How to disable ActiveSync for specific users - security issue

JMR

Hi all,
Critical issue: Users with read-only calendar permissions can delete entire shared calendars via ActiveSync (iPhone/iPad). When they remove a subscribed calendar from their device, it deletes the calendar on the server despite having read-only rights.

Setup:
Mailcow dockerized + SOGo
80 users need read-only calendar access
5 specific users need Exchange/ActiveSync for calendar management
Shared calendars in central account

Question:
How can we disable ActiveSync for most users while keeping it active for 5 specific accounts?
Our provider says he doesn’t know how to do this, but I’ve seen IMAP/POP3 can be disabled per user. Why not ActiveSync?

Tried so far:
No ActiveSync toggle in mailbox settings (only IMAP/POP3/SMTP/Sieve)
Provider suggested external Layer 7 firewall or MDM (seems overkill)

Any working solution or nginx config example? This is urgent as calendars keep getting accidentally deleted.
Thanks!

esackbauer

So far only this quick fix is found with forum search(!):
https://community.mailcow.email/d/561-disable-sogo-activesync

JMR

esackbauer Thanks for the link! That post shows how to disable ActiveSync completely, which would work as a last resort.
However, we need ActiveSync to remain active for 5 specific users who manage the calendars, while blocking it for the other 80 users.
Would it be possible to modify the sogo_eas.template.sh to check usernames first? Something like allowing ActiveSync only for specific accounts and returning 410 for everyone else?
Any examples of conditional nginx rules based on $remote_user would be really helpful!

esackbauer

With a Web Application Firewall you can possibly do so - also with tweaking the nginx configs but I am not an expert in this.
But why not configuring the 5 specific users with CalDAV as well? Its very easy with the profiles:
https://docs.mailcow.email/client/client-apple/#method-14-imap-smtp-and-calcarddav-with-app-password
See Method 1.4
User needs to login to mailcow from his Apple device and click on the respective link for auto configuration.

JMR

esackbauer Thanks for the suggestion! CalDAV isn’t viable for our 5 admin users because:

They must use Outlook (organizational requirement)
CalDAV Synchronizer for Outlook has been unreliable for us
Exchange provides critical features they need (meeting scheduling, delegate access, real-time sync)

The nginx filtering approach is our best option. Could someone share a working example using $http_x_webobjects_remote_user to whitelist specific accounts?
We need Exchange/ActiveSync for these 5 accounts only, while blocking it for the other 80 users to prevent accidental calendar deletions.

esackbauer

Sorry I am not able to help you further, but have you checked with the SOGo support mailing list? That calendar deletion bug is most likely in their hands (or a bug with Apple iOS).
Could you pinpoint it to a specific iOS version and tried to isolate it? I guess not all iOS versions would have that problem.

JMR

esackbauer Thanks for your input! The issue isn’t a bug in SOGo or iOS - it’s actually documented behavior:
When an iOS device removes a subscribed calendar via Exchange ActiveSync, it sends a DELETE command. SOGo processes this without checking if the user has delete permissions on the original calendar. This affects ALL iOS versions using Exchange/ActiveSync.
The problem is specific to the ActiveSync protocol implementation, not CalDAV (which correctly respects permissions). That’s why we need to restrict ActiveSync access to only the 5 users who actually need delete permissions.
The nginx filtering solution would prevent unauthorized users from accessing ActiveSync entirely, eliminating the risk. Still hoping someone has a working example of the user-based filtering approach!

esackbauer

I asked the AI and it came up with this solution:

Basic idea

Identify ActiveSync requests by URL path /Microsoft-Server-ActiveSync.
Use map on $remote_user to mark whitelisted users.
In the ActiveSync location, deny all for non‑whitelisted users and only proxy_pass for allowed ones.

Example nginx config

In the http {} block (global, not inside a server):

# Map authenticated username to a flag
map $remote_user $eas_allowed {
    default        0;                 # deny by default
    user1@example.com 1;              # whitelisted user
    user2@example.com 1;              # another whitelisted user
}

In your Exchange reverse‑proxy server {}:

server {
    listen 443 ssl;
    server_name mail.example.com;

    # ... SSL, upstream, etc ...

    # ActiveSync endpoint
    location /Microsoft-Server-ActiveSync {
        # make sure auth headers are passed so $remote_user is set
        auth_basic           "Exchange";
        auth_basic_user_file /etc/nginx/htpasswd-exchange;

        # block everyone except mapped users
        if ($eas_allowed = 0) {
            return 403;
        }

        proxy_pass https://exchange_backend;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # other locations (OWA, EWS, etc.)
}

This setup denies ActiveSync to all accounts except those explicitly listed in the map, while still allowing the same users to use other protocols/paths you proxy normally. map is evaluated very efficiently and is the recommended way to branch on usernames or other variables in nginx.

JMR

esackbauer Thanks for sharing! That’s exactly the right approach. The AI’s solution aligns with what we need.
Important note for Mailcow/SOGo setup:
In Mailcow, the authentication header might be $http_x_webobjects_remote_user instead of $remote_user (as SOGo uses x-webobjects-remote-user header for auth).
So the map would be:
nginxmap $http_x_webobjects_remote_user $eas_allowed {
default 0;
“admin1@example.com” 1;
“admin2@example.com” 1;
}
The location block logic remains the same - return 403 if $eas_allowed = 0.
For Mailcow specifically, this would go into /opt/mailcow-dockerized/data/conf/nginx/templates/sogo_eas.template.sh to survive container restarts.
Has anyone successfully tested this in a production Mailcow environment? Would be great to confirm before we implement it.