&$value) { if ($data == 'csrf_token') { continue; } $value = json_decode($value, true); if ($value) { if (is_array($value)) unset($value["csrf_token"]); foreach ($value as $key => &$val) { if(preg_match("/pass/i", $key)) { $val = '*'; } } $value = json_encode($value); } $data_var[] = $data . "='" . $value . "'"; } try { $log_line = array( 'time' => time(), 'uri' => $_SERVER['REQUEST_URI'], 'method' => $_SERVER['REQUEST_METHOD'], 'remote' => get_remote_ip(), 'data' => implode(', ', $data_var) ); $redis->lPush('API_LOG', json_encode($log_line)); } catch (RedisException $e) { $_SESSION['return'][] = array( 'type' => 'danger', 'msg' => 'Redis: '.$e ); return false; } } if (isset($_GET['query'])) { $query = explode('/', $_GET['query']); $action = (isset($query[0])) ? $query[0] : null; $category = (isset($query[1])) ? $query[1] : null; $object = (isset($query[2])) ? $query[2] : null; $extra = (isset($query[3])) ? $query[3] : null; // accept json in request body if(strpos($_SERVER['HTTP_CONTENT_TYPE'], 'application/json') !== false) { $request = file_get_contents('php://input'); $requestDecoded = json_decode($request, true); // check for valid json if ($action != 'get' && $requestDecoded === null) { http_response_code(400); echo json_encode(array( 'type' => 'error', 'msg' => 'Request body doesn\'t contain valid json!' )); exit; } // add if ($action == 'add') { $_POST['attr'] = $request; } // edit if ($action == 'edit') { $_POST['attr'] = json_encode($requestDecoded['attr']); $_POST['items'] = json_encode($requestDecoded['items']); } // delete if ($action == 'delete') { $_POST['items'] = $request; } } api_log($_POST); $request_incomplete = json_encode(array( 'type' => 'error', 'msg' => 'Cannot find attributes in post data' )); switch ($action) { case "add": if ($_SESSION['mailcow_cc_api_access'] == 'ro' || isset($_SESSION['pending_mailcow_cc_username'])) { http_response_code(403); echo json_encode(array( 'type' => 'error', 'msg' => 'API read/write access denied' )); exit(); } function process_add_return($return) { $generic_failure = json_encode(array( 'type' => 'error', 'msg' => 'Cannot add item' )); $generic_success = json_encode(array( 'type' => 'success', 'msg' => 'Task completed' )); if ($return === false) { echo isset($_SESSION['return']) ? json_encode($_SESSION['return']) : $generic_failure; } else { echo isset($_SESSION['return']) ? json_encode($_SESSION['return']) : $generic_success; } } if (!isset($_POST['attr']) && $category != "fido2-registration" && $category != "webauthn-tfa-registration") { echo $request_incomplete; exit; } else { if ($category != "fido2-registration" && $category != "webauthn-tfa-registration") { $attr = (array)json_decode($_POST['attr'], true); } unset($attr['csrf_token']); } // only allow POST requests to POST API endpoints if ($_SERVER['REQUEST_METHOD'] != 'POST') { http_response_code(405); echo json_encode(array( 'type' => 'error', 'msg' => 'only POST method is allowed' )); exit(); } switch ($category) { // fido2-registration via POST case "fido2-registration": header('Content-Type: application/json'); if (isset($_SESSION["mailcow_cc_role"])) { $post = trim(file_get_contents('php://input')); if ($post) { $post = json_decode($post); } $clientDataJSON = base64_decode($post->clientDataJSON); $attestationObject = base64_decode($post->attestationObject); $challenge = $_SESSION['challenge']; try { $data = $WebAuthn->processCreate($clientDataJSON, $attestationObject, $challenge, $GLOBALS['FIDO2_UV_FLAG_REGISTER'], $GLOBALS['FIDO2_USER_PRESENT_FLAG']); } catch (Throwable $ex) { $return = new stdClass(); $return->success = false; $return->msg = $ex->getMessage(); echo json_encode($return); exit; } fido2(array("action" => "register", "registration" => $data)); $return = new stdClass(); $return->success = true; echo json_encode($return); exit; } else { echo $request_incomplete; exit; } break; case "webauthn-tfa-registration": if (isset($_SESSION["mailcow_cc_role"])) { // parse post data $post = trim(file_get_contents('php://input')); if ($post) $post = json_decode($post); // process registration data from authenticator try { // decode base64 strings $clientDataJSON = base64_decode($post->clientDataJSON); $attestationObject = base64_decode($post->attestationObject); // processCreate($clientDataJSON, $attestationObject, $challenge, $requireUserVerification=false, $requireUserPresent=true, $failIfRootMismatch=true) $data = $WebAuthn->processCreate($clientDataJSON, $attestationObject, $_SESSION['challenge'], false, true); // safe authenticator in mysql `tfa` table $_data['tfa_method'] = $post->tfa_method; $_data['key_id'] = $post->key_id; $_data['confirm_password'] = $post->confirm_password; $_data['registration'] = $data; set_tfa($_data); } catch (Throwable $ex) { // err $return = new stdClass(); $return->success = false; $return->msg = $ex->getMessage(); echo json_encode($return); exit; } // send response $return = new stdClass(); $return->success = true; echo json_encode($return); exit; } else { // err - request incomplete echo $request_incomplete; exit; } break; case "time_limited_alias": process_add_return(mailbox('add', 'time_limited_alias', $attr)); break; case "relayhost": process_add_return(relayhost('add', $attr)); break; case "transport": process_add_return(transport('add', $attr)); break; case "rsetting": process_add_return(rsettings('add', $attr)); break; case "mailbox": switch ($object) { case "template": process_add_return(mailbox('add', 'mailbox_templates', $attr)); break; default: process_add_return(mailbox('add', 'mailbox', $attr)); break; } break; case "oauth2-client": process_add_return(oauth2('add', 'client', $attr)); break; case "domain": switch ($object) { case "template": process_add_return(mailbox('add', 'domain_templates', $attr)); break; default: process_add_return(mailbox('add', 'domain', $attr)); break; } break; case "resource": process_add_return(mailbox('add', 'resource', $attr)); break; case "alias": process_add_return(mailbox('add', 'alias', $attr)); break; case "filter": process_add_return(mailbox('add', 'filter', $attr)); break; case "global-filter": process_add_return(mailbox('add', 'global_filter', $attr)); break; case "domain-policy": process_add_return(policy('add', 'domain', $attr)); break; case "mailbox-policy": process_add_return(policy('add', 'mailbox', $attr)); break; case "alias-domain": process_add_return(mailbox('add', 'alias_domain', $attr)); break; case "fwdhost": process_add_return(fwdhost('add', $attr)); break; case "dkim": process_add_return(dkim('add', $attr)); break; case "dkim_duplicate": process_add_return(dkim('duplicate', $attr)); break; case "dkim_import": process_add_return(dkim('import', $attr)); break; case "domain-admin": process_add_return(domain_admin('add', $attr)); break; case "sso": switch ($object) { case "domain-admin": $data = domain_admin_sso('issue', $attr); if($data) { echo json_encode($data); exit(0); } process_add_return($data); break; } break; case "admin": process_add_return(admin('add', $attr)); break; case "syncjob": process_add_return(mailbox('add', 'syncjob', $attr)); break; case "bcc": process_add_return(bcc('add', $attr)); break; case "recipient_map": process_add_return(recipient_map('add', $attr)); break; case "tls-policy-map": process_add_return(tls_policy_maps('add', $attr)); break; case "app-passwd": process_add_return(app_passwd('add', $attr)); break; // return no route found if no case is matched default: http_response_code(404); echo json_encode(array( 'type' => 'error', 'msg' => 'route not found' )); exit(); } break; case "process": // only allow POST requests to process API endpoints if ($_SERVER['REQUEST_METHOD'] != 'POST') { http_response_code(405); echo json_encode(array( 'type' => 'error', 'msg' => 'only POST method is allowed' )); exit(); } switch ($category) { case "fido2-args": header('Content-Type: application/json'); $post = trim(file_get_contents('php://input')); if ($post) { $post = json_decode($post); } $clientDataJSON = base64_decode($post->clientDataJSON); $authenticatorData = base64_decode($post->authenticatorData); $signature = base64_decode($post->signature); $id = base64_decode($post->id); $challenge = $_SESSION['challenge']; $process_fido2 = fido2(array("action" => "get_by_b64cid", "cid" => $post->id)); if ($process_fido2['pub_key'] === false) { $return = new stdClass(); $return->success = false; echo json_encode($return); exit; } try { $WebAuthn->processGet($clientDataJSON, $authenticatorData, $signature, $process_fido2['pub_key'], $challenge, null, $GLOBALS['FIDO2_UV_FLAG_LOGIN'], $GLOBALS['FIDO2_USER_PRESENT_FLAG']); } catch (Throwable $ex) { unset($process_fido2); $return = new stdClass(); $return->success = false; echo json_encode($return); exit; } $return = new stdClass(); $return->success = true; $stmt = $pdo->prepare("SELECT `superadmin` FROM `admin` WHERE `username` = :username"); $stmt->execute(array(':username' => $process_fido2['username'])); $obj_props = $stmt->fetch(PDO::FETCH_ASSOC); if ($obj_props['superadmin'] === 1) { $_SESSION["mailcow_cc_role"] = "admin"; } elseif ($obj_props['superadmin'] === 0) { $_SESSION["mailcow_cc_role"] = "domainadmin"; } else { $stmt = $pdo->prepare("SELECT `username` FROM `mailbox` WHERE `username` = :username"); $stmt->execute(array(':username' => $process_fido2['username'])); $row = $stmt->fetch(PDO::FETCH_ASSOC); if ($row['username'] == $process_fido2['username']) { $_SESSION["mailcow_cc_role"] = "user"; } } if (empty($_SESSION["mailcow_cc_role"])) { session_unset(); session_destroy(); exit; } $_SESSION["mailcow_cc_username"] = $process_fido2['username']; $_SESSION["fido2_cid"] = $process_fido2['cid']; unset($_SESSION["challenge"]); $_SESSION['return'][] = array( 'type' => 'success', 'log' => array("fido2_login"), 'msg' => array('logged_in_as', $process_fido2['username']) ); echo json_encode($return); break; } break; case "get": function process_get_return($data, $object = true) { if ($object === true) { $ret_str = '{}'; } else { $ret_str = '[]'; } echo (!isset($data) || empty($data)) ? $ret_str : json_encode($data, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT); } // only allow GET requests to GET API endpoints if ($_SERVER['REQUEST_METHOD'] != 'GET') { http_response_code(405); echo json_encode(array( 'type' => 'error', 'msg' => 'only GET method is allowed' )); exit(); } switch ($category) { // fido2 case "fido2-registration": header('Content-Type: application/json'); if (isset($_SESSION["mailcow_cc_role"])) { // Exclude existing CredentialIds, if any $excludeCredentialIds = fido2(array("action" => "get_user_cids")); $createArgs = $WebAuthn->getCreateArgs($_SESSION["mailcow_cc_username"], $_SESSION["mailcow_cc_username"], $_SESSION["mailcow_cc_username"], 30, true, $GLOBALS['FIDO2_UV_FLAG_REGISTER'], null, $excludeCredentialIds); print(json_encode($createArgs)); $_SESSION['challenge'] = $WebAuthn->getChallenge(); return; } else { return; } break; case "fido2-get-args": header('Content-Type: application/json'); // Login without username, no ids! // $ids = fido2(array("action" => "get_all_cids")); // if (count($ids) == 0) { // return; // } $ids = NULL; $getArgs = $WebAuthn->getGetArgs($ids, 30, false, false, false, false, $GLOBALS['FIDO2_UV_FLAG_LOGIN']); print(json_encode($getArgs)); $_SESSION['challenge'] = $WebAuthn->getChallenge(); return; break; // webauthn two factor authentication case "webauthn-tfa-registration": if (isset($_SESSION["mailcow_cc_role"])) { // Exclude existing CredentialIds, if any $stmt = $pdo->prepare("SELECT `keyHandle` FROM `tfa` WHERE username = :username AND authmech = :authmech"); $stmt->execute(array( ':username' => $_SESSION['mailcow_cc_username'], ':authmech' => 