From 3ed55cf513b6d014abbbdff6f22d60de23babbe1 Mon Sep 17 00:00:00 2001 From: udera Date: Sun, 21 Feb 2016 19:00:40 +0000 Subject: [PATCH 1/4] Use only username to login like it is used for all other authentication (IMAP/SMTP) --- vexim/config/authsite.php | 2 +- vexim/config/header.php | 4 ++-- vexim/config/variables.php.example | 10 --------- vexim/index.php | 32 +++------------------------ vexim/login.php | 35 ++++++++++++++---------------- 5 files changed, 22 insertions(+), 61 deletions(-) diff --git a/vexim/config/authsite.php b/vexim/config/authsite.php index ce17b04c..aa60d00f 100644 --- a/vexim/config/authsite.php +++ b/vexim/config/authsite.php @@ -16,7 +16,7 @@ die(); } - if ($_SESSION['localpart'] != "siteadmin"){ + if ($_SESSION['username'] != "siteadmin"){ header ("Location: index.php?login=failed"); die(); } diff --git a/vexim/config/header.php b/vexim/config/header.php index 772be473..60a8d199 100644 --- a/vexim/config/header.php +++ b/vexim/config/header.php @@ -1,9 +1,9 @@ prepare($headerquery); - $headersuccess = $headerresult->execute(array(':localpart'=>$_SESSION['localpart'], ':domain_id'=>$_SESSION['domain_id'])); + $headersuccess = $headerresult->execute(array(':username'=>$_SESSION['username'], ':domain_id'=>$_SESSION['domain_id'])); if ($headersuccess && $headerrow = $headerresult->fetch()) { if ($headerrow['domain'] === "0") { invalidate_session(); diff --git a/vexim/config/variables.php.example b/vexim/config/variables.php.example index de61453b..0d176d49 100644 --- a/vexim/config/variables.php.example +++ b/vexim/config/variables.php.example @@ -38,16 +38,6 @@ or bcrypt with complexity 2^12 -> $cryptscheme='$2a$12$' */ $cryptscheme = 'sha512'; - /* Choose the type of domain name input for the index page. It should - either be 'static', 'dropdown' or 'textbox'. Static causes the - domain name part of the URL to be used automatically, and the user - cannot change it. Dropdown uses a dropdown style menu with  @  - - query($query); - ?> - '; - } else if ($domaininput == 'textbox') { - print ' (domain name)'; - } else if ($domaininput == 'static') { - print $domain - . ''; - } - ?> - + : + : - + " class="longbutton"> diff --git a/vexim/login.php b/vexim/login.php index 4b36321b..78ace42a 100644 --- a/vexim/login.php +++ b/vexim/login.php @@ -5,35 +5,32 @@ # first check if we have sufficient post variables to achieve a successful login... if not the login fails immediately if (!isset($_POST['crypt']) || $_POST['crypt']==='' - || !isset($_POST['localpart']) || $_POST['localpart']==='' - || !isset($_POST['domain']) + || !isset($_POST['username']) || $_POST['username']==='' ){ header ('Location: index.php?login=failed'); die; } # construct the correct sql statement based on who the user is - if ($_POST['localpart'] === 'siteadmin') { - $query = "SELECT crypt,localpart,user_id,domain,domains.domain_id,users.admin,users.type,domains.enabled AS domainenabled FROM users,domains + if ($_POST['username'] === 'siteadmin') { + $query = "SELECT crypt,localpart,username,user_id,domain,domains.domain_id,users.admin,users.type,domains.enabled AS domainenabled FROM users,domains WHERE localpart='siteadmin' AND domain='admin' AND username='siteadmin' AND users.domain_id = domains.domain_id"; } else if ($AllowUserLogin) { - $query = "SELECT crypt,localpart,user_id,domain,domains.domain_id,users.admin,users.type,domains.enabled AS domainenabled, users.enabled AS userenabled + $query = "SELECT crypt,username,user_id,domain,domains.domain_id,users.admin,users.type,domains.enabled AS domainenabled, users.enabled AS userenabled FROM users,domains - WHERE localpart=:localpart - AND users.domain_id = domains.domain_id - AND domains.domain=:domain;"; + WHERE