Dovecot ACLs and XOAUTH2

Felix Auringer felix.auringer at giz.berlin
Tue Jun 14 09:52:23 UTC 2022


Hi,

We're trying to set up an IMAP server using Dovecot as part of a new 
email system in a middle-sized company (around 150 employees). We have a 
Keycloak identity server that is used for all logins and we would also 
like to use it for the new email system so that the non-technical 
employees (the majority) will have no issues using it.

It's very nice that XOAUTH2 is already included in Dovecot; it works 
very well with our Roundcube web client. However, it seems that other 
clients like Thunderbird or Android apps like FairEmail are not easy to 
set up as they have their XOAUTH providers hardcoded somewhere 
(https://bugzilla.mozilla.org/show_bug.cgi?id=1602166). Are you aware of 
any solution to integrate a Dovecot server using XOAUTH2 into local 
clients (like Thunderbird)? We are currently trying to do it with 
passwords that can be set in Keycloak only for the purpose of email, which 
can then be used to receive a valid token via a direct access grant, but 
it's not a really nice solution as it introduces an additional password.

Additionally, we would like to have all permission-related information 
saved in our identity server. For email, this includes shared mailboxes 
that a user is allowed to access. The ACL plugin that is used for shared 
mailboxes currently reads the permissions from disk, which is not really 
feasible if the user base is large and setting these permissions should 
happen automatically. We are thinking the best way to do this is to 
encode the user's permissions in the token that Dovecot receives in the 
login process. But as the token is only available in the authentication 
process and it does not seem to be intended to return such information 
from the password database 
(https://doc.dovecot.org/configuration_manual/authentication/password_database_extra_fields/), 
we are unsure how to process this information from the token. We did 
not find any plugin hooks in the authentication process and the normal 
plugin hooks do not have access to information from the token anymore. 
What do you think is the best way to do this? We would be okay modifying 
some Dovecot source code and contributing it back if desired.

Best regards,
Felix Auringer
---
Gesellschaft für interkulturelles
Zusammenleben gGmbH (GIZ)
Felix Auringer
IT
Reformationsplatz 2
13597 Berlin

Tel: 030/513 0100 00; Fax: 030/513 0100 09 
www.giz.berlin; felix.auringer at giz.berlin

Amtsgericht Charlottenburg HRB 200872 B
Managing Director: Dr. Britta Marschke
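An added illustration of the gap the post describes, not code from the post or from Dovecot: the permission claims the author wants to carry in the token are mapped to the `dovecot-acl` lines (`user=<name> <rights>`) that the ACL plugin actually reads from disk, refusing anything malformed before it could reach a file that grants access. The claim name `mail_acl`, its shape and the sample payload are assumptions, and the token is assumed to have already been signature-verified by the OAuth layer.

```python
import re

# Rights letters the Dovecot ACL plugin accepts in dovecot-acl files:
# l=lookup r=read w=write s=write-seen t=write-deleted i=insert
# p=post e=expunge k=create x=delete a=admin
VALID_RIGHTS = frozenset("lrwstipekxa")
# Names that end up in the ACL file must match these shapes; whitespace
# or separators would break the line layout, so they are refused.
MAILBOX_RE = re.compile(r"^[A-Za-z0-9._-]+$")
USER_RE = re.compile(r"^[A-Za-z0-9._@-]+$")

def acl_lines_from_token(payload, acl_claim="mail_acl",
                         subject_claim="preferred_username"):
    """Map the payload (dict) of an already signature-verified token to
    dovecot-acl lines, one per shared mailbox.  Assumed, constructed claim
    shape: {"mail_acl": {"<shared mailbox>": "<rights letters>"}}.
    Returns {mailbox: "user=<subject> <rights>"}; any malformed entry
    raises ValueError so nothing is granted on bad input (fail closed)."""
    subject = payload.get(subject_claim)
    if not isinstance(subject, str) or not USER_RE.match(subject):
        raise ValueError("token has no usable subject")
    grants = payload.get(acl_claim, {})
    if not isinstance(grants, dict):
        raise ValueError("%s claim must be an object" % acl_claim)
    lines = {}
    for mailbox, rights in grants.items():
        if not isinstance(mailbox, str) or not MAILBOX_RE.match(mailbox):
            raise ValueError("bad mailbox name: %r" % (mailbox,))
        letters = set(rights) if isinstance(rights, str) else set()
        if not letters or not letters <= VALID_RIGHTS:
            raise ValueError("bad rights %r for %s" % (rights, mailbox))
        lines[mailbox] = "user=%s %s" % (subject, "".join(sorted(letters)))
    return lines

def acl_lines_or_none(payload):
    """Same mapping, returning None instead of raising, for callers that
    only need to know whether the token carried a valid grant set."""
    try:
        return acl_lines_from_token(payload)
    except ValueError:
        return None

# Constructed sample payload, shaped like a Keycloak access token with a
# custom claim mapper; not taken from any real deployment.
SAMPLE_PAYLOAD = {"preferred_username": "felix",
                  "mail_acl": {"Support": "lrws", "Billing": "lr"}}

if __name__ == "__main__":
    for mailbox, line in acl_lines_from_token(SAMPLE_PAYLOAD).items():
        print("%s/dovecot-acl: %s" % (mailbox, line))
```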

