@CodeShellDev
Contributor

@CodeShellDev CodeShellDev commented May 16, 2025

  • Separated Installation into Embedded and Standalone for the above
  • Removed confusing cat <<EOCONFIG >, which modifies php to add a / in front of every line (could confuse non-technicals or php newbies)
  • Added SSO and Oauth documentation for roundcube and mailcow

Added Standalone Installation to enable Roundcube and Oauth (and also to remove nesting)
You will now be able to follow the documentation to set up roundcube inside of a separate docker container,
this will enable more complex environments to work and as a bonus it will walk you through how to set up traefik as a reverse proxy.
Which I'd say is easier to set up and easier to manage, update and maintain.

Removed confusing cat <<EOCONFIG > and cleaned up code blocks.
cat <<EOCONFIG > seems to be not needed and for that was removed in my fork.

Lastly the Reason for this pull request:
Added documentation for setting up mailcow as oauth source for Roundcube...
Now you won't have to login twice,

  1. in mailcow
  2. in Roundcube

Very sorry for the splitting part, not sure if it was a good decision, can also remove that...

Important

This is the Source that #889 is based on
Please continue in #889 instead

Related: Community Post

@CodeShellDev CodeShellDev changed the title Added Roundcube Oauth Documentation Add Roundcube Oauth Documentation May 16, 2025
@CodeShellDev
Contributor Author

Hello dear Contributors, I am wondering if I need to do something, the other pull requests have a verified next to their commits, they also don't seem to have Merging is Blocked only Review required.
Thanks in advance

@Jniklas2
Contributor

Jniklas2 commented May 25, 2025

Hello dear Contributors, I am wondering if I need to do something, the other pull requests have a verified next to their commits, they also don't seem to have Merging is Blocked only Review required. Thanks in advance

That verified comes from github's vigilant mode.

You, as the author of the PR, see this PR a little bit differently than other people. Since you can't merge other people's commits, you can only see that a review is required (I also only see "Review required" on this PR). The current state is just that you need to wait for someone from the mailcow team who reviews your change and then accepts, denies or requests changes for those changes.

@CodeShellDev
Contributor Author

CodeShellDev commented May 25, 2025

Thank you for the explanation, I thought I had missed something.

@Gokujo

Gokujo commented Jun 3, 2025

Removed confusing cat <<EOCONFIG >, which modifies php to add a / in front of every line (could confuse non-technicals or php newbies)

I would recommend you to leave it. With this you insert values of source variables into the files. But now you get this line in the final version of the file (example):

$config['db_dsnw'] = 'mysql://roundcube:${DBROUNDCUBE}@mysql/roundcubemail';

instead of

$config['db_dsnw'] = 'mysql://roundcube:RandomCreatedSuperStrongPassword@mysql/roundcubemail';

@Gokujo

Gokujo commented Jun 3, 2025

to add a / in front of every line

It escapes the $ sign; otherwise it would handle $config as a variable and not as text.
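
The here-document behaviour debated in the comments above, as an added example that is not part of the PR or the mailcow docs: it renders the `db_dsnw` line three ways and checks each result for a leftover `${...}` placeholder or a lost `$config`. `DBROUNDCUBE` and the DSN line are taken from the thread; the function names, the sample password and the character allow-list are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the PR). DBROUNDCUBE and the db_dsnw line come from
# the thread; function names and the sample password are constructed here.

# Unquoted delimiter: the shell expands ${DBROUNDCUBE}. The backslash keeps
# "$config" literal so PHP still receives a variable name.
render_expanding() {
    # Assumption of this example: accept only characters that cannot end the
    # single-quoted PHP string or alter the DSN (for instance ' @ / :).
    case $1 in
        ''|*[!A-Za-z0-9]*) echo "password has unsafe characters" >&2; return 3 ;;
    esac
    DBROUNDCUBE=$1
    cat <<EOCONFIG
<?php
\$config['db_dsnw'] = 'mysql://roundcube:${DBROUNDCUBE}@mysql/roundcubemail';
EOCONFIG
}

# Quoted delimiter: nothing is expanded, so no backslash is needed, but the
# placeholder is written to the file verbatim instead of the password.
render_literal() {
    cat <<'EOCONFIG'
<?php
$config['db_dsnw'] = 'mysql://roundcube:${DBROUNDCUBE}@mysql/roundcubemail';
EOCONFIG
}

# Unquoted delimiter without the backslash: the shell substitutes its own
# (empty) $config, so the PHP variable name disappears from the file.
render_unescaped() (
    config=''
    DBROUNDCUBE=$1
    cat <<EOCONFIG
<?php
$config['db_dsnw'] = 'mysql://roundcube:${DBROUNDCUBE}@mysql/roundcubemail';
EOCONFIG
)

# Reads a rendered config on stdin and prints a verdict:
#   ok                      placeholder expanded and $config kept
#   unexpanded-placeholder  a literal ${...} is still in the file
#   lost-php-variable       no line starts with $config[
check_config() {
    rendered=$(cat)
    if printf '%s\n' "$rendered" | grep -qF '${'; then
        echo "unexpanded-placeholder"; return 1
    fi
    if ! printf '%s\n' "$rendered" | grep -q '^\$config\['; then
        echo "lost-php-variable"; return 2
    fi
    echo "ok"
}

# Show the verdict for each variant with a constructed password.
for variant in render_expanding render_literal render_unescaped; do
    printf '%-18s %s\n' "$variant" "$($variant 'Abc123' | check_config)"
done
```

Running `check_config` on a generated file before starting the container catches the case where the literal text `${DBROUNDCUBE}` ends up being used as the database password.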

@CodeShellDev
Contributor Author

CodeShellDev commented Jun 3, 2025

When I copy & pasted the file contents it didn't work, when removing the / it worked, so obviously the / shouldn't be there. And there were no variables that automatically got replaced.

@CodeShellDev CodeShellDev reopened this Jun 3, 2025
@CodeShellDev
Contributor Author

Ok so I have reverted the EOCONFIG change, but I am still convinced that "/" is not needed.

@CodeShellDev
Contributor Author

CodeShellDev commented Jul 27, 2025

Hello, just wanted to get an update if there is any interest in this being merged, any suggestions / changes needed to implement this or if this PR can be closed?

Thanks in advance!

@MAGICCC
Member

MAGICCC commented Aug 5, 2025

@FingerlessGlov3s I guess you are using RC right? Maybe you can check it somehow

@FingerlessGlov3s
Contributor

I have a few thoughts on the instructions

I like the idea, but I think the formatting needs adjusting. I think we need to split the page into 3 or 4 pages, if we're going to offer 2 methods, currently I think it's confusing for a less tech savvy user.

  • Integrated (including update instructions)
  • Standalone (including update instructions)
  • Extra Config (SSO, CardDAV, etc)

I think we should use a version tag instead of latest on the Roundcube image, then the community can up the version, once it's been tested, which is how we handle integrated updates. I test it to make sure it works, then update the docs.

I'm also not sure Traefik config being in there is right... it doesn't match how traefik is configured in the docs See Here is another issue too.
I feel if you're going to use Traefik you've probably already got the knowledge to know how to expose roundcube as a service, or you'll access it the same as you do with or without traefik, at /rc/ as you add the nginx config, and it's then there. If someone wants to create a roundcube.mydomain.com, then I think they've probably got the skills to work that out.

That's my opinions on the PR so far 😊

@CodeShellDev
Contributor Author

After further Investigation I noticed that I had resolved the Redirect URI issue without even using traefik.
(so this should also be possible without externally managed Roundcube).

There had been an issue where mailcow was rejecting Roundcube's Oauth Request due to Redirect URI mismatch,
so internal Roundcube might still not work, but I am unable to test (maybe you could test this @FingerlessGlov3s),
but I later removed traefik from my own Setup so it is NOT needed.

(tho I will be probably adding this in a new PR + updating the traefik documentation in a new PR)

So I think this resolves all of your issues mentioned above (IF Standalone Installation is really not needed)

added new filename of Traefik R.P. v3 file
the last commit was accidentally pushed to the wrong branch

:facepalm:
@CodeShellDev CodeShellDev reopened this Aug 15, 2025
@mfuryto

mfuryto commented Aug 17, 2025

Hi. Thank you for working with this subject. I have a different problem, probably caused by using Nginx. How do you set this up with nginx with the regular installation, without Docker and proxy, but with php-fpm and fast-cgi? I have not found a described setup that really works

@CodeShellDev
Contributor Author

Hi, @mfuryto, could you please further elaborate, I also had some issue with setting this up with NGINX, (and eventually moved on to Standalone Install) but I don't remember exactly the issue, for me it was a Redirect URI mismatch.

As I stated in some comment above I am 100% sure this works with Standalone Install (have it running on my machine) and it probably should also work with Integrated Install, but it hasn't been tested...

@CodeShellDev
Contributor Author

CodeShellDev commented Aug 18, 2025

Also I am running Oauth2 with RC without traefik too.
So I have just added a custom config to nginx to point towards http://roundcube:80. Are you also running Standalone Install? What exactly do you mean without Docker (I thought mailcow was only available on docker)?

site.roundcube.custom

location /rc/ {
    proxy_pass http://roundcube:80/;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_redirect off;
}

@mfuryto

mfuryto commented Aug 18, 2025

Good evening.
First. My need was a webmail-client with built in GnuPG/OpenPGP production and storage of PGP-keys (like the Enigma-plugin in Roundcube). I tried to set up Roundcube with Mailcow, both integrated and standalone (docker) by following the mailcow documentation. My docker installation gave a serious 404-error on the whole Mailcow-installation after setting up the virtual server site.roundcube.custom. I did not use time to investigate the problem. I then used the integrated solution described in the docs, but experienced that I was not able to use single-sign-on, as the proxy-auth-thing in mailcow, even if I tried the description in the docs. I also tried to set up oauth2 with mailcow, but had no luck getting further than the login-screen after authorizing the application in mailcow oauth. My experience is that I cannot get Roundcube to authenticate with any oauth-provider with the current available documentation on the internet. I even tried this earlier when I used IRedMail (before mailcow). I also found an issue in mailcow community that said that Enigma would not work integrated or with docker in Mailcow. I then installed a regular (not docker) standalone installation in a virtual host hosted by nginx. That is when I discovered your post and start of the documentation. I still did not get it to work and asked if you know if this would work in a regular installation with php-fpm and fast-cgi. Will it work if it's not integrated as a part of the documentation given by mailcow?

As of now I have given up Roundcube. I hope I have not done anything wrong and followed the instructions. Now I have switched to Snappymail integrated in my nextcloud. It gives me the ability to store the app-password in my user profile and use OIDC to login to nextcloud. I'm using Keycloak as IDP, with mailcow as the "broker". It works like a charm with e-mail, address book with carddav-support, and PGP-encryption.

@CodeShellDev
Contributor Author

CodeShellDev commented Aug 18, 2025

Hi there,
I am a little confused what you exactly tried / did.
But I will just sum up what I got...

  1. You tried mailcow + roundcube (external install) and got a 404, you mentioned that this was affecting your whole mailcow install which shouldn't be, since you are only modifying the /rc path to point towards roundcube. I think this is likely due to Roundcube not being on the correct docker network (same as mailcow-nginx), now it is unfortunate that you didn't further debug, but this is the PR of Oauth with RC and mailcow (but since external installation was added by me to the docs, this needs to be investigated / tested).

  2. You tried the integrated install (which I haven't tested and I know had an issue in the past, but I am still Investigating). But here I am a bit confused, are you trying to set up mailcow with Roundcube (mailcow as an IdP) or Roundcube with Keycloak etc.? (this documentation is only meant for RC + mailcow oauth)

  3. You tried Roundcube without mailcow (?), I would really like to help you, but the mailcow docs are made for mailcow...
    Yes there might be the same underlying issue but I haven't used anything besides mailcow, but indeed dovecot is definitely involved in this issue (or rather how mailcow auto-configs dovecot, not enabling XOauth)

Since you have moved on and you are getting a little bit out of scope (but no worries)...

Still thank you for stopping by!

@CodeShellDev
Contributor Author

Were you able to get it working?

@Gokujo

Gokujo commented Sep 14, 2025

Were you able to get it working?

No, I didn't. Maybe tomorrow I will have more time

@CodeShellDev
Contributor Author

CodeShellDev commented Sep 14, 2025

Were you able to get it working?

No, I didn't. Maybe tomorrow I will have more time

Any hiccups or issues?

@CodeShellDev
Contributor Author

Hey there wanted to check back, ...
Did you get it working? Or were there any issues?
Thanks!

@Gokujo

Gokujo commented Sep 20, 2025

Hey there wanted to check back, ...
Did you get it working? Or were there any issues?
Thanks!

I'm sorry. I didn't have that much time this week. Too much work at work 😅

@Gokujo

Gokujo commented Sep 21, 2025

So, I've updated my config to work with configs.

run command:

mkdir /opt/roundcube-webmail

and then add an additional volume to config:
create or update docker-compose.override.yml

services:

    roundcube:
        image: roundcube/roundcubemail:latest
        container_name: roundcube-webmail
        restart: unless-stopped
        environment:
            ROUNDCUBEMAIL_DEFAULT_HOST: 'tls://${MAILCOW_HOSTNAME}'
            ROUNDCUBEMAIL_SMTP_SERVER: 'tls://${MAILCOW_HOSTNAME}'
            ROUNDCUBEMAIL_SMTP_PORT: 587
            ROUNDCUBEMAIL_SMTP_USER: '%u'
            ROUNDCUBEMAIL_SMTP_PASS: '%p'
            ROUNDCUBEMAIL_SKIN: 'elastic'
            TZ: '${TZ}'
            ROUNDCUBEMAIL_PLUGINS: 'archive,zipdownload,managesieve,thunderbird_labels,show_folder_size,tls_icon,markasjunk,contextmenu,enigma,swipe,newmail_notifier,autologon,password,carddav,globaladdressbook,persistent_login,account_details,plugin_manager,jqueryui,contextmenu_folder'
            ROUNDCUBEMAIL_COMPOSER_PLUGINS: "weird-birds/thunderbird_labels,jfcherng-roundcube/show-folder-size,germancoding/tls_icon,johndoh/swipe,roundcube/carddav,kitist/html5_notifier,johndoh/globaladdressbook,texxasrulez/persistent_login,texxasrulez/advanced_search,texxasrulez/account_details,texxasrulez/plugin_manager,random-cuber/contextmenu_folder,johndoh/contextmenu"
            ROUNDCUBEMAIL_REQUEST_PATH: /rc
        volumes:
            - ../roundcube-webmail/:/var/www/html # for rc data
            - roundcube-db:/var/roundcube/db # for db
            - ../roundcube-webmail/config/:/var/www/html/config # for config
        networks:
            mailcow-network:
                aliases:
                    - roundcube-webmail
        depends_on:
            - unbound-mailcow
            - php-fpm-mailcow
            - dovecot-mailcow
            - postfix-mailcow
volumes:
    roundcube-db:

Did you get it working?

Nope. I couldn't login with email and password either

@CodeShellDev
Contributor Author

So still a roundcube issue?

@CodeShellDev
Contributor Author

try using a pinned roundcube version (with apache)

@Gokujo

Gokujo commented Sep 21, 2025

So still a roundcube issue?

I don't know. I had time today only for server changing and rc installation.
Everything works fine except for SSO. I got an error from rc-auth.php, that rc is not installed

@CodeShellDev
Contributor Author

could you also post the rc config you're using

@CodeShellDev
Contributor Author

So still a roundcube issue?

I don't know. I had time today only for server changing and rc installation. Everything works fine except for SSO. I got an error from rc-auth.php, that rc is not installed

So external RC is working? Just not the oauth

@Gokujo

Gokujo commented Sep 21, 2025

So external RC is working? Just not the oauth

yes
[Screenshot: Roundcube Webmail :: Posteingang]

@CodeShellDev
Contributor Author

OK good to know and what error are you getting again? Is it coming from rc or mailcow?

@Gokujo

Gokujo commented Sep 21, 2025

mailcow

it can't find installed roundcube

@CodeShellDev
Contributor Author

could you post the logline?

@CodeShellDev
Contributor Author

And also it would be really helpful if you could provide your configs, of course you can redact any private information.

@Gokujo

Gokujo commented Sep 21, 2025

I followed the guide. config should be the same for all

nginx-mailcow-1           | 5.146.249.88 - - [21/Sep/2025:17:04:57 +0200] "GET /rc/?_task=logout&_token=OcBOIVNDLekeQeK2jw0Z4TanFbU2wqY7 HTTP/2.0" 200 2629 "https://mail.cow/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36"
roundcube-webmail         | 172.22.1.12 - - [21/Sep/2025:17:04:57 +0200] "GET /?_task=logout&_token=OcBOIVNDLekeQeK2jw0Z4TanFbU2wqY7 HTTP/1.0" 200 3092 "https://mail.cow" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36"
watchdog-mailcow-1        | 6
roundcube-webmail         | 172.22.1.12 - - [21/Sep/2025:17:04:58 +0200] "GET /?_task=login&_action=oauth HTTP/1.0" 302 613 "https://mail.cow/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36"
nginx-mailcow-1           | 5.146.249.88 - - [21/Sep/2025:17:04:58 +0200] "GET /rc/?_task=login&_action=oauth HTTP/2.0" 302 0 "https://mail.cow/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36"
php-fpm-mailcow-1         | 172.22.1.12 -  21/Sep/2025:17:04:58 +0200 "GET /oauth/authorize.php" 400
nginx-mailcow-1           | 5.146.249.88 - - [21/Sep/2025:17:04:58 +0200] "GET /oauth/authorize?response_type=code&client_id=6b163a57daec&scope=profile&redirect_uri=http%3A%2F%2Fmail.cow%2Frc%2Findex.php%2Flogin%2Foauth&state=n1QXW8pkgqAp HTTP/2.0" 400 177 "https://mail.cow/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36"

on mailcow I receive

{
"error": "redirect_uri_mismatch",
"error_description": "The redirect URI provided is missing or does not match",
"error_uri": "http://tools.ietf.org/html/rfc6749#section-3.1.2"
}

and if I try to login with email and password

dovecot-mailcow-1         | Sep 21 17:07:14 006fe7af3256 dovecot: auth: Fatal: Unknown authentication mechanism 'OAUTH'
dovecot-mailcow-1         | Sep 21 17:07:14 006fe7af3256 dovecot: master: Error: service(auth): command startup failed, throttling for 60.000 secs
dovecot-mailcow-1         | Sep 21 17:07:14 006fe7af3256 dovecot: pop3-login: Error: auth-client: conn unix:login (pid=119,uid=0): Timeout waiting for handshake from auth server. my pid=128, input bytes=0
dovecot-mailcow-1         | Sep 21 17:07:14 006fe7af3256 dovecot: imap-login: Error: auth-client: conn unix:login (pid=119,uid=0): Timeout waiting for handshake from auth server. my pid=226, input bytes=0
dovecot-mailcow-1         | Sep 21 17:07:14 006fe7af3256 dovecot: managesieve-login: Error: auth-client: conn unix:login (pid=119,uid=0): Timeout waiting for handshake from auth server. my pid=187, input bytes=0
dovecot-mailcow-1         | Sep 21 17:07:14 006fe7af3256 dovecot: lmtp(watchdog@invalid)<180><GKN1FZkU0Gi0AAAAzSBRkQ>: Error: auth-master: userdb lookup(watchdog@invalid): Disconnected unexpectedly
dovecot-mailcow-1         | Sep 21 17:07:14 006fe7af3256 dovecot: lmtp(180): Error: lmtp-server: conn 172.22.1.15:46680 [3]: rcpt watchdog@invalid: Failed to lookup user watchdog@invalid: Internal error occurred. Refer to server log for more information.
dovecot-mailcow-1         | Sep 21 17:07:14 006fe7af3256 dovecot: lmtp(180): Disconnect from 172.22.1.15: Logged out (state=MAIL FROM)
nginx-mailcow-1           | 172.22.1.15 - - [21/Sep/2025:17:07:16 +0200] "GET / HTTP/1.1" 200 15 "-" "check_http/v (nagios-plugins 2.4.10)"
watchdog-mailcow-1        | Sun Sep 21 17:07:16 CEST 2025 Nginx health level: 100% (5/5), health trend: 0
watchdog-mailcow-1        | Sun Sep 21 17:07:19 CEST 2025 Clamd health level: 93% (14/15), health trend: 1
php-fpm-mailcow-1         | 172.22.1.12 -  21/Sep/2025:17:07:20 +0200 "HEAD /forwardinghosts.php" 200
nginx-mailcow-1           | 172.22.1.11 - - [21/Sep/2025:17:07:20 +0200] "HEAD /forwardinghosts.php HTTP/1.1" 200 0 "-" "rspamd-3.12.1"
watchdog-mailcow-1        | Sun Sep 21 17:07:21 CEST 2025 Fail2ban health level: 100% (1/1), health trend: 0
rspamd-mailcow-1          | 2025-09-21 17:07:22 #38(controller) <b8c6ac>; csession; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 0 regexps matched, 3701 regexps total, 2642 regexps cached, 0B scanned using pcre, 102B scanned total
watchdog-mailcow-1        | Sun Sep 21 17:07:22 CEST 2025 Rspamd health level: 100% (5/5), health trend: 0
watchdog-mailcow-1        | Sun Sep 21 17:07:23 CEST 2025 Ratelimit health level: 100% (1/1), health trend: 0
dovecot-mailcow-1         | Sep 21 17:07:24 006fe7af3256 dovecot: imap-login: Disconnected: Connection closed (disconnected before auth was ready, waited 10 secs): user=<>, rip=172.22.1.15, lip=172.22.1.250, TLS: Connection closed, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
watchdog-mailcow-1        | Sun Sep 21 17:07:24 CEST 2025 MySQL/MariaDB health level: 100% (5/5), health trend: 0
php-fpm-mailcow-1         | 172.22.1.12 -  21/Sep/2025:17:07:25 +0200 "GET /forwardinghosts.php" 200
nginx-mailcow-1           | 172.22.1.11 - - [21/Sep/2025:17:07:25 +0200] "GET /forwardinghosts.php HTTP/1.1" 200 27 "-" "rspamd-3.12.1"
dovecot-mailcow-1         | Sep 21 17:07:26 006fe7af3256 dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=172.22.1.1, lip=172.22.1.250
watchdog-mailcow-1        | Sun Sep 21 17:07:31 CEST 2025 PHP-FPM health level: 100% (5/5), health trend: 0
watchdog-mailcow-1        | Sun Sep 21 17:07:31 CEST 2025 Postfix TLS Policy companion health level: 100% (8/8), health trend: 0
php-fpm-mailcow-1         | 172.22.1.12 -  21/Sep/2025:17:07:33 +0200 "GET /index.php" 200
nginx-mailcow-1           | 5.146.249.88 - - [21/Sep/2025:17:07:33 +0200] "GET / HTTP/1.1" 200 39501 "-" "Uptime-Kuma/1.23.16"
php-fpm-mailcow-1         | 172.22.1.12 -  21/Sep/2025:17:07:34 +0200 "HEAD /settings.php" 304
nginx-mailcow-1           | 172.22.1.11 - - [21/Sep/2025:17:07:34 +0200] "HEAD /settings.php HTTP/1.1" 304 0 "-" "rspamd-3.12.1"
dovecot-mailcow-1         | Sep 21 17:07:34 006fe7af3256 dovecot: imap-login: Disconnected: Connection closed (disconnected before auth was ready, waited 10 secs): user=<>, rip=172.22.1.15, lip=172.22.1.250
watchdog-mailcow-1        | Sun Sep 21 17:07:38 CEST 2025 Unbound health level: 100% (5/5), health trend: 0

I guess the first line is the answer
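
An added example (not code from the PR or from mailcow) that extracts `redirect_uri` from an access-log line like the one above, decodes it, and reports which URI component differs from the registered value. The log line is constructed with a placeholder client ID, state and address; the registered URI is the one reported further down this thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the PR): find out why an OAuth authorize request was
# answered with redirect_uri_mismatch, using only the proxy access log.

# Constructed sample shaped like the nginx-mailcow line in the thread; the
# client_id, state and client address are placeholders.
SAMPLE_LOG='nginx-mailcow-1 | 203.0.113.7 - - [21/Sep/2025:17:04:58 +0200] "GET /oauth/authorize?response_type=code&client_id=EXAMPLECLIENT&scope=profile&redirect_uri=http%3A%2F%2Fmail.cow%2Frc%2Findex.php%2Flogin%2Foauth&state=EXAMPLESTATE HTTP/2.0" 400 177'

# Redirect URI registered for the client, as stated in the thread.
REGISTERED='https://mail.cow/rc/index.php/login/oauth'

# Percent-decode each line of stdin (POSIX awk, no external tools).
urldecode() {
    awk '
    function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
    {
        out = ""
        while (match($0, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
            hi = hexval(substr($0, RSTART + 1, 1))
            lo = hexval(substr($0, RSTART + 2, 1))
            out = out substr($0, 1, RSTART - 1) sprintf("%c", hi * 16 + lo)
            $0 = substr($0, RSTART + 3)
        }
        print out $0
    }'
}

# Read access-log lines on stdin, print the decoded redirect_uri of the first
# request that carries one.
extract_redirect_uri() {
    sed -n 's/.*[?&]redirect_uri=\([^& "]*\).*/\1/p' | head -n 1 | urldecode
}

# uri_part <scheme|authority|path> <uri>
uri_part() {
    case $1 in
        scheme)    printf '%s\n' "${2%%://*}" ;;
        authority) rest=${2#*://}; printf '%s\n' "${rest%%/*}" ;;
        path)      rest=${2#*://}
                   case $rest in
                       */*) printf '/%s\n' "${rest#*/}" ;;
                       *)   printf '/\n' ;;
                   esac ;;
    esac
}

# compare_redirect_uri <registered> <requested>
# Prints "match" or "mismatch:<component>" for the first differing component.
compare_redirect_uri() {
    if [ "$1" = "$2" ]; then
        echo "match"; return 0
    fi
    for part in scheme authority path; do
        if [ "$(uri_part "$part" "$1")" != "$(uri_part "$part" "$2")" ]; then
            echo "mismatch:$part"; return 1
        fi
    done
    echo "mismatch:other"; return 1
}

requested=$(printf '%s\n' "$SAMPLE_LOG" | extract_redirect_uri)
printf 'registered: %s\nrequested:  %s\nverdict:    %s\n' \
    "$REGISTERED" "$requested" "$(compare_redirect_uri "$REGISTERED" "$requested")"
```

A `mismatch:scheme` result behind a TLS-terminating reverse proxy typically means the application built its callback URL from the plain-HTTP hop rather than from the forwarded scheme.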

@CodeShellDev
Contributor Author

What did you set as Redirect URI? Since that is the main issue here.
I know it may seem redundant but please do share the configs just to rule out any mismatch or error on my end.

@CodeShellDev
Contributor Author

and if I try to login with email and password

So standard login also doesn't work? Does it break when adding SSO or how did you still get the Screenshot of RC?

@Gokujo

Gokujo commented Sep 22, 2025

set as Redirect URI

https://mail.cow/rc/index.php/login/oauth

do share the configs just

  1. RoundcubeAutoLogin.php / rc-auth.php => https://gitlab.com/-/snippets/2038244

  2. config.inc.php

<?php

$config['plugins']               = [
	'archive',
	'zipdownload',
	'managesieve',
	'thunderbird_labels',
	'show_folder_size',
	'tls_icon',
	'markasjunk',
	'contextmenu',
	'enigma',
	'swipe',
	'newmail_notifier',
	'autologon',
	'password',
	'carddav',
	'globaladdressbook',
	'persistent_login',
	'account_details',
	'plugin_manager',
	'jqueryui',
	'contextmenu_folder',
	'dovecot_client_ip',
	'dovecot_impersonate',
];
$config['log_driver']            = 'stdout';
$config['zipdownload_selection'] = TRUE;
$config['des_key']               = 'key';
$config['enable_spellcheck']     = TRUE;
$config['spellcheck_engine']     = 'pspell';
$config['managesieve_host']      = 'dovecot:4190';
$config['managesieve_vacation']  = 1;
include(__DIR__ . '/config.docker.inc.php');
include(__DIR__ . "/config.oauth.inc.php");

$config['dovecot_client_ip_trusted_proxies'] = ['172.22.1.0/24', 'fd4d:6169:6c63:6f77::/64'];

  3. carddav config.inc.php

<?php

//// RCMCardDAV Plugin Admin Settings

///////////////////////////////////////////////////////////////////////
////                                                               ////
////                                                               ////
//// SEE doc/ADMIN-SETTINGS.md FOR DOCUMENTATION ON THE PARAMETERS ////
////                                                               ////
////                                                               ////
///////////////////////////////////////////////////////////////////////


//// ** GLOBAL SETTINGS

// Disallow users to add custom addressbooks (default: false)
// $prefs['_GLOBAL']['fixed'] = true;

// When enabled, this option hides the 'CardDAV' section inside Preferences.
// $prefs['_GLOBAL']['hide_preferences'] = true;

// Scheme for storing the CardDAV passwords, in order from least to best security.
// Options: plain, base64, des_key, encrypted (default)
 $prefs['_GLOBAL']['pwstore_scheme'] = 'des_key';
$prefs['SOGo'] = [
	'accountname'    => 'SOGo',
	'username'       => '%u',
	'password'       => '%p',
	'discovery_url'  => 'http://sogo:20000/SOGo/dav/',
	'name'           => '%N',
	'use_categories' => true,
	'fixed'          => ['username', 'password'],
];

// Specify minimum loglevels for logging for the plugin and the HTTP client
// The following are possible: DEBUG, INFO, NOTICE, WARNING, ERROR, CRITICAL, ALERT, EMERGENCY
// Defaults to ERROR
$prefs['_GLOBAL']['loglevel'] = \Psr\Log\LogLevel::WARNING;
$prefs['_GLOBAL']['loglevel_http'] = \Psr\Log\LogLevel::ERROR;

// Select addressbook from preset to use as Roundcube's collected recipients, collected/trusted senders or default
// addressbook, corresponding to the roundcube options of the same name available since roundcube 1.5.
// Note that only writeable addressbooks can be used for this. If you do not want to use these options, simply do not
// define them
// If no/several addressbooks match, the roundcube setting will not be changed
//$prefs['_GLOBAL']['collected_recipients'] = [
//    // Key of the preset, i.e. whatever is used for <Presetname> in the template below
//    'preset'  => '<Presetname>',
//    // The placeholders that can be used in the url attribute can also be used inside these regular expressions
//    // If both matchname and matchurl are given, both need to match for the addressbook to be used
//    'matchname' => '/collected recipients/i',
//    'matchurl' => '#http://carddav.example.com/abooks/%u/CollectedRecipients#',
//];
//$prefs['_GLOBAL']['collected_senders'] = [
//    // Key of the preset, i.e. whatever is used for <Presetname> in the template below
//    'preset'  => '<Presetname>',
//    // The placeholders that can be used in the url attribute can also be used inside these regular expressions
//    // If both matchname and matchurl are given, both need to match for the addressbook to be used
//    'matchname' => '/collected recipients/i',
//    'matchurl' => '#http://carddav.example.com/abooks/%u/CollectedRecipients#',
//];
//$prefs['_GLOBAL']['default_addressbook'] = [
//    // Key of the preset, i.e. whatever is used for <Presetname> in the template below
//    'preset'  => '<Presetname>',
//    // The placeholders that can be used in the url attribute can also be used inside these regular expressions
//    // If both matchname and matchurl are given, both need to match for the addressbook to be used
//    'matchname' => '/collected recipients/i',
//    'matchurl' => '#http://carddav.example.com/abooks/%u/CollectedRecipients#',
//];

//// ** ACCOUNT PRESETS

// Each account preset takes the following form:
/*
$prefs['<Presetname>'] = [
    // Account attributes
    //// required attributes
    'accountname'         =>  '<Account Name>',

    //// required attributes unless passwordless authentication is used (Kerberos)
    'username'     =>  '<CardDAV Username>',
    'password'     =>  '<CardDAV Password>',
    //// optional attributes
    ////// if discovery_url is not specified / null, addressbook discovery is disabled (see extra_addressbooks)
    'discovery_url'          =>  '<CardDAV Discovery URL>',
    'rediscover_time' => '<Rediscover Time in Hours, Format HH[:MM[:SS]]>',
    ////// hide the account/addressbooks of this preset from CardDAV settings
    'hide' => <true or false>,
    ////// send basic authentication data to the server even before requested by the server
    'preemptive_basic_auth' => <true or false>,
    ////// disable verification of SSL certificate presented by CardDAV server
    'ssl_noverify' => <true or false>,

    // Auto-discovered addressbook attributes, and for extra addressbooks if not overridden there
    //// optional attributes
    'name'         => '<Template for name of addressbooks>',
    'active'       =>  <true or false>,
    'readonly'     =>  <true or false>,
    'refresh_time' => '<Refresh Time in Hours, Format HH[:MM[:SS]]>',
    'use_categories' => <true or false>,

    ////// attributes that are fixed (i.e., not editable by the user) and auto-updated for this preset
    'fixed'        =>  [ < 0 or more of the other attribute keys > ],

    ////// only show contacts that have an email address (even in the addressbook view)
    'require_always_email' => false,

    // optional: manually add (non-discoverable) addressbooks
    'extra_addressbooks' =>  [
        // first manually-added addressbook
        [
            // required attributes
            'url'          =>  '<Addressbook URL>',

            // optional attributes - if not specified, values from account are applied
            'name'         => '<Template for name of addressbook>',
            'active'       =>  <true or false>,
            'readonly'     =>  <true or false>,
            'refresh_time' => '<Refresh Time in Hours, Format HH[:MM[:SS]]>',
            'use_categories' => <true or false>,

            // attributes that are fixed (i.e., not editable by the user) and auto-updated for this preset addressbook
            'fixed'        =>  [ < 0 or more of the other attribute keys > ],

            // always require these attributes, even for addressbook view
            'require_always' => ['email'],
        ],
        // ... second manually-added addressbook ...
    ],
];
*/

// vim: ts=4:sw=4:expandtab:fenc=utf8:ff=unix:tw=120:ft=php

  4. password config.inc.php

<?php

// Password Plugin options
// -----------------------
// A driver to use for password change. Default: "sql".
// See README file for list of supported driver names.
$config['password_driver'] = 'mailcow';

// A driver to use for checking password strength. Default: null (disabled).
// See README file for list of supported driver names.
$config['password_strength_driver'] = null;

// Determine whether current password is required to change password.
// Default: false.
$config['password_confirm_current'] = true;

// Require the new password to be a certain length.
// set to blank to allow passwords of any length
$config['password_minimum_length'] = 8;

// Require the new password to have at least the specified strength score.
// Note: Password strength is scored from 1 (weak) to 5 (strong).
$config['password_minimum_score'] = 0;

// Enables logging of password changes into logs/password
$config['password_log'] = false;

// Array of login exceptions for which password change
// will be not available (no Password tab in Settings)
$config['password_login_exceptions'] = null;

// Array of hosts that support password changing.
// Listed hosts will feature a Password option in Settings; others will not.
// Example: ['mail.example.com', 'mail2.example.org'];
// Default is NULL (all hosts supported).
$config['password_hosts'] = null;

// Enables saving the new password even if it matches the old password. Useful
// for upgrading the stored passwords after the encryption scheme has changed.
$config['password_force_save'] = false;

// Enables forcing new users to change their password at their first login.
$config['password_force_new_user'] = false;

// Password hashing/crypting algorithm.
// Possible options: des-crypt, ext-des-crypt, md5-crypt, blowfish-crypt,
// sha256-crypt, sha512-crypt, md5, sha, smd5, ssha, ssha256, ssha512, samba, ad, dovecot, clear.
// Also supported are password_hash() algorithms: hash-bcrypt, hash-argon2i, hash-argon2id.
// Default: 'clear' (no hashing)
// For details see password::hash_password() method.
$config['password_algorithm'] = 'clear';

// Additional options for password hashing function(s).
// For password_hash()-based passwords see https://www.php.net/manual/en/function.password-hash.php
// It can be used to set the Blowfish algorithm cost, e.g. ['cost' => 12]
$config['password_algorithm_options'] = [];

// Password prefix (e.g. {CRYPT}, {SHA}) for passwords generated
// using password_algorithm above. Default: empty.
$config['password_algorithm_prefix'] = '';

// Path for dovecotpw/doveadm-pw (if not in the $PATH).
// Used for password_algorithm = 'dovecot'.
// $config['password_dovecotpw'] = '/usr/local/sbin/doveadm pw'; // for dovecot-2.x
$config['password_dovecotpw'] = '/usr/local/sbin/dovecotpw'; // for dovecot-1.x

// Dovecot password scheme.
// Used for password_algorithm = 'dovecot'.
$config['password_dovecotpw_method'] = 'CRAM-MD5';

// Enables use of password with method prefix, e.g. {MD5}$1$LUiMYWqx$fEkg/ggr/L6Mb2X7be4i1/
// when using password_algorithm=dovecot
$config['password_dovecotpw_with_method'] = false;

// Number of rounds for the sha256 and sha512 crypt hashing algorithms.
// Must be at least 1000. If not set, then the number of rounds is left up
// to the crypt() implementation. On glibc this defaults to 5000.
// Be aware, the higher the value, the longer it takes to generate the password hashes.
//$config['password_crypt_rounds'] = 50000;

// This option temporarily disables the password change functionality.
// Use it when the users database server is in maintenance mode or something like that.
// You can set it to TRUE/FALSE or a text describing the reason
// which will replace the default.
$config['password_disabled'] = false;

// Various drivers/setups use different format of the username.
// This option allows you to force specified format use. Default: '%u'.
// Supported variables:
//     %u - full username,
//     %l - the local part of the username (in case the username is an email address)
//     %d - the domain part of the username (in case the username is an email address)
// Note: This may not apply to some drivers implementing their own rules, e.g. sql.
$config['password_username_format'] = '%u';

// Options passed when creating Guzzle HTTP client, used to access various external APIs.
// This will overwrite global http_client settings. For example:
// [
//   'timeout' => 10,
//   'proxy' => 'tcp://localhost:8125',
// ]
$config['password_http_client'] = [];


// SQL Driver options
// ------------------
// PEAR database DSN for performing the query. By default
// Roundcube DB settings are used.
// Supported replacement variables:
// %h - user's IMAP hostname
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %z - IMAP domain (IMAP hostname without the first part)
$config['password_db_dsn'] = '';

// The SQL query used to change the password.
// The query can contain the following macros that will be expanded as follows:
//      %p is replaced with the plaintext new password
//      %P is replaced with the crypted/hashed new password
//         according to configured password_algorithm
//      %o is replaced with the old (current) password
//      %O is replaced with the crypted/hashed old (current) password
//         according to configured password_algorithm
//      %h is replaced with the imap host (from the session info)
//      %u is replaced with the username (from the session info)
//      %l is replaced with the local part of the username
//         (in case the username is an email address)
//      %d is replaced with the domain part of the username
//         (in case the username is an email address)
// Escaping of macros is handled by this module.
// Default: "SELECT update_passwd(%P, %u)"
$config['password_query'] = 'SELECT update_passwd(%P, %u)';

// By default domains in variables are using unicode.
// Enable this option to use punycoded names
$config['password_idn_ascii'] = false;


// Poppassd Driver options
// -----------------------
// The host which changes the password (default: localhost)
// Supported replacement variables:
//   %n - hostname ($_SERVER['SERVER_NAME'])
//   %t - hostname without the first part
//   %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
//   %h - IMAP host
//   %z - IMAP domain without first part
//   %s - domain name after the '@' from e-mail address provided at login screen
$config['password_pop_host'] = 'localhost';

// TCP port used for poppassd connections (default: 106)
$config['password_pop_port'] = 106;


// SASL Driver options
// -------------------
// Additional arguments for the saslpasswd2 call
$config['password_saslpasswd_args'] = '';


// LDAP, LDAP_SIMPLE and LDAP_EXOP Driver options
// -----------------------------------
// LDAP server name to connect to.
// You can provide one or several hosts in an array in which case the hosts are tried from left to right.
// Example: ['ldap1.example.com', 'ldap2.example.com'];
// Default: 'localhost'
$config['password_ldap_host'] = 'localhost';

// LDAP server port to connect to
// Default: '389'
$config['password_ldap_port'] = '389';

// TLS is started after connecting
// Using TLS for password modification is recommended.
// Default: false
$config['password_ldap_starttls'] = false;

// LDAP version
// Default: '3'
$config['password_ldap_version'] = '3';

// LDAP base name (root directory)
// Example: 'dc=example,dc=com'
$config['password_ldap_basedn'] = 'dc=example,dc=com';

// LDAP connection method
// There are two connection methods for changing a user's LDAP password.
// 'user': use user credential (recommended, require password_confirm_current=true)
// 'admin': use admin credential (this mode require password_ldap_adminDN and password_ldap_adminPW)
// Default: 'user'
$config['password_ldap_method'] = 'user';

// LDAP Admin DN
// Used only in admin connection mode
// Default: null
$config['password_ldap_adminDN'] = null;

// LDAP Admin Password
// Used only in admin connection mode
// Default: null
$config['password_ldap_adminPW'] = null;

// LDAP user DN mask
// The user's DN is mandatory and as we only have his login,
// we need to re-create his DN using a mask
// '%login' will be replaced by the current roundcube user's login
// '%name' will be replaced by the current roundcube user's name part
// '%domain' will be replaced by the current roundcube user's domain part
// '%dc' will be replaced by domain name hierarchal string e.g. "dc=test,dc=domain,dc=com"
// Example: 'uid=%login,ou=people,dc=example,dc=com'
$config['password_ldap_userDN_mask'] = 'uid=%login,ou=people,dc=example,dc=com';

// LDAP search DN
// The DN roundcube should bind with to find out user's DN
// based on his login. Note that you should comment out the default
// password_ldap_userDN_mask setting for this to take effect.
// Use this if you cannot specify a general template for user DN with
// password_ldap_userDN_mask. You need to perform a search based on
// users login to find his DN instead. A common reason might be that
// your users are placed under different ou's like engineering or
// sales which cannot be derived from their login only.
$config['password_ldap_searchDN'] = 'cn=roundcube,ou=services,dc=example,dc=com';

// LDAP search password
// If password_ldap_searchDN is set, the password to use for
// binding to search for user's DN. Note that you should comment out the default
// password_ldap_userDN_mask setting for this to take effect.
// Warning: Be sure to set appropriate permissions on this file so this password
// is only accessible to roundcube and don't forget to restrict roundcube's access to
// your directory as much as possible using ACLs. Should this password be compromised
// you want to minimize the damage.
$config['password_ldap_searchPW'] = 'secret';

// LDAP search base
// If password_ldap_searchDN is set, the base to search in using the filter below.
// Note that you should comment out the default password_ldap_userDN_mask setting
// for this to take effect.
$config['password_ldap_search_base'] = 'ou=people,dc=example,dc=com';

// LDAP search filter
// If password_ldap_searchDN is set, the filter to use when
// searching for user's DN. Note that you should comment out the default
// password_ldap_userDN_mask setting for this to take effect.
// '%login' will be replaced by the current roundcube user's login
// '%name' will be replaced by the current roundcube user's name part
// '%domain' will be replaced by the current roundcube user's domain part
// '%dc' will be replaced by domain name hierarchal string e.g. "dc=test,dc=domain,dc=com"
// Example: '(uid=%login)'
// Example: '(&(objectClass=posixAccount)(uid=%login))'
$config['password_ldap_search_filter'] = '(uid=%login)';

// LDAP password hash type
// Standard LDAP encryption type which must be one of options supported in password_algorithm.
// Set to 'default' if you want to use method specified in password_algorithm option above.
// Multiple password Values can be generated by concatenating encodings with a +. E.g. 'cram-md5+md5-crypt'
// Default: 'md5-crypt'.
$config['password_ldap_encodage'] = 'md5-crypt';

// LDAP password attribute
// Name of the ldap's attribute used for storing user password
// Default: 'userPassword'
$config['password_ldap_pwattr'] = 'userPassword';

// LDAP password force replace
// Force LDAP replace in cases where ACL allows only replace not read
// See http://pear.php.net/package/Net_LDAP2/docs/latest/Net_LDAP2/Net_LDAP2_Entry.html#methodreplace
// Default: true
$config['password_ldap_force_replace'] = true;

// LDAP Password Last Change Date
// Some places use an attribute to store the date of the last password change
// The date is measured in "days since epoch" (an integer value)
// Whenever the password is changed, the attribute will be updated if set (e.g. shadowLastChange)
$config['password_ldap_lchattr'] = '';

// LDAP Samba password attribute, e.g. sambaNTPassword
// Name of the LDAP's Samba attribute used for storing user password
$config['password_ldap_samba_pwattr'] = '';

// LDAP Samba Password Last Change Date attribute, e.g. sambaPwdLastSet
// Some places use an attribute to store the date of the last password change
// The date is measured in "seconds since epoch" (an integer value)
// Whenever the password is changed, the attribute will be updated if set
$config['password_ldap_samba_lchattr'] = '';

// LDAP PPolicy Driver options
// -----------------------------------

// LDAP Change password command - filename of the perl script
// Example: 'change_ldap_pass.pl'
$config['password_ldap_ppolicy_cmd'] = 'change_ldap_pass.pl';

// LDAP URI
// Example: 'ldap://ldap.example.com/ ldaps://ldap2.example.com:636/'
$config['password_ldap_ppolicy_uri'] = 'ldap://localhost/';

// LDAP base name (root directory)
// Example: 'dc=example,dc=com'
$config['password_ldap_ppolicy_basedn'] = 'dc=example,dc=com';

$config['password_ldap_ppolicy_searchDN'] = 'cn=someuser,dc=example,dc=com';

$config['password_ldap_ppolicy_searchPW'] = 'secret';

// LDAP search filter
// Example: '(uid=%login)'
// Example: '(&(objectClass=posixAccount)(uid=%login))'
$config['password_ldap_ppolicy_search_filter'] = '(uid=%login)';

// CA Certificate file if in URI is LDAPS connection
$config['password_ldap_ppolicy_cafile'] = '/etc/ssl/cacert.crt';



// DirectAdmin Driver options
// --------------------------
// The host which changes the password
// Use 'ssl://host' instead of 'tcp://host' when running DirectAdmin over SSL.
// The host can contain the following macros that will be expanded as follows:
//     %h is replaced with the imap host (from the session info)
//     %d is replaced with the domain part of the username (if the username is an email)
$config['password_directadmin_host'] = 'tcp://localhost';

// TCP port used for DirectAdmin connections
$config['password_directadmin_port'] = 2222;


// vpopmaild Driver options
// -----------------------
// The host which changes the password
$config['password_vpopmaild_host'] = 'localhost';

// TCP port used for vpopmaild connections
$config['password_vpopmaild_port'] = 89;

// Timeout used for the connection to vpopmaild (in seconds)
$config['password_vpopmaild_timeout'] = 10;


// cPanel Driver options
// ---------------------
// The cPanel Host name
$config['password_cpanel_host'] = 'host.domain.com';

// The cPanel port to use
$config['password_cpanel_port'] = 2096;


// XIMSS (Communigate server) Driver options
// -----------------------------------------
// Host name of the Communigate server
$config['password_ximss_host'] = 'mail.example.com';

// XIMSS port on Communigate server
$config['password_ximss_port'] = 11024;


// chpasswd Driver options
// ---------------------
// Command to use (see "Sudo setup" in README)
$config['password_chpasswd_cmd'] = 'sudo /usr/sbin/chpasswd 2> /dev/null';


// XMail Driver options
// ---------------------
$config['xmail_host'] = 'localhost';
$config['xmail_user'] = 'YourXmailControlUser';
$config['xmail_pass'] = 'YourXmailControlPass';
$config['xmail_port'] = 6017;


// hMail Driver options
// -----------------------
// Remote hMailServer configuration
// true:  HMailserver is on a remote box (php.ini: com.allow_dcom = true)
// false: Hmailserver is on same box as PHP
$config['hmailserver_remote_dcom'] = false;
// Windows credentials
$config['hmailserver_server'] = [
    'Server'   => 'localhost',      // hostname or ip address
    'Username' => 'administrator',  // windows username
    'Password' => 'password'        // windows user password
];


// pw_usermod Driver options
// --------------------------
// Use comma delimited exlist to disable password change for users.
// See "Sudo setup" in README file.
$config['password_pw_usermod_cmd'] = 'sudo /usr/sbin/pw usermod -h 0 -n';


// DBMail Driver options
// -------------------
// Additional arguments for the dbmail-users call
$config['password_dbmail_args'] = '-p sha512';


// Expect Driver options
// ---------------------
// Location of expect binary
$config['password_expect_bin'] = '/usr/bin/expect';

// Location of expect script (see helpers/passwd-expect)
$config['password_expect_script'] = '';

// Arguments for the expect script. See the helpers/passwd-expect file for details.
// This is probably a good starting default:
//   -telnet -host localhost -output /tmp/passwd.log -log /tmp/passwd.log
$config['password_expect_params'] = '';


// smb Driver options
// ---------------------
// Samba host (default: localhost)
// Supported replacement variables:
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
$config['password_smb_host'] = 'localhost';
// Location of smbpasswd binary (default: /usr/bin/smbpasswd)
$config['password_smb_cmd'] = '/usr/bin/smbpasswd';

// gearman driver options
// ---------------------
// Gearman host (default: localhost)
$config['password_gearman_host'] = 'localhost';


// Plesk/PPA Driver options
// --------------------
// You need to allow RPC for the IP of the roundcube-server in Plesk/PPA Panel

// Plesk RPC Host
$config['password_plesk_host'] = '10.0.0.5';

// Plesk RPC Username
$config['password_plesk_user'] = 'admin';

// Plesk RPC Password
$config['password_plesk_pass'] = 'password';

// Plesk RPC Port
$config['password_plesk_rpc_port'] = '8443';

// Plesk RPC Path
$config['password_plesk_rpc_path'] = 'enterprise/control/agent.php';


// kpasswd Driver options
// ---------------------
// Command to use
$config['password_kpasswd_cmd'] = '/usr/bin/kpasswd';


// Modoboa Driver options
// ---------------------
// put token number from Modoboa server
$config['password_modoboa_api_token'] = '';


// Mail-in-a-Box Driver options
// ----------------------------
// the url to the control panel of Mail-in-a-Box, e.g. https://box.example.com/admin/
$config['password_miab_url'] = '';
// name (email) of the admin user used to access api
$config['password_miab_user'] = '';
// password of the admin user used to access api
$config['password_miab_pass'] = '';


// TinyCP
// --------------
// TinyCP host, port, user and pass.
$config['password_tinycp_host'] = '';
$config['password_tinycp_port'] = '';
$config['password_tinycp_user'] = '';
$config['password_tinycp_pass'] = '';

// HTTP-API Driver options
// ---------------------

// Base URL of password change API. HTTPS recommended.
$config['password_httpapi_url'] = 'https://passwordserver.example.org';

// Method (also affects how vars are sent). Default: POST.
// GET is not recommended as passwords will appear in the remote webserver's access log
$config['password_httpapi_method'] = 'POST';

// GET or POST variable in which to put the username
$config['password_httpapi_var_user'] = 'user';

// GET or POST variable in which to put the current password
$config['password_httpapi_var_curpass'] = 'curpass';

// GET or POST variable in which to put the new password
$config['password_httpapi_var_newpass'] = 'newpass';

// HTTP codes other than 2xx are assumed to mean the password change failed.
// Optionally, if set, this variable additionally checks the body of the 2xx response to
// confirm the change. It's a preg_match regular expression.
$config['password_httpapi_expect'] = '/^ok$/i';


// dovecot_passwdfile
// ------------------
$config['password_dovecot_passwdfile_path'] = '/etc/mail/imap.passwd';


// Mailcow driver options
// ----------------------
$config['password_mailcow_api_host'] = 'https://mail.cow';
$config['password_mailcow_api_token'] = 'API_KEY';
  1. config.docker.inc.php
<?php
  $config['db_dsnw'] = 'sqlite:////var/roundcube/db/sqlite.db?mode=0646';
  $config['db_dsnr'] = '';
  $config['imap_host'] = 'tls://mail.cow:143';
  $config['smtp_host'] = 'tls://mail.cow:587';
  $config['username_domain'] = '';
  $config['temp_dir'] = '/tmp/roundcube-temp';
  $config['skin'] = 'elastic';
  $config['request_path'] = '/rc';
  $config['plugins'] = array_filter(array_unique(array_merge($config['plugins'], ['archive', 'zipdownload', 'managesieve', 'thunderbird_labels', 'show_folder_size', 'tls_icon', 'markasjunk', 'contextmenu', 'enigma', 'swipe', 'newmail_notifier', 'autologon', 'password', 'carddav', 'globaladdressbook', 'persistent_login', 'account_details', 'plugin_manager', 'jqueryui', 'contextmenu_folder'])));


$config['enigma_pgp_homedir'] = '/var/roundcube/enigma';
  1. dovecot extra.conf
remote 172.22.1.0/24 {
  disable_plaintext_auth = no
}
remote fd4d:6169:6c63:6f77::/64 {
  disable_plaintext_auth = no
}

auth_mechanisms = $auth_mechanisms oauthbearer oauth

passdb {
  driver = oauth2
  mechanisms = xoauth2
  args = /etc/dovecot/dovecot-oauth2.conf.ext
}

userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/vmail/%d/%n
}
  1. dovecot dovecot-oauth2.conf.ext
grant_url = https://mail.cow/oauth/token
client_id = clientId
client_secret = clientSecret
introspection_url = https://mail.cow/oauth/profile
introspection_mode = auth
use_grant_password = no
username_attribute = email

@CodeShellDev
Contributor Author

Where exactly did you set the Oauth2 Settings?

@CodeShellDev
Contributor Author

Try adding $config["use_https"] = true and also look for the redirect URI which Roundcube sends in the request's query, by using Developer Mode in your browser (Network tab). See if it matches what you've configured in mailcow (proto is important too).
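
The redirect URI comparison suggested above, as an added example that is not part of the original comment or of the mailcow or Roundcube code: it pulls `redirect_uri` out of an authorize request copied from the browser's Network tab and names the components that differ from the value registered in mailcow. Both URLs are constructed samples; the `index.php/login/oauth` callback path and the `state` value are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: authorize request as copied from the Network tab.
CAPTURED_AUTHORIZE_URL = (
    "https://mail.cow/oauth/authorize?response_type=code&client_id=clientID"
    "&scope=profile&state=constructed-state"
    "&redirect_uri=http%3A%2F%2Fmail.cow%2Findex.php%2Flogin%2Foauth"
)
# Constructed sample: redirect URI entered for the OAuth2 app in the mailcow UI.
REGISTERED_REDIRECT_URI = "https://mail.cow/rc/index.php/login/oauth"


def redirect_uri_from_authorize_url(authorize_url):
    """Return the decoded redirect_uri parameter of a captured authorize request."""
    values = parse_qs(urlsplit(authorize_url).query).get("redirect_uri", [])
    if len(values) != 1:
        raise ValueError("expected exactly one redirect_uri parameter")
    return values[0]


def effective_port(parts):
    """Explicit port, or the default port of the scheme when none is given."""
    return parts.port or DEFAULT_PORTS.get(parts.scheme)


def diff_redirect_uri(sent, registered):
    """List the URL components in which the sent and registered URIs differ.

    An empty list means the strings are identical, which is what an
    exact-match comparison on the provider side requires.
    """
    if sent == registered:
        return []
    a, b = urlsplit(sent), urlsplit(registered)
    problems = []
    if a.scheme != b.scheme:
        problems.append(f"scheme: sent {a.scheme!r}, registered {b.scheme!r}")
    elif effective_port(a) != effective_port(b):
        problems.append(f"port: sent {effective_port(a)}, registered {effective_port(b)}")
    if a.hostname != b.hostname:
        problems.append(f"host: sent {a.hostname!r}, registered {b.hostname!r}")
    if a.path != b.path:
        problems.append(f"path: sent {a.path!r}, registered {b.path!r}")
    if a.query != b.query:
        problems.append(f"query: sent {a.query!r}, registered {b.query!r}")
    if not problems:
        problems.append("spelling: same URL written differently (case, port or encoding)")
    return problems


if __name__ == "__main__":
    sent = redirect_uri_from_authorize_url(CAPTURED_AUTHORIZE_URL)
    for problem in diff_redirect_uri(sent, REGISTERED_REDIRECT_URI):
        print(problem)
```

A scheme difference points at the proxy or `use_https` side, a path difference at the request path (`/rc` in this thread).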

@Gokujo

Gokujo commented Sep 23, 2025

> Where exactly did you set the Oauth2 Settings?

./data/conf/dovecot/dovecot-oauth2.conf.ext

> Try adding $config["use_https"] = true and also look for the redirect URI which Roundcube sends in the request's query, by using Developer Mode in your browser (Network tab). See if it matches what you've configured in mailcow (proto is important too).

When I am at home, I will try it.

@CodeShellDev
Contributor Author

No I mean the oauth config for Roundcube.

@Gokujo

Gokujo commented Sep 24, 2025

> No I mean the oauth config for Roundcube.

<?php
// ----------------------------------
// OAuth
// ----------------------------------

// Enable OAuth2 by defining a provider. Use 'generic' here
$config['oauth_provider'] = 'generic';

// Provider name to be displayed on the login button
$config['oauth_provider_name'] = 'SSO';

// Mandatory: OAuth client ID for your Roundcube installation
// Get this from the oauth2 app in the mailcow UI
$config['oauth_client_id'] = 'clientID';

// Mandatory: OAuth client secret
// Get this from the oauth2 app in the mailcow UI
$config['oauth_client_secret'] = 'clientSecret';

// Mandatory: URI for OAuth user authentication (redirect)
$config['oauth_auth_uri'] = 'https://mail.cow/oauth/authorize';

// Mandatory: Endpoint for OAuth authentication requests (server-to-server)
$config['oauth_token_uri'] = 'https://mail.cow/oauth/token';

// Optional: Endpoint to query user identity if not provided in auth response
$config['oauth_identity_uri'] = 'https://mail.cow/oauth/profile';

// Optional: disable SSL certificate check on HTTP requests to OAuth server
// See http://docs.guzzlephp.org/en/stable/request-options.html#verify for possible values
$config['oauth_verify_peer'] = false;

// Mandatory: OAuth scopes to request (space-separated string)
$config['oauth_scope'] = 'profile';

// Optional: additional query parameters to send with login request (hash array)
$config['oauth_auth_parameters'] = [];

// Optional: array of field names used to resolve the username within the identity information
$config['oauth_identity_fields'] = ['email'];

// Boolean: automatically redirect to OAuth login when opening Roundcube without a valid session
$config['oauth_login_redirect'] = false;
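
A check over the Roundcube settings posted in this thread (the password plugin and `config.docker.inc.php` values earlier, and the OAuth block above), as an added example that is not part of the posts or of the Roundcube or mailcow code: it parses single-line `$config[...]` assignments and reports weak values, skipping driver-specific options whose driver is not selected. The rule set, the messages and the `httpapi` driver name are assumptions; the sample lines are copied from the configs above.

```python
import re

# Constructed sample: security-relevant lines taken from the configs in this thread.
SAMPLE = """\
$config['password_driver'] = 'mailcow';
$config['password_ldap_starttls'] = false;
//$config['password_crypt_rounds'] = 50000;
$config['password_httpapi_method'] = 'POST';
$config['password_mailcow_api_host'] = 'https://mail.cow';
  $config['db_dsnw'] = 'sqlite:////var/roundcube/db/sqlite.db?mode=0646';
$config['oauth_verify_peer'] = false;
"""

ASSIGN = re.compile(
    r"""^\s*\$config\[(['"])(?P<key>[^'"]+)\1\]\s*=\s*(?P<val>.+?);\s*(?://.*)?$"""
)
LITERALS = {"true": True, "false": False, "null": None}


def parse_config(text):
    """Collect single-line scalar $config assignments; later lines win."""
    cfg = {}
    for line in text.splitlines():
        m = ASSIGN.match(line)  # lines commented out with // never match
        if not m:
            continue
        key, raw = m.group("key"), m.group("val").strip()
        if raw.lower() in LITERALS:
            cfg[key] = LITERALS[raw.lower()]
        elif re.fullmatch(r"-?\d+", raw):
            cfg[key] = int(raw)
        elif len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
            cfg[key] = raw[1:-1]
    return cfg


def sqlite_mode_world_writable(dsn):
    """True when the DSN's mode= parameter grants write access to 'others'."""
    m = re.search(r"[?&]mode=(0[0-7]{3})\b", str(dsn))
    return bool(m) and bool(int(m.group(1), 8) & 0o002)


# (key, driver-name prefix that must be selected or None, predicate, finding)
RULES = [
    ("oauth_verify_peer", None, lambda v: v is False,
     "certificate of the OAuth server is not verified"),
    ("db_dsnw", None, sqlite_mode_world_writable,
     "SQLite mode parameter has the world-writable bit set"),
    ("password_mailcow_api_host", "mailcow",
     lambda v: not str(v).startswith("https://"),
     "API token and new passwords are sent without TLS"),
    ("password_httpapi_method", "httpapi",  # driver name is an assumption
     lambda v: str(v).upper() == "GET",
     "passwords appear in the remote web server's access log"),
    ("password_ldap_starttls", "ldap", lambda v: v is False,
     "LDAP password change runs without StartTLS"),
]


def audit(cfg):
    """Return findings for weak values that apply to the selected driver."""
    driver = str(cfg.get("password_driver") or "sql")  # "sql" is the stated default
    findings = []
    for key, scope, is_weak, message in RULES:
        if key not in cfg or (scope and not driver.startswith(scope)):
            continue
        if is_weak(cfg[key]):
            findings.append(f"{key}: {message}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE)):
        print(finding)
```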

@CodeShellDev
Contributor Author

Have you tried debugging what Roundcube is using as Redirect URI?

@Gokujo

Gokujo commented Sep 25, 2025

> Have you tried debugging what Roundcube is using as Redirect URI?

I guess I know what the issue is. When I close my notebook and open it after a period of time, Roundcube tries to check activity not by /rc?_task=mail but by /?_task=mail. It just ignores the /rc/ path on the domain.

But I didn't have time to do this, and I don't think I will have time this and/or next week.

@CodeShellDev
Contributor Author

oh yeah, you need to set request path to /rc...

@CodeShellDev
Contributor Author

ROUNDCUBEMAIL_REQUEST_PATH: /rc

@Gokujo

Gokujo commented Sep 26, 2025

> ROUNDCUBEMAIL_REQUEST_PATH: /rc

#853 (comment)

It was set, but requests are still going to the main domain. I think I will try to take rc on a subdomain.