'webauthn' )); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); while($row = array_shift($rows)) { $excludeCredentialIds[] = base64_decode($row['keyHandle']); } // getCreateArgs($userId, $userName, $userDisplayName, $timeout=20, $requireResidentKey=false, $requireUserVerification=false, $crossPlatformAttachment=null, $excludeCredentialIds=array()) // cross-platform: true, if type internal is not allowed // false, if only internal is allowed // null, if internal and cross-platform is allowed $createArgs = $WebAuthn->getCreateArgs($_SESSION["mailcow_cc_username"], $_SESSION["mailcow_cc_username"], $_SESSION["mailcow_cc_username"], 30, false, $GLOBALS['WEBAUTHN_UV_FLAG_REGISTER'], null, $excludeCredentialIds); print(json_encode($createArgs)); $_SESSION['challenge'] = $WebAuthn->getChallenge(); return; } else { return; } break; case "webauthn-tfa-get-args": $stmt = $pdo->prepare("SELECT `keyHandle` FROM `tfa` WHERE username = :username AND authmech = :authmech"); $stmt->execute(array( ':username' => $_SESSION['pending_mailcow_cc_username'], ':authmech' => 'webauthn' )); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); if (count($rows) == 0) { print(json_encode(array( 'type' => 'error', 'msg' => 'Cannot find matching credentialIds' ))); exit; } while($row = array_shift($rows)) { $cids[] = base64_decode($row['keyHandle']); } $getArgs = $WebAuthn->getGetArgs($cids, 30, false, false, false, false, $GLOBALS['WEBAUTHN_UV_FLAG_LOGIN']); $getArgs->publicKey->extensions = array('appid' => "https://".$getArgs->publicKey->rpId); print(json_encode($getArgs)); $_SESSION['challenge'] = $WebAuthn->getChallenge(); return; break; } if (isset($_SESSION['mailcow_cc_role'])) { switch ($category) { case "rspamd": switch ($object) { case "actions": $data = rspamd_actions(); if ($data) { echo json_encode($data, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT); } else { echo '{}'; } break; } break; case "domain": switch ($object) { case "all": $tags = null; if (isset($_GET['tags']) && $_GET['tags'] != '') $tags = explode(',', $_GET['tags']); $domains = mailbox('get', 'domains', null, $tags); if (!empty($domains)) { foreach ($domains as $domain) { if ($details = mailbox('get', 'domain_details', $domain)) { $data[] = $details; } else { continue; } } process_get_return($data); } else { echo '{}'; } break; case "template": switch ($extra){ case "all": process_get_return(mailbox('get', 'domain_templates')); break; default: process_get_return(mailbox('get', 'domain_templates', $extra)); break; } break; default: $data = mailbox('get', 'domain_details', $object); process_get_return($data); break; } break; case "passwordpolicy": switch ($object) { case "html": $password_complexity_rules = password_complexity('html'); if ($password_complexity_rules !== false) { process_get_return($password_complexity_rules); } else { echo '{}'; } break; default: $password_complexity_rules = password_complexity('get'); if ($password_complexity_rules !== false) { process_get_return($password_complexity_rules); } else { echo '{}'; } break; } break; case "app-passwd": switch ($object) { case "all": if (empty($extra)) { $app_passwds = app_passwd('get'); } else { $app_passwds = app_passwd('get', array('username' => $extra)); } if (!empty($app_passwds)) { foreach ($app_passwds as $app_passwd) { $details = app_passwd('details', $app_passwd['id']); if ($details !== false) { $data[] = $details; } else { continue; } } process_get_return($data); } else { echo '{}'; } break; default: $data = app_passwd('details', array('id' => $object['id'])); process_get_return($data); break; } break; case "mailq": switch ($object) { case "all": $mailq = mailq('get'); if (!empty($mailq)) { echo $mailq; } else { echo '[]'; } break; } break; case "postcat": switch ($object) { default: $data = mailq('cat', array('qid' => $object)); echo $data; break; } break; case "global_filters": $global_filters = mailbox('get', 'global_filter_details'); switch ($object) { case "all": if (!empty($global_filters)) { process_get_return($global_filters); } else { echo '{}'; } break; case "prefilter": if (!empty($global_filters['prefilter'])) { process_get_return($global_filters['prefilter']); } else { echo '{}'; } break; case "postfilter": if (!empty($global_filters['postfilter'])) { process_get_return($global_filters['postfilter']); } else { echo '{}'; } break; } break; case "rl-domain": switch ($object) { case "all": $domains = array_merge(mailbox('get', 'domains'), mailbox('get', 'alias_domains')); if (!empty($domains)) { foreach ($domains as $domain) { if ($details = ratelimit('get', 'domain', $domain)) { $details['domain'] = $domain; $data[] = $details; } else { continue; } } process_get_return($data); } else { echo '{}'; } break; default: $data = ratelimit('get', 'domain', $object); process_get_return($data); break; } break; case "rl-mbox": switch ($object) { case "all": $domains = mailbox('get', 'domains'); if (!empty($domains)) { foreach ($domains as $domain) { $mailboxes = mailbox('get', 'mailboxes', $domain); if (!empty($mailboxes)) { foreach ($mailboxes as $mailbox) { if ($details = ratelimit('get', 'mailbox', $mailbox)) { $details['mailbox'] = $mailbox; $data[] = $details; } else { continue; } } } } process_get_return($data); } else { echo '{}'; } break; default: $data = ratelimit('get', 'mailbox', $object); process_get_return($data); break; } break; case "relayhost": switch ($object) { case "all": $relayhosts = relayhost('get'); if (!empty($relayhosts)) { foreach ($relayhosts as $relayhost) { if ($details = relayhost('details', $relayhost['id'])) { $data[] = $details; } else { continue; } } process_get_return($data); } else { echo '{}'; } break; default: $data = relayhost('details', $object); process_get_return($data); break; } break; case "last-login": if ($object) { // extra == days if (isset($extra) && intval($extra) >= 1) { $data = last_login('get', $object, intval($extra)); } else { $data = last_login('get', $object); } process_get_return($data); } break; // Todo: move to delete case "reset-last-login": if ($object) { $data = last_login('reset', $object); process_get_return($data); } break; case "transport": switch ($object) { case "all": $transports = transport('get'); if (!empty($transports)) { foreach ($transports as $transport) { if ($details = transport('details', $transport['id'])) { $data[] = $details; } else { continue; } } process_get_return($data); } else { echo '{}'; } break; default: $data = transport('details', $object); process_get_return($data); break; } break; case "rsetting": switch ($object) { case "all": $rsettings = rsettings('get'); if (!empty($rsettings)) { foreach ($rsettings as $rsetting) { if ($details = rsettings('details', $rsetting['id'])) { $data[] = $details; } else { continue; } } process_get_return($data); } else { echo '{}'; } break; default: $data = rsettings('details', $object); process_get_return($data); break; } break; case "oauth2-client": switch ($object) { case "all": $clients = oauth2('get', 'clients'); if (!empty($clients)) { foreach ($clients as $client) { if ($details = oauth2('details', 'client', $client)) { $data[] = $details; } else { continue; } } process_get_return($data); } else { echo '{}'; } break; default: $data = oauth2('details', 'client', $object); process_get_return($data); break; } break; case "logs": switch ($object) { case "dovecot": // 0 is first record, so empty is fine if (isset($extra)) { $extra = preg_replace('/[^\d\-]/i', '', $extra); $logs = get_logs('dovecot-mailcow', $extra); } else { $logs = get_logs('dovecot-mailcow'); } echo (isset($logs) && !empty($logs)) ? json_encode($logs, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT) : '{}'; break; case "ratelimited": // 0 is first record, so empty is fine if (isset($extra)) { $extra = preg_replace('/[^\d\-]/i', '', $extra); $logs = get_logs('ratelimited', $extra); } else { $logs = get_logs('ratelimited'); } echo (isset($logs) && !empty($logs)) ? json_encode($logs, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT) : '{}'; break; case "netfilter": // 0 is first record, so empty is fine if (isset($extra)) { $extra = preg_replace('/[^\d\-]/i', '', $extra); $logs = get_logs('netfilter-mailcow', $extra); } else { $logs = get_logs('netfilter-mailcow'); } echo (isset($logs) && !empty($logs)) ? json_encode($logs, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT) : '{}'; break; case "postfix": // 0 is first record, so empty is fine if (isset($extra)) { $extra = preg_replace('/[^\d\-]/i', '', $extra); $logs = get_logs('postfix-mailcow', $extra); } else { $logs = get_logs('postfix-mailcow'); } echo (isset($logs) && !empty($logs)) ? json_encode($logs, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT) : '{}'; break; case "autodiscover": // 0 is first record, so empty is fine if (isset($extra)) { $extra = preg_replace('/[^\d\-]/i', '', $extra); $logs = get_logs('autodiscover-mailcow', $extra); } else { $logs = get_logs('autodiscover-mailcow'); } echo (isset($logs) && !empty($logs)) ? json_encode($logs, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT) : '{}'; break; case "sogo": // 0 is first record, so empty is fine if (isset($extra)) { $extra = preg_replace('/[^\d\-]/i', '', $extra); $logs = get_logs('sogo-mailcow', $extra); } else { $logs = get_logs('sogo-mailcow'); } echo (isset($logs) && !empty($logs)) ? json_encode($logs, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT) : '{}'; break; case "ui": // 0 is first record, so empty is fine if (isset($extra)) { $extra = preg_replace('/[^\d\-]/i', '', $extra); $logs = get_logs('mailcow-ui', $extra); } else { $logs = get_logs('mailcow-ui'); } echo (isset($logs) && !empty($logs)) ? json_encode($logs, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT) : '{}'; break; case "sasl": // 0 is first record, so empty is fine if (isset($extra)) { $extra = preg_replace('/[^\d\-]/i', '', $extra); $logs = get_logs('sasl', $extra); } else { $logs = get_logs('sasl'); } echo (isset($logs) && !empty($logs)) ? json_encode($logs, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT) : '{}'; break; case "watchdog": // 0 is first record, so empty is fine if (isset($extra)) { $extra = preg_replace('/[^\d\-]/i', '', $extra); $logs = get_logs('watchdog-mailcow', $extra); } else { $logs = get_logs('watchdog-mailcow'); } echo (isset($logs) && !empty($logs)) ? json_encode($logs, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT) : '{}'; break; case "acme": // 0 is first record, so empty is fine if (isset($extra)) { $extra = preg_replace('/[^\d\-]/i', '', $extra); $logs = get_logs('acme-mailcow', $extra); } else { $logs = get_logs('acme-mailcow'); } echo (isset($logs) && !empty($logs)) ? json_encode($logs, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT) : '{}'; break; case "api": // 0 is first record, so empty is fine if (isset($extra)) { $extra = preg_replace('/[^\d\-]/i', '', $extra); $logs = get_logs('api-mailcow', $extra); } else { $logs = get_logs('api-mailcow'); } echo (isset($logs) && !empty($logs)) ? json_encode($logs, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT) : '{}'; break; case "rspamd-history": // 0 is first record, so empty is fine if (isset($extra)) { $extra = preg_replace('/[^\d\-]/i', '', $extra); $logs = get_logs('rspamd-history', $extra); } else { $logs = get_logs('rspamd-history'); } echo (isset($logs) && !empty($logs)) ? json_encode($logs, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT) : '{}'; break; case "rspamd-stats": $logs = get_logs('rspamd-stats'); echo (isset($logs) && !empty($logs)) ? json_encode($logs, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT) : '{}'; break; // return no route found if no case is matched default: http_response_code(404); echo