VermiumSifell
commented
8 months ago I can see this is still a issue
Open derfabianpeter opened 9 months ago
VermiumSifell
commented
8 months ago I can see this is still a issue
davidus05
commented
8 months ago I can confirm that OIDC does not work with authentik. Also clicking "Test connection" does not work and shows a strange response.
Support for authentik was also discussed here: https://github.com/mailcow/mailcow-dockerized/issues/2316
{"type":"error","msg":"Cannot edit item"}
FreddleSpl0it
commented
8 months ago Please update your mailcow nightly and try again. I found an issue which was caused by removing all trailing / from the IdP URLs before saving. All HTTP requests then ended up at the wrong endpoint and Authentik returned 405 Method not allowed
Not sure if it was the only issue.
Test Connection will continue to fail because for Authentik, client_id and client_secret are not enough to test the credentials with grant_type=client_credentials https://goauthentik.io/docs/providers/oauth2/client_credentials
Commit: https://github.com/mailcow/mailcow-dockerized/commit/1a302d8335289aa455d81d040b4cd814755795c8
davidus05
commented
8 months ago Awesome, thank you! Fixed and working, except for mailboxes not being created on first login.
FreddleSpl0it
commented
8 months ago Probably because generic-oidc provider is only requesting hardcoded scopes openid profile email. I'll try to add a input field to set custom scopes
FreddleSpl0it
commented
8 months ago The requested client scopes are now configurable for generic-oidc. Now mailbox creation on first login is working for me.
Commit: https://github.com/mailcow/mailcow-dockerized/commit/dc2f61a27c3ca1eecf412478a94a75f2cef45637
davidus05
commented
8 months ago Which scopes do you specify to get mailbox creation working?
FreddleSpl0it
commented
8 months ago In Authentik, go to Providers -> click the Edit button of your OAuth provider, then expand “Advanced protocol settings” and in Scopes select openid, email, profile and your created Property Mapping. In my case it was mailcow_template in your case it should be maildow-dedicated. In mailcow add maildow-dedicated to the scopes separated by whitespace.
davidus05
commented
8 months ago Hmm, there seems to be something wrong at my end. Maybe because I have multiple domains?
Property mapping is set correctly, log in is working, but protocols are all red and logging into Webmail is unauthorized.
My expression:return { "mailcow_template": "default" }
FreddleSpl0it
commented
8 months ago Can you log in as admin and check the mailcow UI Logs? Maybe there is a hint.
davidus05
commented
8 months ago Not really ...
["logged_in_as","mail@example.com"] Call ["identity_provider","mail@example.com","user"]
Did you change anything with the template?
The user seems to be recognized and created, but no mailbox. I can't even find that user anywhere in the admin view.
derfabianpeter
commented
8 months ago I've updated and while the original error has vanished, I now see the following in the logs after trying to login via IDP (which fails):
["identity_provider",null,null]@derfabianpeter i have added some additional log messages. Please update and try again. https://github.com/mailcow/mailcow-dockerized/commit/89ed9147a658bd9004354d742e2fc2472b6e7699
@davidus05 Seems like some error occurred on mailbox creation. This is the function https://github.com/mailcow/mailcow-dockerized/blob/89ed9147a658bd9004354d742e2fc2472b6e7699/data/web/inc/functions.mailbox.inc.php#L1318. I'll try to add more error handling
derfabianpeter
commented
8 months ago @FreddleSpl0it I've updated as you suggested. Logging has improved:
I've configured the attribute mapping as you suggested in one of your previous comments and additionally added mailcow-dedicated to the claims in Mailcow. Same result unfortunately.
EDIT: I actually changed the property mapping and scope name in Authentik to mailcow_template (instead of mailcow-dedicated) and now it all works!
Aterfax
commented
7 months ago Would one of you folks be willing to fully document the steps for getting this working as a Gist or similar?
I'd be happy to see if I can convert it into documentation on the Authentik community pages.
Had a crack at getting this working today but was getting curl failures against the token endpoint.
["login_failed","cURL error 28: Failed to connect to auth.domain.com port 443 after 131001 ms: Couldn't connect to server (see https:\/\/curl.haxx.se\/libcurl\/c\/libcurl-errors.html) for https:\/\/auth.domain.com\/application\/o\/token\/"]
davidroler
commented
6 months ago Hi there,
I'm trying to setup mailcow to work with Authentik following the instructions provided for Keycloak and the comments add to this thread.
I'm not getting any authentication error, but after authenticating on Authentik I'm getting redirected to the URL https://authentik.example.com/application/o/mailcow/.well-known/openid-configuration with the following content.
Does anybody know what could be missing on my configuration?
