Solved Cannot login to SOGo anymore

I am not sure what caused this (maybe a portmaster upgrade), but since a few days ago I have not been able to log in to my SOGo instance, while my Android client (K9) and Geary are working just fine.

When I try to log in from SOGo it gets stuck on the "Authenticating" screen. I checked the mail log and see the following:

Code:
Mar 29 22:31:20 3rr0r dovecot[26274]: managesieve-login: Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied

I have these inside my dovecot.conf:

Code:
service managesieve-login {
  chroot =
  drop_priv_before_exec = yes
  group = dovenull
  inet_listener sieve {
    port = 4190
  }
  process_min_avail = 0
  service_count = 1
  user = dovenull
  vsz_limit = 64 M
}
.
.
.
service stats {
  fifo_listener stats-mail {
    group = mail
    mode = 0600
    user = mailnull
  }
  unix_listener stats-reader {
    group = mail
    mode = 0600
    user = mailnull
  }
  unix_listener stats-writer {
    group = mail
    mode = 0660
    user = dovecot
  }
}

Either I have to set mode = 0666 on unix_listener stats-writer or drop_priv_before_exec = no on service managesieve-login for the permission denied error to disappear; which obviously is not the correct way to do things. And, this configuration has been working for years.

Even after the error disappears the SOGo web frontend still gets stuck in the 'Authenticating' screen. Checking the SOGo logs:

Code:
Mar 29 22:37:34 sogod [31888]: 127.0.0.1 "GET /SOGo HTTP/1.1" 302 0/0 0.005 - - -
Mar 29 22:37:35 sogod [31888]: 127.0.0.1 "GET /SOGo/ HTTP/1.1" 200 7438/0 0.027 27592 73% -
Mar 29 22:37:45 sogod [31888]: SOGoRootPage successful login from '127.0.0.1' for user 'someinbox@babaei.net' - expire = -1  grace = -1
Mar 29 22:37:45 sogod [31888]: 127.0.0.1 "POST /SOGo/connect HTTP/1.1" 200 51/86 0.055 - - -

As can be seen, the login is also successful. I have no idea why this is not working. Any ideas?
 
OK, I finally figured out what was wrong. For anyone coming across the same issue: I had enabled some nginx hardening on my server and that was the real cause of the issue. Even enabling more verbose logging in SOGo did not help:

Code:
  GCSFolderDebugEnabled = YES;
  GCSFolderStoreDebugEnabled = YES;
  LDAPDebugEnabled = YES;
  MySQL4DebugEnabled = YES;
  NGImap4DisableIMAP4Pooling = YES;
  ImapDebugEnabled = YES;
  OCSFolderManagerSQLDebugEnabled = YES;
  PGDebugEnabled = YES;
  SOGoDebugRequests = YES;
  SOGoMailKeepDraftsAfterSend = YES;
  SOGoUIxDebugEnabled = YES;
  SoDebugObjectTraversal = YES;
  SoSecurityManagerDebugEnabled = YES;
  WODontZipResponse = YES;
  WODebugZipResponse = YES;

By chance, I decided to investigate the Firefox console and noticed that some inline scripts and font files had failed to load due to the Content-Security-Policy. So, I changed the following line in my Nginx configuration from:

Code:
add_header  Content-Security-Policy     "default-src 'none'; base-uri 'self'; child-src https://embed.ted.com https://www.youtube-nocookie.com; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src https://embed.ted.com https://www.youtube-nocookie.com; img-src 'self' https://i.vimeocdn.com; media-src 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'";

To:

Code:
add_header  Content-Security-Policy     "default-src 'none'; base-uri 'self'; child-src https://embed.ted.com https://www.youtube-nocookie.com; connect-src 'self'; font-src 'self' data:; form-action 'self'; frame-ancestors 'none'; frame-src https://embed.ted.com https://www.youtube-nocookie.com; img-src 'self' https://i.vimeocdn.com; media-src 'self'; object-src 'none'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'";

Effectively changing font-src 'self'; to font-src 'self' data:; and script-src 'self'; to script-src 'self' 'unsafe-eval' 'unsafe-inline';.

That solved it for me.
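A small checker for this kind of change, added here as an example and not part of the original post or of SOGo/nginx: it parses the two Content-Security-Policy values quoted above (copied verbatim from the post) into directive/source sets, reports exactly which directives gained or lost sources, and flags the additions that weaken the policy. It also resolves a directive that is absent from the header to the `default-src` fallback the browser would apply, so you can see what, for instance, `manifest-src` effectively allows. The function names and the `RISKY_SOURCES` list are this example's own choices.

```python
"""Diff two Content-Security-Policy header values and flag risky additions.

Added example; the two policies below are the nginx add_header values from the
post. Everything else (function names, RISKY_SOURCES, FALLBACK) is this
example's own choice, not SOGo or nginx code.
"""

BEFORE = ("default-src 'none'; base-uri 'self'; child-src https://embed.ted.com "
          "https://www.youtube-nocookie.com; connect-src 'self'; font-src 'self'; "
          "form-action 'self'; frame-ancestors 'none'; frame-src https://embed.ted.com "
          "https://www.youtube-nocookie.com; img-src 'self' https://i.vimeocdn.com; "
          "media-src 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; "
          "style-src 'self' 'unsafe-inline'")

AFTER = ("default-src 'none'; base-uri 'self'; child-src https://embed.ted.com "
         "https://www.youtube-nocookie.com; connect-src 'self'; font-src 'self' data:; "
         "form-action 'self'; frame-ancestors 'none'; frame-src https://embed.ted.com "
         "https://www.youtube-nocookie.com; img-src 'self' https://i.vimeocdn.com; "
         "media-src 'self'; object-src 'none'; script-src 'self' 'unsafe-eval' "
         "'unsafe-inline'; style-src 'self' 'unsafe-inline'")

# Source expressions that widen a fetch directive well beyond 'self'.
RISKY_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "data:", "blob:", "*"}

# Fetch directives that fall back to another directive when absent (CSP3).
# Navigation directives such as base-uri and form-action have no fallback.
FALLBACK = {
    "frame-src": "child-src",
    "child-src": "default-src",
    "script-src": "default-src", "style-src": "default-src",
    "font-src": "default-src", "img-src": "default-src",
    "connect-src": "default-src", "media-src": "default-src",
    "object-src": "default-src", "manifest-src": "default-src",
}


def parse_csp(policy):
    """Return {directive_name: set(source_expressions)}.

    Directives are ';'-separated; the first token of each is the (case-insensitive)
    directive name. A repeated directive name is ignored, as browsers do: the
    first occurrence wins.
    """
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = set(tokens[1:])
    return directives


def effective_sources(policy, directive):
    """Sources a browser applies for `directive`, walking the fallback chain.

    Returns None when nothing applies (directive absent and no fallback).
    """
    while directive not in policy:
        if directive not in FALLBACK:
            return None
        directive = FALLBACK[directive]
    return policy[directive]


def diff_csp(before, after):
    """Per-directive added/removed source sets between two parsed policies."""
    changes = {}
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name, set()), after.get(name, set())
        if old != new:
            changes[name] = {"added": new - old, "removed": old - new}
    return changes


def risky_additions(changes):
    """Only the added sources that appear in RISKY_SOURCES, keyed by directive."""
    out = {}
    for name, change in changes.items():
        risky = change["added"] & RISKY_SOURCES
        if risky:
            out[name] = risky
    return out


if __name__ == "__main__":
    changes = diff_csp(parse_csp(BEFORE), parse_csp(AFTER))
    for name, change in changes.items():
        print(f"{name}: +{sorted(change['added'])} -{sorted(change['removed'])}")
    for name, risky in risky_additions(changes).items():
        print(f"WARNING {name} now allows {sorted(risky)}")
```

Run against the two headers from the post, the diff shows only two changes: `font-src` gained `data:` and `script-src` gained `'unsafe-eval'` (`'unsafe-inline'` was already present in the original policy). With both `'unsafe-inline'` and `'unsafe-eval'` on `script-src`, the header no longer constrains script execution on that origin, so if the relaxed policy is only needed by SOGo it is worth setting that `add_header` inside the `location` block that proxies `/SOGo` and keeping the stricter header at server level; nginx does not inherit `add_header` from the enclosing level once a location defines its own, so the two policies stay separate.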
 