Hi, I’m having trouble getting Mailcow to work with Authelia, and the “Error” message I’m getting is very non-descriptive. The error I receive is “Login failed” in the Mailcow UI.
My Authelia conf:

identity_providers:
  oidc:
    ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
    ## See: https://www.authelia.com/c/oidc
    clients:
    - client_id: Random-string # Mailcow
      client_name: mailcow-dockerized
      client_secret: 'random-secret-digest'  
      authorization_policy: 'two_factor'
      redirect_uris:
        - https://mail.mydomain.tld
      scopes:
        - 'openid'
        - 'profile'
        - 'email'
        - 'mailcow_template'
      userinfo_signed_response_alg: 'none'
      token_endpoint_auth_method: 'client_secret_post'

My mailcow Identity Provider conf:

Identity Provider: Generic-OIDC
Authorization endpoint: https://oidc.mydomain.tld/api/oidc/authorization
Token endpoint: https://oidc.mydomain.tld/api/oidc/token
User info endpoint:  https://oidc.mydomain.tld/api/oidc/userinfo
Client ID: Random-string
Client Secret: 'random-secret'
Redirect Url: https://mail.mydomain.tld
Client Scopes: openid profile email mailcow_template

There’s nothing in my Authelia logs other than it initializing mariadb:

authelia-mariadb  | ───────────────────────────────────────
authelia-mariadb  | 
authelia-mariadb  |       ██╗     ███████╗██╗ ██████╗
authelia-mariadb  |       ██║     ██╔════╝██║██╔═══██╗
authelia-mariadb  |       ██║     ███████╗██║██║   ██║
authelia-mariadb  |       ██║     ╚════██║██║██║   ██║
authelia-mariadb  |       ███████╗███████║██║╚██████╔╝
authelia-mariadb  |       ╚══════╝╚══════╝╚═╝ ╚═════╝
authelia-mariadb  | 
authelia-mariadb  |    Brought to you by linuxserver.io
authelia-mariadb  | ───────────────────────────────────────
authelia-mariadb  | 
authelia-mariadb  | To support LSIO projects visit:
authelia-mariadb  | https://www.linuxserver.io/donate/
authelia-mariadb  | 
authelia-mariadb  | ───────────────────────────────────────
authelia-mariadb  | GID/UID
authelia-mariadb  | ───────────────────────────────────────
authelia-mariadb  | 
authelia-mariadb  | User UID:    911
authelia-mariadb  | User GID:    911
authelia-mariadb  | ───────────────────────────────────────
authelia-mariadb  | Linuxserver.io version: 11.4.5-r0-ls178
authelia-mariadb  | Build-date: 2025-03-25T07:44:07+00:00
authelia-mariadb  | ───────────────────────────────────────
authelia-mariadb  |     
authelia-mariadb  | [custom-init] No custom files found, skipping...
authelia-mariadb  | 250326 23:37:23 mysqld_safe Logging to '/config/databases/6f6064ab3590.err'.
authelia-mariadb  | 250326 23:37:23 mysqld_safe Starting mariadbd daemon with databases from /config/databases
authelia-mariadb  | Connection to localhost (::1) 3306 port [tcp/mysql] succeeded!
authelia-mariadb  | 
authelia-mariadb  | 
authelia-mariadb  | 
authelia-mariadb  | #####################################################################################
authelia-mariadb  | #                                                                                   #
authelia-mariadb  | #                             Logrotate Instructions                                #
authelia-mariadb  | #                                                                                   #
authelia-mariadb  | #               Add the following to /config/custom.cnf under [mysqld]:             #
authelia-mariadb  | #                  log_error = /config/log/mysql/mariadb-error.log                  #
authelia-mariadb  | #                                                                                   #
authelia-mariadb  | #                 Login to the SQL shell inside the container using:                #
authelia-mariadb  | #                           mariadb -uroot -p<PASSWORD>                             #
authelia-mariadb  | #                          And run the following command:                           #
authelia-mariadb  | # GRANT ALL ON *.* TO root@localhost IDENTIFIED VIA unix_socket WITH GRANT OPTION ; #
authelia-mariadb  | #                                                                                   #
authelia-mariadb  | #                     Restart the container to apply the changes.                   #
authelia-mariadb  | #                                                                                   #
authelia-mariadb  | #              You can read more about root@localhost permissions here:             #
authelia-mariadb  | #             https://mariadb.com/kb/en/authentication-from-mariadb-10-4/           #
authelia-mariadb  | #                                                                                   #
authelia-mariadb  | #####################################################################################
authelia-mariadb  | 
authelia-mariadb  | 
authelia-mariadb  | 
authelia-mariadb  | 
authelia-mariadb  | 
authelia-mariadb  | 
authelia-mariadb  | #################################################################
authelia-mariadb  | #                                                               #
authelia-mariadb  | #           An upgrade is required on your databases.           #
authelia-mariadb  | #                                                               #
authelia-mariadb  | #         Stop any services that are accessing databases        #
authelia-mariadb  | #          in this container, and then run the command          #
authelia-mariadb  | #                                                               #
authelia-mariadb  | #                   mariadb-upgrade -u root                     #
authelia-mariadb  | #                                                               #
authelia-mariadb  | #################################################################
authelia-mariadb  | 
authelia-mariadb  | 
authelia-mariadb  | 

Snippet from docker compose mailcow-dockerized logs -f

php-fpm-mailcow-1    | 172.22.1.10 -  26/Mar/2025:19:48:15 -0400 "GET /index.php" 302
nginx-mailcow-1      | 192.168.9.4 - - [26/Mar/2025:19:48:15 -0400] "GET /?iam_sso=1 HTTP/1.1" 302 5 "https://mail.mydomain.tld/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36"
watchdog-mailcow-1   | Wed Mar 26 19:48:17 EDT 2025 MySQL/MariaDB health level: 100% (5/5), health trend: 0
nginx-mailcow-1      | 172.22.1.12 - - [26/Mar/2025:19:48:17 -0400] "GET / HTTP/1.1" 200 15 "-" "check_http/v (nagios-plugins 2.4.10)"
watchdog-mailcow-1   | Wed Mar 26 19:48:17 EDT 2025 Nginx health level: 100% (5/5), health trend: 0
watchdog-mailcow-1   | Wed Mar 26 19:48:17 EDT 2025 Unbound health level: 100% (5/5), health trend: 0
php-fpm-mailcow-1    | fd4d:6169:6c63:6f77::f -  26/Mar/2025:19:48:18 -0400 "GET /index.php" 200
nginx-mailcow-1      | 192.168.9.4 - - [26/Mar/2025:19:48:18 -0400] "GET /?code=authelia_ac_ASd2i2T-jZT81asodUDHASUQkuWA_l0bz0QeAzH2U4i-s.XqagWnzg106WC-kts1Xasidj922nZBNa_VIAOANVO&iss=https%3A%2F%2Foidc.mydomain.tld&scope=openid+profile+email+mailcow_template&state=29jf19f91o9a09ac0200a919a0c0nbba0 HTTP/1.1" 200 10796 "https://oidc.mydomain.tld/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36"
php-fpm-mailcow-1    | 172.22.1.10 -  26/Mar/2025:19:48:18 -0400 "GET /json_api.php" 200
nginx-mailcow-1      | 192.168.9.4 - - [26/Mar/2025:19:48:18 -0400] "GET /api/v1/get/passwordpolicy/html HTTP/1.1" 200 31 "https://mail.mydomain.tld/?code=authelia_ac_Wk5d8jg2T-jZT817YC1BLQkuWA_l0bz0QeAzH2U4i-s.XqagWnzg106WC-kts1Xg67wpP8EonZBNa_VIAOANVO&iss=https%3A%2F%2Foidc.mydomain.tld&scope=openid+profile+email+mailcow_template&state=29jf19f91o9a09ac0200a919a0c0nbba0" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36"
dovecot-mailcow-1    | Mar 26 19:48:19 a767a884fd52 dovecot: lmtp(8271): Connect from 172.22.1.12
dovecot-mailcow-1    | Mar 26 19:48:20 a767a884fd52 dovecot: auth-worker(9102): conn unix:auth-worker (pid=129,uid=401): auth-worker<1>: sql(watchdog@invalid,172.22.1.12): unknown user 
dovecot-mailcow-1    | Mar 26 19:48:20 a767a884fd52 dovecot: lmtp(8271): Disconnect from 172.22.1.12: Logged out (state=MAIL FROM)
dovecot-mailcow-1    | Mar 26 19:48:20 a767a884fd52 dovecot: imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=172.22.1.12, lip=172.22.1.250, TLS: Connection closed, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
dovecot-mailcow-1    | Mar 26 19:48:20 a767a884fd52 dovecot: imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=172.22.1.12, lip=172.22.1.250
dovecot-mailcow-1    | Mar 26 19:48:20 a767a884fd52 dovecot: managesieve-login: Disconnected: Connection closed (no auth attempts in 0 secs): user=<>, rip=172.22.1.12, lip=172.22.1.250
watchdog-mailcow-1   | Wed Mar 26 19:48:20 EDT 2025 Dovecot health level: 100% (12/12), health trend: 0
php-fpm-mailcow-1    | fd4d:6169:6c63:6f77::f -  26/Mar/2025:19:48:20 -0400 "HEAD /settings.php" 304
nginx-mailcow-1      | 172.22.1.9 - - [26/Mar/2025:19:48:20 -0400] "HEAD /settings.php HTTP/1.1" 304 0 "-" "rspamd-3.11.1"
dovecot-mailcow-1    | Mar 26 19:48:21 a767a884fd52 dovecot: imap(user@mydomain.tld)<8833><o1CbYUcxPq7AqAcD>: Disconnected: Logged out in=690 out=8012 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=1 body_bytes=4898
dovecot-mailcow-1    | Mar 26 19:48:21 a767a884fd52 dovecot: imap(user@mydomain.tld)<6797><xEOdz0YxqKfAqAcD>: Disconnected: Logged out in=200 out=3308 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
php-fpm-mailcow-1    | [26-Mar-2025 19:48:21] WARNING: [pool system-worker] child 36 said into stderr: "NOTICE: PHP message: MAILCOWAUTH: App auth for user user@mydomain.tld"
php-fpm-mailcow-1    | 172.22.1.10 -  26/Mar/2025:19:48:21 -0400 "POST /mailcowauth.php" 200
nginx-mailcow-1      | 172.22.1.250 - - [26/Mar/2025:19:48:21 -0400] "POST / HTTP/1.1" 200 27 "-" "LuaSocket 3.0.0"
dovecot-mailcow-1    | Mar 26 19:48:21 a767a884fd52 dovecot: imap-login: Login: user=<user@mydomain.tld>, method=PLAIN, rip=192.168.2.3, lip=172.22.1.250, mpid=9108, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
watchdog-mailcow-1   | Wed Mar 26 19:48:24 EDT 2025 Redis health level: 100% (5/5), health trend: 0
php-fpm-mailcow-1    | fd4d:6169:6c63:6f77::f -  26/Mar/2025:19:48:25 -0400 "GET /index.php" 200
rspamd-mailcow-1     | 2025-03-26 19:48:31 #40(controller) <561879>; csession; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 0 regexps matched, 3589 regexps total, 2598 regexps cached, 0B scanned using pcre, 102B scanned total
watchdog-mailcow-1   | Wed Mar 26 19:48:31 EDT 2025 Rspamd health level: 100% (5/5), health trend: 0
watchdog-mailcow-1   | Wed Mar 26 19:48:33 EDT 2025 Ratelimit health level: 100% (1/1), health trend: 0
watchdog-mailcow-1   | Wed Mar 26 19:48:34 EDT 2025 Postfix health level: 100% (8/8), health trend: 0
watchdog-mailcow-1   | Wed Mar 26 19:48:36 EDT 2025 Olefy health level: 100% (5/5), health trend: 0
ofelia-mailcow-1     | 2025-03-26T19:48:37.098-04:00  common.go:125 ▶ NOTICE [Job "sogo_sessions" (bca4bd50d864)] Started - /bin/bash -c "[[ ${MASTER} == y ]] && /usr/local/bin/gosu sogo /usr/sbin/sogo-tool -v expire-sessions ${SOGO_EXPIRE_SESSION} || exit 0"
ofelia-mailcow-1     | 2025-03-26T19:48:37.098-04:00  common.go:125 ▶ NOTICE [Job "phpfpm_keycloak_sync" (487660c405ed)] Started - /bin/bash -c "php /crons/keycloak-sync.php || exit 0"
ofelia-mailcow-1     | 2025-03-26T19:48:37.104-04:00  common.go:125 ▶ NOTICE [Job "phpfpm_ldap_sync" (420eddbd57b1)] Started - /bin/bash -c "php /crons/ldap-sync.php || exit 0"
ofelia-mailcow-1     | 2025-03-26T19:48:37.108-04:00  common.go:125 ▶ NOTICE [Job "sogo_ealarms" (5dd6e1ed8eb1)] Started - /bin/bash -c "[[ ${MASTER} == y ]] && /usr/local/bin/gosu sogo /usr/sbin/sogo-ealarms-notify -p /etc/sogo/cron.creds || exit 0"
ofelia-mailcow-1     | 2025-03-26T19:48:37.112-04:00  common.go:125 ▶ NOTICE [Job "dovecot_imapsync_runner" (b28e2b08cfc2)] Started - /bin/bash -c "[[ ${MASTER} == y ]] && /usr/local/bin/gosu nobody /usr/local/bin/imapsync_runner.pl || exit 0"
ofelia-mailcow-1     | 2025-03-26T19:48:37.116-04:00  common.go:125 ▶ NOTICE [Job "dovecot_trim_logs" (60c934535e1c)] Started - /bin/bash -c "[[ ${MASTER} == y ]] && /usr/local/bin/gosu vmail /usr/local/bin/trim_logs.sh || exit 0"
ofelia-mailcow-1     | 2025-03-26T19:48:37.282-04:00  common.go:125 ▶ NOTICE [Job "dovecot_trim_logs" (60c934535e1c)] Finished in "165.624406ms", failed: false, skipped: false, error: none
ofelia-mailcow-1     | 2025-03-26T19:48:37.282-04:00  common.go:125 ▶ NOTICE [Job "sogo_ealarms" (5dd6e1ed8eb1)] Finished in "173.231258ms", failed: false, skipped: false, error: none
ofelia-mailcow-1     | 2025-03-26T19:48:37.333-04:00  common.go:125 ▶ NOTICE [Job "dovecot_imapsync_runner" (b28e2b08cfc2)] Finished in "221.192494ms", failed: false, skipped: false, error: none
ofelia-mailcow-1     | 2025-03-26T19:48:37.336-04:00  common.go:125 ▶ NOTICE [Job "phpfpm_keycloak_sync" (487660c405ed)] Finished in "238.232589ms", failed: false, skipped: false, error: none
ofelia-mailcow-1     | 2025-03-26T19:48:37.341-04:00  common.go:125 ▶ NOTICE [Job "phpfpm_ldap_sync" (420eddbd57b1)] Finished in "236.798849ms", failed: false, skipped: false, error: none
ofelia-mailcow-1     | 2025-03-26T19:48:37.359-04:00  common.go:125 ▶ NOTICE [Job "sogo_sessions" (bca4bd50d864)] StdErr: 2025-03-26 19:48:37.352 sogo-tool[4836:4836] Remove all sessions older than 480 min
ofelia-mailcow-1     | 2025-03-26 19:48:37.356 sogo-tool[4836:4836] No session to remove
ofelia-mailcow-1     | 2025-03-26T19:48:37.359-04:00  common.go:125 ▶ NOTICE [Job "sogo_sessions" (bca4bd50d864)] Finished in "260.685914ms", failed: false, skipped: false, error: none
php-fpm-mailcow-1    | 172.22.1.10 -  26/Mar/2025:19:48:41 -0400 "HEAD /forwardinghosts.php" 200
nginx-mailcow-1      | 172.22.1.9 - - [26/Mar/2025:19:48:41 -0400] "HEAD /forwardinghosts.php HTTP/1.1" 200 0 "-" "rspamd-3.11.1"
php-fpm-mailcow-1    | 172.22.1.10 -  26/Mar/2025:19:48:41 -0400 "GET /forwardinghosts.php" 200
nginx-mailcow-1      | fd4d:6169:6c63:6f77::e - - [26/Mar/2025:19:48:41 -0400] "GET /forwardinghosts.php HTTP/1.1" 200 27 "-" "rspamd-3.11.

Forgot to mention, the connection test in the Mailcow UI gives “Connection Successful”, and the domain does exist within mailcow

If I make a new user within Authelia it appears that no issue occurs and it makes the account successfully, but for existing users it just throws this generic error. Is this a bug?

Okay, I’ve figured out the issue somewhat.

You need to edit the user to allow them to log into Mailcow with Generic-OIDC, and they can NOT log in if the OIDC uses an Alias.
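
An added example, not part of the original posts and not mailcow or Authelia code: it reads nginx access-log lines shaped like the ones posted above, checks whether the OIDC authorization-code redirect came back with the expected issuer and scopes, and redacts the `code` and `state` values before the lines are shared. The hostnames, code and state values in the sample are constructed, and `trace_oidc_flow` is a hypothetical name.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in the shape of the nginx-mailcow access log above.
SAMPLE_LOG = '''\
nginx-mailcow-1 | 192.168.9.4 - - [26/Mar/2025:19:48:15 -0400] "GET /?iam_sso=1 HTTP/1.1" 302 5 "https://mail.example.test/" "UA"
nginx-mailcow-1 | 192.168.9.4 - - [26/Mar/2025:19:48:18 -0400] "GET /?code=authelia_ac_CONSTRUCTED&iss=https%3A%2F%2Foidc.example.test&scope=openid+profile+email+mailcow_template&state=abc123 HTTP/1.1" 200 10796 "https://oidc.example.test/" "UA"
'''

# Request target and status code from a combined-format access-log line.
REQUEST = re.compile(r'"GET (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')


def trace_oidc_flow(log_text, expected_issuer, expected_scopes):
    """Summarise the authorization-code flow visible in the access log."""
    result = {"sso_started": False, "callback_seen": False, "issuer_ok": None,
              "missing_scopes": None, "provider_error": None, "redacted": []}
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m["target"]).query)
        if query.get("iam_sso") == ["1"] and m["status"] == "302":
            # mailcow redirected the browser to the identity provider.
            result["sso_started"] = True
        elif "error" in query:
            # The provider refused the request and said why in the redirect.
            result["provider_error"] = query["error"][0]
        elif "code" in query and "state" in query:
            # The provider authorised the user and sent the browser back.
            result["callback_seen"] = True
            result["issuer_ok"] = query.get("iss", [None])[0] == expected_issuer
            granted = set(query.get("scope", [""])[0].split())
            result["missing_scopes"] = sorted(set(expected_scopes) - granted)
            # Authorization codes and state are credentials: redact before sharing.
            result["redacted"].append(
                re.sub(r'(code|state)=[^&\s"]+', r'\1=REDACTED', line))
    return result


if __name__ == "__main__":
    print(trace_oidc_flow(SAMPLE_LOG, "https://oidc.example.test",
                          ["openid", "profile", "email", "mailcow_template"]))
```

When the callback is seen with the right issuer, no missing scopes and no provider error, the browser-side redirect completed; the token and userinfo requests run server to server and do not appear in this access log, so a "Login failed" at that point has to be diagnosed on the mailcow side.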
