Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Is there a way to integrate login with imap or pop3?

I was wondering if there's a plugin, or maybe an API (but I'm talking about open source, not cloud) for integrating imap or pop3 authentication into the login system? That would allow users from an existing email database to login to Vanilla without any additional registration


  • Options
    LincLinc Detroit Admin

    I'm curious what your use case is for an IMAP/POP3 single sign-on solution. I'm not aware of such a plugin.

  • Options
    x00x00 MVP
    edited January 2015

    POP3 is a stateless protocol, IMAP is a state protocol, but you still need to login to use it. But these are just a means to an end. in reality. The email service has a database, it has HTTP authentication, POP3 and maybe IMAP. Only HTTP is really relevant.

    I'm not sure what it is you are proposing. Are you saying that people enter their mail host password, becuase that is a really bad idea for them to do.

    The client is a browser, which usually doesn’t keep or share POP3/IMAP credentials that an email client does, or know if the person has recently authenticate via these means. The protocol of the web is largely HTTP.

    'Logged in' is a fictional state in most web protocols, as far getting that information from servers. There simply is "not logged" in with stateless authentication on servers. You are only logged in becuase the client has a authentication cookie or token which it tags on to a request.

    If you are talking about checking if they are logged into their web mail. Well the secure way to do is like OpenID/OAuth type thing, you can already check if someone is logged into their Google/Yahoo Account or Facebook.

    However unless you yourself are running the hosted email service, you cannot treat POP3/IMAP to an arbitrary sever as a trusted authentication provider or "authority".

    If you a running a hosted service POP3/IMAP is still not relevant externally for SSO. You have a database, you have a means of authenticating them, their session is stored by the client (webmail), so then you can use the webmail service as a SSO authority.

    If you a trusted authority, then you can use a cross domain technique like jsConnect.

    grep is your friend.

  • Options

    If you are confused, that is becuase this is not a simple subject.

    grep is your friend.

  • Options

    I understand, certainly not a simple subject. My question is mostly regarding not having to duplicate registration to the forum for users within a hosted email system

    Let's say there is already a number of users for a particular domain's email system. I wanted to use that user set and give them access (via authentication) to the Vanilla forum, therefore bypassing the registration system and using a common user database

    For example if there were an authentication API, I could in the background authenticate a user's credentials against existing email user database. For the Vanilla forum, the user could provide the credentials via https and in the backend I could have a php script that authenticates against the existing database (email). I don't know if this is possible with Vanilla - but the bottom line is leveraging into Vanilla an existing user database

  • Options

    but the bottom line is leveraging into Vanilla an existing user database

    Yes, that is absolutely possible using jsconnect:

  • Options

    Awesome, thank you! I will look into that

  • Options

    You have to own the email service to do this, or you can use a service that already use open authentication protocol, or an API with authentication (which you can proxy for SSO).

    Using POP3/IMAP alone as authority is a bad idea, becuase it is bad idea for your user to provide the password to you so you can proxy it for verification.

    Beside they will need to provide three pieces of information, IMAP/POP3 server, account user name/email and password.

    Most major webmail services are not isolated services. So gmail for instance you are using a google account. This can be verified.

    grep is your friend.

  • Options

    understood. in this case it would be a privately hosted email service.

  • Options

    Yep jsConnect would be the way. First create the authority end point, which would check their webmail session, this would be used by jsConnect.

    grep is your friend.

Sign In or Register to comment.