mirror of https://github.com/authelia/authelia.git
187 lines
6.9 KiB
Markdown
187 lines
6.9 KiB
Markdown
---
|
|
title: "Roundcube"
|
|
description: "Integrating Roundcube and Dovecot with the Authelia OpenID Connect 1.0 Provider."
|
|
summary: ""
|
|
date: 2023-11-15T08:58:00+11:00
|
|
draft: true
|
|
images: []
|
|
weight: 620
|
|
toc: true
|
|
support:
|
|
level: community
|
|
versions: true
|
|
integration: true
|
|
seo:
|
|
title: "" # custom title (optional)
|
|
description: "" # custom description (recommended)
|
|
canonical: "" # custom canonical URL (optional)
|
|
noindex: false # false (default) or true
|
|
---
|
|
|
|
## Tested Versions
|
|
|
|
* [Authelia]
|
|
* [4.38.0](https://github.com/authelia/authelia/releases/tag/v4.38.0)
|
|
* [Roundcube]
|
|
* [1.6.5](https://github.com/roundcube/roundcubemail/releases/tag/1.6.4)
|
|
* [Dovecot]
|
|
* [2.3.20](https://dovecot.org/doc/NEWS)
|
|
* [Postfix]
|
|
* [3.7.6](https://www.postfix.org/announcements/postfix-3.8.1.html)
|
|
|
|
{{% oidc-common %}}
|
|
|
|
### Assumptions
|
|
|
|
This example makes the following assumptions:
|
|
|
|
* __Application Root URL:__ `https://roundcube.{{< sitevar name="domain" nojs="example.com" >}}/`
|
|
* __Authelia Root URL:__ `https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/`
|
|
* __Client ID:__ `roundcube`
|
|
* __Client Secret:__ `insecure_secret`
|
|
|
|
Some of the values presented in this guide can automatically be replaced with documentation variables.
|
|
|
|
{{< sitevar-preferences >}}
|
|
|
|
## Configuration
|
|
|
|
### Authelia
|
|
|
|
The following YAML configuration is an example __Authelia__ [client configuration] for use with [Roundcube] which will
|
|
operate with the application example:
|
|
|
|
```yaml {title="configuration.yml"}
|
|
identity_providers:
|
|
oidc:
|
|
## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
|
|
## See: https://www.authelia.com/c/oidc
|
|
clients:
|
|
- client_id: 'roundcube'
|
|
client_name: 'Roundcube'
|
|
client_secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
|
|
public: false
|
|
authorization_policy: 'two_factor'
|
|
redirect_uris:
|
|
- 'https://roundcube.{{< sitevar name="domain" nojs="example.com" >}}/oauth/callback/'
|
|
scopes:
|
|
- 'openid'
|
|
- 'profile'
|
|
- 'email'
|
|
userinfo_signed_response_alg: 'none'
|
|
token_endpoint_auth_method: 'client_secret_post'
|
|
```
|
|
|
|
### Application
|
|
|
|
Configure [Roundcube OAuth2] to use Authelia as an [OpenID Connect 1.0] Provider. Edit your [Roundcube]
|
|
`/etc/roundcube/config.inc.php` configuration file and add the following:
|
|
|
|
```php
|
|
// Most probably you need this
|
|
$config['use_https'] = true;
|
|
|
|
$config['oauth_provider'] = 'generic';
|
|
$config['oauth_provider_name'] = 'Authelia OIDC';
|
|
$config['oauth_client_id'] = 'roundcube';
|
|
$config['oauth_client_secret'] = 'insecure_secret';
|
|
$config['oauth_auth_uri'] = 'https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/api/oidc/authorization';
|
|
$config['oauth_token_uri'] = 'https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/api/oidc/token';
|
|
$config['oauth_identity_uri'] = 'https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/api/oidc/userinfo';
|
|
$config['oauth_identity_fields'] = ['email'];
|
|
$config['oauth_scope'] = 'email openid profile';
|
|
// Optionally, skip Roundcube's login page
|
|
// $config['oauth_login_redirect'] = true;
|
|
```
|
|
|
|
{{< callout context="caution" title="Important Note" icon="outline/alert-triangle" >}}
|
|
Roundcube's redirect URI is not configurable, but is dynamically built with bits coming from the
|
|
FCGI environment: `<scheme>://<fqdn>[:<port>]/...`. Specifically, the FQDN comes from the `HTTP_HOST` header. With
|
|
Authelia, non-localhost HTTP redirection is not allowed, thus you might want to force HTTPS via Roundcube's conf flag
|
|
`use_https`. However, the redirection breaks when the upstream application is listening on a explicit port, because the
|
|
resulting redirect URI would be something like `https://<fqdn>:<port>/...`. Thus, to obtain the correct redirect URI
|
|
`https://<fqdn>/...`, your reverse proxy's `fastcgi` parameter `SERVER_PORT` should be unset.
