mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

API Access for domain administrators #3338

Open burntout opened 4 years ago

burntout commented 4 years ago

Is your feature request related to a problem? Please describe.

I've had a request for API access from a client. The client has several hundred mailboxes, and it's taking them significant effort to manage them through the web interface. They are trying to simplify their management process.

As far as I can tell looking at the API configuration, it generates a single API key that is used system-wide for all operations. There is no auditing of different uses of the API key, and it can't be used to delegate domain administration independently from the complete mail system.

Describe the solution you'd like

Be able to issue individual API keys to domain administrators, with scope of action limited to the particular email domains.

julianuphoff commented 4 years ago

I would love this too! I've dug through and found these two files, which need editing.

https://github.com/mailcow/mailcow-dockerized/blob/155dfc66ee46879063d0090b80ac70c1b2cf947a/data/web/inc/init_db.inc.php#L177 First, the 'api' table must be extended with a relationship to 'domain_admins'.

https://github.com/mailcow/mailcow-dockerized/blob/caff918b69d9bfd4356892bc73f171b0761c1625/data/web/inc/sessions.inc.php#L57 The type of an apikey must be checked. If the key is from a domainadmin 'mailcow_cc_role' must be set to 'domainadmin' and 'mailcow_cc_username' to the username of the domainadmin.

For now I couldn't find the files for the apikey admin page. This must be reworked to allow multiple apikeys. Also I would like to see an API endpoint for creating new apikeys. Maybe the API endpoint for domainadmins could be extended for this.

VermiumSifell commented 1 year ago

I'm still interested in this: allowing domain administrators to manage their domain and mailboxes and everything they can manage with their ACL, via the API. It would be so cool if multiple API tokens were implemented to allow admins to have one API key per external application.
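
A minimal model of what the thread asks for (per-administrator keys, domain-limited scope, an audit trail, one key per application), added here as an illustration; it is not part of any comment above and is not mailcow code. The table names 'api' and 'domain_admins' and the session fields come from the thread; every column name, the `api_audit` table, the "admin" role value and the sample data are assumptions.

```python
import hashlib
import secrets
import sqlite3

# Constructed schema: table names follow the thread, column names are assumptions.
SCHEMA = """
CREATE TABLE domain_admins (username TEXT, domain TEXT);
CREATE TABLE api (key_hash TEXT PRIMARY KEY, username TEXT, label TEXT);
CREATE TABLE api_audit (label TEXT, username TEXT, action TEXT, domain TEXT, allowed INTEGER);
"""

def _digest(key):
    return hashlib.sha256(key.encode()).hexdigest()

def issue_key(db, username, label):
    """Issue one key per admin and application; username=None means a system-wide key."""
    key = secrets.token_urlsafe(32)
    db.execute("INSERT INTO api VALUES (?, ?, ?)", (_digest(key), username, label))
    return key  # shown once; only the hash is stored

def session_for_key(db, key):
    """Check the key type and derive the session values named in the thread."""
    row = db.execute("SELECT username, label FROM api WHERE key_hash = ?", (_digest(key),)).fetchone()
    if row is None:
        return None
    role = "admin" if row[0] is None else "domainadmin"  # "admin" is an assumed role name
    return {"mailcow_cc_role": role, "mailcow_cc_username": row[0], "label": row[1]}

def authorize(db, key, action, domain):
    """Allow the action only inside the key owner's domains; audit every attempt."""
    session = session_for_key(db, key)
    label, username, allowed = None, None, False
    if session is not None:
        label, username = session["label"], session["mailcow_cc_username"]
        allowed = session["mailcow_cc_role"] == "admin" or db.execute(
            "SELECT 1 FROM domain_admins WHERE username = ? AND domain = ?",
            (username, domain)).fetchone() is not None
    db.execute("INSERT INTO api_audit VALUES (?, ?, ?, ?, ?)",
               (label, username, action, domain, int(allowed)))
    return allowed

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO domain_admins VALUES ('alice', 'example.org')")  # constructed data
    key = issue_key(db, "alice", "provisioning-script")
    results = [authorize(db, key, "add_mailbox", d) for d in ("example.org", "example.net")]
    results.append(authorize(db, "unknown-key", "add_mailbox", "example.org"))
    return results, db.execute("SELECT label, domain, allowed FROM api_audit ORDER BY rowid").fetchall()
```

Because each audit row carries the key's label, a denied request against a foreign domain can be traced to the specific application holding that key, and a single key can be revoked without affecting the others.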