[SOGo] SAML2 with KeyCloak IDP and Apache Reverse Proxy configuration instructions

2023-04-28 Thread Gary Horchem
Does anyone have a working setup of SOGo SAML2 with Keycloak as the IdP they 
could share? It's sitting behind an Apache reverse proxy. Thanks

Sent from my iPhone

[SOGo] Sogo - saml2 - keycloak

2020-06-27 Thread "la.jolie@paquerette"
Hello everyone,

I'm trying to configure SOGo v4.3.0-1 (with dovecot / postfix on a fresh
Debian Buster) to work with my Keycloak using the SAML protocol.

I configured SOGo -> SAML -> Keycloak thanks to the info found in these
discussions:
- https://www.mail-archive.com/users@sogo.nu/msg25426.html
- https://www.mail-archive.com/users@sogo.nu/msg27942.html

Now, when I successfully log in to Keycloak, I'm redirected to
https://my.host/Sogo/saml2-signon-post, but get a white page with this
error in sogo.log:

sogod [20896]: |SOGo| starting method 'POST' on uri
'/SOGo/saml2-signon-post'
sogod [20896]: |SOGo| traverse(acquire): SOGo => saml2-signon-post
sogod [20896]: |SOGo|   do traverse name: 'SOGo'
sogod [20896]: |SOGo|   do traverse name: 'saml2-signon-post'
sogod [20896]: |SOGo| set clientObject: 
sogod[20896:20896] EXCEPTION: 
NAME:NSInvalidArgumentException REASON:Tried to add nil value for key
'login' to dictionary INFO:{}
sogod [20896]: <0x0x55fa06f91fd0[WOResponse]> Zipping of response disabled
sogod [20896]: 127.0.0.1 "POST /SOGo/saml2-signon-post HTTP/1.1" 501
0/9061 0.009 - - 0


This error led me to this post: https://sogo.nu/bugs/view.php?id=4441

I tried different values for the option SOGoSAML2LoginAttribute (mail,
email) and checked and rechecked my mappers in Keycloak's SOGo client, but
always get the same error.

(Unfortunately, in that post, the answer that seems to have resolved the
problem points to a link that doesn't exist anymore:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress)


Is it possible that SOGo works correctly and this error comes from the
fact that I haven't yet configured pam-script-saml
(https://github.com/ck-ws/pam-script-saml) for the link between SOGo &
dovecot?
I thought I would at least get the SOGo page with an Access denied or User
not found without pam-script-saml, but maybe I'm wrong.

Would anyone who has succeeded in configuring Keycloak (SAML) be
willing to share the options used for the SOGo client, or check mine to
see if there is a mistake (see below)?

And is there a way to get more debug info on the SAML process in SOGo,
like seeing the data that SOGo gets from the token?

I set all the debugging options I found for SOGo to YES, but that
doesn't give more info about the SAML data / auth process.

---
SOGoEASDebugEnabled = YES;
GCSFolderDebugEnabled = YES;
GCSFolderStoreDebugEnabled = YES;
LDAPDebugEnabled = YES;
MySQL4DebugEnabled = YES;
NGImap4DisableIMAP4Pooling = YES;
ImapDebugEnabled = YES;
OCSFolderManagerSQLDebugEnabled = YES;
PGDebugEnabled = YES;
SOGoDebugRequests = YES;
SOGoMailKeepDraftsAfterSend = YES;
SOGoUIxDebugEnabled = YES;
SoDebugObjectTraversal = YES;
SoSecurityManagerDebugEnabled = YES;
WODontZipResponse = YES;
WODebugZipResponse = YES;
---
Is there another one I've missed that would give me more info?


Thanks,
Kenny


My configurations:
--

* Sogo.conf (saml part):

SOGoCacheCleanupInterval = 3600;
SOGoAuthenticationType = saml2;
NGImap4AuthMechanism = PLAIN;
SOGoSAML2PrivateKeyLocation = "/etc/sogo/saml.pem";
SOGoSAML2CertificateLocation = "/etc/sogo/saml.crt";
SOGoSAML2IdpMetadataLocation = "/etc/sogo/idp-metadata.xml";
SOGoSAML2IdpPublicKeyLocation = "/etc/sogo/idp.key";
SOGoSAML2IdpCertificateLocation = "/etc/sogo/idp.crt";
SOGoSAML2LoginAttribute = "mail";
SOGoSAML2LogoutEnabled = YES;
SOGoSAML2LogoutURL = "https://my.host";


* Keycloak config (sogo client):
  - Settings:

Client Id: https://my.host/SOGo/saml2-metadata
Name: Sogo
Enabled: ON
Consent Required: OFF
Client protocol: Saml
Include AuthnStatement: ON
Include OneTimeUse Condition: OFF
Sign Documents : ON
Optimize REDIRECT signing key lookup: ON
Sign Assertions: OFF
Signature Algorithm: RSA_CHA256
SAML Signature Key Name: KEY_ID
Canonicalization Method: EXCLUSIVE
Encrypt Assertions: OFF
Client Signature Required: OFF
Force POST Binding: ON
Front Channel Logout: ON
Force Name ID Format: ON
Name ID Format: username
Valid Redirect URIs : https://my.host/SOGo/*
Master SAML Processing URL: https://my.host/SOGo/saml2-signon-post


  - Mappers:

1 - mail
  Protocol: Saml
  Name: mail
  Mapper type: User Property
  Property: email
  SAML Attribute Name: mail
  SAML Attribute NameFormat: Basic

2 - uid
  Protocol: Saml
  Name: uid
  Mapper type: User Property
  Property: uid
  SAML Attribute Name: uid
  SAML Attribute NameFormat: Basic

3 - login (added because the error "nil value for key 'login'")
  Protocol: Saml
  Name: login
  Mapper type: User Property
  Property: email
  SAML Attribute Name: login
  SAML Attribute NameFormat: Basic


-- 
users@sogo.nu
https://inverse.ca/sogo/lists


Re: [SOGo] SAML2 + Keyclock

2018-10-12 Thread mj

Hi,

We have been trying this as well. I will send you the notes I kept, 
hopefully this will get you going.


First two links:
https://lists.inverse.ca/sogo/arc/users/2016-10/msg00100.html
https://sogo.nu/bugs/view.php?id=3933

In keycloak, make sure to configure:
NameID format: username
select FORCE NameID format

mappers
user property uid = uid / uid / uid (basic)
user property mail = mail / email (property) / mail (basic)

in sogo.conf:
SOGoCacheCleanupInterval = 3600;
SOGoAuthenticationType = saml2;
NGImap4AuthMechanism = PLAIN;
SOGoSAML2PrivateKeyLocation = "/etc/sogo/key.pem";
SOGoSAML2CertificateLocation = "/etc/sogo/cert.pem";
SOGoSAML2IdpMetadataLocation = "/etc/sogo/id-metadata.xml";
SOGoSAML2IdpPublicKeyLocation = "/etc/sogo/id.crt";
//SOGoSAML2IdpCertificateLocation = "/etc/sogo/idp.crt";
SOGoSAML2LoginAttribute = "mail";
SOGoSAML2LogoutEnabled = YES;
SOGoSAML2LogoutURL = "https://www.company.com";

id-metadata.xml contains the generic keycloak metadata from 
https://id.merit.unu.edu/auth/realms/merit/protocol/saml/descriptor


Then, for dovecot you can use a non-auth listener on localhost, or 
configure dovecot to respond to saml auth:

https://github.com/ck-ws/pam-script-saml/

The author of this last script is also on this mailing list.

Hopefully this will get you going.

MJ


On 10/11/2018 03:41 PM, "Conta de Administracao Expresso" 
(expresso.supo...@dpf.gov.br) wrote:

Hello everyone,

I need to configure SOGo 3.2.1 to authenticate with SAML2 in Keycloak 
3.4. Does anyone know how to do this setup? If so, can you send me the 
steps?


Thanks,

Eugenio



[SOGo] SAML2 + Keyclock

2018-10-11 Thread "Conta de Administracao Expresso"

Hello everyone,

I need to configure SOGo 3.2.1 to authenticate with SAML2 in Keycloak 3.4. Does 
anyone know how to do this setup? If so, can you send me the steps?

Thanks,

Eugenio

 

Re: [SOGo] saml2

2018-04-10 Thread Christoph Kreutzer
Hi MJ,

That option directly correlates with how long the session is valid (as the SAML 
assertion will be removed from cache after this time, and can no longer be sent 
to Dovecot).
3600 would be one hour. You may want to set it higher, so that the user will 
stay logged in for a business day (maybe 8*3600 or 10*3600). Beware that all 
cache entries will be kept this long, so you may need to increase the 
memcached size (if you have enough RAM) - I think that is already discussed in 
the manual, somewhere on the mailing list or in one of our SAML tickets ;-)

If you change it, don’t forget to modify the grace option accordingly in 
/etc/pam.d/dovecot for pam-script-saml.

Regarding SOGo 3/4:
The behaviour is the same. I currently live with it (only having some users, 
and most using Thunderbird/Apple Mail clients).
I believe I asked once in a ticket why there is no handling of that case in the 
AJAX requests, but never got an explanation (maybe we also talked at 
cross-purposes ;-) ).

Best regards,
Christoph

> Am 10.04.2018 um 13:31 schrieb mj (li...@merit.unu.edu) :
> 
> Hi,
> 
> We're playing again with sogo / dovecot / saml and would like some feedback.
> 
> We have everything (sogo, keycloak IdP, dovecot with pam-script-saml) working 
> just fine, with one remaining issue:
> 
> After a while the sogo web interface stops working, unless you change 
> 'module' (from mail module to calendar or addressbook) at which point we are 
> redirected to the IdP, logon again, and then things work again.
> 
> While sogo has stopped working, and I change imap folder, nothing happens, 
> and apache logs two 302 lines like this:
> 
>> Apr 10 13:24:21 sogod [15166]: ip.4.address.com "GET 
>> /SOGo/so/testuser/Mail/0/folderINBOX/folderfb/unseenCount HTTP/1.1" 302 0/0 
>> 0.007 - - 0
>> Apr 10 13:24:21 sogod [15165]: ip.4.address.com "POST 
>> /SOGo/so/testuser/Mail/0/folderINBOX/folderfb/uids HTTP/1.1" 302 0/75 0.008 
>> - - 0
> 
> I have set SOGoCacheCleanupInterval to 3600, should I set it higher..? Are 
> others using saml auth also seeing this?
> 
> This is on a fresh stretch install, sogo version 2.3.23-1
> 
> Any use in trying with sogo v3 or v4?
> 
> MJ

[SOGo] saml2

2018-04-10 Thread mj

Hi,

We're playing again with sogo / dovecot / saml and would like some feedback.

We have everything (sogo, keycloak IdP, dovecot with pam-script-saml) 
working just fine, with one remaining issue:


After a while the sogo web interface stops working, unless you change 
'module' (from mail module to calendar or addressbook) at which point we 
are redirected to the IdP, logon again, and then things work again.


While sogo has stopped working, and I change imap folder, nothing 
happens, and apache logs two 302 lines like this:



Apr 10 13:24:21 sogod [15166]: ip.4.address.com "GET 
/SOGo/so/testuser/Mail/0/folderINBOX/folderfb/unseenCount HTTP/1.1" 302 0/0 0.007 - 
- 0
Apr 10 13:24:21 sogod [15165]: ip.4.address.com "POST 
/SOGo/so/testuser/Mail/0/folderINBOX/folderfb/uids HTTP/1.1" 302 0/75 0.008 - - 0


I have set SOGoCacheCleanupInterval to 3600, should I set it higher..? 
Are others using saml auth also seeing this?


This is on a fresh stretch install, sogo version 2.3.23-1

Any use in trying with sogo v3 or v4?

MJ


Re: [SOGo] sogo / saml2 / LassoProfileErrorUnsupportedProfile

2016-12-21 Thread mj

Hi,


Stupid thing: this worked in my previous setup. I started over again to
verify and document everything, and now this
LassoProfileErrorUnsupportedProfile comes up. :-(


It seems i made an error pasting the IdP metadata...

Sorry for the noise.


[SOGo] sogo / saml2 / LassoProfileErrorUnsupportedProfile

2016-12-21 Thread mj

Hi,

I have configured sogo to use SAML2 like this in sogo.conf:


SOGoAuthenticationType = saml2;
NGImap4AuthMechanism = PLAIN;
SOGoSAML2PrivateKeyLocation = "/etc/sogo/key.pem";
SOGoSAML2CertificateLocation = "/etc/sogo/cert.pem";

SOGoSAML2IdpMetadataLocation = "/etc/sogo/idp-metadata.xml";
SOGoSAML2IdpPublicKeyLocation = "/etc/sogo/idp.key";
SOGoSAML2IdpCertificateLocation = "/etc/sogo/idp.crt";

SOGoSAML2LoginAttribute = "mail";
SOGoSAML2LogoutEnabled = YES;
SOGoSAML2LogoutURL = "http://www.company.com";


However, accessing /SOGo gives a Proxy error (Reason: Error reading from 
remote server) and in sogo.log I get:



Dec 21 11:09:34 sogod [5978]: <0x0x7fbe48948b00[WOWatchDog]> child spawned with 
pid 6085
EXCEPTION:  
NAME:LassoProfileErrorUnsupportedProfile REASON:Unsupported protocol profile 
INFO:(null)


Stupid thing: this worked in my previous setup. I started over again to 
verify and document everything, and now this 
LassoProfileErrorUnsupportedProfile comes up. :-(


This is on today's v3 nightlies. Anyone with a suggestion?

MJ


Re: [SOGo] SAML2 authentication requirements

2016-10-20 Thread Christoph Kreutzer
Hi Steve,

I was also afraid of patching common libraries, but I also tried following the 
AUF recipe (without success). I also thought about the OpenChange way (allow 
access without password from localhost [or other SOGo host]), but that wasn’t 
really what I wanted, as you noted by yourself ;) As for EAS, this works fine 
for me out of the box, but I’m not using OpenChange.

I researched a bit further and documented my steps as good as I can remember 
(forgot to take notes sometimes).

Christoph.


SAML with SOGo and Dovecot
==========================

SOGo SAML configuration
-----------------------
I am using the following configuration, which is pretty straightforward:
SOGoAuthenticationType = saml2;
NGImap4AuthMechanism = PLAIN;
SOGoSAML2PrivateKeyLocation = "/etc/sogo/saml.pem";
SOGoSAML2CertificateLocation = "/etc/sogo/saml.crt";
SOGoSAML2IdpMetadataLocation = "/etc/sogo/idp-metadata.xml";
SOGoSAML2IdpPublicKeyLocation = "/etc/sogo/idp.crt";
SOGoSAML2IdpCertificateLocation = "/etc/sogo/idp.crt";
SOGoSAML2LoginAttribute = "mail";
SOGoSAML2LogoutEnabled = YES;
SOGoSAML2LogoutURL = "https://example.com";

idp-metadata.xml and idp.crt come from the IdP.

saml.pem and saml.crt are your certificate and private key, possibly generated 
like this:
openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem

Most important is the IMAP part.
From the SOGo installation guide: "if you make use of the CrudeSAML SASL 
plugin, you need to make sure that NGImap4AuthMechanism is configured to use 
the SAML mechanism. If you make use of the CrudeSAML PAM plugin, this value 
may be left empty."
That suggests, if you are using PAM, you can leave the defaults. At least with 
Dovecot, this doesn't work out of the box.
SOGo will use the LOGIN command and sends the full SAML assertion as password. 
Dovecot will fail to authenticate, because the "password" is larger than the 
reserved memory.
But you can use AUTHENTICATE PLAIN, because for AUTHENTICATE a larger buffer is 
reserved (for using Kerberos tickets, etc.). To get SOGo/SOPE to do this, add 
the NGImap4AuthMechanism = PLAIN as I did above.

Dovecot SAML authentication (PAM)
---------------------------------
1. crudesaml, as listed in SOGo documentation

1.1 UCS crudesaml & liblasso3
(Univention Corporate Server, Debian based enterprise Linux)
- Issue crudesaml deb-Build: 
https://forge.univention.org/bugzilla/show_bug.cgi?id=39315
- crudesaml deb: 
http://updates.software-univention.de/4.1/maintained/4.1-0/amd64/pam-saml_1.5.0-4.12.201510061230_amd64.deb
Also needs patched liblasso3 installed (see issue, and: 
https://dev.entrouvert.org/issues/8042).
I just added the repository in APT and pinned it, so that only the specific 
packages were installed.
However, it segfaults while processing the PAM request on Debian Jessie.

1.2 Custom build crudesaml against default liblasso3
Gives "Undefined symbol: lasso_provider_verify_saml_signature" (as expected)

1.3 Custom build liblasso3 from upstream and crudesaml
- patched using the patches by Inverse/AUF 
(https://wiki.auf.org/wikiteki/Projet/SOGo/TestsSAML)
- second build patched using UCS patch (https://dev.entrouvert.org/issues/8042)
Sometimes segfaulted, but most of all flooded logs with: GLib-GObject-WARNING 
**: cannot register existing ... (clashed with installed liblasso3 by Debian)
Worked for some requests, for most not (I would say 1 of 4, because of glib 
problem)

1.4 liblasso3 using deb-src package and patching
I tried it once, but I didn't like it ;) Build failed even without patching 
(but I think only because all bindings were compiled, too).
Didn't try any longer then, as I don't want to have to patch every single 
release.


2. pam-script
https://packages.debian.org/en/jessie/libpam-script

2.1 bash implementation of crudesaml
I started with it, only using minimal dependencies (xmllint, openssl, xmlsec).
But then realized, that it would be hard to implement the whole SAML protocol 
with XML extraction using xmllint --xpath and verifying signatures using xmlsec.

2.2 pam-script-saml
It is a PHP implementation using the LightSAML library 
(https://www.lightsaml.com/LightSAML-Core/) and accepts nearly the same 
arguments as pam-saml.
Available on GitHub: https://github.com/ck-ws/pam-script-saml
Time will tell if it performs well enough. For the moment it works well 
enough in a test environment.

DAV Access
----------
DAV access for Cal/CardDAV will usually not support SAML authentication. The 
simplest solution is to keep your default authentication source in place, on 
which SOGo should rely nevertheless.
I, however, don't really want my users' passwords in some apps. So I built 
something like Google's App Passwords, stored in a MariaDB/MySQL database. SOGo 
currently only checks the first result row for a given uid (but I think it 
should be easily changeable, see feature request #38

Re: [SOGo] SAML2 authentication requirements

2016-09-18 Thread Christoph Kreutzer

> Am 16.09.2016 um 19:11 schrieb Christoph Kreutzer 
> :
> 
> How could you resolve this, Stephen?

I found it out (after adding a consent:Consent to simpleSAMLphp):
As the Shibboleth SP wants OID attributes, I had added a name2oid AttributeMap. 
I just added a oid2name in the SP metadata in simpleSAMLphp and it works now :)

Now I only have to find out how to make SAML work with Dovecot, hopefully 
without patching and recompiling:
https://wiki.auf.org/wikiteki/Projet/SOGo/TestsSAML 


Christoph.

Re: [SOGo] SAML2 authentication requirements

2016-09-16 Thread Christoph Kreutzer

> Am 01.07.2013 um 20:10 schrieb Stephen Ingram :
> 
> On Sat, Jun 29, 2013 at 6:13 AM, Ludovic Marcotte  <mailto:lmarco...@inverse.ca>> wrote:
> On 2013-06-29 1:57 AM, Stephen Ingram wrote:
>> The makefile in SoObjects/SOGo (line 149) indicates the presence of this 
>> metadata file, but there is none. The code in SOGoSAML2Session also appears 
>> to look for this file (SOGoSAML2Metadata.xml). Does this need to be added 
>> before compiling? I've tried adding it to the WebserverResources directory, 
>> but SOGo still doesn't pick it up.
> Try placing it in /usr/sbin/Resources/sogod/Resources/  (adjust depending on 
> where your sogod binary is located and create the Resources directory).
> 
> That is just due to some brain damage in the bundle loading code.
> 
> That doesn't work, but it did give me a hint as to where it should be. The 
> magic location is /usr/lib/GNUstep/Frameworks/SOGo.framework/Resources/. I 
> can now see the metadata when browsing to 
> https://webmail.4test.net/SOGo/saml2-metadata. If I try to login at 
> https://webmail.4test.net/SOGo I am 
> correctly re-directed to the IdP for authentication.
> 
> I still don't have a working system as once authenticating at the IdP, SOGo 
> apparently doesn't receive what it's looking for and tries to login with 
> nothing:
> 
> EXCEPTION:  NAME:NSInvalidArgumentException 
> REASON:Tried to add nil value for key 'login' to dictionary INFO:{}
> 
> which results in a proxy error:
> 
> The proxy server received an invalid response from an upstream server. The 
> proxy server could not handle the request POST /SOGo/saml2-signon-post.
> 
> Looking at the code, I see that SOGo maybe only wants either the uid or mail 
> attributes encoded in a SAML2NameID format. I'm not sure if the endpoint 
> /SOGo/saml2-signon-post is correct or not as I gleaned it from error logs 
> listing typical SOGo requests. Are /SOGo/saml2-metadata and 
> /SOGo/saml2-signon-post the only two endpoints?
> 
> Steve


Hi,

I know that was long ago, but maybe someone can help. I tried setting up SOGo 
3.1.5 on Debian Jessie with SAML Auth (SimpleSAMLphp IdP is working properly 
with Shibboleth SP).
Following Configuration:

// SAML
SOGoAuthenticationType = saml2;
SOGoSAML2PrivateKeyLocation = "/etc/sogo/saml.pem";
SOGoSAML2CertificateLocation = "/etc/sogo/saml.crt";
SOGoSAML2IdpMetadataLocation = "/etc/sogo/idp-metadata.xml";
SOGoSAML2IdpPublicKeyLocation = "/etc/sogo/idp.crt";
SOGoSAML2IdpCertificateLocation = "/etc/sogo/idp.crt";
SOGoSAML2LoginAttribute = mail;
SOGoSAML2LogoutEnabled = YES;
SOGoSAML2LogoutURL = "https://example.com";

I also tried it without SOGoSAML2LoginAttribute, but I get the same error as 
above:

Sep 16 19:01:00 sogod [17999]: <0x0x7f7b1f9a4fc0[SOGoCache]> Cache 
cleanup interval set every 300.00 seconds
Sep 16 19:01:00 sogod [17999]: <0x0x7f7b1f9a4fc0[SOGoCache]> Using 
host(s) 'localhost' as server(s)
EXCEPTION:  
NAME:NSInvalidArgumentException REASON:Tried to add nil value for key 'login' 
to dictionary INFO:{}
Sep 16 19:01:00 sogod [17945]: <0x0x7f7b1fc00530[WOWatchDogChild]> 
child 17999 exited
Sep 16 19:01:00 sogod [17945]: <0x0x7f7b1fc00530[WOWatchDogChild]>  
(terminated due to signal 6)
Sep 16 19:01:00 sogod [17945]: <0x0x7f7b1fa1c190[WOWatchDog]> child 
spawned with pid 18002

How could you resolve this, Stephen?


Thanks,
Christoph

PS: There is a typo in the documentation: SOGoSAML2CertiTicateLocation ;) Cost 
me half an hour to find out.
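Kenny's 2020 post at the top of this page, Steve's quoted 2013 message and Christoph's message just above all hit the same "Tried to add nil value for key 'login'" exception right after the IdP posts back to /SOGo/saml2-signon-post. The following added Python example (not from the thread, and not SOGo's own code) decodes a SAMLResponse the way the form post carries it and lists the NameID and attributes, so the configured SOGoSAML2LoginAttribute can be compared with what the IdP actually sent. The IdP URL, user and attribute names in the sample are constructed, and the reading that a missing attribute is what produces the nil 'login' is an assumption consistent with the thread, not something the page confirms:

```python
# Added example (not from any post in this thread, nor from SOGo's own code):
# decode the SAMLResponse form field that the IdP posts to
# /SOGo/saml2-signon-post and list what it carries, so a "nil value for key
# 'login'" can be traced to a missing or misnamed attribute. All values in the
# sample response are constructed.
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed response: the IdP emits the e-mail address as "email", while the
# SP side (SOGoSAML2LoginAttribute = "mail" in the configs above) expects "mail".
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2020-06-27T10:00:00Z" Destination="https://my.host/SOGo/saml2-signon-post">
  <saml:Issuer>https://idp.example.test/auth/realms/example</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-06-27T10:00:00Z">
    <saml:Issuer>https://idp.example.test/auth/realms/example</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">kenny</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>kenny@my.host</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>kenny</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# What the browser actually posts: the base64 of that XML in the SAMLResponse field.
SAMPLE_POST_FIELD = base64.b64encode(SAMPLE_RESPONSE_XML.encode("utf-8")).decode("ascii")


def decode_saml_response(post_field: str) -> ET.Element:
    """Base64-decode the SAMLResponse form value and parse it. No signature
    check here: this is a read-only diagnostic of what the IdP sent."""
    return ET.fromstring(base64.b64decode(post_field))


def summarize(root: ET.Element) -> dict:
    """Collect status, NameID (with its Format) and every attribute with its values."""
    status_el = root.find("samlp:Status/samlp:StatusCode", NS)
    summary = {
        "status": status_el.get("Value") if status_el is not None else None,
        "name_id": None,
        "name_id_format": None,
        "attributes": {},
        "encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
    }
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return summary  # encrypted or absent: nothing to read without the SP key
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is not None:
        summary["name_id"] = name_id.text
        summary["name_id_format"] = name_id.get("Format")
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        summary["attributes"][attr.get("Name")] = [
            v.text for v in attr.findall("saml:AttributeValue", NS)
        ]
    return summary


def login_value(summary: dict, login_attribute: str):
    """Value of the attribute named by SOGoSAML2LoginAttribute, or None when the
    assertion does not carry it. Assumption: a None here is the condition behind
    the nil 'login' error; how SOGo itself maps the attribute is not on the page."""
    values = summary["attributes"].get(login_attribute)
    return values[0] if values else None


def missing_attribute_report(summary: dict, login_attribute: str) -> str:
    """Human-readable hint for the case the thread keeps running into."""
    value = login_value(summary, login_attribute)
    if value is not None:
        return f"ok: '{login_attribute}' = {value}"
    present = ", ".join(sorted(summary["attributes"])) or "(none)"
    return (f"'{login_attribute}' not in assertion; attributes present: {present}; "
            f"NameID = {summary['name_id']!r}")


if __name__ == "__main__":
    s = summarize(decode_saml_response(SAMPLE_POST_FIELD))
    print(missing_attribute_report(s, "mail"))
    print(missing_attribute_report(s, "email"))
```

To use it on a real login, capture the SAMLResponse value from the browser's POST (the form field, not the whole body) and pass it to decode_saml_response; the report then shows whether the IdP mapper's "SAML Attribute Name" matches SOGoSAML2LoginAttribute character for character, which is the mismatch both Kenny's mapper list (attribute "mail" backed by property email) and the IdP default naming can produce.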

[SOGo] SAML2 authentication requirements

2013-05-20 Thread Stephen Ingram
I'm trying to setup SAML2 authentication for SOGo and not sure of the
requirements. According to the installation guide, only changes to the
SOGo configuration are necessary. Of course, you must then use something
like the crudesaml plugin to handle the authentication to the IMAP server,
but that is not necessary for SOGo itself. I set
SOGoAuthenticationType=saml2 along with all of the cert and Idp metadata
information, but nothing seems to happen. I get a proxy error when trying
to bring up the login page with the log saying:

GLib-GObject-WARNING **: invalid cast from `LassoLibAuthnRequest' to
`LassoSamlp2AuthnRequest'

The installation manual leads you to believe that everything is automatic
beyond the SOGoSAML2... configuration lines in sogo.conf. Does SOGo
actually do everything including SP functionality or do you have to setup
something like a Shibboleth SP to get things working?

Also, the metadata link turns up an HTTP 200 with a blank page. Is there
another way to get the metadata as the IdP obviously needs it to work
properly?

Steve