
Default ACL settings for calendar permissions & calendar access with non-domain authentication #7006

@flo1212

Contribution guidelines

Checklist prior issue creation

  • I understand that failure to follow below instructions may cause this issue to be closed.
  • I understand that vague, incomplete or inaccurate information may cause this issue to be closed.
  • I understand that this form is intended solely for reporting software bugs and not for support-related inquiries.
  • I understand that all responses are voluntary and community-driven, and do not constitute commercial support.
  • I confirm that I have reviewed previous issues to ensure this matter has not already been addressed.
  • I confirm that my environment meets all prerequisite requirements as specified in the official documentation.

Description

According to the update from December 15, 2022, the default values for calendar sharing should all be set to "None" when creating a new calendar: https://docs.mailcow.email/manual-guides/Dovecot/u_e-dovecot-any_acl/

Problem 1:
These values are not being set correctly; instead, calendars are still being created with the permissions "View All" and "View the Date & Time"?

Problem 2:
Furthermore, it is possible to access data in calendars belonging to users outside one's own domain by authenticating with one's own user credentials instead of the calendar owner's credentials (without an explicit invitation!).

  • Example: The calendar of "info@test.de" can be accessed using the credentials of "test@info.de" if, for example, the ICS URL for "Authenticated User Access" is accessed.

Steps to reproduce:

Problem 1:

  1. Open SOGo -> Calendars & Add new
  2. Click on the 3 dots -> "Sharing..." & Check the rights for "Any authenticated User"
    = "Public -> View All"; "Confidential -> View the Date & Time"; "Private -> View the Date & Time"

Problem 2:

  1. Stay logged into SOGo with your user account and click again on the three dots in the calendar.
  2. Open "Links to this Calendar" -> "Authenticated User Access" and copy the URL, e.g., "WebDAV ICS URL".
  3. Open this URL in another browser (in incognito/private mode).
    -> Login credentials required: Log in here with a completely different SOGo user account, and the file will be downloaded with all the calendar event information.

Logs:

n/a

Which branch are you using?

master (stable)

Which architecture are you using?

x86_64

Operating System:

Debian GNU/Linux 12 (bookworm)

Server/VM specifications:

32 GB 8 vCores

Is Apparmor, SELinux or similar active?

Apparmor

Virtualization technology:

KVM

Docker version:

29.1.3

docker-compose version or docker compose version:

v2.9.0

mailcow version:

2025-12a

Reverse proxy:

none

Logs of git diff:

n/a

Logs of iptables -L -vn:

n/a

Logs of ip6tables -L -vn:

n/a

Logs of iptables -L -vn -t nat:

n/a

Logs of ip6tables -L -vn -t nat:

n/a

DNS check:

n/a
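A configuration check for Problem 1, added here as an example and not part of mailcow's or SOGo's own code: it parses the SOGo `SOGoCalendarDefaultRoles` key from a sogo.conf fragment and lists the rights every authenticated user would receive on a newly created calendar. The role-to-label mapping and the two sample fragments are assumptions; an empty result is what the documented "None" defaults should produce.

```python
import re

# Labels the SOGo "Sharing..." dialog shows for each role suffix (mapping assumed
# from the dialog wording quoted in the report; "View All" is the broadest read).
ROLE_LABELS = {
    "Viewer": "View All",
    "DAndTViewer": "View the Date & Time",
    "Modifier": "Modify",
    "Responder": "Respond To",
}
CLASSES = ("Public", "Confidential", "Private")
OBJECT_ROLES = {"ObjectCreator": "Create objects", "ObjectEraser": "Erase objects"}

# Matches the OpenStep-style array in sogo.conf, including a multi-line one.
_DEFAULT_ROLES = re.compile(r"SOGoCalendarDefaultRoles\s*=\s*\(([^)]*)\)\s*;")


def parse_default_roles(conf_text: str):
    """Return the configured role list, or None when the key is absent."""
    m = _DEFAULT_ROLES.search(conf_text)
    if m is None:
        return None
    return [tok.strip().strip('"') for tok in m.group(1).split(",") if tok.strip()]


def describe_role(role: str) -> str:
    """Translate a role identifier into the right it grants to any authenticated user."""
    if role in OBJECT_ROLES:
        return OBJECT_ROLES[role]
    for cls in CLASSES:
        if role.startswith(cls) and role[len(cls):] in ROLE_LABELS:
            return f"{cls} -> {ROLE_LABELS[role[len(cls):]]}"
    return f"unknown role {role!r}"


def audit_default_roles(conf_text: str):
    """Return findings; an empty list means new calendars grant nothing by default."""
    roles = parse_default_roles(conf_text)
    if roles is None:
        return ["SOGoCalendarDefaultRoles not set explicitly; SOGo's built-in default applies"]
    return [describe_role(r) for r in roles]


# Constructed sample fragments: the first reproduces the rights seen in the report,
# the second is the hardened setting (every default sharing right set to "None").
WEAK_CONF = '''SOGoCalendarDefaultRoles = ("PublicViewer",
    "ConfidentialDAndTViewer", "PrivateDAndTViewer");'''
HARDENED_CONF = "SOGoCalendarDefaultRoles = ();"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_default_roles(conf) or ["no default rights granted"])
```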
