Dovecot Gmail OAuth2.0 Setting Question

Aki Tuomi aki.tuomi at open-xchange.com
Tue Jan 19 08:34:50 EET 2021 

> On 19/01/2021 07:17 福田泰葵 <taiki.fukuda at justsystems.com> wrote:
> 
> 
> Dear Sir or Madam
> Unable to build OAuth2.0 authentication to Gmail using dovecot as proxy.
> I have a question about how to use dovecot as a proxy to perform OAuth 2.0 authentication to Gmail using a mail client.

Mail client is required, in this case, to provide valid oauth2 bearer token. I don't think google supports other ways.

>   1. Is the following all I need to do to authenticate to Gmail using dovecot as a proxy?
>   * passdb
>   passdb {
>   driver = oauth2
>   mechanisms = oauthbearer xoauth2
>   args = /etc/dovecot/dovecot-oauth2.token.conf.ext
>   }  
>   passdb {
>   driver = oauth2
>   mechanisms = plain login
>   args = /etc/dovecot/dovecot-oauth2.plain.conf.ext
>   }
>   

The plain config is a way to do 'password grant' authentication. This is when username and password is used to acquire a bearer token.

>   * create dovecot-oauth2.token.conf.ext and dovecot-oauth2.plain.conf.ext
>   * create gmail service account api
>   2. grant_url in dovecot-oauth2.token.conf.ext and dovecot-oauth2.plain.conf.ext is URL for obtaining a Google access token for a web server that I have built myself?
>   3. I use a Gmail service account, so I don’t need a client ID and secret ID, right?
>   4. Do I set introspection_url to the URL of my own web server with the access token used for authentication to Google as the response?

No. The introspection URL needs to point to a location where dovecot can figure out more information about the user with token. If I recall correctly, the token endpoint 

For gmail, you need to use https://www.googleapis.com/oauth2/v2/userinfo

>   5. The documentation says “pass_attrs = host=127.0.0.1”, but if you are authenticating to Gmail, I should use
>   “pass_attrs = proxy=y host=%{if;%s;eq;imap;imap.gmail.com (http://imap.gmail.com);%{if;%s;eq;pop3;smtp .gmail.com (http://gmail.com);pop.gmail.com (http://pop.gmail.com)}} port=%{if;%s;eq;imap;993;%{if;%s;eq;pop3;587;465}} proxy_mech=xoauth2 pass=%{oauth2:access_token} user=%{oauth2:email oauth2:email}”?

I would use something more readable, like passwd-file driver with username_format=%s

The access token is also imported as %{token} in passdb.

>   6. What is the difference between dovecot-oauth2.token.conf.ext and dovecot-oauth2.plain.conf.ext ? Do I need to configure both?
> I used https://doc.dovecot.org/configuration_manual/authentication/oauth2/#proxy as a reference.
> I would appreciate your reply.
> Yours faithfully,
> ------------------------------
> e-mail: taiki.fukuda at justsystems.com
> TEL: 03-5324-7900
> mobile: 080-6198-7328
> ------------------------------

So this might work

/etc/dovecot/oauth2-token.conf.ext

introspection_url = https://www.googleapis.com/oauth2/v2/userinfo
introspection_mode = auth
username_attribute = email
pass_attrs = proxy=y proxy_mech=xoauth2

/etc/dovecot/dovecot.conf

auth_mechanisms = xoauth2 oauthbearer

passdb {
  driver = oauth2
  args = /etc/dovecot/oauth2-token.conf.ext
  result_success = continue-ok
}

passdb {
  driver = passwd-file
  args = username_format=%s /etc/dovecot/endpoints
  skip = unauthenticated
}

/etc/dovecot/endpoints

imap::::::: host=imap.gmail.com
pop3::::::: host=pop3.gmail.com
submission::::::: host=smtp.gmail.com

Aki

More information about the dovecot mailing list