diff --git a/CHANGES b/CHANGES
index 6a35ea447..8704fb6ad 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2787,4 +2787,5 @@
 * Initial Ubuntu 24.04 (Noble Numbat) support
 * syslog: handle potential multiline syslog input
 * user directory: fixes to mandatory 2fa setting when cloudron connector is used
+* notification: do not send login notification for external users
 
diff --git a/src/oidc.js b/src/oidc.js
index 55b6f96bc..7b2b03243 100644
--- a/src/oidc.js
+++ b/src/oidc.js
@@ -568,7 +568,7 @@ function interactionLogin(provider) {
 
             const auditSource = AuditSource.fromOidcRequest(req);
             await eventlog.add(user.ghost ? eventlog.ACTION_USER_LOGIN_GHOST : eventlog.ACTION_USER_LOGIN, auditSource, { userId: user.id, user: users.removePrivateFields(user), appId: clientId });
-            if (!user.ghost) safe(users.notifyLoginLocation(user, ip, userAgent, auditSource), { debug });
+            await safe(users.notifyLoginLocation(user, ip, userAgent, auditSource), { debug });
 
             // clear token as it is one-time use
             await tokens.delByAccessToken(req.body.autoLoginToken);
@@ -602,7 +602,7 @@ function interactionLogin(provider) {
 
         const auditSource = AuditSource.fromOidcRequest(req);
         await eventlog.add(user.ghost ? eventlog.ACTION_USER_LOGIN_GHOST : eventlog.ACTION_USER_LOGIN, auditSource, { userId: user.id, user: users.removePrivateFields(user), appId: clientId });
-        if (!user.ghost) safe(users.notifyLoginLocation(user, ip, userAgent, auditSource), { debug });
+        await safe(users.notifyLoginLocation(user, ip, userAgent, auditSource), { debug });
 
         // debug(`route interaction login post result redirectTo:${redirectTo}`);
 
diff --git a/src/routes/auth.js b/src/routes/auth.js
index 28f547cad..7dc4f27fb 100644
--- a/src/routes/auth.js
+++ b/src/routes/auth.js
@@ -41,7 +41,7 @@ async function login(req, res, next) {
 
     const auditSource = AuditSource.fromRequest(req);
     await eventlog.add(req.user.ghost ? eventlog.ACTION_USER_LOGIN_GHOST : eventlog.ACTION_USER_LOGIN, auditSource, { userId: req.user.id, user: users.removePrivateFields(req.user), type, appId: tokens.ID_CLI });
-    if (!req.user.ghost) safe(users.notifyLoginLocation(req.user, ip, userAgent, auditSource), { debug });
+    await safe(users.notifyLoginLocation(req.user, ip, userAgent, auditSource), { debug });
 
     next(new HttpSuccess(200, token));
 }
diff --git a/src/users.js b/src/users.js
index 834db9d96..f0200e05e 100644
--- a/src/users.js
+++ b/src/users.js
@@ -743,6 +743,7 @@ async function notifyLoginLocation(user, ip, userAgent, auditSource) {
 
     if (constants.DEMO) return;
     if (constants.TEST && ip === '127.0.0.1') return;
+    if (user.ghost || user.source) return; // for external users, rely on the external source to send login notification to avoid dup login emails
 
     const response = await superagent.get('https://geolocation.cloudron.io/json').query({ ip }).ok(() => true);
     if (response.statusCode !== 200) return debug(`Failed to get geoip info. statusCode: ${response.statusCode}`);