diff --git a/core/admin/mailu/__init__.py b/core/admin/mailu/__init__.py
index f9ca2466..76c53f4b 100644
--- a/core/admin/mailu/__init__.py
+++ b/core/admin/mailu/__init__.py
@@ -6,6 +6,7 @@ from simplekv.memory.redisstore import RedisStore
 
 from mailu import utils, debug, models, manage, configuration
 
+import hmac
 
 def create_app_from_config(config):
     """ Create a new application based on the given configuration
@@ -28,6 +29,8 @@ def create_app_from_config(config):
     utils.proxy.init_app(app)
     utils.migrate.init_app(app, models.db)
 
+    app.temp_token_key = hmac.new(bytearray(app.secret_key, 'utf-8'), bytearray('WEBMAIL_TEMP_TOKEN_KEY', 'utf-8'), 'sha256').digest()
+
     # Initialize debugging tools
     if app.config.get("DEBUG"):
         debug.toolbar.init_app(app)
diff --git a/core/admin/mailu/internal/nginx.py b/core/admin/mailu/internal/nginx.py
index 600e438b..3f5582cc 100644
--- a/core/admin/mailu/internal/nginx.py
+++ b/core/admin/mailu/internal/nginx.py
@@ -7,7 +7,6 @@ import ipaddress
 import socket
 import tenacity
 
-
 SUPPORTED_AUTH_METHODS = ["none", "plain"]
 
 
@@ -26,8 +25,12 @@ def check_credentials(user, password, ip, protocol=None):
     if not user or not user.enabled or (protocol == "imap" and not user.enable_imap) or (protocol == "pop3" and not user.enable_pop):
         return False
     is_ok = False
+    # webmails
+    if len(password) == 64 and ip == app.config['WEBMAIL_ADDRESS']:
+        if user.verify_temp_token(password):
+            is_ok = True
     # All tokens are 32 characters hex lowercase
-    if len(password) == 32:
+    if not is_ok and len(password) == 32:
         for token in user.tokens:
             if (token.check_password(password) and
                 (not token.ip or token.ip == ip)):
diff --git a/core/admin/mailu/internal/views/auth.py b/core/admin/mailu/internal/views/auth.py
index edd62e37..8ff10aed 100644
--- a/core/admin/mailu/internal/views/auth.py
+++ b/core/admin/mailu/internal/views/auth.py
@@ -43,6 +43,18 @@ def admin_authentication():
         return ""
     return flask.abort(403)
 
+@internal.route("/auth/user")
+def user_authentication():
+    """ Fails if the user is not authenticated.
+    """
+    if (not flask_login.current_user.is_anonymous
+        and flask_login.current_user.enabled):
+        response = flask.Response()
+        response.headers["X-User"] = flask_login.current_user.get_id()
+        response.headers["X-User-Token"] = models.User.get_temp_token(flask_login.current_user.get_id())
+        return response
+    return flask.abort(403)
+
 
 @internal.route("/auth/basic")
 def basic_authentication():
diff --git a/core/admin/mailu/models.py b/core/admin/mailu/models.py
index c7787e74..796e467a 100644
--- a/core/admin/mailu/models.py
+++ b/core/admin/mailu/models.py
@@ -11,6 +11,7 @@ import sqlalchemy
 import time
 import os
 import glob
+import hmac
 import smtplib
 import idna
 import dns
@@ -458,6 +459,15 @@ in clear-text regardless of the presence of the cache.
         user = cls.query.get(email)
         return user if (user and user.enabled and user.check_password(password)) else None
 
