Summary #
In this blog post, I talk about the problems I faced when trying to connect authentik with mailcow and Roundcube. I will explain what went wrong and how I fixed it, hoping to help others dealing with similar issues.
Please note that this blog post DOES NOT provide step-by-step instructions; it offers insights gained from troubleshooting the issues I encountered.
You must already have created an application in Authentik and have a working installation of Mailcow with Roundcube.
Introduction #
Mailcow #
Mailcow is an open-source email server solution, designed for Docker, that simplifies the setup of email services on Linux.
Authentik #
Authentik is an identity provider for Single-Sign-on (SSO) focused on ease of use.
Roundcube #
Roundcube is a web-based IMAP email client. Roundcube’s most prominent feature is the pervasive use of Ajax technology.
Problems #
404 Not Found on Roundcube #
Once a user has logged in via SSO, the redirect lands on a 404 Not Found page. The URL is similar to the one below:
https://webmail.local.home/rc/index.php/login/oauth?code=fc031dfe6a7e4060a407c7be99a85aa8&state=KGK1Hto3XfFB
This error comes from the nginx rule that decides which requests are handed to PHP-FPM: the Roundcube OAuth callback URL has a path component after index.php, and that shape was not being matched.
Below is the PHP location block from Mailcow:
location ~ \.php$ {
    # try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass phpfpm:9002;
    fastcgi_index index.php;
    include /etc/nginx/fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_read_timeout 3600;
    fastcgi_send_timeout 3600;
}
The error here is the match pattern location ~ \.php$: it only matches URIs that end in .php, so a request such as /rc/index.php/login/oauth (where Roundcube puts the OAuth callback path after the script name) never reaches this block and nginx answers 404. To fix this I replaced it with location ~ [^/]\.php(/|$), which matches .php followed by either a slash or the end of the URI, so the fastcgi_split_path_info line below can split the script name from PATH_INFO.
So your PHP location block should be like this:
location ~ [^/]\.php(/|$) {
    # try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass phpfpm:9002;
    fastcgi_index index.php;
    include /etc/nginx/fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_read_timeout 3600;
    fastcgi_send_timeout 3600;
}
To load the changes run:
docker compose restart nginx-mailcow
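To see why the original pattern produced the 404 and the replacement does not, here is a small check I added for this post (it is not part of Mailcow or Roundcube). It runs the two location regexes and the fastcgi_split_path_info regex from the block above over a few constructed request URIs using Python's re module as a stand-in for nginx's PCRE engine; these particular patterns behave the same in both.

```python
import re

# The two `location ~` regexes from the mailcow PHP block: the original that
# produced the 404 and the replacement that fixed it.
ORIGINAL_LOCATION = r"\.php$"
FIXED_LOCATION = r"[^/]\.php(/|$)"
# The fastcgi_split_path_info regex from the same block.
SPLIT_PATH_INFO = r"^(.+\.php)(/.+)$"


def strip_query(uri):
    """nginx matches `location` against $uri, which carries no query string."""
    return uri.split("?", 1)[0]


def location_matches(pattern, uri):
    """`location ~` is an unanchored, case-sensitive regex search over the path."""
    return re.search(pattern, strip_query(uri)) is not None


def split_path_info(uri):
    """Reproduce fastcgi_split_path_info: returns ($fastcgi_script_name, $fastcgi_path_info).
    Without a trailing path component the whole URI is the script and PATH_INFO is empty."""
    path = strip_query(uri)
    m = re.match(SPLIT_PATH_INFO, path)
    if m is None:
        return path, ""
    return m.group(1), m.group(2)


def routing_report(uris):
    """For each URI: (original regex matches, fixed regex matches).
    A match means the request is handed to PHP-FPM; no match means it falls
    through to other location blocks, which for the OAuth callback meant 404."""
    return {
        strip_query(u): (
            location_matches(ORIGINAL_LOCATION, u),
            location_matches(FIXED_LOCATION, u),
        )
        for u in uris
    }


# Constructed sample requests; the first has the shape of the Roundcube OAuth callback.
SAMPLE_URIS = [
    "/rc/index.php/login/oauth?code=CODE&state=STATE",  # callback: script name + PATH_INFO
    "/rc/index.php",                                     # plain script request
    "/rc/.php",                                          # a file literally named ".php"; [^/] rejects it
    "/rc/index.php.bak",                                 # backup copy: neither pattern executes it
]

if __name__ == "__main__":
    for uri, (old, new) in routing_report(SAMPLE_URIS).items():
        print(f"{uri:28} original={'php' if old else 'no match'}  fixed={'php' if new else 'no match'}")
    print(split_path_info(SAMPLE_URIS[0]))
```

Run it as-is and the callback URI shows up as unmatched by the original pattern and matched by the fixed one, while index.php.bak stays unmatched by both, which is the behaviour you want from the replacement.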
SASL Auth Error #
If you encounter this problem, something is wrong with your Dovecot OAuth2 configuration. Below are the configurations I used to fix it.
- cd to /opt/mailcow-dockerized/data/conf/dovecot
- Edit extra.conf and add the config below:
# this is for oauth auth
passdb {
  driver = oauth2
  mechanisms = xoauth2 oauthbearer
  args = /etc/dovecot/dovecot-oauth2.conf.ext
}
# this is for plain auth
passdb {
  driver = oauth2
  mechanisms = plain login
  args = /etc/dovecot/dovecot-oauth2.plain.conf.ext
}
- Create /opt/mailcow-dockerized/data/conf/dovecot/dovecot-oauth2.conf.ext and use the config below:
tokeninfo_url = https://authentik.domain/application/o/userinfo/?access_token=
introspection_url = https://client_id:client_secret@authentik.domain/application/o/introspect/
openid_configuration_url = https://authentik.domain/application/o/app_name/.well-known/openid-configuration
introspection_mode = auth
username_attribute = email
- Create /opt/mailcow-dockerized/data/conf/dovecot/dovecot-oauth2.plain.conf.ext and use the config below:
openid_configuration_url = https://authentik.domain/application/o/app_name/.well-known/openid-configuration
tokeninfo_url = https://authentik.domain/application/o/userinfo/?access_token=
client_id =
client_secret =
introspection_url = https://client_id:client_secret@authentik.domain/application/o/introspect/
introspection_mode = post
use_grant_password = yes
### remove debug after testing
debug = yes
###
username_attribute = email
pass_attrs = pass=%{oauth2:access_token}
active_attribute = active
force_introspection = yes
active_value = true
- Edit /opt/mailcow-dockerized/data/conf/dovecot/dovecot.conf and modify auth_mechanisms. The final result should look like this:
auth_mechanisms = plain oauthbearer xoauth2
- Restart the container:
docker compose restart dovecot-mailcow
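When the SASL error persists after these changes, the quickest way to narrow it down is to check what the introspection step actually does with the settings in dovecot-oauth2.plain.conf.ext. The script below is an added example for this post, not Dovecot's or authentik's code: it builds the request that the post introspection mode sends (the request shape follows the Dovecot oauth2 passdb documentation as I understand it, so treat it as an assumption), turning the client_id:client_secret part of the URL into HTTP Basic client authentication, and then applies the active_attribute, active_value and username_attribute rules from the config to a few constructed introspection responses. The client_id and client_secret values are placeholders, since the post leaves them blank.

```python
import base64
import json
from urllib.parse import urlsplit, urlunsplit

# Settings copied from the post's dovecot-oauth2.plain.conf.ext. The post leaves
# client_id/client_secret empty, so "client_id"/"client_secret" are constructed placeholders.
INTROSPECTION_URL = "https://client_id:client_secret@authentik.domain/application/o/introspect/"
INTROSPECTION_MODE = "post"
USERNAME_ATTRIBUTE = "email"
ACTIVE_ATTRIBUTE = "active"
ACTIVE_VALUE = "true"


def build_introspection_request(introspection_url, token):
    """Build the HTTP request for introspection_mode = post (assumption: shape per the
    Dovecot oauth2 passdb documentation). The user:password part of the URL becomes
    HTTP Basic client authentication and is stripped from the URL that is requested."""
    parts = urlsplit(introspection_url)
    if not parts.username or not parts.password:
        raise ValueError("introspection_url must carry client_id:client_secret@ before the host")
    creds = base64.b64encode(f"{parts.username}:{parts.password}".encode()).decode()
    netloc = parts.hostname if parts.port is None else f"{parts.hostname}:{parts.port}"
    return {
        "method": "POST",
        "url": urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment)),
        "headers": {
            "Authorization": f"Basic {creds}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": f"token={token}",
    }


def evaluate_introspection(body):
    """Apply the passdb's active/username checks to an introspection response.
    Returns the username Dovecot would log the user in as, or None when auth fails."""
    data = json.loads(body) if isinstance(body, (str, bytes)) else body
    # active_attribute / active_value: compare the JSON value as a string.
    if str(data.get(ACTIVE_ATTRIBUTE, "")).lower() != ACTIVE_VALUE:
        return None  # token revoked, expired or unknown to the provider
    username = data.get(USERNAME_ATTRIBUTE)
    if not username:
        return None  # active token but no `email` attribute: login still fails
    return username


# Constructed introspection responses, named after the situation each represents.
SAMPLE_RESPONSES = {
    "valid":    '{"active": true, "email": "alice@example.test", "scope": "openid email"}',
    "expired":  '{"active": false}',
    "no_email": '{"active": true, "sub": "alice", "scope": "openid"}',
}

if __name__ == "__main__":
    req = build_introspection_request(INTROSPECTION_URL, "TOKEN-PLACEHOLDER")
    print(req["method"], req["url"], "Authorization:", req["headers"]["Authorization"][:12] + "...")
    for name, body in SAMPLE_RESPONSES.items():
        print(f"{name:9} -> {evaluate_introspection(body)!r}")
```

The no_email case is the one worth remembering: an access token can be perfectly valid and still fail Dovecot's passdb, because username_attribute = email means the introspection response must carry an email attribute for the user. With debug = yes enabled as in the config above, the response body is logged, so comparing it against these three cases tells you which side of the exchange is misconfigured.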
I hope this helps.