mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

is external authentication supported / could it be supported? #1749

Closed thewilli closed 6 years ago

thewilli commented 6 years ago

Hi!

For some bundled applications of an organization, users often refuse to maintain different accounts. That's why I chose to go for a centralized IdP for those applications, so users only have to maintain a single account / password and may be asked for a 2nd factor as well.

Is there any way to use mailcow for creating accounts (i.e. mailboxes), but an external solution for authentication? I already have a PAM integration for my login solution, which might come in handy later.

I know that some people were already interested in doing it the other way round, i.e. using mailcow as, for example, an OpenID provider. But why should this effort be made if there are already great open source and commercial solutions available? (I'm thinking of the Unix philosophy here. There might always be a setting or feature that is missing; why not concentrate on improving what the solution is intended to do?)

Long story short, is it already or can it be made possible to allow users to authenticate for

using either a PAM module or whatever standard to allow external authentication (for already created accounts only). I'm aware that users won't be able to change their passwords using SOGo this way.

Thanks in advance!

mkuron commented 6 years ago

Duplicate of #1204. For the web interface, it would be easy to implement. For SOGo, one could write a plugin. For IMAP and SMTP, it's probably impossible: while Dovecot implements OAuth (the only standardized way to do that), few clients support it and most of them can only use it with Gmail. Using an IdP with email is very uncommon for this reason. For similar reasons, you can't use two-factor authentication with IMAP and SMTP.

If you are mainly interested in using an external authentication database, there is an open pull request for LDAP support at #1483. If you are interested in moving authentication out of the actual service, Kerberos is the correct way to go, but that is much more effort to set up and not currently supported by Mailcow.

thedarkside commented 4 years ago

@mkuron I am elaborating a solution path for our case too, where we want to integrate Gluu as an IdP with a mail server solution like mailcow. The OAUTHBEARER method supported by Dovecot should work, and then 2FA should be possible with SMTP and IMAP too!

I know about the poor support for that auth method in the mail clients but in our case we can arrange that.

Can you tell me about how much effort we are talking about to integrate that into mailcow?
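As an added illustration of the OAUTHBEARER flow thedarkside refers to (example code, not code from mailcow, Dovecot or Gluu): the client builds the RFC 7628 initial response, and the server side extracts the bearer token, checks it against the IdP (a constructed in-memory introspection table stands in for a real Gluu introspection endpoint) and then accepts only users whose mailbox already exists locally, which matches the "already created accounts only" requirement in the original question. The token values, mailbox list and helper names are all assumptions made for this example.

```python
import base64
import re

# Constructed stand-in for the IdP's token introspection endpoint (hypothetical;
# a real deployment would query the IdP over HTTPS and verify its response).
INTROSPECTION = {
    "tok-alice-ok": {"active": True, "username": "alice@example.com", "scope": "mail"},
    "tok-bob-expired": {"active": False, "username": "bob@example.com"},
    "tok-carol-ok": {"active": True, "username": "carol@example.com", "scope": "mail"},
}
# Constructed list of mailboxes that exist locally (mailcow would be the source of truth).
MAILBOXES = {"alice@example.com", "bob@example.com"}


def build_initial_response(authzid: str, token: str, host: str = "mail.example.com", port: int = 993) -> str:
    """Client side: RFC 7628 OAUTHBEARER initial response, base64-encoded as sent with AUTHENTICATE."""
    kv = f"host={host}\x01port={port}\x01auth=Bearer {token}\x01"
    raw = f"n,a={authzid},\x01{kv}\x01"
    return base64.b64encode(raw.encode()).decode()


def parse_initial_response(b64: str) -> dict:
    """Server side: split the GS2 header from the key/value pairs and pull out the bearer token."""
    raw = base64.b64decode(b64).decode()
    m = re.fullmatch(r"n,(?:a=([^,]*))?,\x01(.*)\x01\x01", raw, re.S)
    if not m:
        raise ValueError("malformed OAUTHBEARER initial response")
    fields = dict(item.split("=", 1) for item in m.group(2).split("\x01") if item)
    auth = fields.get("auth", "")
    if not auth.lower().startswith("bearer "):
        raise ValueError("auth value is not a Bearer token")
    return {"authzid": m.group(1) or "", "token": auth[7:], "host": fields.get("host"), "port": fields.get("port")}


def authenticate(b64: str) -> tuple:
    """Accept only active tokens whose subject matches the requested identity and has a local mailbox."""
    try:
        req = parse_initial_response(b64)
    except ValueError as e:
        return False, str(e)
    info = INTROSPECTION.get(req["token"])
    if not info or not info.get("active"):
        return False, "token inactive or unknown"
    user = info["username"]
    if req["authzid"] and req["authzid"] != user:
        return False, "authzid does not match token subject"
    if user not in MAILBOXES:
        return False, f"no local mailbox for {user}"
    return True, user
```

The last two checks are the ones that matter for the use case in this thread: the IdP decides whether the token is valid, but the mail server still decides whether a mailbox for that subject exists, so a valid IdP login never creates or implies a mailbox on its own.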

Braintelligence commented 4 years ago

For reference, Gluu was already mentioned here:

https://github.com/mailcow/mailcow-dockerized/issues/684#issuecomment-463725622

https://github.com/mailcow/mailcow-dockerized/issues/740#issuecomment-442036806

https://github.com/mailcow/mailcow-dockerized/issues/2316#issuecomment-491214153

tromlet commented 2 years ago

> Duplicate of #1204. For the web interface, it would be easy to implement. For SOGo, one could write a plugin. For IMAP and SMTP, it's probably impossible: while Dovecot implements OAuth (the only standardized way to do that), few clients support it and most of them can only use it with Gmail. Using an IdP with email is very uncommon for this reason. For similar reasons, you can't use two-factor authentication with IMAP and SMTP.
>
> If you are mainly interested in using an external authentication database, there is an open pull request for LDAP support at #1483. If you are interested in moving authentication out of the actual service, Kerberos is the correct way to go, but that is much more effort to set up and not currently supported by Mailcow.

Doesn't Dovecot support Kerberos natively? https://www.freeipa.org/page/Dovecot_Integration