+    @classmethod
+    def get_temp_token(cls, email):
+        user = cls.query.get(email)
+        return hmac.new(app.temp_token_key, bytearray("{}|{}".format(datetime.utcnow().strftime("%Y%m%d"), email), 'utf-8'), 'sha256').hexdigest() if (user and user.enabled) else None
+
+    def verify_temp_token(self, token):
+        return hmac.compare_digest(self.get_temp_token(self.email), token)
+
+
 
 class Alias(Base, Email):
     """ An alias is an email address that redirects to some destination.
diff --git a/core/admin/mailu/ui/views/base.py b/core/admin/mailu/ui/views/base.py
index 625c02e1..eb5490bc 100644
--- a/core/admin/mailu/ui/views/base.py
+++ b/core/admin/mailu/ui/views/base.py
@@ -1,6 +1,7 @@
 from mailu import models
 from mailu.ui import ui, forms, access
 
+from flask import current_app as app
 import flask
 import flask_login
 
@@ -49,6 +50,9 @@ def announcement():
         flask.flash('Your announcement was sent', 'success')
     return flask.render_template('announcement.html', form=form)
 
+@ui.route('/webmail', methods=['GET'])
+def webmail():
+    return flask.redirect(app.config['WEB_WEBMAIL'])
 
 @ui.route('/client', methods=['GET'])
 def client():
diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 7a212ebe..311b2821 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -136,9 +136,33 @@ http {
         include /etc/nginx/proxy.conf;
         client_max_body_size {{ MESSAGE_SIZE_LIMIT|int + 8388608 }};
         proxy_pass http://$webmail;
+      {% if ADMIN == 'true' %}
+        auth_request /internal/auth/user;
+        error_page 403 @webmail_login;
       }
-      {% endif %}
 
+      location {{ WEB_WEBMAIL }}/sso.php {
+        {% if WEB_WEBMAIL != '/' %}
+        rewrite ^({{ WEB_WEBMAIL }})$ $1/ permanent;
+        rewrite ^{{ WEB_WEBMAIL }}/(.*) /$1 break;
+        {% endif %}
+        include /etc/nginx/proxy.conf;
+        client_max_body_size {{ MESSAGE_SIZE_LIMIT|int + 8388608 }};
+        auth_request /internal/auth/user;
+        auth_request_set $user $upstream_http_x_user;
+        auth_request_set $token $upstream_http_x_user_token;
+        proxy_set_header X-Remote-User $user;
+        proxy_set_header X-Remote-User-Token $token;
+        proxy_pass http://$webmail;
+        error_page 403 @webmail_login;
+      }
+
+      location @webmail_login {
+        return 302 {{ WEB_ADMIN }}/ui/login?next=ui.webmail;
+      }
+      {% else %}
+      }
+      {% endif %}{% endif %}
       {% if ADMIN == 'true' %}
       location {{ WEB_ADMIN }} {
         return 301 {{ WEB_ADMIN }}/ui;
diff --git a/tests/compose/rainloop/mailu.env b/tests/compose/rainloop/mailu.env
index 08b0f8a4..1f5fce0c 100644
--- a/tests/compose/rainloop/mailu.env
+++ b/tests/compose/rainloop/mailu.env
@@ -51,7 +51,7 @@ DISABLE_STATISTICS=False
 ###################################
 
 # Expose the admin interface (value: true, false)
-ADMIN=true
+ADMIN=false
 
 # Choose which webmail to run if any (values: roundcube, rainloop, none)
 WEBMAIL=rainloop
diff --git a/tests/compose/roundcube/mailu.env b/tests/compose/roundcube/mailu.env
index faf1198f..ba153ac2 100644
--- a/tests/compose/roundcube/mailu.env
+++ b/tests/compose/roundcube/mailu.env
@@ -51,7 +51,7 @@ DISABLE_STATISTICS=False
 ###################################
 
