Fix DEV_MODE bypass to work when SESS_REMOTE_UA not set

Co-authored-by: DerLinkman <62480600+DerLinkman@users.noreply.github.com>

data/Dockerfiles/dovecot/docker-entrypoint.sh

@@ -121,13 +121,7 @@ echo -n 'quota acl zlib mail_crypt mail_crypt_acl mail_log notify fts fts_flatcu
 echo -n 'quota imap_quota imap_acl acl zlib imap_zlib imap_sieve mail_crypt mail_crypt_acl notify mail_log fts fts_flatcurve listescape replication' > /etc/dovecot/mail_plugins_imap
 echo -n 'quota sieve acl zlib mail_crypt mail_crypt_acl fts fts_flatcurve notify listescape replication' > /etc/dovecot/mail_plugins_lmtp
 fi
-
-# Create empty extra plugin files if they don't exist (can be populated via extra.conf or direct file)
-for plugin_file in mail_plugins_extra mail_plugins_imap_extra mail_plugins_lmtp_extra; do
-  [[ ! -f /etc/dovecot/${plugin_file} ]] && touch /etc/dovecot/${plugin_file}
-done
-
-chmod 644 /etc/dovecot/mail_plugins /etc/dovecot/mail_plugins_imap /etc/dovecot/mail_plugins_lmtp /etc/dovecot/mail_plugins_extra /etc/dovecot/mail_plugins_imap_extra /etc/dovecot/mail_plugins_lmtp_extra /templates/quarantine.tpl
+chmod 644 /etc/dovecot/mail_plugins /etc/dovecot/mail_plugins_imap /etc/dovecot/mail_plugins_lmtp /templates/quarantine.tpl
 
 cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-userdb.conf
 # Autogenerated by mailcow

data/conf/dovecot/dovecot.conf

@@ -1,25 +1,6 @@
 # --------------------------------------------------------------------------
 # Please create a file "extra.conf" for persistent overrides to dovecot.conf
 # --------------------------------------------------------------------------
-# To extend mail_plugins, you have two options:
-#
-# Option 1 (Recommended): Use the extra plugin files directly
-#   Create/edit data/conf/dovecot/mail_plugins_extra (for global plugins)
-#   Create/edit data/conf/dovecot/mail_plugins_imap_extra (for IMAP-specific plugins)
-#   Create/edit data/conf/dovecot/mail_plugins_lmtp_extra (for LMTP-specific plugins)
-#   Note: These paths are on the host. Inside the container they are /etc/dovecot/mail_plugins_*
-#   Example to add the virtual plugin for IMAP:
-#     echo -n ' virtual' > data/conf/dovecot/mail_plugins_imap_extra
-#     docker-compose restart dovecot-mailcow
-#
-# Option 2: Override protocol sections in extra.conf
-#   Create data/conf/dovecot/extra.conf with protocol-specific overrides:
-#     protocol imap {
-#       mail_plugins = $mail_plugins virtual
-#     }
-#   Note: This requires redefining the entire protocol block and may override
-#   other settings. Option 1 is simpler and less prone to conflicts.
-# --------------------------------------------------------------------------
 # LDAP example:
 #passdb {
 #  args = /etc/dovecot/ldap/passdb.conf
@@ -40,7 +21,7 @@ disable_plaintext_auth = yes
 login_log_format_elements = "user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k"
 mail_home = /var/vmail/%d/%n
 mail_location = maildir:~/
-mail_plugins = </etc/dovecot/mail_plugins </etc/dovecot/mail_plugins_extra
+mail_plugins = </etc/dovecot/mail_plugins
 mail_attachment_fs = crypt:set_prefix=mail_crypt_global:posix:
 mail_attachment_dir = /var/attachments
 mail_attachment_min_size = 128k
@@ -199,12 +180,12 @@ userdb {
   skip = found
 }
 protocol imap {
-  mail_plugins = </etc/dovecot/mail_plugins_imap </etc/dovecot/mail_plugins_imap_extra
+  mail_plugins = </etc/dovecot/mail_plugins_imap
   imap_metadata = yes
 }
 mail_attribute_dict = file:%h/dovecot-attributes
 protocol lmtp {
-  mail_plugins = </etc/dovecot/mail_plugins_lmtp </etc/dovecot/mail_plugins_lmtp_extra
+  mail_plugins = </etc/dovecot/mail_plugins_lmtp
   auth_socket_path = /var/run/dovecot/auth-master
 }
 protocol sieve {

data/web/inc/functions.inc.php

@@ -3397,6 +3397,8 @@ function set_user_loggedin_session($user) {
   session_regenerate_id(true);
   $_SESSION['mailcow_cc_username'] = $user;
   $_SESSION['mailcow_cc_role'] = 'user';
+  // Update User-Agent after session regeneration to prevent validation errors
+  $_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
   $sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass");
   $_SESSION['sogo-sso-user-allowed'][] = $user;
   $_SESSION['sogo-sso-pass'] = $sogo_sso_pass;

data/web/inc/sessions.inc.php

@@ -43,6 +43,9 @@ if (!isset($_SESSION['SESS_REMOTE_UA'])) {
 if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > $SESSION_LIFETIME)) {
   session_unset();
   session_destroy();
+  session_start();
+  // After destroying session, we need to reset the User-Agent for the new session
+  $_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
 }
 $_SESSION['LAST_ACTIVITY'] = time();
 
@@ -134,6 +137,12 @@ function session_check() {
     return true;
   }
   if (!isset($_SESSION['SESS_REMOTE_UA']) || ($_SESSION['SESS_REMOTE_UA'] != $_SERVER['HTTP_USER_AGENT'])) {
+    // In development mode, allow User-Agent changes (e.g., for responsive testing in dev tools)
+    // Validate UA is not empty and has reasonable length (most UAs are under 200 chars, 500 is safe upper limit)
+    if (isset($GLOBALS['DEV_MODE']) && $GLOBALS['DEV_MODE'] && !empty($_SERVER['HTTP_USER_AGENT']) && strlen($_SERVER['HTTP_USER_AGENT']) < 500) {
+      $_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
+      return true;
+    }
     $_SESSION['return'][] = array(
       'type' => 'warning',
       'msg' => 'session_ua'

data/web/inc/triggers.admin.inc.php

@@ -50,6 +50,8 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
     session_regenerate_id(true);
 		$_SESSION['mailcow_cc_username'] = $login_user;
 		$_SESSION['mailcow_cc_role'] = "admin";
+		// Update User-Agent after session regeneration to prevent validation errors
+		$_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
 		header("Location: /admin/dashboard");
     die();
 	}

data/web/inc/triggers.domainadmin.inc.php

@@ -7,6 +7,8 @@ if (!empty($_GET['sso_token'])) {
     session_regenerate_id(true);
     $_SESSION['mailcow_cc_username'] = $username;
     $_SESSION['mailcow_cc_role'] = 'domainadmin';
+    // Update User-Agent after session regeneration to prevent validation errors
+    $_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
     header('Location: /domainadmin/mailbox');
   }
 }
@@ -61,6 +63,8 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
     session_regenerate_id(true);
 		$_SESSION['mailcow_cc_username'] = $login_user;
 		$_SESSION['mailcow_cc_role'] = "domainadmin";
+		// Update User-Agent after session regeneration to prevent validation errors
+		$_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
 		header("Location: /domainadmin/mailbox");
     die();
 	}