json_encode(array( 'type' => 'error', 'msg' => 'route not found' )); exit(); } break; case "mailbox": switch ($object) { case "all": case "reduced": $tags = null; if (isset($_GET['tags']) && $_GET['tags'] != '') $tags = explode(',', $_GET['tags']); if (empty($extra)) $domains = mailbox('get', 'domains'); else $domains = explode(',', $extra); if (!empty($domains)) { foreach ($domains as $domain) { $mailboxes = mailbox('get', 'mailboxes', $domain, $tags); if (!empty($mailboxes)) { foreach ($mailboxes as $mailbox) { if ($details = mailbox('get', 'mailbox_details', $mailbox, $object)) $data[] = $details; else continue; } } } process_get_return($data); } else { echo '{}'; } break; case "template": switch ($extra){ case "all": process_get_return(mailbox('get', 'mailbox_templates')); break; default: process_get_return(mailbox('get', 'mailbox_templates', $extra)); break; } break; default: $tags = null; if (isset($_GET['tags']) && $_GET['tags'] != '') $tags = explode(',', $_GET['tags']); if ($tags === null) { $data = mailbox('get', 'mailbox_details', $object); process_get_return($data); } else { $mailboxes = mailbox('get', 'mailboxes', $object, $tags); if (is_array($mailboxes)) { foreach ($mailboxes as $mailbox) { if ($details = mailbox('get', 'mailbox_details', $mailbox)) $data[] = $details; } } process_get_return($data, false); } break; } break; case "bcc-destination-options": $domains = mailbox('get', 'domains'); $alias_domains = mailbox('get', 'alias_domains'); $data = array(); if (!empty($domains)) { foreach ($domains as $domain) { $data['domains'][] = $domain; $mailboxes = mailbox('get', 'mailboxes', $domain); foreach ($mailboxes as $mailbox) { $data['mailboxes'][$mailbox][] = $mailbox; $user_alias_details = user_get_alias_details($mailbox); foreach ($user_alias_details['direct_aliases'] as $k => $v) { $data['mailboxes'][$mailbox][] = $k; } foreach ($user_alias_details['shared_aliases'] as $k => $v) { $data['mailboxes'][$mailbox][] = $k; } } } } if (!empty($alias_domains)) { foreach ($alias_domains as $alias_domain) { $data['alias_domains'][] = $alias_domain; } } process_get_return($data); break; case "syncjobs": switch ($object) { case "all": $domains = mailbox('get', 'domains'); if (!empty($domains)) { foreach ($domains as $domain) { $mailboxes = mailbox('get', 'mailboxes', $domain); if (!empty($mailboxes)) { foreach ($mailboxes as $mailbox) { $syncjobs = mailbox('get', 'syncjobs', $mailbox); if (!empty($syncjobs)) { foreach ($syncjobs as $syncjob) { if (isset($extra)) { $details = mailbox('get', 'syncjob_details', $syncjob, explode(',', $extra)); } else { $details = mailbox('get', 'syncjob_details', $syncjob); } if ($details) { $data[] = $details; } else { continue; } } } } } } process_get_return($data); } else { echo '{}'; } break; default: $syncjobs = mailbox('get', 'syncjobs', $object); if (!empty($syncjobs)) { foreach ($syncjobs as $syncjob) { if (isset($extra)) { $details = mailbox('get', 'syncjob_details', $syncjob, explode(',', $extra)); } else { $details = mailbox('get', 'syncjob_details', $syncjob); } if ($details) { $data[] = $details; } else { continue; } } } process_get_return($data); break; } break; case "active-user-sieve": if (isset($object)) { $sieve_filter = mailbox('get', 'active_user_sieve', $object); if (!empty($sieve_filter)) { $data[] = $sieve_filter; } } process_get_return($data); break; case "filters": switch ($object) { case "all": $domains = mailbox('get', 'domains'); if (!empty($domains)) { foreach ($domains as $domain) { $mailboxes = mailbox('get', 'mailboxes', $domain); if (!empty($mailboxes)) { foreach ($mailboxes as $mailbox) { $filters = mailbox('get', 'filters', $mailbox); if (!empty($filters)) { foreach ($filters as $filter) { if ($details = mailbox('get', 'filter_details', $filter)) { $data[] = $details; } else { continue; } } } } } } process_get_return($data); } else { echo '{}'; } break; default: $filters = mailbox('get', 'filters', $object); if (!empty($filters)) { foreach ($filters as $filter) { if ($details = mailbox('get', 'filter_details', $filter)) { $data[] = $details; } else { continue; } } } process_get_return($data); break; } break; case "bcc": switch ($object) { case "all": $bcc_items = bcc('get'); if (!empty($bcc_items)) { foreach ($bcc_items as $bcc_item) { if ($details = bcc('details', $bcc_item)) { $data[] = $details; } else { continue; } } } process_get_return($data); break; default: $data = bcc('details', $object); if (!empty($data)) { $data[] = $details; } process_get_return($data); break; } break; case "recipient_map": switch ($object) { case "all": $recipient_map_items = recipient_map('get'); if (!empty($recipient_map_items)) { foreach ($recipient_map_items as $recipient_map_item) { if ($details = recipient_map('details', $recipient_map_item)) { $data[] = $details; } else { continue; } } } process_get_return($data); break; default: $data = recipient_map('details', $object); if (!empty($data)) { $data[] = $details; } process_get_return($data); break; } break; case "tls-policy-map": switch ($object) { case "all": $tls_policy_maps_items = tls_policy_maps('get'); if (!empty($tls_policy_maps_items)) { foreach ($tls_policy_maps_items as $tls_policy_maps_item) { if ($details = tls_policy_maps('details', $tls_policy_maps_item)) { $data[] = $details; } else { continue; } } } process_get_return($data); break; default: $data = tls_policy_maps('details', $object); if (!empty($data)) { $data[] = $details; } process_get_return($data); break; } break; case "policy_wl_mailbox": switch ($object) { default: $data = policy('get', 'mailbox', $object)['whitelist']; process_get_return($data); break; } break; case "policy_bl_mailbox": switch ($object) { default: $data = policy('get', 'mailbox', $object)['blacklist']; process_get_return($data); break; } break; case "policy_wl_domain": switch ($object) { default: $data = policy('get', 'domain', $object)['whitelist']; process_get_return($data); break; } break; case "policy_bl_domain": switch ($object) { default: $data = policy('get', 'domain', $object)['blacklist']; process_get_return($data); break; } break; case "time_limited_aliases": switch ($object) { default: $data = mailbox('get', 'time_limited_aliases', $object); process_get_return($data); break; } break; case "fail2ban": switch ($object) { default: $data = fail2ban('get'); process_get_return($data); break; } break; case "resource": switch ($object) { case "all": $domains = mailbox('get', 'domains'); if (!empty($domains)) { foreach ($domains as $domain) { $resources = mailbox('get', 'resources', $domain); if (!empty($resources)) { foreach ($resources as $resource) { if ($details = mailbox('get', 'resource_details', $resource)) { $data[] = $details; } else { continue; } } } } process_get_return($data); } else { echo '{}'; } break; default: $data = mailbox('get', 'resource_details', $object); process_get_return($data); break; } break; case "fwdhost": switch ($object) { case "all": process_get_return(fwdhost('get')); break; default: process_get_return(fwdhost('details', $object)); break; } break; case "quarantine": // "all" will not print details switch ($object) { case "all": process_get_return(quarantine('get'), false); break; default: process_get_return(quarantine('details', $object), false); break; } break; case "alias-domain": switch ($object) { case "all": $alias_domains = mailbox('get', 'alias_domains'); if (!empty($alias_domains)) { foreach ($alias_domains as $alias_domain) { if ($details = mailbox('get', 'alias_domain_details', $alias_domain)) { $data[] = $details; } else { continue; } } } process_get_return($data); break; default: process_get_return(mailbox('get', 'alias_domain_details', $object)); break; } break; case "alias": switch ($object) { case "all": if (empty($extra)) { $domains = array_merge(mailbox('get', 'domains'), mailbox('get', 'alias_domains')); } else { $domains = explode(',', $extra); } if (!empty($domains)) { foreach ($domains as $domain) { $aliases = mailbox('get', 'aliases', $domain); if (!empty($aliases)) { foreach ($aliases as $alias) { if ($details = mailbox('get', 'alias_details', $alias)) { $data[] = $details; } else { continue; } } } } process_get_return($data); } else { echo '{}'; } break; default: process_get_return(mailbox('get', 'alias_details', $object)); break; } break; case "domain-admin": switch ($object) { case "all": $domain_admins = domain_admin('get'); if (!empty($domain_admins)) { foreach ($domain_admins as $domain_admin) { if ($details = domain_admin('details', $domain_admin)) { $data[] = $details; } else { continue; } } process_get_return($data); } else { echo '{}'; } break; default: process_get_return(domain_admin('details', $object)); break; } break; case "admin": switch ($object) { case "all": $admins = admin('get'); if (!empty($admins)) { foreach ($admins as $admin) { if ($details = admin('details', $admin)) { $data[] = $details; } else { continue; } } process_get_return($data); } else { echo '{}'; } break; default: process_get_return(admin('details', $object)); break; } break; case "dkim": switch ($object) { default: $data = dkim('details', $object); process_get_return($data); break; } break; case "presets": switch ($object) { case "rspamd": process_get_return(presets('get', 'rspamd')); break; case "sieve": process_get_return(presets('get', 'sieve')); break; } break; case "status": if ($_SESSION['mailcow_cc_role'] == "admin") { switch ($object) { case "containers": $containers = (docker('info')); foreach ($containers as $container => $container_info) { $container . ' (' . $container_info['Config']['Image'] . ')'; $containerstarttime = ($container_info['State']['StartedAt']); $containerstate = ($container_info['State']['Status']); $containerimage = ($container_info['Config']['Image']); $temp[$container] = array( 'type' => 'info', 'container' => $container, 'state' => $containerstate, 'started_at' => $containerstarttime, 'image' => $containerimage ); } echo json_encode($temp, JSON_UNESCAPED_SLASHES); break; case "container": $container_stats = docker('container_stats', $extra); echo json_encode($container_stats); break; case "vmail": $exec_fields_vmail = array('cmd' => 'system', 'task' => 'df', 'dir' => '/var/vmail'); $vmail_df = explode(',', json_decode(docker('post', 'dovecot-mailcow', 'exec', $exec_fields_vmail), true)); $temp = array( 'type' => 'info', 'disk' => $vmail_df[0], 'used' => $vmail_df[2], 'total'=> $vmail_df[1], 'used_percent' => $vmail_df[4] ); echo json_encode($temp, JSON_UNESCAPED_SLASHES); break; case "solr": $solr_status = solr_status(); $solr_size = ($solr_status['status']['dovecot-fts']['index']['size']); $solr_documents = ($solr_status['status']['dovecot-fts']['index']['numDocs']); if (strtolower(getenv('SKIP_SOLR')) != 'n') { $solr_enabled = false; } else { $solr_enabled = true; } echo json_encode(array( 'type' => 'info', 'solr_enabled' => $solr_enabled, 'solr_size' => $solr_size, 'solr_documents' => $solr_documents )); break; case "host": if (!