Dovecot Gmail OAuth2.0 Setting Question
Dear Sir or Madam
I am unable to build OAuth 2.0 authentication to Gmail using dovecot as a proxy. I have a question about how to use dovecot as a proxy to perform OAuth 2.0 authentication to Gmail using a mail client.
1. Is the following all I need to do to authenticate to Gmail using dovecot as a proxy?

   passdb {
     driver = oauth2
     mechanisms = oauthbearer xoauth2
     args = /etc/dovecot/dovecot-oauth2.token.conf.ext
   }
   passdb {
     driver = oauth2
     mechanisms = plain login
     args = /etc/dovecot/dovecot-oauth2.plain.conf.ext
   }

   - create dovecot-oauth2.token.conf.ext and dovecot-oauth2.plain.conf.ext
   - create a Gmail service account API
2. Is grant_url in dovecot-oauth2.token.conf.ext and dovecot-oauth2.plain.conf.ext the URL for obtaining a Google access token for a web server that I have built myself?
3. I use a Gmail service account, so I don't need a client ID and secret ID, right?
4. Do I set introspection_url to the URL of my own web server, with the access token used for authentication to Google as the response?
5. The documentation says "pass_attrs = host=127.0.0.1", but if I am authenticating to Gmail, should I use "pass_attrs = proxy=y host=%{if;%s;eq;imap;imap.gmail.com;%{if;%s;eq;pop3;smtp.gmail.com;pop.gmail.com}} port=%{if;%s;eq;imap;993;%{if;%s;eq;pop3;587;465}} proxy_mech=xoauth2 pass=%{oauth2:access_token} user=%{oauth2:email oauth2:email}"?
6. What is the difference between dovecot-oauth2.token.conf.ext and dovecot-oauth2.plain.conf.ext? Do I need to configure both?
I used https://doc.dovecot.org/configuration_manual/authentication/oauth2/#proxy as a reference. I would appreciate your reply.
Yours faithfully,
e-mail: taiki.fukuda@justsystems.com TEL: 03-5324-7900 mobile: 080-6198-7328
On 19/01/2021 07:17 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
Dear Sir or Madam,
I am unable to build OAuth 2.0 authentication to Gmail using dovecot as a proxy. I have a question about how to use dovecot as a proxy to perform OAuth 2.0 authentication to Gmail using a mail client.
The mail client is required, in this case, to provide a valid OAuth2 bearer token. I don't think Google supports other ways.
- Is the following all I need to do to authenticate to Gmail using dovecot as a proxy?

  passdb {
    driver = oauth2
    mechanisms = oauthbearer xoauth2
    args = /etc/dovecot/dovecot-oauth2.token.conf.ext
  }
  passdb {
    driver = oauth2
    mechanisms = plain login
    args = /etc/dovecot/dovecot-oauth2.plain.conf.ext
  }
The plain config is a way to do 'password grant' authentication. This is when a username and password are used to acquire a bearer token.
- create dovecot-oauth2.token.conf.ext and dovecot-oauth2.plain.conf.ext
- create gmail service account api
- Is grant_url in dovecot-oauth2.token.conf.ext and dovecot-oauth2.plain.conf.ext the URL for obtaining a Google access token for a web server that I have built myself?
- I use a Gmail service account, so I don’t need a client ID and secret ID, right?
- Do I set introspection_url to the URL of my own web server with the access token used for authentication to Google as the response?
No. The introspection URL needs to point to a location where dovecot can figure out more information about the user with the token. If I recall correctly, the token endpoint
For Gmail, you need to use https://www.googleapis.com/oauth2/v2/userinfo
- The documentation says "pass_attrs = host=127.0.0.1", but if I am authenticating to Gmail, should I use "pass_attrs = proxy=y host=%{if;%s;eq;imap;imap.gmail.com;%{if;%s;eq;pop3;smtp.gmail.com;pop.gmail.com}} port=%{if;%s;eq;imap;993;%{if;%s;eq;pop3;587;465}} proxy_mech=xoauth2 pass=%{oauth2:access_token} user=%{oauth2:email oauth2:email}"?
I would use something more readable, like the passwd-file driver with username_format=%s.
The access token is also imported as %{token} in passdb.
- What is the difference between dovecot-oauth2.token.conf.ext and dovecot-oauth2.plain.conf.ext? Do I need to configure both?
I used https://doc.dovecot.org/configuration_manual/authentication/oauth2/#proxy as a reference. I would appreciate your reply.
Yours faithfully,
So this might work
/etc/dovecot/oauth2-token.conf.ext:

  introspection_url = https://www.googleapis.com/oauth2/v2/userinfo
  introspection_mode = auth
  username_attribute = email
  pass_attrs = proxy=y proxy_mech=xoauth2

/etc/dovecot/dovecot.conf:

  auth_mechanisms = xoauth2 oauthbearer
  passdb {
    driver = oauth2
    args = /etc/dovecot/oauth2-token.conf.ext
    result_success = continue-ok
  }
  passdb {
    driver = passwd-file
    args = username_format=%s /etc/dovecot/endpoints
    skip = unauthenticated
  }

/etc/dovecot/endpoints:

  imap:::::::host=imap.gmail.com
  pop3:::::::host=pop.gmail.com
  submission:::::::host=smtp.gmail.com
Aki
Thank you for your reply. But I need more help.
How do I set the request parameters of https://www.googleapis.com/oauth2/v2/userinfo?
Logs:
dovecot[30307]: lmtp(30320): Connect from 10.243.148.174
dovecot[30307]: lmtp(30320): Disconnect from 10.243.148.174: Remote closed connection (state=READY)
dovecot[30307]: auth: Debug: http-client: host www.googleapis.com: Host created
dovecot[30307]: auth: Debug: http-client: host www.googleapis.com: Host session created
dovecot[30307]: auth: Debug: http-client: host www.googleapis.com: Need to perform DNS lookup
dovecot[30307]: auth: Debug: http-client: host www.googleapis.com: Performing asynchronous DNS lookup
dovecot[30307]: auth: Debug: http-client[1]: request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Submitted (requests left=1)
dovecot[30307]: auth: Debug: http-client: host www.googleapis.com: DNS lookup successful; got 20 IPs
dovecot[30307]: auth: Debug: http-client: peer 172.217.31.170:443 (shared): Peer created
dovecot[30307]: auth: Debug: http-client: peer 172.217.31.170:443: Peer pool created
dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443: Peer created
dovecot[30307]: auth: Debug: http-client[1]: queue https://www.googleapis.com:443: Setting up connection to 172.217.31.170:443 (SSL=www.googleapis.com) (1 requests pending)
dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443: Linked queue https://www.googleapis.com:443 (1 queues linked)
dovecot[30307]: auth: Debug: http-client[1]: queue https://www.googleapis.com:443: Started new connection to 172.217.31.170:443 (SSL=www.googleapis.com)
dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443: Creating 1 new connections to handle requests (already 0 usable, connecting to 0, closing 0)
dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443: Making new connection 1 of 1 (0 connections exist, 0 pending)
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Connecting
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Waiting for connect (fd=22) to finish for max 0 msecs
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: HTTPS connection created (1 parallel connections exist)
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Client connected (fd=22)
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Connected
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Starting SSL handshake
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x10, ret=1: before/connect initialization
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: before/connect initialization
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv2/v3 write client hello A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv2/v3 read server hello A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv2/v3 read server hello A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv2/v3 read server hello A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read server hello A
dovecot[30307]: auth: Received valid SSL certificate: /OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
dovecot[30307]: auth: Received valid SSL certificate: /C=US/O=Google Trust Services/CN=GTS CA 1O1
dovecot[30307]: auth: Received valid SSL certificate: /C=US/ST=California/L=Mountain View/O=Google LLC/CN=upload.video.google.com
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read server certificate A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read server key exchange A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read server done A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 write client key exchange A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 write change cipher spec A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 write finished A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 flush data
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv3 read finished A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv3 read finished A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv3 read finished A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv3 read finished A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read finished A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x20, ret=1: SSL negotiation finished successfully
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=1: SSL negotiation finished successfully
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: SSL handshake successful
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Ready for requests
dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443: Successfully connected (1 connections exist, 0 pending)
dovecot[30307]: auth: Debug: http-client: peer 172.217.31.170:443: Successfully connected (1 connections exist, 0 pending)
dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443: Using 1 idle connections to handle 1 requests (1 total connections ready)
dovecot[30307]: auth: Debug: http-client[1]: queue https://www.googleapis.com:443: Connection to peer 172.217.31.170:443 claimed request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Claimed request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]
dovecot[30307]: auth: Debug: http-client[1]: request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Sent header
dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443: No more requests to service for this peer (1 connections exist, 0 pending)
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Got 401 response for request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Unauthorized (took 46 ms + 59 ms in queue)
dovecot[30307]: auth: Error: oauth2(fukudata,118.103.29.199,<mgm9vz25BTZ2Zx3H>): oauth2 failed: No username returned
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Response payload stream destroyed (0 ms after initial response)
dovecot[30307]: auth: Debug: http-client[1]: request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Finished
dovecot[30307]: auth: Debug: http-client[1]: queue https://www.googleapis.com:443: Dropping request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]
dovecot[30307]: auth: Debug: http-client: host www.googleapis.com: Host is idle (timeout = 1799906 msecs)
dovecot[30307]: auth: Debug: http-client[1]: request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Free (requests left=1)
dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443: No requests to service for this peer (1 connections exist, 0 pending)
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: No more requests queued; going idle (timeout = 60000 msecs)
dovecot[30307]: lmtp(30309): Connect from 10.243.148.174
dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.174: Remote closed connection (state=READY)
dovecot[30307]: lmtp(30320): Connect from 10.243.148.174
dovecot[30307]: lmtp(30320): Disconnect from 10.243.148.174: Remote closed connection (state=READY)
dovecot[30307]: lmtp(30320): Connect from 10.243.148.174
dovecot[30307]: lmtp(30320): Disconnect from 10.243.148.174: Remote closed connection (state=READY)
dovecot[30307]: lmtp(30309): Connect from 10.243.148.174
dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.174: Remote closed connection (state=READY)
dovecot[30307]: lmtp(30309): Connect from 10.243.148.110
dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.110: Remote closed connection (state=READY)
dovecot[30307]: lmtp(30309): Connect from 10.243.148.110
dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.110: Remote closed connection (state=READY)
dovecot[30307]: lmtp(30309): Connect from 10.243.148.110
dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.110: Remote closed connection (state=READY)
sshd[30475]: Connection closed by 10.243.150.20 port 48174 [preauth]
dovecot[30307]: imap-login: Disconnected (auth service reported temporary failure): user=<fukudata>, method=PLAIN, rip=118.103.29.199, lip=10.243.150.190, session=<mgm9vz25BTZ2Zx3H>
dovecot[30307]: lmtp(30317): Connect from 10.243.148.174
dovecot[30307]: lmtp(30317): Disconnect from 10.243.148.174: Remote closed connection (state=READY)
I would appreciate your reply.
Yours faithfully,
On 19 Jan 2021 (Tue) at 15:34, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
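An added example, not code from the thread or from Dovecot, modelling the flow in Aki's suggested configuration and the failure in the log above: the SASL XOAUTH2 initial response the client presents, the introspection_mode = auth lookup that sends the token to the userinfo URL as a Bearer header and reads username_attribute = email, and the passwd-file lookup keyed by service (username_format=%s) that picks the Gmail backend host. The userinfo endpoint, the token value and the user address are constructed stubs, so nothing here contacts Google.

```python
import base64
import json

# Constructed sample of the /etc/dovecot/endpoints file from the thread
# (passwd-file format: user:password:uid:gid:gecos:home:shell:extra_fields,
# with the service name in the user field).
ENDPOINTS_FILE = """\
imap:::::::host=imap.gmail.com
pop3:::::::host=pop.gmail.com
submission:::::::host=smtp.gmail.com
"""

# Constructed token; a real Google access token would come from the client.
VALID_TOKEN = "ya29.constructed-sample-token"


def parse_passwd_file(text):
    """Map the first field (here the service name) to its extra fields."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":", 7)  # at most 8 fields
        extra = fields[7] if len(fields) == 8 else ""
        attrs = dict(item.split("=", 1) for item in extra.split() if "=" in item)
        table[fields[0]] = attrs
    return table


def xoauth2_initial_response(user, token):
    """Build the base64 SASL XOAUTH2 initial client response:
    'user=<addr>^Aauth=Bearer <token>^A^A' (^A is 0x01)."""
    raw = f"user={user}\x01auth=Bearer {token}\x01\x01".encode()
    return base64.b64encode(raw).decode()


def parse_xoauth2_initial_response(b64):
    """Inverse of xoauth2_initial_response; returns (user, token)."""
    raw = base64.b64decode(b64).decode()
    kv = dict(part.split("=", 1) for part in raw.rstrip("\x01").split("\x01"))
    scheme, _, token = kv["auth"].partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("malformed XOAUTH2 initial response")
    return kv["user"], token


def introspect(userinfo_endpoint, token, username_attribute="email"):
    """Mimic introspection_mode = auth: GET the userinfo URL with an
    'Authorization: Bearer' header and take the username from the named
    attribute. A non-200 reply or a missing attribute yields None, the
    case Dovecot logs as 'oauth2 failed: No username returned'."""
    status, body = userinfo_endpoint({"Authorization": f"Bearer {token}"})
    if status != 200:
        return None
    return json.loads(body).get(username_attribute)


def proxy_decision(service, token, endpoints, userinfo_endpoint):
    """Combine the oauth2 passdb (continue-ok) with the passwd-file passdb
    keyed by service to decide where the session is proxied."""
    username = introspect(userinfo_endpoint, token)
    if username is None:
        return {"result": "fail", "reason": "No username returned"}
    host = endpoints.get(service, {}).get("host")
    if host is None:
        return {"result": "fail", "reason": f"no endpoint for {service}"}
    return {"result": "proxy", "user": username, "host": host,
            "proxy_mech": "xoauth2"}


def stub_userinfo(headers):
    """Constructed stand-in for https://www.googleapis.com/oauth2/v2/userinfo:
    200 with an email claim for the valid token, 401 for anything else."""
    if headers.get("Authorization") == f"Bearer {VALID_TOKEN}":
        return 200, json.dumps({"id": "1", "email": "user@example.com",
                                "verified_email": True})
    return 401, json.dumps({"error": {"code": 401,
                                      "message": "Invalid Credentials"}})


if __name__ == "__main__":
    endpoints = parse_passwd_file(ENDPOINTS_FILE)
    blob = xoauth2_initial_response("user@example.com", VALID_TOKEN)
    user, token = parse_xoauth2_initial_response(blob)
    print(proxy_decision("imap", token, endpoints, stub_userinfo))
    print(proxy_decision("imap", "expired-token", endpoints, stub_userinfo))
```

In the thread's log the userinfo call returned 401 and the login was made with method=PLAIN; in this model a rejected token takes the same path to "No username returned".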
Dear Mr. Tuomi,
This is just to remind you that I haven’t received your response to my e-mail I sent you. I’m afraid my e-mail may not have reached you. If you have any questions or concerns, please let me know.
Best regards,
On 19 Jan 2021 (Tue) at 18:52, 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
Your emails come through to the mailing list; you can verify this at https://dovecot.org/pipermail/dovecot
Try turning on rawlogs for the oauth2 requests and see what google is sending you?
You can also try log_debug=category=oauth2 (2.3.13) to get more debug logs from oauth2.
Aki
On 22/01/2021 02:51 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
www.googleapis.com (http://www.googleapis.com): SSL: where=0x20, ret=1: SSL negotiation finished successfully dovecot[30307]: auth: Debug: www.googleapis.com (http://www.googleapis.com): SSL: where=0x1002, ret=1: SSL negotiation finished successfully dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 (http://172.217.31.170:443) [1]: SSL handshake successful dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 (http://172.217.31.170:443) [1]: Ready for requests dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443 (http://172.217.31.170:443): Successfully connected (1 connections exist, 0 pending) dovecot[30307]: auth: Debug: http-client: peer 172.217.31.170:443 (http://172.217.31.170:443): Successfully connected (1 connections exist, 0 pending) dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443 (http://172.217.31.170:443): Using 1 idle connections to handle 1 requests (1 total connections ready) dovecot[30307]: auth: Debug: http-client[1]: queue https://www.googleapis.com:443: Connection to peer 172.217.31.170:443 (http://172.217.31.170:443) claimed request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo] dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 (http://172.217.31.170:443) [1]: Claimed request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo] dovecot[30307]: auth: Debug: http-client[1]: request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Sent header dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443 (http://172.217.31.170:443): No more requests to service for this peer (1 connections exist, 0 pending) dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 (http://172.217.31.170:443) [1]: Got 401 response for request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Unauthorized (took 46 ms + 59 ms in queue) dovecot[30307]: auth: Error: oauth2(fukudata,118.103.29.199,<mgm9vz25BTZ2Zx3H>): oauth2 failed: No 
username returned dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 (http://172.217.31.170:443) [1]: Response payload stream destroyed (0 ms after initial response) dovecot[30307]: auth: Debug: http-client[1]: request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Finished dovecot[30307]: auth: Debug: http-client[1]: queue https://www.googleapis.com:443: Dropping request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo] dovecot[30307]: auth: Debug: http-client: host www.googleapis.com (http://www.googleapis.com): Host is idle (timeout = 1799906 msecs) dovecot[30307]: auth: Debug: http-client[1]: request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Free (requests left=1) dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443 (http://172.217.31.170:443): No requests to service for this peer (1 connections exist, 0 pending) dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 (http://172.217.31.170:443) [1]: No more requests queued; going idle (timeout = 60000 msecs) dovecot[30307]: lmtp(30309): Connect from 10.243.148.174 dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.174 (http://10.243.148.174): Remote closed connection (state=READY) dovecot[30307]: lmtp(30320): Connect from 10.243.148.174 dovecot[30307]: lmtp(30320): Disconnect from 10.243.148.174 (http://10.243.148.174): Remote closed connection (state=READY) dovecot[30307]: lmtp(30320): Connect from 10.243.148.174 dovecot[30307]: lmtp(30320): Disconnect from 10.243.148.174 (http://10.243.148.174): Remote closed connection (state=READY) dovecot[30307]: lmtp(30309): Connect from 10.243.148.174 dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.174 (http://10.243.148.174): Remote closed connection (state=READY) dovecot[30307]: lmtp(30309): Connect from 10.243.148.110 dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.110 (http://10.243.148.110): Remote closed connection (state=READY) dovecot[30307]: lmtp(30309): Connect 
from 10.243.148.110 dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.110 (http://10.243.148.110): Remote closed connection (state=READY) dovecot[30307]: lmtp(30309): Connect from 10.243.148.110 dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.110 (http://10.243.148.110): Remote closed connection (state=READY) sshd[30475]: Connection closed by 10.243.150.20 port 48174 [preauth] dovecot[30307]: imap-login: Disconnected (auth service reported temporary failure): user=<fukudata>, method=PLAIN, rip=118.103.29.199, lip=10.243.150.190, session=<mgm9vz25BTZ2Zx3H> dovecot[30307]: lmtp(30317): Connect from 10.243.148.174 dovecot[30307]: lmtp(30317): Disconnect from 10.243.148.174 (http://10.243.148.174): Remote closed connection (state=READY)
I would appreciate your reply.

Yours faithfully,

On Tue, 19 Jan 2021 at 15:34, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
On 19/01/2021 07:17 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
Dear Sir or Madam

Unable to build OAuth 2.0 authentication to Gmail using dovecot as proxy. I have a question about how to use dovecot as a proxy to perform OAuth 2.0 authentication to Gmail using a mail client.
The mail client is required, in this case, to provide a valid oauth2 bearer token. I don't think Google supports other ways.
- Is the following all I need to do to authenticate to Gmail using dovecot as a proxy?
- passdb

passdb {
  driver = oauth2
  mechanisms = oauthbearer xoauth2
  args = /etc/dovecot/dovecot-oauth2.token.conf.ext
}
passdb {
  driver = oauth2
  mechanisms = plain login
  args = /etc/dovecot/dovecot-oauth2.plain.conf.ext
}
The plain config is a way to do 'password grant' authentication. This is when a username and password are used to acquire a bearer token.
- create dovecot-oauth2.token.conf.ext and dovecot-oauth2.plain.conf.ext
- create gmail service account api
- grant_url in dovecot-oauth2.token.conf.ext and dovecot-oauth2.plain.conf.ext is the URL for obtaining a Google access token from a web server that I have built myself?
- I use a Gmail service account, so I don’t need a client ID and secret ID, right?
- Do I set introspection_url to the URL of my own web server with the access token used for authentication to Google as the response?
No. The introspection URL needs to point to a location where dovecot can figure out more information about the user with the token. If I recall correctly, the token endpoint
For gmail, you need to use https://www.googleapis.com/oauth2/v2/userinfo
- The documentation says “pass_attrs = host=127.0.0.1”, but if you are authenticating to Gmail, I should use “pass_attrs = proxy=y host=%{if;%s;eq;imap;imap.gmail.com;%{if;%s;eq;pop3;smtp.gmail.com;pop.gmail.com}} port=%{if;%s;eq;imap;993;%{if;%s;eq;pop3;587;465}} proxy_mech=xoauth2 pass=%{oauth2:access_token} user=%{oauth2:email oauth2:email}”?
I would use something more readable, like the passwd-file driver with username_format=%s.
The access token is also imported as %{token} in passdb.
- What is the difference between dovecot-oauth2.token.conf.ext and dovecot-oauth2.plain.conf.ext? Do I need to configure both?

I used https://doc.dovecot.org/configuration_manual/authentication/oauth2/#proxy as a reference. I would appreciate your reply.

Yours faithfully,
e-mail: taiki.fukuda@justsystems.com TEL: 03-5324-7900 mobile: 080-6198-7328
So this might work
/etc/dovecot/oauth2-token.conf.ext
introspection_url = https://www.googleapis.com/oauth2/v2/userinfo
introspection_mode = auth
username_attribute = email
pass_attrs = proxy=y proxy_mech=xoauth2
/etc/dovecot/dovecot.conf
auth_mechanisms = xoauth2 oauthbearer
passdb {
  driver = oauth2
  args = /etc/dovecot/oauth2-token.conf.ext
  result_success = continue-ok
}

passdb {
  driver = passwd-file
  args = username_format=%s /etc/dovecot/endpoints
  skip = unauthenticated
}
/etc/dovecot/endpoints
imap::::::: host=imap.gmail.com
pop3::::::: host=pop3.gmail.com
submission::::::: host=smtp.gmail.com
Aki
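A small Python simulation of the two-passdb flow sketched above, added here as an illustration; it is not Dovecot's code and uses none of its APIs. With introspection_mode = auth the auth process sends the client's token as a Bearer credential in a GET to introspection_url and takes the username from the JSON attribute named by username_attribute; a 401 from the endpoint, or a body without that attribute, is what surfaces as "oauth2 failed: No username returned" in the log above. The second passdb is a passwd-file keyed by the service name (username_format=%s), parsed here from the endpoints lines in the reply, and the last step builds the SASL XOAUTH2 initial client response that proxy_mech=xoauth2 sends to the backend. The HTTP transport is injected, so the endpoint responses are constructed and the code runs offline; the token value and alice@example.com are placeholders. One detail worth checking against the log above: the imap-login line shows method=PLAIN, so in that attempt the string introspected at Google was whatever the client supplied as its password.

```python
import base64
import json
from typing import Callable, Dict, Optional, Tuple

USERINFO_URL = "https://www.googleapis.com/oauth2/v2/userinfo"

# Stand-in for /etc/dovecot/endpoints, copied from the reply above. passwd-file
# format: user:password:uid:gid:gecos:home:shell:extra-fields, keyed by service.
ENDPOINTS_FILE = """\
imap::::::: host=imap.gmail.com
pop3::::::: host=pop3.gmail.com
submission::::::: host=smtp.gmail.com
"""

# HTTP GET stand-in: (url, headers) -> (status, body). Injected so the example
# never touches the network.
HttpGet = Callable[[str, Dict[str, str]], Tuple[int, str]]


def introspect_auth_mode(token: str, http_get: HttpGet,
                         username_attribute: str = "email") -> Optional[str]:
    """introspection_mode=auth: GET the introspection URL with the client's
    token as a Bearer credential and read the username from the JSON field
    named by username_attribute. None on any failure, which Dovecot reports
    as 'oauth2 failed: No username returned'."""
    status, body = http_get(USERINFO_URL, {"Authorization": "Bearer " + token})
    if status != 200:
        return None
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return None
    value = data.get(username_attribute) if isinstance(data, dict) else None
    return value if isinstance(value, str) and value else None


def parse_passwd_file(text: str) -> Dict[str, Dict[str, str]]:
    """Map each passwd-file key to its extra fields (eighth column,
    space-separated key=value pairs)."""
    table: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        extra = fields[7] if len(fields) > 7 else ""
        attrs: Dict[str, str] = {}
        for item in extra.split():
            key, _, val = item.partition("=")
            attrs[key] = val
        table[fields[0]] = attrs
    return table


def lookup_proxy_host(service: str, endpoints: str = ENDPOINTS_FILE) -> Optional[str]:
    """passwd-file passdb with username_format=%s: the lookup key is the
    service name (imap, pop3, submission), not the login name."""
    return parse_passwd_file(endpoints).get(service, {}).get("host")


def xoauth2_initial_response(user: str, token: str) -> str:
    """SASL XOAUTH2 initial client response: base64 of
    'user=<u>^Aauth=Bearer <t>^A^A', as sent with proxy_mech=xoauth2."""
    raw = "user={}\x01auth=Bearer {}\x01\x01".format(user, token)
    return base64.b64encode(raw.encode()).decode()


def decode_xoauth2_initial_response(b64: str) -> Optional[Tuple[str, str]]:
    """Inverse of the above: the (user, token) pair a backend parses out."""
    raw = base64.b64decode(b64).decode()
    if not raw.endswith("\x01\x01"):
        return None
    pairs = dict(p.split("=", 1) for p in raw[:-2].split("\x01") if "=" in p)
    auth = pairs.get("auth", "")
    if not auth.startswith("Bearer "):
        return None
    return pairs.get("user", ""), auth[len("Bearer "):]


def proxy_decision(service: str, token: str,
                   http_get: HttpGet) -> Optional[Dict[str, str]]:
    """Run the two passdbs in order: the passwd-file lookup happens only when
    the oauth2 passdb succeeded (result_success = continue-ok on the first,
    skip = unauthenticated on the second)."""
    user = introspect_auth_mode(token, http_get)
    if user is None:
        return None
    host = lookup_proxy_host(service)
    if host is None:
        return None
    return {"user": user, "host": host, "proxy_mech": "xoauth2",
            "initial_response": xoauth2_initial_response(user, token)}


# Constructed userinfo endpoint that accepts exactly one placeholder token.
VALID_TOKEN = "ya29.placeholder-token"


def fake_userinfo(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    if url != USERINFO_URL:
        return 404, ""
    if headers.get("Authorization") != "Bearer " + VALID_TOKEN:
        # A missing or invalid bearer credential yields 401, as in the log above.
        return 401, json.dumps({"error": "invalid_token"})  # constructed body
    return 200, json.dumps({"email": "alice@example.com", "verified_email": True})


if __name__ == "__main__":
    print(proxy_decision("imap", VALID_TOKEN, fake_userinfo))
    print(proxy_decision("imap", "expired", fake_userinfo))
```

Swapping fake_userinfo for a real HTTPS GET reproduces outside Dovecot exactly the request the auth process makes, which is the quickest way to tell whether a 401 comes from the token itself or from the Dovecot configuration.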
Dear Mr. Tuomi
Google is responding to me with Unauthorized. So I need to send my credentials, such as the access token, in the request parameters for authentication in Google's Get User API request. But I don't know how to configure dovecot to achieve that. Could you please help me with this?
Best regards,
1月 25 17:06:33 ip-10-243-150-190 dovecot[5955]: lmtp(5963): Disconnect from 10.243.148.110: Remote closed connection (state=READY)
1月 25 17:06:33 ip-10-243-150-190 dovecot[5955]: lmtp(5963): Connect from 10.243.148.174
1月 25 17:06:33 ip-10-243-150-190 dovecot[5955]: lmtp(5963): Disconnect from 10.243.148.174: Remote closed connection (state=READY)
1月 25 17:06:33 ip-10-243-150-190 dovecot[5955]: lmtp(5957): Connect from 10.243.148.174
1月 25 17:06:33 ip-10-243-150-190 dovecot[5955]: lmtp(5957): Disconnect from 10.243.148.174: Remote closed connection (state=READY)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: host www.googleapis.com: Host created
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: host www.googleapis.com: Host session created
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: host www.googleapis.com: Need to perform DNS lookup
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: host www.googleapis.com: Performing asynchronous DNS lookup
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client[1]: request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Submitted (requests left=1)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: host www.googleapis.com: DNS lookup successful; got 20 IPs
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: peer 172.217.31.138:443 (shared): Peer created
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: peer 172.217.31.138:443: Peer pool created
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client[1]: peer 172.217.31.138:443: Peer created
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client[1]: queue https://www.googleapis.com:443: Setting up connection to 172.217.31.138:443 (SSL=www.googleapis.com) (1 requests pending)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client[1]: peer 172.217.31.138:443: Linked queue https://www.googleapis.com:443 (1 queues linked)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client[1]: queue https://www.googleapis.com:443: Started new connection to 172.217.31.138:443 (SSL=www.googleapis.com)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client[1]: peer 172.217.31.138:443: Creating 1 new connections to handle requests (already 0 usable, connecting to 0, closing 0)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client[1]: peer 172.217.31.138:443: Making new connection 1 of 1 (0 connections exist, 0 pending)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: conn 172.217.31.138:443 [1]: Connecting
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: conn 172.217.31.138:443 [1]: Waiting for connect (fd=22) to finish for max 0 msecs
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: conn 172.217.31.138:443 [1]: HTTPS connection created (1 parallel connections exist)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: conn 172.217.31.138:443 [1]: Client connected (fd=22)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: conn 172.217.31.138:443 [1]: Connected
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: conn 172.217.31.138:443 [1]: Starting SSL handshake
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x10, ret=1: before/connect initialization
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: before/connect initialization
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv2/v3 write client hello A
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv2/v3 read server hello A
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv2/v3 read server hello A
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv2/v3 read server hello A
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read server hello A
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Received valid SSL certificate: /OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Received valid SSL certificate: /C=US/O=Google Trust Services/CN=GTS CA 1O1
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Received valid SSL certificate: /C=US/ST=California/L=Mountain View/O=Google LLC/CN=upload.video.google.com
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read server certificate A
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read server key exchange A
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read server done A
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 write client key exchange A
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 write change cipher spec A
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 write finished A
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 flush data
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv3 read finished A
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv3 read finished A
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv3 read finished A
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv3 read finished A
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read finished A
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x20, ret=1: SSL negotiation finished successfully
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=1: SSL negotiation finished successfully
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: conn 172.217.31.138:443 [1]: SSL handshake successful
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: conn 172.217.31.138:443 [1]: Ready for requests
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client[1]: peer 172.217.31.138:443: Successfully connected (1 connections exist, 0 pending)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: peer 172.217.31.138:443: Successfully connected (1 connections exist, 0 pending)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client[1]: peer 172.217.31.138:443: Using 1 idle connections to handle 1 requests (1 total connections ready)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client[1]: queue https://www.googleapis.com:443: Connection to peer 172.217.31.138:443 claimed request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: conn 172.217.31.138:443 [1]: Claimed request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client[1]: request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Sent header
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client[1]: peer 172.217.31.138:443: No more requests to service for this peer (1 connections exist, 0 pending)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: conn 172.217.31.138:443 [1]: Got 401 response for request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Unauthorized (took 50 ms + 66 ms in queue)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Error: oauth2(fukudata,118.103.29.199,<EYgxBLW5h812Zx3H>): oauth2 failed: No username returned
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: conn 172.217.31.138:443 [1]: Response payload stream destroyed (0 ms after initial response)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client[1]: request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Finished
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client[1]: queue https://www.googleapis.com:443: Dropping request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: host www.googleapis.com: Host is idle (timeout = 1799900 msecs)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client[1]: request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Free (requests left=1)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client[1]: peer 172.217.31.138:443: No requests to service for this peer (1 connections exist, 0 pending)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug: http-client: conn 172.217.31.138:443 [1]: No more requests queued; going idle (timeout = 60000 msecs)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: lmtp(5957): Connect from 10.243.148.174
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: lmtp(5957): Disconnect from 10.243.148.174: Remote closed connection (state=READY)
1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: lmtp(5957): Connect from 10.243.148.174
〒163-6017 Sumitomo Fudosan Shinjuku Oak Tower, 6-8-1 Nishi-Shinjuku, Shinjuku-ku, Tokyo
JustSystems Corporation, Technology Planning Office, Information Systems Group
福田泰葵
e-mail: taiki.fukuda@justsystems.com ext.: 5158 TEL: 03-5324-7900 mobile: 080-6198-7328
On Fri, 22 Jan 2021 at 15:51, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
Your emails come through to the mailing list; you can verify this from https://dovecot.org/pipermail/dovecot
Try turning on rawlogs for the oauth2 requests and see what Google is sending you?
You can also try log_debug=category=oauth2 (2.3.13) to get more debug logs from oauth2.
Aki
On 22/01/2021 02:51 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
Dear Mr. Tuomi,
This is just to remind you that I haven’t received your response to the e-mail I sent you. I’m afraid my e-mail may not have reached you. If you have any questions or concerns, please let me know.
Best regards,
2021年1月19日(火) 18:52 福田泰葵 <taiki.fukuda@justsystems.com>:
On 25/01/2021 10:12 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
Dear Mr. Tuomi
Google is responding to me with Unauthorized. So I need to send my credentials, such as the access token, in the request parameter for authentication in Google's Get User API request. But I don't know how to configure dovecot to achieve that. Could you please help me with this?
Best regards,
〒163-6017 6-8-1 Nishi-Shinjuku, Shinjuku-ku, Tokyo, Sumitomo Fudosan Shinjuku Oak Tower
JustSystems Corporation, Technology Planning Office, Information Systems Group, Taiki Fukuda
e-mail: taiki.fukuda@justsystems.com ext.: 5158 TEL: 03-5324-7900
mobile: 080-6198-7328
Did you try the debugging things I mentioned? Your logs do not indicate that you did.
So,
- Try turning on rawlogs for the oauth2 requests and see what Google is sending you.
- You can also try log_debug=category=oauth2 (2.3.13) to get more debug logs from oauth2.
Aki
Yes. In my last email, I sent you the log of the result of running with oauth debug logging enabled.
/etc/dovecot/conf.d/10-logging.conf:
# Logging verbosity and debugging.
# Log filter is a space-separated list conditions. If any of the conditions
# match, the log filter matches (i.e. they're ORed together). Parenthesis
# are supported if multiple conditions need to be matched together.
# Supported conditions are:
#  event:<name wildcard> - Match event name. '*' and '?' wildcards supported.
#  source:<filename>[:<line number>] - Match source code filename [and line]
#  field:<key>=<value wildcard> - Match field key to a value. Can be specified
#    multiple times to match multiple keys.
#  cat[egory]:<value> - Match a category. Can be specified multiple times to
#    match multiple categories.
# For example: event:http_request_* (cat:error cat:storage)
# Filter to specify what debug logging to enable. This will eventually replace
# mail_debug and auth_debug settings.
log_debug=category=oauth2
Yes, however I still cannot see rawlogs.
Aki
Dear Mr. Tuomi
I have added the setting rawlog_dir = /tmp/oauth2 to /etc/dovecot/dovecot-oauth2.conf.ext. However, /tmp/oauth2 was not created.
Best regards,
That is because you are using systemd, where the unit file, by default, has PrivateTmp=yes.
You can look under /tmp for the dovecot private tmp directory and create the directory there, or you can temporarily disable this security measure:
systemctl edit dovecot
[Service]
PrivateTmp=no
systemctl daemon-reload
systemctl restart dovecot
Aki
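Aki's first option, keeping PrivateTmp=yes and creating the rawlog directory inside the unit's private /tmp, as an added Python example (not Dovecot's or systemd's code). It assumes systemd's naming of PrivateTmp directories on the host, /tmp/systemd-private-<boot-id>-<unit>-<random>/tmp, and the unit name dovecot.service; host_path_for, ensure_rawlog_dir and demo_with_fake_tree are this example's own names, and demo_with_fake_tree builds a constructed directory tree so the mapping can be exercised without systemd.

```python
"""Map a service-visible /tmp path to its host location under systemd
PrivateTmp and create Dovecot's rawlog_dir there. Added example, not
Dovecot's or systemd's own code."""
import glob
import os
import pwd
import tempfile
from pathlib import Path
from typing import List, Optional

# With PrivateTmp=yes systemd mounts a per-service directory over /tmp; on the
# host it is /tmp/systemd-private-<boot-id>-<unit>-<random>/tmp (assumption
# about systemd's naming, see lead-in).
PRIVATE_TMP_GLOB = "systemd-private-*-{unit}-*"


def private_tmp_dirs(unit: str, tmp_root: str = "/tmp") -> List[Path]:
    """All PrivateTmp roots present for `unit` (stale ones can linger)."""
    pattern = os.path.join(tmp_root, PRIVATE_TMP_GLOB.format(unit=unit), "tmp")
    return [Path(p) for p in sorted(glob.glob(pattern))]


def host_path_for(unit: str, service_path: str, tmp_root: str = "/tmp") -> Path:
    """Translate a path the service sees under /tmp to where it lives on the host."""
    if not service_path.startswith("/tmp/"):
        raise ValueError("only paths below /tmp are remapped by PrivateTmp")
    candidates = private_tmp_dirs(unit, tmp_root)
    if len(candidates) != 1:
        raise RuntimeError(
            f"expected exactly one PrivateTmp dir for {unit}, found {len(candidates)}; "
            "restart the unit or remove stale directories first")
    return candidates[0] / service_path[len("/tmp/"):]


def ensure_rawlog_dir(unit: str, service_path: str, tmp_root: str = "/tmp",
                      owner: Optional[str] = None) -> Path:
    """Create rawlog_dir where the auth process will actually look for it.

    Dovecot does not create the directory; it must exist and be writable by
    the auth process user (default_internal_user, `dovecot` by default).
    Pass owner="dovecot" when running as root to chown it accordingly.
    """
    host_path = host_path_for(unit, service_path, tmp_root)
    host_path.mkdir(mode=0o750, parents=True, exist_ok=True)
    if owner is not None:
        pw = pwd.getpwnam(owner)
        os.chown(host_path, pw.pw_uid, pw.pw_gid)
    return host_path


def demo_with_fake_tree() -> dict:
    """Exercise the mapping against a constructed fake /tmp (no systemd needed)."""
    root = tempfile.mkdtemp(prefix="fake-tmp-")
    # Constructed directory mimicking systemd's naming for dovecot.service.
    os.makedirs(os.path.join(root, "systemd-private-0f1e2d3c-dovecot.service-AbCdEf", "tmp"))
    created = ensure_rawlog_dir("dovecot.service", "/tmp/oauth2", tmp_root=root)
    return {
        "host_path": str(created),
        "exists": created.is_dir(),
        "relative": str(created.relative_to(root)),
    }
```

Check which mode the unit actually runs in with `systemctl show -p PrivateTmp dovecot`. Two matching private directories usually means a stale one from an earlier start; the function refuses to guess rather than create the rawlog directory in the wrong one. Rawlogs record the bearer tokens clients present, which is why the directory is created 0750 rather than world-readable.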
Dear Mr. Tuomi
Sorry, I have added the setting PrivateTmp=no to /etc/systemd/system/dovecot.service.d/override.conf. However, /tmp/oauth2 was not created.
Best regards,
No, the directory must exist. I'm sorry I wasn't clear enough when I replied last time, but dovecot will not create the directory. You need to create it and make it writable.
Aki
Dear Mr. Tuomi
Thank you for the instruction. I was able to output rawlogs. The following is the result.
20210126-184744.22221.1.in:
1611654464.207331 HTTP/1.1 401 Unauthorized
1611654464.207331 Cache-Control: no-cache, no-store, max-age=0, must-revalidate
1611654464.207331 Pragma: no-cache
1611654464.207331 Expires: Mon, 01 Jan 1990 00:00:00 GMT
1611654464.207331 Date: Tue, 26 Jan 2021 09:47:44 GMT
1611654464.207331 Vary: X-Origin
1611654464.207331 Vary: Referer
1611654464.207331 Content-Type: application/json; charset=UTF-8
1611654464.207331 Server: ESF
1611654464.207331 X-XSS-Protection: 0
1611654464.207331 X-Frame-Options: SAMEORIGIN
1611654464.207331 X-Content-Type-Options: nosniff
1611654464.207331 Alt-Svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
1611654464.207331 Accept-Ranges: none
1611654464.207331 Vary: Origin,Accept-Encoding
1611654464.207331 Transfer-Encoding: chunked
1611654464.207331
1611654464.207331 130
1611654464.207331 {
1611654464.207331 "error": {
1611654464.207331 "code": 401,
1611654464.207331 "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
1611654464.207331 "status": "UNAUTHENTICATED"
1611654464.207331 }
1611654464.207331 }
1611654464.207331
1611654464.207737 0
1611654464.207737
20210126-184744.22221.1.out:
1611654464.165704 GET /oauth2/v2/userinfo HTTP/1.1
1611654464.165704 Host: www.googleapis.com
1611654464.165704 Date: Tue, 26 Jan 2021 09:47:44 GMT
1611654464.165704 User-Agent: dovecot-oauth2-passdb/2.3.13
1611654464.165704 Connection: Keep-Alive
1611654464.165727 Authorization: Bearer ??????
1611654464.165730
Best regards,
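What the debug log earlier in the thread (a 401 on GET /oauth2/v2/userinfo) and the rawlog pair above show can be read mechanically. The following is an added Python example, not Dovecot's own code: it strips the rawlog timestamps, splits request and response into start line, headers and body, and reports whether a bearer token was forwarded and what the endpoint's JSON error body said. SAMPLE_OUT and SAMPLE_IN are constructed from the excerpt above, abbreviated, with the bearer value left as the placeholder "??????"; diagnose, verdict and the report field names are this example's own. It assumes, as the rawlog's Authorization header suggests for the documented introspection_mode = auth, that the bearer Dovecot forwards is the token the mail client presented in XOAUTH2 or OAUTHBEARER.

```python
"""Parse Dovecot oauth2 rawlog files (rawlog_dir) and explain a failed
introspection request. Added example, not Dovecot's own code."""
import json
import re
from typing import Dict, List, Tuple

# Each rawlog line is "<epoch.usec> <protocol line>"; an empty protocol line
# is written as a bare timestamp.
_TS_PREFIX = re.compile(r"^\d+\.\d+ ?")
_HEX_CHUNK_SIZE = re.compile(r"^[0-9A-Fa-f]+$")

# Constructed samples, abbreviated from the rawlog excerpt in the thread.
# The bearer value "??????" is a placeholder, not a real access token.
SAMPLE_OUT = """\
1611654464.165704 GET /oauth2/v2/userinfo HTTP/1.1
1611654464.165704 Host: www.googleapis.com
1611654464.165704 User-Agent: dovecot-oauth2-passdb/2.3.13
1611654464.165704 Connection: Keep-Alive
1611654464.165727 Authorization: Bearer ??????
1611654464.165730
"""
SAMPLE_IN = """\
1611654464.207331 HTTP/1.1 401 Unauthorized
1611654464.207331 Content-Type: application/json; charset=UTF-8
1611654464.207331 Vary: X-Origin
1611654464.207331 Vary: Referer
1611654464.207331 Transfer-Encoding: chunked
1611654464.207331
1611654464.207331 130
1611654464.207331 {
1611654464.207331   "error": {
1611654464.207331     "code": 401,
1611654464.207331     "message": "Request is missing required authentication credential.",
1611654464.207331     "status": "UNAUTHENTICATED"
1611654464.207331   }
1611654464.207331 }
1611654464.207331
1611654464.207737 0
1611654464.207737
"""


def strip_timestamps(rawlog: str) -> List[str]:
    """Drop the timestamp prefix from every line, leaving bare HTTP lines."""
    return [_TS_PREFIX.sub("", line) for line in rawlog.splitlines()]


def parse_http_message(rawlog: str) -> Tuple[str, Dict[str, List[str]], str]:
    """Split one rawlog file into (start line, lower-cased multi-valued headers, body)."""
    lines = strip_timestamps(rawlog)
    headers: Dict[str, List[str]] = {}
    i = 1
    while i < len(lines) and lines[i] != "":
        name, _, value = lines[i].partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
        i += 1
    body_lines = lines[i + 1:]
    # For a chunked body drop the hex chunk-size lines; enough for pretty-printed JSON.
    if "chunked" in [v.lower() for v in headers.get("transfer-encoding", [])]:
        body_lines = [l for l in body_lines if not _HEX_CHUNK_SIZE.match(l.strip())]
    body = "\n".join(l for l in body_lines if l.strip())
    return lines[0], headers, body


def diagnose(out_rawlog: str, in_rawlog: str) -> Dict[str, object]:
    """Summarise what Dovecot sent (.out) and what the endpoint answered (.in)."""
    request_line, req_headers, _ = parse_http_message(out_rawlog)
    status_line, _, body = parse_http_message(in_rawlog)
    method, target, _ = request_line.split(" ", 2)
    scheme, _, token = req_headers.get("authorization", [""])[0].partition(" ")
    report: Dict[str, object] = {
        "request": f"{method} {target}",
        "status": int(status_line.split(" ", 2)[1]),
        "bearer_sent": scheme.lower() == "bearer" and bool(token),
        # No alphanumeric character at all: the value is redacted or never was a token.
        "token_is_placeholder": bool(token) and re.search(r"[A-Za-z0-9]", token) is None,
        "error_status": None,
        "error_message": None,
    }
    if report["status"] >= 400 and body:
        try:
            error = json.loads(body).get("error", {})
        except json.JSONDecodeError:
            error = {}
        report["error_status"] = error.get("status")
        report["error_message"] = error.get("message")
    return report


def verdict(report: Dict[str, object]) -> str:
    """One-line reading of a report for the operator."""
    if report["status"] < 400:
        return "introspection succeeded; check the passdb field mapping next"
    if not report["bearer_sent"]:
        return "no bearer token reached the endpoint; check introspection_mode and the client's SASL mechanism"
    if report["token_is_placeholder"]:
        return "the forwarded bearer value is redacted or not a real token; inspect what the client sent"
    if report["error_status"] == "UNAUTHENTICATED":
        return "endpoint rejected the forwarded token; it is the one the client presented, so obtain a fresh token there"
    return f"HTTP {report['status']}: {report['error_message']}"
```

Point diagnose() at a matching .out/.in pair from rawlog_dir; verdict() separates a Dovecot-side problem (no bearer reached Google at all) from a client-side one (Google rejected the token it was handed, which is what the UNAUTHENTICATED body above says).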
Dear Mr. Tuomi
Do you have any idea how to solve this problem?
Best regards,
〒163-6017 東京都新宿区西新宿6-8-1 住友不動産新宿オークタワー 株式会社 ジャストシステム 技術企画室 情報システムグループ 福田泰葵 e-mail: taiki.fukuda@justsystems.com 内線: 5158 TEL: 03-5324-7900 mobile: 080-6198-7328
2021年1月26日(火) 18:51 福田泰葵 <taiki.fukuda@justsystems.com>:
Dear Mr. Tuomi
Thank you for the instruction. I was able to output rawlogs. The following is the result.
20210126-184744.22221.1.in:
1611654464.207331 HTTP/1.1 401 Unauthorized 1611654464.207331 Cache-Control: no-cache, no-store, max-age=0, must-revalidate 1611654464.207331 Pragma: no-cache 1611654464.207331 Expires: Mon, 01 Jan 1990 00:00:00 GMT 1611654464.207331 Date: Tue, 26 Jan 2021 09:47:44 GMT 1611654464.207331 Vary: X-Origin 1611654464.207331 Vary: Referer 1611654464.207331 Content-Type: application/json; charset=UTF-8 1611654464.207331 Server: ESF 1611654464.207331 X-XSS-Protection: 0 1611654464.207331 X-Frame-Options: SAMEORIGIN 1611654464.207331 X-Content-Type-Options: nosniff 1611654464.207331 Alt-Svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" 1611654464.207331 Accept-Ranges: none 1611654464.207331 Vary: Origin,Accept-Encoding 1611654464.207331 Transfer-Encoding: chunked 1611654464.207331 1611654464.207331 130 1611654464.207331 { 1611654464.207331 "error": { 1611654464.207331 "code": 401, 1611654464.207331 "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.", 1611654464.207331 "status": "UNAUTHENTICATED" 1611654464.207331 } 1611654464.207331 } 1611654464.207331 1611654464.207737 0 1611654464.207737
20210126-184744.22221.1.out:
1611654464.165704 GET /oauth2/v2/userinfo HTTP/1.1
1611654464.165704 Host: www.googleapis.com
1611654464.165704 Date: Tue, 26 Jan 2021 09:47:44 GMT
1611654464.165704 User-Agent: dovecot-oauth2-passdb/2.3.13
1611654464.165704 Connection: Keep-Alive
1611654464.165727 Authorization: Bearer ??????
1611654464.165730
Best regards,
〒163-6017 Sumitomo Fudosan Shinjuku Oak Tower, 6-8-1 Nishi-Shinjuku, Shinjuku-ku, Tokyo; JustSystems Corporation, Technology Planning Office, Information Systems Group, 福田泰葵 (Taiki Fukuda); e-mail: taiki.fukuda@justsystems.com; ext.: 5158; TEL: 03-5324-7900; mobile: 080-6198-7328
On Tue, 26 Jan 2021 at 18:35, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
No, the directory must exist. I'm sorry I wasn't clear enough when I
replied last time, but dovecot will not create the directory. You need to create it and make it writable.
Aki
On 26/01/2021 11:09 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
Dear Mr. Tuomi
Sorry, I have added the setting PrivateTmp=no to /etc/systemd/system/dovecot.service.d/override.conf. However, /tmp/oauth2 was not created.
Best regards,
〒163-6017 Sumitomo Fudosan Shinjuku Oak Tower, 6-8-1 Nishi-Shinjuku, Shinjuku-ku, Tokyo; JustSystems Corporation, Technology Planning Office, Information Systems Group, 福田泰葵 (Taiki Fukuda); e-mail: taiki.fukuda@justsystems.com; ext.: 5158; TEL: 03-5324-7900; mobile: 080-6198-7328
On Tue, 26 Jan 2021 at 18:01, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
That is because you are using systemd, where the unit file, by
default, has PrivateTmp=yes.
You can look under /tmp for dovecot private tmp directory and create
the directory there, or you can temporarily disable this security measure.
systemctl edit dovecot

[Service]
PrivateTmp=no

systemctl daemon-reload
systemctl restart dovecot
Aki
On 26/01/2021 10:57 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
Dear Mr. Tuomi
I have added the setting rawlog_dir = /tmp/oauth2 to
/etc/dovecot/dovecot-oauth2.conf.ext
However, /tmp/oauth2 was not created.
Best regards,
〒163-6017 Sumitomo Fudosan Shinjuku Oak Tower, 6-8-1 Nishi-Shinjuku, Shinjuku-ku, Tokyo; JustSystems Corporation, Technology Planning Office, Information Systems Group, 福田泰葵 (Taiki Fukuda); e-mail: taiki.fukuda@justsystems.com; ext.: 5158; TEL: 03-5324-7900; mobile: 080-6198-7328
On Tue, 26 Jan 2021 at 15:45, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
Yes, however I still cannot see rawlogs.
Aki
On 25/01/2021 10:25 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
Yes. In my last email, I sent you the log of the result of running with oauth debug logging enabled.
/etc/dovecot/conf.d/10-logging.conf:
##
## Logging verbosity and debugging.
##

# Log filter is a space-separated list conditions. If any of the conditions
# match, the log filter matches (i.e. they're ORed together). Parenthesis
# are supported if multiple conditions need to be matched together.
# Supported conditions are:
# event:<name wildcard> - Match event name. '*' and '?' wildcards supported.
# source:<filename>[:<line number>] - Match source code filename [and line]
# field:<key>=<value wildcard> - Match field key to a value. Can be specified
# multiple times to match multiple keys.
# cat[egory]:<value> - Match a category. Can be specified multiple times to
# match multiple categories.
# For example: event:http_request_* (cat:error cat:storage)

# Filter to specify what debug logging to enable. This will eventually replace
# mail_debug and auth_debug settings.
log_debug=category=oauth2
〒163-6017 Sumitomo Fudosan Shinjuku Oak Tower, 6-8-1 Nishi-Shinjuku, Shinjuku-ku, Tokyo; JustSystems Corporation, Technology Planning Office, Information Systems Group, 福田泰葵 (Taiki Fukuda); e-mail: taiki.fukuda@justsystems.com; ext.: 5158; TEL: 03-5324-7900; mobile: 080-6198-7328
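The rawlog pair quoted in this message (the .out request to www.googleapis.com and the .in 401 response) can be triaged mechanically. The Python below is an added example, not code from the thread or from Dovecot; it assumes only the "<epoch.microseconds> <payload>" line format shown above, and the bearer token value in its sample input is constructed.

```python
"""Triage helper for Dovecot oauth2 passdb rawlogs (added example, not Dovecot code).
Parses the "<epoch.micro> <payload>" .out/.in files, summarises the exchange, redacts the token."""
import json
import re
from typing import Dict, List, Tuple

# One rawlog line: timestamp, optional single space, payload (possibly empty).
_LINE_RE = re.compile(r"^(\d+\.\d+)(?: (.*))?$")
_BEARER_RE = re.compile(r"(Authorization:\s*Bearer\s+)\S+", re.IGNORECASE)


def parse_rawlog(text: str) -> List[str]:
    """Return the payloads in order, dropping timestamps. Empty payloads are
    kept because the blank line terminates the HTTP header block."""
    payloads = []
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.rstrip("\r"))
        if m:
            payloads.append(m.group(2) or "")
    return payloads


def split_http(payloads: List[str]) -> Tuple[str, Dict[str, List[str]], List[str]]:
    """Split into start line, headers (lower-cased name -> list of values,
    since e.g. Vary repeats) and the raw body lines."""
    headers: Dict[str, List[str]] = {}
    i = 1
    while i < len(payloads) and payloads[i] != "":
        name, _, value = payloads[i].partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
        i += 1
    return payloads[0], headers, payloads[i + 1:]


def body_json(body_lines: List[str]) -> dict:
    """Best-effort JSON from a chunked body: the rawlog keeps the chunk-size
    lines ("130", "0"), so only the outermost braces are decoded."""
    joined = "".join(body_lines)
    start, end = joined.find("{"), joined.rfind("}")
    if start < 0 or end < start:
        return {}
    try:
        return json.loads(joined[start:end + 1])
    except json.JSONDecodeError:
        return {}


def triage(out_text: str, in_text: str) -> Dict[str, object]:
    """Summarise one request/response pair and say what the status means."""
    req_line, req_hdrs, _ = split_http(parse_rawlog(out_text))
    method, path = req_line.split(" ", 2)[:2]
    scheme, _, token = req_hdrs.get("authorization", [""])[0].partition(" ")
    has_token = scheme.lower() == "bearer" and token.strip() != ""

    resp_line, _, body = split_http(parse_rawlog(in_text))
    status = int(resp_line.split(" ", 2)[1])
    err = body_json(body).get("error", {})

    if status == 401 and not has_token:
        verdict = "no bearer token was sent: Dovecot had no token to forward"
    elif status == 401:
        verdict = "bearer token rejected: expired, wrong scope, or not a Google access token"
    elif status < 300:
        verdict = "introspection succeeded"
    else:
        verdict = f"unexpected HTTP {status}"
    return {"method": method, "path": path,
            "host": req_hdrs.get("host", [""])[0],
            "has_bearer_token": has_token, "status": status,
            "google_status": err.get("status"), "verdict": verdict}


def redact(rawlog_text: str) -> str:
    """Mask the bearer token before posting a rawlog to a mailing list."""
    return _BEARER_RE.sub(r"\1[REDACTED]", rawlog_text)


# Constructed samples modelled on the thread's rawlogs; the token is invented.
SAMPLE_OUT = """1611654464.165704 GET /oauth2/v2/userinfo HTTP/1.1
1611654464.165704 Host: www.googleapis.com
1611654464.165704 User-Agent: dovecot-oauth2-passdb/2.3.13
1611654464.165727 Authorization: Bearer ya29.CONSTRUCTED-EXAMPLE-TOKEN
1611654464.165730
"""
SAMPLE_IN = """1611654464.207331 HTTP/1.1 401 Unauthorized
1611654464.207331 Content-Type: application/json; charset=UTF-8
1611654464.207331 Transfer-Encoding: chunked
1611654464.207331
1611654464.207331 130
1611654464.207331 {
1611654464.207331 "error": {
1611654464.207331 "code": 401,
1611654464.207331 "message": "Request is missing required authentication credential.",
1611654464.207331 "status": "UNAUTHENTICATED"
1611654464.207331 }
1611654464.207331 }
1611654464.207737 0
"""
```

Run `triage(SAMPLE_OUT, SAMPLE_IN)` to get the summary dict, and `redact(...)` on a real .out file before quoting it in a mail.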
Your clue is in the log:
1611654464.207331 "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
1611654464.207331 "status": "UNAUTHENTICATED"
1611654464.207331 }
On Thu, 28 Jan 2021 at 09:25, 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", grep ^[^#] :-)
Google is responding to me as Unauthorized. So I need to send my credentials such as access token in the request parameter for authentication in google’s Get User API request. But I don’t know how to configure dovecot to achieve that. Could you please help me with this?
Best regards,
〒163-6017 Sumitomo Fudosan Shinjuku Oak Tower, 6-8-1 Nishi-Shinjuku, Shinjuku-ku, Tokyo; JustSystems Corporation, Technology Planning Office, Information Systems Group, 福田泰葵 (Taiki Fukuda); e-mail: taiki.fukuda@justsystems.com; ext.: 5158; TEL: 03-5324-7900; mobile: 080-6198-7328
On Fri, 29 Jan 2021 at 3:30, Odhiambo Washington <odhiambo@gmail.com> wrote:
You broke this thread. In the original thread, I remember seeing Aki gave you the configuration which he believed might work. The next thing I thought was for you to go to https://developers.google.com/identity/sign-in/web/devconsole-project and get an access token.
PS: I have never configured this kind of thing so I was only following the thread to try and understand what it entails.
On Fri, 29 Jan 2021 at 04:00, 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", grep ^[^#] :-)
Dear Mr. Tuomi
I created a Gmail service account, and I have implemented the process of getting an access token using a Gmail service account.
https://developers.google.com/identity/protocols/oauth2/service-account
I think I then need to set the grant_url to a URL that returns an access token and send that access token to the introspection_url, is that correct?
Best regards,
〒163-6017 Sumitomo Fudosan Shinjuku Oak Tower, 6-8-1 Nishi-Shinjuku, Shinjuku-ku, Tokyo; JustSystems Corporation, Technology Planning Office, Information Systems Group, 福田泰葵 (Taiki Fukuda); e-mail: taiki.fukuda@justsystems.com; ext.: 5158; TEL: 03-5324-7900; mobile: 080-6198-7328
On Fri, 29 Jan 2021 at 17:58, Odhiambo Washington <odhiambo@gmail.com> wrote:
You broke this thread. In the original thread, I remember seeing Aki gave you the configuration which he believed might work. The next thing I thought was for you to go to https://developers.google.com/identity/sign-in/web/devconsole-project and get an access token.
PS: I have never configured this kind of thing so I was only following the thread to try and understand what it entails.
On Fri, 29 Jan 2021 at 04:00, 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
Google is responding to me as Unauthorized. So I need to send my credentials such as access token in the request parameter for authentication in google’s Get User API request. But I don’t know how to configure dovecot to achieve that. Could you please help me with this?
Best regards,
〒163-6017 東京都新宿区西新宿6-8-1 住友不動産新宿オークタワー 株式会社 ジャストシステム 技術企画室 情報システムグループ 福田泰葵 e-mail: taiki.fukuda@justsystems.com 内線: 5158 TEL: 03-5324-7900 mobile: 080-6198-7328
2021年1月29日(金) 3:30 Odhiambo Washington <odhiambo@gmail.com>:
Your clue is in the log:
1611654464.207331 "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.", 1611654464.207331 "status": "UNAUTHENTICATED" 1611654464.207331 }
On Thu, 28 Jan 2021 at 09:25, 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
Dear Mr. Tuomi
Do you have any idea how to solve this problem?
Best regards,
〒163-6017 東京都新宿区西新宿6-8-1 住友不動産新宿オークタワー 株式会社 ジャストシステム 技術企画室 情報システムグループ 福田泰葵 e-mail: taiki.fukuda@justsystems.com 内線: 5158 TEL: 03-5324-7900 mobile: 080-6198-7328
On Tue, 26 Jan 2021 at 18:51, 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
Dear Mr. Tuomi
Thank you for the instruction. I was able to output rawlogs. The following is the result.
20210126-184744.22221.1.in:
1611654464.207331 HTTP/1.1 401 Unauthorized
1611654464.207331 Cache-Control: no-cache, no-store, max-age=0, must-revalidate
1611654464.207331 Pragma: no-cache
1611654464.207331 Expires: Mon, 01 Jan 1990 00:00:00 GMT
1611654464.207331 Date: Tue, 26 Jan 2021 09:47:44 GMT
1611654464.207331 Vary: X-Origin
1611654464.207331 Vary: Referer
1611654464.207331 Content-Type: application/json; charset=UTF-8
1611654464.207331 Server: ESF
1611654464.207331 X-XSS-Protection: 0
1611654464.207331 X-Frame-Options: SAMEORIGIN
1611654464.207331 X-Content-Type-Options: nosniff
1611654464.207331 Alt-Svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
1611654464.207331 Accept-Ranges: none
1611654464.207331 Vary: Origin,Accept-Encoding
1611654464.207331 Transfer-Encoding: chunked
1611654464.207331 
1611654464.207331 130
1611654464.207331 {
1611654464.207331   "error": {
1611654464.207331     "code": 401,
1611654464.207331     "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
1611654464.207331     "status": "UNAUTHENTICATED"
1611654464.207331   }
1611654464.207331 }
1611654464.207331 
1611654464.207737 0
1611654464.207737 

20210126-184744.22221.1.out:
1611654464.165704 GET /oauth2/v2/userinfo HTTP/1.1
1611654464.165704 Host: www.googleapis.com
1611654464.165704 Date: Tue, 26 Jan 2021 09:47:44 GMT
1611654464.165704 User-Agent: dovecot-oauth2-passdb/2.3.13
1611654464.165704 Connection: Keep-Alive
1611654464.165727 Authorization: Bearer ??????
1611654464.165730 
Best regards,
On Tue, 26 Jan 2021 at 18:35, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
No, the directory must exist. I'm sorry I wasn't clear enough when I replied last time, but dovecot will not create the directory. You need to create it and make it writable.
Aki
> On 26/01/2021 11:09 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
>
> Dear Mr. Tuomi
>
> Sorry, I have added the setting PrivateTmp=no to /etc/systemd/system/dovecot.service.d/override.conf
> However, /tmp/oauth2 was not created.
>
> Best regards,
>
> On Tue, 26 Jan 2021 at 18:01, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
> > That is because you are using systemd, where the unit file, by default, has PrivateTmp=yes.
> >
> > You can look under /tmp for dovecot private tmp directory and create the directory there, or you can temporarily disable this security measure.
> >
> > systemctl edit dovecot
> >
> > [Service]
> > PrivateTmp=no
> >
> > systemctl daemon-reload
> > systemctl restart dovecot
> >
> > Aki
> >
> > > On 26/01/2021 10:57 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
> > >
> > > Dear Mr. Tuomi
> > >
> > > I have added the setting rawlog_dir = /tmp/oauth2 to /etc/dovecot/dovecot-oauth2.conf.ext
> > > However, /tmp/oauth2 was not created.
> > >
> > > Best regards,
> > >
> > > On Tue, 26 Jan 2021 at 15:45, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
> > > > Yes, however I still cannot see rawlogs.
> > > >
> > > > Aki
> > > >
> > > > > On 25/01/2021 10:25 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
> > > > >
> > > > > Yes. In my last email, I sent you the log of the result of running with oauth debug logging enabled.
> > > > > /etc/dovecot/conf.d/10-logging.conf:
> > > > > ##
> > > > > ## Logging verbosity and debugging.
> > > > > ##
> > > > >
> > > > > # Log filter is a space-separated list conditions. If any of the conditions
> > > > > # match, the log filter matches (i.e. they're ORed together). Parenthesis
> > > > > # are supported if multiple conditions need to be matched together.
> > > > > # Supported conditions are:
> > > > > # event:<name wildcard> - Match event name. '*' and '?' wildcards supported.
> > > > > # source:<filename>[:<line number>] - Match source code filename [and line]
> > > > > # field:<key>=<value wildcard> - Match field key to a value. Can be specified
> > > > > # multiple times to match multiple keys.
> > > > > # cat[egory]:<value> - Match a category. Can be specified multiple times to
> > > > > # match multiple categories.
> > > > > # For example: event:http_request_* (cat:error cat:storage)
> > > > >
> > > > > # Filter to specify what debug logging to enable. This will eventually replace
> > > > > # mail_debug and auth_debug settings.
> > > > > log_debug=category=oauth2
> > > > >
> > > > > On Mon, 25 Jan 2021 at 17:24, 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
> > > > > > Yes. In my last email, I sent you the log of the result of running with oauth debug logging enabled.
> > > > > >
> > > > > > /etc/dovecot/conf.d/10-logging.conf:
> > > > > >
> > > > > > On Mon, 25 Jan 2021 at 17:16, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
> > > > > > > > On 25/01/2021 10:12 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
> > > > > > > >
> > > > > > > > Dear Mr. Tuomi
> > > > > > > > Google is responding to me as Unauthorized.
> > > > > > > > So I need to send my credentials such as access token in the request parameter for authentication in google’s Get User API request.
> > > > > > > > But I don’t know how to configure dovecot to achieve that.
> > > > > > > > Could you please help me with this?
> > > > > > > > Best regards,
> > > > > > >
> > > > > > > Did you try the debugging things I mentioned? Your logs do not indicate that you did.
> > > > > > >
> > > > > > > So,
> > > > > > >
> > > > > > > - Try turning on rawlogs for the oauth2 requests and see what google is sending you?
> > > > > > > - You can also try log_debug=category=oauth2 (2.3.13) to get more debug logs from oauth2.
> > > > > > >
> > > > > > > Aki
--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
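Aki's point about PrivateTmp=yes explains why rawlog_dir = /tmp/oauth2 never showed up on the host: under PrivateTmp the service's /tmp is a private directory that the host sees under /tmp/systemd-private-*. The following Python is an added example, not code from this thread or from Dovecot; it locates the private tmp of a unit, maps a configured rawlog_dir to where it actually lives on the host, and reports whether that directory exists and is writable for the service. The systemd-private-<boot-id>-<unit>-<random>/tmp naming is systemd's standard layout, and the directory layout built in demo() is a constructed stand-in for a real host. Keeping PrivateTmp on and creating the directory in the right place preserves the service's isolation, which flipping PrivateTmp=no gives up.

```python
import glob
import os
import stat
import tempfile
from typing import Dict, List


def find_private_tmp(unit: str = "dovecot.service", tmp_root: str = "/tmp") -> List[str]:
    """Host-side paths of the private /tmp that systemd gives `unit` under PrivateTmp=yes.

    systemd names them <tmp_root>/systemd-private-<boot-id>-<unit>-<random>/tmp;
    inside the service that directory is simply /tmp.
    """
    pattern = os.path.join(tmp_root, f"systemd-private-*-{unit}-*", "tmp")
    return sorted(glob.glob(pattern))


def host_paths_for(rawlog_dir: str, unit: str = "dovecot.service", tmp_root: str = "/tmp") -> List[str]:
    """Where on the host an in-service path such as /tmp/oauth2 actually lives.

    Paths outside /tmp are not affected by PrivateTmp; paths under /tmp are
    remapped into each private tmp found (normally exactly one per boot).
    If no private tmp exists the path is returned unchanged.
    """
    if rawlog_dir == "/tmp" or rawlog_dir.startswith("/tmp/"):
        rel = os.path.relpath(rawlog_dir, "/tmp")
        private = find_private_tmp(unit, tmp_root)
        if private:
            return [os.path.normpath(os.path.join(p, rel)) for p in private]
    return [rawlog_dir]


def check_rawlog_dir(rawlog_dir: str, unit: str = "dovecot.service", tmp_root: str = "/tmp") -> Dict[str, Dict[str, object]]:
    """Report, per host path, whether rawlog_dir exists, is a directory, and who may write to it."""
    report: Dict[str, Dict[str, object]] = {}
    for path in host_paths_for(rawlog_dir, unit, tmp_root):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            report[path] = {"exists": False}
            continue
        mode = stat.S_IMODE(st.st_mode)
        report[path] = {
            "exists": True,
            "is_dir": stat.S_ISDIR(st.st_mode),
            "owner_uid": st.st_uid,
            "mode": oct(mode),
            # rawlogs are written by the auth process, so its user (not root) needs write access
            "group_or_other_writable": bool(mode & (stat.S_IWGRP | stat.S_IWOTH)),
        }
    return report


def demo() -> Dict[str, object]:
    """Constructed layout: a fake tmp root holding one private tmp for dovecot.service.

    Mirrors the thread: rawlog_dir = /tmp/oauth2 is configured, the directory is
    created inside the private tmp, and the host path is resolved from there.
    """
    root = tempfile.mkdtemp(prefix="fake-tmp-")
    private = os.path.join(root, "systemd-private-0123abcd-dovecot.service-XyZ123", "tmp")
    target = os.path.join(private, "oauth2")
    os.makedirs(target)
    os.chmod(target, 0o770)  # makedirs honours umask, so set the mode explicitly
    mapped = host_paths_for("/tmp/oauth2", tmp_root=root)
    report = check_rawlog_dir("/tmp/oauth2", tmp_root=root)
    return {"root": root, "mapped": mapped, "report": report}


if __name__ == "__main__":
    result = demo()
    for path, info in result["report"].items():
        print(path, info)
```

On a real host, call `check_rawlog_dir("/tmp/oauth2")` as root after starting dovecot; if the report shows `exists: False`, create the directory at the printed host path and chown it to the user the auth process runs as, rather than disabling PrivateTmp.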
Possibly, not sure. Give it a try?
Aki
On 01/02/2021 13:09 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
Dear Mr. Tuomi
I created a gmail service account, and I have implemented the process of getting an access token using a gmail service account.
https://developers.google.com/identity/protocols/oauth2/service-account
I think I then need to set the grant_url to a URL that returns an access token and send that access token to the introspection_url, is that correct?
Best regards,
There was also the point about rawlogs. Did you try that?
Aki
On 25/01/2021 10:24 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
Yes. In my last email, I sent you the log of the result of running with oauth debug logging enabled.
/etc/dovecot/conf.d/10-logging.conf:
On Mon, 25 Jan 2021 at 17:16, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
On 25/01/2021 10:12 福田泰葵 <taiki.fukuda@justsystems.com> wrote:
Dear Mr. Tuomi
Google is responding to me as Unauthorized. So I need to send my credentials such as access token in the request parameter for authentication in google’s Get User API request. But I don’t know how to configure dovecot to achieve that. Could you please help me with this?
Best regards,
Did you try the debugging things I mentioned? Your logs do not indicate that you did.
So,
- Try turning on rawlogs for the oauth2 requests and see what google is sending you?
- You can also try log_debug=category=oauth2 (2.3.13) to get more debug logs from oauth2.
Aki
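Turning on rawlogs, as Aki suggests here, is what later surfaced the 401 UNAUTHENTICATED answer from www.googleapis.com shown earlier in the thread. The following Python is an added example, not code from this thread or from Dovecot: it parses one rawlog request/response pair (the `.out` file is what dovecot sent to the introspection endpoint, the `.in` file what came back), strips the per-line timestamps the rawlog writer prepends, and reports whether a bearer token was forwarded and what the endpoint replied. The sample pair is constructed to mirror the one posted, with a made-up placeholder in place of the token; the chunked-body handling is deliberately simplified to the line-oriented bodies seen in these logs rather than a full chunk decoder.

```python
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the rawlog pair posted in the thread.
# The bearer value is a placeholder, not a real credential.
SAMPLE_OUT = """1611654464.165704 GET /oauth2/v2/userinfo HTTP/1.1
1611654464.165704 Host: www.googleapis.com
1611654464.165704 Date: Tue, 26 Jan 2021 09:47:44 GMT
1611654464.165704 User-Agent: dovecot-oauth2-passdb/2.3.13
1611654464.165704 Connection: Keep-Alive
1611654464.165727 Authorization: Bearer ya29.CONSTRUCTED-EXAMPLE-TOKEN
1611654464.165730 
"""

SAMPLE_IN = """1611654464.207331 HTTP/1.1 401 Unauthorized
1611654464.207331 Cache-Control: no-cache, no-store, max-age=0, must-revalidate
1611654464.207331 Content-Type: application/json; charset=UTF-8
1611654464.207331 Transfer-Encoding: chunked
1611654464.207331 
1611654464.207331 130
1611654464.207331 {
1611654464.207331   "error": {
1611654464.207331     "code": 401,
1611654464.207331     "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
1611654464.207331     "status": "UNAUTHENTICATED"
1611654464.207331   }
1611654464.207331 }
1611654464.207331 
1611654464.207737 0
1611654464.207737 
"""

TS_PREFIX = re.compile(r"^\d+\.\d+ ?")   # "1611654464.207331 " at the start of every rawlog line
CHUNK_SIZE = re.compile(r"^[0-9a-fA-F]+$")


def strip_timestamps(rawlog: str) -> List[str]:
    """Drop the timestamp that dovecot's rawlog writer prepends to each line."""
    return [TS_PREFIX.sub("", line).rstrip("\r") for line in rawlog.splitlines()]


def split_message(lines: List[str]) -> Tuple[str, Dict[str, str], str]:
    """Split an HTTP message into start line, headers (lower-cased names) and body text.

    For chunked bodies the chunk-size lines are dropped instead of decoded; that is
    enough for the line-oriented JSON bodies these rawlogs contain.
    """
    start = lines[0]
    headers: Dict[str, str] = {}
    i = 1
    while i < len(lines) and lines[i] != "":
        name, _, value = lines[i].partition(":")
        headers[name.strip().lower()] = value.strip()
        i += 1
    body_lines = lines[i + 1:]
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body_lines = [l for l in body_lines if not CHUNK_SIZE.match(l.strip())]
    return start, headers, "\n".join(body_lines).strip()


def diagnose(out_log: str, in_log: str) -> Dict[str, object]:
    """Correlate a rawlog request (.out) with its response (.in) and explain the outcome."""
    req_line, req_headers, _ = split_message(strip_timestamps(out_log))
    method, target, _ = req_line.split(" ", 2)
    scheme, _, token = req_headers.get("authorization", "").partition(" ")
    bearer_sent = scheme.lower() == "bearer" and token.strip() != ""

    status_line, resp_headers, body = split_message(strip_timestamps(in_log))
    status = int(status_line.split(" ", 2)[1])
    error: Optional[Dict[str, object]] = None
    if body and "json" in resp_headers.get("content-type", ""):
        try:
            error = json.loads(body).get("error")
        except json.JSONDecodeError:
            error = None

    if status == 200:
        verdict = "introspection succeeded; next check the returned fields against username_attribute/active_attribute"
    elif status == 401 and bearer_sent:
        verdict = ("endpoint rejected the bearer token: what the client presented over "
                   "XOAUTH2/OAUTHBEARER is not a valid, unexpired access token for this endpoint")
    elif status == 401:
        verdict = "no bearer token was forwarded: the client sent none or the passdb did not pass it through"
    else:
        verdict = f"unexpected HTTP {status}; inspect the response body"

    return {
        "request": f"{method} {req_headers.get('host', '')}{target}",
        "bearer_sent": bearer_sent,
        "status": status,
        "error_status": (error or {}).get("status"),
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_OUT, SAMPLE_IN), indent=2))
```

Run it against a real pair by reading the `.out` and `.in` files from rawlog_dir; the verdict separates the two failure modes that look identical in the auth log, a token that was never forwarded versus one the endpoint refused.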
participants (3)
- Aki Tuomi
- Odhiambo Washington
- 福田泰葵