BUG? User-shared mailboxes, shared through SOGo, not working for imap or Sogo

Edited the last post to reflect all information that is relevant to this issue, and re-marked the solution.

Note that email headers on EAX are sending the wrong return path. Other than that, the remaining issues are aesthetic, yet will cause user-moaning.

@alefattorini or @stephdl should I transfer the set ACL issue with SOGo to the bug forum and the rest to the feature request?

1 Like

Please @planet_jeroen, can you test something for me?

vim /etc/sogo/sogo.conf

then you need to change something

  /* 45 AD authentication */
    SOGoUserSources =(
     {
        id = AD_Users;
        type = ldap;
        CNFieldName = cn;
        IDFieldName = sAMAccountName;
  -     UIDFieldName = sAMAccountName;
  +    UIDFieldName = userPrincipalName;

once done restart the sogod service

systemctl restart sogod
systemctl status sogod

then you can go to the inbox sharing panel, remove them if they exist, and add a new acl property

you can check it is the good one by looking in a file for example

vim /var/lib/nethserver/vmail/tata\@nethservertest.org//Maildir/dovecot-acl

It is workable for me, try to login with ‘user@domain’ and ‘user’

I don’t know if you are aware, but if you want to send an email with another user, you must delegate the account by another way

you must use the setting on the full email address name

let me reboot to linux and set up my VPN … will test right away!

1 Like

try to catch some hours of sleep :smiley:

Sleep is overrated :stuck_out_tongue:

This worsens my scenario:

I need to use the ‘mail’ attribute, as the userPrincipalName will be lmst01@domain.com instead of t.account@domain.com

I tested with userPrincipalName and got the above; I tested with ‘mail’ and got the same as with ‘sAMAccountName’. Neither does anything for the mail header from EAX nor for the existing ACLs.

EDIT: please confirm that there is a difference between what you asked me to do and editing the custom template and running a signal-event nethserver-sogo-update ? I just tried what you asked, circumventing the signal-event, and that actually broke SOGo till I ran signal-event and gave a reboot. Maybe I need some of that overrated stuff … I’ll test again after coffee tomorrow

When you do a signal-event you rewrite the file like it was before you modified it. So if you modify directly a configuration file without a custom-template, you just need to restart the service.

You just need to change the line
UIDFieldName = sAMAccountName;
to
UIDFieldName = userPrincipalName;

if you prefer the mail field then change to
UIDFieldName = mail;

I did not catch your story about user1 with an alias t.account@domain.com; maybe it is specific to your use case. That is why I did a fix to choose what the email address is in LDAP.

One question, why not simply call your user t.account? For my understanding, the alias is made rather to change the domain name if it is not fully related to the FQDN of the server.

Just a tip which saved my life in Discourse: try to answer to one of my posts or call me with @stephdl, then I receive a notification… I’m a lazy boy… like every dev.

…must be IT, sysadmin , not much better here :stuck_out_tongue:

1 Like

What I asked you to do in the BUG? User-shared mailboxes, shared through SOGo, not working for imap or Sogo thread is to set the correct ACL for IMAP.

You said that SOGo set the ACL to user instead of user@domain.com; in my test, SOGo now sets the good ACL to user@domain.com.

My concern is now that you created some aliases with a completely different name from the sAMAccountName. Let me explain:

the login field with SOGo is user or user@domain.com,
but you created an alias like toto@domain.com to user@domain.com.
I just tried, but SOGo cannot find you in LDAP with toto@domain.com; therefore, to perform a login I must use user or user@domain.com.

I must say you puzzled me, hence your users will be puzzled too :smiley:

The drawback with NethServer is that you cannot have several (real) FQDNs for email; you must adjust it manually and probably tell your users to use only the sAMAccountName in the login field (user, for example).

I would be interested to understand why you created an alias on the name of the user?

1 Like
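The posts above turn on one detail: whether the identifier written into a mailbox's dovecot-acl file is the bare account name (user=tata) or the fully qualified one (user=tata@domain). As an added example that is not part of this thread, the following Python script parses a dovecot-acl file in Dovecot's documented "<identifier> <rights>" line format, flags user= entries that lack an @domain suffix, and produces a qualified version. The sample ACL text and the domain nethservertest.org are constructed for the demonstration; treating lines beginning with "#" as comments is an assumption of this script, not a documented Dovecot feature.

```python
"""Audit a Dovecot per-mailbox ACL file (dovecot-acl) for user identifiers
that are missing the @domain suffix. Added example, not code from the thread."""

from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the dovecot-acl line format: "<identifier> <rights>".
# "user=tata" is the kind of unqualified entry the thread reports SOGo writing.
SAMPLE_ACL = """\
owner lrwstipekxa
user=tata lrws
user=toto@nethservertest.org lrws
group=staff lr
anyone l
"""

# Dovecot ACL right letters, including the obsolete c/d aliases.
VALID_RIGHTS = set("lrwstipekxacd")
VALID_PREFIXES = ("user=", "group=", "group-override=")
VALID_SPECIALS = {"owner", "authenticated", "anyone"}


@dataclass
class AclEntry:
    identifier: str
    rights: str


def parse_dovecot_acl(text: str) -> List[AclEntry]:
    """Parse dovecot-acl text into entries, rejecting malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' lines are comments
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<identifier> <rights>', got {raw!r}")
        ident, rights = parts
        if ident not in VALID_SPECIALS and not ident.startswith(VALID_PREFIXES):
            raise ValueError(f"line {lineno}: unknown identifier {ident!r}")
        unknown = set(rights) - VALID_RIGHTS
        if unknown:
            raise ValueError(f"line {lineno}: unknown right(s) {sorted(unknown)}")
        entries.append(AclEntry(ident, rights))
    return entries


def find_bare_users(entries: List[AclEntry], domain: str) -> List[Tuple[str, str]]:
    """Return (current identifier, qualified identifier) for user= entries without '@'."""
    findings = []
    for entry in entries:
        if entry.identifier.startswith("user=") and "@" not in entry.identifier:
            name = entry.identifier[len("user="):]
            findings.append((entry.identifier, f"user={name}@{domain}"))
    return findings


def qualify_acl(text: str, domain: str) -> str:
    """Return the ACL text with bare user= identifiers qualified with @domain.

    Other identifiers (owner, group=, anyone, ...) are passed through unchanged,
    and the original right strings are preserved."""
    fixes = dict(find_bare_users(parse_dovecot_acl(text), domain))
    lines = []
    for entry in parse_dovecot_acl(text):
        ident = fixes.get(entry.identifier, entry.identifier)
        lines.append(f"{ident} {entry.rights}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for current, suggested in find_bare_users(parse_dovecot_acl(SAMPLE_ACL), "nethservertest.org"):
        print(f"unqualified ACL entry {current!r}; Dovecot expects {suggested!r}")
    print(qualify_acl(SAMPLE_ACL, "nethservertest.org"), end="")
```

Running it on a real file means reading /var/lib/nethserver/vmail/<user>/Maildir/dovecot-acl into the text argument; the script only reports and produces a corrected text, it never writes the file, so the change can be reviewed before it is applied and the service reloaded.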

Aah… now I get it. You were right, I should have been in bed instead of testing :stuck_out_tongue:
I will test right away if this is fixed that way.

Now for my funny configuration:

I am used to enterprise environments, and secure environments. Both demand that your email address does not reveal any user account information. It also prevents funny logins.

My users get an account, and an email address. I do not intend to tell them their account can also be used as email. Because of that, I do not want to show the username but only the alias.
With my current config I can log in with user and get alias displayed:

dovecot.conf shared user namespace:

namespace SHARED_USERS {
type = shared
disabled = no
separator = /
prefix = Shared/%%n@domain.com/
location = maildir:/var/lib/nethserver/vmail/%%u/Maildir:INDEXPVT=~/Maildir/shared/%%u
subscriptions = no
list = children
}

sogo.conf

 SOGoUserSources =(
     { 
        id = AD_Users;
        type = ldap;
        CNFieldName = cn;
        IDFieldName = sAMAccountName;
        UIDFieldName = sAMAccountName;
        IMAPLoginFieldName = userPrincipalName;
        canAuthenticate = YES;
        bindDN = "sogobind@domain.com";
        bindPassword = "password";
        baseDN = "DC=ad,DC=domain,DC=com";
        bindFields = (
                sAMAccountName,
                userPrincipalName
        );
        hostname = ldaps://nsdc-gr105.ad.domain.com;
        filter = "(objectClass='user')";
        MailFieldNames = ("userPrincipalName");
        scope = SUB;
        displayName = "domain.com users";
        isAddressBook = YES;
     },

So my goal is to create a situation where people who receive mail from us do not automatically have our usernames. I can live with it appearing in a header, but even that is suboptimal given the security issues that arise from broadcasting usernames.

This fully works right now, with 2 visual and 1 technical issue remaining.

Visual:

  • SOGo displays the username on the SOGo webpage
  • IMAP of course reads the account and not the alias and displays that under Other Users.
    These two are illustrated above, but I doubt they are fixable.

Technical:

  • Exchange ActiveSync (and ONLY EAX) sends a wrong return address header. (SOGo doesn’t)

2 Likes

Has the problem been fixed meanwhile? In NethServer 7.5/7.6 I have the same problem sharing mail folders from a user mailbox (no problem with sharing shared mailboxes).
regards yummiweb

Maybe a bit late, but in NethServer 7.9 this behavior seems to be fixed.

Yesterday I was wondering about some dysfunctional Dovecot-related scripts; they had been functional for more than one year (since 7.7).

It seems that since NethServer 7.9 Dovecot uses the AD username with the @domain suffix as the name for mailbox users. Without this suffix the mail user is “non-existent” for Dovecot.

So the SOGo folder sharing is administrable and functional in the SOGo web GUI (now? since then?).

Was this new behavior (changed in 7.9) documented somewhere? Or did I miss it?

regards yummiweb