Merge pull request #6905 from Ashitaka57/6646-pbkdf2-sha512-verify-hash

Support for PBKDF2-SHA512 hash algorithm in verify_hash() (FreeIPA compatibility) (issue 6646)

data/web/inc/functions.inc.php

@@ -814,6 +814,32 @@ function verify_hash($hash, $password) {
         $hash = $components[4];
         return hash_equals(hash_pbkdf2('sha1', $password, $salt, $rounds), $hash);
 
+      case "PBKDF2-SHA512":
+        // Handle FreeIPA-style hash: {PBKDF2-SHA512}10000$<base64_salt>$<base64_hash>
+        $components = explode('$', $hash);
+        if (count($components) !== 3) return false;
+
+        // 1st part: iteration count (integer)
+        $iterations = intval($components[0]);
+        if ($iterations <= 0) return false;
+
+        // 2nd part: salt (base64-encoded)
+        $salt = $components[1];
+        // 3rd part: hash (base64-encoded)
+        $stored_hash_b64 = $components[2];
+
+        // Decode salt and hash from base64
+        $salt_bin = base64_decode($salt, true);
+        $hash_bin = base64_decode($stored_hash_b64, true);
+        if ($salt_bin === false || $hash_bin === false) return false;
+        // Get length of hash in bytes
+        $hash_len = strlen($hash_bin);
+        if ($hash_len === 0) return false;
+
+        // Calculate PBKDF2-SHA512 hash for provided password
+        $test_hash = hash_pbkdf2('sha512', $password, $salt_bin, $iterations, $hash_len, true);
+        return hash_equals($hash_bin, $test_hash);
+
       case "PLAIN-MD4":
         return hash_equals(hash('md4', $password), $hash);
 

data/web/inc/functions.mailbox.inc.php

@@ -842,11 +842,11 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               );
               continue;
             }
-            if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain)) {
-              $_SESSION['return'][] = array(
-                'type' => 'danger',
-                'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
-                'msg' => 'access_denied'
+            if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain)) {
+              $_SESSION['return'][] = array(
+                'type' => 'danger',
+                'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+                'msg' => 'access_denied'
               );
               continue;
             }
@@ -2732,11 +2732,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
                 $gal                  = (isset($_data['gal'])) ? intval($_data['gal']) : $is_now['gal'];
                 $description          = (!empty($_data['description']) && isset($_SESSION['acl']['domain_desc']) && $_SESSION['acl']['domain_desc'] == "1") ? $_data['description'] : $is_now['description'];
                 (int)$relayhost       = (isset($_data['relayhost']) && isset($_SESSION['acl']['domain_relayhost']) && $_SESSION['acl']['domain_relayhost'] == "1") ? intval($_data['relayhost']) : intval($is_now['relayhost']);
-                $tags_raw             = isset($_data['tags']) ? $_data['tags'] : array();
-                $tags                 = is_array($tags_raw) ? $tags_raw : json_decode($tags_raw, true);
-                if (!is_array($tags)) {
-                  $tags = array();
-                }
+                $tags                 = (is_array($_data['tags']) ? $_data['tags'] : array());
               }
               else {
                 $_SESSION['return'][] = array(
@@ -2757,11 +2753,11 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
                 ':domain' => $domain
               ));
               // save tags
-              foreach($tags as $index => $tag){
-                if (empty($tag)) continue;
-                if ($index > $GLOBALS['TAGGING_LIMIT']) {
-                  $_SESSION['return'][] = array(
-                    'type' => 'warning',
+              foreach($tags as $index => $tag){
+                if (empty($tag)) continue;
+                if ($index > $GLOBALS['TAGGING_LIMIT']) {
+                  $_SESSION['return'][] = array(
+                    'type' => 'warning',
                     'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
                     'msg' => array('tag_limit_exceeded', 'limit '.$GLOBALS['TAGGING_LIMIT'])
                   );
@@ -2773,8 +2769,6 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
                   ':tag_name' => $tag,
                 ));
               }
-              $stmt = $pdo->prepare("UPDATE `domain` SET `modified` = NOW() WHERE `domain` = :domain");
-              $stmt->execute(array(':domain' => $domain));
 
