Merge pull request #139 from mhofer117/master

Add page "Admin login to SOGo"
This commit is contained in:
André Peters 2019-03-31 19:16:31 +02:00 committed by GitHub
Commit 568beb87b8
No GPG key could be found for this signature
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 44 additions and 0 deletions


@ -0,0 +1,43 @@
This is an experimental feature that allows admins and domain admins to directly
log into SOGo as a mailbox user, without knowing the users password.
For this, an additional link to SOGo is displayed in the mailbox list.
Multiple concurrent admin-logins to different mailboxes are also possible when using this feature.
## Enabling the feature
The feature is disabled by default. It can be enabled in the `mailcow.conf` by setting:
```
ALLOW_ADMIN_EMAIL_LOGIN=y
```
and restarting the affected containers with
```
docker-compose up -d
```
## Drawbacks when enabled
- Each SOGo page-load and each Active-Sync request will cause an additional execution of an internal PHP script.
This might impact load-times of SOGo / EAS.
In most cases, this should not be noticeable but should be kept in mind if you face any performance issues.
- SOGo will not display a logout link for admin-logins, to login normally one has to logout from the mailcow UI so the PHP session is destroyed.
## Technical details
SOGoTrustProxyAuthentication option is set to YES which makes SOGo trust the x-webobjects-remote-user header.
Dovecot will receive a random master-password which is valid for all mailboxes when used by the SOGo container.
Clicking on the SOGo button in the mailbox list will open sogo-auth.php which checks permissions, sets session variables and redirects to the SOGo mailbox.
Each SOGo, CardDAV, CalDAV and EAS http request will cause an additional, nginx internal auth_request call to sogo-auth.php with the following behavior:
- If a basic_auth header is present, the script will validate the credentials in place of SOGo and provide the following headers:
`x-webobjects-remote-user`, `Authorization` and `x-webobjects-auth-type`.
- If no basic_auth header is present, the script will check for an active mailcow admin session for the requested email user and provide the same headers but with the dovecot master password used in the `Authorization` header.
- If both fails the headers will be set empty, which makes SOGo use its standard authentication methods.
All of these options / behaviors are disabled if the `ALLOW_ADMIN_EMAIL_LOGIN` is not enabled in the config.
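Review bot: The page never says what `sogo-auth.php` actually verifies when it states that it "checks permissions, sets session variables and redirects to the SOGo mailbox"; it should spell out that a domain admin can only be mapped onto mailboxes of the domains they administer and that a full admin can open any mailbox, because once `ALLOW_ADMIN_EMAIL_LOGIN=y` is set this check is the only control between an admin session and another user's mail, calendar and contacts. For the same reason the "Drawbacks when enabled" list should lead with the trust implication rather than only performance: the intro already says this works "without knowing the users password", and "Technical details" explains that the Dovecot master password is valid for all mailboxes, so the page should state where that password is stored, how it is generated, and that anyone holding a mailcow admin session (or control of the SOGo container) gains read and write access to every mailbox. The no-logout behaviour in the second drawback also means the impersonation persists until the mailcow UI session is destroyed; saying that explicitly in the bullet would help. Minor wording: "users password" -> "user's password", "Active-Sync" -> "ActiveSync", "to login normally" -> "to log in normally", "If both fails" -> "If both fail", and "basic_auth header" is clearer as "`Authorization: Basic` header".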


@ -48,6 +48,7 @@ nav:
- 'Reset Passwords': 'debug-reset_pw.md' - 'Reset Passwords': 'debug-reset_pw.md'
- 'Remove Persistent Data': 'debug-rm_volumes.md' - 'Remove Persistent Data': 'debug-rm_volumes.md'
- 'Common Problems': 'debug-common_problems.md' - 'Common Problems': 'debug-common_problems.md'
- 'Admin login to SOGo': 'debug-admin_login_sogo.md'
- 'Backup & Restore': - 'Backup & Restore':
- 'Helper script': - 'Helper script':
- 'Backup': 'b_n_r_backup.md' - 'Backup': 'b_n_r_backup.md'
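Review bot: The new nav entry lands in the debugging section between 'Common Problems' and 'Backup & Restore', which matches the `debug-` prefix of `debug-admin_login_sogo.md`, but the page it points to documents an opt-in feature (`ALLOW_ADMIN_EMAIL_LOGIN`) rather than a troubleshooting procedure; if the intent is that admins reach for it when helping a user, keep it here, otherwise pick a file name without the `debug-` prefix now so the URL does not have to change later. Also double-check that the indentation of the added line matches the neighbouring entries, since the rendered diff here does not preserve leading whitespace and a mis-indented item would break the `nav:` list.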