username=:username + AND users.domain_id = domains.domain_id"; } else { - $query = "SELECT crypt,localpart,user_id,domain,domains.domain_id,users.admin,users.type,domains.enabled AS domainenabled FROM users,domains - WHERE localpart=:localpart + $query = "SELECT crypt,username,user_id,domain,domains.domain_id,users.admin,users.type,domains.enabled AS domainenabled FROM users,domains + WHERE username=:username AND users.domain_id = domains.domain_id - AND domains.domain=:domain AND admin=1;"; } $sth = $dbh->prepare($query); - $success = $sth->execute(array(':localpart'=>$_POST['localpart'], ':domain'=>$_POST['domain'])); + $success = $sth->execute(array(':username'=>$_POST['username'])); if(!$success) { print_r($sth->errorInfo()); die(); @@ -47,16 +44,15 @@ $cryptedpass = crypt_password($_POST['crypt'], $row['crypt']); // Some debugging prints. They help when you don't know why auth is failing. - /* +/* print $query. "
\n";; - print $row['localpart']. "
\n"; - print $_POST['localpart'] . "
\n"; - print $_POST['domain'] . "
\n"; + print $row['username']. "
\n"; + print $_POST['username'] . "
\n"; print "Posted crypt: " .$_POST['crypt'] . "
\n"; print $row['crypt'] . "
\n"; print $cryptscheme . "
\n"; print $cryptedpass . "
\n"; - */ +*/ # if they have the wrong password bail out if ($cryptedpass !== $row['crypt']) { @@ -73,9 +69,9 @@ } # populate session variables from what was retrieved from the database (NOT what they posted) - $_SESSION['localpart'] = $row['localpart']; - $_SESSION['domain'] = $row['domain']; + $_SESSION['username'] = $row['username']; $_SESSION['domain_id'] = $row['domain_id']; + $_SESSION['domain'] = $row['domain']; $_SESSION['crypt'] = $row['crypt']; $_SESSION['user_id'] = $row['user_id']; @@ -88,6 +84,7 @@ header ('Location: site.php'); die(); } + if ($row['admin'] == '1') { header ('Location: admin.php'); die(); From d8ac35585604012723430d8acf603866ee364003 Mon Sep 17 00:00:00 2001 From: udera Date: Mon, 22 Feb 2016 17:57:10 +0000 Subject: [PATCH 2/4] Use a single sql-query to obtain login information --- vexim/login.php | 33 ++++++++++++--------------------- 1 file changed, 12 insertions(+), 21 deletions(-) diff --git a/vexim/login.php b/vexim/login.php index 78ace42a..1c52aa66 100644 --- a/vexim/login.php +++ b/vexim/login.php @@ -11,24 +11,11 @@ die; } - # construct the correct sql statement based on who the user is - if ($_POST['username'] === 'siteadmin') { - $query = "SELECT crypt,localpart,username,user_id,domain,domains.domain_id,users.admin,users.type,domains.enabled AS domainenabled FROM users,domains - WHERE localpart='siteadmin' - AND domain='admin' - AND username='siteadmin' - AND users.domain_id = domains.domain_id"; - } else if ($AllowUserLogin) { - $query = "SELECT crypt,username,user_id,domain,domains.domain_id,users.admin,users.type,domains.enabled AS domainenabled, users.enabled AS userenabled - FROM users,domains - WHERE username=:username - AND users.domain_id = domains.domain_id"; - } else { - $query = "SELECT crypt,username,user_id,domain,domains.domain_id,users.admin,users.type,domains.enabled AS domainenabled FROM users,domains - WHERE username=:username - AND users.domain_id = domains.domain_id - AND admin=1;"; - } + # sql statement based on username + $query = "SELECT crypt,username,user_id,domain,domains.domain_id,users.admin,users.type,domains.enabled AS domainenabled, users.enabled AS userenabled + FROM users,domains + WHERE username=:username + AND users.domain_id = domains.domain_id"; $sth = $dbh->prepare($query); $success = $sth->execute(array(':username'=>$_POST['username'])); if(!