Closed amaccuish closed 2 months ago
We are facing a similar challenge: we plan to move from LDAP to SAML authentication for nextcloud to offer a true Single-Sign-On user experience.
When looking at the `oc_mail_accounts` table, I see `inbound_password` and `outbound_password`, and I learned that this table stores only any additional account configured by the user in the settings of the Mail app. The default mail account uses the parameters from the config file and the same password given at login, which we no longer have available with SAML authentication. The Auto Mail Accounts app would also create a default account in the `oc_mail_accounts` table, but we still would not get the password.
A master user setup at the mail server is not an option to us, as our users can define their mail account name themselves, which would allow anybody to impersonate.
It seems that this is our only choice: remove the default mail config option and write the mail parameters directly into the `oc_mail_accounts` table. Any password change in LDAP would need to be synced to `inbound_password` and `outbound_password`, though. This way we would be able to write the encrypted and salted password from LDAP, and not use a symmetric one, so we also gain security. Or even more secure: tweak Dovecot's account query so that it takes the mail account `user_id` from the `oc_mail_accounts` table and the password from LDAP.
Any concerns so far?
Have you ever been successful with writing login data for an external mail directly to oc_mail_accounts? I would need the same to provision the access to a mail server without user interaction, so it is all ready to use. Configuration by the user is a hassle, specifically if autodetection is not working and users have to deal with IMAP server, ports and protocols.
I was just wondering: If an account is added in oc_mail_accounts is there a need to create other data in e.g. oc_mail_mailboxes as well or is it done automatically when the user first opens mail? How is the password encrypted? Is it a hash function?
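The question above (hash or not?) hinges on one property of the stored value: the Mail app has to present the password to the IMAP/SMTP server, so whatever sits in `inbound_password` / `outbound_password` must be recoverable to plaintext. A directory hash such as OpenLDAP's `{SSHA}` only allows verification, never recovery, so copying it into the table cannot work. The following is an added illustration written for this thread, not Nextcloud or Dovecot code, and it does not describe how the Mail app actually encrypts these columns. It assumes the standard `{SSHA}` layout (SHA-1 over password+salt, base64 of digest+salt) and uses a constructed stand-in for an IMAP server whose passdb is LDAP:

```python
"""Added example: an LDAP password hash cannot serve as a client-side
IMAP credential; the client needs the recoverable plaintext.

Not Nextcloud code. The SSHA helpers follow the OpenLDAP {SSHA}
format (SHA-1 of password + salt, base64 of digest + salt); the IMAP
server below is a constructed stand-in for Dovecot with an LDAP passdb.
"""
import base64
import hashlib
import hmac
import os

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20


def ssha_hash(password: str, salt: bytes = None) -> str:
    """Produce an OpenLDAP-style {SSHA} hash (verify-only, one way)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison, as a real passdb would do.
    return hmac.compare_digest(candidate, digest)


class FakeImapServer:
    """Constructed stand-in: an IMAP server that checks logins against
    the LDAP hashes it was given (what a Dovecot LDAP passdb does)."""

    def __init__(self, ldap_user_passwords: dict):
        self.entries = dict(ldap_user_passwords)

    def login(self, user: str, password: str) -> bool:
        stored = self.entries.get(user)
        if stored is None:
            return False
        return ssha_verify(password, stored)


def demo() -> tuple:
    """Return (login with plaintext, login with the copied LDAP hash)."""
    # Constructed directory: one user with an {SSHA} userPassword.
    ldap_directory = {"alice": ssha_hash("correct horse battery staple")}
    imap = FakeImapServer(ldap_directory)

    # A client that holds the plaintext (the Mail app with a recoverable
    # inbound_password) can authenticate.
    with_plaintext = imap.login("alice", "correct horse battery staple")

    # A client that only copied the LDAP hash into inbound_password is
    # presenting the hash *as* the password; the server hashes it again
    # and the check fails.
    with_copied_hash = imap.login("alice", ldap_directory["alice"])

    return with_plaintext, with_copied_hash


if __name__ == "__main__":
    print(demo())
```

The consequence for the provisioning ideas in this thread: whatever is written into the table on behalf of the user must either be the plaintext under reversible (symmetric) encryption, or the authentication path has to change so the app never needs the user's directory password at all (a master user with a server-side mapping the user cannot edit, or the IMAP server resolving the user itself against LDAP).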
I'm curious about this as well, or rather, let's say I would use IMAP as authentication to Nextcloud, can we make it so we can skip the authentication of the Mail app? This would make it seamless for users.
That works already
@ChristophWurst Ah, that's great, can you share some more info? All I found was that you need 'external_user' plugin to do imap auth (which I haven't even got working yet :p)
See the admin groupware settings. For support please use https://help.nextcloud.com/c/support/7
Is this feature request solved by https://github.com/nextcloud/mail/pull/9008?
My users log in using SAML, so Nextcloud doesn't have access to their password from LDAP. It would be sweet if there could also be an "imapPass" and "smtpPass" in the config file. I have a master user set up on my mail server which can impersonate users, so the user's actual password isn't needed, just the master one.
Cheers!