On 2024-12-22 16:25, Wietse Venema via Postfix-users wrote:
Alexander Leidinger via Postfix-users:
On 2024-12-22 01:39, Peter via Postfix-users wrote:
> On 22/12/24 02:54, Michael Tokarev via Postfix-users wrote:
>>
>> However, there are other mechanisms being developed, for example
>> OAUTH2,
>> which, in terms of Cyrus SASL, does not work with saslauthd at all,
>
> I don't see why it wouldn't.
>
>> so
>> needs direct integration within postfix in a form of plugin.
>
> I don't see why we would need such plugins in Postfix, but if the need
> arises I suppose libgsasl might be an option, if someone wants to put
> the work into it.
>
>> Should such mechanisms be avoided in Postfix?
>
> When it comes to OAUTH the actual SASL interface simply needs to accept
> a bearer token and then works pretty much the same as PLAIN would work.
> Dovecot supports this, I can't speak for whether Cyrus does but I don't
> see why it wouldn't, or why it would be particularly difficult.
>
> That said, OAUTH requires a whole other supporting interface which is
> used to generate the token to begin with, and this is likely beyond the
> scope of the SASL interface (and should remain so).  It likely requires
> a web server interface to authenticate the user and either directly
> supply the token or possibly supply the token to a third-party app via
> an API (after authenticating the user via the web interface).  Neither
> Postfix nor the SASL backend should have to worry about this aspect of
> OAUTH, though.

I haven't followed the entire discussion, I have just seen these messages
and the ones after it. As a data point, I have been using OAUTH2 with
postfix / dovecot for a long time (a year or two/three). The webmail
interface I use authenticates against dovecot and uses the same
user/oauth token for its authentication against postfix. Works like a
charm, and neither postfix nor dovecot needs to worry about how to
generate the token; that's up to the client which talks to them
(unfortunately I haven't found a client for android which supports OAUTH
for mail reading/sending yet... Aqua Mail is supposed to be able to do
that for GMail and Outlook, but with my own IMAP/SMTP/OIDC servers I do
not see/find how to achieve this).

The corresponding postfix login looks like this:
Dec 22 15:33:43 xxx postfix/smtpd[34391]: 55E958DF6:
client=xxx[1.2.3.4], sasl_method=XOAUTH2, sasl_username=xxx

That is good news. Do you have essential examples for configuration
that I can include in Postfix documentation?

It's been a while since I did this... I think I got everything listed here.

This is what I have for postfix (very easy):
---snip---
# grep -i sasl * | grep -v default | grep -v sample | grep smtpd
main.cf:smtpd_sasl_local_domain = $myhostname
main.cf:#smtpd_sasl_auth_enable = yes
main.cf:smtpd_sasl_type = dovecot
main.cf:smtpd_sasl_path = inet:dovecot.server.fqdn:4711
main.cf:smtpd_sasl_security_options = noanonymous, noplaintext
main.cf:smtpd_sasl_tls_security_options = noanonymous
main.cf:smtpd_sasl_authenticated_header = yes
master.cf:  -o smtpd_sasl_auth_enable=yes
master.cf:  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
master.cf:  -o smtpd_sasl_auth_enable=yes
master.cf:  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
---snip---

The master.cf entries are for submission and smtps.

For completeness I include the non-postfix parts here too...

The dovecot part is a bit more tricky (a lot of trial and error on the OIDC URLs until it worked) and also depends on the OAUTH / OIDC provider. In my case the OIDC provider is keycloak:

dovecot conf.d/10-master.conf (excerpt):
---snip---
service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
  # full permissions to this socket are able to get a list of all usernames and
  # get the results of everyone's userdb lookups.
  #
  # The default 0666 mode allows anyone to connect to the socket, but the
  # userdb lookups will succeed only if the userdb returns an "uid" field that
  # matches the caller process's UID. Also if caller's uid or gid matches the
  # socket's uid or gid the lookup succeeds. Anything else causes a failure.
  #
  # To give the caller full permissions to lookup all users, set the mode to
  # something else than 0666 and Dovecot lets the kernel enforce the
  # permissions (e.g. 0777 allows everyone full permissions).
  unix_listener auth-userdb {
    #mode = 0666
    #user =
    #group =
  }

  # Postfix smtp-auth
  #unix_listener /var/spool/postfix/private/auth {
  #  mode = 0666
  #}

  inet_listener {
    port = 4711
  }

  # Auth process is run as this user.
  #user = $default_internal_user
}

---snip---

conf.d/10-auth.conf (excerpt):
---snip---
auth_mechanisms = plain oauthbearer xoauth2
!include auth-oauth2.conf.ext
---snip---

conf.d/auth-oauth2.conf.ext (full):
---snip---
passdb {
  driver = oauth2
  mechanisms = oauthbearer xoauth2
  args = /usr/local/etc/dovecot/auth-oauth2.token.conf.ext
}

passdb {
  driver = oauth2
  mechanisms = plain
  args = /usr/local/etc/dovecot/auth-oauth2.plain.conf.ext
}
---snip---

auth-oauth2.token.conf.ext (full):
---snip---
openid_configuration_url = https://your_oidc_provider/realms/your_realm/.well-known/openid-configuration
tokeninfo_url = https://your_oidc_provider/realms/your_realm/protocol/openid-connect/userinfo?trash=
introspection_url = https://your_oidc_provider/realms/your_realm/protocol/openid-connect/token/introspect
introspection_mode = auth
client_id = your_client_id_as_in_the_OIDC_provider
client_secret = your_secret
use_grant_password = no
username_attribute = email
pass_attrs = pass=%{oauth2:access_token}
---snip---

auth-oauth2.plain.conf.ext (full):
---snip---
openid_configuration_url = https://your_oidc_provider/realms/your_realm/.well-known/openid-configuration
tokeninfo_url = https://your_oidc_provider/realms/your_realm/protocol/openid-connect/userinfo?trash=
introspection_url = https://your_oidc_provider/realms/your_realm/protocol/openid-connect/token/introspect
introspection_mode = auth
client_id = your_client_id_as_in_the_OIDC_provider
client_secret = your_dovecot_client_secret
use_grant_password = yes
username_attribute = email
pass_attrs = host=your_oidc_provider_I_have_the_IP_here proxy=y proxy_mech=xoauth2 pass=%{oauth2:access_token}
---snip---

Roundcube webmail config (not as hard as the dovecot config, but it could have been much easier if it supported https://your_oidc_provider/realms/your_realm/.well-known/openid-configuration):
---snip---
$config['oauth_debug'] = false;
$config['oauth_provider'] = 'generic';
$config['oauth_provider_name'] = 'What you want to have on screen';
$config['oauth_client_id'] = "your roundcube client id as in the OIDC provider";
$config['oauth_client_secret'] = "your roundcube client secret";
$config['oauth_auth_uri'] = "https://your_oidc_provider/realms/your_realm/protocol/openid-connect/auth";
$config['oauth_token_uri'] = "https://your_oidc_provider/realms/your_realm/protocol/openid-connect/token";
$config['oauth_identity_uri'] = "https://your_oidc_provider/realms/your_realm/protocol/openid-connect/userinfo";
$config['oauth_verify_peer'] = true;
$config['oauth_scope'] = "email profile roles openid";
$config['oauth_auth_parameters'] = [];
$config['oauth_identity_fields'] = ['email'];
$config['oauth_login_redirect'] = true;
---snip---

Bye,
Alexander.

--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netch...@freebsd.org  : PGP 0x8F31830F9F2772BF
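As an added illustration (not code from the post, nor from Postfix or Dovecot), this Python script builds and parses the XOAUTH2 and OAUTHBEARER initial responses that the `auth_mechanisms` line above enables, then applies the decision a passdb with `username_attribute = email` has to make: the token must be active at the introspection endpoint and its email claim must equal the SASL username. The user, token, host/port and introspection response are constructed sample values; the real passdb would fetch the introspection result over HTTPS with `client_id`/`client_secret`.

```python
import base64
# Constructed sample values, not taken from the mailing-list post.
SAMPLE_USER, SAMPLE_TOKEN = "alice@example.org", "eyJhbGciOiJSUzI1NiJ9.constructed.token"
# Constructed stand-in for the provider's introspection endpoint (RFC 7662 response shape).
INTROSPECTION = {SAMPLE_TOKEN: {"active": True, "email": SAMPLE_USER}}

def encode_initial_response(mech, user, token, host="smtp.example.org", port=587):
    """Client side: base64 initial response for XOAUTH2 or OAUTHBEARER (RFC 7628)."""
    if mech == "XOAUTH2":
        raw = f"user={user}\x01auth=Bearer {token}\x01\x01"
    else:  # OAUTHBEARER: GS2 header "n,a=<user>," then \x01-separated key=value pairs
        raw = f"n,a={user},\x01host={host}\x01port={port}\x01auth=Bearer {token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()

def decode_initial_response(mech, b64):
    """Server side: return (username, bearer token), or None when the message is malformed."""
    try:
        raw = base64.b64decode(b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if mech not in ("XOAUTH2", "OAUTHBEARER") or not raw.endswith("\x01\x01"):
        return None
    body, user = raw[:-2], None
    if mech == "OAUTHBEARER":
        gs2, sep, body = body.partition("\x01")
        if not sep or not gs2.startswith("n,"):
            return None
        user = next((f[2:] for f in gs2[2:].split(",") if f.startswith("a=")), None)
    kv = {}
    for item in body.split("\x01"):
        key, sep, value = item.partition("=")
        if not sep:
            return None
        kv[key] = value
    user = kv.get("user") if mech == "XOAUTH2" else user
    scheme, _, token = kv.get("auth", "").partition(" ")
    return (user, token) if scheme.lower() == "bearer" and token and user else None

def authorize(mech, b64, introspection=INTROSPECTION):
    """Decision a passdb with username_attribute = email makes: active token, email == SASL user."""
    parsed = decode_initial_response(mech, b64)
    if parsed is None:
        return False, "malformed SASL initial response"
    user, token = parsed
    info = introspection.get(token, {"active": False})
    if not info.get("active"):
        return False, "token inactive or unknown"
    if info.get("email", "").lower() != user.lower():
        return False, "token email does not match SASL username"
    return True, user
```

A mismatch between the token's email claim and the SASL username is the case to watch for in logs: the token is valid, but presented for the wrong account.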