Thank you for your reply, but I need more help. How do I set the request parameters for https://www.googleapis.com/oauth2/v2/userinfo?
Logs:

dovecot[30307]: lmtp(30320): Connect from 10.243.148.174
dovecot[30307]: lmtp(30320): Disconnect from 10.243.148.174: Remote closed connection (state=READY)
dovecot[30307]: auth: Debug: http-client: host www.googleapis.com: Host created
dovecot[30307]: auth: Debug: http-client: host www.googleapis.com: Host session created
dovecot[30307]: auth: Debug: http-client: host www.googleapis.com: Need to perform DNS lookup
dovecot[30307]: auth: Debug: http-client: host www.googleapis.com: Performing asynchronous DNS lookup
dovecot[30307]: auth: Debug: http-client[1]: request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Submitted (requests left=1)
dovecot[30307]: auth: Debug: http-client: host www.googleapis.com: DNS lookup successful; got 20 IPs
dovecot[30307]: auth: Debug: http-client: peer 172.217.31.170:443 (shared): Peer created
dovecot[30307]: auth: Debug: http-client: peer 172.217.31.170:443: Peer pool created
dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443: Peer created
dovecot[30307]: auth: Debug: http-client[1]: queue https://www.googleapis.com:443: Setting up connection to 172.217.31.170:443 (SSL=www.googleapis.com) (1 requests pending)
dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443: Linked queue https://www.googleapis.com:443 (1 queues linked)
dovecot[30307]: auth: Debug: http-client[1]: queue https://www.googleapis.com:443: Started new connection to 172.217.31.170:443 (SSL=www.googleapis.com)
dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443: Creating 1 new connections to handle requests (already 0 usable, connecting to 0, closing 0)
dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443: Making new connection 1 of 1 (0 connections exist, 0 pending)
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Connecting
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Waiting for connect (fd=22) to finish for max 0 msecs
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: HTTPS connection created (1 parallel connections exist)
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Client connected (fd=22)
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Connected
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Starting SSL handshake
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x10, ret=1: before/connect initialization
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: before/connect initialization
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv2/v3 write client hello A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv2/v3 read server hello A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv2/v3 read server hello A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv2/v3 read server hello A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read server hello A
dovecot[30307]: auth: Received valid SSL certificate: /OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
dovecot[30307]: auth: Received valid SSL certificate: /C=US/O=Google Trust Services/CN=GTS CA 1O1
dovecot[30307]: auth: Received valid SSL certificate: /C=US/ST=California/L=Mountain View/O=Google LLC/CN=upload.video.google.com
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read server certificate A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read server key exchange A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read server done A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 write client key exchange A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 write change cipher spec A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 write finished A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 flush data
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv3 read finished A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv3 read finished A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv3 read finished A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=-1: SSLv3 read finished A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1001, ret=1: SSLv3 read finished A
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x20, ret=1: SSL negotiation finished successfully
dovecot[30307]: auth: Debug: www.googleapis.com: SSL: where=0x1002, ret=1: SSL negotiation finished successfully
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: SSL handshake successful
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Ready for requests
dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443: Successfully connected (1 connections exist, 0 pending)
dovecot[30307]: auth: Debug: http-client: peer 172.217.31.170:443: Successfully connected (1 connections exist, 0 pending)
dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443: Using 1 idle connections to handle 1 requests (1 total connections ready)
dovecot[30307]: auth: Debug: http-client[1]: queue https://www.googleapis.com:443: Connection to peer 172.217.31.170:443 claimed request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Claimed request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]
dovecot[30307]: auth: Debug: http-client[1]: request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Sent header
dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443: No more requests to service for this peer (1 connections exist, 0 pending)
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Got 401 response for request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Unauthorized (took 46 ms + 59 ms in queue)
dovecot[30307]: auth: Error: oauth2(fukudata,118.103.29.199,<mgm9vz25BTZ2Zx3H>): oauth2 failed: No username returned
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: Response payload stream destroyed (0 ms after initial response)
dovecot[30307]: auth: Debug: http-client[1]: request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Finished
dovecot[30307]: auth: Debug: http-client[1]: queue https://www.googleapis.com:443: Dropping request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]
dovecot[30307]: auth: Debug: http-client: host www.googleapis.com: Host is idle (timeout = 1799906 msecs)
dovecot[30307]: auth: Debug: http-client[1]: request [Req1: GET https://www.googleapis.com/oauth2/v2/userinfo]: Free (requests left=1)
dovecot[30307]: auth: Debug: http-client[1]: peer 172.217.31.170:443: No requests to service for this peer (1 connections exist, 0 pending)
dovecot[30307]: auth: Debug: http-client: conn 172.217.31.170:443 [1]: No more requests queued; going idle (timeout = 60000 msecs)
dovecot[30307]: lmtp(30309): Connect from 10.243.148.174
dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.174: Remote closed connection (state=READY)
dovecot[30307]: lmtp(30320): Connect from 10.243.148.174
dovecot[30307]: lmtp(30320): Disconnect from 10.243.148.174: Remote closed connection (state=READY)
dovecot[30307]: lmtp(30320): Connect from 10.243.148.174
dovecot[30307]: lmtp(30320): Disconnect from 10.243.148.174: Remote closed connection (state=READY)
dovecot[30307]: lmtp(30309): Connect from 10.243.148.174
dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.174: Remote closed connection (state=READY)
dovecot[30307]: lmtp(30309): Connect from 10.243.148.110
dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.110: Remote closed connection (state=READY)
dovecot[30307]: lmtp(30309): Connect from 10.243.148.110
dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.110: Remote closed connection (state=READY)
dovecot[30307]: lmtp(30309): Connect from 10.243.148.110
dovecot[30307]: lmtp(30309): Disconnect from 10.243.148.110: Remote closed connection (state=READY)
sshd[30475]: Connection closed by 10.243.150.20 port 48174 [preauth]
dovecot[30307]: imap-login: Disconnected (auth service reported temporary failure): user=<fukudata>, method=PLAIN, rip=118.103.29.199, lip=10.243.150.190, session=<mgm9vz25BTZ2Zx3H>
dovecot[30307]: lmtp(30317): Connect from 10.243.148.174
dovecot[30307]: lmtp(30317): Disconnect from 10.243.148.174: Remote closed connection (state=READY)

I would appreciate your reply.

Yours faithfully,

On Tue, 19 Jan 2021 at 15:34, Aki Tuomi <aki.tu...@open-xchange.com> wrote:
>
> > On 19/01/2021 07:17 福田泰葵 <taiki.fuk...@justsystems.com> wrote:
> >
> > Dear Sir or Madam
> > Unable to build OAuth2.0 authentication to Gmail using dovecot as proxy.
> > I have a question about how to use dovecot as a proxy to perform OAuth 2.0 authentication to Gmail using a mail client.
>
> Mail client is required, in this case, to provide valid oauth2 bearer token. I don't think google supports other ways.
>
> > 1. Is the following all I need to do to authenticate to Gmail using dovecot as a proxy?
> > * passdb
> > passdb {
> >   driver = oauth2
> >   mechanisms = oauthbearer xoauth2
> >   args = /etc/dovecot/dovecot-oauth2.token.conf.ext
> > }
> > passdb {
> >   driver = oauth2
> >   mechanisms = plain login
> >   args = /etc/dovecot/dovecot-oauth2.plain.conf.ext
> > }
>
> The plain config is a way to do 'password grant' authentication. This is when username and password are used to acquire a bearer token.
>
> > * create dovecot-oauth2.token.conf.ext and dovecot-oauth2.plain.conf.ext
> > * create gmail service account api
> > 2. grant_url in dovecot-oauth2.token.conf.ext and dovecot-oauth2.plain.conf.ext is URL for obtaining a Google access token for a web server that I have built myself?
> > 3. I use a Gmail service account, so I don't need a client ID and secret ID, right?
> > 4. Do I set introspection_url to the URL of my own web server with the access token used for authentication to Google as the response?
>
> No. The introspection URL needs to point to a location where dovecot can figure out more information about the user with token. If I recall correctly, the token endpoint
>
> For gmail, you need to use https://www.googleapis.com/oauth2/v2/userinfo
>
> > 5. The documentation says "pass_attrs = host=127.0.0.1", but if you are authenticating to Gmail, I should use
> >
> > "pass_attrs = proxy=y host=%{if;%s;eq;imap;imap.gmail.com;%{if;%s;eq;pop3;smtp.gmail.com;pop.gmail.com}} port=%{if;%s;eq;imap;993;%{if;%s;eq;pop3;587;465}} proxy_mech=xoauth2 pass=%{oauth2:access_token} user=%{oauth2:email oauth2:email}"?
>
> I would use something more readable, like passwd-file driver with username_format=%s
>
> The access token is also imported as %{token} in passdb.
>
> > 6. What is the difference between dovecot-oauth2.token.conf.ext and dovecot-oauth2.plain.conf.ext ? Do I need to configure both?
> >
> > I used https://doc.dovecot.org/configuration_manual/authentication/oauth2/#proxy as a reference.
> >
> > I would appreciate your reply.
> >
> > Yours faithfully,
> >
> > ------------------------------
> > e-mail: taiki.fuk...@justsystems.com
> > TEL: 03-5324-7900
> > mobile: 080-6198-7328
> > ------------------------------
>
> So this might work
>
> /etc/dovecot/oauth2-token.conf.ext
>
> introspection_url = https://www.googleapis.com/oauth2/v2/userinfo
> introspection_mode = auth
> username_attribute = email
> pass_attrs = proxy=y proxy_mech=xoauth2
>
> /etc/dovecot/dovecot.conf
>
> auth_mechanisms = xoauth2 oauthbearer
>
> passdb {
>   driver = oauth2
>   args = /etc/dovecot/oauth2-token.conf.ext
>   result_success = continue-ok
> }
>
> passdb {
>   driver = passwd-file
>   args = username_format=%s /etc/dovecot/endpoints
>   skip = unauthenticated
> }
>
> /etc/dovecot/endpoints
>
> imap::::::: host=imap.gmail.com
> pop3::::::: host=pop3.gmail.com
> submission::::::: host=smtp.gmail.com
>
> Aki
>
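As an added example (not code from this thread and not Dovecot's own implementation), the script below models the request the oauth2 passdb sends with introspection_mode = auth and username_attribute = email, and maps the endpoint's reply to the "No username returned" failure seen in the logs above; the JSON replies at the bottom are constructed samples, and the request/response handling is a simplified stand-in for the passdb.

```python
"""Model of the oauth2 passdb's introspection step (introspection_mode = auth).
Simplified stand-in written for this example, not Dovecot's code."""
import json
import urllib.error
import urllib.request
from typing import Optional, Tuple

INTROSPECTION_URL = "https://www.googleapis.com/oauth2/v2/userinfo"  # from the thread
USERNAME_ATTRIBUTE = "email"  # username_attribute = email, as in Aki's config


def build_introspection_request(token: str) -> urllib.request.Request:
    """introspection_mode = auth: a plain GET with no query parameters.
    The client's bearer token is the only 'request parameter', and it is
    carried in the Authorization header, not in the URL."""
    return urllib.request.Request(
        INTROSPECTION_URL,
        headers={"Authorization": "Bearer " + token, "Accept": "application/json"},
        method="GET",
    )


def username_from_introspection(status: int, body: bytes) -> Tuple[Optional[str], str]:
    """Turn the endpoint's reply into (username, reason). Every None result is
    the situation Dovecot logs as 'oauth2 failed: No username returned'."""
    if status == 401:
        # The case in the logs above: Google did not accept the token itself.
        return None, "endpoint returned 401 Unauthorized: token not accepted (invalid or expired)"
    if status != 200:
        return None, "unexpected HTTP status %d" % status
    try:
        attrs = json.loads(body)
    except ValueError:
        return None, "reply is not JSON"
    user = attrs.get(USERNAME_ATTRIBUTE)
    if not isinstance(user, str) or not user:
        return None, "reply has no '%s' attribute to use as username" % USERNAME_ATTRIBUTE
    return user, "ok"


def introspect(token: str, opener=urllib.request.urlopen) -> Tuple[Optional[str], str]:
    """Send the request; `opener` is injectable so the logic can run offline."""
    try:
        with opener(build_introspection_request(token), timeout=10) as resp:
            return username_from_introspection(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # urllib raises on 4xx/5xx replies
        return username_from_introspection(err.code, err.read())


if __name__ == "__main__":
    # Constructed sample replies; nothing is sent to Google here.
    print(username_from_introspection(200, b'{"id": "1", "email": "user@example.com"}'))
    print(username_from_introspection(401, b'{"error": {"code": 401, "message": "Invalid Credentials"}}'))
```

Run it with a real token by calling introspect(token) to see exactly which of the three failure reasons applies before touching the Dovecot configuration.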