
cyrus-sasl-xoauth2's Introduction

cyrus-sasl-xoauth2

This is a plugin implementation of XOAUTH2.

FYI: if you are forced to use XOAUTH2-enabled SMTP / IMAP servers by your employer and want to keep using your favorite *nix MUA locally, the following detailed document should help a lot: http://mmogilvi.users.sourceforge.net/software/oauthbearer.html (DISCLAIMER: in contrast to the document's author, I'd rather read and write emails on my browser a lot. I haven't tested it personally)

Building and installation

./autogen.sh
./configure
sudo make install

The build needs autoconf, automake, libtool and the Cyrus SASL development headers; they are not pulled in for you. The plugin also has to land in the directory your libsasl2 actually searches, which on some distributions is /usr/lib64/sasl2 rather than the default /usr/lib/sasl2 (see the issues further down), otherwise clients will simply not see XOAUTH2 offered.

Server-side configuration

auxprops

  • oauth2BearerTokens

    Stores the token values for the specified authentication ID.

SASL2 settings

  • xoauth2_scope

    The name of the authorization scope that will appear in the error response.
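The following is an added example, not code from this project: it walks through the XOAUTH2 exchange the plugin implements, from both sides, in Python. The client's initial response is base64 of `user=<user>^Aauth=Bearer <token>^A^A` and a failed attempt is answered with a base64 JSON challenge whose `scope` field is what the xoauth2_scope setting above fills in; both shapes come from Google's XOAUTH2 specification. The TOKEN_STORE dict (standing in for the oauth2BearerTokens auxprop), the constant-time compare, splitting the user at `@` into the %u and %r an auxprop query sees, and all function names are this example's own assumptions.

```python
import base64
import hmac
import json

# Constructed token store standing in for the oauth2BearerTokens auxprop rows
# of the sqlite example further down: (authid, realm) -> bearer token.
TOKEN_STORE = {
    ("test", "example.com"): "token",
}


def xoauth2_client_response(user, access_token):
    """Initial client response: base64 of
    'user=<user>\\x01auth=Bearer <token>\\x01\\x01' (Google's XOAUTH2 format)."""
    raw = "user={}\x01auth=Bearer {}\x01\x01".format(user, access_token)
    return base64.b64encode(raw.encode())


def parse_xoauth2_client_response(b64):
    """Server side: decode the client response into {'user', 'token'}.
    Raises ValueError on anything that is not exactly the expected shape."""
    raw = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    if not raw.endswith(b"\x01\x01"):
        raise ValueError("missing terminating ^A^A")
    fields = {}
    for part in raw[:-2].split(b"\x01"):
        key, sep, value = part.partition(b"=")
        if not sep:
            raise ValueError("malformed key=value field")
        fields[key.decode()] = value.decode()
    if set(fields) != {"user", "auth"} or not fields["auth"].startswith("Bearer "):
        raise ValueError("unexpected fields")
    return {"user": fields["user"], "token": fields["auth"][len("Bearer "):]}


def error_challenge(scope):
    """Failure challenge: base64 JSON carrying the configured scope (this is
    where a setting like xoauth2_scope ends up). The client answers it with
    an empty line and the server then fails the exchange."""
    body = {"status": "401", "schemes": "bearer", "scope": scope}
    return base64.b64encode(json.dumps(body, separators=(",", ":")).encode())


def decode_challenge(b64):
    """Client side: turn the failure challenge back into its JSON fields."""
    return json.loads(base64.b64decode(b64, validate=True))


def xoauth2_server_step(b64, scope, default_realm):
    """Server side of the exchange. Returns (ok, authid, challenge):
    ok=True with the canonical authid on success, or ok=False with the
    error challenge to send back. The user part is split at '@' into the
    %u and %r an auxprop query sees (an assumption of this example)."""
    try:
        req = parse_xoauth2_client_response(b64)
    except ValueError:
        return (False, None, error_challenge(scope))
    authid, _, realm = req["user"].partition("@")
    realm = realm or default_realm
    expected = TOKEN_STORE.get((authid, realm))
    # Constant-time compare so a wrong token takes as long as a right one.
    if expected is None or not hmac.compare_digest(
            expected.encode(), req["token"].encode()):
        return (False, None, error_challenge(scope))
    return (True, "{}@{}".format(authid, realm), None)


if __name__ == "__main__":
    good = xoauth2_client_response("test@example.com", "token")
    print(xoauth2_server_step(good, "https://mail.example.com/", "example.com"))
    bad = xoauth2_client_response("test@example.com", "expired")
    ok, _, challenge = xoauth2_server_step(bad, "https://mail.example.com/", "example.com")
    print(ok, decode_challenge(challenge))
```

Two things worth noticing when reading a capture of a real exchange against this: the token travels base64-encoded but otherwise in clear, so the mechanism is only as safe as the TLS around it, and a server that fails the request sends a challenge rather than a final error, which is why a client that does not answer it with an empty line appears to hang.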

Example: Postfix server (smtpd) / client (smtp) authentication configuration

  • main.cf:

    # ... OTHER SETTINGS GO HERE ...
    
    # SERVER
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_path = smtpd
    smtpd_relay_restrictions = permit_sasl_authenticated, reject
    # Not shown here: the smtpd TLS settings that make AUTH available only on
    # an encrypted connection; without them the bearer token can arrive in clear.
    
    # CLIENT
    relayhost = [smtp.gmail.com]:587
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/saslpasswd
    smtp_sasl_mechanism_filter = xoauth2
    # Postfix's default "noplaintext, noanonymous" would leave xoauth2 out,
    # since the mechanism sends the bearer token itself; the options are
    # cleared here and the tls_policy entry below keeps the token inside TLS.
    smtp_sasl_security_options =
    smtp_tls_security_level = may
    smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
    
    
  • /etc/postfix/saslpasswd:

    [smtp.gmail.com]:587    [email protected]:OAUTH2-TOKEN-RETRIEVED-BY-GMAIL-OAUTH2-TOOLS
    
    • /etc/postfix/saslpasswd.db needs to be generated with postmap:

      # postmap /etc/postfix/saslpasswd
      
    • Gmail OAuth2 Tools can be found here.

    • The entry holds a live bearer token, which is as sensitive as the password it replaces: keep the file and the generated .db owned by root with mode 0600. Access tokens also expire, so whatever fetches them has to rewrite this entry and re-run postmap.

  • /etc/postfix/tls_policy:

    [smtp.gmail.com]:587    encrypt
    
    • /etc/postfix/tls_policy.db needs to be generated with postmap:

      # postmap /etc/postfix/tls_policy
      
  • ${sasl_plugin_dir}/smtpd.conf:

    log_level: DEBUG
    sql_engine: sqlite3
    sql_database: /etc/sasldb2.sqlite3
    sql_select: SELECT props.value FROM users JOIN props ON users.id=props.user_id WHERE users.name='%u' AND users.realm='%r' AND props.name='%p'
    xoauth2_scope: https://mail.example.com/
    auxprop_plugin: sql
    mech_list: xoauth2
    
  • /etc/sasldb2.sqlite3:

    Generated from the following DDL and SQL statements. The users row and the '*' userPassword are placeholders; what the plugin acts on is the oauth2BearerTokens property, whose value is the bearer token the client has to present. The tokens sit in the file in clear, so it should be readable only by the user smtpd runs as.

    PRAGMA foreign_keys=OFF;
    BEGIN TRANSACTION;
    CREATE TABLE users (id INTEGER PRIMARY KEY, name VARCHAR, password VARCHAR, realm VARCHAR);
    INSERT INTO "users" VALUES(1,'test','test','example.com');
    CREATE TABLE props (id INTEGER PRIMARY KEY, user_id INTEGER, name VARCHAR, value VARCHAR, FOREIGN KEY (user_id) REFERENCES users (id));
    INSERT INTO "props" VALUES(1,1,'userPassword','*');
    INSERT INTO "props" VALUES(2,1,'oauth2BearerTokens','token');
    COMMIT;
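The following is an added check, not part of the project: it builds the schema above in memory and runs the smtpd.conf sql_select for one user/realm/property triple, so the auxprop lookup can be verified before the configuration goes live. The %u/%r/%p placeholders are bound as parameters here (Cyrus SASL's sql auxprop substitutes them itself), the umask handling around file creation and the function names are this example's own choices.

```python
import os
import sqlite3

# The README's DDL and rows, reproduced here so the check runs against a
# freshly built database (":memory:" below) rather than the live file.
DDL = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name VARCHAR, password VARCHAR, realm VARCHAR);
INSERT INTO users VALUES(1,'test','test','example.com');
CREATE TABLE props (id INTEGER PRIMARY KEY, user_id INTEGER, name VARCHAR, value VARCHAR, FOREIGN KEY (user_id) REFERENCES users (id));
INSERT INTO props VALUES(1,1,'userPassword','*');
INSERT INTO props VALUES(2,1,'oauth2BearerTokens','token');
"""

# The README's sql_select with the %u/%r/%p placeholders replaced by bound
# parameters, so a quote in an authid cannot change the shape of the query.
SQL_SELECT = (
    "SELECT props.value FROM users JOIN props ON users.id=props.user_id "
    "WHERE users.name=? AND users.realm=? AND props.name=?"
)


def create_db(path=":memory:"):
    """Create the database with the README's schema. A real file is created
    under umask 077 so the bearer tokens in it are not world-readable."""
    old_umask = os.umask(0o077)
    try:
        conn = sqlite3.connect(path)
        conn.executescript(DDL)
    finally:
        os.umask(old_umask)
    return conn


def lookup(conn, user, realm, prop):
    """What the auxprop query returns for one %u / %r / %p triple."""
    return [row[0] for row in conn.execute(SQL_SELECT, (user, realm, prop))]


def token_for(conn, user, realm):
    """The bearer token the plugin would compare against, or None when the
    lookup is empty or ambiguous (either should fail authentication)."""
    values = lookup(conn, user, realm, "oauth2BearerTokens")
    return values[0] if len(values) == 1 else None


if __name__ == "__main__":
    conn = create_db()
    print(token_for(conn, "test", "example.com"))             # token
    print(token_for(conn, "test", "other.example"))           # None
    print(token_for(conn, "test' OR '1'='1", "example.com"))  # None
```

Run it against the real file by passing its path to create_db on an empty database, or point lookup at an existing connection; a realm mismatch (the %r smtpd derives versus the realm column) is the usual reason a correct token is still rejected.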
    

cyrus-sasl-xoauth2's People

Contributors

dirkmueller, moriyoshi


cyrus-sasl-xoauth2's Issues

IMAP

I'm interested in using this to add XOAUTH2 support to the mutt mailer. Have you tried using it with IMAP? Thanks for the work here. Is there any more documentation?

No Dependencies Listed

No dependencies are listed in the README.

As an example I was missing:

  • libtools
  • automake
  • autoconf

Though I'd imagine others might be missing more.

Install to /usr/lib64/sasl2 instead of /usr/lib/sasl2

I just spent a good 4 hours trying to figure out why mbsync couldn't detect XOAUTH2 as an authentication method - turns out it's because my distro's cyrus-sasl package installs to /usr/lib64/sasl2, so it wasn't detecting the plugins installed in /usr/lib/sasl2. Changing the pkglibdir variable in the makefile to "${CYRUS_SASL_PREFIX}/lib64/sasl2" fixed it. Might be worth mentioning in the README that this might be an issue.

FYI: Instructions for combining OAUTH2, fetchmail and postfix with gmail

My $DAYJOB switched to using Google "G Suite" (hosted gmail for businesses), and it was configured to require the use of OAUTH2 authentication to send and receive email. Webmail is terribly annoying, so I eventually put together a set of patches, scripts, this (cyrus-sasl-xoauth2) plugin, configuration options, etc to be able to both send and receive mail from my company gmail account with minimal manual effort (after it is set up).

In case it might benefit anyone else, I've documented it all at the following URL:
http://mmogilvi.users.sourceforge.net/software/oauthbearer.html

(This probably doesn't count as an "Issue", but I couldn't find a better place to mention this documentation.)

Using with sendmail

Not an issue but a question. Is it possible to use this plugin with sendmail?

Thanks

Hangs when used over IMAP (mbsync)

Hi.
I tried to use the plugin with mbsync, to connect over IMAP using xoauth2 mechanism.
Unfortunately, it hangs when trying to use the plugin, apparently

Connection is now encrypted
M: * OK Gimap ready for requests from 88.142.48.6 186mb276973608wmc
M: >>> 1 CAPABILITY
M: * CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN X-GM-EXT-1 XYZZY SASL-IR AUTH=XOAUTH2 AUTH=PLAIN AUTH=PLAIN-CLIENTTOKEN AUTH=OAUTHBEARER AUTH=XOAUTH
M: 1 OK Thats all she wrote! 186mb276973608wmc
Logging in...
Authenticating with SASL mechanism XOAUTH2...

After that, it just stays there.
I don't think it is related to mbsync; the IMAP connection seems to work with another implementation
(https://github.com/robn/sasl2-oauth)

M: * OK Gimap ready for requests from 88.142.48.6 o8mb163401485wme
M: >>> 1 CAPABILITY
M: * CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN X-GM-EXT-1 XYZZY SASL-IR AUTH=XOAUTH2 AUTH=PLAIN AUTH=PLAIN-CLIENTTOKEN AUTH=OAUTHBEARER AUTH=XOAUTH
M: 1 OK Thats all she wrote! o8mb163401485wme
Logging in...
Authenticating with SASL mechanism XOAUTH2...
M: >>> 2 AUTHENTICATE XOAUTH2 <token-redacted>
M: * CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN X-GM-EXT-1 UIDPLUS COMPRESS=DEFLATE ENABLE MOVE CONDSTORE ESEARCH UTF8=ACCEPT LIST-EXTENDED LIST-STATUS LITERAL- SPECIAL-USE APPENDLIMIT=35651584
M: 2 OK <email-redacted> authenticated (Success)
Error: SASL(-13): authentication failure: server rejected XOAUTH2: 
Warning: SASL reported failure despite successful IMAP authentication. Ignoring...

Well, there is also an error but it does work.

As the linked repo does not seem active, I'd rather use yours.

Would you have any pointers on what could cause that or on how I could debug it further?
Thanks a lot :)

using with Office365

Hello, is it possible to use this with Office 365 (and with tokens generated using OKTA)? How? Thanks!

Using on Mac OS X

Hi!

When I use this on Mac OS, I get the following error with mbsync

Error performing SASL authentication step: SASL(-1): generic failure: Unable to find a callback: 18948

I know this is probably an issue with mbsync, but perhaps there's a way to avoid it without changing isync code?

Thanks!