$extra){ $stats = docker("host_stats"); echo json_encode($stats); } else if ($extra == "ip") { // get public ips $curl = curl_init(); curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); curl_setopt($curl, CURLOPT_POST, 0); curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 10); curl_setopt($curl, CURLOPT_TIMEOUT, 15); curl_setopt($curl, CURLOPT_URL, 'http://ipv4.mailcow.email'); $ipv4 = curl_exec($curl); curl_setopt($curl, CURLOPT_URL, 'http://ipv6.mailcow.email'); $ipv6 = curl_exec($curl); $ips = array( "ipv4" => $ipv4, "ipv6" => $ipv6 ); curl_close($curl); echo json_encode($ips); } break; case "version": echo json_encode(array( 'version' => $GLOBALS['MAILCOW_GIT_VERSION'] )); break; } } break; break; // return no route found if no case is matched default: http_response_code(404); echo json_encode(array( 'type' => 'error', 'msg' => 'route not found' )); exit(); } } break; case "delete": if ($_SESSION['mailcow_cc_api_access'] == 'ro' || isset($_SESSION['pending_mailcow_cc_username']) || !isset($_SESSION["mailcow_cc_username"])) { http_response_code(403); echo json_encode(array( 'type' => 'error', 'msg' => 'API read/write access denied' )); exit(); } function process_delete_return($return) { $generic_failure = json_encode(array( 'type' => 'error', 'msg' => 'Cannot delete item' )); $generic_success = json_encode(array( 'type' => 'success', 'msg' => 'Task completed' )); if ($return === false) { echo isset($_SESSION['return']) ? json_encode($_SESSION['return']) : $generic_failure; } else { echo isset($_SESSION['return']) ? json_encode($_SESSION['return']) : $generic_success; } } if (!isset($_POST['items'])) { echo $request_incomplete; exit; } else { $items = (array)json_decode($_POST['items'], true); } // only allow POST requests to POST API endpoints if ($_SERVER['REQUEST_METHOD'] != 'POST') { http_response_code(405); echo json_encode(array( 'type' => 'error', 'msg' => 'only POST method is allowed' )); exit(); } switch ($category) { case "alias": process_delete_return(mailbox('delete', 'alias', array('id' => $items))); break; case "oauth2-client": process_delete_return(oauth2('delete', 'client', array('id' => $items))); break; case "app-passwd": process_delete_return(app_passwd('delete', array('id' => $items))); break; case "relayhost": process_delete_return(relayhost('delete', array('id' => $items))); break; case "transport": process_delete_return(transport('delete', array('id' => $items))); break; case "rsetting": process_delete_return(rsettings('delete', array('id' => $items))); break; case "syncjob": process_delete_return(mailbox('delete', 'syncjob', array('id' => $items))); break; case "filter": process_delete_return(mailbox('delete', 'filter', array('id' => $items))); break; case "mailq": process_delete_return(mailq('delete', array('qid' => $items))); break; case "qitem": process_delete_return(quarantine('delete', array('id' => $items))); break; case "bcc": process_delete_return(bcc('delete', array('id' => $items))); break; case "recipient_map": process_delete_return(recipient_map('delete', array('id' => $items))); break; case "tls-policy-map": process_delete_return(tls_policy_maps('delete', array('id' => $items))); break; case "fwdhost": process_delete_return(fwdhost('delete', array('forwardinghost' => $items))); break; case "dkim": process_delete_return(dkim('delete', array('domains' => $items))); break; case "domain": switch ($object){ case "tag": process_delete_return(mailbox('delete', 'tags_domain', array('tags' => $items, 'domain' => $extra))); break; case "template": process_delete_return(mailbox('delete', 'domain_templates', array('ids' => $items))); break; default: process_delete_return(mailbox('delete', 'domain', array('domain' => $items))); } break; case "alias-domain": process_delete_return(mailbox('delete', 'alias_domain', array('alias_domain' => $items))); break; case "mailbox": switch ($object){ case "tag": process_delete_return(mailbox('delete', 'tags_mailbox', array('tags' => $items, 'username' => $extra))); break; case "template": process_delete_return(mailbox('delete', 'mailbox_templates', array('ids' => $items))); break; default: process_delete_return(mailbox('delete', 'mailbox', array('username' => $items))); } break; case "resource": process_delete_return(mailbox('delete', 'resource', array('name' => $items))); break; case "mailbox-policy": process_delete_return(policy('delete', 'mailbox', array('prefid' => $items))); break; case "domain-policy": process_delete_return(policy('delete', 'domain', array('prefid' => $items))); break; case "time_limited_alias": process_delete_return(mailbox('delete', 'time_limited_alias', array('address' => $items))); break; case "eas_cache": process_delete_return(mailbox('delete', 'eas_cache', array('username' => $items))); break; case "sogo_profile": process_delete_return(mailbox('delete', 'sogo_profile', array('username' => $items))); break; case "domain-admin": process_delete_return(domain_admin('delete', array('username' => $items))); break; case "admin": process_delete_return(admin('delete', array('username' => $items))); break; case "rlhash": echo ratelimit('delete', null, implode($items)); break; // return no route found if no case is matched default: http_response_code(404); echo json_encode(array( 'type' => 'error', 'msg' => 'route not found' )); exit(); } break; case "edit": if ($_SESSION['mailcow_cc_api_access'] == 'ro' || isset($_SESSION['pending_mailcow_cc_username']) || !isset($_SESSION["mailcow_cc_username"])) { http_response_code(403); echo json_encode(array( 'type' => 'error', 'msg' => 'API read/write access denied' )); exit(); } function process_edit_return($return) { $generic_failure = json_encode(array( 'type' => 'error', 'msg' => 'Cannot edit item' )); $generic_success = json_encode(array( 'type' => 'success', 'msg' => 'Task completed' )); if ($return === false) { echo isset($_SESSION['return']) ? json_encode($_SESSION['return']) : $generic_failure; } else { echo isset($_SESSION['return']) ? json_encode($_SESSION['return']) : $generic_success; } } if (!isset($_POST['attr'])) { echo $request_incomplete; exit; } else { $attr = (array)json_decode($_POST['attr'], true); unset($attr['csrf_token']); $items = isset($_POST['items']) ? (array)json_decode($_POST['items'], true) : null; } // only allow POST requests to POST API endpoints if ($_SERVER['REQUEST_METHOD'] != 'POST') { http_response_code(405); echo json_encode(array( 'type' => 'error', 'msg' => 'only POST method is allowed' )); exit(); } switch ($category) { case "bcc": process_edit_return(bcc('edit', array_merge(array('id' => $items), $attr))); break; case "pushover": process_edit_return(pushover('edit', array_merge(array('username' => $items), $attr))); break; case "pushover-test": process_edit_return(pushover('test', array_merge(array('username' => $items), $attr))); break; case "oauth2-client": process_edit_return(oauth2('edit', 'client', array_merge(array('id' => $items), $attr))); break; case "recipient_map": process_edit_return(recipient_map('edit', array_merge(array('id' => $items), $attr))); break; case "app-passwd": process_edit_return(app_passwd('edit', array_merge(array('id' => $items), $attr))); break; case "tls-policy-map": process_edit_return(tls_policy_maps('edit', array_merge(array('id' => $items), $attr))); break; case "alias": process_edit_return(mailbox('edit', 'alias', array_merge(array('id' => $items), $attr))); break; case "rspamd-map": process_edit_return(rspamd_maps('edit', array_merge(array('map' => $items), $attr))); break; case "fido2-fn": process_edit_return(fido2(array('action' => 'edit_fn', 'fido2_attrs' => $attr))); break; case "app_links": process_edit_return(customize('edit', 'app_links', $attr)); break; case "passwordpolicy": process_edit_return(password_complexity('edit', $attr)); break; case "relayhost": process_edit_return(relayhost('edit', array_merge(array('id' => $items), $attr))); break; case "transport": process_edit_return(transport('edit', array_merge(array('id' => $items), $attr))); break; case "rsetting": process_edit_return(rsettings('edit', array_merge(array('id' => $items), $attr))); break; case "delimiter_action": process_edit_return(mailbox('edit', 'delimiter_action', array_merge(array('username' => $items), $attr))); break; case "tls_policy": process_edit_return(mailbox('edit', 'tls_policy', array_merge(array('username' => $items), $attr))); break; case "quarantine_notification": process_edit_return(mailbox('edit', 'quarantine_notification', array_merge(array('username' => $items), $attr))); break; case "quarantine_category": process_edit_return(mailbox('edit', 'quarantine_category', array_merge(array('username' => $items), $attr))); break; case "qitem": process_edit_return(quarantine('edit', array_merge(array('id' => $items), $attr))); break; case "quarantine": process_edit_return(quarantine('edit', $attr)); break; case "quota_notification": process_edit_return(quota_notification('edit', $attr)); break; case "quota_notification_bcc": process_edit_return(quota_notification_bcc('edit', $attr)); break; case "domain-wide-footer": process_edit_return(mailbox('edit', 'domain_wide_footer', $attr)); break; case "mailq": process_edit_return(mailq('edit', array_merge(array('qid' => $items), $attr))); break; case "time_limited_alias": process_edit_return(mailbox('edit', 'time_limited_alias', array_merge(array('address' => $items), $attr))); break; case "mailbox": switch ($object) { case "template": process_edit_return(mailbox('edit', 'mailbox_templates', array_merge(array('ids' => $items), $attr))); break; default: process_edit_return(mailbox('edit', 'mailbox', array_merge(array('username' => $items), $attr))); break; } break; case "syncjob": process_edit_return(mailbox('edit', 'syncjob', array_merge(array('id' => $items), $attr))); break; case "filter": process_edit_return(mailbox('edit', 'filter', array_merge(array('id' => $items), $attr))); break; case "resource": process_edit_return(mailbox('edit', 'resource', array_merge(array('name' => $items), $attr))); break; case "domain": switch ($object) { case "template": process_edit_return(mailbox('edit', 'domain_templates', array_merge(array('ids' => $items), $attr))); break; default: process_edit_return(mailbox('edit', 'domain', array_merge(array('domain' => $items), $attr))); break; } break; case "rl-domain": process_edit_return(ratelimit('edit', 'domain', array_merge(array('object' => $items), $attr))); break; case "rl-mbox": process_edit_return(ratelimit('edit', 'mailbox', array_merge(array('object' => $items), $attr))); break; case "user-acl": process_edit_return(acl('edit', 'user', array_merge(array('username' => $items), $attr))); break; case "da-acl": process_edit_return(acl('edit', 'domainadmin', array_merge(array('username' => $items), $attr))); break; case "alias-domain": process_edit_return(mailbox('edit', 'alias_domain', array_merge(array('alias_domain' => $items), $attr))); break; case "spam-score": process_edit_return(mailbox('edit', 'spam_score', array_merge(array('username' => $items), $attr))); break; case "domain-admin": process_edit_return(domain_admin('edit', array_merge(array('username' => $items), $attr))); break; case "admin": process_edit_return(admin('edit', array_merge(array('username' => $items), $attr))); break; case "fwdhost": process_edit_return(fwdhost('edit', array_merge(array('fwdhost' => $items), $attr))); break; case "fail2ban": process_edit_return(fail2ban('edit', array_merge(array('network' => $items), $attr))); break; case "ui_texts": process_edit_return(customize('edit', 'ui_texts', $attr)); break; case "ip_check": process_edit_return(customize('edit', 'ip_check', $attr)); break; case "self": if ($_SESSION['mailcow_cc_role'] == "domainadmin") { process_edit_return(domain_admin('edit', $attr)); } elseif ($_SESSION['mailcow_cc_role'] == "user") { process_edit_return(edit_user_account($attr)); } break; case "cors": process_edit_return(cors('edit', $attr)); break; // return no route found if no case is matched default: http_response_code(404); echo json_encode(array( 'type' => 'error', 'msg' => 'route not found' )); exit(); } break; // return no route found if no case is matched default: http_response_code(404); echo json_encode(array( 'type' => 'error', 'msg' => 'route not found' )); exit(); } } if ($_SESSION['mailcow_cc_api'] === true) { if (isset($_SESSION['mailcow_cc_api']) && $_SESSION['mailcow_cc_api'] === true) { unset($_SESSION['return']); } }