kerem commented

Owner

Originally created by @ThePlouaxe on GitHub (Jul 21, 2025).
Original GitHub issue: https://github.com/modoboa/modoboa/issues/3600

Impacted versions: 2.4.3

OS Type: Ubuntu
OS Version: 22.04
Database MariaDB
Database version: 10.6.22
Modoboa: 2.4.3
installer used: Yes
Webserver: Nginx

Steps to reproduce

Each time I am accessing to the webmail

Current behavior

After installation, everything is working well but I get a blank page while accessing to my webmail.
I got the following logs in my syslog from dovecot: auth: Error: oauth2 ..... oauth2 failed: Introspection failed: No username returned

Expected behavior

Webmail access.

Originally created by @ThePlouaxe on GitHub (Jul 21, 2025). Original GitHub issue: https://github.com/modoboa/modoboa/issues/3600 # Impacted versions: 2.4.3 * OS Type: Ubuntu * OS Version: 22.04 * Database MariaDB * Database version: 10.6.22 * Modoboa: 2.4.3 * installer used: Yes * Webserver: Nginx # Steps to reproduce Each time I am accessing to the webmail # Current behavior After installation, everything is working well but I get a blank page while accessing to my webmail. I got the following logs in my syslog from dovecot: auth: Error: oauth2 ..... oauth2 failed: Introspection failed: No username returned # Expected behavior Webmail access.

kerem closed this issue

2026-02-27 11:19:36 +03:00

kerem commented

2026-02-27 11:19:36 +03:00

Author

Owner

@picheljitsu commented on GitHub (Jul 21, 2025):

Same issue. Just sticks at the "attempting to log you in." It's been a nightmare trying to get this thing up.

@picheljitsu commented on GitHub (Jul 21, 2025): Same issue. Just sticks at the "attempting to log you in." It's been a nightmare trying to get this thing up.

kerem commented

2026-02-27 11:19:36 +03:00

Author

Owner

@Spitfireap commented on GitHub (Jul 21, 2025):

Hi, is it a new installation or an upgrade ?

Can you post the output of : cd /srv/modoboa/instance && /srv/modoboa/env/bin/python manage.py check --deploy ?

@Spitfireap commented on GitHub (Jul 21, 2025): Hi, is it a new installation or an upgrade ? Can you post the output of : ```cd /srv/modoboa/instance && /srv/modoboa/env/bin/python manage.py check --deploy``` ?

kerem commented

2026-02-27 11:19:36 +03:00

Author

Owner

@Spitfireap commented on GitHub (Jul 21, 2025):

Same issue. Just sticks at the "attempting to log you in." It's been a nightmare trying to get this thing up.

This seems like another issue. Please open another discussion or issue

@Spitfireap commented on GitHub (Jul 21, 2025): > Same issue. Just sticks at the "attempting to log you in." It's been a nightmare trying to get this thing up. This seems like another issue. Please open another discussion or issue

kerem commented

2026-02-27 11:19:36 +03:00

Author

Owner

@jserviceorg commented on GitHub (Jul 21, 2025):

i have the same issue. login to the web interface works, calendar works, contacts works. but webmail gives a blank page.

Ubuntu 24.04, Modoboa installer, Postgres

root@mail:~# cd /srv/modoboa/instance && /srv/modoboa/env/bin/python manage.py check --deploy
System check identified some issues:

WARNINGS:
?: (security.W001) You do not have 'django.middleware.security.SecurityMiddleware' in your MIDDLEWARE so the SECURE_HSTS_SECONDS, SECURE_CONTENT_TYPE_NOSNIFF, SECURE_REFERRER_POLICY, SECURE_CROSS_ORIGIN_OPENER_POLICY, and SECURE_SSL_REDIRECT settings will have no effect.

System check identified 1 issue (1 silenced).

