Address code review feedback

- Clarify host vs container paths in documentation
- Use loop for creating extra plugin files to reduce duplication
- Update example to show IMAP-specific plugin addition

Co-authored-by: DerLinkman <62480600+DerLinkman@users.noreply.github.com>

data/Dockerfiles/dovecot/docker-entrypoint.sh

@@ -121,7 +121,13 @@ echo -n 'quota acl zlib mail_crypt mail_crypt_acl mail_log notify fts fts_flatcu
 echo -n 'quota imap_quota imap_acl acl zlib imap_zlib imap_sieve mail_crypt mail_crypt_acl notify mail_log fts fts_flatcurve listescape replication' > /etc/dovecot/mail_plugins_imap
 echo -n 'quota sieve acl zlib mail_crypt mail_crypt_acl fts fts_flatcurve notify listescape replication' > /etc/dovecot/mail_plugins_lmtp
 fi
-chmod 644 /etc/dovecot/mail_plugins /etc/dovecot/mail_plugins_imap /etc/dovecot/mail_plugins_lmtp /templates/quarantine.tpl
+
+# Create empty extra plugin files if they don't exist (can be populated via extra.conf or direct file)
+for plugin_file in mail_plugins_extra mail_plugins_imap_extra mail_plugins_lmtp_extra; do
+  [[ ! -f /etc/dovecot/${plugin_file} ]] && touch /etc/dovecot/${plugin_file}
+done
+
+chmod 644 /etc/dovecot/mail_plugins /etc/dovecot/mail_plugins_imap /etc/dovecot/mail_plugins_lmtp /etc/dovecot/mail_plugins_extra /etc/dovecot/mail_plugins_imap_extra /etc/dovecot/mail_plugins_lmtp_extra /templates/quarantine.tpl
 
 cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-userdb.conf
 # Autogenerated by mailcow

data/conf/dovecot/dovecot.conf

@@ -1,6 +1,25 @@
 # --------------------------------------------------------------------------
 # Please create a file "extra.conf" for persistent overrides to dovecot.conf
 # --------------------------------------------------------------------------
+# To extend mail_plugins, you have two options:
+#
+# Option 1 (Recommended): Use the extra plugin files directly
+#   Create/edit data/conf/dovecot/mail_plugins_extra (for global plugins)
+#   Create/edit data/conf/dovecot/mail_plugins_imap_extra (for IMAP-specific plugins)
+#   Create/edit data/conf/dovecot/mail_plugins_lmtp_extra (for LMTP-specific plugins)
+#   Note: These paths are on the host. Inside the container they are /etc/dovecot/mail_plugins_*
+#   Example to add the virtual plugin for IMAP:
+#     echo -n ' virtual' > data/conf/dovecot/mail_plugins_imap_extra
+#     docker-compose restart dovecot-mailcow
+#
+# Option 2: Override protocol sections in extra.conf
+#   Create data/conf/dovecot/extra.conf with protocol-specific overrides:
+#     protocol imap {
+#       mail_plugins = $mail_plugins virtual
+#     }
+#   Note: This requires redefining the entire protocol block and may override
+#   other settings. Option 1 is simpler and less prone to conflicts.
+# --------------------------------------------------------------------------
 # LDAP example:
 #passdb {
 #  args = /etc/dovecot/ldap/passdb.conf
@@ -21,7 +40,7 @@ disable_plaintext_auth = yes
 login_log_format_elements = "user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k"
 mail_home = /var/vmail/%d/%n
 mail_location = maildir:~/
-mail_plugins = </etc/dovecot/mail_plugins
+mail_plugins = </etc/dovecot/mail_plugins </etc/dovecot/mail_plugins_extra
 mail_attachment_fs = crypt:set_prefix=mail_crypt_global:posix:
 mail_attachment_dir = /var/attachments
 mail_attachment_min_size = 128k
@@ -180,12 +199,12 @@ userdb {
   skip = found
 }
 protocol imap {
-  mail_plugins = </etc/dovecot/mail_plugins_imap
+  mail_plugins = </etc/dovecot/mail_plugins_imap </etc/dovecot/mail_plugins_imap_extra
   imap_metadata = yes
 }
 mail_attribute_dict = file:%h/dovecot-attributes
 protocol lmtp {
-  mail_plugins = </etc/dovecot/mail_plugins_lmtp
+  mail_plugins = </etc/dovecot/mail_plugins_lmtp </etc/dovecot/mail_plugins_lmtp_extra
   auth_socket_path = /var/run/dovecot/auth-master
 }
 protocol sieve {

data/web/inc/functions.inc.php

@@ -3397,8 +3397,6 @@ function set_user_loggedin_session($user) {
   session_regenerate_id(true);
   $_SESSION['mailcow_cc_username'] = $user;
   $_SESSION['mailcow_cc_role'] = 'user';
-  // Update User-Agent after session regeneration to prevent validation errors
-  $_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
   $sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass");
   $_SESSION['sogo-sso-user-allowed'][] = $user;
   $_SESSION['sogo-sso-pass'] = $sogo_sso_pass;

data/web/inc/sessions.inc.php

@@ -43,9 +43,6 @@ if (!isset($_SESSION['SESS_REMOTE_UA'])) {
 if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > $SESSION_LIFETIME)) {
   session_unset();
   session_destroy();
-  session_start();
-  // After destroying session, we need to reset the User-Agent for the new session
-  $_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
 }
 $_SESSION['LAST_ACTIVITY'] = time();
 
@@ -137,12 +134,6 @@ function session_check() {
     return true;
   }
   if (!isset($_SESSION['SESS_REMOTE_UA']) || ($_SESSION['SESS_REMOTE_UA'] != $_SERVER['HTTP_USER_AGENT'])) {
-    // In development mode, allow User-Agent changes (e.g., for responsive testing in dev tools)
-    // Validate UA is not empty and has reasonable length (most UAs are under 200 chars, 500 is safe upper limit)
-    if (isset($GLOBALS['DEV_MODE']) && $GLOBALS['DEV_MODE'] && !empty($_SERVER['HTTP_USER_AGENT']) && strlen($_SERVER['HTTP_USER_AGENT']) < 500) {
-      $_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
-      return true;
-    }
     $_SESSION['return'][] = array(
       'type' => 'warning',
       'msg' => 'session_ua'

data/web/inc/triggers.admin.inc.php

@@ -50,8 +50,6 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
     session_regenerate_id(true);
 		$_SESSION['mailcow_cc_username'] = $login_user;
 		$_SESSION['mailcow_cc_role'] = "admin";
-		// Update User-Agent after session regeneration to prevent validation errors
-		$_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
 		header("Location: /admin/dashboard");
     die();
 	}

data/web/inc/triggers.domainadmin.inc.php

@@ -7,8 +7,6 @@ if (!empty($_GET['sso_token'])) {
     session_regenerate_id(true);
     $_SESSION['mailcow_cc_username'] = $username;
     $_SESSION['mailcow_cc_role'] = 'domainadmin';
-    // Update User-Agent after session regeneration to prevent validation errors
-    $_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
     header('Location: /domainadmin/mailbox');
   }
 }
@@ -63,8 +61,6 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
     session_regenerate_id(true);
 		$_SESSION['mailcow_cc_username'] = $login_user;
 		$_SESSION['mailcow_cc_role'] = "domainadmin";
-		// Update User-Agent after session regeneration to prevent validation errors
-		$_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
 		header("Location: /domainadmin/mailbox");
     die();
 	}