PHPackages                             mpipks/imap\_apppasswd - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Authentication &amp; Authorization](/categories/authentication)
4. /
5. mpipks/imap\_apppasswd

ActiveRoundcube-plugin[Authentication &amp; Authorization](/categories/authentication)

mpipks/imap\_apppasswd
======================

Create App-Passwords for IMAP and SMTP

1.2.3-p1(1y ago)222[1 issues](https://github.com/bennet0496/imap_apppasswd/issues)MITPHPPHP &gt;=8.1CI passing

Since Sep 16Pushed 9mo ago1 watchersCompare

[ Source](https://github.com/bennet0496/imap_apppasswd)[ Packagist](https://packagist.org/packages/mpipks/imap_apppasswd)[ RSS](/packages/mpipks-imap-apppasswd/feed)WikiDiscussions main Synced 2d ago

READMEChangelogDependencies (1)Versions (16)Used By (0)

IMAP App Passwords
==================

[](#imap-app-passwords)

[![Screenshot from 2024-04-22 11-36-01](https://private-user-images.githubusercontent.com/4955327/324410193-233c02d1-9d29-41e2-8c91-4aef5ec5ba9a.png?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3ODMwMTc5ODcsIm5iZiI6MTc4MzAxNzY4NywicGF0aCI6Ii80OTU1MzI3LzMyNDQxMDE5My0yMzNjMDJkMS05ZDI5LTQxZTItOGM5MS00YWVmNWVjNWJhOWEucG5nP1gtQW16LUFsZ29yaXRobT1BV1M0LUhNQUMtU0hBMjU2JlgtQW16LUNyZWRlbnRpYWw9QUtJQVZDT0RZTFNBNTNQUUs0WkElMkYyMDI2MDcwMiUyRnVzLWVhc3QtMSUyRnMzJTJGYXdzNF9yZXF1ZXN0JlgtQW16LURhdGU9MjAyNjA3MDJUMTg0MTI3WiZYLUFtei1FeHBpcmVzPTMwMCZYLUFtei1TaWduYXR1cmU9MmM4NmViOTRkMjkwZWI1ODAyYTcyNTA3MWRiYWJiZDExZjdmZTI1NjNkYWIzMGY5YjMzN2QyMTM0MWQ5ZjAwMSZYLUFtei1TaWduZWRIZWFkZXJzPWhvc3QmcmVzcG9uc2UtY29udGVudC10eXBlPWltYWdlJTJGcG5nIn0.BGAqR5_xPqOFzAPbBhMUvHqXp5Dv6tyabx4xckd-zSQ)](https://private-user-images.githubusercontent.com/4955327/324410193-233c02d1-9d29-41e2-8c91-4aef5ec5ba9a.png?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3ODMwMTc5ODcsIm5iZiI6MTc4MzAxNzY4NywicGF0aCI6Ii80OTU1MzI3LzMyNDQxMDE5My0yMzNjMDJkMS05ZDI5LTQxZTItOGM5MS00YWVmNWVjNWJhOWEucG5nP1gtQW16LUFsZ29yaXRobT1BV1M0LUhNQUMtU0hBMjU2JlgtQW16LUNyZWRlbnRpYWw9QUtJQVZDT0RZTFNBNTNQUUs0WkElMkYyMDI2MDcwMiUyRnVzLWVhc3QtMSUyRnMzJTJGYXdzNF9yZXF1ZXN0JlgtQW16LURhdGU9MjAyNjA3MDJUMTg0MTI3WiZYLUFtei1FeHBpcmVzPTMwMCZYLUFtei1TaWduYXR1cmU9MmM4NmViOTRkMjkwZWI1ODAyYTcyNTA3MWRiYWJiZDExZjdmZTI1NjNkYWIzMGY5YjMzN2QyMTM0MWQ5ZjAwMSZYLUFtei1TaWduZWRIZWFkZXJzPWhvc3QmcmVzcG9uc2UtY29udGVudC10eXBlPWltYWdlJTJGcG5nIn0.BGAqR5_xPqOFzAPbBhMUvHqXp5Dv6tyabx4xckd-zSQ)

Add application specific password to your dovecot IMAP environment.

In a world where SSO is not only convenient, but also the norm, there is a problem when it comes to mandatory 2FA/MFA in conjunction with the mail protocols SMTP and IMAP. While most other webservices have MFA as a second line of defense in cases where users lose their password attacks including but not limited to phishing, IMAP and SMTP lack these capabilities and would allow an adversary to snoop a user's emails or to even impersonate them to peers. Established mail services like Gmail and Outlook circumvent this with XOAUTH2 (or app passwords). While Dovecot supports XOAUTH2, the problem is that the client implementation of it in Thunderbird (and maybe also other clients), require static OAUTH Keys that are hard coded in its source code. Thunderbird ships with keys from some large providers, enabling OAUTH usage for these, but there is no way to deploy you own keys, without shipping a fork of Thunderbird with is not really feasible.

