Input Buffer Full with OAuth login
I’m running Dovecot 2.3.21.1 using Authentik for OAuth authentication. I’m using SOGo 5.12.0 as a UI, also with OAuth authentication. When SOGo connects to Dovecot and authenticates with OAuth, it fails and the following is logged:
imap-login: Info: Disconnected: Input buffer full (no auth attempts in 0 secs): user=<>, rip=10.42.1.1, lip=10.42.1.196, TLS, session=<NZnp7zMxQuMKKgEB>
My dovecot-oauth2.conf.ext looks like this:

openid_configuration_url = https://auth.koehn.com/application/o/dovecot-oauth2/.well-known/openid-configuration
introspection_url = https://auth.koehn.com/application/o/introspect/
introspection_mode = post
client_id = [redacted]
client_secret = [redacted]
username_attribute = email
debug = yes
rawlog_dir = /tmp/oauth2

And my auth-oauth2.conf.ext looks like this:

passdb {
  driver = oauth2
  mechanisms = xoauth2 oauthbearer
  args = /etc/dovecot/conf.d/dovecot-oauth2.conf.ext
}
I’m using the Dovecot Debian packages from repo.dovecot.org.
I’ve tried auth for introspection_mode, to no avail. There’s nothing extra in the logs when I turn on debug, and there’s nothing logged in the /tmp/oauth2 directory either, FWIW.
Any ideas?
— Brad
This is running on OS: Linux 6.1.0-28-amd64 x86_64 Debian 11.11 on amd64 hardware with an ext4 filesystem.
My uneducated guess is authentik sent a token that was bigger than Dovecot expected; the OAuth2 spec doesn’t define a maximum size. As an example, Authentik client secrets are 128 characters long by default, which looks like it would overflow the payload buffer defined in oauth2_client_secret_start. (I edited my Authentik client secret to make it small enough to fit and it didn’t fix the problem).
On 26/03/2025 04:44 EET Brad Koehn via dovecot <dovecot@dovecot.org> wrote:
> This is running on OS: Linux 6.1.0-28-amd64 x86_64 Debian 11.11 on amd64 hardware with an ext4 filesystem.
>
> My uneducated guess is authentik sent a token that was bigger than Dovecot expected; the OAuth2 spec doesn’t define a maximum size. As an example, Authentik client secrets are 128 characters long by default, which looks like it would overflow the payload buffer defined in oauth2_client_secret_start. (I edited my Authentik client secret to make it small enough to fit and it didn’t fix the problem).
The actual fix is to tell SOGo to not do

1 AUTHENTICATE XOAUTH2 <token>

but instead

C: 1 AUTHENTICATE XOAUTH2
S: +
C: <token here>

If the token is long enough, the client must use interactive SASL.
Aki
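To make the exchange above concrete, here is an added simulation (not code from the thread, Dovecot or SOGo) of a toy IMAP login handler and the two client strategies: the token sent as a SASL initial response on the AUTHENTICATE command line, versus sent interactively after the server's "+" prompt. The per-line limit MAX_LINE and the continuation-data limit MAX_AUTH_BUF are constructed values for the simulation, not Dovecot's real buffer sizes (the thread does not state them); the user name and tokens are constructed as well.

```python
"""Toy IMAP login vs. XOAUTH2 client strategies (added example, not
Dovecot/SOGo code). Shows why a long bearer token on the AUTHENTICATE
command line can hit a per-line input limit while the interactive form
(wait for "+", then send the token) does not."""
import base64

MAX_LINE = 512        # constructed: limit on a single IMAP command line
MAX_AUTH_BUF = 8192   # constructed: limit on SASL continuation data


def xoauth2_initial_response(user: str, token: str) -> str:
    """Client side: base64 of 'user=<user>^Aauth=Bearer <token>^A^A',
    the XOAUTH2 SASL client response format."""
    raw = f"user={user}\x01auth=Bearer {token}\x01\x01".encode()
    return base64.b64encode(raw).decode()


def decode_xoauth2(response: str) -> dict:
    """Server side: split the decoded client response into its fields."""
    raw = base64.b64decode(response).decode()
    fields = {}
    for part in raw.split("\x01"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields


def fits_on_command_line(tag: str, user: str, token: str,
                         limit: int = MAX_LINE) -> bool:
    """Would 'TAG AUTHENTICATE XOAUTH2 <initial-response>' fit on one line?"""
    line = f"{tag} AUTHENTICATE XOAUTH2 {xoauth2_initial_response(user, token)}"
    return len(line) <= limit


class ToyImapLogin:
    """Stand-in for a login process that reads one line at a time. A command
    line over MAX_LINE is refused before it is parsed, so no authentication
    attempt is ever counted (compare 'no auth attempts' in the log line)."""

    def __init__(self, valid_token: str):
        self.valid_token = valid_token
        self.transcript = []      # "C: ..." / "S: ..." lines, in order
        self.pending_tag = None   # set while waiting for continuation data

    def _reply(self, line: str) -> str:
        self.transcript.append(f"S: {line}")
        return line

    def handle(self, line: str) -> str:
        self.transcript.append(f"C: {line}")
        if self.pending_tag is not None:
            # Continuation data for an interactive AUTHENTICATE goes through
            # the (larger) auth buffer, not the command-line buffer.
            tag, self.pending_tag = self.pending_tag, None
            if len(line) > MAX_AUTH_BUF:
                return self._reply("* BYE Disconnected: Input buffer full")
            return self._finish(tag, line)
        if len(line) > MAX_LINE:
            return self._reply("* BYE Disconnected: Input buffer full")
        parts = line.split(" ", 3)
        if len(parts) < 3 or parts[1].upper() != "AUTHENTICATE" \
                or parts[2].upper() != "XOAUTH2":
            return self._reply(f"{parts[0]} BAD Unsupported command")
        if len(parts) == 4:
            return self._finish(parts[0], parts[3])   # initial response
        self.pending_tag = parts[0]
        return self._reply("+")                       # ask for the token

    def _finish(self, tag: str, response: str) -> str:
        fields = decode_xoauth2(response)
        if fields.get("auth") == f"Bearer {self.valid_token}":
            return self._reply(f"{tag} OK Logged in")
        return self._reply(f"{tag} NO Authentication failed")


def login_single_line(server: ToyImapLogin, user: str, token: str) -> str:
    """Send the token as a SASL initial response on the command line."""
    return server.handle(
        f"1 AUTHENTICATE XOAUTH2 {xoauth2_initial_response(user, token)}")


def login_interactive(server: ToyImapLogin, user: str, token: str) -> str:
    """Send AUTHENTICATE alone, then the token after the '+' prompt."""
    reply = server.handle("1 AUTHENTICATE XOAUTH2")
    if reply != "+":
        return reply
    return server.handle(xoauth2_initial_response(user, token))


if __name__ == "__main__":
    long_token = "t" * 1200   # constructed: long enough to exceed MAX_LINE
    for strategy in (login_single_line, login_interactive):
        srv = ToyImapLogin(valid_token=long_token)
        strategy(srv, "brad@example.com", long_token)
        print(f"--- {strategy.__name__}")
        for entry in srv.transcript:
            print(entry[:80] + ("..." if len(entry) > 80 else ""))
```

Running it prints both transcripts: the single-line attempt is cut off with "Input buffer full" before any credential is examined, while the interactive attempt gets the "+" prompt and then logs in. A client cannot know the server's line limit in advance, so the robust choice is the interactive form whenever the token length is not tightly bounded, which is what Aki's fix for SOGo amounts to.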
Thanks; I was eventually able to work through the myriad issues (this one was caused by not noticing that SOGo needs to be told to authenticate to Dovecot using XOAUTH2 using its NGImap4AuthMechanism setting, if anyone else should experience the same problem).

I wasn't able to get Dovecot XOAUTH2 to work with Authentik unless I dropped the profile scope from SOGo (even using the dovecotprofile scope recommended in the Authentik RoundCube documentation didn't work). With either of those scopes in place Dovecot always got 401 errors from Authentik when invoking the tokeninfo_url. I was able to get it to work by having SOGo request tokens with openid email scopes.
In any event, I was eventually able to get Authentik, Dovecot, and SOGo working together using OpenID/XOAUTH2 authentication. Thanks to everyone here for making a great mail server; it's served my family and me well for many years.