feat(provisioning): add support for Dovecot master user auth #12306
+229
−10
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tnxfi
requested review from
ChristophWurst,
GretaD and
kesselb
as code owners
|
Thanks for opening your first pull request in this repository! ✌️ |
added 2 commits
January 24, 2026 13:48
…n with new columns and UI updates Signed-off-by: Timo Nieminen <timo.nieminen@tnnet.fi>
…client factories and tests Signed-off-by: Timo Nieminen <timo.nieminen@tnnet.fi>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Nextcloud mail app has an option called "Master password". This name is not to be mixed with Dovecot Master password system.
The functionalitys is slightly misnamed. The correct name should be "Static password for all users".
Dovecot server for pop3, imap and sieve allows various ways of authenticating users. In this case "Static password" means that Dovecot is configured so that every account has the same static password and every account can log in with the same password. That means users like user_ann@example.com and user_dean@example.com will have the same password for their accounts.
Dovecot does allow to limit the usage of static password to specific CIDR. This can be useful in some cases (webmail system and SSO).
But this system is extremely problematic if the users need to be able to use passwords to log in from other system like Thunderbird client software.
Dovecot has a more advanced system called Master passwords, which allows us to configure one or more master users that have their own passwords. For example we could have user masteruser that has password MASTERPASS. When logging into imap, pop3 or sieve, master users can use username in format "user_ann@example.com*masteruser" to log in as any specific user they are allowed to represent. Default separator in the format is * (star sign), but it is configurable in Dovecot. In all other ways the login process is exactly the same as in standard imap, pop3 or sieve login. Only the username has both useraccount and masteraccount specified with the separator.
This configuration is a lot more flexible than static user passwords. Master passwords can also be limited to being accepted from specific CIDRs.
When using this system, the users still can have their own default passwords and the master password system doesn't affect their normal usage in any way. The system also allows granular permissions for master users.
This patch adds the ability to set master user and optionally master user separator character in Nextcloud Mail app. Patch still uses master password field for the password.
If Master user is not set, old style static password is used and only defined user is used as login. If Master user is set, login will use Dovecot style user in logins.
This patch assumes that user can use Dovecot master authentication for all services. Note that Dovecot includes SMTP Submission ability to help with master password login using SMTP.