|
|
{{< /callout >}}
|
|
|
|
IMAP and SMTP backend configuration:
|
|
- For an IMAP instance on localhost, the default conf should be enough. Otherwise, set the corresponding SSL/TLS options
|
|
via 'imap_host' and 'imap_conn_options';
|
|
- For a SMTP instance on localhost, no auth would be required. However
|
|
[Roundcube OAuth enforces](https://github.com/roundcube/roundcubemail/issues/9183) 'smtp_auth_type' = 'XOAUTH2' plus
|
|
credentials, thus you *must* use TLS or SSL via `smtp_host` and `smtp_conn_options`!
|
|
|
|
|
|
### Dovecot
|
|
|
|
[Dovecot OAuth2] configuration goes into two files.
|
|
|
|
#### Common configuration
|
|
|
|
Normally in file `/etc/dovecot/dovecot.conf` or one of its ancillary files in
|
|
`/etc/dovecot/conf.d/`:
|
|
|
|
```bash
|
|
auth_mechanisms = $auth_mechanisms oauthbearer xoauth2
|
|
|
|
passdb {
|
|
args = /etc/dovecot/dovecot-oauth2.conf.ext
|
|
driver = oauth2
|
|
mechanisms = xoauth2 oauthbearer
|
|
}
|
|
|
|
# Optional for Postfix SASL on smtpd/submission
|
|
service auth {
|
|
unix_listener /var/spool/postfix/private/auth {
|
|
group = postfix
|
|
mode = 0666
|
|
user = postfix
|
|
}
|
|
}
|
|
```
|
|
|
|
#### Backend configuration
|
|
|
|
As defined above, in file, `/etc/dovecot/dovecot-oauth2.conf.ext`:
|
|
|
|
```bash
|
|
introspection_mode = post
|
|
introspection_url = https://roundcube:insecure_secret@{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/api/oidc/introspection
|
|
username_attribute = username
|
|
```
|
|
|
|
{{< callout context="caution" title="Important Note" icon="outline/alert-triangle" >}}
|
|
The client ID and secret must figure as credentials in
|
|
the `introspection_url`.
|
|
{{< /callout >}}
|
|
|
|
### Postfix
|
|
|
|
Even though no authentication would be required when your Postfix instance is on the same host, Roundcube OAuth2
|
|
[enforces 'XOAUTH2' auth type plus credentials](https://github.com/roundcube/roundcubemail/issues/9183) and gives up the SMTP + SSL/TLS handshaking as no auth options
|
|
would be offered from Postfix. Thus, Postfix must be configured with (Dovecot-type) [SASL](https://www.postfix.org/SASL_README.html) on port 25 (smtpd) or
|
|
587 (submission), with the following minimum set of options:
|
|
|
|
```bash
|
|
smtpd_sasl_auth_enable = yes
|
|
smtpd_sasl_path = private/auth
|
|
smtpd_sasl_security_options = noanonymous, noplaintext
|
|
smtpd_sasl_tls_security_options = noanonymous
|
|
smtpd_sasl_type = dovecot
|
|
```
|
|
|
|
## See Also
|
|
|
|
* [Roundcube OAuth2]
|
|
* [Dovecot OAuth2]
|
|
* [Postfix SASL]
|
|
|
|
[Authelia]: https://www.authelia.com
|
|
[Roundcube]: https://roundcube.net/
|
|
[Roundcube OAuth2]: https://github.com/roundcube/roundcubemail/wiki/Configuration:-OAuth2
|
|
[OpenID Connect 1.0]: ../../openid-connect/introduction.md
|
|
[Dovecot]: https://dovecot.org/
|
|
[Dovecot OAuth2]: https://doc.dovecot.org/configuration_manual/authentication/oauth2/
|
|
[Postfix]: https://www.postfix.org/
|
|
[Postfix SASL]: https://www.postfix.org/SASL_README.html
|
|
[client configuration]: ../../../configuration/identity-providers/openid-connect/clients.md
|