Stalwart mailserver integration

[SinnySupernova]

I would like to use Kanidm as IDP for Stalwart mailserver. This currently is challenging due to stalwart only supporting a few directories. Among the options only the LDAP directory has the closest chance for integration with Kanidm.

Stalwart can be configured to have access to the service account credentials, and is using them to retrieve account information.

I checked all the LDAP queries that it executes, and have run into an issue #2978 with a filter that validates local domains.

Apart from that, Stalwart wants to read the following attributes from LDAP. Notably:

• secret (LDAP attribute for the user's password) - is not available in Kanidm
• description, I mapped it to displayname for now
• email can be mapped to mail;primary, and I'm not sure what to map email-alias to

Thinking of ways to integrate outside of LDAP, I was thinking if OIDC powered directory would be possible to implement on Stalwart's end. However my knowledge rn is not enough to evaluate that possibility properly.

[Firstyear]

email-alias is mapped to mail;alternative OR emailalternative. Similar to primary mail being mail;primary OR emailprimary. These are both "virtual" attrs so they are always present.

You should NOT use "secret" as a method. No LDAP server today in 2024 allows this, and it's absolutely wild and irresponsible that stalwart wants to try it.

See the "bind authentication" section in the stalwart docs. Similar, see our feature we about to merge for "ldap application passwords" to support uses cases like this. #2968

This will allow a you to specify an external application stalwart, and users can create "application passwords". For example, I could login to Kanidm, see that I have a mail application access. I can then generate a password for my laptop, and a different password for my phone.

Stalwart can connect to ldap with the dn "user=username,app=stalwart,o=my-idm", and Kanidm knows to route the auth requests to application passwords for stalwart. Kani then will check if the presented password is the laptop or phone pw.

This way, the user can have per-device passwords, stalwart has no idea this takes place and just sees "ldap".

[kri164]

Stalwart bugs No.1194 and No.1369 are closed.

stalwartlabs/stalwart#1194
stalwartlabs/stalwart#1369

Does it means we can use Kanidm as OIDC provider for Stalwart now? And mail clients will work?

[Firstyear]

If they have closed the bugs then provided there are no more issues in stalwart, yes you can use it.

[Gabgobie]

Could you share which mail client you are using? I'd like to deploy kanidm and stalwart but my client of choice (Thunderbird) has limited OAuth to specific providers. To my understanding I'd need to patch and recompile Thunderbird to work with any other OAuth provider or mail server.

• https://wiki.mozilla.org/Thunderbird:Autoconfiguration:ConfigFileFormat#OAuth2
• https://bugzilla.mozilla.org/show_bug.cgi?id=1602166

Best,

Edit:

As it seems I don't have to patch and recompile but use a new add-on API for custom OIDC providers, see https://bugzilla.mozilla.org/show_bug.cgi?id=1967370

[kri164]

After upgrade Stalwart 0.12.3 -> 0.12.4 ldap is not working.
LDAP Authentication Method need change from
"Lookup using bind DN" to "Bind authentication after lookup"