Application and/or Groups Passwords for Mailboxes
-
Lets say I want to setup some shared mailboxes:
- accounts@
- marketing@
- developers@
- hr@
Common usage in setting up Help Desk client apps, so it needs to be Mailboxes and not Mailing Lists, then departmental email visibility is segregated, especially important with a shared mailbox like hr@ can contain private personnel information.
Currently I have to select a User and then that's the mailbox password - but then that user's password has to be used in mail clients, and needs to also be shared with other system admins - but it would be a user password being shared.
The only workaround I can see is setting up these generic users with my email address and setting the passwords up that way and selecting those as the mailbox owners - but then that's unnecessary user accounts.
An alternative to Application and/or Groups Passwords could just be to setup these mailbox users in a group that has no Dashboard access, since these users are just for mail clients. How to change the passwords in that context still needs considering or to remain available though.
A creative solution could be to allow multiple user owners for Mailboxes, if that would allow for each user to use their own password for mailbox connection and therefore revoking the user would revoke their access to these group mailboxes but I suspect that might be hacky behind the scenes.
Searching I didn't find anyone else with this use-case or need strangely, but it seems a pretty standard thing I just expected so maybe I'm missing something?
Web Design https://www.evergreen.je
Development https://brandlight.org
Life https://marcusquinn.com -
Lets say I want to setup some shared mailboxes:
- accounts@
- marketing@
- developers@
- hr@
Common usage in setting up Help Desk client apps, so it needs to be Mailboxes and not Mailing Lists, then departmental email visibility is segregated, especially important with a shared mailbox like hr@ can contain private personnel information.
Currently I have to select a User and then that's the mailbox password - but then that user's password has to be used in mail clients, and needs to also be shared with other system admins - but it would be a user password being shared.
The only workaround I can see is setting up these generic users with my email address and setting the passwords up that way and selecting those as the mailbox owners - but then that's unnecessary user accounts.
An alternative to Application and/or Groups Passwords could just be to setup these mailbox users in a group that has no Dashboard access, since these users are just for mail clients. How to change the passwords in that context still needs considering or to remain available though.
A creative solution could be to allow multiple user owners for Mailboxes, if that would allow for each user to use their own password for mailbox connection and therefore revoking the user would revoke their access to these group mailboxes but I suspect that might be hacky behind the scenes.
Searching I didn't find anyone else with this use-case or need strangely, but it seems a pretty standard thing I just expected so maybe I'm missing something?
-
@marcusquinn Just setup an alias and add the users in question to it.
@murgero that doesn't work. FreeScout is Cloudron app, so that can be the example, it needs one or more mailboxes to connect too.
Let's say you setup a
customerservices@domain.commailbox.Now, what Cloudron User to you assign to that mailbox?
If I use my user, now my Cloudron password is saved in FreeScout.
Let's say I'm off-duty and another sys admin has an issue and need to re-add the password in FreeScout. Do they use my password or change that mailbox to be their username?
But let's say EspoCRM also has that mailbox setup, they have to change it there too now.
The current data-relationship is One User to Many Mailboxes but it needs to be either Many to Many or there should be Application Passwords, which can probably still be Cloudron users behind the scenes but then you need to attach an email address to receive the password set/reset email.
I guess that email address could be changed by any Sys Admin to their own if they need to change the password for any reason.
Right now, that's the only way to create an independent password for a Shared Mailbox managed by more than one Sys Admin.
(we have between 3 and 10 Sys Admins depending on the area of the business)
-
What we do is: Create a user called
support. Generate a random password. Now assign this user as the owner of all the shared mailboxes. We then setup Freescout (the help desk app we use) with the mailboxes. Nobody other than the one who sets up Freescout needs to know the password because once the shared mailboxes are setup, other people don't need to know the password. We have a similar setup going inside EspoCRM as well.If for some reason, you have to pass around a password (maybe you all want to use different clients), then you can generate mail passwords. Login as this
supportuser and go to Profile -> App Passwords. There is a Mail Client option in the drop down. For example, to hand out a password for User1. This also makes it easy for you to revoke it later.
Finally, for 5.5, I am looking into shared mailboxes. This is dovecot acl mailbox sharing. With this, if you setup a shared mailbox, then when people login with an IMAP client, they will already see the shared mailbox as a subdirectory. I cannot guarantee how well this feature will work in practice though. I have not used shared mailboxes via IMAP in the past but we are building it for a client.
