Dovecot Gmail OAuth2.0 Setting Question

福田泰葵 taiki.fukuda at justsystems.com
Tue Jan 19 11:52:07 EET 2021


Thank you for your reply.
But I need more help.

How do I set the request parameters for
https://www.googleapis.com/oauth2/v2/userinfo?

Logs:

dovecot[30307]: lmtp(30320): Connect from 10.243.148.174
dovecot[30307]: lmtp(30320): Disconnect from 10.243.148.174: Remote
closed connection (state=READY)
dovecot[30307]: auth: Debug: http-client: host www.googleapis.com: Host created
dovecot[30307]: auth: Debug: http-client: host www.googleapis.com:
Host session created
dovecot[30307]: auth: Debug: http-client: host www.googleapis.com:
Need to perform DNS lookup
dovecot[30307]: auth: Debug: http-client: host www.googleapis.com:
Performing asynchronous DNS lookup
dovecot[30307]: auth: Debug: http-client[1]: request [Req1: GET
https://www.googleapis.com/oauth2/v2/userinfo]: Submitted (requests
left=1)
dovecot[30307]: auth: Debug: http-client: host www.googleapis.com: DNS
lookup successful; got 20 IPs
dovecot[30307]: auth: Debug: http-client: peer 172.217.31.170:443
(shared): Peer created
dovecot[30307]: auth: Debug: http-client: peer 172.217.31.170:443:
Peer pool created
dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443:
Peer created
dovecot[30307]: auth: Debug: http-client[1]: queue
https://www.googleapis.com:443: Setting up connection to
172.217.31.170:443 (SSL=www.googleapis.com) (1 requests pending)
dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443:
Linked queue https://www.googleapis.com:443 (1 queues linked)
dovecot[30307]: auth: Debug: http-client[1]: queue
https://www.googleapis.com:443: Started new connection to
172.217.31.170:443 (SSL=www.googleapis.com)
dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443:
Creating 1 new connections to handle requests (already 0 usable,
connecting to 0, closing 0)
dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443:
Making new connection 1 of 1 (0 connections exist, 0 pending)
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]:
Connecting
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]:
Waiting for connect (fd=22) to finish for max 0 msecs
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]:
HTTPS connection created (1 parallel connections exist)
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]:
Client connected (fd=22)
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Connected
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]:
Starting SSL handshake
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x10,
ret=1: before/connect initialization
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001,
ret=1: before/connect initialization
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001,
ret=1: SSLv2/v3 write client hello A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002,
ret=-1: SSLv2/v3 read server hello A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002,
ret=-1: SSLv2/v3 read server hello A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002,
ret=-1: SSLv2/v3 read server hello A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001,
ret=1: SSLv3 read server hello A
dovecot[30307]: auth: Received valid SSL certificate: /OU=GlobalSign
Root CA - R2/O=GlobalSign/CN=GlobalSign
dovecot[30307]: auth: Received valid SSL certificate: /C=US/O=Google
Trust Services/CN=GTS CA 1O1
dovecot[30307]: auth: Received valid SSL certificate:
/C=US/ST=California/L=Mountain View/O=Google
LLC/CN=upload.video.google.com
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001,
ret=1: SSLv3 read server certificate A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001,
ret=1: SSLv3 read server key exchange A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001,
ret=1: SSLv3 read server done A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001,
ret=1: SSLv3 write client key exchange A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001,
ret=1: SSLv3 write change cipher spec A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001,
ret=1: SSLv3 write finished A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001,
ret=1: SSLv3 flush data
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002,
ret=-1: SSLv3 read finished A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002,
ret=-1: SSLv3 read finished A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002,
ret=-1: SSLv3 read finished A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002,
ret=-1: SSLv3 read finished A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001,
ret=1: SSLv3 read finished A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x20,
ret=1: SSL negotiation finished successfully
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002,
ret=1: SSL negotiation finished successfully
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]:
SSL handshake successful
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]:
Ready for requests
dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443:
Successfully connected (1 connections exist, 0 pending)
dovecot[30307]: auth: Debug: http-client: peer 172.217.31.170:443:
Successfully connected (1 connections exist, 0 pending)
dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443:
Using 1 idle connections to handle 1 requests (1 total connections
ready)
dovecot[30307]: auth: Debug: http-client[1]: queue
https://www.googleapis.com:443: Connection to peer 172.217.31.170:443
claimed request [Req1: GET
https://www.googleapis.com/oauth2/v2/userinfo]
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]:
Claimed request [Req1: GET
https://www.googleapis.com/oauth2/v2/userinfo]
dovecot[30307]: auth: Debug: http-client[1]: request [Req1: GET
https://www.googleapis.com/oauth2/v2/userinfo]: Sent header
dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443:
No more requests to service for this peer (1 connections exist, 0
pending)
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]:
Got 401 response for request [Req1: GET
https://www.googleapis.com/oauth2/v2/userinfo]: Unauthorized (took 46
ms + 59 ms in queue)
dovecot[30307]: auth: Error:
oauth2(fukudata,118.103.29.199,<mgm9vz25BTZ2Zx3H>): oauth2 failed: No
username returned
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]:
Response payload stream destroyed (0 ms after initial response)
dovecot[30307]: auth: Debug: http-client[1]: request [Req1: GET
https://www.googleapis.com/oauth2/v2/userinfo]: Finished
dovecot[30307]: auth: Debug: http-client[1]: queue
https://www.googleapis.com:443: Dropping request [Req1: GET
https://www.googleapis.com/oauth2/v2/userinfo]
dovecot[30307]: auth: Debug: http-client: host www.googleapis.com:
Host is idle (timeout = 1799906 msecs)
dovecot[30307]: auth: Debug: http-client[1]: request [Req1: GET
https://www.googleapis.com/oauth2/v2/userinfo]: Free (requests left=1)
dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443:
No requests to service for this peer (1 connections exist, 0 pending)
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]:
No more requests queued; going idle (timeout = 60000 msecs)
dovecot[30307]: lmtp(30309): Connect from 10.243.148.174
dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.174: Remote
closed connection (state=READY)
dovecot[30307]: lmtp(30320): Connect from 10.243.148.174
dovecot[30307]: lmtp(30320): Disconnect from 10.243.148.174: Remote
closed connection (state=READY)
dovecot[30307]: lmtp(30320): Connect from 10.243.148.174
dovecot[30307]: lmtp(30320): Disconnect from 10.243.148.174: Remote
closed connection (state=READY)
dovecot[30307]: lmtp(30309): Connect from 10.243.148.174
dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.174: Remote
closed connection (state=READY)
dovecot[30307]: lmtp(30309): Connect from 10.243.148.110
dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.110: Remote
closed connection (state=READY)
dovecot[30307]: lmtp(30309): Connect from 10.243.148.110
dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.110: Remote
closed connection (state=READY)
dovecot[30307]: lmtp(30309): Connect from 10.243.148.110
dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.110: Remote
closed connection (state=READY)
sshd[30475]: Connection closed by 10.243.150.20 port 48174 [preauth]
dovecot[30307]: imap-login: Disconnected (auth service reported
temporary failure): user=<fukudata>, method=PLAIN, rip=118.103.29.199,
lip=10.243.150.190, session=<mgm9vz25BTZ2Zx3H>
dovecot[30307]: lmtp(30317): Connect from 10.243.148.174
dovecot[30307]: lmtp(30317): Disconnect from 10.243.148.174: Remote
closed connection (state=READY)

I would appreciate your reply.

Yours faithfully,

On Tue, 19 Jan 2021 at 15:34, Aki Tuomi <aki.tuomi at open-xchange.com> wrote:


> > On 19/01/2021 07:17 福田泰葵 <taiki.fukuda at justsystems.com> wrote:
> >
> >
> > Dear Sir or Madam
> > Unable to build OAuth2.0 authentication to Gmail using dovecot as proxy.
> > I have a question about how to use dovecot as a proxy to perform OAuth
> 2.0 authentication to Gmail using a mail client.
>
> Mail client is required, in this case, to provide valid oauth2 bearer
> token. I don't think google supports other ways.
>
> >   1. Is the following all I need to do to authenticate to Gmail using
> dovecot as a proxy?
> >   * passdb
> >   passdb {
> >   driver = oauth2
> >   mechanisms = oauthbearer xoauth2
> >   args = /etc/dovecot/dovecot-oauth2.token.conf.ext
> >   }
> >   passdb {
> >   driver = oauth2
> >   mechanisms = plain login
> >   args = /etc/dovecot/dovecot-oauth2.plain.conf.ext
> >   }
> >
>
> The plain config is a way to do 'password grant' authentication. This is
> when a username and password are used to acquire a bearer token.
>
> >   * create dovecot-oauth2.token.conf.ext and
> dovecot-oauth2.plain.conf.ext
> >   * create gmail service account api
> >   2. grant_url in dovecot-oauth2.token.conf.ext and
> dovecot-oauth2.plain.conf.ext is URL for obtaining a Google access token
> for a web server that I have built myself?
> >   3. I use a Gmail service account, so I don’t need a client ID and
> secret ID, right?
> >   4. Do I set introspection_url to the URL of my own web server with the
> access token used for authentication to Google as the response?
>
> No. The introspection URL needs to point to a location where dovecot can
> figure out more information about the user with token. If I recall
> correctly, the token endpoint
>
> For gmail, you need to use https://www.googleapis.com/oauth2/v2/userinfo
>
> >   5. The documentation says “pass_attrs = host=127.0.0.1”, but if you
> are authenticating to Gmail, I should use
> >   “pass_attrs = proxy=y host=%{if;%s;eq;imap;imap.gmail.com;%{if;%s;eq;pop3;smtp.gmail.com;pop.gmail.com}}
> port=%{if;%s;eq;imap;993;%{if;%s;eq;pop3;587;465}} proxy_mech=xoauth2
> pass=%{oauth2:access_token} user=%{oauth2:email oauth2:email}”?
>
> I would use something more readable, like passwd-file driver with
> username_format=%s
>
> The access token is also imported as %{token} in passdb.
>
> >   6. What is the difference between dovecot-oauth2.token.conf.ext and
> dovecot-oauth2.plain.conf.ext ? Do I need to configure both?
> > I used
> https://doc.dovecot.org/configuration_manual/authentication/oauth2/#proxy
> as a reference.
> > I would appreciate your reply.
> > Yours faithfully,
> > ------------------------------
> > e-mail: taiki.fukuda at justsystems.com
> > TEL: 03-5324-7900
> > mobile: 080-6198-7328
> > ------------------------------
>
> So this might work
>
> /etc/dovecot/oauth2-token.conf.ext
>
> introspection_url = https://www.googleapis.com/oauth2/v2/userinfo
> introspection_mode = auth
> username_attribute = email
> pass_attrs = proxy=y proxy_mech=xoauth2
>
> /etc/dovecot/dovecot.conf
>
> auth_mechanisms = xoauth2 oauthbearer
>
> passdb {
>   driver = oauth2
>   args = /etc/dovecot/oauth2-token.conf.ext
>   result_success = continue-ok
> }
>
> passdb {
>   driver = passwd-file
>   args = username_format=%s /etc/dovecot/endpoints
>   skip = unauthenticated
> }
>
> /etc/dovecot/endpoints
>
> imap::::::: host=imap.gmail.com
> pop3::::::: host=pop3.gmail.com
> submission::::::: host=smtp.gmail.com
>
> Aki
>
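Added worked example (mine, not code from this thread, from Dovecot or from Google): an offline model of the two steps Aki's configuration chains together, so the log above can be read against it. Step one is the introspection call that the oauth2 passdb makes under introspection_mode = auth, which I model as a GET to the introspection_url carrying the client's token in an Authorization: Bearer header (the request shape visible in the log); the username is then read from the JSON field named by username_attribute. A 401 from the endpoint, as in the log, or a 200 without that field, ends in the same "No username returned" failure. Step two is what the proxy then sends to the Gmail backend with proxy_mech=xoauth2: the SASL XOAUTH2 initial client response, base64 of `user=<user>^Aauth=Bearer <token>^A^A`, alongside the RFC 7628 OAUTHBEARER form for comparison. The userinfo endpoint, the token value and the mailbox address are constructed stand-ins, not real data.

```python
import base64
import json

# Values taken from the configuration discussed in the thread.
INTROSPECTION_URL = "https://www.googleapis.com/oauth2/v2/userinfo"
USERNAME_ATTRIBUTE = "email"

# Constructed sample data: the only bearer token the fake endpoint accepts.
# Neither the token nor the address is real.
FAKE_USERINFO = {
    "ya29.example-valid-token": {
        "id": "1234567890", "email": "fukudata@example.com", "verified_email": True,
    },
}


def build_introspection_request(token):
    """Request shape assumed for introspection_mode = auth: a GET to the
    introspection URL with the client's token as a Bearer header."""
    return {"method": "GET", "url": INTROSPECTION_URL,
            "headers": {"Authorization": "Bearer " + token}}


def fake_userinfo_endpoint(request):
    """Constructed stand-in for the Google userinfo endpoint. Any request without
    a known bearer token gets 401, which is what the thread's log shows."""
    auth = request["headers"].get("Authorization", "")
    claims = FAKE_USERINFO.get(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
    if claims is None:
        return 401, json.dumps({"error": {"code": 401, "message": "Invalid Credentials"}})
    return 200, json.dumps(claims)


def introspect(token, endpoint=fake_userinfo_endpoint):
    """Passdb outcome: (True, username) or (False, reason). A non-200 answer or a
    body without username_attribute both end in 'No username returned'."""
    status, body = endpoint(build_introspection_request(token))
    if status != 200:
        return False, "oauth2 failed: No username returned (introspection HTTP %d)" % status
    username = json.loads(body).get(USERNAME_ATTRIBUTE)
    if not username:
        return False, "oauth2 failed: No username returned (no '%s' in response)" % USERNAME_ATTRIBUTE
    return True, username


def xoauth2_initial_response(user, token):
    """SASL XOAUTH2 initial client response: base64("user=" user ^A "auth=Bearer " token ^A ^A)."""
    raw = "user=%s\x01auth=Bearer %s\x01\x01" % (user, token)
    return base64.b64encode(raw.encode()).decode()


def oauthbearer_initial_response(user, token, host="imap.gmail.com", port=993):
    """SASL OAUTHBEARER initial client response (RFC 7628): GS2 header, then
    ^A-separated host, port and auth fields, terminated by ^A^A."""
    raw = "n,a=%s,\x01host=%s\x01port=%d\x01auth=Bearer %s\x01\x01" % (user, host, port, token)
    return base64.b64encode(raw.encode()).decode()


def parse_xoauth2_initial_response(b64):
    """Decode an XOAUTH2 initial response into its fields, as the backend does.
    Malformed input raises ValueError rather than being guessed at."""
    raw = base64.b64decode(b64).decode()
    if not raw.endswith("\x01\x01"):
        raise ValueError("XOAUTH2 response must end with ^A^A")
    fields = dict(part.split("=", 1) for part in raw[:-2].split("\x01"))
    if set(fields) != {"user", "auth"} or not fields["auth"].startswith("Bearer "):
        raise ValueError("unexpected XOAUTH2 fields: %r" % sorted(fields))
    return {"user": fields["user"], "token": fields["auth"][len("Bearer "):]}


def proxy_decision(token):
    """End to end: introspect the client's token, then build what the proxy
    would send to the Gmail IMAP backend on success."""
    ok, result = introspect(token)
    if not ok:
        return {"ok": False, "error": result}
    return {"ok": True, "user": result, "host": "imap.gmail.com", "port": 993,
            "proxy_mech": "xoauth2", "initial_response": xoauth2_initial_response(result, token)}


if __name__ == "__main__":
    for t in ("ya29.example-valid-token", "ya29.revoked-or-garbage"):
        print(t, "->", proxy_decision(t))
```

The point of the model is the order of operations: the proxy never sees a password, it only relays the bearer token the client presented, so a 401 from introspection means Google did not accept that token (expired, wrong scope, or not a Google-issued access token at all), and no request parameter on the Dovecot side changes that.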