               $_SESSION['return'][] = array(
                 'type' => 'success',
@@ -2797,11 +2791,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
                 $maxquota             = (!empty($_data['maxquota'])) ? $_data['maxquota'] : ($is_now['max_quota_for_mbox'] / 1048576);
                 $quota                = (!empty($_data['quota'])) ? $_data['quota'] : ($is_now['max_quota_for_domain'] / 1048576);
                 $description          = (!empty($_data['description'])) ? $_data['description'] : $is_now['description'];
-                $tags_raw             = isset($_data['tags']) ? $_data['tags'] : array();
-                $tags                 = is_array($tags_raw) ? $tags_raw : json_decode($tags_raw, true);
-                if (!is_array($tags)) {
-                  $tags = array();
-                }
+                $tags                 = (is_array($_data['tags']) ? $_data['tags'] : array());
                 if ($relay_all_recipients == '1') {
                   $backupmx = '1';
                 }
@@ -2941,19 +2931,17 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
                   );
                   break;
                 }
-                $stmt = $pdo->prepare("INSERT INTO `tags_domain` (`domain`, `tag_name`) VALUES (:domain, :tag_name)");
-                $stmt->execute(array(
-                  ':domain' => $domain,
-                  ':tag_name' => $tag,
-                ));
-              }
-              $stmt = $pdo->prepare("UPDATE `domain` SET `modified` = NOW() WHERE `domain` = :domain");
-              $stmt->execute(array(':domain' => $domain));
-
-              $_SESSION['return'][] = array(
-                'type' => 'success',
-                'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
-                'msg' => array('domain_modified', htmlspecialchars($domain))
+                $stmt = $pdo->prepare("INSERT INTO `tags_domain` (`domain`, `tag_name`) VALUES (:domain, :tag_name)");
+                $stmt->execute(array(
+                  ':domain' => $domain,
+                  ':tag_name' => $tag,
+                ));
+              }
+
+              $_SESSION['return'][] = array(
+                'type' => 'success',
+                'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+                'msg' => array('domain_modified', htmlspecialchars($domain))
               );
             }
           }
@@ -6120,15 +6108,14 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           else {
             $domains = $_data['domain'];
           }
-          $tags_raw = isset($_data['tags']) ? $_data['tags'] : array();
-          $tags = is_array($tags_raw) ? $tags_raw : json_decode($tags_raw, true);
+          $tags = $_data['tags'];
           if (!is_array($tags)) $tags = array();
 
-          $modifiedDomains = array();
-          $wasModified = false;
-          foreach ($domains as $domain) {
-            if (!is_valid_domain_name($domain)) {
-              $_SESSION['return'][] = array(
+
+          $wasModified = false;
+          foreach ($domains as $domain) {
+            if (!is_valid_domain_name($domain)) {
+              $_SESSION['return'][] = array(
                 'type' => 'danger',
                 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
                 'msg' => 'domain_invalid'
@@ -6141,44 +6128,27 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
                 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
                 'msg' => 'access_denied'
               );
-              return false;
+              return false;
             }
 
-            $domainModified = false;
-            foreach($tags as $tag){
-              // delete tag
-              $domainModified = true;
-              $wasModified = true;
-              $stmt = $pdo->prepare("DELETE FROM `tags_domain` WHERE `domain` = :domain AND `tag_name` = :tag_name");
-              $stmt->execute(array(
-                ':domain' => $domain,
-                ':tag_name' => $tag,
-              ));
-            }
-            if ($domainModified) {
-              $modifiedDomains[] = $domain;
-            }
-          }
-
-          if (!$wasModified) return false;
-          if (!empty($modifiedDomains)) {
-            $placeholders = array();
-            $params = array();
-            foreach ($modifiedDomains as $idx => $modifiedDomain) {
-              $placeholders[] = ":domain".$idx;
-              $params[":domain".$idx] = $modifiedDomain;
-            }
-            $stmt = $pdo->prepare("UPDATE `domain` SET `modified` = NOW() WHERE `domain` IN (".implode(',', $placeholders).")");
-            $stmt->execute($params);
-            $modifiedDomains = array_map('htmlspecialchars', $modifiedDomains);
-          }
-          $modifiedDomains = (empty($modifiedDomains)) ? array('-') : $modifiedDomains;
-          $_SESSION['return'][] = array(
-            'type' => 'success',
-            'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
-            'msg' => array('domain_modified', implode(', ', $modifiedDomains))
-          );
-        break;
+            foreach($tags as $tag){
+              // delete tag
+              $wasModified = true;
+              $stmt = $pdo->prepare("DELETE FROM `tags_domain` WHERE `domain` = :domain AND `tag_name` = :tag_name");
+              $stmt->execute(array(
+                ':domain' => $domain,
+                ':tag_name' => $tag,
+              ));
+            }
+          }
+
+          if (!$wasModified) return false;
+          $_SESSION['return'][] = array(
+            'type' => 'success',
+            'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+            'msg' => array('domain_modified', $domain)
+          );
+        break;
         case 'tags_mailbox':
           if (!is_array($_data['username'])) {
             $usernames = array();