Note

Apparently you can add Oauth Providers via Plugins now. But this will only cover Thunderbird for Desktop. You still don't have it on mobile or any other Mail Client People might use.

So the next best option are application specific passwords for each client the user is going to use. If you don't already have an IdP/IAM and Account Console to create and manage these, then the next best place might be the Webmailer that hopefully has 2FA anyway. This is what this plugin is for. You can create App passwords, see where they were last used and delete them if not needed any more.

However, this plugin also requires you Dovecot (and SMTP Server \[eg. Exim, Postfix\]) to be set up a certain way.

Prepare the database
--------------------

[](#prepare-the-database)

For the database, you can use any host you'd like to hold the data. This doesn't necessarily need to be the same host, Roundcube or Dovecot are running on; however, both will need database access. This host will need to have mariadb (or mysql) installed

```
apt install mariadb-server
```

Then create the database, users e.g. with

```
CREATE DATABASE mail_auth;
GRANT USAGE ON *.* TO `mailserver`@`localhost` IDENTIFIED BY 'password123';
GRANT USAGE ON *.* TO `roundcube`@`webmail.example.com` IDENTIFIED BY 'password123';

GRANT SELECT ON `mail_auth`.`log` TO `roundcube`@`webmail.example.com`;
GRANT SELECT, SHOW VIEW ON `mail_auth`.`app_passwords_with_log` TO `roundcube`@`webmail.example.com`;
GRANT SELECT, INSERT, UPDATE (`comment`), DELETE ON `mail_auth`.`app_passwords` TO `roundcube`@`webmail.example.com`;

GRANT SELECT ON `mail_auth`.`app_passwords` TO `mailserver`@`localhost`;
GRANT SELECT, INSERT ON `mail_auth`.`log` TO `mailserver`@`localhost`;
```

The table structure is described in the Repo for the Dovecot service [here](https://github.com/bennet0496/dovecot_web_auth)

Setup the mail server
---------------------

[](#setup-the-mail-server)

To set up the mail server, either setup the purpose build [Dovecot Web Auth](https://github.com/bennet0496/dovecot_web_auth) or otherwise set your mail server up to use the database. E.g. with a [sql authdb and post-login Script](https://github.com/bennet0496/dovecot-apppasswd).

Plugin Setup
------------

[](#plugin-setup)

Install the plugin with composer

```
composer require mpipks/imap_apppasswd

```

and configure it using `config.inc.php`.

The most important option is correctly setting up the database connection, by setting the DSN and credentials. You also need to set up how the username is derived. Here it is important to set it up the same way Dovecot will actually match the username after canonicalization. Meaning that even if you allow Login with the email as username Dovecot, if in the background it just matches against the local part, you need to set matching against the local part here.

###  Health Score

31

—

LowBetter than 66% of packages

Maintenance40

Moderate activity, may be stable

Popularity9

Limited adoption so far

Community7

Small or concentrated contributor base

Maturity56

Maturing project, gaining track record

 Bus Factor1

Top contributor holds 100% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~9 days

Recently: every ~2 days

Total

15

Last Release

523d ago

### Community

Maintainers

![](https://avatars.githubusercontent.com/u/4955327?v=4)[Bennet B.](/maintainers/bennet0496)[@bennet0496](https://github.com/bennet0496)

---

Top Contributors

[![bennet0496](https://avatars.githubusercontent.com/u/4955327?v=4)](https://github.com/bennet0496 "bennet0496 (74 commits)")

### Embed Badge

![Health badge](/badges/mpipks-imap-apppasswd/health.svg)

```
[![Health](https://phpackages.com/badges/mpipks-imap-apppasswd/health.svg)](https://phpackages.com/packages/mpipks-imap-apppasswd)
```

###  Alternatives

[roundcube/roundcubemail

The Roundcube Webmail suite

7.1k2.4k3](/packages/roundcube-roundcubemail)[toteph42/identity_switch

This plugin allows users to switch between different identities (and check for new mails) in a single Roundcube session.

221.5k](/packages/toteph42-identity-switch)[pimlie/authres_status

This authres\_status plugin checks the Authentication-Results headers of your emails and displays the verification status. The verification status is displayed when you read an email, but you can also add a column to your message list.

424.0k](/packages/pimlie-authres-status)[radialapps/roundcube-oidc

OpenID Connect 1.0 login plugin for roundcube

101.2k](/packages/radialapps-roundcube-oidc)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)