@jserviceorg commented on GitHub (Jul 21, 2025): i have the same issue. login to the web interface works, calendar works, contacts works. but webmail gives a blank page. Ubuntu 24.04, Modoboa installer, Postgres root@mail:~# cd /srv/modoboa/instance && /srv/modoboa/env/bin/python manage.py check --deploy System check identified some issues: WARNINGS: ?: (security.W001) You do not have 'django.middleware.security.SecurityMiddleware' in your MIDDLEWARE so the SECURE_HSTS_SECONDS, SECURE_CONTENT_TYPE_NOSNIFF, SECURE_REFERRER_POLICY, SECURE_CROSS_ORIGIN_OPENER_POLICY, and SECURE_SSL_REDIRECT settings will have no effect. System check identified 1 issue (1 silenced).

kerem commented

2026-02-27 11:19:36 +03:00

Author

Owner

@ThePlouaxe commented on GitHub (Jul 21, 2025):

This is an update, as it failed with dependencies I reinstalled it keeping my database. from version 2.3.9

Here is the output:

/srv/modoboa/env/bin/python manage.py check --deploy
System check identified some issues:

WARNINGS:
?: (security.W001) You do not have 'django.middleware.security.SecurityMiddleware' in your MIDDLEWARE so the SECURE_HSTS_SECONDS, SECURE_CONTENT_TYPE_NOSNIFF, SECURE_REFERRER_POLICY, SECURE_CROSS_ORIGIN_OPENER_POLICY, and SECURE_SSL_REDIRECT settings will have no effect.

System check identified 1 issue (1 silenced).

@ThePlouaxe commented on GitHub (Jul 21, 2025): This is an update, as it failed with dependencies I reinstalled it keeping my database. from version 2.3.9 Here is the output: /srv/modoboa/env/bin/python manage.py check --deploy System check identified some issues: WARNINGS: ?: (security.W001) You do not have 'django.middleware.security.SecurityMiddleware' in your MIDDLEWARE so the SECURE_HSTS_SECONDS, SECURE_CONTENT_TYPE_NOSNIFF, SECURE_REFERRER_POLICY, SECURE_CROSS_ORIGIN_OPENER_POLICY, and SECURE_SSL_REDIRECT settings will have no effect. System check identified 1 issue (1 silenced).

kerem commented

2026-02-27 11:19:36 +03:00

Author

Owner

@picheljitsu commented on GitHub (Jul 21, 2025):

I had the same issue. Used that string to replace the one in MIDDLEWARE tuple inside settings.py which fixed it for me. But now I'm back to the introspection error, which I assume is something to do w/ the CA chain?

2025-07-21T20:45:08.555882+00:00 mail dovecot: auth: Error: oauth2([redacted],127.0.0.1,<gqoejXY6aKZ/AAAB>): oauth2 failed: Introspection failed: SSL handshaking with 10.240.3.167:443 failed: read(SSL (conn:10.240.3.167:443,id=1)) failed: Received invalid SSL certificate: self-signed certificate: /CN=[redacted] (check ssl_client_ca_* settings?)

@picheljitsu commented on GitHub (Jul 21, 2025): I had the same issue. Used that string to replace the one in `MIDDLEWARE` tuple inside `settings.py` which fixed it for me. But now I'm back to the introspection error, which I assume is something to do w/ the CA chain? ``` 2025-07-21T20:45:08.555882+00:00 mail dovecot: auth: Error: oauth2([redacted],127.0.0.1,<gqoejXY6aKZ/AAAB>): oauth2 failed: Introspection failed: SSL handshaking with 10.240.3.167:443 failed: read(SSL (conn:10.240.3.167:443,id=1)) failed: Received invalid SSL certificate: self-signed certificate: /CN=[redacted] (check ssl_client_ca_* settings?) ```

kerem commented

2026-02-27 11:19:36 +03:00

Author

Owner

@ThePlouaxe commented on GitHub (Jul 21, 2025):

@picheljitsu What string did you replace in the MIDDLEWARE?

@ThePlouaxe commented on GitHub (Jul 21, 2025): @picheljitsu What string did you replace in the MIDDLEWARE?

kerem commented

2026-02-27 11:19:36 +03:00

Author

Owner

@tonioo commented on GitHub (Jul 22, 2025):

@ThePlouaxe Check this: https://modoboa.readthedocs.io/en/latest/upgrade.html#required-changes-to-settings-py
@picheljitsu It won't work with self-signed certificate...

@tonioo commented on GitHub (Jul 22, 2025): @ThePlouaxe Check this: https://modoboa.readthedocs.io/en/latest/upgrade.html#required-changes-to-settings-py @picheljitsu It won't work with self-signed certificate...

kerem commented

2026-02-27 11:19:36 +03:00

Author

Owner

@picheljitsu commented on GitHub (Jul 22, 2025):

@picheljitsu What string did you replace in the MIDDLEWARE?

