mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

HTTP 403 /SOGo/so/passwordRecoveryEnabled after successful login in SOGo #6178

Open dittodhole opened 5 days ago

dittodhole commented 5 days ago

Contribution guidelines

I've found a bug and checked that ...

Description

When logging in with valid credentials, a 403 gets logged, leading to a crowdsec alert and blocking the IP. This did not happen with 2024-08(a).
Even setting a Password recovery email does result in a 403.

Logs:

nginx-mailcow-1  | 62.240.154.144 - - [19/Nov/2024:13:54:16 +0100] "GET /SOGo/so/ HTTP/1.1" 200 9472 "https://webmail.my.tld/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
nginx-mailcow-1  | 127.0.0.1 - - [19/Nov/2024:13:54:29 +0100] "GET /sogo-auth HTTP/1.0" 200 0 "https://webmail.my.tld/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
nginx-mailcow-1  | 62.240.154.144 - - [19/Nov/2024:13:54:29 +0100] "GET /SOGo/so/ HTTP/1.1" 200 9472 "https://webmail.my.tld/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
nginx-mailcow-1  | 127.0.0.1 - - [19/Nov/2024:13:54:42 +0100] "GET /sogo-auth HTTP/1.0" 200 0 "https://webmail.my.tld/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
nginx-mailcow-1  | 62.240.154.144 - - [19/Nov/2024:13:54:42 +0100] "POST /SOGo/so/passwordRecoveryEnabled HTTP/1.1" 403 0 "https://webmail.my.tld/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"

Steps to reproduce:

1. Log in with valid credentials

Which branch are you using?

master

Which architecture are you using?

ARM64 (aarch64)

Operating System:

v24.8.4 for Orange Pi 5 Plus running Armbian Linux 6.1.75-vendor-rk35xx

Server/VM specifications:

32GB, 8 Cores

Is Apparmor, SELinux or similar active?

no

Virtualization technology:

N/A

Docker version:

27.3.1

docker-compose version or docker compose version:

v2.29.7

mailcow version:

2024-11b

Reverse proxy:

NPMplus

Logs of git diff:

N/A

Logs of iptables -L -vn:

N/A

Logs of ip6tables -L -vn:

N/A

Logs of iptables -L -vn -t nat:

N/A

Logs of ip6tables -L -vn -t nat:

N/A

DNS check:

N/A

dittodhole commented 4 days ago

Inspired by nextcloud-whitelist, one could define a whitelist, e.g.

name: custom/SOGo-whitelist
description: "Whitelist events from SOGo"
# Only consider events already parsed from nginx access/error logs
filter: "evt.Meta.service == 'http' && evt.Meta.log_type in ['http_access-log', 'http_error-log']"
whitelist:
  reason: "SOGo Whitelist"
  expression:
    # CrowdSec keeps Meta values as strings, so the status code is compared as '403'
    - "evt.Meta.http_status == '403' && evt.Meta.http_verb == 'POST' && evt.Meta.http_path contains '/SOGo/so/passwordRecoveryEnabled'"
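To check what that expression would and would not suppress before deploying it, here is an added Python example (not part of the issue, mailcow or CrowdSec) that maps nginx access-log lines to the evt.Meta fields CrowdSec's nginx parser sets and applies the same predicate. The first sample line is the 403 from the logs above; the other two are constructed so that a normal 200 and a 403 on a different path are seen to pass through to the scenarios untouched.

```python
import re

# nginx "combined" format as in the issue's logs; the optional leading
# "nginx-mailcow-1  | " is the docker compose container prefix.
LOG_RE = re.compile(
    r'^(?:\S+\s+\|\s+)?(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: line 1 is the 403 from the issue, lines 2-3 are made up.
SAMPLE_LOGS = [
    'nginx-mailcow-1  | 62.240.154.144 - - [19/Nov/2024:13:54:42 +0100] '
    '"POST /SOGo/so/passwordRecoveryEnabled HTTP/1.1" 403 0 "https://webmail.my.tld/" "Mozilla/5.0"',
    'nginx-mailcow-1  | 62.240.154.144 - - [19/Nov/2024:13:54:16 +0100] '
    '"GET /SOGo/so/ HTTP/1.1" 200 9472 "https://webmail.my.tld/" "Mozilla/5.0"',
    'nginx-mailcow-1  | 198.51.100.7 - - [19/Nov/2024:13:55:01 +0100] '
    '"POST /SOGo/so/admin HTTP/1.1" 403 0 "-" "curl/8.0"',
]

def parse_event(line):
    """Map one access-log line to the evt.Meta fields CrowdSec's nginx parser sets."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "service": "http",
        "log_type": "http_access-log",
        "source_ip": m["ip"],
        "http_verb": m["verb"],
        "http_path": m["path"],
        "http_status": m["status"],  # a string, like CrowdSec Meta values
    }

def is_whitelisted(meta):
    """Same predicate as the whitelist expression in the YAML above."""
    return (
        meta["http_status"] == "403"
        and meta["http_verb"] == "POST"
        and "/SOGo/so/passwordRecoveryEnabled" in meta["http_path"]
    )

def classify(lines):
    """Split log lines into (whitelisted, passed_on) keys: (ip, verb, path, status)."""
    whitelisted, passed_on = [], []
    for line in lines:
        meta = parse_event(line)
        if meta is None:
            continue  # unparsable lines never reach the whitelist stage
        key = (meta["source_ip"], meta["http_verb"], meta["http_path"], meta["http_status"])
        (whitelisted if is_whitelisted(meta) else passed_on).append(key)
    return whitelisted, passed_on
```

Only the exact POST-to-passwordRecoveryEnabled 403 is dropped; other 403s from the same IP still count toward the http scenarios, which is the intended scope of the whitelist.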