simonrob / email-oauth2-proxy

An IMAP/POP/SMTP proxy that transparently adds OAuth 2.0 authentication for email clients that don't support this method.
Apache License 2.0

Stuck at "Accepting new connection from..." #256

Closed valentinomariotto closed 2 months ago

valentinomariotto commented 2 months ago

Hi, thank you for this amazingly useful piece of software! I'm struggling to get it to run properly.

I'm using the containerized version, but I don't think that's the issue:

docker run \
  --rm \
  -it \
  -p 1993:1993 \
  -v /my-mount-point/config:/config \
  blacktirion/email-oauth2-proxy-docker \
    python emailproxy.py \
    --no-gui \
    --external-auth \
    --debug \
    --cache-store /config/credstore.config \
    --config-file /config/emailproxy.config \
    --log-file /config/emailproxy.log

This is my emailproxy.config

[IMAP-1993]
server_address = outlook.office365.com
server_port = 993

[dmarc@mydomain.com]
permission_url = https://login.microsoftonline.com/common/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/common/oauth2/v2.0/token
oauth2_scope = https://outlook.office365.com/IMAP.AccessAsUser.All offline_access
redirect_uri = http://localhost
client_id = my app id
client_secret = my secret

I'm trying to use thunderbird to get the token. This is what I get in the logs:

2024-06-17 14:31:24: Initialising Email OAuth 2.0 Proxy (version 2024-06-04) in debug mode from config file /config/emailproxy.config
2024-06-17 14:31:24: Starting IMAP server at [::]:1993 (unsecured) proxying outlook.office365.com:993 (SSL/TLS)
2024-06-17 14:31:24: Initialised Email OAuth 2.0 Proxy - listening for authentication requests. Connect your email client to begin
2024-06-17 14:31:28: New incoming connection to IMAP server at [::]:1993 (unsecured) proxying outlook.office365.com:993 (SSL/TLS)
2024-06-17 14:31:28: Accepting new connection from [::ffff.MY.IPv4]:61853 to IMAP server at [::]:1993 (unsecured) proxying outlook.office365.com:993 (SSL/TLS)
2024-06-17 14:33:08: IMAP ([::ffff:MY.IPv4]:61853-{[::ffff:172.17.0.3]:1993}-outlook.office365.com:993) --> [ Client disconnected ]
2024-06-17 14:33:08: IMAP ([::ffff:MY.IPv4]:61853-{[::ffff:172.17.0.3]:1993}-outlook.office365.com:993) <-- [ Server disconnected ]

It just times out because nothing happens after accepting the new connection.

simonrob commented 2 months ago

Thanks for the kind words!

I'd start by using telnet or similar to test the connection – see the troubleshooting section of the readme.

Thunderbird (which supports OAuth 2.0 natively, by the way) is often not a good choice for testing because it tries very hard to avoid unencrypted connections, often giving the impression it is using them when in fact it is not. Because the proxy by default uses an unencrypted local connection, if you do want to use Thunderbird you'll probably need to set up a certificate, and then explicitly mark this as trusted in the Thunderbird preferences.

valentinomariotto commented 2 months ago

Hi Simon, thank you for your advice. I'll be damned! I tried that telnet login command and it worked immediately! Now I can see I have a token in the credstore.config file. I'm still struggling to find a client that will work without SSL, so I'm not sure it's working 100%, but the issue I presented in this topic is solved. The application I want to use is the dmarc-exporter for Prometheus, which seems to be requiring an SSL connection now, so it looks like I'll have to set up a certificate after all. Thank you for your help.

simonrob commented 2 months ago

Thanks for following up - glad this was a simple change.

I'm not familiar with that tool, but it looks to have a use_ssl option that could be disabled?

valentinomariotto commented 2 months ago

Unfortunately, using those SSL options (set to either true or false) causes the program to crash, so I opened an issue with them.

I'm not sure the proxy is working properly either. If I try to login again with telnet, I get this:

2024-06-18 07:14:06,744: New incoming connection to IMAP server at [::]:1993 (unsecured) proxying outlook.office365.com:993 (SSL/TLS)
2024-06-18 07:14:06,745: Accepting new connection from [::ffff:192.168.16.1]:50188 to IMAP server at [::]:1993 (unsecured) proxying outlook.office365.com:993 (SSL/TLS)
2024-06-18 07:14:13,064: IMAP ([::ffff:192.168.16.1]:50188-{[::ffff:192.168.16.2]:1993}-outlook.office365.com:993) --> b'a1 login [[ Credentials removed from proxy log ]]\r\n'
2024-06-18 07:14:14,640: IMAP ([::ffff:192.168.16.1]:50188-{[::ffff:192.168.16.2]:1993}-outlook.office365.com:993)     --> b'a1 AUTHENTICATE XOAUTH2 '
2024-06-18 07:14:14,641: IMAP ([::ffff:192.168.16.1]:50188-{[::ffff:192.168.16.2]:1993}-outlook.office365.com:993)     --> b'[[ Credentials removed from proxy log ]]\r\n'

Does this mean it's working?

Instead if I add a key pair to the proxy configuration, when a client (not telnet) tries to connect this happens:

[IMAP-1993]
server_address = outlook.office365.com
server_port = 993
local_certificate_path=/config/cert.pem
local_key_path=/config/key.pem

2024-06-18 07:07:42,977: New incoming connection to IMAP server at [::]:1993 (SSL/TLS) proxying outlook.office365.com:993 (SSL/TLS)
2024-06-18 07:07:42,979: Accepting new connection from [::ffff:192.168.16.3]:56350 to IMAP server at [::]:1993 (SSL/TLS) proxying outlook.office365.com:993 (SSL/TLS)
2024-06-18 07:07:42,994: IMAP ([::ffff:192.168.16.3]:56350-{[::ffff:192.168.16.2]:1993}-outlook.office365.com:993) <-> [ Starting TLS handshake ]
2024-06-18 07:07:43,011: IMAP ([::ffff:192.168.16.3]:56350-{[::ffff:192.168.16.2]:1993}-outlook.office365.com:993) <-> [ TLSv1.3 handshake complete ]
2024-06-18 07:07:53,175: IMAP ([::ffff:192.168.16.3]:40772-{[::ffff:192.168.16.2]:1993}-outlook.office365.com:993) Caught network error (server) - is there a network connection? Error type <class 'TimeoutError'> with message: [Errno 110] Operation timed out
2024-06-18 07:07:53,175: IMAP ([::ffff:192.168.16.3]:40772-{[::ffff:192.168.16.2]:1993}-outlook.office365.com:993) <-- [ Server disconnected ]
2024-06-18 07:07:53,176: IMAP ([::ffff:192.168.16.3]:40772-{[::ffff:192.168.16.2]:1993}-outlook.office365.com:993) --> [ Client disconnected ]

I think something still is not quite right.

simonrob commented 2 months ago

The telnet log looks to be working, but you've cut it off a little early to be sure. What are the next few lines?

Is the other one again from Thunderbird? That client doesn't trust self-signed certificates by default, and just times out the connection instead. You need to add an explicit exception for this to work. Again, I'd recommend not using it for testing; instead, use OpenSSL as explained in the proxy's troubleshooting section.

valentinomariotto commented 2 months ago

There were no other lines; it stopped there. I waited for 5 minutes. Does it mean that the authentication is refused on the Microsoft side? Or that there's some issue with the authenticator app?

Thanks for the advice on Thunderbird and OpenSSL.

valentinomariotto commented 2 months ago

The same thing happened when getting the initial token. I cleared the credstore.config file and tried again. I confirm that the connection times out after getting the token. It looks like the proxy can't log in? The authentication app has this authorization: Office 365 Exchange Online (1) >> IMAP.AccessAsApp (authorized by the admin).

simonrob commented 2 months ago

It sounds like maybe your docker environment isn't able to connect to the Office 365 server?

When you initially connect, there should be a greeting message from the remote server. I had assumed you were leaving this out of the log, but if it's not there at all then there's an issue with the connection.

valentinomariotto commented 2 months ago

Found the issue. I thought that the proxy would communicate with Microsoft on port 443, and instead it needs port 993 to be open. I fixed that and now it works. Thank you for the help, and again for this program.
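The diagnostic that resolved this thread (Simon's point that a working proxy forwards the upstream server's greeting as soon as a client connects, and the final finding that outbound port 993 has to be reachable from the container) can be scripted instead of typed into telnet. The following is an added example and not part of the email-oauth2-proxy project: it connects to a host/port, waits for the first line, and classifies the result as a greeting, an accepted-but-silent connection (this issue's symptom), or an unreachable port. The proxy address localhost:1993 and the upstream outlook.office365.com:993 in the `__main__` block are assumptions taken from the thread, and `LocalImapStub` is a constructed local server used only to exercise the checks offline.

```python
"""Connection diagnostics for an Email OAuth 2.0 Proxy setup.

Added example, not part of the proxy project: it reproduces the readme's
"connect with telnet and wait for the greeting" check in code, so the two
situations in this thread can be told apart from inside the container:
  - the proxy accepts the TCP connection but never forwards an IMAP greeting
    (its upstream connection to outlook.office365.com:993 is not completing),
  - a port is not reachable at all.
Hostnames and ports are assumptions; LocalImapStub is a constructed test server.
"""
import socket
import ssl
import threading


def read_greeting(host, port, timeout=5.0, use_tls=False, verify_tls=True):
    """Open a connection and return the first line the server sends.

    Returns None when the TCP (or TLS) connection succeeds but no data arrives
    within `timeout` seconds; raises OSError when the connection itself fails
    (refused, DNS error, TLS error).
    """
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            if not verify_tls:  # proxy configured with a self-signed certificate
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return None
        if not data:
            return None
        return data.split(b"\r\n", 1)[0].decode("utf-8", "replace")
    finally:
        sock.close()


def classify(host, port, timeout=5.0, use_tls=False, verify_tls=True):
    """Map one connection attempt to a (status, detail) pair.

    ("greeting", text)       the server greeted us: this hop is working
    ("silent", None)         accepted but no greeting: the proxy's upstream
                             connection is not completing (the issue's symptom)
    ("unreachable", reason)  could not connect at all
    """
    try:
        greeting = read_greeting(host, port, timeout, use_tls, verify_tls)
    except OSError as exc:
        return "unreachable", str(exc)
    if greeting is None:
        return "silent", None
    return "greeting", greeting


class LocalImapStub:
    """Constructed test server on 127.0.0.1: greets at once, or stays silent
    to mimic a proxy stuck waiting on a blocked upstream connection."""

    def __init__(self, greeting=b"* OK IMAP ready\r\n", silent=False):
        self.greeting, self.silent = greeting, silent
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind(("127.0.0.1", 0))
        self._srv.listen(5)
        self._srv.settimeout(0.2)  # lets the accept loop notice close()
        self.port = self._srv.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _ = self._srv.accept()
            except socket.timeout:
                continue
            with conn:
                if not self.silent:
                    conn.sendall(self.greeting)
                conn.settimeout(2.0)
                try:
                    conn.recv(1)  # hold the connection until the client gives up
                except OSError:
                    pass

    def close(self):
        self._stop.set()
        self._thread.join()
        self._srv.close()


if __name__ == "__main__":
    # Assumed deployment from the thread: proxy on localhost:1993 (unsecured),
    # upstream outlook.office365.com:993 (SSL/TLS). Running this inside the
    # container shows whether outbound port 993 is open.
    print("proxy   :", classify("localhost", 1993))
    print("upstream:", classify("outlook.office365.com", 993, use_tls=True))
```

Run inside the container: a "silent" result for the proxy together with an "unreachable" result for the upstream points at egress filtering on port 993, which is what this issue turned out to be; a "silent" proxy with a reachable upstream points at the proxy configuration or the account instead. For a proxy that has `local_certificate_path` set, pass `use_tls=True, verify_tls=False` to the proxy check so a self-signed certificate does not mask the result.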