If you look close in settings.py you'll notice the output string from performing check is slightly different (sorry don't have the previous value)

MIDDLEWARE = (
    'django.contrib.sessions.middleware.SessionMiddleware',
    ....

I also made sure the django-secure library was installed

sudo -u modoboa -i bash
. env/bin/activate
pip install django-secure

@picheljitsu commented on GitHub (Jul 22, 2025): > [@picheljitsu](https://github.com/picheljitsu) What string did you replace in the MIDDLEWARE? If you look close in `settings.py` you'll notice the output string from performing `check` is slightly different (sorry don't have the previous value) ``` MIDDLEWARE = ( 'django.contrib.sessions.middleware.SessionMiddleware', .... ``` I also made sure the django-secure library was installed ``` sudo -u modoboa -i bash . env/bin/activate pip install django-secure ```

kerem commented

2026-02-27 11:19:36 +03:00

Author

Owner

@safiullahtariq commented on GitHub (Jul 23, 2025):

i have the same issue. login to the web interface works, calendar works, contacts works. but webmail gives a blank page.

Ubuntu 24.04, Modoboa installer, Postgres

root@mail:~# cd /srv/modoboa/instance && /srv/modoboa/env/bin/python manage.py check --deploy System check identified some issues:

WARNINGS: ?: (security.W001) You do not have 'django.middleware.security.SecurityMiddleware' in your MIDDLEWARE so the SECURE_HSTS_SECONDS, SECURE_CONTENT_TYPE_NOSNIFF, SECURE_REFERRER_POLICY, SECURE_CROSS_ORIGIN_OPENER_POLICY, and SECURE_SSL_REDIRECT settings will have no effect.

System check identified 1 issue (1 silenced).

I have the same issue. Exact same error and no webmail.

@safiullahtariq commented on GitHub (Jul 23, 2025): > i have the same issue. login to the web interface works, calendar works, contacts works. but webmail gives a blank page. > > Ubuntu 24.04, Modoboa installer, Postgres > > root@mail:~# cd /srv/modoboa/instance && /srv/modoboa/env/bin/python manage.py check --deploy System check identified some issues: > > WARNINGS: ?: (security.W001) You do not have 'django.middleware.security.SecurityMiddleware' in your MIDDLEWARE so the SECURE_HSTS_SECONDS, SECURE_CONTENT_TYPE_NOSNIFF, SECURE_REFERRER_POLICY, SECURE_CROSS_ORIGIN_OPENER_POLICY, and SECURE_SSL_REDIRECT settings will have no effect. > > System check identified 1 issue (1 silenced). I have the same issue. Exact same error and no webmail.

kerem commented

2026-02-27 11:19:36 +03:00

Author

Owner

@ThePlouaxe commented on GitHub (Jul 23, 2025):

@ThePlouaxe Check this: https://modoboa.readthedocs.io/en/latest/upgrade.html#required-changes-to-settings-py @picheljitsu It won't work with self-signed certificate...

@tonioo Everything is okay especially as I made a new install and not an upgrade. I am using a letsencrypt certificate, not a self-signed one

@ThePlouaxe commented on GitHub (Jul 23, 2025): > [@ThePlouaxe](https://github.com/ThePlouaxe) Check this: https://modoboa.readthedocs.io/en/latest/upgrade.html#required-changes-to-settings-py [@picheljitsu](https://github.com/picheljitsu) It won't work with self-signed certificate... @tonioo Everything is okay especially as I made a new install and not an upgrade. I am using a letsencrypt certificate, not a self-signed one

kerem commented

2026-02-27 11:19:36 +03:00

Author

Owner

@safiullahtariq commented on GitHub (Jul 23, 2025):

@ThePlouaxe Check this: https://modoboa.readthedocs.io/en/latest/upgrade.html#required-changes-to-settings-py @picheljitsu It won't work with self-signed certificate...

@tonioo Everything is okay especially as I made a new install and not an upgrade. I am using a letsencrypt certificate, not a self-signed one

were you able to solve the issue ?

