[Web] Allow force_tfa for LDAP and Keycloak users

[ACME] Skip autodiscover/mta-sts subdomains covered by wildcard certificates

data/Dockerfiles/acme/acme.sh

@@ -323,11 +323,9 @@ while true; do
 
   # Check if MAILCOW_HOSTNAME is covered by a wildcard in ADDITIONAL_SAN
   MAILCOW_HOSTNAME_COVERED=0
-  if [[ ! -z ${VALIDATED_MAILCOW_HOSTNAME} && ! -z ${ADDITIONAL_SAN} ]]; then
-    # Extract parent domain from MAILCOW_HOSTNAME (e.g., mail.example.com -> example.com)
-    MAILCOW_PARENT_DOMAIN=$(echo ${VALIDATED_MAILCOW_HOSTNAME} | cut -d. -f2-)
-    # Check if ADDITIONAL_SAN contains a wildcard for this parent domain
-    if [[ "${ADDITIONAL_SAN}" == *"*.${MAILCOW_PARENT_DOMAIN}"* ]]; then
+  if [[ ! -z ${VALIDATED_MAILCOW_HOSTNAME} ]]; then
+    if is_covered_by_wildcard "${VALIDATED_MAILCOW_HOSTNAME}"; then
+      MAILCOW_PARENT_DOMAIN=$(echo ${VALIDATED_MAILCOW_HOSTNAME} | cut -d. -f2-)
       log_f "MAILCOW_HOSTNAME '${VALIDATED_MAILCOW_HOSTNAME}' is covered by wildcard '*.${MAILCOW_PARENT_DOMAIN}' - skipping explicit hostname"
       MAILCOW_HOSTNAME_COVERED=1
     fi

data/Dockerfiles/acme/functions.sh

@@ -136,12 +136,19 @@ verify_challenge_path(){
   fi
 }
 
-# Check if a domain is covered by a wildcard in ADDITIONAL_SAN
+# Check if a domain is covered by a wildcard (*.example.com) in ADDITIONAL_SAN
 # Usage: is_covered_by_wildcard "subdomain.example.com"
 # Returns: 0 if covered, 1 if not covered
+# Note: Only returns 0 (covered) when DNS-01 challenge is enabled,
+#       as wildcards cannot be validated with HTTP-01 challenge
 is_covered_by_wildcard() {
   local DOMAIN=$1
 
+  # Only skip if DNS challenge is enabled (wildcards require DNS-01)
+  if [[ ${ACME_DNS_CHALLENGE} != "y" ]]; then
+    return 1
+  fi
+
   # Return early if no ADDITIONAL_SAN is set
   if [[ -z ${ADDITIONAL_SAN} ]]; then
     return 1

data/web/inc/functions.mailbox.inc.php

@@ -1115,6 +1115,8 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           $attribute_hash = (!empty($_data['attribute_hash'])) ? $_data['attribute_hash'] : '';
           if (in_array($authsource, array('keycloak', 'generic-oidc', 'ldap'))){
             $force_pw_update = 0;
+          }
+          if ($authsource == 'generic-oidc'){
             $force_tfa = 0;
           }
           $mailbox_attrs = json_encode(
@@ -3126,6 +3128,8 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               }
               if (in_array($authsource, array('keycloak', 'generic-oidc', 'ldap'))){
                 $force_pw_update = 0;
+              }
+              if ($authsource == 'generic-oidc'){
                 $force_tfa = 0;
               }
               $pw_recovery_email    = (isset($_data['pw_recovery_email']) && $authsource == 'mailcow') ? $_data['pw_recovery_email'] : $is_now['attributes']['recovery_email'];