simonrob / email-oauth2-proxy

An IMAP/POP/SMTP proxy that transparently adds OAuth 2.0 authentication for email clients that don't support this method.
Apache License 2.0

Access smtp.gmail.com #270

Closed Novgor closed 3 weeks ago

Novgor commented 4 weeks ago

Hi. I'm trying to set up a proxy to send mail via smtp gmail. I can't figure out how it works. The service is up, but the mail is not sent.

Failed to send email: (530, b'5.7.0 Authentication Required. For more information, go to\n5.7.0 https://support.google.com/mail/?p=WantAuthError a640c23a62f3a-a8383946441sm64936366b.148 - gsmtp', 'XXXXXX@gmail.com')

I checked the tokens, they are valid. Maybe there is more documentation on the configuration for gmail or an example?

[SMTP-587]
server_address = smtp.gmail.com
server_port = 587
local_address = 127.0.0.1
server_starttls = True
local_starttls = False

[oauth]
oauth2_scope = https://mail.google.com/
redirect_uri = http://localhost
access_token = "my_access"
refresh_token = "my_token"
token_uri = "https://oauth2.googleapis.com/token"
client_id = "my.id"
client_secret = "my.secret"
scopes = 
    - https://www.googleapis.com/auth/gmail.readonly
    - https://www.googleapis.com/auth/gmail.modify
    - https://www.googleapis.com/auth/gmail.send
    - https://www.googleapis.com/auth/gmail.metadata
    - https://www.googleapis.com/auth/gmail.settings.basic
    - https://www.googleapis.com/auth/gmail.settings.sharing

simonrob commented 4 weeks ago

There are Gmail examples in the sample configuration file.

For a start, you've changed the scope value and added quotation marks around some values. Remove the quotes and switch back to the scope from the example and you'll probably find things start working.

Novgor commented 4 weeks ago

> There are Gmail examples in the sample configuration file.
>
> For a start, you've changed the scope value and added quotation marks around some values. Remove the quotes and switch back to the scope from the example and you'll probably find things start working.

I brought the configuration to the form as in the documentation:

[XXXXXX@gmail.com]
permission_url = https://accounts.google.com/o/oauth2/auth
token_url = https://oauth2.googleapis.com/token
oauth2_scope = https://mail.google.com/
redirect_uri = http://localhost
client_id = ***********************.apps.googleusercontent.com
client_secret = {"web":{"client_id":"***********************.apps.googleusercontent.com","project_id":"my-procject","auth_uri":"https://accounts.google.com/o/oauth2/auth","token_uri":"https://oauth2.googleapis.com/token","auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs","client_secret":"my-sec-key"}}

[SMTP-25]
server_address = smtp.gmail.com
server_port = 587
local_address = 127.0.0.1
server_starttls = True
local_starttls = False

[emailproxy]
delete_account_token_on_password_error = False
encrypt_client_secret_on_first_use = True
allow_catch_all_accounts = False

And still get 530 error. Maybe I didn't understand how client_secret should look? I wrote it down cleanly, but nothing changed.

simonrob commented 4 weeks ago

Here you've pasted a JSON configuration into the secret value rather than just the secret itself. See the end of that object for the secret value.

If you're having trouble setting things up I'd recommend starting with one of the existing public ID/secret configurations (see the readme) and only switching to your own when things are working.
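
An added example, not part of the original thread or the project's code: a small pre-flight check for the two mistakes pointed out in the replies above (quotation marks around values, and a whole JSON object pasted into `client_secret`). The function name, the sample text, the rule that account sections are the ones containing `@`, and the `REQUIRED` list (taken from the configuration that ends up working later in this thread) are assumptions for illustration.

```python
import configparser
import json

# Constructed sample reproducing the mistakes discussed in this thread
# (placeholder values only; not a real account or credential).
SAMPLE = """
[user@example.com]
permission_url = https://accounts.google.com/o/oauth2/auth
token_url = "https://oauth2.googleapis.com/token"
oauth2_scope = https://mail.google.com/
redirect_uri = http://localhost
client_id = placeholder-id.apps.googleusercontent.com
client_secret = {"web":{"client_id":"placeholder-id","client_secret":"placeholder"}}

[SMTP-25]
server_address = smtp.gmail.com
"""

# Assumption: the keys present in the configuration that worked in this thread.
REQUIRED = ("permission_url", "token_url", "oauth2_scope",
            "redirect_uri", "client_id", "client_secret")


def lint_account_sections(text):
    """Return (section, key, problem) tuples for the account sections."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    # Assumption: account sections are named after an email address.
    accounts = [s for s in parser.sections() if "@" in s]
    if not accounts:
        return [(None, None, "no account section")]
    findings = []
    for section in accounts:
        for key in REQUIRED:
            if key not in parser[section]:
                findings.append((section, key, "missing"))
        for key, value in parser[section].items():
            # INI values are taken literally, so quotes become part of the value.
            if len(value) > 1 and value[0] == value[-1] and value[0] in "\"'":
                findings.append((section, key, "quoted value"))
            if key == "client_secret" and value.lstrip().startswith("{"):
                try:
                    json.loads(value)
                except ValueError:
                    continue
                findings.append((section, key, "JSON blob, not the secret"))
    return findings
```
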

Novgor commented 4 weeks ago

I inserted a regular secret key. I got error 530. I enabled smtp by user and password, and the connection started, but the letter is not sent.

2024-08-16 11:45:25: SMTP (192.168.0.4:35619-{127.0.0.1:25}-smtp.gmail.com:587) <-> [ Starting TLS handshake ]
2024-08-16 11:45:25: SMTP (192.168.0.4:35619-{127.0.0.1:25}-smtp.gmail.com:587) [ Successfully negotiated SMTP server STARTTLS connection - re-sending greeting ]
2024-08-16 11:45:25: SMTP (192.168.0.4:35619-{127.0.0.1:25}-smtp.gmail.com:587)     --> b'EHLO 127.0.0.1\r\n'
2024-08-16 11:45:25: SMTP (192.168.0.4:35619-{127.0.0.1:25}-smtp.gmail.com:587) <-> [ TLSv1.3 handshake complete ]
2024-08-16 11:45:25: SMTP (192.168.0.4:35619-{127.0.0.1:25}-smtp.gmail.com:587)     <-- b'250-smtp.gmail.com at your service, [2a13:f980:2000:195::6dce:b228]\r\n'
2024-08-16 11:45:25: SMTP (192.168.0.4:35619-{127.0.0.1:25}-smtp.gmail.com:587)     <-- b'250-SIZE 35882577\r\n'
2024-08-16 11:45:25: SMTP (192.168.0.4:35619-{127.0.0.1:25}-smtp.gmail.com:587)     <-- b'250-8BITMIME\r\n'
2024-08-16 11:45:25: SMTP (192.168.0.4:35619-{127.0.0.1:25}-smtp.gmail.com:587)     <-- b'250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH\r\n'
2024-08-16 11:45:25: SMTP (192.168.0.4:35619-{127.0.0.1:25}-smtp.gmail.com:587)     <-- b'250-ENHANCEDSTATUSCODES\r\n'
2024-08-16 11:45:25: SMTP (192.168.0.4:35619-{127.0.0.1:25}-smtp.gmail.com:587)     <-- b'250-PIPELINING\r\n'
2024-08-16 11:45:25: SMTP (192.168.0.4:35619-{127.0.0.1:25}-smtp.gmail.com:587)     <-- b'250-CHUNKING\r\n'
2024-08-16 11:45:25: SMTP (192.168.0.4:35619-{127.0.0.1:25}-smtp.gmail.com:587)     <-- b'250 SMTPUTF8\r\n'
2024-08-16 11:45:25: SMTP (192.168.0.4:35619-{127.0.0.1:25}-smtp.gmail.com:587) <-- b'250-smtp.gmail.com at your service, [2a13:f960:2020:195::6dce:b228]\r\n250-SIZE 35882577\r\n250-8BITMIME\r\n250-AUTH PLAIN LOGIN\r\n250-ENHANCEDSTATUSCODES\r\n250-PIPELINING\r\n250-CHUNKING\r\n250 SMTPUTF8\r\n'
2024-08-16 11:45:25: SMTP (192.168.0.4:35619-{127.0.0.1:25}-smtp.gmail.com:587) --> b'AUTH LOGIN\r\n'
2024-08-16 11:45:25: SMTP (192.168.0.4:35619-{127.0.0.1:25}-smtp.gmail.com:587) <-- b'334 VXNlcm5hbWU6\r\n'
2024-08-16 11:45:25: SMTP (192.168.0.4:35619-{127.0.0.1:25}-smtp.gmail.com:587) --> b'Y2xpZW50c0BpcC1hcy5jb20=\r\n'
2024-08-16 11:45:25: SMTP (192.168.0.4:35619-{127.0.0.1:25}-smtp.gmail.com:587) <-- b'334 UGFzc3dvcmQ6\r\n'
2024-08-16 11:45:25: SMTP (192.168.0.4:35619-{127.0.0.1:25}-smtp.gmail.com:587) --> b'[[ Credentials removed from proxy log ]]'
2024-08-16 11:45:25: SMTP (192.168.0.4:35619-{127.0.0.1:25}-smtp.gmail.com:587)     --> b'AUTH XOAUTH2\r\n'
2024-08-16 11:45:25: SMTP (192.168.0.4:35619-{127.0.0.1:25}-smtp.gmail.com:587)     <-- b'334 \r\n'
2024-08-16 11:45:26: Authorisation request received for XXXXX@gmail.com (interactive mode)

Novgor commented 4 weeks ago

What needs to be added to the configuration to send mail via smtp.gmail.com without login and password?

simonrob commented 3 weeks ago

In your first message you're receiving an authorisation request that you need to respond to (see the readme – this is explained in depth). I'm not quite sure what you mean in your second message – the proxy doesn't remove the need to log in, only the OAuth 2.0 part of this.
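
An added example, not part of the original thread or the project's code, showing what the log above contains: the client side uses `AUTH LOGIN` (the `334` lines are base64 prompts), while the server side uses `AUTH XOAUTH2`, whose response wraps the account name and an OAuth 2.0 access token. The function names and the sample user and token are constructed for illustration.

```python
import base64


def decode_prompt(line: bytes) -> str:
    """Decode the base64 challenge in a '334 <base64>' SMTP reply."""
    code, _, payload = line.strip().partition(b" ")
    if code != b"334":
        raise ValueError("not an AUTH continuation reply")
    # An empty payload (b'334 \r\n') means the server is waiting for the
    # client's response, as after 'AUTH XOAUTH2' in the log.
    return base64.b64decode(payload).decode("ascii")


def xoauth2_response(user: str, access_token: str) -> bytes:
    """Build the base64 SASL XOAUTH2 client response."""
    raw = "user=%s\x01auth=Bearer %s\x01\x01" % (user, access_token)
    return base64.b64encode(raw.encode("utf-8"))


def parse_xoauth2(encoded: bytes) -> dict:
    """Split an XOAUTH2 response back into its fields (for log review)."""
    fields = base64.b64decode(encoded).decode("utf-8").split("\x01")
    return dict(f.split("=", 1) for f in fields if f)


if __name__ == "__main__":
    # Prompts copied from the log lines in this thread.
    print(decode_prompt(b"334 VXNlcm5hbWU6\r\n"))
    print(decode_prompt(b"334 UGFzc3dvcmQ6\r\n"))
    # Constructed user and token, not real credentials.
    blob = xoauth2_response("user@example.com", "constructed-token")
    print(parse_xoauth2(blob))
```

The access token in the second step is what the proxy obtains after the authorisation request is answered; until then it has nothing to send after the empty `334`.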

Novgor commented 3 weeks ago

> In your first message you're receiving an authorisation request that you need to respond to (see the readme – this is explained in depth). I'm not quite sure what you mean in your second message – the proxy doesn't remove the need to log in, only the OAuth 2.0 part of this.

Sorry for the confusion. I will describe my problem again. The server configuration is as follows:

[clients@gmail.com]
permission_url = https://accounts.google.com/o/oauth2/auth
token_url = https://oauth2.googleapis.com/token
oauth2_scope = https://mail.google.com/
redirect_uri = http://localhost
client_id = *******************.apps.googleusercontent.com
client_secret = GOC******************rS

[SMTP-25]
server_address = smtp.gmail.com
server_port = 587
local_address = 127.0.0.1
server_starttls = True
local_starttls = False

[emailproxy]
encrypt_client_secret_on_first_use = True
allow_catch_all_accounts = False
delete_account_token_on_password_error = False

I start the server with the following parameters:

python3 emailproxy.py --config-file gmail.config --no-gui --debug 

And when sending mail via smtp using user/pass I get error 524 after 3 minutes. I set a longer time, it didn't help.

[Screenshot from 2024-08-19 12-34-15]

Logs:

2024-08-19 09:32:14: SMTP (192.168.0.2:44604-{127.0.0.1:25}-smtp.gmail.com:587) <-> [ Starting TLS handshake ]
2024-08-19 09:32:14: SMTP (192.168.0.2:44604-{127.0.0.1:25}-smtp.gmail.com:587) [ Successfully negotiated SMTP server STARTTLS connection - re-sending greeting ]
2024-08-19 09:32:14: SMTP (192.168.0.2:44604-{127.0.0.1:25}-smtp.gmail.com:587)     --> b'EHLO 127.0.0.1\r\n'
2024-08-19 09:32:14: SMTP (192.168.0.2:44604-{127.0.0.1:25}-smtp.gmail.com:587) <-> [ TLSv1.3 handshake complete ]
2024-08-19 09:32:14: SMTP (192.168.0.2:44604-{127.0.0.1:25}-smtp.gmail.com:587)     <-- b'250-smtp.gmail.com at your service, [2a13:f980:2000:195::6dce:b228]\r\n'
2024-08-19 09:32:14: SMTP (192.168.0.2:44604-{127.0.0.1:25}-smtp.gmail.com:587)     <-- b'250-SIZE 35882577\r\n'
2024-08-19 09:32:14: SMTP (192.168.0.2:44604-{127.0.0.1:25}-smtp.gmail.com:587)     <-- b'250-8BITMIME\r\n'
2024-08-19 09:32:14: SMTP (192.168.0.2:44604-{127.0.0.1:25}-smtp.gmail.com:587)     <-- b'250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH\r\n'
2024-08-19 09:32:14: SMTP (192.168.0.2:44604-{127.0.0.1:25}-smtp.gmail.com:587)     <-- b'250-ENHANCEDSTATUSCODES\r\n'
2024-08-19 09:32:14: SMTP (192.168.0.2:44604-{127.0.0.1:25}-smtp.gmail.com:587)     <-- b'250-PIPELINING\r\n'
2024-08-19 09:32:14: SMTP (192.168.0.2:44604-{127.0.0.1:25}-smtp.gmail.com:587)     <-- b'250-CHUNKING\r\n'
2024-08-19 09:32:14: SMTP (192.168.0.2:44604-{127.0.0.1:25}-smtp.gmail.com:587)     <-- b'250 SMTPUTF8\r\n'
2024-08-19 09:32:14: SMTP (192.168.0.2:44604-{127.0.0.1:25}-smtp.gmail.com:587) <-- b'250-smtp.gmail.com at your service, [2a13:f980:2023:195::6dce:b228]\r\n250-SIZE 35882577\r\n250-8BITMIME\r\n250-AUTH PLAIN LOGIN\r\n250-ENHANCEDSTATUSCODES\r\n250-PIPELINING\r\n250-CHUNKING\r\n250 SMTPUTF8\r\n'
2024-08-19 09:32:14: SMTP (192.168.0.2:44604-{127.0.0.1:25}-smtp.gmail.com:587) --> b'AUTH LOGIN\r\n'
2024-08-19 09:32:14: SMTP (192.168.0.2:44604-{127.0.0.1:25}-smtp.gmail.com:587) <-- b'334 VXNlcm5hbWU6\r\n'
2024-08-19 09:32:14: SMTP (192.168.0.2:44604-{127.0.0.1:25}-smtp.gmail.com:587) --> b'Y2xpZW50c0BpcC1hcy5jb20=\r\n'
2024-08-19 09:32:14: SMTP (192.168.0.2:44604-{127.0.0.1:25}-smtp.gmail.com:587) <-- b'334 UGFzc3dvcmQ6\r\n'
2024-08-19 09:32:14: SMTP (192.168.0.2:44604-{127.0.0.1:25}-smtp.gmail.com:587) --> b'[[ Credentials removed from proxy log ]]'
2024-08-19 09:32:14: SMTP (192.168.0.2:44604-{127.0.0.1:25}-smtp.gmail.com:587)     --> b'AUTH XOAUTH2\r\n'
2024-08-19 09:32:14: SMTP (192.168.0.2:44604-{127.0.0.1:25}-smtp.gmail.com:587)     <-- b'334 \r\n'
2024-08-19 09:32:15: Authorisation request received for clients@gmail.com (interactive mode)

I have looked through the documentation but I don't understand why I have this problem.

simonrob commented 3 weeks ago

This is explained in the Getting started section of the readme. See the paragraph beginning The first time your email client makes a request [...].

Novgor commented 3 weeks ago

> This is explained in the Getting started section of the readme. See the paragraph beginning The first time your email client makes a request [...].

My mistake is that I didn't start the proxy via --external-auth first. After starting, I passed authorization and smtp and pop3 started working. After that, this key was not needed. Thank you very much. Another question, a little off topic, can the proxy somehow remove X-Mailer? I would like to get rid of it, because my client sends it.

simonrob commented 3 weeks ago

Thanks for following up – I'm glad you were able to figure things out.

Re: X-Mailer – there is a demo for this in the plugins branch which should do what you require (see SMTPRemoveClientIdentifiers). I don't have capacity to provide any support for this aspect of the proxy, however.