@safiullahtariq commented on GitHub (Jul 23, 2025): > > [@ThePlouaxe](https://github.com/ThePlouaxe) Check this: https://modoboa.readthedocs.io/en/latest/upgrade.html#required-changes-to-settings-py [@picheljitsu](https://github.com/picheljitsu) It won't work with self-signed certificate... > > [@tonioo](https://github.com/tonioo) Everything is okay especially as I made a new install and not an upgrade. I am using a letsencrypt certificate, not a self-signed one were you able to solve the issue ?

kerem commented

2026-02-27 11:19:37 +03:00

Author

Owner

@ThePlouaxe commented on GitHub (Jul 24, 2025):

@safiullahtariq No, tried to disable oauth2 in settings.py but if I do so I have been unable to log into admin...
Also tried to disable oauth2 in dovecot, I then got the oauthbearer error (and nothing if i disable it in dovecot)

Still looking for a solution to solve the problem.

@ThePlouaxe commented on GitHub (Jul 24, 2025): @safiullahtariq No, tried to disable oauth2 in settings.py but if I do so I have been unable to log into admin... Also tried to disable oauth2 in dovecot, I then got the oauthbearer error (and nothing if i disable it in dovecot) Still looking for a solution to solve the problem.

kerem commented

2026-02-27 11:19:37 +03:00

Author

Owner

@safiullahtariq commented on GitHub (Jul 24, 2025):

@safiullahtariq No, tried to disable oauth2 in settings.py but if I do so I have been unable to log into admin... Also tried to disable oauth2 in dovecot, I then got the oauthbearer error (and nothing if i disable it in dovecot)

Still looking for a solution to solve the problem.

I uninstalled iredmail and installed this, now i am stuck with no webmail.

@safiullahtariq commented on GitHub (Jul 24, 2025): > [@safiullahtariq](https://github.com/safiullahtariq) No, tried to disable oauth2 in settings.py but if I do so I have been unable to log into admin... Also tried to disable oauth2 in dovecot, I then got the oauthbearer error (and nothing if i disable it in dovecot) > > Still looking for a solution to solve the problem. I uninstalled iredmail and installed this, now i am stuck with no webmail.

kerem commented

2026-02-27 11:19:37 +03:00

Author

Owner

@Spitfireap commented on GitHub (Jul 24, 2025):

What's the content of /etc/dovecot/conf.d/dovecot-oauth2.conf.ext ? Be aware to remove the client secret for introspection_url, ie : https://dovecot:<client_secret>@.....

@Spitfireap commented on GitHub (Jul 24, 2025): What's the content of ```/etc/dovecot/conf.d/dovecot-oauth2.conf.ext``` ? Be aware to remove the client secret for introspection_url, ie : https://dovecot:<client_secret>@.....

kerem commented

2026-02-27 11:19:37 +03:00

Author

Owner

@Spitfireap commented on GitHub (Jul 24, 2025):

Also try this : tail -f /var/log/mail.log then try to open the webmail and look for errors

@Spitfireap commented on GitHub (Jul 24, 2025): Also try this : ```tail -f /var/log/mail.log``` then try to open the webmail and look for errors

kerem commented

2026-02-27 11:19:37 +03:00

Author

Owner

@ThePlouaxe commented on GitHub (Jul 24, 2025):

@Spitfireap Just got the same error with the webmail: dovecot: auth: Error: oauth2(xxx@xxx.fr,127.0.0.1,<mlMfv6o6KKB/AAAB>): oauth2 failed: Introspection failed: No username returned

@ThePlouaxe commented on GitHub (Jul 24, 2025): @Spitfireap Just got the same error with the webmail: dovecot: auth: Error: oauth2(xxx@xxx.fr,127.0.0.1,<mlMfv6o6KKB/AAAB>): oauth2 failed: Introspection failed: No username returned

kerem commented

2026-02-27 11:19:37 +03:00

Author

Owner

@sparky5214 commented on GitHub (Jul 27, 2025):

I had this on new install (bookworm) and fixed it by deleting the Dovecot row in oauth2_provider_application in the database and recreating the application key and then updating the key in dovecot-auth2.conf.ext

delete from oauth2_provider_application where name = 'Dovecot'

and then in the virtual env for modoboa create a new application client, that will output the key

sudo su - modoboa -s /bin/bash

. env/bin/activate  

python manage.py createapplication --name=Dovecot --skip-authorization --client-id=dovecot confidential client-credentials

replace the client key that is in the basic auth url in

/etc/dovecot/conf.d/dovecot-oauth2.conf.ext

systemctl restart dovecot.service

for a debugging hint in /etc/dovecot/conf.d/10-logging.conf turn on
auth_verbose = yes
auth_debug = yes

