Dovecot ACLs and XOAUTH2

Aki Tuomi aki.tuomi at open-xchange.com
Wed Jun 15 05:50:13 UTC 2022


> On 14/06/2022 12:52 Felix Auringer <felix.auringer at giz.berlin> wrote:
> 
>  
> Hi,
> 
> we're trying to set up an IMAP server using Dovecot as part of a new 
> email system in a middle-sized company (around 150 employees). We have a 
> keycloak identity server that is used for all logins and we would also 
> like to use it for the new email system so that the non-technical 
> employees (the majority) will have no issues using it.
> 
> It's very nice that XOAUTH2 is already included in Dovecot, it works 
> very well with our Roundcube web client. However, it seems that other 
> clients like Thunderbird or Android Apps like FairEmail are not easy to 
> set up as they have their XOAUTH providers hardcoded somewhere 
> (https://bugzilla.mozilla.org/show_bug.cgi?id=1602166). Are you aware of 
> any solution to integrate a dovecot server using XOAUTH2 into local 
> clients (like Thunderbird)? We are currently trying to do it with 
> passwords that can be set in Keycloak only for the purpose of email that 
> can then be used to receive a valid token via a direct access grant but 
> it's not a really nice solution as it introduces an additional password.
> 

Unfortunately this is a client-side restriction. You should use either device passwords or the "password grant mode", where dovecot authenticates to keycloak with username & password.

Dovecot supports openid_configuration_url which should be supported eventually.

> Additionally, we would like to have all permission-related information 
> saved in our identity server. For email, this includes shared mailboxes 
> that a user is allowed to access. The ACL plugin that is used for shared 
> mailboxes currently reads the permissions from disk which is not really 
> feasible if the user base is large and setting these permissions should 
> happen automatically. We are thinking the best way to do this is to 
> encode the user's permissions in the token that dovecot receives in the 
> login process. But as the token is only available in the authentication 
> process and it does not seem to be intended to return such information 
> from the password database 
> (https://doc.dovecot.org/configuration_manual/authentication/password_database_extra_fields/), 
> we are unsure how to process this information from the token. We did 
> not find any plugin hooks in the authentication processes and the normal 
> plugin hooks do not have access to information from the token anymore. 
> What do you think is the best way to do this? We would be okay modifying 
> some dovecot source code and contributing it back if desired.
> 

You can't really store this in your identity server. Currently the only supported backing for acl information is file, so there is no mechanism for passing ACL permissions via passdb, and it would not be that feasible either.

In general, dovecot makes fields present in JWT tokens available if you use local validation; you can use %{oauth2:field} to export them into the mail process from passdb using pass_attrs:

pass_attrs = userdb_foo=%{oauth2:field}

> Best regards,
> Felix Auringer
> ---

Regards,
--
Aki
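As an added illustration of the pass_attrs mechanism Aki describes (not configuration from the thread, and not Dovecot's or Keycloak's own sample files), the fragments below show a passdb using local JWT validation that exports one claim into the mail process. The claim name `groups`, the issuer URL, the realm and the key directory are assumptions chosen for the example; only the option names are real Dovecot oauth2 settings.

```conf
# /etc/dovecot/conf.d/10-auth.conf  (added example)
auth_mechanisms = plain login xoauth2 oauthbearer

passdb {
  driver = oauth2
  mechanisms = xoauth2 oauthbearer
  args = /etc/dovecot/dovecot-oauth2.conf.ext
}

# /etc/dovecot/dovecot-oauth2.conf.ext  (added example)

# Local validation: Dovecot checks the token signature against keys kept on
# disk instead of calling the identity server's introspection endpoint on
# every login. Keys live under the dict prefix in the layout the Dovecot
# oauth2 documentation describes (directory path is an assumption).
introspection_mode = local
local_validation_key_dict = fs:posix:prefix=/etc/dovecot/oauth2-keys/

# Reject tokens minted by anything other than our realm (URL is an assumption).
issuers = https://sso.example.com/realms/mail

# Claim that carries the login name (assumes Keycloak's preferred_username).
username_attribute = preferred_username

# Export a JWT claim into the mail process. "groups" is a hypothetical claim
# name; the userdb_ prefix turns it into the userdb field "mail_groups".
pass_attrs = userdb_mail_groups=%{oauth2:groups}
```

Once exported, the value is reachable in later configuration as %{userdb:mail_groups}, for example in per-user namespace or location settings. As Aki points out above, the ACL plugin does not read such fields, so this only moves token data into the mail process; it does not replace the file-backed ACL store.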

