OK, so I think I have done it. I think I correctly set up SSO with Roundcube, so I am going to share all of my knowledge:
Before going on…

`mail.yourdomain.com` is your mailcow host (make sure to use HTTPS).

You need Roundcube running in a separate container. Your `docker-compose.yml` should look like this:
```yaml
roundcube:
  image: roundcube/roundcubemail:latest
  container_name: roundcube
  environment:
    DBROUNDCUBE: ${DBROUNDCUBE}
    IPV4_NETWORK: ${IPV4_NETWORK:-172.22.1}
    IPV6_NETWORK: ${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64}
    ROUNDCUBEMAIL_DB_TYPE: mysql
    ROUNDCUBEMAIL_DB_HOST: mysql
    ROUNDCUBEMAIL_DB_USER: roundcube
    ROUNDCUBEMAIL_DB_PASSWORD: ${DBROUNDCUBE}
    ROUNDCUBEMAIL_DB_NAME: roundcubemail
    ROUNDCUBEMAIL_DEFAULT_HOST: ssl://dovecot:143
    ROUNDCUBEMAIL_SMTP_SERVER: ssl://postfix:587
    ROUNDCUBEMAIL_PLUGINS: dovecot_client_ip, archive, managesieve, acl, markasjunk, zipdownload
    ROUNDCUBEMAIL_COMPOSER_PLUGINS: "foorschtbar/dovecot_client_ip:~2"
  labels:
    - traefik.enable=true
    - traefik.http.routers.roundcube-mail-secure.entrypoints=websecure
    - traefik.http.routers.roundcube-mail-secure.rule=Host(`roundcube.yourdomain.com`)
    - traefik.http.routers.roundcube-mail-secure.tls=true
    - traefik.http.routers.roundcube-mail-secure.tls.certresolver=cloudflare
    - traefik.http.routers.roundcube-mail-secure.service=roundcube-svc
    - traefik.http.services.roundcube-svc.loadbalancer.server.port=80
    - traefik.docker.network=frontend
  volumes:
    - ./data/rc/html:/var/www/html
    - ./data/rc/config:/var/roundcube/config
    - ./data/rc/db:/var/roundcube/db
  depends_on:
    - mysql-mailcow
    - dovecot-mailcow
  restart: unless-stopped
  networks:
    mailcow-network:
      aliases:
        - roundcube
    proxy:
```
Create an OAuth2 app

i. navigate to Admin > OAuth2 Apps
ii. now create an OAuth2 App and set the redirect URI to `https://roundcube.yourdomain.com/index.php/login/oauth`
iii. take note of the client ID and the client secret

Create `config.oauth.inc.php` (inside of Roundcube's config folder):
```php
<?php
// ----------------------------------
// OAuth
// ----------------------------------
// Enable OAuth2 by defining a provider. Use 'generic' here
$config['oauth_provider'] = 'generic';
// Provider name to be displayed on the login button
$config['oauth_provider_name'] = 'SSO';
// Mandatory: OAuth client ID for your Roundcube installation
// Get this from the oauth2 app in the mailcow UI
$config['oauth_client_id'] = 'your_client_id';
// Mandatory: OAuth client secret
// Get this from the oauth2 app in the mailcow UI
$config['oauth_client_secret'] = 'your_client_secret';
// Mandatory: URI for OAuth user authentication (redirect)
$config['oauth_auth_uri'] = 'https://mail.yourdomain.com/oauth/authorize';
// Mandatory: Endpoint for OAuth authentication requests (server-to-server)
$config['oauth_token_uri'] = 'https://mail.yourdomain.com/oauth/token';
// Optional: Endpoint to query user identity if not provided in auth response
$config['oauth_identity_uri'] = 'https://mail.yourdomain.com/oauth/profile';
// Optional: disable SSL certificate check on HTTP requests to OAuth server
// See http://docs.guzzlephp.org/en/stable/request-options.html#verify for possible values
// Note: false turns off TLS certificate verification for the token and profile requests;
// keep the default (true) unless Roundcube cannot validate the mailcow certificate
$config['oauth_verify_peer'] = false;
// Mandatory: OAuth scopes to request (space-separated string)
$config['oauth_scope'] = 'profile';
// Optional: additional query parameters to send with login request (hash array)
$config['oauth_auth_parameters'] = [];
// Optional: array of field names used to resolve the username within the identity information
$config['oauth_identity_fields'] = ['email'];
// Boolean: automatically redirect to OAuth login when opening Roundcube without a valid session
$config['oauth_login_redirect'] = false;
```
Now when going to your Roundcube main page you will see an "SSO" button.
Set up Dovecot to work with OAuth

i. add this to your `extra.conf` file inside of `mailcow/data/conf/dovecot`:

```
passdb {
  driver = oauth2
  mechanisms = xoauth2
  args = /etc/dovecot/dovecot-oauth2.conf.ext
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/vmail/%d/%n
}
```
ii. create `dovecot-oauth2.conf.ext` inside of `mailcow/data/conf/dovecot`:

```
grant_url = https://mail.yourdomain.com/oauth/token
client_id = your_client_id
client_secret = your_client_secret
introspection_url = https://mail.yourdomain.com/oauth/profile
introspection_mode = auth
use_grant_password = no
username_attribute = email
```
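To make the Dovecot side of this setup concrete, here is an added Python model (not code from the post, from mailcow or from Dovecot) of what `passdb { driver = oauth2 }` does with the config above: it parses `dovecot-oauth2.conf.ext`, decodes the XOAUTH2 initial response Roundcube sends over IMAP, shows the request Dovecot issues for `introspection_mode = auth`, and accepts the login only when the profile's `username_attribute` matches the SASL user. The profile JSON, the token and the credentials are constructed placeholders.

```python
import base64

# Constructed sample: the dovecot-oauth2.conf.ext from the post, placeholder credentials.
DOVECOT_OAUTH2_CONF = """\
grant_url = https://mail.yourdomain.com/oauth/token
client_id = your_client_id
client_secret = your_client_secret
introspection_url = https://mail.yourdomain.com/oauth/profile
introspection_mode = auth
use_grant_password = no
username_attribute = email
"""
# Constructed sample: assumed JSON from /oauth/profile for a valid token (only 'email' is used).
PROFILE_RESPONSE = {"email": "alice@yourdomain.com", "full_name": "Alice"}

def parse_oauth2_conf(text):
    """Parse the 'key = value' lines of dovecot-oauth2.conf.ext into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def xoauth2_initial_response(user, token):
    """Build the XOAUTH2 SASL initial client response as the IMAP client sends it."""
    raw = f"user={user}\x01auth=Bearer {token}\x01\x01".encode()
    return base64.b64encode(raw).decode()

def parse_xoauth2(initial_response):
    """Server side: recover (user, bearer token) from the SASL initial response."""
    raw = base64.b64decode(initial_response).decode()
    fields = dict(part.split("=", 1) for part in raw.split("\x01") if part)
    scheme, _, token = fields["auth"].partition(" ")
    if scheme != "Bearer":
        raise ValueError("unsupported auth scheme in XOAUTH2 response")
    return fields["user"], token

def introspection_request(conf, token):
    """The request Dovecot issues for introspection_mode = auth: GET with the token as Bearer."""
    return {"method": "GET", "url": conf["introspection_url"],
            "headers": {"Authorization": f"Bearer {token}"}}

def authenticate(conf, initial_response, profile):
    """Model the passdb decision: the profile's username_attribute must equal the SASL user,
    otherwise a valid token for one mailbox would be accepted for a different mailbox."""
    user, _token = parse_xoauth2(initial_response)
    return profile.get(conf["username_attribute"]) == user
```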