Hi!
Dovecot supports Lua userdb, which can be used to implement custom user
databases, maybe this might work for you? See
https://doc.dovecot.org/configuration_manual/authentication/lua_based_authentication
for more details.
Aki
> On 15/08/2019 12:16 Lennart Boettcher <lennart.boettcher at secpoint.onmicrosoft.com> wrote:
>
> Hello,
>
> Thank you for the quick reply.
>
> I have expressed myself wrongly. Our idea was to use the Azure-AD as userdb
> by doing the user lookup with the help of Microsoft's Graph API. OAuth2
> would then of course only be the authorization procedure to access the user
> accounts using the Graph API.
>
> One would then implement a graph-userdb and no oauth-userdb. OAuth is, as
> you correctly mentioned, only an authorization mechanism.
>
> Here is a link to the GraphAPI:
> https://docs.microsoft.com/de-de/graph/api/overview?view=graph-rest-1.0
>
> And here is another link to the Graph Explorer, with which you can see how
> the GraphAPI works: https://developer.microsoft.com/en-us/graph/graph-explorer
>
> We already use this procedure for the passdb lookup and it works very well.
>
> Greetings
>
> Lennart Boettcher
>
> ------------------------------
>
> From: Aki Tuomi <aki.tuomi at open-xchange.com>
> Sent: 14 August 2019 14:57
> To: Lennart Boettcher <lennart.boettcher at secpoint.onmicrosoft.com>; Lennart Boettcher via dovecot <dovecot at dovecot.org>
> Subject: Re: Dovecot - Microsoft Azure AD
>
> > On 14/08/2019 15:36 Lennart Boettcher via dovecot <dovecot at dovecot.org> wrote:
> >
> > Hello,
> >
> > I am currently trying to connect my Dovecot mail server to
> > Microsoft's Azure-AD and use it as password and user database. I am using
> > version 2.3.7.1.
> >
> > Using the Azure-AD as passdb already works. In this context I noticed
> > that the scope implementation is not yet merged.
> >
> > Since I haven't found any hints for an OAuth2 userdb
> > implementation yet, I wanted to ask if there are any plans for an
> > implementation.
> >
> > Greetings
> >
> > Lennart Boettcher
> >
>
> Dovecot 2.3 supports oauth2. I don't know how "oauth2 user
> database" would work, since oauth2 is an authentication mechanism. I
> suggest you use LDAP or static userdb, or set mail_* settings for user settings.
>
> Aki
>