Reminder Re: Dovecot Gmail OAuth2.0 Setting Question

福田泰葵 taiki.fukuda at justsystems.com
Mon Jan 25 10:12:36 EET 2021


Dear Mr. Tuomi

Google is responding to me as Unauthorized.
So I need to send my credentials such as access token in the request
parameter for authentication in google’s Get User API request.
But I don’t know how to configure dovecot to achieve that.
Could you please help me with this?

Best regards,

 1月 25 17:06:33 ip-10-243-150-190 dovecot[5955]: lmtp(5963):
Disconnect from 10.243.148.110: Remote closed connection (state=READY)
 1月 25 17:06:33 ip-10-243-150-190 dovecot[5955]: lmtp(5963): Connect
from 10.243.148.174
 1月 25 17:06:33 ip-10-243-150-190 dovecot[5955]: lmtp(5963):
Disconnect from 10.243.148.174: Remote closed connection (state=READY)
 1月 25 17:06:33 ip-10-243-150-190 dovecot[5955]: lmtp(5957): Connect
from 10.243.148.174
 1月 25 17:06:33 ip-10-243-150-190 dovecot[5955]: lmtp(5957):
Disconnect from 10.243.148.174: Remote closed connection (state=READY)
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client: host www.googleapis.com: Host created
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client: host www.googleapis.com: Host session created
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client: host www.googleapis.com: Need to perform DNS lookup
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client: host www.googleapis.com: Performing asynchronous DNS
lookup
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client[1]: request [Req1: GET
https://www.googleapis.com/oauth2/v2/userinfo]: Submitted (requests
left=1)
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client: host www.googleapis.com: DNS lookup successful; got 20
IPs
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client: peer 172.217.31.138:443 (shared): Peer created
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client: peer 172.217.31.138:443: Peer pool created
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client[1]: peer 172.217.31.138:443: Peer created
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client[1]: queue https://www.googleapis.com:443: Setting up
connection to 172.217.31.138:443 (SSL=www.googleapis.com) (1 requests
pending)
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client[1]: peer 172.217.31.138:443: Linked queue
https://www.googleapis.com:443 (1 queues linked)
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client[1]: queue https://www.googleapis.com:443: Started new
connection to 172.217.31.138:443 (SSL=www.googleapis.com)
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client[1]: peer 172.217.31.138:443: Creating 1 new connections to
handle requests (already 0 usable, connecting to 0, closing 0)
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client[1]: peer 172.217.31.138:443: Making new connection 1 of 1
(0 connections exist, 0 pending)
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client: conn 172.217.31.138:443 [1]: Connecting
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client: conn 172.217.31.138:443 [1]: Waiting for connect (fd=22)
to finish for max 0 msecs
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client: conn 172.217.31.138:443 [1]: HTTPS connection created (1
parallel connections exist)
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client: conn 172.217.31.138:443 [1]: Client connected (fd=22)
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client: conn 172.217.31.138:443 [1]: Connected
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client: conn 172.217.31.138:443 [1]: Starting SSL handshake
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
www.googleapis.com: SSL: where=0x10, ret=1: before/connect
initialization
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
www.googleapis.com: SSL: where=0x1001, ret=1: before/connect
initialization
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
www.googleapis.com: SSL: where=0x1001, ret=1: SSLv2/v3 write client
hello A
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv2/v3 read server
hello A
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv2/v3 read server
hello A
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv2/v3 read server
hello A
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read server hello
A
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Received valid
SSL certificate: /OU=GlobalSign Root CA -
R2/O=GlobalSign/CN=GlobalSign
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Received valid
SSL certificate: /C=US/O=Google Trust Services/CN=GTS CA 1O1
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Received valid
SSL certificate: /C=US/ST=California/L=Mountain View/O=Google
LLC/CN=upload.video.google.com
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read server
certificate A
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read server key
exchange A
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read server done A
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 write client key
exchange A
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 write change
cipher spec A
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 write finished A
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 flush data
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv3 read finished A
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv3 read finished A
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv3 read finished A
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv3 read finished A
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read finished A
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
www.googleapis.com: SSL: where=0x20, ret=1: SSL negotiation finished
successfully
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
www.googleapis.com: SSL: where=0x1002, ret=1: SSL negotiation finished
successfully
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client: conn 172.217.31.138:443 [1]: SSL handshake successful
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client: conn 172.217.31.138:443 [1]: Ready for requests
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client[1]: peer 172.217.31.138:443: Successfully connected (1
connections exist, 0 pending)
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client: peer 172.217.31.138:443: Successfully connected (1
connections exist, 0 pending)
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client[1]: peer 172.217.31.138:443: Using 1 idle connections to
handle 1 requests (1 total connections ready)
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client[1]: queue https://www.googleapis.com:443: Connection to
peer 172.217.31.138:443 claimed request [Req1: GET
https://www.googleapis.com/oauth2/v2/userinfo]
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client: conn 172.217.31.138:443 [1]: Claimed request [Req1: GET
https://www.googleapis.com/oauth2/v2/userinfo]
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client[1]: request [Req1: GET
https://www.googleapis.com/oauth2/v2/userinfo]: Sent header
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client[1]: peer 172.217.31.138:443: No more requests to service
for this peer (1 connections exist, 0 pending)
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client: conn 172.217.31.138:443 [1]: Got 401 response for request
[Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]:
Unauthorized (took 50 ms + 66 ms in queue)
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Error:
oauth2(fukudata,118.103.29.199,<EYgxBLW5h812Zx3H>): oauth2 failed: No
username returned
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client: conn 172.217.31.138:443 [1]: Response payload stream
destroyed (0 ms after initial response)
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client[1]: request [Req1: GET
https://www.googleapis.com/oauth2/v2/userinfo]: Finished
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client[1]: queue https://www.googleapis.com:443: Dropping request
[Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client: host www.googleapis.com: Host is idle (timeout = 1799900
msecs)
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client[1]: request [Req1: GET
https://www.googleapis.com/oauth2/v2/userinfo]: Free (requests left=1)
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client[1]: peer 172.217.31.138:443: No requests to service for
this peer (1 connections exist, 0 pending)
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: auth: Debug:
http-client: conn 172.217.31.138:443 [1]: No more requests queued;
going idle (timeout = 60000 msecs)
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: lmtp(5957): Connect
from 10.243.148.174
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: lmtp(5957):
Disconnect from 10.243.148.174: Remote closed connection (state=READY)
 1月 25 17:06:34 ip-10-243-150-190 dovecot[5955]: lmtp(5957): Connect
from 10.243.148.174

------------------------------

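Sumitomo Fudosan Shinjuku Oak Tower, 6-8-1 Nishi-Shinjuku, Shinjuku-ku, Tokyo 163-6017
JustSystems Corporation, Technology Planning Office, Information Systems Group, 福田泰葵
e-mail: taiki.fukuda at justsystems.com
Extension: 5158
TEL: 03-5324-7900
mobile: 080-6198-7328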

On Fri, Jan 22, 2021 at 15:51, Aki Tuomi <aki.tuomi at open-xchange.com> wrote:

> Your emails come through to the mailing list, you can verify this from
> https://dovecot.org/pipermail/dovecot
>
> Try turning on rawlogs for the oauth2 requests and see what google is
> sending you?
>
> You can also try log_debug=category=oauth2 (2.3.13) to get more debug logs
> from oauth2.
>
> Aki
>
> > On 22/01/2021 02:51 福田泰葵 <taiki.fukuda at justsystems.com> wrote:
> >
> >
> > Dear Mr. Tuomi,
> >
> > This is just to remind you that I haven’t received your response to my
> e-mail I sent you. I’m afraid my e-mail may not have reached you.
> > If you have any questions or concerns, please let me know.
> >
> > Best regards,
> >
> >
> > On Tue, Jan 19, 2021 at 18:52, 福田泰葵 <taiki.fukuda at justsystems.com> wrote:
> > > Thank you for your reply.
> > > But I need more help.
> > > How do I set request parameter of
> https://www.googleapis.com/oauth2/v2/userinfo?
> > > Logs:
> > > dovecot[30307]: lmtp(30320): Connect from 10.243.148.174
> > > dovecot[30307]: lmtp(30320): Disconnect from 10.243.148.174 (
> http://10.243.148.174): Remote closed connection (state=READY)
> > > dovecot[30307]: auth: Debug: http-client: host www.googleapis.com (
> http://www.googleapis.com): Host created
> > > dovecot[30307]: auth: Debug: http-client: host www.googleapis.com (
> http://www.googleapis.com): Host session created
> > > dovecot[30307]: auth: Debug: http-client: host www.googleapis.com (
> http://www.googleapis.com): Need to perform DNS lookup
> > > dovecot[30307]: auth: Debug: http-client: host www.googleapis.com (
> http://www.googleapis.com): Performing asynchronous DNS lookup
> > > dovecot[30307]: auth: Debug: http-client[1]: request [Req1: GET
> https://www.googleapis.com/oauth2/v2/userinfo]: Submitted (requests
> left=1)
> > > dovecot[30307]: auth: Debug: http-client: host www.googleapis.com (
> http://www.googleapis.com): DNS lookup successful; got 20 IPs
> > > dovecot[30307]: auth: Debug: http-client: peer 172.217.31.170:443 (
> http://172.217.31.170:443) (shared): Peer created
> > > dovecot[30307]: auth: Debug: http-client: peer 172.217.31.170:443 (
> http://172.217.31.170:443): Peer pool created
> > > dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443 (
> http://172.217.31.170:443): Peer created
> > > dovecot[30307]: auth: Debug: http-client[1]: queue
> https://www.googleapis.com:443: Setting up connection to
> 172.217.31.170:443 (http://172.217.31.170:443) (SSL=www.googleapis.com (
> http://www.googleapis.com)) (1 requests pending)
> > > dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443 (
> http://172.217.31.170:443): Linked queue https://www.googleapis.com:443
> (1 queues linked)
> > > dovecot[30307]: auth: Debug: http-client[1]: queue
> https://www.googleapis.com:443: Started new connection to
> 172.217.31.170:443 (http://172.217.31.170:443) (SSL=www.googleapis.com (
> http://www.googleapis.com))
> > > dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443 (
> http://172.217.31.170:443): Creating 1 new connections to handle requests
> (already 0 usable, connecting to 0, closing 0)
> > > dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443 (
> http://172.217.31.170:443): Making new connection 1 of 1 (0 connections
> exist, 0 pending)
> > > dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 (
> http://172.217.31.170:443) [1]: Connecting
> > > dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 (
> http://172.217.31.170:443) [1]: Waiting for connect (fd=22) to finish for
> max 0 msecs
> > > dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 (
> http://172.217.31.170:443) [1]: HTTPS connection created (1 parallel
> connections exist)
> > > dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 (
> http://172.217.31.170:443) [1]: Client connected (fd=22)
> > > dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 (
> http://172.217.31.170:443) [1]: Connected
> > > dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 (
> http://172.217.31.170:443) [1]: Starting SSL handshake
> > > dovecot[30307]: auth: Debug: www.googleapis.com (
> http://www.googleapis.com): SSL: where=0x10, ret=1: before/connect
> initialization
> > > dovecot[30307]: auth: Debug: www.googleapis.com (
> http://www.googleapis.com): SSL: where=0x1001, ret=1: before/connect
> initialization
> > > dovecot[30307]: auth: Debug: www.googleapis.com (
> http://www.googleapis.com): SSL: where=0x1001, ret=1: SSLv2/v3 write
> client hello A
> > > dovecot[30307]: auth: Debug: www.googleapis.com (
> http://www.googleapis.com): SSL: where=0x1002, ret=-1: SSLv2/v3 read
> server hello A
> > > dovecot[30307]: auth: Debug: www.googleapis.com (
> http://www.googleapis.com): SSL: where=0x1002, ret=-1: SSLv2/v3 read
> server hello A
> > > dovecot[30307]: auth: Debug: www.googleapis.com (
> http://www.googleapis.com): SSL: where=0x1002, ret=-1: SSLv2/v3 read
> server hello A
> > > dovecot[30307]: auth: Debug: www.googleapis.com (
> http://www.googleapis.com): SSL: where=0x1001, ret=1: SSLv3 read server
> hello A
> > > dovecot[30307]: auth: Received valid SSL certificate: /OU=GlobalSign
> Root CA - R2/O=GlobalSign/CN=GlobalSign
> > > dovecot[30307]: auth: Received valid SSL certificate: /C=US/O=Google
> Trust Services/CN=GTS CA 1O1
> > > dovecot[30307]: auth: Received valid SSL certificate:
> /C=US/ST=California/L=Mountain View/O=Google LLC/CN=
> upload.video.google.com (http://upload.video.google.com)
> > > dovecot[30307]: auth: Debug: www.googleapis.com (
> http://www.googleapis.com): SSL: where=0x1001, ret=1: SSLv3 read server
> certificate A
> > > dovecot[30307]: auth: Debug: www.googleapis.com (
> http://www.googleapis.com): SSL: where=0x1001, ret=1: SSLv3 read server
> key exchange A
> > > dovecot[30307]: auth: Debug: www.googleapis.com (
> http://www.googleapis.com): SSL: where=0x1001, ret=1: SSLv3 read server
> done A
> > > dovecot[30307]: auth: Debug: www.googleapis.com (
> http://www.googleapis.com): SSL: where=0x1001, ret=1: SSLv3 write client
> key exchange A
> > > dovecot[30307]: auth: Debug: www.googleapis.com (
> http://www.googleapis.com): SSL: where=0x1001, ret=1: SSLv3 write change
> cipher spec A
> > > dovecot[30307]: auth: Debug: www.googleapis.com (
> http://www.googleapis.com): SSL: where=0x1001, ret=1: SSLv3 write
> finished A
> > > dovecot[30307]: auth: Debug: www.googleapis.com (
> http://www.googleapis.com): SSL: where=0x1001, ret=1: SSLv3 flush data
> > > dovecot[30307]: auth: Debug: www.googleapis.com (
> http://www.googleapis.com): SSL: where=0x1002, ret=-1: SSLv3 read
> finished A
> > > dovecot[30307]: auth: Debug: www.googleapis.com (
> http://www.googleapis.com): SSL: where=0x1002, ret=-1: SSLv3 read
> finished A
> > > dovecot[30307]: auth: Debug: www.googleapis.com (
> http://www.googleapis.com): SSL: where=0x1002, ret=-1: SSLv3 read
> finished A
> > > dovecot[30307]: auth: Debug: www.googleapis.com (
> http://www.googleapis.com): SSL: where=0x1002, ret=-1: SSLv3 read
> finished A
> > > dovecot[30307]: auth: Debug: www.googleapis.com (
> http://www.googleapis.com): SSL: where=0x1001, ret=1: SSLv3 read finished
> A
> > > dovecot[30307]: auth: Debug: www.googleapis.com (
> http://www.googleapis.com): SSL: where=0x20, ret=1: SSL negotiation
> finished successfully
> > > dovecot[30307]: auth: Debug: www.googleapis.com (
> http://www.googleapis.com): SSL: where=0x1002, ret=1: SSL negotiation
> finished successfully
> > > dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 (
> http://172.217.31.170:443) [1]: SSL handshake successful
> > > dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 (
> http://172.217.31.170:443) [1]: Ready for requests
> > > dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443 (
> http://172.217.31.170:443): Successfully connected (1 connections exist,
> 0 pending)
> > > dovecot[30307]: auth: Debug: http-client: peer 172.217.31.170:443 (
> http://172.217.31.170:443): Successfully connected (1 connections exist,
> 0 pending)
> > > dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443 (
> http://172.217.31.170:443): Using 1 idle connections to handle 1 requests
> (1 total connections ready)
> > > dovecot[30307]: auth: Debug: http-client[1]: queue
> https://www.googleapis.com:443: Connection to peer 172.217.31.170:443 (
> http://172.217.31.170:443) claimed request [Req1: GET
> https://www.googleapis.com/oauth2/v2/userinfo]
> > > dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 (
> http://172.217.31.170:443) [1]: Claimed request [Req1: GET
> https://www.googleapis.com/oauth2/v2/userinfo]
> > > dovecot[30307]: auth: Debug: http-client[1]: request [Req1: GET
> https://www.googleapis.com/oauth2/v2/userinfo]: Sent header
> > > dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443 (
> http://172.217.31.170:443): No more requests to service for this peer (1
> connections exist, 0 pending)
> > > dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 (
> http://172.217.31.170:443) [1]: Got 401 response for request [Req1: GET
> https://www.googleapis.com/oauth2/v2/userinfo]: Unauthorized (took 46 ms
> + 59 ms in queue)
> > > dovecot[30307]: auth: Error:
> oauth2(fukudata,118.103.29.199,<mgm9vz25BTZ2Zx3H>): oauth2 failed: No
> username returned
> > > dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 (
> http://172.217.31.170:443) [1]: Response payload stream destroyed (0 ms
> after initial response)
> > > dovecot[30307]: auth: Debug: http-client[1]: request [Req1: GET
> https://www.googleapis.com/oauth2/v2/userinfo]: Finished
> > > dovecot[30307]: auth: Debug: http-client[1]: queue
> https://www.googleapis.com:443: Dropping request [Req1: GET
> https://www.googleapis.com/oauth2/v2/userinfo]
> > > dovecot[30307]: auth: Debug: http-client: host www.googleapis.com (
> http://www.googleapis.com): Host is idle (timeout = 1799906 msecs)
> > > dovecot[30307]: auth: Debug: http-client[1]: request [Req1: GET
> https://www.googleapis.com/oauth2/v2/userinfo]: Free (requests left=1)
> > > dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443 (
> http://172.217.31.170:443): No requests to service for this peer (1
> connections exist, 0 pending)
> > > dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 (
> http://172.217.31.170:443) [1]: No more requests queued; going idle
> (timeout = 60000 msecs)
> > > dovecot[30307]: lmtp(30309): Connect from 10.243.148.174
> > > dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.174 (
> http://10.243.148.174): Remote closed connection (state=READY)
> > > dovecot[30307]: lmtp(30320): Connect from 10.243.148.174
> > > dovecot[30307]: lmtp(30320): Disconnect from 10.243.148.174 (
> http://10.243.148.174): Remote closed connection (state=READY)
> > > dovecot[30307]: lmtp(30320): Connect from 10.243.148.174
> > > dovecot[30307]: lmtp(30320): Disconnect from 10.243.148.174 (
> http://10.243.148.174): Remote closed connection (state=READY)
> > > dovecot[30307]: lmtp(30309): Connect from 10.243.148.174
> > > dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.174 (
> http://10.243.148.174): Remote closed connection (state=READY)
> > > dovecot[30307]: lmtp(30309): Connect from 10.243.148.110
> > > dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.110 (
> http://10.243.148.110): Remote closed connection (state=READY)
> > > dovecot[30307]: lmtp(30309): Connect from 10.243.148.110
> > > dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.110 (
> http://10.243.148.110): Remote closed connection (state=READY)
> > > dovecot[30307]: lmtp(30309): Connect from 10.243.148.110
> > > dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.110 (
> http://10.243.148.110): Remote closed connection (state=READY)
> > > sshd[30475]: Connection closed by 10.243.150.20 port 48174 [preauth]
> > > dovecot[30307]: imap-login: Disconnected (auth service reported
> temporary failure): user=<fukudata>, method=PLAIN, rip=118.103.29.199,
> lip=10.243.150.190, session=<mgm9vz25BTZ2Zx3H>
> > > dovecot[30307]: lmtp(30317): Connect from 10.243.148.174
> > > dovecot[30307]: lmtp(30317): Disconnect from 10.243.148.174 (
> http://10.243.148.174): Remote closed connection (state=READY)
> > >
> > > I would appreciate your reply.
> > > Yours faithfully,
> > > On Tue, Jan 19, 2021 at 15:34, Aki Tuomi <aki.tuomi at open-xchange.com> wrote:
> > >
> > > >
> > > >  > On 19/01/2021 07:17 福田泰葵 <taiki.fukuda at justsystems.com> wrote:
> > > >  >
> > > >  >
> > > >  > Dear Sir or Madam
> > > >  > Unable to build OAuth2.0 authentication to Gmail using dovecot as
> proxy.
> > > >  > I have a question about how to use dovecot as a proxy to perform
> OAuth 2.0 authentication to Gmail using a mail client.
> > > >
> > > >  Mail client is required, in this case, to provide valid oauth2
> bearer token. I don't think google supports other ways.
> > > >
> > > >  > 1. Is the following all I need to do to authenticate to Gmail
> using dovecot as a proxy?
> > > >  > * passdb
> > > >  > passdb {
> > > >  > driver = oauth2
> > > >  > mechanisms = oauthbearer xoauth2
> > > >  > args = /etc/dovecot/dovecot-oauth2.token.conf.ext
> > > >  > }
> > > >  > passdb {
> > > >  > driver = oauth2
> > > >  > mechanisms = plain login
> > > >  > args = /etc/dovecot/dovecot-oauth2.plain.conf.ext
> > > >  > }
> > > >  >
> > > >
> > > >  The plain config is a way to do 'password grant' authentication.
> This is when username and password is used to acquire a bearer token.
> > > >
> > > >  > * create dovecot-oauth2.token.conf.ext and
> dovecot-oauth2.plain.conf.ext
> > > >  > * create gmail service account api
> > > >  > 2. grant_url in dovecot-oauth2.token.conf.ext and
> dovecot-oauth2.plain.conf.ext is URL for obtaining a Google access token
> for a web server that I have built myself?
> > > >  > 3. I use a Gmail service account, so I don’t need a client ID and
> secret ID, right?
> > > >  > 4. Do I set introspection_url to the URL of my own web server
> with the access token used for authentication to Google as the response?
> > > >
> > > >  No. The introspection URL needs to point to a location where
> dovecot can figure out more information about the user with token. If I
> recall correctly, the token endpoint
> > > >
> > > >  For gmail, you need to use
> https://www.googleapis.com/oauth2/v2/userinfo
> > > >
> > > >  > 5. The documentation says “pass_attrs = host=127.0.0.1”, but if
> you are authenticating to Gmail, I should use
> > > >  > “pass_attrs = proxy=y
> host=%{if;%s;eq;imap;imap.gmail.com;%{if;%s;eq;pop3;smtp.gmail.com;pop.gmail.com}}
> port=%{if;%s;eq;imap;993;%{if;%s;eq;pop3;587;465}} proxy_mech=xoauth2
> pass=%{oauth2:access_token} user=%{oauth2:email oauth2:email}”?
> > > >
> > > >  I would use something more readable, like passwd-file driver with
> username_format=%s
> > > >
> > > >  The access token is also imported as %{token} in passdb.
> > > >
> > > >  > 6. What is the difference between dovecot-oauth2.token.conf.ext
> and dovecot-oauth2.plain.conf.ext ? Do I need to configure both?
> > > >  > I used
> https://doc.dovecot.org/configuration_manual/authentication/oauth2/#proxy
> as a reference.
> > > >  > I would appreciate your reply.
> > > >  > Yours faithfully,
> > > >  > ------------------------------
> > > >  > e-mail: taiki.fukuda at justsystems.com
> > > >  > TEL: 03-5324-7900
> > > >  > mobile: 080-6198-7328
> > > >  > ------------------------------
> > > >
> > > >  So this might work
> > > >
> > > >  /etc/dovecot/oauth2-token.conf.ext
> > > >
> > > >  introspection_url = https://www.googleapis.com/oauth2/v2/userinfo
> > > >  introspection_mode = auth
> > > >  username_attribute = email
> > > >  pass_attrs = proxy=y proxy_mech=xoauth2
> > > >
> > > >  /etc/dovecot/dovecot.conf
> > > >
> > > >  auth_mechanisms = xoauth2 oauthbearer
> > > >
> > > >  passdb {
> > > >  driver = oauth2
> > > >  args = /etc/dovecot/oauth2-token.conf.ext
> > > >  result_success = continue-ok
> > > >  }
> > > >
> > > >  passdb {
> > > >  driver = passwd-file
> > > >  args = username_format=%s /etc/dovecot/endpoints
> > > >  skip = unauthenticated
> > > >  }
> > > >
> > > >  /etc/dovecot/endpoints
> > > >
> > > >  imap::::::: host=imap.gmail.com
> > > >  pop3::::::: host=pop3.gmail.com
> > > >  submission::::::: host=smtp.gmail.com
> > > >
> > > >  Aki
> > > >
>
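
Added example (not part of the thread and not Dovecot's own code): a small triage script for the kind of auth debug log posted above. It rejoins the mail-wrapped records, pairs each `oauth2 failed` error with the preceding introspection HTTP status, and looks up the SASL mechanism of the same session from the login line. The sample log is constructed, the "most recent response" pairing is a heuristic for a lightly loaded server, and the PLAIN verdict assumes the oauth2 passdb hands the PLAIN password field to introspection as the token.

```python
import re

# Constructed sample modelled on the auth debug log in this thread, including
# the mail-client line wrapping. Users, IPs and session ids are made up.
SAMPLE_LOG = """\
Jan 25 17:06:34 mx1 dovecot[5955]: auth: Debug:
http-client: conn 203.0.113.5:443 [1]: Got 401 response for request
[Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]:
Unauthorized (took 50 ms + 66 ms in queue)
Jan 25 17:06:34 mx1 dovecot[5955]: auth: Error:
oauth2(alice,192.0.2.10,<sessAAAA>): oauth2 failed: No
username returned
Jan 25 17:06:36 mx1 dovecot[5955]: imap-login: Disconnected (auth service
reported temporary failure): user=<alice>, method=PLAIN, rip=192.0.2.10,
lip=198.51.100.1, session=<sessAAAA>
Jan 25 17:07:02 mx1 dovecot[5955]: auth: Debug:
http-client: conn 203.0.113.5:443 [1]: Got 401 response for request
[Req2: GET https://www.googleapis.com/oauth2/v2/userinfo]:
Unauthorized (took 48 ms + 0 ms in queue)
Jan 25 17:07:02 mx1 dovecot[5955]: auth: Error:
oauth2(bob,192.0.2.20,<sessBBBB>): oauth2 failed: No username returned
Jan 25 17:07:04 mx1 dovecot[5955]: imap-login: Disconnected (auth service
reported temporary failure): user=<bob>, method=XOAUTH2, rip=192.0.2.20,
lip=198.51.100.1, session=<sessBBBB>
"""

RECORD_START = re.compile(r"\bdovecot\[\d+\]:")
HTTP_RESP = re.compile(r"http-client: conn \S+ \[\d+\]: Got (\d{3}) response "
                       r"for request \[Req\d+: GET ([^\]\s]+)\]")
OAUTH_FAIL = re.compile(r"auth: Error: oauth2\(([^,]*),([^,]*),<([^>]+)>\): "
                        r"oauth2 failed: (.*)")
LOGIN_LINE = re.compile(r"-login: .*?method=([A-Za-z0-9_-]+),.*?session=<([^>]+)>")


def unwrap(text):
    """Rejoin records that a mail client wrapped across several lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.search(line) or not records:
            records.append(line)          # a syslog tag starts a new record
        else:
            records[-1] += " " + line     # continuation of the previous one
    return records


def verdict(finding):
    """Heuristic reading of one failed session (not an authoritative diagnosis)."""
    if finding["http_status"] != 401:
        return "introspection failed for another reason; inspect the response"
    if finding["mechanism"] in ("PLAIN", "LOGIN"):
        return "PLAIN/LOGIN login: the password field was introspected as the token"
    if finding["mechanism"] in ("XOAUTH2", "OAUTHBEARER"):
        return "bearer token rejected by the userinfo endpoint"
    return "401 from introspection; login mechanism not seen in the log"


def triage(text):
    last_http = None   # most recent introspection response seen in the auth log
    failures = {}      # session id -> finding
    for rec in unwrap(text):
        m = HTTP_RESP.search(rec)
        if m:
            last_http = (int(m.group(1)), m.group(2))
            continue
        m = OAUTH_FAIL.search(rec)
        if m:
            user, rip, session, reason = m.groups()
            status, url = last_http or (None, None)
            failures[session] = {"user": user, "rip": rip, "session": session,
                                 "reason": reason.strip(), "http_status": status,
                                 "url": url, "mechanism": None}
            last_http = None
            continue
        m = LOGIN_LINE.search(rec)
        if m and m.group(2) in failures:
            failures[m.group(2)]["mechanism"] = m.group(1).upper()
    for finding in failures.values():
        finding["verdict"] = verdict(finding)
    return list(failures.values())


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["session"], f["user"], f["http_status"], f["mechanism"], "->", f["verdict"])
```
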