mailcow-dockerized-docs/docs/debug-admin_login_sogo.md

2019-03-24 11:23:32 +01:00
This is an experimental feature that allows admins and domain admins to log into SOGo directly
as a mailbox user, without knowing that user's password.
For this, an additional link to SOGo is displayed in the mailbox list.
Multiple concurrent admin logins to different mailboxes are also possible when using this feature.
## Enabling the feature
The feature is disabled by default. It can be enabled in the `mailcow.conf` by setting:
```
ALLOW_ADMIN_EMAIL_LOGIN=y
```
and recreating the affected containers with
```
docker-compose up -d
```
## Drawbacks when enabled
- Each SOGo page load and each ActiveSync request causes an additional execution of an internal PHP script. This may increase the load times of SOGo and EAS. In most cases this is not noticeable, but keep it in mind if you run into performance issues.
- SOGo does not display a logout link for admin logins. To log in as a regular user again, log out of the mailcow UI so that the PHP session is destroyed.
- Subscribing to another user's calendar or address book while logged in as admin does not work, nor does inviting other users to calendar events. The page simply reloads when these actions are attempted.
## Technical details
The `SOGoTrustProxyAuthentication` option is set to `YES`, which makes SOGo trust the `x-webobjects-remote-user` header. Trusting a proxy-set header is only safe while SOGo is reachable exclusively through the nginx proxy that sets it; a client that could deliver the header to SOGo directly would be accepted as whatever user it names.
Dovecot receives a random master password that is valid for all mailboxes when used from the SOGo container.
Clicking the SOGo button in the mailbox list opens `sogo-auth.php`, which checks permissions, sets session variables and redirects to the SOGo mailbox.
Each SOGo, CardDAV, CalDAV and EAS HTTP request causes an additional, nginx-internal `auth_request` call to `sogo-auth.php` with the following behavior:
- If a basic auth header is present, the script validates the credentials in place of SOGo and returns the headers `x-webobjects-remote-user`, `Authorization` and `x-webobjects-auth-type`.
- If no basic auth header is present, the script checks for an active mailcow admin session for the requested mailbox user and returns the same headers, with the Dovecot master password in the `Authorization` header.
- If both fail, the headers are returned empty, which makes SOGo fall back to its standard authentication methods.
All of these behaviors are disabled unless `ALLOW_ADMIN_EMAIL_LOGIN` is enabled in the config.
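The decision logic of the `auth_request` handler described above, as an added illustration in Python. This is not mailcow's `sogo-auth.php` and not its nginx configuration; the password table, the session store, the master password and the `Basic` value for `x-webobjects-auth-type` are constructed stand-ins for the real database lookups and secrets. Two details worth noticing: the handler derives `x-webobjects-remote-user` only from credentials it has verified itself and never from a header the client sent, and the feature flag short-circuits every branch so that the disabled state returns empty headers.

```python
import base64
import hmac

# --- constructed sample data (stand-ins, not mailcow's real users or secrets) ---
FEATURE_ENABLED = True                                  # models ALLOW_ADMIN_EMAIL_LOGIN=y
DOVECOT_MASTER_PASSWORD = "constructed-master-secret"   # models the random Dovecot master password

# mailbox -> password; a real implementation checks a hash in the database
MAILBOX_PASSWORDS = {
    "alice@example.com": "alice-pw",
    "bob@example.com": "bob-pw",
}

# PHP session id -> mailboxes that session may open through the SOGo button
ADMIN_SESSIONS = {
    "sess-admin-1": {"alice@example.com"},
}

# The "both failed" result: empty headers make SOGo use its own authentication.
EMPTY = {"x-webobjects-remote-user": "", "Authorization": "", "x-webobjects-auth-type": ""}


def basic_header(user, password):
    """Build an HTTP Basic Authorization header value for user:password."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def _parse_basic(header):
    """Return (user, password) from a Basic header, or None if absent or malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def _check_password(user, password):
    """Constant-time comparison so the check does not leak how much of the password matched."""
    expected = MAILBOX_PASSWORDS.get(user)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def sogo_auth(headers, session_id, requested_user, feature_enabled=FEATURE_ENABLED):
    """
    Decide which headers the nginx auth_request call hands to SOGo.
      1. Basic auth present  -> validate in place of SOGo, pass the user's own credentials through
      2. else, admin session -> pass the requested user plus the Dovecot master password
      3. otherwise           -> empty headers, SOGo falls back to its standard authentication
    Any x-webobjects-remote-user header the client sent is ignored on purpose.
    """
    if not feature_enabled:
        return dict(EMPTY)

    creds = _parse_basic(headers.get("Authorization"))
    if creds is not None:
        user, password = creds
        if _check_password(user, password):
            return {
                "x-webobjects-remote-user": user,
                "Authorization": headers["Authorization"],
                "x-webobjects-auth-type": "Basic",
            }
        # present but wrong: treated as a failure here, no fall-through to the session check
        return dict(EMPTY)

    if requested_user in ADMIN_SESSIONS.get(session_id, set()):
        return {
            "x-webobjects-remote-user": requested_user,
            "Authorization": basic_header(requested_user, DOVECOT_MASTER_PASSWORD),
            "x-webobjects-auth-type": "Basic",
        }
    return dict(EMPTY)
```

Run `sogo_auth({"Authorization": basic_header("alice@example.com", "alice-pw")}, None, "alice@example.com")` to see the pass-through branch, and `sogo_auth({}, "sess-admin-1", "alice@example.com")` to see the master-password branch; the same admin session asking for `bob@example.com` gets empty headers, as does any request that only carries a client-supplied `x-webobjects-remote-user`.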