1 (edited by dnwahs 2015-10-31 03:24:19)

Topic: Security issue Domains not truly isolated

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.2
- Linux/BSD distribution name and version: Centos6.7 x86_64
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MYSQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? iRedAdmin (not pro)
- Related log if you're reporting an issue:
====

So we have created two domains domain.aa and domain.bb
And when sharing (calendar, folder, or even contacts) we are able to do a search and see domain.bb
Is there a database setting that stops this?

Not sure if it makes a difference but:

This server has multiple domains pointed at it in dns to the one ip address. Currently the apache config for SOGO has

<Proxy http://127.0.0.1:20000/SOGo>
## adjust the following to your configuration
  RequestHeader set "x-webobjects-server-port" "443"
  RequestHeader set "x-webobjects-server-name" "mail.domain.aa"
  RequestHeader set "x-webobjects-server-url" "https://mail.domain.aa"

## When using proxy-side authentication, you need to uncomment and
## adjust the following line:
  RequestHeader unset "x-webobjects-remote-user"
#  RequestHeader set "x-webobjects-remote-user" "%{REMOTE_USER}e" env=REMOTE_USER

  RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
</Proxy>


2

Re: Security issue Domains not truly isolated

Try this: find '//bindAsCurrentUser = YES;' in /etc/sogo/sogo.conf, remove the '//' to enable it, restart SOGo service and try again.

3

Re: Security issue Domains not truly isolated

That is an option for LDAP, not MySQL. Per the original post I'm running MySQL with the default sogo.conf from the iRedMail install. Please advise. I tried putting the domain setting in the sogo.conf and moving SOGoUserSources under each domain per the SOGo documentation, but that didn't work. That killed the server upon login as it ate up all system resources.

4

Re: Security issue Domains not truly isolated

I have no idea.

We create a SQL VIEW in the SOGo database, then SOGo queries this VIEW to get the login username/password. But I didn't find any setting which can control the SQL query performed by SOGo. So if you want to achieve this with the default iRedMail setting, I suggest you ask this question on the SOGo mailing list instead.

Another way to achieve this is mentioned in SOGo document: http://www.sogo.nu/files/docs/SOGo%20In … 0Guide.pdf

Check section "Multi-domains Configuration".

5

Re: Security issue Domains not truly isolated

Ok, so i figured out the issue.

Firstly I'm running SOGo 2.3.2 and with it you no longer need the domain definitions in the sogo.conf file.
After looking at source code and mysql setting this was the issue:

Your SQL view does not include a reference to the domain from vmail.mailbox.
I added domain to the sogo.users view
and also added the following two lines to /etc/sogo/sogo.conf:
SOGoEnableDomainBasedUID = YES;
DomainFieldName = "domain";

Thanks for your help, and the issue is now resolved.
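Below is a worked version of the fix described in this post and in post 4, written as an added example for this thread rather than copied from iRedMail's installer: it rebuilds the sogo.users view so that each row carries the owning domain, then runs two check queries. The vmail.mailbox column names (username, password, name, domain, active) and the view column set (c_uid, c_name, c_password, c_cn, mail) are assumptions about the iRedMail schema and about what SOGo's SQL user source reads; verify them against your own database before applying.

```sql
-- Added example (MySQL). Assumes iRedMail's vmail.mailbox table and a
-- sogo database already exist; column names are assumptions, check them
-- with:  DESCRIBE vmail.mailbox;  and  SHOW CREATE VIEW sogo.users;

-- 1. Rebuild the view SOGo authenticates against, adding a `domain`
--    column taken straight from vmail.mailbox. CREATE OR REPLACE keeps
--    any grants already given on sogo.users intact.
CREATE OR REPLACE VIEW sogo.users (c_uid, c_name, c_password, c_cn, mail, domain) AS
  SELECT username,   -- c_uid:      login name (full address)
         username,   -- c_name:     same value, used as the display/login key
         password,   -- c_password: hashed password SOGo checks
         name,       -- c_cn:       display name
         username,   -- mail:       address shown in the address book
         domain      -- domain:     the column DomainFieldName points at
  FROM vmail.mailbox
  WHERE active = 1;

-- 2. Check 1: every account should now expose its domain. Any NULL or
--    empty domain here means SOGo cannot scope that user and the
--    isolation will silently fail for them.
SELECT domain, COUNT(*) AS accounts
FROM sogo.users
GROUP BY domain
ORDER BY domain;

-- 3. Check 2: the kind of per-domain lookup that becomes possible once
--    the column exists. Run with a user from domain.aa; the result must
--    not contain any domain.bb address.
SELECT c_uid, c_cn, mail
FROM sogo.users
WHERE domain = 'domain.aa'
ORDER BY c_uid;
```

After the view is in place, set SOGoEnableDomainBasedUID = YES; and DomainFieldName = "domain"; in /etc/sogo/sogo.conf as the post says, restart SOGo, then log in as a domain.aa user and search the shared address book: domain.bb accounts should no longer appear. Keep the view restricted to active accounts so disabled mailboxes do not reappear in other users' searches.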

6

Re: Security issue Domains not truly isolated

Thanks for sharing, I tested and it works.

Next iRedMail release will have this isolated global address book enabled by default.
https://bitbucket.org/zhb/iredmail/comm … f2d444aef0

== UPDATE ==

This change is covered in upgrade tutorial for upcoming iRedMail release (0.9.3).