data/web/templates/base.twig

@@ -144,7 +144,7 @@
 
 <form action="/" method="post" id="logout"><input type="hidden" name="logout"></form>
 
-{% if ui_texts.ui_announcement_text and ui_texts.ui_announcement_active and not is_root_uri %}
+{% if ui_texts.ui_announcement_text and ui_texts.ui_announcement_active and not is_root_uri and mailcow_cc_username %}
 <div class="container mt-4">
   <div class="alert alert-{{ ui_texts.ui_announcement_type }}">{{ ui_texts.ui_announcement_text }}</div>
 </div>

docker-compose.yml

@@ -321,7 +321,7 @@ services:
         ofelia.job-exec.dovecot_clean_q_aged.command: "/bin/bash -c \"[[ $${MASTER} == y ]] && /usr/local/bin/gosu vmail /usr/local/bin/clean_q_aged.sh || exit 0\""
         ofelia.job-exec.dovecot_maildir_gc.schedule: "0 */30 * * * *"
         ofelia.job-exec.dovecot_maildir_gc.command: "/bin/bash -c \"source /source_env.sh ; /usr/local/bin/gosu vmail /usr/local/bin/maildir_gc.sh\""
-        ofelia.job-exec.dovecot_sarules.schedule: "0 0 0 * * *"
+        ofelia.job-exec.dovecot_sarules.schedule: "@every 24h"
         ofelia.job-exec.dovecot_sarules.command: "/bin/bash -c \"/usr/local/bin/sa-rules.sh\""
         ofelia.job-exec.dovecot_fts.schedule: "0 0 0 * * *"
         ofelia.job-exec.dovecot_fts.command: "/bin/bash -c \"/usr/local/bin/gosu vmail /usr/local/bin/optimize-fts.sh\""

helper-scripts/backup_and_restore.sh

@@ -91,6 +91,44 @@ if grep --help 2>&1 | head -n 1 | grep -q -i "busybox"; then
   exit 1
 fi
 
+# Add image prefetch function
+function prefetch_image() {
+  echo "Checking Docker image: ${DEBIAN_DOCKER_IMAGE}"
+  
+  # Get local image digest if it exists
+  local local_digest=$(docker image inspect ${DEBIAN_DOCKER_IMAGE} --format='{{index .RepoDigests 0}}' 2>/dev/null | cut -d'@' -f2)
+  
+  # Get remote image digest without pulling
+  local remote_digest=$(docker manifest inspect ${DEBIAN_DOCKER_IMAGE} 2>/dev/null | grep -oP '"digest":\s*"\K[^"]+' | head -1)
+  
+  if [[ -z "${remote_digest}" ]]; then
+    echo "Warning: Unable to check remote image"
+    if [[ -n "${local_digest}" ]]; then
+      echo "Using cached version"
+      echo
+      return 0
+    else
+      echo "Error: Image ${DEBIAN_DOCKER_IMAGE} not found locally or remotely"
+      exit 1
+    fi
+  fi
+  
+  if [[ "${local_digest}" != "${remote_digest}" ]]; then
+    echo "Image update available, pulling ${DEBIAN_DOCKER_IMAGE}"
+    if docker pull ${DEBIAN_DOCKER_IMAGE} 2>/dev/null; then
+      echo "Successfully pulled ${DEBIAN_DOCKER_IMAGE}"
+    else
+      echo "Error: Failed to pull ${DEBIAN_DOCKER_IMAGE}"
+      exit 1
+    fi
+  else
+    echo "Image is up to date (${remote_digest:0:12}...)"
+  fi
+  echo
+}
+
+# Prefetch the image early in the script
+prefetch_image
 
 function backup() {
   DATE=$(date +"%Y-%m-%d-%H-%M-%S")