BUG? User-shared mailboxes, shared through SOGo, not working for imap or Sogo

The issue is SOGo using only the username part of username@domain.com when setting ACLs.

When ACLs are set with, for instance, Thunderbird with the ImapACL extension installed, to username@domain.com, everything starts working as expected.

This implies that it reads them differently than it sets them. This seems a SOGo bug, possibly due to configuration, but maybe even dovecot as I remember having set them manually with doveadm iirc, to username@domain.com

@davidep some time ago you did a card (needs review) in the roadmap on the possible removal of the @domain in vmail

Is it related?

Hallelujah. This is solved, for me at least, with a major bug on the SOGo webmail and Exchange ActiveSync end:

username1: abc012@domain.com
username2: abct01@domain.com

email1: j.m.visser@domain.com
email2: t.account@domain.com

Special config:

config setprop sogod IMAPLoginFieldName mail
signal-event nethserver-sogo-update

Open ADUC:

  • set user e-mail to friendly email
  • rename user abc012 (to get rid of some references to abc012 and replace with j.m. visser, but leave login as is)
  • do not rename abct01 for testing purpose

login with IMAP client (Thunderbird) and user-shared mailboxes are now displayed and working.
login with SOGo with abc012: shared mailbox is not displayed
login with SOGo with abct01: shared mailbox is displayed as abc012@domain.com

Keep in mind that in IMAP this is now fully working as expected and as I need, so I think the applied patch edits one field too much, where the config should actually use the userPrincipalName… this must be SOGo local.

In all, I dare say this is not a Nethserver issue, nor a dovecot issue, but a SOGo issue in both setting ACL permissions on mailboxes (leaving out the @domain.com part while trying to find the user with domainname attached) and processing the permissions.

If I leave out the mail address from the user AD properties, and default to abc0123@domain.com, sharing works as expected in SOGo too.

My knowledge is too limited to pinpoint the exact cause here … I’m glad I got this far :stuck_out_tongue:

@stephdl … which SOGo directive should I change back to userPrincipalName in order for SOGo to display the entered email address, but work with the username when going to the filesystem?

SOGo: (The shared folder is a group mailbox)

Thunderbird:

It would be nice to be able to display the user display name below Shared in Thunderbird, but that is not so much a bug as a feature request I would say :stuck_out_tongue:

The resulting new issue is that both the SOGo web client and the Exchange ActiveSync implementation no longer find the mailbox. I can log in, I get an empty mailbox and no user-shared mailbox, but I do get the group-shared mailbox.

ls in …/nethserver/vmail reveals I now have a folder abc012@domain.com AND a j.m.visser@domain.com

I’d say that for my case the fix to get the alias to show fixed too much, but this can be mended by using user options. If we use the userPrincipalName, but set the desired email address manually in SOGo settings and IMAP settings, all that remains are headers revealing a username, but the wanted alias is displayed to receiving users.

That is an idea to allow changing the host FQDN without moving Maildirs around. The internal identifier used by dovecot for ACLs could be affected too.

I want to read this thread carefully. Please give me some time to study it. Anyway, I remember troubles with SOGo and shared folders from the times of ns6.

1 Like

I created a lot of fuss in this topic, take my last input as leading please.

Setting ACLs with SOGo makes them inoperable for IMAP and SOGo.
Setting ACLs with Thunderbird using the IMAP ACL plugin makes it work for both IMAP and SOGo.

Using the ‘fix’ to willfully use the AD mail property instead of userPrincipalName in the SOGo configuration makes IMAP work as desired, but breaks SOGo and Exchange ActiveSync functionality, as it also changes the location where SOGo is looking for (and storing) mail.

I need to change the SOGo config and use userPrincipalName in one specific place to make SOGo read from there (and by extension EAX) and that part is fully functional.

The real issue is SOGo setting ACLs wrong. That is, setting ACLs through the webmail will set the rights to user instead of user@domain.com. I dare say it is wrong, because it cannot process them itself either. After setting ACLs with Thunderbird and without using the ‘fix’ to use the AD mail property (and thus defaulting back to userPrincipalName) SOGo displays the user-shared mailboxes as well.

So the real bug here is how SOGo sets the ACLs.

1 Like

it could be a nice feature to be able to change the FQDN after the users are configured :slight_smile:

What did you modify, please?

That actually didn’t work either. This was an assumption that didn’t pan out.

I did discover that after setting the email and return address to the alias on the user IMAP settings page in SOGo, most things start working as expected, including headers. Annoyances left are purely visual on the user end in the IMAP scenario. Will add screenshots when at work.

So … because I just wasn’t sure where to look and what to set, and it seems not many people use this specific configuration, as well as confusion about what I was trying to do, I had a huge mess of assumptions running amok.

I have since cleaned that mess, and the end result is almost as I like it.

First of all, the SOGo bug regarding setting ACLs is real in my perception, the rest is not.
The real issue is SOGo setting ACLs wrong. That is, setting ACLs through the webmail will set the rights to user instead of user@domain.com. I dare say it is wrong, because it cannot process them itself either. After setting ACLs with Thunderbird and without using the ‘fix’ to use the AD mail property (and thus defaulting back to userPrincipalName) SOGo displays the user-shared mailboxes as well.

What follows is a quick and dirty on how to get my current config and what that does. It has several undocumented features that, once you know them, really help you out here, intended or not.

  1. install NethServer 1 with Samba AD and create users user1 and user2
  2. install NethServer 2, join it to that AD, install SOGo
  3. create aliases for both users; t.account@domain.com and t.account2@domain.com
  4. log in to the SOGo web interface and fill in the e-mail alias as shown below:
  5. open ADUC and set AD property mail to the e-mail alias

Note I did not apply the userPrincipalName fix for the IMAPLoginFieldName.

Logging into SOGo now displays:

IMAP through Thunderbird shows:

Headers while sending mail from t.account@domain.com:

IMAP:

X-Spam-Status: No, score=0.0, required= 4.0
X-MS-Exchange-Organization-PCL: 0
X-MS-Exchange-Organization-SCL: 0
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) * on
	server1.domain2.local * at Wed, 22 Nov 2017 09:39:28 +0100
X-Spam-Status: No, score=-0.0, hits=-0.0, required= 8, autolearn=no
	autolearn_force=no, shortcircuit=no
X-Spam-Report: * -0.5 ALL_TRUSTED Passed through trusted hosts only via SMTP
	* -0.0 BAYES_20 BODY: Bayes spam probability is 5 to 20%
	*      [score: 0.1791]
	*  0.5 JAM_SHORT_MAIL_WITH_URL Mail with less than 150 chars and containing
	*       an URL
X-Process: ESTProcessDone
Received: from server2.domain.com (172.16.1.12) by
 remote.domain2.nl (192.168.50.2) with Microsoft SMTP Server id
 8.3.485.1; Wed, 22 Nov 2017 10:22:38 +0100
Received: from server2.domain.com (localhost [127.0.0.1])	by
 server2.domain.com (Postfix) with ESMTP id C7F031802C393	for
 <jeroenvisser@domain2.nl>; Wed, 22 Nov 2017 10:22:38 +0100 (CET)
Received: from [192.168.50.38] (unknown [192.168.50.38])	(Authenticated
 sender: lmst01)	by server2.domain.com (Postfix) with ESMTPSA	for
 <jeroenvisser@domain2.nl>; Wed, 22 Nov 2017 10:22:38 +0100 (CET)
To: jeroenvisser@domain2.nl
From: Test Account <t.account@domain.com>
Subject: IMAP header test
Message-ID: <c6776887-38b1-0206-f95b-8ebf250d3bdb@domain.com>
Date: Wed, 22 Nov 2017 10:22:43 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101
 Thunderbird/52.4.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: nl
X-Antivirus: Avast (VPS 171121-4, 21-11-2017), Outbound message
X-Antivirus-Status: Clean
Return-Path: t.account@domain.com
X-Antivirus: avast! (VPS 171121-4, 21-11-2017), Inbound message
X-Antivirus-Status: Clean

SOGo:

X-Spam-Status: No, score=-2.4, required= 4.0
X-MS-Exchange-Organization-PCL: 0
X-MS-Exchange-Organization-SCL: 0
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) * on
	server2.domain2.local * at Wed, 22 Nov 2017 09:39:28 +0100
X-Spam-Status: No, score=-2.4, hits=-2.4, required= 8, autolearn=no
	autolearn_force=no, shortcircuit=no
X-Spam-Report: * -0.5 ALL_TRUSTED Passed through trusted hosts only via SMTP
	* -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
	*      [score: 0.0002]
	*  0.0 HTML_MESSAGE BODY: HTML included in message
X-Process: ESTProcessDone
Received: from server1.domain.com (172.16.1.12) by
 remote.domain2.nl (192.168.50.2) with Microsoft SMTP Server id
 8.3.485.1; Wed, 22 Nov 2017 10:25:51 +0100
Received: from server1.domain.com (localhost [127.0.0.1])	by
 server1.domain.com (Postfix) with ESMTP id 0F063180336F7	for
 <jeroenvisser@domain2.nl>; Wed, 22 Nov 2017 10:25:51 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])	by server1.domain.com
 (Postfix) with ESMTP	for <jeroenvisser@domain2.nl>; Wed, 22 Nov 2017
 10:25:50 +0100 (CET)
Content-Type: multipart/alternative;
	boundary="----=_=-_OpenGroupware_org_NGMime-5635-1511342750.890552-1------"
From: Test Account <t.account@domain.com>
Reply-To: t.account@domain.com
X-Forward: 192.168.50.38
Date: Wed, 22 Nov 2017 10:25:50 +0100
To: jeroenvisser@domain2.nl
MIME-Version: 1.0
Message-ID: <1603-5a154280-b-29a18ac0@211616679>
Subject: SOGo header test
User-Agent: SOGoMail 3.2.10
Return-Path: t.account@domain.com
X-Antivirus: avast! (VPS 171121-4, 21-11-2017), Inbound message
X-Antivirus-Status: Clean

EAX: (return path wrong)

X-Spam-Status: No, score=-0.6, required= 4.0
X-MS-Exchange-Organization-PCL: 0
X-MS-Exchange-Organization-SCL: 0
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) * on
	server2.domain2.local * at Wed, 22 Nov 2017 10:39:42 +0100
X-Spam-Status: No, score=-0.6, hits=-0.6, required= 8, autolearn=ham
	autolearn_force=no, shortcircuit=no
X-Spam-Report: * -0.5 ALL_TRUSTED Passed through trusted hosts only via SMTP
	*  0.4 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
	*  0.0 HTML_MESSAGE BODY: HTML included in message
	* -0.5 BAYES_05 BODY: Bayes spam probability is 1 to 5%
	*      [score: 0.0256]
X-Process: ESTProcessDone
Received: from server1.domain.com (172.16.1.12) by
 remote.domain2.nl (192.168.50.2) with Microsoft SMTP Server id
 8.3.485.1; Wed, 22 Nov 2017 10:45:12 +0100
Received: from server1.domain.com (localhost [127.0.0.1])	by
 server1.domain.com (Postfix) with ESMTP id 03EB5180336F8	for
 <jeroenvisser@domain2.nl>; Wed, 22 Nov 2017 10:45:12 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])	by server1.domain.com
 (Postfix) with ESMTP	for <jeroenvisser@domain2.nl>; Wed, 22 Nov 2017
 10:45:11 +0100 (CET)
From: Test Account <t.account@domain.com>
To: <jeroenvisser@domain2.nl>
Subject: EAX header test
Date: Wed, 22 Nov 2017 10:45:16 +0100
Message-ID: <001201d36376$9a34d200$ce9e7600$@domain.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0013_01D3637E.FBF98820"
X-Mailer: Microsoft Outlook 16.0
Content-Language: nl
Thread-Index: AdNjdpd2gB1RuivzQiaqcxBYqUJm8Q==
Return-Path: lmst01@domain.com
X-Antivirus: avast! (VPS 171121-4, 21-11-2017), Inbound message
X-Antivirus-Status: Clean

The only 3 issues left are mainly aesthetic, but will cause users to moan. They are:

  1. SOGo web interface displaying the username instead of the email alias in the top left
  2. IMAP (dovecot) will display the Shared mailbox using the username instead of the Full name or the email alias.
  3. Return-Path for EAX mail is using the username instead of the alias. Only shows in the header.

It seems I messed up some replace actions for domain and domain2, rendering the headers a bit confusing. The part that matters is that t.account is used and not lmst01 (the user in this scenario).

2 Likes

Edited the last post to reflect all information that is relevant to this issue, and re-marked the solution.

Note that email headers on EAX are sending the wrong return path. Other than that, remaining issues are aesthetic, yet will cause user moaning.

@alefattorini or @stephdl should I transfer the set ACL issue with SOGo to the bug forum and the rest to the feature request?

1 Like

Please @planet_jeroen, can you test something for me

vim /etc/sogo/sogo.conf

then you need to change something

  /* 45 AD authentication */
    SOGoUserSources =(
     {
        id = AD_Users;
        type = ldap;
        CNFieldName = cn;
        IDFieldName = sAMAccountName;
  -     UIDFieldName = sAMAccountName;
  +    UIDFieldName = userPrincipalName;

once done restart the sogod service

systemctl restart sogod
systemctl status sogod

then you can go to the inbox sharing panel, remove them if they exist, and add a new acl property

you can check it is the good one by looking in a file for example

vim /var/lib/nethserver/vmail/tata\@nethservertest.org//Maildir/dovecot-acl

It is workable for me, try to login with ‘user@domain’ and ‘user’

I don’t know if you are aware, but if you want to send an email with another user, you must delegate the account by another way

you must use the setting on the full email address name
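A small checker for the dovecot-acl file mentioned above, written as an added example (not code from this thread, from NethServer or from SOGo): it flags user= entries that carry no @domain part, the symptom the thread attributes to SOGo, and rewrites them with the mailbox domain. The line format ("<identifier> <rights>", letter-form rights, # comments) is an assumption noted in the code; the sample file is constructed.

```python
import re

# Dovecot's single-letter ACL rights: lookup, read, write, write-seen,
# write-deleted, insert, post, expunge, create, delete, admin.
VALID_RIGHTS = set("lrwstipekxa")
# Assumed dovecot-acl line shape: "<identifier> <rights>" (rights may be empty).
ACL_LINE = re.compile(r"^(?P<id>\S+)(?:\s+(?P<rights>\S*))?\s*$")


def parse_acl(text):
    """Return (identifier, rights) tuples; blank lines and # comments skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ACL_LINE.match(line)
        if m is None:
            raise ValueError("malformed dovecot-acl line: %r" % raw)
        rights = m.group("rights") or ""
        unknown = set(rights) - VALID_RIGHTS
        if unknown:
            raise ValueError("unknown right(s) %s in %r" % (sorted(unknown), raw))
        entries.append((m.group("id"), rights))
    return entries


def bare_user_entries(text):
    """Names of user=<name> entries lacking an @domain part: dovecot compares the
    identifier with the full login (abc012@domain.com), so user=abc012 never matches."""
    return [ident[len("user="):] for ident, _ in parse_acl(text)
            if ident.startswith("user=") and "@" not in ident]


def fix_acl(text, domain):
    """Append @<domain> to bare user= identifiers; every other line is kept as is."""
    parse_acl(text)  # reject malformed lines or unknown rights before rewriting
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            out.append(raw)
            continue
        ident, rights = ACL_LINE.match(line).group("id", "rights")
        if ident.startswith("user=") and "@" not in ident:
            ident = "%s@%s" % (ident, domain)
        out.append(("%s %s" % (ident, rights or "")).rstrip())
    return "\n".join(out) + "\n"


# Constructed sample: a bare-name entry (the SOGo symptom) beside a correct one.
SAMPLE_ACL = """\
# constructed sample dovecot-acl
owner lrwstipekxa
user=abc012 lrs
user=abct01@domain.com lrwstipekxa
"""
if __name__ == "__main__":
    print(bare_user_entries(SAMPLE_ACL))  # ['abc012']
    print(fix_acl(SAMPLE_ACL, "domain.com"), end="")
```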

let me reboot to linux and set up my VPN … will test right away!

1 Like

try to catch some hours of sleep :smiley:

Sleep is overrated :stuck_out_tongue:

This worsens my scenario:

I need to use the ‘mail’ attribute, as the userPrincipalName will be lmst01@domain.com instead of t.account@domain.com

I tested with userPrincipalName and got above, I tested with ‘mail’ and got the same as with ‘sAMAccountName’, neither does anything for the mail header from EAX nor the existing ACL’s.

EDIT: please confirm that there is a difference between what you asked me to do and editing the custom template and running a signal-event nethserver-sogo-update ? I just tried what you asked, circumventing the signal-event, and that actually broke SOGo till I ran signal-event and gave a reboot. Maybe I need some of that overrated stuff … I’ll test again after coffee tomorrow

When you do a signal-event you rewrite the file like it was before you modified it. So if you modify directly a configuration file without a custom-template, you just need to restart the service.

You just need to change the line
UIDFieldName = sAMAccountName;
to
UIDFieldName = userPrincipalName;

if you prefer the mail field then change to
UIDFieldName = mail;

I did not catch your story about user1 with an alias t.account@domain.com; maybe it is specific to your use case, that is why I did a fix to choose what is the email address in LDAP.

One question: why not simply call your user t.account? For my understanding, the alias is made rather to change the domain name if it is not fully related to the FQDN of the server.

Just a tip which saved my life in Discourse: try to answer one of my posts or call me with @stephdl, I receive a notification… I’m a lazy boy … like every dev.

…must be IT, sysadmin , not much better here :stuck_out_tongue:

1 Like

What I ask you to do in the BUG? User-shared mailboxes, shared through SOGo, not working for imap or Sogo is to set the correct acl to imap.

You said that SOGo sets the ACL to user instead of user@domain.com; for my test, SOGo now sets the good ACL to user@domain.com.

My concern is now that you created some aliases with a completely different name from the sAMAccountName. I explain it:

the login field with SOGo is user or user@domain.com
but you created an alias like toto@domain.com to user@domain.com
I just tried, but SOGo cannot find you in LDAP with toto@domain.com, therefore to perform a login I must use user or user@domain.com

I must say you puzzled me, hence your users will be also :smiley:

The drawback with NethServer is that you cannot have several (real) FQDNs for email, you must adjust it manually and probably say to your users to use only the sAMAccountName in the login field (user for example)

I would be interested to understand why you created an alias on the name of the user?

1 Like

Aah … now I get it. You were right, should have been in bed instead of testing :stuck_out_tongue:
I will test right away if this is fixed that way.

Now for my funny configuration:

I am used to enterprise environments, and secure environments. Both demand that your email address does not reveal any user account information. It also prevents funny logins.

My users get an account, and an email address. I do not intend to tell them their account can also be used as email. Because of that, I do not want to show the username but only the alias.
With my current config I can log in with user and get alias displayed:

dovecot.conf shared user namespace:

namespace SHARED_USERS {
type = shared
disabled = no
separator = /
prefix = Shared/%%n@domain.com/
location = maildir:/var/lib/nethserver/vmail/%%u/Maildir:INDEXPVT=~/Maildir/shared/%%u
subscriptions = no
list = children
}

sogo.conf

 SOGoUserSources =(
     { 
        id = AD_Users;
        type = ldap;
        CNFieldName = cn;
        IDFieldName = sAMAccountName;
        UIDFieldName = sAMAccountName;
        IMAPLoginFieldName = userPrincipalName;
        canAuthenticate = YES;
        bindDN = "sogobind@domain.com";
        bindPassword = "password";
        baseDN = "DC=ad,DC=domain,DC=com";
        bindFields = (
                sAMAccountName,
                userPrincipalName
        );
        hostname = ldaps://nsdc-gr105.ad.domain.com;
        filter = "(objectClass='user')";
        MailFieldNames = ("userPrincipalName");
        scope = SUB;
        displayName = "domain.com users";
        isAddressBook = YES;
     },

So my goal is to create a situation where people who receive mail from us do not automatically have our usernames. I can live with it appearing in a header, but even that is suboptimal given security issues that arise from broadcasting usernames.

This fully works right now, with 2 visual and 1 technical issue remaining.

Visual:

  • SOGo displays the username on the SOGo webpage
  • IMAP of course reads the account and not the alias and displays that under Other Users.
    These two are illustrated above, but I doubt they are fixable.

Technical:

  • Exchange ActiveSync (and ONLY EAX) sends a wrong return address header. (SOGo doesn’t)

2 Likes

Has the problem been fixed meanwhile? In NethServer 7.5/7.6 I have the same problem sharing mail folders from a user mailbox (no problem with sharing shared mailboxes).
regards yummiweb

Maybe a bit late, but in NethServer 7.9 this behavior seems to be fixed.

Yesterday I was wondering about some dysfunctional dovecot-related scripts; they were functional for more than one year (since 7.7).

It seems that since NethServer 7.9 dovecot is using as name for the mailbox users the AD username with the addition of the @domain. Without this addition the mail user is “non existent” for dovecot.

So the SOGo folder sharing is administrable and functional in the SOGo web GUI (now? since then?).

Was this new behavior (changing in 7.9) documented somewhere? Or did I miss this?

regards yummiweb