectClass=mailGroup)(|(mail=%s)(mailAlternateAddress=%s)))
result_attribute = mgrpBroadcasterPolicy

main.cf again:
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unlisted_recipient,
    [...]
    check_recipient_access ldap:/etc/postfix/ldap-check_recipient_access.cf,
    reject_unverified_recipient

So, for every incoming mail I make a call to that LDAP search above. If the 
group has the attribute mgrpBroadcasterPolicy set to internal_user_lookup 
(that’s the only value that will be set at the moment, otherwise it won’t 
exist), the defined smtpd_restriction_class is called. Which does what I 
described above.

Hope that helps :-) The postfix docs are actually really good, but it’s complex 
to implement. Sometimes you just need a test setup. I got started there, I 
believe: http://www.postfix.org/LDAP_README.html 


Best regards,
Christoph

> On 25.01.2019 at 13:09, mj (li...@merit.unu.edu) wrote:
> 
> Hi,
> 
> On 1/25/19 3:37 AM, Pedro Antunes (pantu...@suroot.pt) wrote:
>> Hi,
>> how i can create an distribution list (alias) that contain all mailboxes of 
>> one domain? its possible?
>> It’s possible restrict who can send emails to one alias?
> 
> We do this in our accounts backend (ldap/AD) by creating a group, give it an 
> email address, and add users to it.
> 
> Then in sogo.conf we add a specific user source, something like:
> 
>>type = ldap;
>>CNFieldName = displayName;
>>IDFieldName = cn;
>>UIDFieldName = uid;
>>baseDN = "CN=Groups,DC=";
>>canAuthenticate = NO;
>>bindDN = "cn=sogo-groups,cn=.";
>>bindPassword = ;
>>displayName = "Our groups";
>>listRequiresDot = NO;
>>MailFieldNames =(mail, otherMailbox, proxyAddresses);
>>id = ad-mail-groups;
>>isAddressBook = YES;
>>port = 389;
>>scope = "SUB";
>>filter = "(objectClass=group)";
> 
> You also need to configure postfix to handle these same groups.
> 
> About restrictions: I guess I'd look at the postfix side of things for 
> restrictions. But I don't have an answer ready for you.
> 
> MJ
> -- 
> users@sogo.nu
> https://inverse.ca/sogo/lists

-- 
users@sogo.nu
https://inverse.ca/sogo/lists
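
Added example (not part of Christoph's message or of Postfix itself): a small Python model of the decision flow described above, including a parser for the reject table's "/pattern/ result" line format. The directory contents, addresses and function names are constructed, and the class body (check_sender_access on the LDAP map, then check_recipient_access on the regexp table) is assumed from the description, since the class definition is not shown in this part of the thread.

```python
import re

# Constructed sample data standing in for the LDAP directory (all addresses are made up).
DIRECTORY_ADDRESSES = {"alice@corp.example", "bob@corp.example"}
GROUP_POLICY = {"all-staff@corp.example": "internal_user_lookup"}  # mgrpBroadcasterPolicy

# The reject table from the message, in regexp table form: /pattern/flags result
REJECT_TABLE = """\
# the same message for all
/^(.*)$/ 550 5.4.1 Delivery to this mailbox is not permitted for you
"""

def parse_regexp_table(text):
    """Parse '/pattern/flags result' lines; comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/([a-z]*)\s+(.+)$", line)
        if not m:
            raise ValueError(f"pattern and result must be separated by whitespace: {line!r}")
        # Flags are recognised but not interpreted in this model.
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(3)))
    return rules

def sender_lookup(sender):
    """Models ldap-internal_user_lookup.cf: any directory match yields 'OK'."""
    return "OK" if sender.lower() in DIRECTORY_ADDRESSES else None

def recipient_reject(recipient, rules):
    """First matching pattern wins, as in a Postfix lookup table."""
    for pattern, result in rules:
        if pattern.search(recipient):
            return result
    return None

def evaluate(sender, recipient, rules):
    """Decision for one RCPT TO; 'DUNNO' means the next restriction decides."""
    policy = GROUP_POLICY.get(recipient.lower())
    if policy != "internal_user_lookup":
        return "DUNNO"  # attribute absent: the restriction class is never entered
    # Assumed class body: check_sender_access (LDAP), then check_recipient_access (regexp).
    return sender_lookup(sender) or recipient_reject(recipient, rules) or "DUNNO"

RULES = parse_regexp_table(REJECT_TABLE)
```

Every decision here keys on the envelope sender as the client states it, so the restriction is only as strong as whatever validates MAIL FROM before this point.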

Re: [SOGo] Alias for all mailboxes

2019-01-25 Thread mj

Hi,

On 1/25/19 3:37 AM, Pedro Antunes (pantu...@suroot.pt) wrote:

Hi,

how i can create an distribution list (alias) that contain all mailboxes 
of one domain? its possible?


It’s possible restrict who can send emails to one alias?



We do this in our accounts backend (ldap/AD) by creating a group, giving 
it an email address, and adding users to it.


Then in sogo.conf we add a specific user source, something like:


type = ldap;
CNFieldName = displayName;
IDFieldName = cn;
UIDFieldName = uid;
baseDN = "CN=Groups,DC=";
canAuthenticate = NO;
bindDN = "cn=sogo-groups,cn=.";
bindPassword = ;
displayName = "Our groups";
listRequiresDot = NO;
MailFieldNames =(mail, otherMailbox, proxyAddresses);
id = ad-mail-groups;
isAddressBook = YES;
port = 389;
scope = "SUB";
filter = "(objectClass=group)";


You also need to configure postfix to handle these same groups.

About restrictions: I guess I'd look at the postfix side of things for 
restrictions. But I don't have an answer ready for you.


MJ


Re: [SOGo] Alias for all mailboxes

2019-01-25 Thread Pedro Antunes
OK. One more question: is it possible to restrict one alias to one sender?


Example: one alias only receives emails from a specific email address.

Regards,
Pedro Antunes

On 25/01/2019, 12:57, "users-requ...@sogo.nu on behalf of Christian Mack" wrote:

Hello

On 25.01.19 at 03:37, Pedro Antunes (pantu...@suroot.pt) wrote:
> 
> how i can create an distribution list (alias) that contain all mailboxes 
> of one domain? its possible?
> It’s possible restrict who can send emails to one alias?
> 

There is no function who does that in SOGo.
You could create an distribution list, that consists of all possible
addresses, but you would need to create that manually and keep it up to
date manually.
Perhaps you could generate and add it per script.

Distribution lists are per address book.
Whoever can read that address book can use that distribution list.

Kind regards,
Christian Mack

-- 
Christian Mack
Universität Konstanz
Kommunikations-, Informations-, Medienzentrum (KIM)
Abteilung Basisdienste
78457 Konstanz
+49 7531 88-4416



Re: [SOGo] Alias for all mailboxes

2019-01-25 Thread Christian Mack
Hello

On 25.01.19 at 03:37, Pedro Antunes (pantu...@suroot.pt) wrote:
> 
> how i can create an distribution list (alias) that contain all mailboxes of 
> one domain? its possible?
> It’s possible restrict who can send emails to one alias?
> 

There is no function that does that in SOGo.
You could create a distribution list that consists of all possible
addresses, but you would need to create that manually and keep it up to
date manually.
Perhaps you could generate and add it by script.

Distribution lists are per address book.
Whoever can read that address book can use that distribution list.

Kind regards,
Christian Mack

-- 
Christian Mack
Universität Konstanz
Kommunikations-, Informations-, Medienzentrum (KIM)
Abteilung Basisdienste
78457 Konstanz
+49 7531 88-4416





Re: [SOGo] AD LDAP SOGoUserSources

2019-01-25 Thread Rowland Penny
On Thu, 24 Jan 2019 14:48:01 -0800
"Carl Doss" (cd...@bahaicenter.net)  wrote:


> >
> > On 1/24/2019 1:28 PM, Matthew Valdez (maval...@ludlums.com) wrote:
> >> Hello,
> >>
> >> I am trying to setup the SOGoUserSources by using Active Directory 
> >> and LDAP and for some reason I cannot seem to get it to work. I am 
> >> able to login if I use the type SQL, but cannot seem to get it to 
> >> work with ldap. Any help would be appreciate, this is what I have
> >> for SOGoUserSources, of course modified a little to share with you
> >> all.
> >>
> >>
> >>     SOGoUserSources = (
> >>     {
> >>             type             = ldap;
> >>             CNFieldName     = cn;
> >>             IDFieldName     = uid;
> >>             UIDFieldName     = uid;
> >>             baseDN            = "cn=Users,dc=domain,dc=local";
> >>             bindDN           = 
> >> "cn=sogo,cn=Users,dc=domain,dc=local";
> >>             bindPassword    = password;
> >>             canAuthenticate = YES;
> >>             displayName        = "Shared Addresses";
> >>             hostname        = "ldap://dns.dc.local:389";
> >>             id             = public;
> >>             isAddressBook   = YES;
> >>     }
> >>     );
> >>

Taking this:

cn=Users,dc=domain,dc=local

and this:

ldap://dns.dc.local:389

into account, is the FQDN of the AD DC really
'dns.dc.local' ?

To put it another way, they do not match, 'dc=domain,dc=local' will
come from your dns domain 'domain.local' so the 'hostname' should be
'ldap://' or 'ldap://.domain.local'

Rowland
  


Re: [SOGo] AD LDAP SOGoUserSources

2019-01-25 Thread mj

Hi Matthew,

Did you set:
 SOGoAuthenticationMethod = LDAP;

Best,
MJ

On 1/24/19 10:28 PM, Matthew Valdez (maval...@ludlums.com) wrote:

Hello,

I am trying to setup the SOGoUserSources by using Active Directory and 
LDAP and for some reason I cannot seem to get it to work. I am able to 
login if I use the type SQL, but cannot seem to get it to work with 
ldap. Any help would be appreciate, this is what I have for 
SOGoUserSources, of course modified a little to share with you all.



     SOGoUserSources = (
     {
             type             = ldap;
             CNFieldName     = cn;
             IDFieldName     = uid;
             UIDFieldName     = uid;
             baseDN            = "cn=Users,dc=domain,dc=local";
             bindDN           = "cn=sogo,cn=Users,dc=domain,dc=local";
             bindPassword    = password;
             canAuthenticate = YES;
             displayName        = "Shared Addresses";
             hostname        = "ldap://dns.dc.local:389";
             id             = public;
             isAddressBook   = YES;
     }
     );

Thanks,


-Matthew





Re: [SOGo] AD LDAP SOGoUserSources

2019-01-25 Thread goetz.reini...@filmakademie.de
Hi,

> On 24.01.2019 at 22:28, Matthew Valdez (maval...@ludlums.com) wrote:
> 
> Hello,
> 
> I am trying to setup the SOGoUserSources by using Active Directory and LDAP 
> and for some reason I cannot seem to get it to work. I am able to login if I 
> use the type SQL, but cannot seem to get it to work with ldap. Any help would 
> be appreciate, this is what I have for SOGoUserSources, of course modified a 
> little to share with you all.
> 
> 
> SOGoUserSources = (
> {
> type = ldap;
> CNFieldName = cn;
> IDFieldName = uid;
> UIDFieldName = uid;
> baseDN= "cn=Users,dc=domain,dc=local";
> bindDN   = "cn=sogo,cn=Users,dc=domain,dc=local";
> bindPassword= password;
> canAuthenticate = YES;
> displayName= "Shared Addresses";
> hostname= "ldap://dns.dc.local:389";
> id = public;
> isAddressBook   = YES;
> }
> );
> 

Maybe your AD is using SSL/starttls on port 389?

hostname = "ldap://dns.dc.local:389/!StartTLS";

And I have a filter set:

filter = "mail = '*'"

Regards . Götz





[SOGo] Alias for all mailboxes

2019-01-25 Thread Pedro Antunes
Hi,

How can I create a distribution list (alias) that contains all mailboxes of one 
domain? Is it possible?
Is it possible to restrict who can send emails to one alias?

Regards,
Pedro Antunes