Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Search
Skins
  • Light
  • Brite
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (No Skin)
  • No Skin
Collapse
Brand Logo

Cloudron Forum

Apps - Status | Demo | Docs | Install
  1. Cloudron Forum
  2. Feature Requests
  3. OAuth2/OIDC + MFA support for Cloudron Mail clients

OAuth2/OIDC + MFA support for Cloudron Mail clients

Scheduled Pinned Locked Moved Feature Requests
7 Posts 5 Posters 410 Views 6 Watching
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • F Offline
    F Offline
    Finn
    wrote on last edited by
    #1

    Hi,

    would it be possible to add modern authentication support for Cloudron Mail?

    Cloudron already supports 2FA for the user account, but external mail clients using IMAP/SMTP still authenticate with either the platform password or an app password. App passwords are useful, but they are still just single-factor secrets.

    It would be great if Cloudron Mail could support OAuth2/OIDC for IMAP/SMTP, so mail clients can use an MFA-capable login flow similar to Microsoft 365 or Google Workspace.

    Useful options could be:

    OAuth2/OIDC login for IMAP/SMTP
    app passwords as fallback for legacy clients
    admin option to disable platform-password login for mail
    per-client/device revocation

    This would make Cloudron Mail much more attractive for business use cases where password-only mail access is a security concern.

    Thanks!

    1 Reply Last reply
    6
    • jamesJ Online
      jamesJ Online
      james
      Staff
      wrote on last edited by
      #2

      Hello @finn and welcome to the Cloudron forum

      Since the future release of Cloudron 10 already does touch the Mail system of Cloudron, this might be something we could add.

      1 Reply Last reply
      4
      • F Offline
        F Offline
        Finn
        wrote on last edited by
        #3

        Hello @james, this is great to hear!

        If it turns out that this cannot be added in time for the Cloudron 10 release, it would already be very helpful to at least have an option to disable the platform password for mail login, so users are required to use app passwords instead.

        1 Reply Last reply
        5
        • C Offline
          C Offline
          charlesnw
          wrote last edited by
          #4

          I second this request . My board of directors is concerned about the lack of 2fa on mail. I am glad that all of the other parts and apps of cloudron are fully protected (alas we can’t set password policies , but the 2fa requirement gets us an exception).

          What are the blockers here ? Does roundcube support OIdC ? Would work need to be done in the cloudron core authentication / groups / permission layer ?

          1 Reply Last reply
          1
          • fbartelsF Offline
            fbartelsF Offline
            fbartels
            App Dev
            wrote last edited by
            #5

            I think the main holdup is that there are hardly any mail clients out there that can make use of oauth 2.0 with providers other than google/microsoft/... I think the best way for now is to only allow app password logins for imap/smtp connections.

            robiR 1 Reply Last reply
            0
            • fbartelsF fbartels

              I think the main holdup is that there are hardly any mail clients out there that can make use of oauth 2.0 with providers other than google/microsoft/... I think the best way for now is to only allow app password logins for imap/smtp connections.

              robiR Offline
              robiR Offline
              robi
              wrote last edited by
              #6

              @fbartels so basically let your agents handle mail via API? πŸ™‚

              Conscious tech

              fbartelsF 1 Reply Last reply
              0
              • robiR robi

                @fbartels so basically let your agents handle mail via API? πŸ™‚

                fbartelsF Offline
                fbartelsF Offline
                fbartels
                App Dev
                wrote last edited by
                #7

                @robi how did you land at "api"?

                If you want an ai agent to handle your inbox then there are probably better apis than the imap protocol, yes. but that is a different topic to oidc and mfa.

                1 Reply Last reply
                0

                Hello! It looks like you're interested in this conversation, but you don't have an account yet.

                Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.

                With your input, this post could be even better πŸ’—

                Register Login
                Reply
                • Reply as topic
                Log in to reply
                • Oldest to Newest
                • Newest to Oldest
                • Most Votes


                • Login

                • Don't have an account? Register

                • Login or register to search.
                • First post
                  Last post
                0
                • Categories
                • Recent
                • Tags
                • Popular
                • Bookmarks
                • Search