Configure Mailcow to Use Keycloak for User Authentication
Prerequisites: Ensure Keycloak is deployed and configured as described in Keycloak Server Deployment and Keycloak Configuration, and that Mailcow is installed and reachable.
This guide explains how to integrate Mailcow with Keycloak using OpenID Connect. After configuration, LDAP users can authenticate through Keycloak and log in to Mailcow with Single Sign-On (SSO).
1. Create a Keycloak Client for Mailcow
-
Log in to the Keycloak admin console and select the
example-ssorealm. -
Open the Clients menu and click Create client.
-
Configure the client with the following values:
- Client ID:
mailcow - Client Protocol:
openid-connect - Client Authentication:
On - Standard Flow Enabled:
On - Direct Access Grants Enabled:
Off - Service Accounts Enabled:
Off
- Client ID:
-
Save the client.

-
In the client settings, set a valid redirect URI. Use the URI provided by Mailcow, for example:
https://mail.example.com/oidc/callbackIf Mailcow indicates a different callback path, use that value instead.
-
Open the Credentials tab and copy the Client Secret.

2. Create a Mailcow Client Scope
-
From the Keycloak left-hand menu, select Client scopes.
-
Click Create client scope and enter:
- Name:
mailcow-dedicated-scope - Protocol:
openid-connect
- Name:
-
Save the client scope.
-
Select the new scope and open the Mappers tab.
-
Add the following mapper:
- Name:
mailcow_username - Mapper Type:
User Property - Property:
username - Token Claim Name:
preferred_username - Claim JSON Type:
String
- Name:

- Edit the
mailcowclient and addmailcow-dedicated-scopeunder the Client scopes section.
3. Configure Mailcow to Use Keycloak
-
Log in to the Mailcow admin interface as the administrator user.
-
Go to System > Configuration.
-
Choose Access > Identity Provider.
-
Configure the provider with these values:
- Provider:
OpenID Connect - Issuer URL:
https://keycloak.example.com/realms/example-sso - Client ID:
mailcow - Client Secret: (paste the secret from Keycloak)
- Scopes:
openid email profile - Username attribute:
preferred_username - Email attribute:
email - Name attribute:
name
- Provider:
-
Save the configuration.

4. Verify User Login
-
Visit the Mailcow login page at
https://mail.example.com/. -
Confirm that the Single Sign-On button is visible.

-
Click the button and sign in with an LDAP user account from Keycloak, for example
mailuser. -
After successful authentication, you should be redirected back to Mailcow and logged in as that user.
5. Troubleshooting
- If the redirect fails, verify the Keycloak valid redirect URI matches the Mailcow callback URL exactly.
- Confirm the
Issuer URLuses the Keycloak realm root:https://keycloak.example.com/realms/example-sso. - Ensure
openid,email, andprofilescopes are enabled in Mailcow. - Check the Keycloak client secret is entered correctly in Mailcow.
- Review Mailcow and Keycloak logs for authentication or callback errors.