Allow SSO users to send and receive mail via master password
SSO users do not have a password set, and the auto provisioning of mail
does not work for SSO users. It is also inconvenient to synchronize the
password database between Nextcloud and the mail server used.

So to allow SSO users to use the mail app we can instead configure a
shared password for all users; this will work well with, for example,
Dovecot, which has a concept of a "master password"[0] that can be used to
authenticate users. To use this feature we must convince the mail app
that the user has a password available, which we can set with occ like
so:
```
  ./occ config:app:set mail master_password --value 'very-secret-master-password'
```
We can then configure Dovecot to allow this password from the Nextcloud
server, in this example 89.46.21.198:
```
passdb {
  args = password=very-secret-master-password allow_nets=89.46.21.198/32
  driver = static
}
```
If we configure Postfix to use SASL auth against Dovecot, we can then
both send and receive mail from the Nextcloud mail app for SSO users.

0. https://doc.dovecot.org/configuration_manual/authentication/master_users/

Signed-off-by: Micke Nordin <[email protected]>
mickenordin committed Sep 30, 2023
1 parent 25419cb commit 110e460
Showing 3 changed files with 15 additions and 0 deletions.
6 changes: 6 additions & 0 deletions lib/Controller/PageController.php
@@ -176,6 +176,12 @@ public function index(): TemplateResponse {
} catch (CredentialsUnavailableException | PasswordUnavailableException $e) {
$passwordIsUnavailable = true;
}

$masterPassword = $this->config->getAppValue('mail', 'master_password');
if ($masterPassword) {
$passwordIsUnavailable = false;
}

$this->initialStateService->provideInitialState(
'password-is-unavailable',
$passwordIsUnavailable,
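Review bot: the check `if ($masterPassword)` relies on PHP truthiness, so a master password set to the string "0" is silently treated as unset (the same pattern is repeated in the IMAP and SMTP factories below); compare against the empty-string default of `getAppValue` explicitly, e.g. `if ($masterPassword !== '') {`. Separately, this hunk flips `$passwordIsUnavailable` to false for every user whenever the app value exists, so the UI will claim a password is available even for accounts the master password was never meant to cover; if the feature is scoped to SSO/provisioned accounts, that scoping should be reflected here as well.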
5 changes: 5 additions & 0 deletions lib/IMAP/IMAPClientFactory.php
@@ -83,6 +83,11 @@ public function getClient(Account $account, bool $useCache = true): Horde_Imap_C
if ($account->getMailAccount()->getInboundPassword() !== null) {
$decryptedPassword = $this->crypto->decrypt($account->getMailAccount()->getInboundPassword());
}

$masterPassword = $this->config->getAppValue('mail', 'master_password');
if ($masterPassword) {
$decryptedPassword = $masterPassword;
}
$port = $account->getMailAccount()->getInboundPort();
$sslMode = $account->getMailAccount()->getInboundSslMode();
if ($sslMode === 'none') {
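Review bot: the override `$decryptedPassword = $masterPassword;` is unconditional, so once the app value is set it replaces the decrypted per-account password for every `$account`, including accounts that have their own stored credentials and accounts whose inbound host is not the server that knows the master password; the shared secret would then be sent to whatever host a given account is configured with. Gate the substitution on the account actually needing it (for instance only when no inbound password is stored, i.e. when the `getInboundPassword() !== null` branch above did not run) and on the inbound host matching the server the master password is intended for. Also worth documenting: per-account passwords go through `$this->crypto->decrypt(...)`, whereas the master password is read back as a plain app config value, so it is stored unencrypted in the app configuration and inherits only the database's protection.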
4 changes: 4 additions & 0 deletions lib/SMTP/SmtpClientFactory.php
@@ -69,6 +69,10 @@ public function create(Account $account): Horde_Mail_Transport {
if ($mailAccount->getOutboundPassword() !== null) {
$decryptedPassword = $this->crypto->decrypt($mailAccount->getOutboundPassword());
}
$masterPassword = $this->config->getAppValue('mail', 'master_password');
if ($masterPassword) {
$decryptedPassword = $masterPassword;
}
$security = $mailAccount->getOutboundSslMode();
$params = [
'localhost' => $this->hostNameFactory->getHostName(),
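Review bot: this is the third copy of the same lookup-and-override block (`$masterPassword = $this->config->getAppValue('mail', 'master_password'); if ($masterPassword) { ... }`), now on the outbound path, so a single Nextcloud-side secret authorizes sending as any account and the only remaining control is whatever the SMTP server enforces (the commit message relies on Dovecot's `allow_nets`). Extract the lookup and its eligibility conditions into one shared helper so that any scoping added later (per-account, per-host) applies identically to IMAP and SMTP instead of drifting between three files. Minor style point: the other factory separates the new block from the preceding `if` with a blank line; this one does not.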

0 comments on commit 110e460