simonrob / email-oauth2-proxy

An IMAP/POP/SMTP proxy that transparently adds OAuth 2.0 authentication for email clients that don't support this method.
Apache License 2.0

Assistance with Docker and Microsoft 365 shared account #243

Closed acseven closed 4 months ago

acseven commented 4 months ago

Hi, many thanks for this proxy. I'm looking into making use of it to access a Microsoft 365 shared account via IMAP, on a Windows app client, but I'm finding an issue after successfully logging in and getting a success message using the login redirection URL.

The base setup is using blacktirion/email-oauth2-proxy-docker. On that part, I have that container with the settings below as well as a temporary Firefox (via VNC) browser to handle the login on the headless machine (full docker compose file at the bottom):

    environment:
      - DEBUG=false
      - CACHE_STORE=/config/credstore.config
      - LOGFILE=true
      - LOCAL_SERVER_AUTH=true

Considering that the user credentials are user1@mydomain.com and the shared inbox address is sharedinbox1@mydomain.com, I have the following in emailproxy.config:

[sharedinbox1@mydomain.com]
permission_url = https://login.microsoftonline.com/(MICROSOFT365-TENANT-ID-REDACTED)/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/(MICROSOFT365-TENANT-ID-REDACTED)/oauth2/v2.0/token
oauth2_scope = https://outlook.office365.com/IMAP.AccessAsUser.All https://outlook.office365.com/POP.AccessAsUser.All https://outlook.office365.com/SMTP.Send offline_access
redirect_uri = http://localhost:20901
client_id = (REDACTED)
client_secret = (REDACTED)

So I configure the IMAP client app to use sharedinbox1@mydomain.com as the email address and I can get the login URL from the proxy logs (first line below). I paste the link in the Firefox browser that is on the same host and network as the email proxy, and can move on with the GUI authentication (using user1@mydomain.com as credentials of course, given there are no credentials to give the shared inbox direct access):

2024-04-25 12:50:15: Please visit the following URL to authenticate account sharedinbox1@mydomain.com: https://login.microsoftonline.com/(REDACTED)

After I paste

Email OAuth 2.0 Proxy successfully authenticated account sharedinbox1@mydomain.com.
You can close this window.

However, the IMAP client still doesn't have access and the email proxy log follows up with:

2024-04-25 12:50:45: Local server auth mode (localhost:20901): unable to start local server. Please check that `redirect_uri` for sharedinbox1@mydomain.com is unique across accounts, specifies a port number, and is not already in use. See the documentation in the proxy's sample configuration file. OSError(98, 'Address in use')

What am I doing wrong here? Thanks in advance.

ps 1: does it have anything to do with using redirect_listen_address = http://10.0.0.0:8080? I really didn't understand this part in the documentation.

ps 2: In case anyone else is interested, here's the docker compose:

```
version: "3.7"
services:
  proxy1:
    network_mode: host
    environment:
      - DEBUG=false
      - CACHE_STORE=/config/credstore.config
      - LOGFILE=true
      - LOCAL_SERVER_AUTH=true
    volumes:
      - /volume1/docker/it-tools-emailproxy/v/config:/config
    image: blacktirion/email-oauth2-proxy-docker
  firefox-temp:
    image: lscr.io/linuxserver/firefox:latest
    container_name: firefox-temp
    security_opt:
      - seccomp:unconfined
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - CUSTOM_PORT=3200
      - CUSTOM_HTTPS_PORT=3201
    network_mode: host
    volumes:
      - vol_browser_firefox:/config
      - /var/run/docker.sock:/var/run/docker.sock
    shm_size: 1gb
volumes:
  vol_browser_firefox: null
networks: {}
```

simonrob commented 4 months ago

I can't help with the Docker part (I don't use that setup), but from what you've said that doesn't seem to be an issue here. Please post the log from the proxy in --debug mode (see the Troubleshooting section of the readme).

Another thing that might help is to first try getting things working whilst running the proxy locally (i.e., as simple a setup as possible). Once this is configured and authenticated, you can reuse the same pre-authorised configuration file in your Docker setup.

acseven commented 4 months ago

Here's the log with debug enabled:

2024-04-25 23:07:33: Authorisation request received for sharedinbox1@mydomain.com (local server auth mode)
2024-04-25 23:07:33: Email OAuth 2.0 Proxy Local server auth mode: please authorise a request for account sharedinbox1@mydomain.com
2024-04-25 23:07:33: Local server auth mode (localhost:20901): starting server to listen for authentication response
2024-04-25 23:07:33: Local server auth mode (localhost:20901): unable to start local server. Please check that `redirect_uri` for sharedinbox1@mydomain.com is unique across accounts, specifies a port number, and is not already in use. See the documentation in the proxy's sample configuration file. OSError(98, 'Address in use')
2024-04-25 23:07:33: Authorisation result error for sharedinbox1@mydomain.com - aborting login. No-GUI authorisation request failed or timed out
2024-04-25 23:07:33: IMAP ([::ffff:192.168.3.157]:49775-{[::ffff:192.168.3.10]:20993}-outlook.office365.com:993) <-- b'MBN00000002 NO AUTHENTICATE Email OAuth 2.0 Proxy: Login failed for account sharedinbox1@mydomain.com: No-GUI authorisation request failed or timed out\r\n'
2024-04-25 23:07:33: IMAP ([::ffff:192.168.3.157]:49775-{[::ffff:192.168.3.10]:20993}-outlook.office365.com:993) --> b'MBN00000003 LOGIN [[ Credentials removed from proxy log ]]\r\n'
2024-04-25 23:07:34: Authorisation request received for sharedinbox1@mydomain.com (local server auth mode)
2024-04-25 23:07:34: Email OAuth 2.0 Proxy Local server auth mode: please authorise a request for account sharedinbox1@mydomain.com
2024-04-25 23:07:34: Local server auth mode (localhost:20901): starting server to listen for authentication response
2024-04-25 23:07:34: Local server auth mode (localhost:20901): unable to start local server. Please check that `redirect_uri` for sharedinbox1@mydomain.com is unique across accounts, specifies a port number, and is not already in use. See the documentation in the proxy's sample configuration file. OSError(98, 'Address in use')
2024-04-25 23:07:34: Authorisation result error for sharedinbox1@mydomain.com - aborting login. No-GUI authorisation request failed or timed out
2024-04-25 23:07:34: IMAP ([::ffff:192.168.3.157]:49775-{[::ffff:192.168.3.10]:20993}-outlook.office365.com:993) <-- b'MBN00000003 NO LOGIN Email OAuth 2.0 Proxy: Login failed for account sharedinbox1@mydomain.com: No-GUI authorisation request failed or timed out\r\n'
2024-04-25 23:07:40: IMAP ([::ffff:192.168.3.157]:49757-{[::ffff:192.168.3.10]:20993}-outlook.office365.com:993)     <-- b'* BYE Connection is closed. 13\r\n'
2024-04-25 23:07:40: IMAP ([::ffff:192.168.3.157]:49757-{[::ffff:192.168.3.10]:20993}-outlook.office365.com:993) <-- b'* BYE Connection is closed. 13\r\n'
2024-04-25 23:07:40: IMAP ([::ffff:192.168.3.157]:49757-{[::ffff:192.168.3.10]:20993}-outlook.office365.com:993) <-- [ Server disconnected ]
2024-04-25 23:07:40: IMAP ([::ffff:192.168.3.157]:49757-{[::ffff:192.168.3.10]:20993}-outlook.office365.com:993) --> [ Client disconnected ]
2024-04-25 23:07:46: New incoming connection to IMAP server at [::]:20993 (unsecured) proxying outlook.office365.com:993 (SSL/TLS)
2024-04-25 23:07:46: Accepting new connection from [::ffff:192.168.3.157]:49776 to IMAP server at [::]:20993 (unsecured) proxying outlook.office365.com:993 (SSL/TLS)
2024-04-25 23:07:46: IMAP ([::ffff:192.168.3.157]:49776-{[::ffff:192.168.3.10]:20993}-outlook.office365.com:993) --> [ Client connected ]
2024-04-25 23:07:46: IMAP ([::ffff:192.168.3.157]:49776-{[::ffff:192.168.3.10]:20993}-outlook.office365.com:993) <-> [ Starting TLS handshake ]
2024-04-25 23:07:46: IMAP ([::ffff:192.168.3.157]:49776-{[::ffff:192.168.3.10]:20993}-outlook.office365.com:993) <-> [ TLSv1.2 handshake complete ]
2024-04-25 23:07:46: IMAP ([::ffff:192.168.3.157]:49776-{[::ffff:192.168.3.10]:20993}-outlook.office365.com:993)     <-- b'* OK The Microsoft Exchange IMAP4 service is ready. [TQBBADIAUAAyADkAMgBDAEEAMAAwADAAOQAuAEUAUwBQAFAAMgA5ADIALgBQAFIATwBEAC4ATwBVAFQATABPAE8ASwAuAEMATwBNAA==]\r\n'
2024-04-25 23:07:46: IMAP ([::ffff:192.168.3.157]:49776-{[::ffff:192.168.3.10]:20993}-outlook.office365.com:993) <-- b'* OK The Microsoft Exchange IMAP4 service is ready. [TQBBADIAUAAyADkAMgBDAEEAMAAwADAAOQAuAEUAUwBQAFAAMgA5ADIALgBQAFIATwBEAC4ATwBVAFQATABPAE8ASwAuAEMATwBNAA==]\r\n'
2024-04-25 23:07:46: IMAP ([::ffff:192.168.3.157]:49776-{[::ffff:192.168.3.10]:20993}-outlook.office365.com:993) --> b'MBN00000001 CAPABILITY\r\n'
2024-04-25 23:07:46: IMAP ([::ffff:192.168.3.157]:49776-{[::ffff:192.168.3.10]:20993}-outlook.office365.com:993)     --> b'MBN00000001 CAPABILITY\r\n'
2024-04-25 23:07:46: IMAP ([::ffff:192.168.3.157]:49776-{[::ffff:192.168.3.10]:20993}-outlook.office365.com:993)     <-- b'* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+\r\n'
2024-04-25 23:07:46: IMAP ([::ffff:192.168.3.157]:49776-{[::ffff:192.168.3.10]:20993}-outlook.office365.com:993) <-- b'* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN SASL-IR UIDPLUS ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+\r\n'
2024-04-25 23:07:46: IMAP ([::ffff:192.168.3.157]:49776-{[::ffff:192.168.3.10]:20993}-outlook.office365.com:993)     <-- b'MBN00000001 OK CAPABILITY completed.\r\n'
2024-04-25 23:07:46: IMAP ([::ffff:192.168.3.157]:49776-{[::ffff:192.168.3.10]:20993}-outlook.office365.com:993) <-- b'MBN00000001 OK CAPABILITY completed.\r\n'
2024-04-25 23:07:47: IMAP ([::ffff:192.168.3.157]:49776-{[::ffff:192.168.3.10]:20993}-outlook.office365.com:993) --> b'MBN00000002 AUTHENTICATE PLAIN\r\n'
2024-04-25 23:07:47: IMAP ([::ffff:192.168.3.157]:49776-{[::ffff:192.168.3.10]:20993}-outlook.office365.com:993) <-- b'+ \r\n'
2024-04-25 23:07:47: IMAP ([::ffff:192.168.3.157]:49776-{[::ffff:192.168.3.10]:20993}-outlook.office365.com:993) --> b'[[ Credentials removed from proxy log ]]'

And thanks for the alternate solution, I'll give it a go as soon as I can.

simonrob commented 4 months ago

This log doesn't include a successful request as outlined in your original report, but it does show the proxy repeatedly trying to start its local web server (which it requires to pick up the authentication response) and failing to do so. This could be caused by something in your Docker setup, but I'm not sure what that might be since this does work for others.

Please could you post the full log, including the part where you do actually get the authentication prompt, and also the bit where this subsequently fails.

acseven commented 4 months ago

My apologies, found the culprit. In emailproxy.config this setting had to be set to false. I was finding it weird not seeing any data in the credstore.config. This particular client is constantly trying to log in and given the password filled in is always wrong (as it is a shared inbox, with no direct credentials), I guess the proxy deletes the token.

[emailproxy]
delete_account_token_on_password_error = False

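The two things that went wrong in this thread are both visible in the configuration file: the `redirect_uri` port the local auth server needs (the "Address in use" error above), and the `[emailproxy]` flag that deletes a cached token whenever the client sends a password that does not match. The script below is an added example, not code from email-oauth2-proxy itself, that lints an emailproxy.config-style file for exactly those points before the proxy is started: it checks that every account's `redirect_uri` carries an explicit port that is unique across accounts, reports the token-deletion flag, and offers a bind test for whether a port is actually free on this host. The sample config text is constructed with placeholder values; the assumption that `delete_account_token_on_password_error` defaults to True when absent is the example's own and should be checked against the sample configuration shipped with the proxy.

```python
"""Lint an emailproxy.config-style file for the settings discussed in this issue.

Added example, not part of the proxy's own code base. It reproduces the checks
named in the proxy's error message ("redirect_uri ... is unique across accounts,
specifies a port number, and is not already in use") and reports the
delete_account_token_on_password_error flag from the [emailproxy] section.
"""
import configparser
import socket
from urllib.parse import urlparse

# Constructed sample configuration: placeholder tenant/client values, no real secrets.
# user2 reuses sharedinbox1's port and user3 omits the port, so both are flagged.
SAMPLE_CONFIG = """
[emailproxy]
delete_account_token_on_password_error = False

[sharedinbox1@example.com]
permission_url = https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/token
oauth2_scope = https://outlook.office365.com/IMAP.AccessAsUser.All offline_access
redirect_uri = http://localhost:20901
client_id = CLIENT-ID-PLACEHOLDER

[user2@example.com]
permission_url = https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/token
oauth2_scope = https://outlook.office365.com/IMAP.AccessAsUser.All offline_access
redirect_uri = http://localhost:20901
client_id = CLIENT-ID-PLACEHOLDER

[user3@example.com]
permission_url = https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/token
oauth2_scope = https://outlook.office365.com/IMAP.AccessAsUser.All offline_access
redirect_uri = http://localhost
client_id = CLIENT-ID-PLACEHOLDER
"""


def load_config(text):
    """Parse config text; interpolation is off because URLs may contain '%'."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def check_redirect_uris(parser):
    """Return [(account, problem)] for accounts whose redirect_uri would fail
    the proxy's local server auth mode: missing, without a port, or sharing
    a host:port with another account (which is what produces 'Address in use')."""
    problems = []
    seen = {}  # (hostname, port) -> first account that claimed it
    for section in parser.sections():
        if section == 'emailproxy':
            continue  # global settings, not an account
        uri = parser.get(section, 'redirect_uri', fallback=None)
        if uri is None:
            problems.append((section, 'no redirect_uri set (required for local server auth mode)'))
            continue
        parsed = urlparse(uri)
        if parsed.port is None:
            problems.append((section, f'redirect_uri {uri} does not specify a port number'))
            continue
        key = (parsed.hostname, parsed.port)
        if key in seen:
            problems.append((section, f'redirect_uri port {parsed.port} is also used by {seen[key]}'))
        else:
            seen[key] = section
    return problems


def token_deletion_enabled(parser):
    """Value of delete_account_token_on_password_error; the default of True
    when the key is absent is this example's assumption, not taken from the proxy."""
    return parser.getboolean('emailproxy', 'delete_account_token_on_password_error', fallback=True)


def port_is_free(host, port):
    """True if a listening socket can currently be bound to host:port.
    No SO_REUSEADDR on purpose: we want to see the same OSError the proxy would."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((host, port))
        except OSError:
            return False
    return True


def demo_port_in_use():
    """Hold a port open, probe it, release it, probe again: returns (busy, free_after)."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind(('127.0.0.1', 0))  # kernel picks an unused port
    holder.listen(1)
    port = holder.getsockname()[1]
    busy = port_is_free('127.0.0.1', port)
    holder.close()
    return busy, port_is_free('127.0.0.1', port)


if __name__ == '__main__':
    cfg = load_config(SAMPLE_CONFIG)
    for account, problem in check_redirect_uris(cfg):
        print(f'{account}: {problem}')
    print('delete_account_token_on_password_error =', token_deletion_enabled(cfg))
    print('bind test (busy, free_after) =', demo_port_in_use())
```

Run against a real config by replacing `SAMPLE_CONFIG` with the file contents; for a shared mailbox where the client can only ever supply a non-matching password, a True value of the deletion flag means every login attempt throws away the cached token and re-triggers the browser authorisation, which is the loop the debug log above shows.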
simonrob commented 4 months ago

Thanks for following up – glad you were able to resolve this.