Dear Mr. Tuomi,

This is just to remind you that I haven't received your response to the e-mail I sent you. I'm afraid my e-mail may not have reached you. If you have any questions or concerns, please let me know.

Best regards,

On Tue, 19 Jan 2021 at 18:52, 福田泰葵 <taiki.fuk...@justsystems.com> wrote:
> Thank you for your reply.
> But I need more help.
>
> How do I set the request parameter of
> https://www.googleapis.com/oauth2/v2/userinfo?
>
> Logs:
>
> dovecot[30307]: lmtp(30320): Connect from 10.243.148.174
> dovecot[30307]: lmtp(30320): Disconnect from 10.243.148.174: Remote closed connection (state=READY)
> dovecot[30307]: auth: Debug: http-client: host www.googleapis.com: Host created
> dovecot[30307]: auth: Debug: http-client: host www.googleapis.com: Host session created
> dovecot[30307]: auth: Debug: http-client: host www.googleapis.com: Need to perform DNS lookup
> dovecot[30307]: auth: Debug: http-client: host www.googleapis.com: Performing asynchronous DNS lookup
> dovecot[30307]: auth: Debug: http-client[1]: request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Submitted (requests left=1)
> dovecot[30307]: auth: Debug: http-client: host www.googleapis.com: DNS lookup successful; got 20 IPs
> dovecot[30307]: auth: Debug: http-client: peer 172.217.31.170:443 (shared): Peer created
> dovecot[30307]: auth: Debug: http-client: peer 172.217.31.170:443: Peer pool created
> dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443: Peer created
> dovecot[30307]: auth: Debug: http-client[1]: queue https://www.googleapis.com:443: Setting up connection to 172.217.31.170:443 (SSL=www.googleapis.com) (1 requests pending)
> dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443: Linked queue https://www.googleapis.com:443 (1 queues linked)
> dovecot[30307]: auth: Debug: http-client[1]: queue https://www.googleapis.com:443: Started new connection to 172.217.31.170:443 (SSL=www.googleapis.com)
> dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443: Creating 1 new connections to handle requests (already 0 usable, connecting to 0, closing 0)
> dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443: Making new connection 1 of 1 (0 connections exist, 0 pending)
> dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Connecting
> dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Waiting for connect (fd=22) to finish for max 0 msecs
> dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: HTTPS connection created (1 parallel connections exist)
> dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Client connected (fd=22)
> dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Connected
> dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Starting SSL handshake
> dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x10, ret=1: before/connect initialization
> dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: before/connect initialization
> dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv2/v3 write client hello A
> dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv2/v3 read server hello A
> dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv2/v3 read server hello A
> dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv2/v3 read server hello A
> dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read server hello A
> dovecot[30307]: auth: Received valid SSL certificate: /OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
> dovecot[30307]: auth: Received valid SSL certificate: /C=US/O=Google Trust Services/CN=GTS CA 1O1
> dovecot[30307]: auth: Received valid SSL certificate: /C=US/ST=California/L=Mountain View/O=Google LLC/CN=upload.video.google.com
> dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read server certificate A
> dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read server key exchange A
> dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read server done A
> dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 write client key exchange A
> dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 write change cipher spec A
> dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 write finished A
> dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 flush data
> dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv3 read finished A
> dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv3 read finished A
> dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv3 read finished A
> dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv3 read finished A
> dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read finished A
> dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x20, ret=1: SSL negotiation finished successfully
> dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=1: SSL negotiation finished successfully
> dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: SSL handshake successful
> dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Ready for requests
> dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443: Successfully connected (1 connections exist, 0 pending)
> dovecot[30307]: auth: Debug: http-client: peer 172.217.31.170:443: Successfully connected (1 connections exist, 0 pending)
> dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443: Using 1 idle connections to handle 1 requests (1 total connections ready)
> dovecot[30307]: auth: Debug: http-client[1]: queue https://www.googleapis.com:443: Connection to peer 172.217.31.170:443 claimed request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]
> dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Claimed request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]
> dovecot[30307]: auth: Debug: http-client[1]: request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Sent header
> dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443: No more requests to service for this peer (1 connections exist, 0 pending)
> dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Got 401 response for request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Unauthorized (took 46 ms + 59 ms in queue)
> dovecot[30307]: auth: Error: oauth2(fukudata,118.103.29.199,<mgm9vz25BTZ2Zx3H>): oauth2 failed: No username returned
> dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Response payload stream destroyed (0 ms after initial response)
> dovecot[30307]: auth: Debug: http-client[1]: request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Finished
> dovecot[30307]: auth: Debug: http-client[1]: queue https://www.googleapis.com:443: Dropping request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]
> dovecot[30307]: auth: Debug: http-client: host www.googleapis.com: Host is idle (timeout = 1799906 msecs)
> dovecot[30307]: auth: Debug: http-client[1]: request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Free (requests left=1)
> dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443: No requests to service for this peer (1 connections exist, 0 pending)
> dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: No more requests queued; going idle (timeout = 60000 msecs)
> dovecot[30307]: lmtp(30309): Connect from 10.243.148.174
> dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.174: Remote closed connection (state=READY)
> dovecot[30307]: lmtp(30320): Connect from 10.243.148.174
> dovecot[30307]: lmtp(30320): Disconnect from 10.243.148.174: Remote closed connection (state=READY)
> dovecot[30307]: lmtp(30320): Connect from 10.243.148.174
> dovecot[30307]: lmtp(30320): Disconnect from 10.243.148.174: Remote closed connection (state=READY)
> dovecot[30307]: lmtp(30309): Connect from 10.243.148.174
> dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.174: Remote closed connection (state=READY)
> dovecot[30307]: lmtp(30309): Connect from 10.243.148.110
> dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.110: Remote closed connection (state=READY)
> dovecot[30307]: lmtp(30309): Connect from 10.243.148.110
> dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.110: Remote closed connection (state=READY)
> dovecot[30307]: lmtp(30309): Connect from 10.243.148.110
> dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.110: Remote closed connection (state=READY)
> sshd[30475]: Connection closed by 10.243.150.20 port 48174 [preauth]
> dovecot[30307]: imap-login: Disconnected (auth service reported temporary failure): user=<fukudata>, method=PLAIN, rip=118.103.29.199, lip=10.243.150.190, session=<mgm9vz25BTZ2Zx3H>
> dovecot[30307]: lmtp(30317): Connect from 10.243.148.174
> dovecot[30307]: lmtp(30317): Disconnect from 10.243.148.174: Remote closed connection (state=READY)
>
> I would appreciate your reply.
>
> Yours faithfully,
>
> On Tue, 19 Jan 2021 at 15:34, Aki Tuomi <aki.tu...@open-xchange.com> wrote:
>>
>> > On 19/01/2021 07:17 福田泰葵 <taiki.fuk...@justsystems.com> wrote:
>> >
>> >
>> > Dear Sir or Madam
>> > Unable to build OAuth2.0 authentication to Gmail using dovecot as proxy.
>> > I have a question about how to use dovecot as a proxy to perform OAuth 2.0 authentication to Gmail using a mail client.
>>
>> The mail client is required, in this case, to provide a valid oauth2 bearer token. I don't think Google supports other ways.
>>
>> > 1. Is the following all I need to do to authenticate to Gmail using dovecot as a proxy?
>> > * passdb
>> > passdb {
>> >   driver = oauth2
>> >   mechanisms = oauthbearer xoauth2
>> >   args = /etc/dovecot/dovecot-oauth2.token.conf.ext
>> > }
>> > passdb {
>> >   driver = oauth2
>> >   mechanisms = plain login
>> >   args = /etc/dovecot/dovecot-oauth2.plain.conf.ext
>> > }
>> >
>>
>> The plain config is a way to do 'password grant' authentication. This is when a username and password are used to acquire a bearer token.
>>
>> > * create dovecot-oauth2.token.conf.ext and dovecot-oauth2.plain.conf.ext
>> > * create gmail service account api
>> > 2. grant_url in dovecot-oauth2.token.conf.ext and dovecot-oauth2.plain.conf.ext is the URL for obtaining a Google access token for a web server that I have built myself?
>> > 3. I use a Gmail service account, so I don't need a client ID and secret ID, right?
>> > 4. Do I set introspection_url to the URL of my own web server with the access token used for authentication to Google as the response?
>>
>> No. The introspection URL needs to point to a location where dovecot can figure out more information about the user with the token. If I recall correctly, the token endpoint
>>
>> For gmail, you need to use https://www.googleapis.com/oauth2/v2/userinfo
>>
>> > 5. The documentation says "pass_attrs = host=127.0.0.1", but if you are authenticating to Gmail, I should use
>> > "pass_attrs = proxy=y host=%{if;%s;eq;imap;imap.gmail.com;%{if;%s;eq;pop3;smtp.gmail.com;pop.gmail.com}} port=%{if;%s;eq;imap;993;%{if;%s;eq;pop3;587;465}} proxy_mech=xoauth2 pass=%{oauth2:access_token} user=%{oauth2:email oauth2:email}"?
>>
>> I would use something more readable, like the passwd-file driver with username_format=%s
>>
>> The access token is also imported as %{token} in passdb.
>>
>> > 6. What is the difference between dovecot-oauth2.token.conf.ext and dovecot-oauth2.plain.conf.ext? Do I need to configure both?
>> > I used https://doc.dovecot.org/configuration_manual/authentication/oauth2/#proxy as a reference.
>> > I would appreciate your reply.
>> > Yours faithfully,
>> > ------------------------------
>> > e-mail: taiki.fuk...@justsystems.com
>> > TEL: 03-5324-7900
>> > mobile: 080-6198-7328
>> > ------------------------------
>>
>> So this might work
>>
>> /etc/dovecot/oauth2-token.conf.ext
>>
>> introspection_url = https://www.googleapis.com/oauth2/v2/userinfo
>> introspection_mode = auth
>> username_attribute = email
>> pass_attrs = proxy=y proxy_mech=xoauth2
>>
>> /etc/dovecot/dovecot.conf
>>
>> auth_mechanisms = xoauth2 oauthbearer
>>
>> passdb {
>>   driver = oauth2
>>   args = /etc/dovecot/oauth2-token.conf.ext
>>   result_success = continue-ok
>> }
>>
>> passdb {
>>   driver = passwd-file
>>   args = username_format=%s /etc/dovecot/endpoints
>>   skip = unauthenticated
>> }
>>
>> /etc/dovecot/endpoints
>>
>> imap::::::: host=imap.gmail.com
>> pop3::::::: host=pop3.gmail.com
>> submission::::::: host=smtp.gmail.com
>>
>> Aki
>>
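Added example (mine, not code from this thread, from Dovecot, or from Google): a model of the chain Aki's two-passdb configuration sets up. The client presents its bearer token in an XOAUTH2 or OAUTHBEARER initial response (both mechanisms are named in the thread; the XOAUTH2 layout is the one Gmail documents and OAUTHBEARER follows RFC 7628); the proxy hands the token to the userinfo URL with `introspection_mode = auth`, which I read in the Dovecot docs as an `Authorization: Bearer` header (an assumption here, not Dovecot's own code); `username_attribute = email` picks the username out of the JSON body; the passwd-file lookup with `username_format=%s` maps the service name to a Gmail host; and the proxy re-encodes the token as XOAUTH2 for `proxy_mech=xoauth2`. The 401 branch reproduces the log line `oauth2 failed: No username returned`. All tokens, users, the endpoints file contents and the two userinfo responses are constructed sample data; `fake_google` is a stand-in for the real endpoint so the script runs offline.

```python
import base64
import json
from typing import Any, Callable, Dict, Optional, Tuple

SEP = "\x01"  # control-A separator used by both SASL mechanisms
GOOGLE_USERINFO = "https://www.googleapis.com/oauth2/v2/userinfo"


def build_xoauth2(user: str, token: str) -> str:
    """XOAUTH2 initial response: base64('user=<user>^Aauth=Bearer <token>^A^A')."""
    raw = f"user={user}{SEP}auth=Bearer {token}{SEP}{SEP}"
    return base64.b64encode(raw.encode()).decode()


def parse_xoauth2(b64: str) -> Tuple[str, str]:
    """Inverse of build_xoauth2 -> (user, token); ValueError on malformed input."""
    raw = base64.b64decode(b64).decode()
    if not raw.endswith(SEP * 2):
        raise ValueError("XOAUTH2: missing terminating ^A^A")
    fields = dict(item.split("=", 1) for item in raw[:-2].split(SEP))
    auth = fields.get("auth", "")
    if "user" not in fields or not auth.startswith("Bearer "):
        raise ValueError("XOAUTH2: need user= and auth=Bearer")
    return fields["user"], auth[len("Bearer "):]


def build_oauthbearer(user: str, host: str, port: int, token: str) -> str:
    """RFC 7628 initial response: base64('n,a=<user>,^Ahost=..^Aport=..^Aauth=Bearer ..^A^A')."""
    raw = f"n,a={user},{SEP}host={host}{SEP}port={port}{SEP}auth=Bearer {token}{SEP}{SEP}"
    return base64.b64encode(raw.encode()).decode()


def parse_oauthbearer(b64: str) -> Dict[str, str]:
    """-> {'user','host','port','token'}; only the 'n' (no channel binding) GS2 header
    with an authzid, as in the RFC example, is accepted here."""
    raw = base64.b64decode(b64).decode()
    if not raw.endswith(SEP * 2):
        raise ValueError("OAUTHBEARER: missing terminating ^A^A")
    gs2, *kv = raw[:-2].split(SEP)
    flag, authzid, rest = gs2.split(",", 2)  # ValueError if the header has too few commas
    if flag != "n" or rest != "" or not authzid.startswith("a="):
        raise ValueError("OAUTHBEARER: unsupported GS2 header")
    out = {"user": authzid[2:]}
    for item in kv:
        key, _, value = item.partition("=")
        out[key] = value
    auth = out.pop("auth", "")
    if not auth.startswith("Bearer "):
        raise ValueError("OAUTHBEARER: missing auth=Bearer")
    out["token"] = auth[len("Bearer "):]
    return out


def introspection_request(token: str, url: str = GOOGLE_USERINFO) -> Dict[str, Any]:
    """What `introspection_mode = auth` is taken to mean here (assumption): GET <url>
    carrying the client's token in an Authorization: Bearer header."""
    return {"method": "GET", "url": url, "headers": {"Authorization": f"Bearer {token}"}}


def username_from_introspection(status: int, body: str,
                                username_attribute: str = "email") -> Optional[str]:
    """Model of the passdb step behind 'oauth2 failed: No username returned':
    only a 200 JSON body that carries the configured attribute yields a username."""
    if status != 200:
        return None
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return None
    value = data.get(username_attribute)
    return value if isinstance(value, str) and value else None


def parse_passwd_file(text: str) -> Dict[str, Dict[str, str]]:
    """Dovecot passwd-file lines: user:password:uid:gid:gecos:home:shell:extra,
    where extra is space-separated key=value pairs (as in Aki's /etc/dovecot/endpoints)."""
    table: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":", 7)
        extra = parts[7] if len(parts) == 8 else ""
        table[parts[0]] = dict(kv.split("=", 1) for kv in extra.split())
    return table


# --- constructed sample data: not a real token, user, or endpoint response ---
SAMPLE_USER = "alice@example.com"
SAMPLE_TOKEN = "ya29.EXAMPLE-NOT-A-REAL-TOKEN"
GOOD_RESPONSE = (200, json.dumps({"id": "1", "email": SAMPLE_USER, "verified_email": True}))
BAD_RESPONSE = (401, json.dumps({"error": {"code": 401, "message": "Invalid Credentials"}}))
ENDPOINTS_FILE = ("imap::::::: host=imap.gmail.com\n"
                  "pop3::::::: host=pop3.gmail.com\n"
                  "submission::::::: host=smtp.gmail.com\n")


def fake_google(request: Dict[str, Any]) -> Tuple[int, str]:
    """Offline stand-in for the userinfo endpoint: only SAMPLE_TOKEN is accepted."""
    ok = request["headers"]["Authorization"] == f"Bearer {SAMPLE_TOKEN}"
    return GOOD_RESPONSE if ok else BAD_RESPONSE


def proxy_decision(client_b64: str, service: str,
                   introspect: Callable[[Dict[str, Any]], Tuple[int, str]]) -> Optional[Dict[str, str]]:
    """The whole chain: token from the client's XOAUTH2 response -> introspection ->
    username -> endpoint for the service (username_format=%s) -> XOAUTH2 response the
    proxy presents to Gmail (proxy_mech=xoauth2). None means the login is rejected."""
    _, token = parse_xoauth2(client_b64)
    user = username_from_introspection(*introspect(introspection_request(token)))
    endpoint = parse_passwd_file(ENDPOINTS_FILE).get(service)
    if user is None or endpoint is None:
        return None
    return {"user": user, "host": endpoint["host"],
            "initial_response": build_xoauth2(user, token)}
```

`proxy_decision(build_xoauth2(SAMPLE_USER, SAMPLE_TOKEN), "imap", fake_google)` yields the imap.gmail.com destination with a fresh XOAUTH2 response for the same token, while a stale token takes the 401 path and returns None exactly where the thread's log reports "No username returned". Note that the username the proxy forwards is the `email` returned by introspection, not the `user=` field the client claimed; the two should be compared before proxying if you want to reject mismatches.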