Keycloak + MaMilcow SSO Working, but Thunderbird Fails - App Passwords Needed?

enriluis

Hello everyone,

I have successfully integrated Keycloak with Mailcow for authentication. My setup is working partially:

✅ What works:
User creation in Keycloak
Automatic user import/sync to Mailcow
Single Sign-On (SSO) to SOGo webmail via Keycloak works perfectly

❌ What doesn’t work:
Using the same Keycloak password in Thunderbird (or any other email client like Outlook)
IMAP/SMTP authentication fails with “invalid credentials”
My question is: In this Keycloak-Mailcow integration setup, is it necessary to create Application-Specific Passwords for email clients like Thunderbird? Or should the main Keycloak password work directly?
Whats happen with app password when i delete user account from keycloak, it delete user app password too?
it is using openid-connect, for OIDC the same?

esackbauer

enriluis is it necessary to create Application-Specific Passwords for email clients like Thunderbird?

Yes. Because IMAP, SMTP and ActiveSync do not support this kind of integration, they rely on mailcows internal authentication.

enriluis

esackbauer
thanks, so why i can not login in Thunderbird using a app password?
with normal account yes, i do login, but with an account with KC as IDP and an app password not.

esackbauer

enriluis
Are you sure you log in with the mailbox address as username? Do not use keycloaks user names.

enriluis

esackbauer
in KC i use email as username…. it is no the same or this is making some kid of conflict?

enriluis

enriluis
“After troubleshooting, I realized the issue: having ‘login with email as username’ enabled in KC was causing a conflict. I disabled that setting, created a normal account in KC with a simple username and email as email field, and then login with SSO in SoGo, added an app password, configured Thunderbird using this app password. This solution worked! Therefore, enabling ‘login with email as username’ in KC causes a conflict when using app passwords in Mailcow”