-
-
Notifications
You must be signed in to change notification settings - Fork 0
Konfiguration.en
Deutsch | English
Most configuration is done via the dashboard under Settings (admin-only). Operator secrets (app SECRET_KEY, DB password) stay in the .env.
- Local login (email/password) is the primary method. Accounts are created by admins (no self-signup). Passwords: Argon2id.
- OIDC / Single Sign-On is an optional second method for any provider (Authentik, Keycloak, Entra ID, Okta, …). Configuration in the dashboard: issuer URL, client ID, client secret, redirect URI. Without an active OIDC config, the app runs fully without an IdP.
-
SAML SSO (Enterprise add-on) is another optional second method. Configured under Settings → SAML/SSO: IdP entity ID, IdP SSO URL (HTTP redirect), IdP signing certificate (X.509), SP entity ID, SP ACS URL and optional attribute mapping (email/display name; empty = NameID as email). The assertion must be signed; the app validates signature, validity period and audience. SP metadata at
/auth/saml/metadata.
- Methods: authenticator app (TOTP), email one-time code or — with a Business license — passkey (WebAuthn) — selectable per user.
-
Passkeys (Business): registration and sign-in via WebAuthn (fingerprint, face or security key). Multiple passkeys per account possible; managed under My Profile. The RP ID is derived from
APP_DOMAIN; the origin can be overridden viaWEBAUTHN_ORIGIN(defaulthttps://{APP_DOMAIN}). Backup codes serve as recovery in case of device loss. - Backup codes at setup (single-use).
- Enforceable by admins under Settings → Security: off / admins only / everyone. Affected users are guided through setup on their next login.
- Admins can reset a user's 2FA (device loss).
- Secrets are stored encrypted (Fernet), backup codes only as a hash.
- Global fallback SMTP under Settings → SMTP (applies when a campaign uses no dedicated sending profile).
- Sending profiles bundle SMTP credentials and sender identity per campaign.
- Provider-agnostic (IONOS, Hetzner, Mailgun, SES, Postmark, your own mail server …). Passwords encrypted at rest; the API never returns them (only a
has_*flag).
Recipient import from a directory service (Active Directory / OpenLDAP) under Settings → LDAP: host/port, LDAPS/StartTLS, bind DN + password, base DN, user filter, attribute mapping. Then import under Groups → LDAP import.
For LDAPS/StartTLS, a CA/server certificate (PEM) can optionally be provided. If set, the server certificate is verified (recommended for internal or self-signed CAs); without a certificate no validation is performed.
For the country breakdown in the dashboard, the operator stores in the .env the path to a local country database in MMDB format (GEOIP_DB_PATH), e.g. MaxMind GeoLite2-Country or DB-IP Country Lite. The lookup runs entirely locally — no external service is ever called. Without a configured file, the country statistics simply stay empty; private/internal IP addresses are never resolved.
GEOIP_DB_PATH=/path/to/GeoLite2-Country.mmdbUnder Settings → Activity → Audit Events: sign-in events (success/failure/blocked) and system changes (users, settings, 2FA) — with timestamp and IP.
See also: Features
Deutsch
- Home
- Installation
- Konfiguration
- Funktionen
- Architektur
- Sicherheit
- NIS2 und BSI
- FAQ
- Fehlerbehebung
- Roadmap
English