@sparky5214 commented on GitHub (Jul 27, 2025): I had this on new install (bookworm) and fixed it by deleting the Dovecot row in oauth2_provider_application in the database and recreating the application key and then updating the key in dovecot-auth2.conf.ext `delete from oauth2_provider_application where name = 'Dovecot'` and then in the virtual env for modoboa create a new application client, that will output the key ``` sudo su - modoboa -s /bin/bash . env/bin/activate python manage.py createapplication --name=Dovecot --skip-authorization --client-id=dovecot confidential client-credentials ``` replace the client key that is in the basic auth url in /etc/dovecot/conf.d/dovecot-oauth2.conf.ext systemctl restart dovecot.service for a debugging hint in /etc/dovecot/conf.d/10-logging.conf turn on auth_verbose = yes auth_debug = yes

kerem commented

2026-02-27 11:19:37 +03:00

Author

Owner

@ThePlouaxe commented on GitHub (Jul 30, 2025):

@sparky5214 This solved the problem. Thanks a lot.

@ThePlouaxe commented on GitHub (Jul 30, 2025): @sparky5214 This solved the problem. Thanks a lot.

kerem commented

2026-02-27 11:19:37 +03:00

Author

Owner

@safiullahtariq commented on GitHub (Jul 30, 2025):

I had this on new install (bookworm) and fixed it by deleting the Dovecot row in oauth2_provider_application in the database and recreating the application key and then updating the key in dovecot-auth2.conf.ext

delete from oauth2_provider_application where name = 'Dovecot'

and then in the virtual env for modoboa create a new application client, that will output the key
sudo su - modoboa -s /bin/bash

. env/bin/activate  

python manage.py createapplication --name=Dovecot --skip-authorization --client-id=dovecot confidential client-credentials
replace the client key that is in the basic auth url in

/etc/dovecot/conf.d/dovecot-oauth2.conf.ext

systemctl restart dovecot.service

for a debugging hint in /etc/dovecot/conf.d/10-logging.conf turn on auth_verbose = yes auth_debug = yes

I dont know what I have done wrong but this has not solved my issue. I did upgrade modoboa and then did what you said. Should I try again ?

@safiullahtariq commented on GitHub (Jul 30, 2025): > I had this on new install (bookworm) and fixed it by deleting the Dovecot row in oauth2_provider_application in the database and recreating the application key and then updating the key in dovecot-auth2.conf.ext > > `delete from oauth2_provider_application where name = 'Dovecot'` > > and then in the virtual env for modoboa create a new application client, that will output the key > > ``` > sudo su - modoboa -s /bin/bash > > . env/bin/activate > > python manage.py createapplication --name=Dovecot --skip-authorization --client-id=dovecot confidential client-credentials > ``` > > replace the client key that is in the basic auth url in > > /etc/dovecot/conf.d/dovecot-oauth2.conf.ext > > systemctl restart dovecot.service > > for a debugging hint in /etc/dovecot/conf.d/10-logging.conf turn on auth_verbose = yes auth_debug = yes I dont know what I have done wrong but this has not solved my issue. I did upgrade modoboa and then did what you said. Should I try again ?

kerem commented

2026-02-27 11:19:37 +03:00

Author

Owner

@sparky5214 commented on GitHub (Jul 31, 2025):

On 7/30/25 3:23 PM, safiullahtariq wrote:

for a debugging hint in /etc/dovecot/conf.d/10-logging.conf turn
on auth_verbose = yes auth_debug = yes
I dont know what I have done wrong but this has not solved my issue. I
did upgrade modoboa and then did what you said. Should I try again ?

I'd turn on the dovecot auth logging and see if you can see why the
webmail app doesn't have access.

@sparky5214 commented on GitHub (Jul 31, 2025): On 7/30/25 3:23 PM, safiullahtariq wrote: > > for a debugging hint in /etc/dovecot/conf.d/10-logging.conf turn > on auth_verbose = yes auth_debug = yes > > I dont know what I have done wrong but this has not solved my issue. I > did upgrade modoboa and then did what you said. Should I try again ? > I'd turn on the dovecot auth logging and see if you can see why the webmail app doesn't have access.

Rows
Columns

[GH-ISSUE #3600] Modoboa 2.4.3: Blank page on webmail #1863

Impacted versions: 2.4.3

Steps to reproduce

Current behavior

Expected behavior