 # Expose the admin interface (value: true, false)
-ADMIN=true
+ADMIN=false
 
 # Choose which webmail to run if any (values: roundcube, rainloop, none)
 WEBMAIL=roundcube
diff --git a/towncrier/newsfragments/783.feature b/towncrier/newsfragments/783.feature
new file mode 100644
index 00000000..fcafceef
--- /dev/null
+++ b/towncrier/newsfragments/783.feature
@@ -0,0 +1 @@
+Centralize the authentication of webmails behind the admin interface
diff --git a/webmails/rainloop/Dockerfile b/webmails/rainloop/Dockerfile
index ee040f25..9987330e 100644
--- a/webmails/rainloop/Dockerfile
+++ b/webmails/rainloop/Dockerfile
@@ -35,6 +35,7 @@ RUN apt-get update && apt-get install -y \
  && rm -rf /var/lib/apt/lists
 
 COPY include.php /var/www/html/include.php
+COPY sso.php /var/www/html/sso.php
 COPY php.ini /php.ini
 
 COPY application.ini /application.ini
diff --git a/webmails/rainloop/application.ini b/webmails/rainloop/application.ini
index 5bd9943d..0504f174 100644
--- a/webmails/rainloop/application.ini
+++ b/webmails/rainloop/application.ini
@@ -8,6 +8,10 @@ allow_admin_panel = Off
 
 [labs]
 allow_gravatar = Off
+{% if ADMIN == "true" %}
+custom_login_link='sso.php'
+custom_logout_link='{{ WEB_ADMIN }}/ui/logout'
+{% endif %}
 
 [contacts]
 enable = On
diff --git a/webmails/rainloop/sso.php b/webmails/rainloop/sso.php
new file mode 100644
index 00000000..2415f45c
--- /dev/null
+++ b/webmails/rainloop/sso.php
@@ -0,0 +1,31 @@
+<?php
+
+$_ENV['RAINLOOP_INCLUDE_AS_API'] = true;
+if (!defined('APP_VERSION')) {
+	$version = file_get_contents('/data/VERSION');
+	if ($version) {
+		define('APP_VERSION', $version);
+		define('APP_INDEX_ROOT_FILE', __FILE__);
+		define('APP_INDEX_ROOT_PATH', str_replace('\\', '/', rtrim(dirname(__FILE__), '\\/').'/'));
+	}
+}
+
+if (file_exists(APP_INDEX_ROOT_PATH.'rainloop/v/'.APP_VERSION.'/include.php')) {
+	include APP_INDEX_ROOT_PATH.'rainloop/v/'.APP_VERSION.'/include.php';
+} else {
+	echo '[105] Missing version directory';
+	exit(105);
+}
+
+// Retrieve email and password
+if (in_array('HTTP_X_REMOTE_USER', $_SERVER) && in_array('HTTP_X_REMOTE_USER_TOKEN', $_SERVER)) {
+	$email = $_SERVER['HTTP_X_REMOTE_USER'];
+	$password = $_SERVER['HTTP_X_REMOTE_USER_TOKEN'];
+	$ssoHash = \RainLoop\Api::GetUserSsoHash($email, $password);
+
+	// redirect to webmail sso url
+	header('Location: index.php?sso&hash='.$ssoHash);
+}
+else {
+	header('HTTP/1.0 403 Forbidden');
+}
diff --git a/webmails/rainloop/start.py b/webmails/rainloop/start.py
index d32efdfe..2d537284 100755
--- a/webmails/rainloop/start.py
+++ b/webmails/rainloop/start.py
@@ -24,6 +24,7 @@ conf.jinja("/application.ini", os.environ, "/data/_data_/_default_/configs/appli
 conf.jinja("/php.ini", os.environ, "/usr/local/etc/php/conf.d/rainloop.ini")
 
 os.system("chown -R www-data:www-data /data")
+os.system("chmod -R a+rX /var/www/html/")
 
 os.execv("/usr/local/bin/apache2-foreground", ["apache2-foreground"])
 
diff --git a/webmails/roundcube/Dockerfile b/webmails/roundcube/Dockerfile
index 1c303342..0c8a1f42 100644
--- a/webmails/roundcube/Dockerfile
+++ b/webmails/roundcube/Dockerfile
@@ -46,6 +46,7 @@ RUN apt-get update && apt-get install -y \
 
