mpipks/imap\_apppasswd
======================

Create App-Passwords for IMAP and SMTP

Version 1.2.3-p1 · License: MIT · PHP >=8.1 · [1 issue](https://github.com/bennet0496/imap_apppasswd/issues)

[Source](https://github.com/bennet0496/imap_apppasswd) · [Packagist](https://packagist.org/packages/mpipks/imap_apppasswd)

IMAP App Passwords
==================

Add application-specific passwords to your Dovecot IMAP environment.

In a world where SSO is not only convenient but also the norm, there is a problem when it comes to mandatory 2FA/MFA in conjunction with the mail protocols SMTP and IMAP. While most other web services have MFA as a second line of defense in cases where users lose their password to attacks including, but not limited to, phishing, IMAP and SMTP lack these capabilities and would allow an adversary to snoop on a user's emails or even to impersonate them to peers. Established mail services like Gmail and Outlook circumvent this with XOAUTH2 (or app passwords). While Dovecot supports XOAUTH2, the problem is that the client implementation of it in Thunderbird (and maybe also other clients) requires static OAuth keys that are hard-coded in its source code. Thunderbird ships with keys from some large providers, enabling OAuth usage for these, but there is no way to deploy your own keys without shipping a fork of Thunderbird, which is not really feasible.

Note

Apparently you can add OAuth providers via plugins now. But this will only cover Thunderbird for desktop. You still don't have it on mobile or in any other mail client people might use.

So the next best option is application-specific passwords for each client the user is going to use. If you don't already have an IdP/IAM and account console to create and manage these, then the next best place might be the webmailer, which hopefully has 2FA anyway. This is what this plugin is for. You can create app passwords, see where they were last used and delete them if they are no longer needed.

However, this plugin also requires your Dovecot (and SMTP server, e.g. Exim or Postfix) to be set up a certain way.

Prepare the database
--------------------

For the database, you can use any host you'd like to hold the data. This doesn't necessarily need to be the same host that Roundcube or Dovecot is running on; however, both will need database access. This host will need to have MariaDB (or MySQL) installed:

```
apt install mariadb-server
```

Then create the database and users, e.g. with

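```
CREATE DATABASE mail_auth;
-- 'password123' is a placeholder: use a different, strong secret for each account.
-- GRANT ... IDENTIFIED BY creates the account on MariaDB; MySQL 8.0 removed this
-- form, so create the accounts with CREATE USER first there.
GRANT USAGE ON *.* TO `mailserver`@`localhost` IDENTIFIED BY 'password123';
GRANT USAGE ON *.* TO `roundcube`@`webmail.example.com` IDENTIFIED BY 'password123';

-- The table-level grants need the tables to exist already (structure linked below).
-- Roundcube: manage app passwords (UPDATE limited to `comment`), read the usage log.
GRANT SELECT ON `mail_auth`.`log` TO `roundcube`@`webmail.example.com`;
GRANT SELECT, SHOW VIEW ON `mail_auth`.`app_passwords_with_log` TO `roundcube`@`webmail.example.com`;
GRANT SELECT, INSERT, UPDATE (`comment`), DELETE ON `mail_auth`.`app_passwords` TO `roundcube`@`webmail.example.com`;

-- Mail server: read app passwords, append to the log.
GRANT SELECT ON `mail_auth`.`app_passwords` TO `mailserver`@`localhost`;
GRANT SELECT, INSERT ON `mail_auth`.`log` TO `mailserver`@`localhost`;
```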

The table structure is described in the repository for the Dovecot service [here](https://github.com/bennet0496/dovecot_web_auth).
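Once the tables and grants are in place, the privilege split between the two accounts can be checked from an administrative database session. This is an added example, not part of the plugin's README; it assumes the account names, hosts and schema name used in the statements above.

```sql
-- Added example: audit the privileges of the two service accounts (MariaDB/MySQL).
-- Account names, hosts and the schema name are taken from the GRANT statements above.

-- 1. Table-level privileges inside mail_auth, one row per account and table.
SELECT GRANTEE, TABLE_NAME,
       GROUP_CONCAT(PRIVILEGE_TYPE ORDER BY PRIVILEGE_TYPE) AS table_privs
FROM information_schema.TABLE_PRIVILEGES
WHERE TABLE_SCHEMA = 'mail_auth'
GROUP BY GRANTEE, TABLE_NAME
ORDER BY GRANTEE, TABLE_NAME;

-- 2. Column-level privileges. The README grants UPDATE on `comment` only,
--    so any other column listed here is broader than intended.
SELECT GRANTEE, TABLE_NAME, COLUMN_NAME, PRIVILEGE_TYPE
FROM information_schema.COLUMN_PRIVILEGES
WHERE TABLE_SCHEMA = 'mail_auth';

-- 3. Schema-wide privileges on mail_auth. The README's statements create none,
--    so rows here come from grants made elsewhere and deserve a second look.
SELECT GRANTEE, PRIVILEGE_TYPE
FROM information_schema.SCHEMA_PRIVILEGES
WHERE TABLE_SCHEMA = 'mail_auth';

-- 4. Global privileges beyond USAGE held by the two service accounts.
--    GRANTEE is stored with its quotes, hence the doubled single quotes.
SELECT GRANTEE, PRIVILEGE_TYPE
FROM information_schema.USER_PRIVILEGES
WHERE GRANTEE IN ('''mailserver''@''localhost''',
                  '''roundcube''@''webmail.example.com''')
  AND PRIVILEGE_TYPE <> 'USAGE';
```

The mail server account should have no write access to `app_passwords`, and the Roundcube account no write access to `log`; re-run the queries after any schema migration or manual grant.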

Setup the mail server
---------------------

To set up the mail server, either set up the purpose-built [Dovecot Web Auth](https://github.com/bennet0496/dovecot_web_auth) or otherwise set your mail server up to use the database, e.g. with an [SQL authdb and post-login script](https://github.com/bennet0496/dovecot-apppasswd).

Plugin Setup
------------

Install the plugin with Composer

```
composer require mpipks/imap_apppasswd
```

and configure it using `config.inc.php`.

The most important option is the database connection: set the DSN and credentials correctly. You also need to set up how the username is derived. Here it is important to set it up the same way Dovecot will actually match the username after canonicalization. That means that even if you allow login with the email address as the username in Dovecot, if in the background it just matches against the local part, you need to set matching against the local part here.