-
What we do is: Create a user called
support. Generate a random password. Now assign this user as the owner of all the shared mailboxes. We then setup Freescout (the help desk app we use) with the mailboxes. Nobody other than the one who sets up Freescout needs to know the password because once the shared mailboxes are setup, other people don't need to know the password. We have a similar setup going inside EspoCRM as well.If for some reason, you have to pass around a password (maybe you all want to use different clients), then you can generate mail passwords. Login as this
supportuser and go to Profile -> App Passwords. There is a Mail Client option in the drop down. For example, to hand out a password for User1. This also makes it easy for you to revoke it later.Finally, for 5.5, I am looking into shared mailboxes. This is dovecot acl mailbox sharing. With this, if you setup a shared mailbox, then when people login with an IMAP client, they will already see the shared mailbox as a subdirectory. I cannot guarantee how well this feature will work in practice though. I have not used shared mailboxes via IMAP in the past but we are building it for a client.
@girish Sounds good - will work with what we have and leave you in peace for that which I'll certainly help with testing and feedback on too.
-
@murgero that doesn't work. FreeScout is Cloudron app, so that can be the example, it needs one or more mailboxes to connect too.
Let's say you setup a
customerservices@domain.commailbox.Now, what Cloudron User to you assign to that mailbox?
If I use my user, now my Cloudron password is saved in FreeScout.
Let's say I'm off-duty and another sys admin has an issue and need to re-add the password in FreeScout. Do they use my password or change that mailbox to be their username?
But let's say EspoCRM also has that mailbox setup, they have to change it there too now.
The current data-relationship is One User to Many Mailboxes but it needs to be either Many to Many or there should be Application Passwords, which can probably still be Cloudron users behind the scenes but then you need to attach an email address to receive the password set/reset email.
I guess that email address could be changed by any Sys Admin to their own if they need to change the password for any reason.
Right now, that's the only way to create an independent password for a Shared Mailbox managed by more than one Sys Admin.
(we have between 3 and 10 Sys Admins depending on the area of the business)
-
What we do is: Create a user called
support. Generate a random password. Now assign this user as the owner of all the shared mailboxes. We then setup Freescout (the help desk app we use) with the mailboxes. Nobody other than the one who sets up Freescout needs to know the password because once the shared mailboxes are setup, other people don't need to know the password. We have a similar setup going inside EspoCRM as well.If for some reason, you have to pass around a password (maybe you all want to use different clients), then you can generate mail passwords. Login as this
supportuser and go to Profile -> App Passwords. There is a Mail Client option in the drop down. For example, to hand out a password for User1. This also makes it easy for you to revoke it later.Finally, for 5.5, I am looking into shared mailboxes. This is dovecot acl mailbox sharing. With this, if you setup a shared mailbox, then when people login with an IMAP client, they will already see the shared mailbox as a subdirectory. I cannot guarantee how well this feature will work in practice though. I have not used shared mailboxes via IMAP in the past but we are building it for a client.
-
@oj We tried to implement this for 5.6 (via IMAP mailbox sharing) but getting this to work with SOGo+LDAP has been a nightmare. So, it's not part of the release.
I think maybe a better approach for Cloudron is to just allow a mailbox to have multiple owners (instead of the single owner now). That way they 2 users can access the same mailbox with their own password.
-
@oj We tried to implement this for 5.6 (via IMAP mailbox sharing) but getting this to work with SOGo+LDAP has been a nightmare. So, it's not part of the release.
I think maybe a better approach for Cloudron is to just allow a mailbox to have multiple owners (instead of the single owner now). That way they 2 users can access the same mailbox with their own password.
@girish Completely understood, that would be a happy, secure and intuitive manageable solution.
-
@oj We tried to implement this for 5.6 (via IMAP mailbox sharing) but getting this to work with SOGo+LDAP has been a nightmare. So, it's not part of the release.
I think maybe a better approach for Cloudron is to just allow a mailbox to have multiple owners (instead of the single owner now). That way they 2 users can access the same mailbox with their own password.
-
@oj We tried to implement this for 5.6 (via IMAP mailbox sharing) but getting this to work with SOGo+LDAP has been a nightmare. So, it's not part of the release.
I think maybe a better approach for Cloudron is to just allow a mailbox to have multiple owners (instead of the single owner now). That way they 2 users can access the same mailbox with their own password.
-
@oj We tried to implement this for 5.6 (via IMAP mailbox sharing) but getting this to work with SOGo+LDAP has been a nightmare. So, it's not part of the release.
I think maybe a better approach for Cloudron is to just allow a mailbox to have multiple owners (instead of the single owner now). That way they 2 users can access the same mailbox with their own password.
-
@girish I was just looking up how to do something similar as the OP, and I believe this solution would be sufficient.