 COPY php.ini /php.ini
 COPY config.inc.php /var/www/html/config/
+COPY mailu.php /var/www/html/plugins/mailu/mailu.php
 COPY start.py /start.py
 
 EXPOSE 80/tcp
diff --git a/webmails/roundcube/config.inc.php b/webmails/roundcube/config.inc.php
index 627b96a7..797f229c 100644
--- a/webmails/roundcube/config.inc.php
+++ b/webmails/roundcube/config.inc.php
@@ -36,7 +36,11 @@ $config['managesieve_host'] = $imap;
 $config['managesieve_usetls'] = false;
 
 // Customization settings
-$config['support_url'] = getenv('WEB_ADMIN') ? '../..' . getenv('WEB_ADMIN') : '';
+if (filter_var(getenv('ADMIN'), FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE)) {
+	array_push($config['plugins'], 'mailu');
+	$config['support_url'] = getenv('WEB_ADMIN') ? '../..' . getenv('WEB_ADMIN') : '';
+	$config['sso_logout_url'] = getenv('WEB_ADMIN').'/ui/logout';
+}
 $config['product_name'] = 'Mailu Webmail';
 
 // We access the IMAP and SMTP servers locally with internal names, SSL
diff --git a/webmails/roundcube/mailu.php b/webmails/roundcube/mailu.php
new file mode 100644
index 00000000..bb4d65e9
--- /dev/null
+++ b/webmails/roundcube/mailu.php
@@ -0,0 +1,59 @@
+<?php
+
+class mailu extends rcube_plugin
+{
+
+  function init()
+  {
+    $this->add_hook('startup', array($this, 'startup'));
+    $this->add_hook('authenticate', array($this, 'authenticate'));
+    $this->add_hook('login_after', array($this, 'login'));
+    $this->add_hook('login_failed', array($this, 'login_failed'));
+    $this->add_hook('logout_after', array($this, 'logout'));
+  }
+
+  function startup($args)
+  {
+    if (empty($_SESSION['user_id'])) {
+        $args['action'] = 'login';
+    }
+
+    return $args;
+  }
+
+  function authenticate($args)
+  {
+    if (!in_array('HTTP_X_REMOTE_USER', $_SERVER) || !in_array('HTTP_X_REMOTE_USER_TOKEN', $_SERVER)) {
+        header('HTTP/1.0 403 Forbidden');
+        die();
+    }
+    $args['user'] = $_SERVER['HTTP_X_REMOTE_USER'];
+    $args['pass'] = $_SERVER['HTTP_X_REMOTE_USER_TOKEN'];
+
+    $args['cookiecheck'] = false;
+    $args['valid'] = true;
+
+    return $args;
+  }
+
+  function logout($args) {
+    // Redirect to global SSO logout path.
+    $this->load_config();
+
+    $sso_logout_url = rcmail::get_instance()->config->get('sso_logout_url');
+    header("Location: " . $sso_logout_url, true);
+    exit;
+  }
+
+  function login($args)
+  {
+      header('Location: index.php');
+      exit();
+  }
+  function login_failed($args)
+  {
+      header('Location: sso.php');
+      exit();
+  }
+
+}
diff --git a/webmails/roundcube/start.py b/webmails/roundcube/start.py
index f87e460f..cd42ba06 100755
--- a/webmails/roundcube/start.py
+++ b/webmails/roundcube/start.py
@@ -37,6 +37,8 @@ conf.jinja("/php.ini", os.environ, "/usr/local/etc/php/conf.d/roundcube.ini")
 os.system("mkdir -p /data/gpg /var/www/html/logs")
 os.system("touch /var/www/html/logs/errors.log")
 os.system("chown -R www-data:www-data /var/www/html/logs")
+os.system("chmod -R a+rX /var/www/html/")
+os.system("ln -sf /var/www/html/index.php /var/www/html/sso.php")
 
 try:
     print("Initializing database")