Open ciroiriarte opened 5 years ago
Hey man I'm with you. We have an IPA server and we'd like to have mailcow integrated managing mail.
I have also come across those other issues, but apparently it's all stalled?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Any news regarding this topic? I would like to connect my mailcow to my active directory,
Not interested. It's a commercial feature I don't plan to add to the open source mailcow ever.
@Rennerdo30 You can go ahead and fork the project anytime. I'm sure many people would like to help if you'd incorporate Gluu; Mailcow is GPLv3 after all :).
That's true. :)
Not interested. It's a commercial feature I don't plan to add to the open source mailcow ever.
I wouldn't say it's a commercial-only feature. Of course it's standard, but people who are using this software are often IT hobbyists or something like this. These kinds of people are more likely to have a private LDAP or something like this.
And why don't you want to add something just because it's a commercial feature?
Not interested. It's a commercial feature I don't plan to add to the open source mailcow ever.
LDAP/central auth is not a commercial feature, and even still, don't you provide paid support for mailcow when a client wants it? I guarantee you this is a barrier to implementation for those considering alternatives to the now-not-open-source Zimbra 9. No central auth? Not even ready for actual account organisation. Oh, and there are many examples of not-commercial LDAP implementations, openLDAP, FreeIPA, etc.
Sounds like sso.tax
Added it :P
LDAP/central auth is not a commercial feature,[...]
I have to agree, it's not. It's a security feature. Of course, the normal person doesn't use it, but what kind of people use mailcow? Mostly IT nerds and maybe a few small companies. I would call myself an IT nerd and I run a local LDAP instance for my local stuff. I would use it in a personal environment.
+1 for the previous comments about integration of LDAP. I'm also not sure what is commercial about LDAP? Does someone sell LDAP directories? Is it something that only companies can use? Do you have to pay hefty prices to third party players to get it? I don't think so. Also, I would like to know exactly what kind of clients (I mean, paying clients, for mailcow support and whatever services they sell) mailcow org is expecting to attract, shutting down the possibility of such features (as stated, "ever") and calling them "commercial" in some context no one understands.
Does someone sell LDAP directories?
Actually yes. Microsoft with Active Directory for example.
Nevertheless, I fully agree with you. I - just like many others here - would also love to see native LDAP connectivity
Does someone sell LDAP directories?
Actually yes. Microsoft with Active Directory for example.
Hehe, I have to leave my opinion here regarding this point. I disagree. Active Directory is a commercial directory service, yes, and it's LDAP-compatible (it has a framework to allow compatibility), but it is not LDAP. So one can't say Microsoft sells LDAP directories; they sell Active Directory, which is a very much different product altogether.
Does someone sell LDAP directories?
Actually yes. Microsoft with Active Directory for example.
Hehe, I have to leave my opinion here regarding this point. I disagree. Active Directory is a commercial directory service, yes, and it's LDAP-compatible (it has a framework to allow compatibility), but it is not LDAP. So one can't say Microsoft sells LDAP directories; they sell Active Directory, which is a very much different product altogether.
Active Directory provides LDAP as a component that is LDAP DN compliant.
@patschi since you reopened this: Is this planned or just considered not as "uninteresting" as before?
Unfortunately there are no concrete plans for implementing this as of now.
I don't think it's "uninteresting" (quite the opposite for me personally actually), but there's not been a requirement or funding to get this implemented. Most regular, private users don't need external authentication via LDAP or so, so it's not a priority.
If there's interest from companies, it can be funded if required to prioritize this one. I've just re-opened this one to have this tracked accordingly.
Honestly this is a chicken and the egg thing. I can appreciate that you have limited resources (time, etc) to contribute to this project. But the harsh reality is a company typically isn't going to bankroll adding a feature if there's no guarantee of it. Companies will pass on this suite because that feature is not already implemented. So if you want to attract companies as prospective clients (paying or otherwise), you need to invest in this and other common features they care about first, otherwise you're just limiting how many will consider even trying your tool.
This is ultimately going to be a you decision to make, but I guarantee you there are already companies that have decided to not consider this suite for their needs based on this one absent feature.
So you want to provide it? When do you start? :)
We have a bunch of companies using mailcow, I wonder why they don't complain.
We have a bunch of companies using mailcow, I wonder why they don't complain.
Those must be some amazing companies, without a central identity allowing one's identity to be linked to the variety of required tools for their users, probably relying on cumbersome processes to create the same user repeatedly for different apps. And the termination process for those users, we've all seen that for sure. It's what you usually find in companies that have nothing to do with technology, or with mediocre technical managers.
But hey, if that's even an argument for you, if you really think that was such a brilliant reply, I can only be sorry for those who rely on your input for the decision-making process. I'm sure you'll lure lots of decent and proper companies with that attitude.
This is ultimately going to be a you decision to make, but I guarantee you there are already companies that have decided to not consider this suite for their needs based on this one absent feature.
Without a pinch of doubt.
Can we please stop throwing shit at each other? Maybe this will be implemented or not. You are all free to start committing code for feature requests and creating Pull Requests.
And did I say that you can also fork this project and implement whatever you like for your own use (or pay someone else to do it)?
Please calm down. Mailcow is a public project. Anyone can contribute to it. I would like to see external authentication as well. But this is no reason to tell @andryyy in any way how to run his business. I agree that some businesses might be more inclined to mailcow if it has support for it (I can even name one or two that are using custom tools like https://github.com/Programmierus/ldap-mailcow to add user synchronisation). Nonetheless, it is @andryyy's decision what to implement and what not to. I'm sure he would merge it right away if someone put up a PR to implement it. His time - just like all of our time - is limited. He has to decide what and when he wants to implement something.
Damn it, @waja was faster than me :P Nevertheless: Thank you. I'm glad that I'm not the only one with this opinion.
Thank you. :)
As LDAP is quite easy to add using the API (there are already working projects on GitHub doing exactly this), I really would love someone to implement OAuth or SAML instead, as this is much harder to do, but would really add value, at least when you like 2FA on your apps.
If I can support you, please feel free to drop me a line. As I am considering Mailcow for a 100+ person non-profit, missing LDAP integration is currently a show stopper. If one could outline the structure what has to be done where, I can make a start and could evaluate the implementation in our environment (about 100+ users in a FreeIPA directory including Keycloak).
We plan to setup a crowdfund for this.
I would also love to see SAML / OIDC added too. I am currently trying to set my Mailcow Server as an Identity Provider for Keycloak, as I currently use Mailcow in Production.
I would also love to see SAML / OIDC added too. I am currently trying to set my Mailcow Server as an Identity Provider for Keycloak, as I currently use Mailcow in Production.
If you use SOGo, this already works. You just need to disable mailcow's UI for users, smh.
Just chiming in here: Would also very much like to see this added. I appreciate the plan to setup crowdfunding and will contribute for sure!
We plan to setup a crowdfund for this.
I will contribute!
I just spent the last 24 hours failing at configuring https://github.com/Programmierus/ldap-mailcow properly - there are some things that I could not get fully working (IMAP login for one...)
I'd be interested in donating/contributing for this
I think https://github.com/Programmierus/ldap-mailcow is a good start - I just could not for the life of me get Dovecot/IMAP login working with this setup. Has anyone gotten this working with Active Directory? I would like to see configuration examples if it is usable!
@twstagg hey there, as you can see in the issues, a few others and I were also not able to get it running, but this project works: https://github.com/myOmikron/mailcow-ldap-sync
@theoneandonly-vector I tried that one and also was unable to get it working with MS Active Directory Domain Services - are you using OpenLDAP or ADDS?
I would be willing to settle for that solution if it works. userPassword attribute is not used in ADDS
Tossing in support for AD authentication. Is that crowdfunding campaign going yet?
Any news regarding the crowd funding? I would like to add a bit.
Yes, an LDAP connector would be more than perfect! Mailcow is currently the only service with a non-synced password. :-(
I'm running authentik as a private user. So all the services I host for my friends and family have the same accounts. And my family only has to remember one password. I can even do 2FA for all services at once.
So LDAP/OAuth/OpenID/SAML support would be awesome.
OIDC Auth would be awesome. I love the idea to support this feature via crowd funding
I'm running authentik as a private user. So all the services I host for my friends and family have the same accounts. And my family only has to remember one password. I can even do 2FA for all services at once.
So LDAP/OAuth/OpenID/SAML support would be awesome.
Hey there @ranomier, would you mind sharing about how you accomplished that setup? Thanks in advance.
@henrj Authentik does everything for you; it supports OAuth2/OpenID, SAML and an LDAP server emulation.
Would love a tightly integrated LDAP integration for Mailcow, it would make it perfect!
Mailcow should integrate this; it's the only part of my system for friends and family that doesn't have SSO, and this is a bit awkward.
The fact that mailcow can be an SSO provider is a great feature, but for advanced use, the support of OpenID/SAML/LDAP is necessary.
We plan to setup a crowdfund for this.
Any news on that? @andryyy
We plan to setup a crowdfund for this.
Let's go!
A thought from a security perspective: What about SSO / LDAP only for the Mailcow account settings, but not for the actual IMAP password? As I see it, it's best practice to not use account passwords in mail clients, but to define a secure "Device Password" in the account settings anyway. Keeping these passwords separated should also make an implementation for SSO (OIDC, SAML2 etc.) quite a lot easier, right?
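The split proposed above, as an added example that is not mailcow code: the web UI identity comes from SSO (only an SSO subject is stored, never the SSO password), while IMAP/SMTP accepts only per-device passwords that are generated once, kept as salted hashes, and revocable individually. The mailbox is keyed by full e-mail address, so several domains can share one store. Names, the PBKDF2 cost and the in-memory store are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumption: demo cost factor; tune for production hardware.
PBKDF2_ROUNDS = 100_000


@dataclass
class DevicePassword:
    label: str      # e.g. "phone", "laptop-thunderbird"
    salt: bytes
    digest: bytes   # PBKDF2-HMAC-SHA256 of the clear-text device password


@dataclass
class Mailbox:
    email: str          # username is the full address (constructed store, keyed by it)
    sso_subject: str    # identity from OIDC/SAML/LDAP; no SSO password is ever stored
    devices: Dict[str, DevicePassword] = field(default_factory=dict)


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def issue_device_password(box: Mailbox, label: str) -> str:
    """Create a random device password; the clear text is shown once, never stored."""
    secret = secrets.token_urlsafe(24)
    salt = secrets.token_bytes(16)
    box.devices[label] = DevicePassword(label, salt, _hash(secret, salt))
    return secret


def revoke_device_password(box: Mailbox, label: str) -> bool:
    """Revoking one device does not affect the SSO login or other devices."""
    return box.devices.pop(label, None) is not None


def imap_login(store: Dict[str, Mailbox], email: str, password: str) -> Optional[str]:
    """IMAP/SMTP path: only a device password is accepted; returns the matching label."""
    box = store.get(email.lower())
    if box is None:
        return None
    for dev in box.devices.values():
        if hmac.compare_digest(_hash(password, dev.salt), dev.digest):
            return dev.label
    return None
```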
SSO only for the admin console would also be a good start
@all Please wait to send money until André has responded. Maybe they can't use the money from bountysource or something.
Hey @andryyy,
We plan to setup a crowdfund for this.
Because your crowdfunding plans are now over six months old, I have now made the step. I just set up a bountysource entry for this issue. Could this suffice in regards to your crowdfunding plans? https://app.bountysource.com/issues/69985512-external-authentication-ldap-support
Best Regards hasechris
We've been following this for a few years now, and we find it interesting that first this was something with no interest, then many people contributed via open source to a solution that works, and now all of a sudden it has gained interest, but never mind the solutions already here: it's all about the "crowdfunding".
I wonder why this project/company, the one that sells "paid support", doesn't have an R&D budget. For things that already are in open source.
As a first step, what about:
If developers could confirm it's an option then I could check how to add user auth with Token Header.
The idea of forcing people to use app passwords gets rid of the requirement for LDAP.
Amazing idea. Never thought of it that way.
In the case of multiple domains, would this require multiple LDAP servers or will the user's email address be used?
Assuming that this would be used as part of a larger auth setup, it seems like a disadvantage to have each user's username be their email address.
Any thoughts?
Hi! I see there are several requests for external authentication but no solution for any of them.
I would like to know what's the best approach to introduce mailcow to an ecosystem where an authentication platform is already in place and used for all the applications (LDAP/SAML/OAuth).
I usually see AD/OpenLDAP/LemonLDAP/Gluu in the wild as the authentication source, and it would be nice to be able to do it by domain (I'm just thinking out loud).
Any thoughts on this?
Ref: #1483, #706, #684