website/integrations: add documentation for roundcube webmail client (#2104)

* Add documentation for roundcube webmail client

Includes required dovecot configuration snippet.

* added roundcube to sidebar links

* fixed typo

* clean up formatting 

Tighten up extra info and match format to other integration documents

* fix roundcube wiki url display
This commit is contained in:
xpufx 2022-02-08 14:24:14 +03:00 committed by GitHub
parent 6ba150f737
commit cb1e70be7f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 87 additions and 0 deletions

View File

@ -0,0 +1,86 @@
---
title: Roundcube
---
## What is Roundcube
From https://roundcube.net
:::note
**Roundcube** is a browser-based multilingual IMAP client with an application-like user interface.
It provides full functionality you expect from an email client, including MIME support, address book, folder manipulation, message searching and spell checking
:::
This integration describes how to use Roundcube's oauth support with authentik to automatically sign into an email account.
The mail server must support XOAUTH2 for both SMTPD and IMAP/POP. Postfix SMTP server can also use Dovecot for authentication which provides Postfix with xoauth2 capability without configuring it separately.
## Preperation
The following placeholders will be used:
- `authentik.company` is the FQDN of the authentik install.
Create a new oauth2 Scope Mapping which does not return the 'group' values and associate this mapping
in the provider settings instead of the default oauth mapping.
Under _Property Mappings_, create a _Scope Mapping_. Give it a name like "oauth2-Scope-dovecot". Set the scope name to `dovecotprofile` and the expression to the following
```
return {
"name": request.user.name,
"given_name": request.user.name,
"family_name": "",
"preferred_username": request.user.username,
"nickname": request.user.username,
#DO NOT INCLUDE groups
}
```
Create an application in authentik. Create an _OAuth2/OpenID Provider_ with the following parameters:
- Client Type: `Confidential`
- Scopes: OpenID, Email, and the scope you created above
- Signing Key: Select any available key
## Roundcube Configuration
```
$config['oauth_provider'] = 'generic';
$config['oauth_provider_name'] = 'authentik';
$config['oauth_client_id'] = '<Client ID>';
$config['oauth_client_secret'] = '<Client Secret>';
$config['oauth_auth_uri'] = 'https://authentik.company/application/o/authorize/';
$config['oauth_token_uri'] = 'https://authentik.company/application/o/token/';
$config['oauth_identity_uri'] = 'https://authentik.company/application/o/userinfo/';
$config['oauth_scope'] = "email openid dovecotprofile";
$config['oauth_auth_parameters'] = [];
$config['oauth_identity_fields'] = ['email'];
```
## Dovecot Configuration
Add xoauth2 as an authentication mechanism and configure the following parameters in your Dovecot configuration.
```
tokeninfo_url = https://authentik.company/application/o/userinfo/?access_token=
introspection_url = https://<Client ID>:<Client Secret>@authentik.company/application/o/introspect/
introspection_mode = post
force_introspection = yes
active_attribute = active
active_value = true
username_attribute = email
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
```
:::note
With this setup Dovecot can also be used with other email clients that support XOAUTH2 authentication, however
most available software (including Fair Email for Android and Thunderbird) only come with support for Gmail,
Outlook etc with no way to configure custom email servers.
:::
## Additional Resources
Please refer to the following for further configuration information:
- https://roundcube.net
- https://github.com/roundcube/roundcubemail/wiki/Configuration:-OAuth2
- https://doc.dovecot.org/configuration_manual/authentication/oauth2/

View File

@ -29,6 +29,7 @@ module.exports = {
"services/powerdns-admin/index", "services/powerdns-admin/index",
"services/proxmox-ve/index", "services/proxmox-ve/index",
"services/rancher/index", "services/rancher/index",
"services/roundcube/index",
"services/sentry/index", "services/sentry/index",
"services/sssd/index", "services/sssd/index",
"services/sonarr/index", "services/sonarr/index",