Hello

On 19.09.24 at 16:13, Kees van Vloten (keesvanvlo...@gmail.com) wrote:

> On 19-09-2024 15:56, qhivert (qhiv...@alinto.eu) wrote:
>
>> To add my 2 cents by reading the code: in the case of SOGoTrustProxyAuthentication = YES; Sogo will check the presence of the header "x-webobjects-auth-type" : "Basic". If yes, it will use the Basic access authentication -> https://en.wikipedia.org/wiki/Basic_access_authentication to get the password. I don't know how you make apache retrieve the password and put it in this header though...
>
> I would not know how to do that either, but Sogo **will** get the username from Apache. Since Apache has done the authentication and the user has passed it, we trust the user. Another check that the user can pass authentication will render the same result, hence it has no added value.

[cut]

As you are having all on one server, that is true.

But if you have a separate IMAP + SMTP server, and someone compromises the SOGo server, in your setting that person has complete access to all postboxes from the SOGo server and can send as whoever he likes. If you have to authenticate against IMAP and SMTP, then he can only misuse those postboxes currently logged in.

Kind regards,
Christian Mack

--
Christian Mack
Universität Konstanz
Kommunikations-, Informations-, Medienzentrum (KIM)
Abteilung IT-Dienste Forschung, Lehre, Infrastruktur
78457 Konstanz
+49 7531 88-4416
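A small model of the two proxy-trust paths discussed in this thread, added here as an illustration and not SOGo's own code: when the front-end forwards "x-webobjects-auth-type: Basic", the application can recover a password from the Basic Authorization header and re-authenticate against IMAP/SMTP; otherwise it only receives a username. The remote-user header name and the sample credentials are assumptions made for the example.

```python
import base64
import binascii
from typing import Dict, Optional, Tuple

# "x-webobjects-auth-type" is the header named in the thread; the remote-user
# header name below is an assumption for this illustration, not taken from SOGo.
AUTH_TYPE_HEADER = "x-webobjects-auth-type"
REMOTE_USER_HEADER = "x-webobjects-remote-user"  # assumed name

# Constructed sample: base64("alice:s3cret"), as a browser or proxy would send it.
SAMPLE_BASIC_VALUE = "Basic YWxpY2U6czNjcmV0"


def parse_basic_authorization(value: str) -> Optional[Tuple[str, str]]:
    """Decode an RFC 7617 'Basic <base64(user:password)>' header value.

    Returns (user, password), or None when the scheme is not Basic or the
    token is malformed (bad base64, missing ':' separator, empty user).
    """
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    user, sep, password = raw.partition(":")
    if not sep or not user:
        return None
    return user, password


def proxy_credentials(headers: Dict[str, str]) -> Optional[Tuple[str, Optional[str]]]:
    """Model which identity and password the application ends up holding.

    With the Basic marker present, both user and password are available, so
    the backend can still be asked to authenticate the user against IMAP/SMTP.
    Without it, only the proxy-asserted username is available (password None),
    which is the "trust the proxy completely" situation debated in the thread.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get(AUTH_TYPE_HEADER) == "Basic":
        return parse_basic_authorization(lowered.get("authorization", ""))
    user = lowered.get(REMOTE_USER_HEADER)
    return (user, None) if user else None
```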