{ "issuer": "https://authentik.example.com/application/o/mailcow/", "authorization_endpoint": "https://authentik.example.com/application/o/authorize/", "token_endpoint": "https://authentik.example.com/application/o/token/", "userinfo_endpoint": "https://authentik.example.com/application/o/userinfo/", "end_session_endpoint": "https://authentik.example.com/application/o/mailcow/end-session/", "introspection_endpoint": "https://authentik.example.com/application/o/introspect/", "revocation_endpoint": "https://authentik.example.com/application/o/revoke/", "device_authorization_endpoint": "https://authentik.example.com/application/o/device/", "response_types_supported": [ "code", "id_token", "id_token token", "code token", "code id_token", "code id_token token" ], "response_modes_supported": [ "query", "fragment", "form_post" ], "jwks_uri": "https://authentik.example.com/application/o/mailcow/jwks/", "grant_types_supported": [ "authorization_code", "refresh_token", "implicit", "client_credentials", "password", "urn:ietf:params:oauth:grant-type:device_code" ], "id_token_signing_alg_values_supported": [ "RS256" ], "subject_types_supported": [ "public" ], "token_endpoint_auth_methods_supported": [ "client_secret_post", "client_secret_basic" ], "acr_values_supported": [ "goauthentik.io/providers/oauth2/default" ], "scopes_supported": [ "openid", "email", "profile", "ak_proxy", "mailcow_template" ], "request_parameter_supported": false, "claims_supported": [ "sub", "iss", "aud", "exp", "iat", "auth_time", "acr", "amr", "nonce", "sid", "ak_proxy", "email", "email_verified", "mailcow_template", "name", "given_name", "preferred_username", "nickname", "groups" ], "claims_parameter_supported": false, "code_challenge_methods_supported": [ "plain", "S256" ] }
davidroler
commented
6 months ago I've just found the issue on my configuration. There was a redirect URI missing on Authentik with the value http://mail.example.com
After adding the URI http://mail.example.com to service provider and updating Mailcow it worked just fine for me.
alexsalex
commented
5 months ago It will be nice to have the instruction for authentik too... Like you write for keycloak.
vnen
commented
5 months ago It worked for me with Authentik. Basic instructions:
mailcow_template. On expression, add the following:
return {
"mailcow_template": user.attributes.get("mailcow_template", "default"),
}This allows you to add a template for each user in their custom attributes, or use default if none is set.
Under Applications > Providers create a new OAuth2/OpenID Provider.
https://mail.example.com).Advanced protocol settings section, include the mailcow_template scope besides the default ones.Under Applications > Applications, create a new application.
mailcowOn the list of applications, click on the mailcow provider name. This will get you to the provider page with all the URLs.
Go to System > Configuration. Then Access > Identity Provider.
https://authentik.example.com/application/o/authorize/https://authentik.example.com/application/o/token/https://authentik.example.com/application/o/userinfo/https://mail.example.com).openid profile email mailcow_templatedefault -> Default, so the attribute set as default in Authentik will use the Default mailbox template in mailcow).Do not bother clicking on "Test Connection" because it won't work for the reasons mentioned before in this issue.
This should be enough. You can create a new user to test the login. Their email address will be set as a new mailbox in mailcow.
If you want a different mailbox template, you can add this to the user's Attributes box in Authentik:
mailcow_template: some_templateAssuming that some_template is mapped to a template in the mailcow config.
I hope this is helpful for anyone trying this.
pbvdven
commented
3 months ago Is there a way to add the users display name from authentik to mailcow thats now not getting trough to mailcow when the users mailbox is created.
pbvdven
commented
3 months ago @vnen Did you ever tried setting up authentik ldap as provider in mailcow? i would like to auto setup email in nextcloud for the users but for that to work the passwords need to be the same with oidc the user needs to create an app password in mailcow thats not great solution i would rather use there authentik password.
but Ive i can connect mailcow to authentik ldap that no issue the passwords would be the same except you probably cant use both in mailcow at the moment you should be able to use oidc and ldap at the same time that also solves the problem. But for now i rather have ldap with auto email setup in nextcloud that also has SSO and users that can use there normal password for imap connections instead of app password.
Creating an app password is an issue most of my users use there own desktop or mobile clients for email and dont have any clue where to do that i dont want to create an helpdesk for this.
aep
commented
1 month ago the instructions from vnen work for me, except i get
["login_failed","mailbox creation failed"]
["identity_provider","aep@domain"]how do you even debug the oidc flow? is there a way to get a proper log? the docker logs dont show anything useful and the ui is very high level
with a pre-created mailbox i get one step further. login to the mailcow webui works, but sogo says "Unauthorized"
ok finally got it working. after setting up oidc, you need to still create the users in mailcow, and then restart sogo.
DecDuck
commented
5 days ago @pbvdven sorry to bump such an old thread, but did you manage to get Mailcow to import display names from Authentik?
Contribution guidelines
I've found a bug and checked that ...
Description
Logs:
Steps to reproduce:
Which branch are you using?
nightly
Operating System:
Ubuntu 22.04
Server/VM specifications:
16GB Ram, 4 Cores
Is Apparmor, SELinux or similar active?
no
Virtualization technology:
KVM
Docker version:
24.0.6
docker-compose version or docker compose version:
Docker Compose version v2.21.0
mailcow version:
2023-09
Reverse proxy:
-
Logs of git diff:
Logs of iptables -L -vn:
Logs of ip6tables -L -vn:
Logs of iptables -L -vn -t nat:
Logs of ip6tables -L -vn -t nat:
DNS check: