Dovecot Gmail OAuth2.0 Setting Question
Dear Sir or Madam,
I am unable to set up OAuth 2.0 authentication to Gmail using Dovecot as a proxy. I have a question about how to use Dovecot as a proxy to perform OAuth 2.0 authentication to Gmail from a mail client.
Is the following all I need to do to authenticate to Gmail using Dovecot as a proxy?
passdb configuration:

passdb {
  driver = oauth2
  mechanisms = oauthbearer xoauth2
  args = /etc/dovecot/dovecot-oauth2.token.conf.ext
}
passdb {
  driver = oauth2
  mechanisms = plain login
  args = /etc/dovecot/dovecot-oauth2.plain.conf.ext
}
1. Create dovecot-oauth2.token.conf.ext and dovecot-oauth2.plain.conf.ext, and create a Gmail service account API.
2. Is the grant_url in dovecot-oauth2.token.conf.ext and dovecot-oauth2.plain.conf.ext the URL for obtaining a Google access token from a web server that I have built myself?
3. I use a Gmail service account, so I don't need a client ID and secret ID, right?
4. Do I set introspection_url to the URL of my own web server, with the access token used for authentication to Google as the response?
5. The documentation says "pass_attrs = host=127.0.0.1", but if I am authenticating to Gmail, should I use "pass_attrs = proxy=y host=%{if;%s;eq;imap;imap.gmail.com;%{if;%s;eq;pop3;smtp.gmail.com;pop.gmail.com}} port=%{if;%s;eq;imap;993;%{if;%s;eq;pop3;587;465}} proxy_mech=xoauth2 pass=%{oauth2:access_token} user=%{oauth2:email oauth2:email}"?
6. What is the difference between dovecot-oauth2.token.conf.ext and dovecot-oauth2.plain.conf.ext? Do I need to configure both?
I used https://doc.dovecot.org/configuration_manual/authentication/oauth2/#proxy as a reference. I would appreciate your reply.
Yours faithfully,
e-mail: taiki.fukuda@justsystems.com TEL: 03-5324-7900 mobile: 080-6198-7328
On 19/01/2021 07:17 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
Dear Sir or Madam, I am unable to set up OAuth 2.0 authentication to Gmail using Dovecot as a proxy. I have a question about how to use Dovecot as a proxy to perform OAuth 2.0 authentication to Gmail from a mail client.
The mail client is required, in this case, to provide a valid OAuth2 bearer token. I don't think Google supports other ways.
- Is the following all I need to do to authenticate to Gmail using Dovecot as a proxy?
- passdb configuration:

passdb {
  driver = oauth2
  mechanisms = oauthbearer xoauth2
  args = /etc/dovecot/dovecot-oauth2.token.conf.ext
}
passdb {
  driver = oauth2
  mechanisms = plain login
  args = /etc/dovecot/dovecot-oauth2.plain.conf.ext
}
The plain config is a way to do 'password grant' authentication. This is when a username and password are used to acquire a bearer token.
- create dovecot-oauth2.token.conf.ext and dovecot-oauth2.plain.conf.ext
- create gmail service account api
- Is the grant_url in dovecot-oauth2.token.conf.ext and dovecot-oauth2.plain.conf.ext the URL for obtaining a Google access token from a web server that I have built myself?
- I use a Gmail service account, so I don’t need a client ID and secret ID, right?
- Do I set introspection_url to the URL of my own web server with the access token used for authentication to Google as the response?
No. The introspection URL needs to point to a location where Dovecot can figure out more information about the user with the token. If I recall correctly, the token endpoint
For Gmail, you need to use https://www.googleapis.com/oauth2/v2/userinfo
- The documentation says "pass_attrs = host=127.0.0.1", but if I am authenticating to Gmail, should I use "pass_attrs = proxy=y host=%{if;%s;eq;imap;imap.gmail.com;%{if;%s;eq;pop3;smtp.gmail.com;pop.gmail.com}} port=%{if;%s;eq;imap;993;%{if;%s;eq;pop3;587;465}} proxy_mech=xoauth2 pass=%{oauth2:access_token} user=%{oauth2:email oauth2:email}"?
I would use something more readable, like the passwd-file driver with username_format=%s.
The access token is also imported as %{token} in passdb.
- What is the difference between dovecot-oauth2.token.conf.ext and dovecot-oauth2.plain.conf.ext? Do I need to configure both?
I used https://doc.dovecot.org/configuration_manual/authentication/oauth2/#proxy as a reference. I would appreciate your reply.
Yours faithfully,
e-mail: taiki.fukuda@justsystems.com TEL: 03-5324-7900 mobile: 080-6198-7328
So this might work:

/etc/dovecot/oauth2-token.conf.ext:

introspection_url = https://www.googleapis.com/oauth2/v2/userinfo
introspection_mode = auth
username_attribute = email
pass_attrs = proxy=y proxy_mech=xoauth2

/etc/dovecot/dovecot.conf:

auth_mechanisms = xoauth2 oauthbearer
passdb {
  driver = oauth2
  args = /etc/dovecot/oauth2-token.conf.ext
  result_success = continue-ok
}
passdb {
  driver = passwd-file
  args = username_format=%s /etc/dovecot/endpoints
  skip = unauthenticated
}

/etc/dovecot/endpoints:

imap::::::: host=imap.gmail.com
pop3::::::: host=pop3.gmail.com
submission::::::: host=smtp.gmail.com
Aki
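Aki's configuration above chains two passdb lookups and then hands the client's token on to the backend. The following is an added Python model of those steps (my own code, not Dovecot's and not from the thread): the request Dovecot makes for introspection_mode = auth, the extraction of username_attribute = email from the JSON reply, the passwd-file lookup with username_format=%s against the endpoints file, and the XOAUTH2 SASL string that proxy_mech=xoauth2 presents to the backend. The endpoint URL, the attribute name and the endpoints file are taken from the thread; the token value and the two JSON bodies are constructed.

```python
"""Added example, not Dovecot's code and not from the thread: models the two
passdb steps in the suggested configuration (oauth2 passdb with
introspection_mode = auth and username_attribute = email, then a passwd-file
lookup with username_format=%s) and the XOAUTH2 string the proxy presents to
the backend. Endpoint URL, attribute name and endpoints file come from the
thread; the token and the JSON bodies are constructed."""
import base64
import json
from typing import Dict, Optional

INTROSPECTION_URL = "https://www.googleapis.com/oauth2/v2/userinfo"  # from the thread
USERNAME_ATTRIBUTE = "email"                                        # from the thread

# Contents of /etc/dovecot/endpoints as posted in the thread
ENDPOINTS = """\
imap::::::: host=imap.gmail.com
pop3::::::: host=pop3.gmail.com
submission::::::: host=smtp.gmail.com
"""


def introspection_request(token: str, url: str = INTROSPECTION_URL) -> Dict:
    """introspection_mode = auth: a GET carrying the client's bearer token in
    the Authorization header rather than as a query parameter, so the token
    does not end up in the request line."""
    return {"method": "GET", "url": url,
            "headers": {"Authorization": f"Bearer {token}"}}


def username_from_response(status: int, body: str,
                           username_attribute: str = USERNAME_ATTRIBUTE) -> Optional[str]:
    """Only a 200 JSON body carrying the configured attribute yields a
    username. A 401 (token rejected upstream) or a body without the attribute
    ends in what Dovecot logs as 'oauth2 failed: No username returned'."""
    if status != 200:
        return None
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return None
    value = data.get(username_attribute)
    return value if isinstance(value, str) and value else None


def parse_passwd_file(text: str) -> Dict[str, Dict[str, str]]:
    """passwd-file lines are user:password:uid:gid:gecos:home:shell:extra.
    With username_format=%s the lookup key is the service name, so the extra
    fields (host=...) select the backend per protocol."""
    entries: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 7)
        fields += [""] * (8 - len(fields))
        entries[fields[0]] = dict(kv.partition("=")[::2] for kv in fields[7].split())
    return entries


def xoauth2_initial_response(user: str, token: str) -> str:
    """SASL XOAUTH2 initial client response: base64 of
    'user=<u>\\x01auth=Bearer <t>\\x01\\x01'. This is what proxy_mech=xoauth2
    sends to the backend, with the token passed through from the client."""
    raw = f"user={user}\x01auth=Bearer {token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()


def decode_xoauth2(initial: str) -> Dict[str, str]:
    """Inverse of xoauth2_initial_response, handy when reading a rawlog."""
    raw = base64.b64decode(initial).decode()
    return dict(f.partition("=")[::2] for f in raw.split("\x01") if f)


# Constructed sample responses for the two outcomes that matter
OK_BODY = '{"id": "0", "email": "user@example.com", "verified_email": true}'
DENIED_BODY = '{"error": {"code": 401, "message": "Invalid Credentials"}}'

if __name__ == "__main__":
    token = "constructed-access-token"
    print(introspection_request(token))
    user = username_from_response(200, OK_BODY)
    print("username:", user)
    print("rejected:", username_from_response(401, DENIED_BODY))
    backend = parse_passwd_file(ENDPOINTS)["imap"]["host"]
    print("imap backend:", backend, decode_xoauth2(xoauth2_initial_response(user, token)))
```

The 401 branch reproduces the failure this thread goes on to hit: whatever the client presented is rejected by the userinfo endpoint, no email attribute is available, and the passdb reports no username. Sending the same GET with an Authorization: Bearer header from curl, outside Dovecot, separates a token problem from a Dovecot configuration problem.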
Thank you for your reply, but I need more help.
How do I set the request parameters for https://www.googleapis.com/oauth2/v2/userinfo?
Logs:
dovecot[30307]: lmtp(30320): Connect from 10.243.148.174
dovecot[30307]: lmtp(30320): Disconnect from 10.243.148.174: Remote closed connection (state=READY)
dovecot[30307]: auth: Debug: http-client: host www.googleapis.com: Host created
dovecot[30307]: auth: Debug: http-client: host www.googleapis.com: Host session created
dovecot[30307]: auth: Debug: http-client: host www.googleapis.com: Need to perform DNS lookup
dovecot[30307]: auth: Debug: http-client: host www.googleapis.com: Performing asynchronous DNS lookup
dovecot[30307]: auth: Debug: http-client[1]: request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Submitted (requests left=1)
dovecot[30307]: auth: Debug: http-client: host www.googleapis.com: DNS lookup successful; got 20 IPs
dovecot[30307]: auth: Debug: http-client: peer 172.217.31.170:443 (shared): Peer created
dovecot[30307]: auth: Debug: http-client: peer 172.217.31.170:443: Peer pool created
dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443: Peer created
dovecot[30307]: auth: Debug: http-client[1]: queue https://www.googleapis.com:443: Setting up connection to 172.217.31.170:443 (SSL=www.googleapis.com) (1 requests pending)
dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443: Linked queue https://www.googleapis.com:443 (1 queues linked)
dovecot[30307]: auth: Debug: http-client[1]: queue https://www.googleapis.com:443: Started new connection to 172.217.31.170:443 (SSL=www.googleapis.com)
dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443: Creating 1 new connections to handle requests (already 0 usable, connecting to 0, closing 0)
dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443: Making new connection 1 of 1 (0 connections exist, 0 pending)
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Connecting
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Waiting for connect (fd=22) to finish for max 0 msecs
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: HTTPS connection created (1 parallel connections exist)
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Client connected (fd=22)
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Connected
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Starting SSL handshake
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x10, ret=1: before/connect initialization
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: before/connect initialization
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv2/v3 write client hello A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv2/v3 read server hello A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv2/v3 read server hello A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv2/v3 read server hello A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read server hello A
dovecot[30307]: auth: Received valid SSL certificate: /OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
dovecot[30307]: auth: Received valid SSL certificate: /C=US/O=Google Trust Services/CN=GTS CA 1O1
dovecot[30307]: auth: Received valid SSL certificate: /C=US/ST=California/L=Mountain View/O=Google LLC/CN=upload.video.google.com
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read server certificate A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read server key exchange A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read server done A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 write client key exchange A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 write change cipher spec A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 write finished A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 flush data
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv3 read finished A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv3 read finished A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv3 read finished A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv3 read finished A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read finished A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x20, ret=1: SSL negotiation finished successfully
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=1: SSL negotiation finished successfully
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: SSL handshake successful
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Ready for requests
dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443: Successfully connected (1 connections exist, 0 pending)
dovecot[30307]: auth: Debug: http-client: peer 172.217.31.170:443: Successfully connected (1 connections exist, 0 pending)
dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443: Using 1 idle connections to handle 1 requests (1 total connections ready)
dovecot[30307]: auth: Debug: http-client[1]: queue https://www.googleapis.com:443: Connection to peer 172.217.31.170:443 claimed request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Claimed request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]
dovecot[30307]: auth: Debug: http-client[1]: request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Sent header
dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443: No more requests to service for this peer (1 connections exist, 0 pending)
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Got 401 response for request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Unauthorized (took 46 ms + 59 ms in queue)
dovecot[30307]: auth: Error: oauth2(fukudata,118.103.29.199,<mgm9vz25BTZ2Zx3H>): oauth2 failed: No username returned
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Response payload stream destroyed (0 ms after initial response)
dovecot[30307]: auth: Debug: http-client[1]: request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Finished
dovecot[30307]: auth: Debug: http-client[1]: queue https://www.googleapis.com:443: Dropping request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]
dovecot[30307]: auth: Debug: http-client: host www.googleapis.com: Host is idle (timeout = 1799906 msecs)
dovecot[30307]: auth: Debug: http-client[1]: request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Free (requests left=1)
dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443: No requests to service for this peer (1 connections exist, 0 pending)
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: No more requests queued; going idle (timeout = 60000 msecs)
dovecot[30307]: lmtp(30309): Connect from 10.243.148.174
dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.174: Remote closed connection (state=READY)
dovecot[30307]: lmtp(30320): Connect from 10.243.148.174
dovecot[30307]: lmtp(30320): Disconnect from 10.243.148.174: Remote closed connection (state=READY)
dovecot[30307]: lmtp(30320): Connect from 10.243.148.174
dovecot[30307]: lmtp(30320): Disconnect from 10.243.148.174: Remote closed connection (state=READY)
dovecot[30307]: lmtp(30309): Connect from 10.243.148.174
dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.174: Remote closed connection (state=READY)
dovecot[30307]: lmtp(30309): Connect from 10.243.148.110
dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.110: Remote closed connection (state=READY)
dovecot[30307]: lmtp(30309): Connect from 10.243.148.110
dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.110: Remote closed connection (state=READY)
dovecot[30307]: lmtp(30309): Connect from 10.243.148.110
dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.110: Remote closed connection (state=READY)
sshd[30475]: Connection closed by 10.243.150.20 port 48174 [preauth]
dovecot[30307]: imap-login: Disconnected (auth service reported temporary failure): user=<fukudata>, method=PLAIN, rip=118.103.29.199, lip=10.243.150.190, session=<mgm9vz25BTZ2Zx3H>
dovecot[30307]: lmtp(30317): Connect from 10.243.148.174
dovecot[30307]: lmtp(30317): Disconnect from 10.243.148.174: Remote closed connection (state=READY)
I would appreciate your reply.
Yours faithfully,
On Tue, 19 Jan 2021 at 15:34, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
Dear Mr. Tuomi,
This is just to remind you that I haven't received your response to the e-mail I sent you. I'm afraid my e-mail may not have reached you. If you have any questions or concerns, please let me know.
Best regards,
On Tue, 19 Jan 2021 at 18:52, 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
On Tue, 19 Jan 2021 at 15:34, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
Your emails come through to the mailing list; you can verify this from https://dovecot.org/pipermail/dovecot
Try turning on rawlogs for the oauth2 requests and see what Google is sending you.
You can also try log_debug=category=oauth2 (2.3.13) to get more debug logs from oauth2.
Aki
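Before turning on rawlogs, the debug log already posted in this thread contains the three lines that decide the outcome: the HTTP status of the introspection request, the oauth2 passdb error with its session id, and the login-process record with the SASL mechanism the client actually used. The following is an added Python triage helper (my own code, not Dovecot's and not from the thread) that pulls those lines out of a log and turns them into hints. The sample lines in SAMPLE_LOG are excerpted from the log posted earlier; the patterns and the hint rules are my own.

```python
"""Added triage helper (my own code, not Dovecot's and not from the thread):
extracts from a Dovecot auth debug log the lines that decide an OAuth2 proxy
login and summarises them. SAMPLE_LOG is excerpted from the log posted in
this thread; the regexes and hint rules are my own."""
import re
from typing import Dict, List

SAMPLE_LOG: List[str] = [
    "dovecot[30307]: auth: Debug: http-client[1]: request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Submitted (requests left=1)",
    "dovecot[30307]: auth: Received valid SSL certificate: /C=US/O=Google Trust Services/CN=GTS CA 1O1",
    "dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Got 401 response for request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Unauthorized (took 46 ms + 59 ms in queue)",
    "dovecot[30307]: auth: Error: oauth2(fukudata,118.103.29.199,<mgm9vz25BTZ2Zx3H>): oauth2 failed: No username returned",
    "dovecot[30307]: imap-login: Disconnected (auth service reported temporary failure): user=<fukudata>, method=PLAIN, rip=118.103.29.199, lip=10.243.150.190, session=<mgm9vz25BTZ2Zx3H>",
]

# HTTP status of the introspection request as reported by Dovecot's http-client
RESPONSE_RE = re.compile(
    r"Got (?P<status>\d{3}) response for request \[Req\d+: (?P<method>\w+) (?P<url>\S+)\]: "
    r"(?P<reason>[^(]+?)\s*\(took")
# Verdict of the oauth2 passdb, keyed by user, remote IP and session id
OAUTH2_ERR_RE = re.compile(
    r"auth: Error: oauth2\((?P<user>[^,]*),(?P<rip>[^,]*),<(?P<session>[^>]*)>\): (?P<msg>.*)")
# Login-process record carrying the SASL mechanism the client actually used
LOGIN_RE = re.compile(
    r"(?P<svc>\w+)-login: Disconnected \((?P<reason>[^)]*)\): .*method=(?P<method>\w+)"
    r".*session=<(?P<session>[^>]*)>")

OAUTH2_MECHS = {"XOAUTH2", "OAUTHBEARER"}


def triage(lines: List[str]) -> Dict[str, List[Dict[str, str]]]:
    """Collect the three kinds of decisive lines; everything else is noise."""
    summary: Dict[str, List[Dict[str, str]]] = {
        "introspection": [], "oauth2_errors": [], "logins": []}
    for line in lines:
        for key, pattern in (("introspection", RESPONSE_RE),
                             ("oauth2_errors", OAUTH2_ERR_RE),
                             ("logins", LOGIN_RE)):
            m = pattern.search(line)
            if m:
                summary[key].append(m.groupdict())
                break
    return summary


def diagnose(summary: Dict[str, List[Dict[str, str]]]) -> List[str]:
    """Turn the summary into hints a defender can act on (my rules of thumb)."""
    hints: List[str] = []
    for r in summary["introspection"]:
        if r["status"] == "401":
            hints.append(f"introspection endpoint {r['url']} returned 401: "
                         "the bearer token Dovecot forwarded was rejected upstream")
        elif r["status"].startswith(("4", "5")):
            hints.append(f"introspection endpoint {r['url']} returned "
                         f"{r['status']} ({r['reason'].strip()})")
    for e in summary["oauth2_errors"]:
        if "No username returned" in e["msg"]:
            hints.append(f"session {e['session']}: passdb found no "
                         "username_attribute in the response")
    for login in summary["logins"]:
        if login["method"].upper() not in OAUTH2_MECHS:
            hints.append(f"session {login['session']}: client authenticated with "
                         f"{login['method']}, not an OAuth2 SASL mechanism")
    return hints


if __name__ == "__main__":
    for hint in diagnose(triage(SAMPLE_LOG)):
        print("-", hint)
```

On the posted log this yields three hints that share one session id: the userinfo endpoint answered 401, the passdb therefore had no email attribute to use, and the client had logged in with PLAIN rather than XOAUTH2 or OAUTHBEARER. Reading those together narrows the search to what the client presented as its credential before any Dovecot setting is changed.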
On 22/01/2021 02:51 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
www.googleapis.com (http://www.googleapis.com): SSL: where=0x20, ret=1: SSL negotiation finished successfully dovecot[30307]: auth: Debug: www.googleapis.com (http://www.googleapis.com): SSL: where=0x1002, ret=1: SSL negotiation finished successfully dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 (http://172.217.31.170:443) [1]: SSL handshake successful dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 (http://172.217.31.170:443) [1]: Ready for requests dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443 (http://172.217.31.170:443): Successfully connected (1 connections exist, 0 pending) dovecot[30307]: auth: Debug: http-client: peer 172.217.31.170:443 (http://172.217.31.170:443): Successfully connected (1 connections exist, 0 pending) dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443 (http://172.217.31.170:443): Using 1 idle connections to handle 1 requests (1 total connections ready) dovecot[30307]: auth: Debug: http-client[1]: queue https://www.googleapis.com:443: Connection to peer 172.217.31.170:443 (http://172.217.31.170:443) claimed request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo] dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 (http://172.217.31.170:443) [1]: Claimed request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo] dovecot[30307]: auth: Debug: http-client[1]: request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Sent header dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443 (http://172.217.31.170:443): No more requests to service for this peer (1 connections exist, 0 pending) dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 (http://172.217.31.170:443) [1]: Got 401 response for request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Unauthorized (took 46 ms + 59 ms in queue) dovecot[30307]: auth: Error: oauth2(fukudata,118.103.29.199,<mgm9vz25BTZ2Zx3H>): oauth2 failed: No 
username returned dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 (http://172.217.31.170:443) [1]: Response payload stream destroyed (0 ms after initial response) dovecot[30307]: auth: Debug: http-client[1]: request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Finished dovecot[30307]: auth: Debug: http-client[1]: queue https://www.googleapis.com:443: Dropping request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo] dovecot[30307]: auth: Debug: http-client: host www.googleapis.com (http://www.googleapis.com): Host is idle (timeout = 1799906 msecs) dovecot[30307]: auth: Debug: http-client[1]: request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Free (requests left=1) dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443 (http://172.217.31.170:443): No requests to service for this peer (1 connections exist, 0 pending) dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 (http://172.217.31.170:443) [1]: No more requests queued; going idle (timeout = 60000 msecs) dovecot[30307]: lmtp(30309): Connect from 10.243.148.174 dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.174 (http://10.243.148.174): Remote closed connection (state=READY) dovecot[30307]: lmtp(30320): Connect from 10.243.148.174 dovecot[30307]: lmtp(30320): Disconnect from 10.243.148.174 (http://10.243.148.174): Remote closed connection (state=READY) dovecot[30307]: lmtp(30320): Connect from 10.243.148.174 dovecot[30307]: lmtp(30320): Disconnect from 10.243.148.174 (http://10.243.148.174): Remote closed connection (state=READY) dovecot[30307]: lmtp(30309): Connect from 10.243.148.174 dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.174 (http://10.243.148.174): Remote closed connection (state=READY) dovecot[30307]: lmtp(30309): Connect from 10.243.148.110 dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.110 (http://10.243.148.110): Remote closed connection (state=READY) dovecot[30307]: lmtp(30309): Connect 
from 10.243.148.110 dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.110 (http://10.243.148.110): Remote closed connection (state=READY) dovecot[30307]: lmtp(30309): Connect from 10.243.148.110 dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.110 (http://10.243.148.110): Remote closed connection (state=READY) sshd[30475]: Connection closed by 10.243.150.20 port 48174 [preauth] dovecot[30307]: imap-login: Disconnected (auth service reported temporary failure): user=<fukudata>, method=PLAIN, rip=118.103.29.199, lip=10.243.150.190, session=<mgm9vz25BTZ2Zx3H> dovecot[30307]: lmtp(30317): Connect from 10.243.148.174 dovecot[30307]: lmtp(30317): Disconnect from 10.243.148.174 (http://10.243.148.174): Remote closed connection (state=READY)
I would appreciate your reply.
Yours faithfully,
On Tue, 19 Jan 2021 at 15:34 Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
On 19/01/2021 07:17 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
Dear Sir or Madam
Unable to build OAuth 2.0 authentication to Gmail using dovecot as proxy. I have a question about how to use dovecot as a proxy to perform OAuth 2.0 authentication to Gmail using a mail client.
The mail client is required, in this case, to provide a valid oauth2 bearer token. I don't think Google supports other ways.
- Is the following all I need to do to authenticate to Gmail using dovecot as a proxy?
- passdb
passdb {
driver = oauth2
mechanisms = oauthbearer xoauth2
args = /etc/dovecot/dovecot-oauth2.token.conf.ext
}
passdb {
driver = oauth2
mechanisms = plain login
args = /etc/dovecot/dovecot-oauth2.plain.conf.ext
}
The plain config is a way to do 'password grant' authentication. This is when a username and password are used to acquire a bearer token.
- create dovecot-oauth2.token.conf.ext and dovecot-oauth2.plain.conf.ext
- create gmail service account api
- grant_url in dovecot-oauth2.token.conf.ext and dovecot-oauth2.plain.conf.ext is the URL for obtaining a Google access token for a web server that I have built myself?
- I use a Gmail service account, so I don’t need a client ID and secret ID, right?
- Do I set introspection_url to the URL of my own web server with the access token used for authentication to Google as the response?
No. The introspection URL needs to point to a location where dovecot can figure out more information about the user with the token. If I recall correctly, the token endpoint
For gmail, you need to use https://www.googleapis.com/oauth2/v2/userinfo
- The documentation says “pass_attrs = host=127.0.0.1”, but if you are authenticating to Gmail, I should use “pass_attrs = proxy=y host=%{if;%s;eq;imap;imap.gmail.com;%{if;%s;eq;pop3;smtp.gmail.com;pop.gmail.com}} port=%{if;%s;eq;imap;993;%{if;%s;eq;pop3;587;465}} proxy_mech=xoauth2 pass=%{oauth2:access_token} user=%{oauth2:email oauth2:email}”?
I would use something more readable, like the passwd-file driver with username_format=%s.
The access token is also imported as %{token} in passdb.
- What is the difference between dovecot-oauth2.token.conf.ext and dovecot-oauth2.plain.conf.ext? Do I need to configure both?
I used https://doc.dovecot.org/configuration_manual/authentication/oauth2/#proxy as a reference. I would appreciate your reply.
Yours faithfully,
e-mail: taiki.fukuda@justsystems.com TEL: 03-5324-7900 mobile: 080-6198-7328
So this might work:
/etc/dovecot/oauth2-token.conf.ext
introspection_url = https://www.googleapis.com/oauth2/v2/userinfo
introspection_mode = auth
username_attribute = email
pass_attrs = proxy=y proxy_mech=xoauth2
/etc/dovecot/dovecot.conf
auth_mechanisms = xoauth2 oauthbearer
passdb {
driver = oauth2
args = /etc/dovecot/oauth2-token.conf.ext
result_success = continue-ok
}
passdb {
driver = passwd-file
args = username_format=%s /etc/dovecot/endpoints
skip = unauthenticated
}
/etc/dovecot/endpoints
imap::::::: host=imap.gmail.com
pop3::::::: host=pop3.gmail.com
submission::::::: host=smtp.gmail.com
Aki
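As I read the configuration above, there is no request parameter to set: with introspection_mode = auth the passdb sends the client's bearer token to introspection_url in an Authorization header and reads username_attribute (email) from the JSON reply. The following is an added example, my own code and not dovecot's or anyone's in this thread, that models that exchange offline so the 401 / "No username returned" path in the logs can be reproduced; the token, addresses and response bodies are constructed placeholders, and the decision logic is an assumption based on the log messages, not on dovecot's source.

```python
# Added example: my own code, not dovecot's and not from anyone in this thread.
# It models offline what Aki's oauth2-token.conf.ext makes the passdb do: with
# introspection_mode = auth the client's bearer token is sent to introspection_url
# in an Authorization header (there is no request parameter to set), and the
# username_attribute (email) is read from the JSON reply. lookup_endpoint models
# the passwd-file passdb with username_format=%s. The decision logic is an
# assumption based on the log messages, not on dovecot's source.
import base64
import json
from typing import Dict

INTROSPECTION_URL = "https://www.googleapis.com/oauth2/v2/userinfo"  # from the thread
USERNAME_ATTRIBUTE = "email"                                            # from the thread


def parse_xoauth2_initial_response(b64: str) -> Dict[str, str]:
    """Decode a SASL XOAUTH2 initial client response as seen in a rawlog.
    Wire format before base64: "user=<addr>\\x01auth=Bearer <token>\\x01\\x01"."""
    raw = base64.b64decode(b64).decode("utf-8")
    fields: Dict[str, str] = {}
    for part in raw.split("\x01"):
        if part:
            key, _, value = part.partition("=")
            fields[key] = value
    scheme, _, token = fields.get("auth", "").partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("XOAUTH2 initial response carries no Bearer token")
    return {"user": fields.get("user", ""), "token": token}


def build_introspection_request(token: str, url: str = INTROSPECTION_URL) -> bytes:
    """Request sent in introspection_mode = auth: the token travels only in the
    Authorization header, never as a query string or form parameter."""
    host, _, path = url.split("://", 1)[1].partition("/")
    return (
        f"GET /{path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Authorization: Bearer {token}\r\n"
        "Accept: application/json\r\n\r\n"
    ).encode("ascii")


def evaluate_introspection(status: int, body: bytes,
                           username_attribute: str = USERNAME_ATTRIBUTE) -> Dict[str, object]:
    """Model of the passdb decision: success needs HTTP 200 and the configured
    attribute. A 401 means the provider rejected the token itself, so nothing
    can be extracted and the passdb reports "No username returned"."""
    if status != 200:
        return {"ok": False, "username": None,
                "reason": f"HTTP {status}: provider rejected the token; no username returned"}
    try:
        fields = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return {"ok": False, "username": None, "reason": "response is not JSON"}
    username = fields.get(username_attribute) if isinstance(fields, dict) else None
    if not isinstance(username, str) or not username:
        return {"ok": False, "username": None,
                "reason": f"No username returned (missing '{username_attribute}')"}
    return {"ok": True, "username": username, "reason": "ok"}


def lookup_endpoint(endpoints_file: str, service: str) -> Dict[str, str]:
    """passwd-file lookup with username_format=%s: the key is the service name
    and the eighth column holds the extra fields (host=...) used for proxying."""
    for line in endpoints_file.splitlines():
        cols = line.strip().split(":")
        if len(cols) >= 8 and cols[0] == service:
            return dict(kv.split("=", 1) for kv in cols[7].split())
    raise KeyError(f"no endpoint for service {service!r}")


# Constructed sample data: the token and addresses are placeholders and the
# response bodies are made up, not captured from Gmail.
ENDPOINTS = """\
imap::::::: host=imap.gmail.com
pop3::::::: host=pop3.gmail.com
submission::::::: host=smtp.gmail.com
"""
SAMPLE_TOKEN = "ya29.EXAMPLE-TOKEN"
SAMPLE_XOAUTH2 = base64.b64encode(
    f"user=alice@example.com\x01auth=Bearer {SAMPLE_TOKEN}\x01\x01".encode()).decode()
BAD_XOAUTH2 = base64.b64encode(b"user=alice@example.com\x01auth=Basic abc\x01\x01").decode()
OK_BODY = b'{"id": "1", "email": "alice@example.com", "verified_email": true}'
REJECTED_BODY = b'{"error": {"code": 401, "message": "Invalid Credentials"}}'

if __name__ == "__main__":
    creds = parse_xoauth2_initial_response(SAMPLE_XOAUTH2)
    print(build_introspection_request(creds["token"]).decode())
    print(evaluate_introspection(401, REJECTED_BODY))  # the failure in the thread's log
    print(evaluate_introspection(200, OK_BODY))        # what a working setup returns
    print(lookup_endpoint(ENDPOINTS, "imap"))
```

One check the logs above already allow: the imap-login line reports method=PLAIN rather than XOAUTH2 or OAUTHBEARER, which is worth comparing against Aki's point that the client itself has to present a valid bearer token.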
Dear Mr. Tuomi,
Google is responding to me with Unauthorized. So I need to send my credentials, such as the access token, in the request parameters for authentication in Google's Get User API request. But I don't know how to configure dovecot to achieve that. Could you please help me with this?
Best regards,
1月 25 17:06:33 ip-10-243-150-190 dovecot[5955]: lmtp(5963): Disconnect from 10.243.148.110: Remote closed connection (state=READY)
1月 25 17:06:33 ip-10-243-150-190 dovecot[5955]: lmtp(5963): Connect from 10.243.148.174
1月 25 17:06:33 ip-10-243-150-190 dovecot[5955]: lmtp(5963): Disconnect from 10.243.148.174: Remote closed connection (state=READY)
1月 25 17:06:33 ip-10-243-150-190 dovecot[5955]: lmtp(5957): Connect from 10.243.148.174
1月 25 17:06:33 ip-10-243-150-190 dovecot[5955]: lmtp(5957): Disconnect from 10.243.148.174: Remote closed connection (state=READY)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: host www.googleapis.com: Host created
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: host www.googleapis.com: Host session created
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: host www.googleapis.com: Need to perform DNS lookup
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: host www.googleapis.com: Performing asynchronous DNS lookup
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client[1]: request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Submitted (requests left=1)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: host www.googleapis.com: DNS lookup successful; got 20 IPs
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: peer 172.217.31.138:443 (shared): Peer created
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: peer 172.217.31.138:443: Peer pool created
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client[1]: peer 172.217.31.138:443: Peer created
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client[1]: queue https://www.googleapis.com:443: Setting up connection to 172.217.31.138:443 (SSL=www.googleapis.com) (1 requests pending)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client[1]: peer 172.217.31.138:443: Linked queue https://www.googleapis.com:443 (1 queues linked)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client[1]: queue https://www.googleapis.com:443: Started new connection to 172.217.31.138:443 (SSL=www.googleapis.com)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client[1]: peer 172.217.31.138:443: Creating 1 new connections to handle requests (already 0 usable, connecting to 0, closing 0)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client[1]: peer 172.217.31.138:443: Making new connection 1 of 1 (0 connections exist, 0 pending)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: conn 172.217.31.138:443 [1]: Connecting
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: conn 172.217.31.138:443 [1]: Waiting for connect (fd=22) to finish for max 0 msecs
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: conn 172.217.31.138:443 [1]: HTTPS connection created (1 parallel connections exist)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: conn 172.217.31.138:443 [1]: Client connected (fd=22)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: conn 172.217.31.138:443 [1]: Connected
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: conn 172.217.31.138:443 [1]: Starting SSL handshake
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x10, ret=1: before/connect initialization
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: before/connect initialization
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv2/v3 write client hello A
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv2/v3 read server hello A
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv2/v3 read server hello A
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv2/v3 read server hello A
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read server hello A
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Received valid SSL certificate: /OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Received valid SSL certificate: /C=US/O=Google Trust Services/CN=GTS CA 1O1
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Received valid SSL certificate: /C=US/ST=California/L=Mountain View/O=Google LLC/CN=upload.video.google.com
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read server certificate A
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read server key exchange A
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read server done A
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 write client key exchange A
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 write change cipher spec A
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 write finished A
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 flush data
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv3 read finished A
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv3 read finished A
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv3 read finished A
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv3 read finished A
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read finished A
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x20, ret=1: SSL negotiation finished successfully
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=1: SSL negotiation finished successfully
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: conn 172.217.31.138:443 [1]: SSL handshake successful
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: conn 172.217.31.138:443 [1]: Ready for requests
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client[1]: peer 172.217.31.138:443: Successfully connected (1 connections exist, 0 pending)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: peer 172.217.31.138:443: Successfully connected (1 connections exist, 0 pending)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client[1]: peer 172.217.31.138:443: Using 1 idle connections to handle 1 requests (1 total connections ready)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client[1]: queue https://www.googleapis.com:443: Connection to peer 172.217.31.138:443 claimed request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: conn 172.217.31.138:443 [1]: Claimed request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client[1]: request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Sent header
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client[1]: peer 172.217.31.138:443: No more requests to service for this peer (1 connections exist, 0 pending)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: conn 172.217.31.138:443 [1]: Got 401 response for request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Unauthorized (took 50 ms + 66 ms in queue)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Error: oauth2(fukudata,118.103.29.199,<EYgxBLW5h812Zx3H>): oauth2 failed: No username returned
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: conn 172.217.31.138:443 [1]: Response payload stream destroyed (0 ms after initial response)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client[1]: request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Finished
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client[1]: queue https://www.googleapis.com:443: Dropping request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: host www.googleapis.com: Host is idle (timeout = 1799900 msecs)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client[1]: request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Free (requests left=1)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client[1]: peer 172.217.31.138:443: No requests to service for this peer (1 connections exist, 0 pending)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: conn 172.217.31.138:443 [1]: No more requests queued; going idle (timeout = 60000 msecs)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: lmtp(5957): Connect from 10.243.148.174
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: lmtp(5957): Disconnect from 10.243.148.174: Remote closed connection (state=READY)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: lmtp(5957): Connect from 10.243.148.174
〒163-6017 Sumitomo Fudosan Shinjuku Oak Tower, 6-8-1 Nishi-Shinjuku, Shinjuku-ku, Tokyo
JustSystems Corporation, Technology Planning Office, Information Systems Group
福田泰葵 (Taiki Fukuda)
e-mail: taiki.fukuda@justsystems.com ext.: 5158 TEL: 03-5324-7900 mobile: 080-6198-7328
On Fri, 22 Jan 2021 at 15:51 Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
Your emails come through to the mailing list; you can verify this from https://dovecot.org/pipermail/dovecot
Try turning on rawlogs for the oauth2 requests and see what Google is sending you?
You can also try log_debug=category=oauth2 (2.3.13) to get more debug logs from oauth2.
Aki
On 22/01/2021 02:51 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
Dear Mr. Tuomi,
This is just to remind you that I haven't received your response to the e-mail I sent you. I'm afraid my e-mail may not have reached you. If you have any questions or concerns, please let me know.
Best regards,
On Tue, 19 Jan 2021 at 18:52 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
On 25/01/2021 10:12 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
Dear Mr. Tuomi
Google is responding to me as Unauthorized. So I need to send my credentials, such as an access token, in the request parameter for authentication in Google's Get User API request. But I don't know how to configure dovecot to achieve that. Could you please help me with this?
Best regards,
Sumitomo Fudosan Shinjuku Oak Tower, 6-8-1 Nishi-Shinjuku, Shinjuku-ku, Tokyo 163-6017
JustSystems Corporation, Technology Planning Office, Information Systems Group, Taiki Fukuda (福田泰葵)
e-mail: taiki.fukuda@justsystems.com
ext.: 5158
TEL: 03-5324-7900
mobile: 080-6198-7328
Did you try the debugging things I mentioned? Your logs do not indicate that you did.
So,
- Try turning on rawlogs for the oauth2 requests and see what Google is sending you?
- You can also try log_debug=category=oauth2 (2.3.13) to get more debug logs from oauth2.
Aki
Yes. In my last email, I sent you the log of the result of running with oauth debug logging enabled.
/etc/dovecot/conf.d/10-logging.conf:
On Mon, 25 Jan 2021 at 17:16, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
Did you try the debugging things I mentioned? Your logs do not indicate that you did.
So,
- Try turning on rawlogs for the oauth2 requests and see what google is sending you?
- You can also try log_debug=category=oauth2 (2.3.13) to get more debug logs from oauth2.
Aki
Yes. In my last email, I sent you the log of the result of running with oauth debug logging enabled.
/etc/dovecot/conf.d/10-logging.conf:
##
## Logging verbosity and debugging.
##

# Log filter is a space-separated list conditions. If any of the conditions
# match, the log filter matches (i.e. they're ORed together). Parenthesis
# are supported if multiple conditions need to be matched together.
# Supported conditions are:
# event:<name wildcard> - Match event name. '*' and '?' wildcards supported.
# source:<filename>[:<line number>] - Match source code filename [and line]
# field:<key>=<value wildcard> - Match field key to a value. Can be specified
#   multiple times to match multiple keys.
# cat[egory]:<value> - Match a category. Can be specified multiple times to
#   match multiple categories.
# For example: event:http_request_* (cat:error cat:storage)

# Filter to specify what debug logging to enable. This will eventually replace
# mail_debug and auth_debug settings.
log_debug=category=oauth2
On Mon, 25 Jan 2021 at 17:24, 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
Yes. In my last email, I sent you the log of the result of running with oauth debug logging enabled.
/etc/dovecot/conf.d/10-logging.conf:
Yes, however I still cannot see rawlogs.
Aki
On 25/01/2021 10:25 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
Yes. In my last email, I sent you the log of the result of running with oauth debug logging enabled.
/etc/dovecot/conf.d/10-logging.conf:
Dear Mr. Tuomi
I have added the setting rawlog_dir = /tmp/oauth2 to /etc/dovecot/dovecot-oauth2.conf.ext
However, /tmp/oauth2 was not created.
Best regards,
On Tue, 26 Jan 2021 at 15:45, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
Yes, however I still cannot see rawlogs.
Aki
That is because you are using systemd, where the unit file, by default, has PrivateTmp=yes.
You can look under /tmp for the dovecot private tmp directory and create the directory there, or you can temporarily disable this security measure.
systemctl edit dovecot
[Service]
PrivateTmp=no
systemctl daemon-reload
systemctl restart dovecot
Aki
On 26/01/2021 10:57 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
Dear Mr. Tuomi
I have added the setting rawlog_dir = /tmp/oauth2 to /etc/dovecot/dovecot-oauth2.conf.ext
However, /tmp/oauth2 was not created.
Best regards,
Dear Mr. Tuomi
Sorry, I have added the setting PrivateTmp=no to /etc/systemd/system/dovecot.service.d/override.conf
However, /tmp/oauth2 was not created.
Best regards,
On Tue, 26 Jan 2021 at 18:01, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
That is because you are using systemd, where the unit file, by default, has PrivateTmp=yes.
You can look under /tmp for the dovecot private tmp directory and create the directory there, or you can temporarily disable this security measure.
systemctl edit dovecot
[Service]
PrivateTmp=no
systemctl daemon-reload
systemctl restart dovecot
Aki
No, the directory must exist. I'm sorry I wasn't clear enough when I replied last time, but dovecot will not create the directory. You need to create it and make it writable.
Aki
On 26/01/2021 11:09 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
Dear Mr. Tuomi
Sorry, I have added the setting PrivateTmp=no to /etc/systemd/system/dovecot.service.d/override.conf
However, /tmp/oauth2 was not created.
Best regards,
Dear Mr. Tuomi
Thank you for the instruction. I was able to output rawlogs. The following is the result.
20210126-184744.22221.1.in:
1611654464.207331 HTTP/1.1 401 Unauthorized
1611654464.207331 Cache-Control: no-cache, no-store, max-age=0, must-revalidate
1611654464.207331 Pragma: no-cache
1611654464.207331 Expires: Mon, 01 Jan 1990 00:00:00 GMT
1611654464.207331 Date: Tue, 26 Jan 2021 09:47:44 GMT
1611654464.207331 Vary: X-Origin
1611654464.207331 Vary: Referer
1611654464.207331 Content-Type: application/json; charset=UTF-8
1611654464.207331 Server: ESF
1611654464.207331 X-XSS-Protection: 0
1611654464.207331 X-Frame-Options: SAMEORIGIN
1611654464.207331 X-Content-Type-Options: nosniff
1611654464.207331 Alt-Svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
1611654464.207331 Accept-Ranges: none
1611654464.207331 Vary: Origin,Accept-Encoding
1611654464.207331 Transfer-Encoding: chunked
1611654464.207331
1611654464.207331 130
1611654464.207331 {
1611654464.207331 "error": {
1611654464.207331 "code": 401,
1611654464.207331 "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
1611654464.207331 "status": "UNAUTHENTICATED"
1611654464.207331 }
1611654464.207331 }
1611654464.207331
1611654464.207737 0
1611654464.207737
20210126-184744.22221.1.out:
1611654464.165704 GET /oauth2/v2/userinfo HTTP/1.1
1611654464.165704 Host: www.googleapis.com
1611654464.165704 Date: Tue, 26 Jan 2021 09:47:44 GMT
1611654464.165704 User-Agent: dovecot-oauth2-passdb/2.3.13
1611654464.165704 Connection: Keep-Alive
1611654464.165727 Authorization: Bearer ??????
1611654464.165730
Best regards,
On Tue, 26 Jan 2021 at 18:35, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
No, the directory must exist. I'm sorry I wasn't clear enough when I replied last time, but dovecot will not create the directory. You need to create it and make it writable.
Aki
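The rawlog pair above (.out = the request Dovecot sent, .in = Google's reply) is the first thing to read when introspection fails, so here is a small parser and diagnosis script for it, added here as an example and not code from Dovecot or from anyone in the thread. It assumes the rawlog layout shown above (a unix timestamp in front of every raw HTTP line), uses the RFC 6750 b64token grammar as the syntax check on the bearer token, and the helper names are the example's own.

```python
"""Diagnose a failed Dovecot oauth2 introspection request from its rawlog pair.

Added example, not Dovecot's own code. It assumes the rawlog layout shown in the
thread: every line is "<unix timestamp> <raw HTTP line>", .out holds the request
Dovecot sent to introspection_url, .in holds the reply. Helper names are my own.
"""
import json
import re
from typing import Dict, List, Optional

# RFC 6750 s2.1: b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")
_TS_PREFIX = re.compile(r"^\d+\.\d+ ?")      # e.g. "1611654464.207331 "
_CHUNK_SIZE = re.compile(r"^[0-9A-Fa-f]+$")  # hex chunk-size line of a chunked body

# Constructed sample: the request/response pair from the thread, headers abridged.
RAWLOG_OUT = "\n".join([
    "1611654464.165704 GET /oauth2/v2/userinfo HTTP/1.1",
    "1611654464.165704 Host: www.googleapis.com",
    "1611654464.165704 User-Agent: dovecot-oauth2-passdb/2.3.13",
    "1611654464.165727 Authorization: Bearer ??????",
    "1611654464.165730",
])
RAWLOG_IN = "\n".join([
    "1611654464.207331 HTTP/1.1 401 Unauthorized",
    "1611654464.207331 Content-Type: application/json; charset=UTF-8",
    "1611654464.207331 Vary: X-Origin",
    "1611654464.207331 Vary: Referer",
    "1611654464.207331 Transfer-Encoding: chunked",
    "1611654464.207331",
    "1611654464.207331 130",
    "1611654464.207331 {",
    '1611654464.207331   "error": {',
    '1611654464.207331     "code": 401,',
    '1611654464.207331     "message": "Request is missing required authentication '
    'credential. Expected OAuth 2 access token, login cookie or other valid credential.",',
    '1611654464.207331     "status": "UNAUTHENTICATED"',
    "1611654464.207331   }",
    "1611654464.207331 }",
    "1611654464.207331",
    "1611654464.207737 0",
    "1611654464.207737",
])

def strip_timestamps(rawlog: str) -> List[str]:
    """Drop the per-line timestamp the rawlog writer prepends to each HTTP line."""
    return [_TS_PREFIX.sub("", line, count=1) for line in rawlog.splitlines()]

def parse_http(lines: List[str]) -> Dict:
    """Split one HTTP message into start line, lower-cased headers and body text.
    Repeated headers are joined with ", ". A chunked body is reassembled by dropping
    the hex chunk-size lines and the final "0" chunk (enough for a JSON error body).
    """
    headers: Dict[str, str] = {}
    idx = 1
    while idx < len(lines) and lines[idx] != "":
        name, _, value = lines[idx].partition(":")
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
        idx += 1
    body_lines = lines[idx + 1:]
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body_lines = [ln for ln in body_lines if ln and not _CHUNK_SIZE.match(ln)]
    return {"start_line": lines[0], "headers": headers, "body": "\n".join(body_lines)}

def bearer_token_ok(authorization: str) -> bool:
    """True when the header value is "Bearer <b64token>" as RFC 6750 defines it."""
    scheme, _, token = authorization.partition(" ")
    return scheme == "Bearer" and bool(_B64TOKEN.match(token))

def diagnose(out_rawlog: str, in_rawlog: str) -> Dict:
    """Explain why the introspection request failed, from the request/response pair."""
    req = parse_http(strip_timestamps(out_rawlog))
    resp = parse_http(strip_timestamps(in_rawlog))
    method, path, _ = req["start_line"].split(" ", 2)
    status = int(resp["start_line"].split(" ", 2)[1])
    auth = req["headers"].get("authorization", "")
    error: Optional[Dict] = None
    if resp["headers"].get("content-type", "").startswith("application/json"):
        try:
            error = json.loads(resp["body"]).get("error")
        except (json.JSONDecodeError, AttributeError):
            error = None
    if not isinstance(error, dict):
        error = None
    findings: List[str] = []
    if not auth:
        findings.append("request carried no Authorization header")
    elif not bearer_token_ok(auth):
        findings.append("bearer token is not an RFC 6750 b64token (placeholder, garbled or "
                        "redacted); the passdb forwards the client's XOAUTH2/OAUTHBEARER "
                        "token unchanged, so check what the mail client actually sent")
    if status == 401 and error and error.get("status") == "UNAUTHENTICATED":
        findings.append("endpoint saw no usable credential (UNAUTHENTICATED): the token is "
                        "missing or is not an access token this endpoint accepts")
    return {"method": method, "path": path, "status": status,
            "authorization_present": bool(auth), "token_syntax_ok": bearer_token_ok(auth),
            "error_status": error.get("status") if error else None, "findings": findings}
```

Call diagnose(RAWLOG_OUT, RAWLOG_IN) and read the findings list; on the sample from the thread it reports both the malformed bearer token and the UNAUTHENTICATED rejection, which is the same pair of facts the raw files show.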
Dear Mr. Tuomi
Do you have any idea how to solve this problem?
Best regards,
On Tue, 26 Jan 2021 at 18:51, 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
Dear Mr. Tuomi
Thank you for the instruction. I was able to output rawlogs. The following is the result.
20210126-184744.22221.1.in:
1611654464.207331 HTTP/1.1 401 Unauthorized 1611654464.207331 Cache-Control: no-cache, no-store, max-age=0, must-revalidate 1611654464.207331 Pragma: no-cache 1611654464.207331 Expires: Mon, 01 Jan 1990 00:00:00 GMT 1611654464.207331 Date: Tue, 26 Jan 2021 09:47:44 GMT 1611654464.207331 Vary: X-Origin 1611654464.207331 Vary: Referer 1611654464.207331 Content-Type: application/json; charset=UTF-8 1611654464.207331 Server: ESF 1611654464.207331 X-XSS-Protection: 0 1611654464.207331 X-Frame-Options: SAMEORIGIN 1611654464.207331 X-Content-Type-Options: nosniff 1611654464.207331 Alt-Svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" 1611654464.207331 Accept-Ranges: none 1611654464.207331 Vary: Origin,Accept-Encoding 1611654464.207331 Transfer-Encoding: chunked 1611654464.207331 1611654464.207331 130 1611654464.207331 { 1611654464.207331 "error": { 1611654464.207331 "code": 401, 1611654464.207331 "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.", 1611654464.207331 "status": "UNAUTHENTICATED" 1611654464.207331 } 1611654464.207331 } 1611654464.207331 1611654464.207737 0 1611654464.207737
20210126-184744.22221.1.out:
1611654464.165704 GET /oauth2/v2/userinfo HTTP/1.1
1611654464.165704 Host: www.googleapis.com
1611654464.165704 Date: Tue, 26 Jan 2021 09:47:44 GMT
1611654464.165704 User-Agent: dovecot-oauth2-passdb/2.3.13
1611654464.165704 Connection: Keep-Alive
1611654464.165727 Authorization: Bearer ??????
1611654464.165730
Best regards,
On Tue, 26 Jan 2021 at 18:35, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
No, the directory must exist. I'm sorry I wasn't clear enough when I replied last time, but dovecot will not create the directory. You need to create it and make it writable.
Aki
On 26/01/2021 11:09 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
Dear Mr. Tuomi
Sorry, I have added the setting PrivateTmp=no to /etc/systemd/system/dovecot.service.d/override.conf. However, /tmp/oauth2 was not created.
Best regards,
On Tue, 26 Jan 2021 at 18:01, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
That is because you are using systemd, where the unit file, by default, has PrivateTmp=yes.
You can look under /tmp for the dovecot private tmp directory and create the directory there, or you can temporarily disable this security measure.
systemctl edit dovecot
[Service]
PrivateTmp=no
systemctl daemon-reload
systemctl restart dovecot
Aki
On 26/01/2021 10:57 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
Dear Mr. Tuomi
I have added the setting rawlog_dir = /tmp/oauth2 to /etc/dovecot/dovecot-oauth2.conf.ext
However, /tmp/oauth2 was not created.
Best regards,
On Tue, 26 Jan 2021 at 15:45, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
Yes, however I still cannot see rawlogs.
Aki
> On 25/01/2021 10:25 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
> Yes. In my last email, I sent you the log of the result of running with oauth debug logging enabled.
> /etc/dovecot/conf.d/10-logging.conf:
> ##
> ## Logging verbosity and debugging.
> ##
>
> # Log filter is a space-separated list conditions. If any of the conditions
> # match, the log filter matches (i.e. they're ORed together). Parenthesis
> # are supported if multiple conditions need to be matched together.
> # Supported conditions are:
> # event:<name wildcard> - Match event name. '*' and '?' wildcards supported.
> # source:<filename>[:<line number>] - Match source code filename [and line]
> # field:<key>=<value wildcard> - Match field key to a value. Can be specified
> # multiple times to match multiple keys.
> # cat[egory]:<value> - Match a category. Can be specified multiple times to
> # match multiple categories.
> # For example: event:http_request_* (cat:error cat:storage)
>
> # Filter to specify what debug logging to enable. This will eventually replace
> # mail_debug and auth_debug settings.
> log_debug=category=oauth2
Your clue is in the log:
1611654464.207331 "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
1611654464.207331 "status": "UNAUTHENTICATED"
1611654464.207331 }
On Thu, 28 Jan 2021 at 09:25, 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
Dear Mr. Tuomi
Do you have any idea how to solve this problem?
--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
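The rawlog pair quoted earlier in the thread (the .out request Dovecot sent to the introspection URL and the 401 .in reply) is where the clue sits. As an added example, not code from the thread or from Dovecot, the Python checker below strips the per-line capture timestamps, parses both files, and reports what the Authorization header actually carried next to the error Google returned; it assumes the one-timestamped-line-per-HTTP-line layout the excerpt implies, and the sample inputs are constructed copies of that excerpt.

```python
from __future__ import annotations

import json
import re

# Each rawlog line starts with a "<unix seconds>.<usec> " capture
# timestamp; the layout is assumed from the excerpt in the thread.
_TS_PREFIX = re.compile(r"^\d+\.\d+ ?")
_CHUNK_SIZE = re.compile(r"^[0-9A-Fa-f]+(;.*)?$")   # chunked framing lines ("130", "0")
# RFC 6750 b64token syntax for the credential after "Bearer ".
_B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")


def strip_timestamps(raw: str) -> list[str]:
    """Drop the capture timestamps, leaving one HTTP line per entry."""
    return [_TS_PREFIX.sub("", line) for line in raw.splitlines()]


def split_message(lines: list[str]) -> tuple[str, dict[str, str], list[str]]:
    """Split HTTP text into (start line, lower-cased headers, body lines)."""
    headers: dict[str, str] = {}
    i = 1
    while i < len(lines) and lines[i].strip() != "":
        name, _, value = lines[i].partition(":")
        headers[name.strip().lower()] = value.strip()
        i += 1
    return lines[0], headers, lines[i + 1:]


def body_text(headers: dict[str, str], body_lines: list[str]) -> str:
    """Return the body; for chunked bodies drop the hex chunk-size lines only."""
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body_lines = [l for l in body_lines if not _CHUNK_SIZE.match(l.strip())]
    return "\n".join(body_lines).strip()


def classify_bearer(headers: dict[str, str]) -> str:
    """What the Authorization header carried: missing/empty/malformed/present."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer":
        return "missing"
    token = token.strip()
    if not token:
        return "empty"
    if not _B64TOKEN.match(token):
        return "malformed"  # e.g. a placeholder such as "??????"
    return "present"


def diagnose(out_raw: str, in_raw: str) -> dict:
    """Correlate the .out request with the .in reply of one rawlog pair."""
    req_line, req_hdr, _ = split_message(strip_timestamps(out_raw))
    resp_line, resp_hdr, resp_body = split_message(strip_timestamps(in_raw))
    try:
        err = json.loads(body_text(resp_hdr, resp_body)).get("error", {})
    except (ValueError, AttributeError):
        err = {}
    return {
        "request": req_line,
        "host": req_hdr.get("host", ""),
        "bearer": classify_bearer(req_hdr),
        "http_status": int(resp_line.split()[1]),
        "error_status": err.get("status", ""),
        "error_message": err.get("message", ""),
    }


def verdict(d: dict) -> str:
    """One-line reading of the diagnosis for the operator."""
    where = f"{d['host']} ({d['request']})"
    if d["http_status"] == 401 and d["bearer"] != "present":
        return (f"{where} answered 401 {d['error_status']}: the Bearer credential "
                f"Dovecot sent was {d['bearer']}; confirm the mail client supplied "
                f"a real access token (and that the log was not redacted)")
    if d["http_status"] == 401:
        return f"{where} answered 401 {d['error_status']} despite a Bearer token: {d['error_message']}"
    return f"{where} answered HTTP {d['http_status']}"


# Constructed copies of the two rawlog files quoted in the thread.
SAMPLE_OUT = """\
1611654464.165704 GET /oauth2/v2/userinfo HTTP/1.1
1611654464.165704 Host: www.googleapis.com
1611654464.165704 User-Agent: dovecot-oauth2-passdb/2.3.13
1611654464.165727 Authorization: Bearer ??????
1611654464.165730"""

SAMPLE_IN = """\
1611654464.207331 HTTP/1.1 401 Unauthorized
1611654464.207331 Content-Type: application/json; charset=UTF-8
1611654464.207331 Transfer-Encoding: chunked
1611654464.207331
1611654464.207331 130
1611654464.207331 {"error": {"code": 401, "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential.", "status": "UNAUTHENTICATED"}}
1611654464.207737 0
1611654464.207737"""

if __name__ == "__main__":
    print(verdict(diagnose(SAMPLE_OUT, SAMPLE_IN)))
```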
Google is responding to me as Unauthorized. So I need to send my credentials such as access token in the request parameter for authentication in google’s Get User API request. But I don’t know how to configure dovecot to achieve that. Could you please help me with this?
Best regards,
On Fri, 29 Jan 2021 at 3:30, Odhiambo Washington <odhiambo@gmail.com> wrote:
Your clue is in the log:
1611654464.207331 "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
1611654464.207331 "status": "UNAUTHENTICATED"
1611654464.207331 }
You broke this thread. In the original thread, I remember seeing Aki gave you the configuration which he believed might work. The next thing I thought was for you to go to https://developers.google.com/identity/sign-in/web/devconsole-project and get an access token.
PS: I have never configured this kind of thing so I was only following the thread to try and understand what it entails.
On Fri, 29 Jan 2021 at 04:00, 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
Google is responding to me as Unauthorized. So I need to send my credentials such as access token in the request parameter for authentication in google’s Get User API request. But I don’t know how to configure dovecot to achieve that. Could you please help me with this?
Dear Mr. Tuomi
I created a gmail service account, and I have implemented the process of getting an access token using a gmail service account.
https://developers.google.com/identity/protocols/oauth2/service-account
I think I then need to set the grant_url to a URL that returns an access token and send that access token to the introspection_url, is that correct?
Best regards,
On Fri, 29 Jan 2021 at 17:58, Odhiambo Washington <odhiambo@gmail.com> wrote:
You broke this thread. In the original thread, I remember seeing Aki gave you the configuration which he believed might work. The next thing I thought was for you to go to https://developers.google.com/identity/sign-in/web/devconsole-project and get an access token.
PS: I have never configured this kind of thing so I was only following the thread to try and understand what it entails.
On Fri, 29 Jan 2021 at 04:00, 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
Google is responding to me as Unauthorized. So I need to send my credentials such as access token in the request parameter for authentication in google’s Get User API request. But I don’t know how to configure dovecot to achieve that. Could you please help me with this?
Best regards,
〒163-6017 東京都新宿区西新宿6-8-1 住友不動産新宿オークタワー 株式会社 ジャストシステム 技術企画室 情報システムグループ 福田泰葵 e-mail: taiki.fukuda@justsystems.com 内線: 5158 TEL: 03-5324-7900 mobile: 080-6198-7328
2021年1月29日(金) 3:30 Odhiambo Washington <odhiambo@gmail.com>:
Your clue is in the log:
1611654464.207331 "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.", 1611654464.207331 "status": "UNAUTHENTICATED" 1611654464.207331 }
On Thu, 28 Jan 2021 at 09:25, 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
Dear Mr. Tuomi
Do you have any idea how to solve this problem?
Best regards,
〒163-6017 東京都新宿区西新宿6-8-1 住友不動産新宿オークタワー 株式会社 ジャストシステム 技術企画室 情報システムグループ 福田泰葵 e-mail: taiki.fukuda@justsystems.com 内線: 5158 TEL: 03-5324-7900 mobile: 080-6198-7328
On Tue, 26 Jan 2021 at 18:51, 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
Dear Mr. Tuomi
Thank you for the instruction. I was able to output rawlogs. The following is the result.
20210126-184744.22221.1.in:
1611654464.207331 HTTP/1.1 401 Unauthorized
1611654464.207331 Cache-Control: no-cache, no-store, max-age=0, must-revalidate
1611654464.207331 Pragma: no-cache
1611654464.207331 Expires: Mon, 01 Jan 1990 00:00:00 GMT
1611654464.207331 Date: Tue, 26 Jan 2021 09:47:44 GMT
1611654464.207331 Vary: X-Origin
1611654464.207331 Vary: Referer
1611654464.207331 Content-Type: application/json; charset=UTF-8
1611654464.207331 Server: ESF
1611654464.207331 X-XSS-Protection: 0
1611654464.207331 X-Frame-Options: SAMEORIGIN
1611654464.207331 X-Content-Type-Options: nosniff
1611654464.207331 Alt-Svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
1611654464.207331 Accept-Ranges: none
1611654464.207331 Vary: Origin,Accept-Encoding
1611654464.207331 Transfer-Encoding: chunked
1611654464.207331
1611654464.207331 130
1611654464.207331 {
1611654464.207331 "error": {
1611654464.207331 "code": 401,
1611654464.207331 "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
1611654464.207331 "status": "UNAUTHENTICATED"
1611654464.207331 }
1611654464.207331 }
1611654464.207331
1611654464.207737 0
1611654464.207737
20210126-184744.22221.1.out:
1611654464.165704 GET /oauth2/v2/userinfo HTTP/1.1
1611654464.165704 Host: www.googleapis.com
1611654464.165704 Date: Tue, 26 Jan 2021 09:47:44 GMT
1611654464.165704 User-Agent: dovecot-oauth2-passdb/2.3.13
1611654464.165704 Connection: Keep-Alive
1611654464.165727 Authorization: Bearer ??????
1611654464.165730
Best regards,
On Tue, 26 Jan 2021 at 18:35, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
No, the directory must exist. I'm sorry I wasn't clear enough when I replied last time, but dovecot will not create the directory. You need to create it and make it writable.
Aki
> On 26/01/2021 11:09 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
>
> Dear Mr. Tuomi
>
> Sorry, I have added the setting PrivateTmp=no to /etc/systemd/system/dovecot.service.d/override.conf
> However, /tmp/oauth2 was not created.
>
> Best regards,
>
> On Tue, 26 Jan 2021 at 18:01, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
> > That is because you are using systemd, where the unit file, by default, has PrivateTmp=yes.
> >
> > You can look under /tmp for dovecot private tmp directory and create the directory there, or you can temporarily disable this security measure.
> >
> > systemctl edit dovecot
> >
> > [Service]
> > PrivateTmp=no
> >
> > systemctl daemon-reload
> > systemctl restart dovecot
> >
> > Aki
> >
> > > On 26/01/2021 10:57 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
> > >
> > > Dear Mr. Tuomi
> > >
> > > I have added the setting rawlog_dir = /tmp/oauth2 to /etc/dovecot/dovecot-oauth2.conf.ext
> > > However, /tmp/oauth2 was not created.
> > >
> > > Best regards,
> > >
> > > On Tue, 26 Jan 2021 at 15:45, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
> > > > Yes, however I still cannot see rawlogs.
> > > >
> > > > Aki
> > > >
> > > > > On 25/01/2021 10:25 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
> > > > >
> > > > > Yes. In my last email, I sent you the log of the result of running with oauth debug logging enabled.
> > > > > /etc/dovecot/conf.d/10-logging.conf:
> > > > > ##
> > > > > ## Logging verbosity and debugging.
> > > > > ##
> > > > >
> > > > > # Log filter is a space-separated list conditions. If any of the conditions
> > > > > # match, the log filter matches (i.e. they're ORed together). Parenthesis
> > > > > # are supported if multiple conditions need to be matched together.
> > > > > # Supported conditions are:
> > > > > #   event:<name wildcard> - Match event name. '*' and '?' wildcards supported.
> > > > > #   source:<filename>[:<line number>] - Match source code filename [and line]
> > > > > #   field:<key>=<value wildcard> - Match field key to a value. Can be specified
> > > > > #     multiple times to match multiple keys.
> > > > > #   cat[egory]:<value> - Match a category. Can be specified multiple times to
> > > > > #     match multiple categories.
> > > > > # For example: event:http_request_* (cat:error cat:storage)
> > > > >
> > > > > # Filter to specify what debug logging to enable. This will eventually replace
> > > > > # mail_debug and auth_debug settings.
> > > > > log_debug=category=oauth2
> > > > >
> > > > > On Mon, 25 Jan 2021 at 17:16, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
> > > > > > > On 25/01/2021 10:12 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
> > > > > > >
> > > > > > > Dear Mr. Tuomi
> > > > > > > Google is responding to me as Unauthorized.
> > > > > > > So I need to send my credentials such as access token in the request parameter for authentication in google’s Get User API request.
> > > > > > > But I don’t know how to configure dovecot to achieve that.
> > > > > > > Could you please help me with this?
> > > > > > > Best regards,
> > > > > >
> > > > > > Did you try the debugging things I mentioned? Your logs do not indicate that you did.
> > > > > >
> > > > > > So,
> > > > > >
> > > > > > - Try turning on rawlogs for the oauth2 requests and see what google is sending you?
> > > > > > - You can also try log_debug=category=oauth2 (2.3.13) to get more debug logs from oauth2.
> > > > > >
> > > > > > Aki
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", grep ^[^#] :-)
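The rawlog pair in the Jan 26 message above shows the whole check Dovecot performs for a token login: the bearer token the mail client presented is forwarded unchanged in an Authorization: Bearer header of a GET to the introspection_url (here Google's /oauth2/v2/userinfo), and the login stands or falls on what comes back. The following Python is an added example, not code from the thread's participants or from the Dovecot project; it reproduces that check offline. It decodes the SASL XOAUTH2 and OAUTHBEARER initial responses a client sends, parses a rawlog '.in' capture into status and body (the 401 capture is abridged from the message above; the 200 capture, the user and the token are constructed), and returns the passdb verdict. The userinfo JSON layout and the username attribute 'email' are assumptions for the example.

```python
"""Added example; not code from the thread's participants or from the Dovecot project.
Reproduces offline what Dovecot's oauth2 passdb does for a token login checked against an
introspection_url (here Google's userinfo endpoint): extract the bearer token from the SASL
initial client response, read what the server answered from a Dovecot HTTP rawlog '.in'
capture, and pass the login only on HTTP 200 with a matching username attribute.
The 401 rawlog is abridged from the thread; user, token and the 200 rawlog are constructed."""
import base64
import json
import re

SAMPLE_USER = "user@example.com"                # constructed
SAMPLE_TOKEN = "ya29.EXAMPLE-not-a-real-token"  # constructed placeholder, not a Google token

RAWLOG_401 = """\
1611654464.207331 HTTP/1.1 401 Unauthorized
1611654464.207331 Content-Type: application/json; charset=UTF-8
1611654464.207331 Transfer-Encoding: chunked
1611654464.207331
1611654464.207331 130
1611654464.207331 {
1611654464.207331 "error": {
1611654464.207331 "code": 401,
1611654464.207331 "message": "Request is missing required authentication credential.",
1611654464.207331 "status": "UNAUTHENTICATED"
1611654464.207331 }
1611654464.207331 }
1611654464.207331
1611654464.207737 0
"""
RAWLOG_200 = """\
1611654500.000000 HTTP/1.1 200 OK
1611654500.000000 Content-Type: application/json; charset=UTF-8
1611654500.000000
1611654500.000000 {"id": "1234567890", "email": "user@example.com", "verified_email": true}
"""


def xoauth2_initial_response(user, token):
    """SASL XOAUTH2 initial client response: 'user=<u>^Aauth=Bearer <t>^A^A', base64-encoded."""
    return base64.b64encode(f"user={user}\x01auth=Bearer {token}\x01\x01".encode()).decode()


def oauthbearer_initial_response(user, token, host="imap.example.com", port=993):
    """RFC 7628 OAUTHBEARER initial client response: GS2 header, then ^A-separated key=value."""
    raw = f"n,a={user},\x01host={host}\x01port={port}\x01auth=Bearer {token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()


def parse_sasl_oauth(b64):
    """Return (mechanism, user, token) from either initial response; ValueError if malformed."""
    raw = base64.b64decode(b64).decode()
    if raw.startswith("user="):
        mech, user = "XOAUTH2", re.match(r"user=([^\x01]+)\x01", raw)
    elif raw.startswith("n,"):
        mech, user = "OAUTHBEARER", re.match(r"n,a=([^,]*),", raw)
    else:
        raise ValueError("not an XOAUTH2/OAUTHBEARER initial response")
    auth = re.search(r"auth=Bearer ([^\x01 ]+)\x01", raw)
    if not user or not auth:
        raise ValueError("missing user or auth=Bearer field")
    return mech, user.group(1), auth.group(1)


def parse_rawlog_response(text):
    """Parse a rawlog '.in' capture ('<epoch.usec> <data>' per line) into (status, headers, body).
    Chunked bodies are handled line-wise (hex size lines and the final '0' dropped): enough for
    the JSON error bodies in the thread, not a full chunk decoder."""
    lines = [re.sub(r"^\d+\.\d+ ?", "", ln) for ln in text.splitlines()]
    status = int(lines[0].split()[1])
    headers, i = {}, 1
    while i < len(lines) and lines[i]:
        name, _, value = lines[i].partition(":")
        headers.setdefault(name.strip(), value.strip())
        i += 1
    payload = [ln for ln in lines[i + 1:] if ln]
    if headers.get("Transfer-Encoding") == "chunked":
        payload = [ln for ln in payload if not re.fullmatch(r"[0-9a-fA-F]+", ln)]
    return status, headers, "\n".join(payload)


def evaluate_introspection(status, body, login_user, username_attribute="email"):
    """Passdb verdict (ok, reason): only HTTP 200 with username_attribute == login user passes;
    anything else, including Google's 401 UNAUTHENTICATED, is an authentication failure."""
    if status != 200:
        try:
            err = json.loads(body).get("error", {})
            return False, err.get("status") or err.get("message") or f"HTTP {status}"
        except (ValueError, AttributeError):
            return False, f"HTTP {status}"
    found = json.loads(body).get(username_attribute)
    if found is None:
        return False, f"response has no '{username_attribute}' attribute"
    if found != login_user:
        return False, f"token is for {found}, login user is {login_user}"
    return True, "ok"


def check_login(sasl_b64, rawlog_in):
    """Token from the client (it is what Dovecot puts in 'Authorization: Bearer' towards the
    introspection_url; not sent here), verdict from what the server answered."""
    _, user, _token = parse_sasl_oauth(sasl_b64)
    status, _, body = parse_rawlog_response(rawlog_in)
    return evaluate_introspection(status, body, user)


if __name__ == "__main__":
    resp = xoauth2_initial_response(SAMPLE_USER, SAMPLE_TOKEN)
    print(check_login(resp, RAWLOG_401))  # (False, 'UNAUTHENTICATED'), as in the thread's capture
    print(check_login(resp, RAWLOG_200))  # (True, 'ok')
```

Run as a script it prints the two verdicts. The first reproduces the capture above: the passdb fails the login with UNAUTHENTICATED because Google did not recognise what arrived in the Authorization header as an access token, so the problem is in the token the client presented rather than in how Dovecot built the request.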
Possibly, not sure. Give it a try?
Aki
On 01/02/2021 13:09 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
Dear Mr. Tuomi
I created a Gmail service account, and I have implemented the process of getting an access token using a Gmail service account.
https://developers.google.com/identity/protocols/oauth2/service-account
I think I then need to set the grant_url to a URL that returns an access token and send that access token to the introspection_url, is that correct?
There was also the point about rawlogs. Did you try that?
Aki
On 25/01/2021 10:24 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
Yes. In my last email, I sent you the log of the result of running with oauth debug logging enabled.
/etc/dovecot/conf.d/10-logging.conf:
On Mon, 25 Jan 2021 at 17:16, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
On 25/01/2021 10:12 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
Dear Mr. Tuomi
Google is responding to me as Unauthorized.
So I need to send my credentials such as access token in the request parameter for authentication in google’s Get User API request.
But I don’t know how to configure dovecot to achieve that.
Could you please help me with this?
Best regards,
Did you try the debugging things I mentioned? Your logs do not indicate that you did.
So,
- Try turning on rawlogs for the oauth2 requests and see what google is sending you?
- You can also try log_debug=category=oauth2 (2.3.13) to get more debug logs from oauth2.
Aki
participants (3)
- Aki Tuomi
- Odhiambo Washington
- 福田泰葵