Open
Contribution guidelines
- I've read the contribution guidelines and wholeheartedly agree
I've found a bug and checked that ...
- ... I understand that not following the below instructions will result in immediate closure and/or deletion of my issue.
- ... I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
- ... I have understood that answers are voluntary and community-driven, and not commercial support.
- ... I have verified that my issue has not been already answered in the past. I also checked previous issues.
Description
By going into the address book or calendar in SOGo and attempting to subscribe to something, I can view the email addresses of all users in the domain (simply type the domain name to see all users). I don't have access to the calendar/address book, but I can see a list of all email addresses on the server. I would like to disable this user enumeration; just disabling the ability to subscribe and delegate access would be acceptable.
I realize that this is more of a SOGo configuration issue. A quick search of their config options turned up nothing that stood out to disable this; I just thought I would ask here.
Logs:
Not applicable.
Steps to reproduce:
1. Log in to SOGo on a domain with multiple users.
2. Click on address book or calendar in the upper right.
3. Click the plus sign next to subscribe.
4. Type part of the domain in the field.
5. Observe that you are now able to view all emails existing for the domain.
Which branch are you using?
master
Which architecture are you using?
x86
Operating System:
AlmaLinux release 9.6
Server/VM specifications:
8gb/8 cores
Is Apparmor, SELinux or similar active?
no
Virtualization technology:
VMware
Docker version:
28.3.3
docker-compose version or docker compose version:
v2.39.1
mailcow version:
2025-05
Reverse proxy:
caddy
Logs of git diff:
Not applicable.
Dev environment, testing for production.
Logs of iptables -L -vn:
Not applicable.
Dev environment, testing for production.
Logs of ip6tables -L -vn:
Not applicable.
Dev environment, testing for production.
Logs of iptables -L -vn -t nat:
Not applicable.
Dev environment, testing for production.
Logs of ip6tables -L -vn -t nat:
Not applicable.
Dev environment, testing for production.
DNS check:
Not applicable.
Dev environment, testing for production.