$success) { @@ -90,8 +77,12 @@ die(); } - # must be a user, send them to edit their own details - header ('Location: userchange.php'); - + # must be a user, send them to edit their own details, if User-Login is permitted + if($AllowUserLogin===1) { + header ('Location: userchange.php'); + die(); + } else { + header ('Location: index.php?login=failed'); + } ?> From d2faefaaa9184be131ec3c143c7f893ef734ded4 Mon Sep 17 00:00:00 2001 From: udera Date: Mon, 22 Feb 2016 18:11:39 +0000 Subject: [PATCH 3/4] Add option to guess the domain name automatically --- vexim/config/variables.php.example | 5 +++++ vexim/index.php | 6 +++++- vexim/login.php | 2 ++ 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/vexim/config/variables.php.example b/vexim/config/variables.php.example index 0d176d49..5571be70 100644 --- a/vexim/config/variables.php.example +++ b/vexim/config/variables.php.example @@ -38,6 +38,11 @@ or bcrypt with complexity 2^12 -> $cryptscheme='$2a$12$' */ $cryptscheme = 'sha512'; + /* Guess domain name from hostname and allow login based on + local part only. It is off by default, set this value to 1 + in order to enable this function */ + $domainguess = 0; + /* The UID's and GID's control the default UID and GID for new domains and if postmasters can define their own. THE UID AND GID MUST BE NUMERIC! */ diff --git a/vexim/index.php b/vexim/index.php index 048a98f5..6d2b0ae5 100644 --- a/vexim/index.php +++ b/vexim/index.php @@ -15,7 +15,11 @@ - + diff --git a/vexim/login.php b/vexim/login.php index 1c52aa66..d027c5c3 100644 --- a/vexim/login.php +++ b/vexim/login.php @@ -11,6 +11,8 @@ die; } + if($domainguess === 1 && $_POST['username']!=='siteadmin') $_POST['username'].='@'.preg_replace ("/^mail\./", "", $_SERVER["SERVER_NAME"]); + # sql statement based on username $query = "SELECT crypt,username,user_id,domain,domains.domain_id,users.admin,users.type,domains.enabled AS domainenabled, users.enabled AS userenabled FROM users,domains From 076361ad77fe4e2cf31ea3c407ca14e7b2d7ad0c Mon Sep 17 00:00:00 2001 From: udera Date: Wed, 24 Feb 2016 06:31:32 +0000 Subject: [PATCH 4/4] Put table-prefix into db-query and add specific error for disabled user login. --- vexim/config/header.php | 2 ++ vexim/login.php | 6 +++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/vexim/config/header.php b/vexim/config/header.php index 60a8d199..1076ff7c 100644 --- a/vexim/config/header.php +++ b/vexim/config/header.php @@ -100,6 +100,8 @@ printf (_("-- %s is not a valid e-mail address."), $_GET['invalidforward']); } else if (isset($_GET['nodbquery'])) { print _("-- Database query failed, terminating session"); + } else if (isset($_GET['login']) && ($_GET['login'] === "disabled")) { + print _("-- Login is disabled. Please contact your administrator."); } if (isset($_GET['login']) && ($_GET['login'] == "failed")) { print _("Login failed"); } diff --git a/vexim/login.php b/vexim/login.php index d027c5c3..b57d9eac 100644 --- a/vexim/login.php +++ b/vexim/login.php @@ -14,7 +14,8 @@ if($domainguess === 1 && $_POST['username']!=='siteadmin') $_POST['username'].='@'.preg_replace ("/^mail\./", "", $_SERVER["SERVER_NAME"]); # sql statement based on username - $query = "SELECT crypt,username,user_id,domain,domains.domain_id,users.admin,users.type,domains.enabled AS domainenabled, users.enabled AS userenabled + $query = "SELECT users.crypt,users.username,users.user_id,domains.domain,domains.domain_id,users.admin,users.type, + domains.enabled AS domainenabled, users.enabled AS userenabled FROM users,domains WHERE username=:username AND users.domain_id = domains.domain_id"; @@ -83,8 +84,7 @@ if($AllowUserLogin===1) { header ('Location: userchange.php'); die(); - } else { - header ('Location: index.php?login=failed'); } + header ('Location: index.php?login=disabled'); ?>
: + +
: