simonrob / email-oauth2-proxy

An IMAP/POP/SMTP proxy that transparently adds OAuth 2.0 authentication for email clients that don't support this method.
Apache License 2.0

Gmail access_token_expiry #277

Closed Novgor closed 2 months ago

Novgor commented 2 months ago

Hello again. Continuation of the case #273. I start the proxy with keys first:

python3 emailproxy.py --config-file my.config --no-gui --debug  --external-auth

I go through the initial authorization (I go to the provided URL and enter the code in the command line), and SMTP and POP3 work. And I continue to work as a proxy without the --external-auth key. The configuration looks like this; I do not make any more changes:

[clients@mymail.com]
permission_url = https://accounts.google.com/o/oauth2/auth
token_url = https://oauth2.googleapis.com/token
oauth2_scope = https://mail.google.com/
redirect_uri = http://localhost
client_id = *******************.apps.googleusercontent.com
client_secret_encrypted = ***************8SFM-OKEOB-****************GL74g_LskrePjQ2jWOmqx2fK4zoGsiLCnwnibc2CI
token_salt = 4DTN***********dcvA==
token_iterations = 870000
access_token = gAAAA****************************************************************************************************************2iiNTsqKNm1GPPmuiUTMwORZmkIOs6NOQBV8bUmrF0_L5yU_cVW3Yao1SyVUNpvlADZ2MJGIUbSE3gsLk25_yebZAmeirJDJmPFHeRpJGSLJr6-H7AGvXLGwzM9WPiBra29Jes9OuzogopDDHyXv5LmLXT61BVYMQ=
access_token_expiry = 1724308962
last_activity = 1724305393

[SMTP-25]
server_address = smtp.gmail.com
server_port = 587
local_address = 127.0.0.1
server_starttls = True
local_starttls = False

[POP-995]
server_address = pop.gmail.com
server_port = 995
local_address = 127.0.0.1
server_starttls = False
local_starttls = False

[emailproxy]
encrypt_client_secret_on_first_use = True
allow_catch_all_accounts = False
delete_account_token_on_password_error = False

A little less than an hour later, the letters stop coming. There is an error in the logs:

2024-08-22 06:46:03,430: Authorisation request received for clients@mymail.com (interactive mode)
2024-08-22 06:46:04,298: Authorisation result error for account clients@mymail.com - aborting login. Authorisation request timed out

More detailed log with the beginning of the error:

2024-08-22 06:36:02,047: New incoming connection to POP server at 127.0.0.1:995 (unsecured) proxying pop.gmail.com:995 (SSL/TLS)
2024-08-22 06:36:02,047: Accepting new connection from 192.168.1.2:53902 to POP server at 127.0.0.1:995 (unsecured) proxying pop.gmail.com:995 (SSL/TLS)
2024-08-22 06:36:02,072: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995) --> [ Client connected ]
2024-08-22 06:36:02,072: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995) <-> [ Starting TLS handshake ]
2024-08-22 06:36:02,142: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995) <-> [ TLSv1.3 handshake complete ]
2024-08-22 06:36:02,161: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995)     <-- b'+OK Gpop ready for requests from 127.0.0.1 dz12mb12880686edb\r\n'
2024-08-22 06:36:02,161: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995) <-- b'+OK Gpop ready for requests from 127.0.0.1 dz12mb12880686edb\r\n'
2024-08-22 06:36:02,162: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995) --> b'CAPA\r\n'
2024-08-22 06:36:02,162: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995)     --> b'CAPA\r\n'
2024-08-22 06:36:02,182: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995)     <-- b'+OK Capability list follows\r\n'
2024-08-22 06:36:02,182: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995)     <-- b'USER\r\n'
2024-08-22 06:36:02,182: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995)     <-- b'RESP-CODES\r\n'
2024-08-22 06:36:02,182: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995)     <-- b'EXPIRE 0\r\n'
2024-08-22 06:36:02,183: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995)     <-- b'LOGIN-DELAY 300\r\n'
2024-08-22 06:36:02,183: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995)     <-- b'TOP\r\n'
2024-08-22 06:36:02,183: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995)     <-- b'UIDL\r\n'
2024-08-22 06:36:02,184: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995)     <-- b'X-GOOGLE-RICO\r\n'
2024-08-22 06:36:02,184: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995)     <-- b'SASL PLAIN XOAUTH2 OAUTHBEARER\r\n'
2024-08-22 06:36:02,184: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995)     <-- b'.\r\n'
2024-08-22 06:36:02,184: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995) <-- b'+OK Capability list follows\r\n'
2024-08-22 06:36:02,185: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995) <-- b'USER\r\n'
2024-08-22 06:36:02,185: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995) <-- b'RESP-CODES\r\n'
2024-08-22 06:36:02,185: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995) <-- b'EXPIRE 0\r\n'
2024-08-22 06:36:02,186: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995) <-- b'LOGIN-DELAY 300\r\n'
2024-08-22 06:36:02,186: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995) <-- b'TOP\r\n'
2024-08-22 06:36:02,186: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995) <-- b'UIDL\r\n'
2024-08-22 06:36:02,186: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995) <-- b'X-GOOGLE-RICO\r\n'
2024-08-22 06:36:02,187: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995) <-- b'SASL PLAIN\r\n'
2024-08-22 06:36:02,187: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995) <-- b'.\r\n'
2024-08-22 06:36:02,322: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995) --> b'AUTH PLAIN\r\n'
2024-08-22 06:36:02,323: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995) <-- b'+ \r\n'
2024-08-22 06:36:02,324: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995) --> b'[[ Credentials removed from proxy log ]]'
2024-08-22 06:36:02,324: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995)     --> b'AUTH XOAUTH2\r\n'
2024-08-22 06:36:02,343: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995)     <-- b'+ \r\n'
2024-08-22 06:36:03,553: Authorisation request received for clients@mymail.com (interactive mode)
2024-08-22 06:46:02,016: New incoming connection to POP server at 127.0.0.1:995 (unsecured) proxying pop.gmail.com:995 (SSL/TLS)
2024-08-22 06:46:02,017: Accepting new connection from 192.168.1.2:53922 to POP server at 127.0.0.1:995 (unsecured) proxying pop.gmail.com:995 (SSL/TLS)
2024-08-22 06:46:02,043: POP (192.168.1.2:53922-{127.0.0.1:995}-pop.gmail.com:995) --> [ Client connected ]
2024-08-22 06:46:02,043: POP (192.168.1.2:53922-{127.0.0.1:995}-pop.gmail.com:995) <-> [ Starting TLS handshake ]
2024-08-22 06:46:02,125: POP (192.168.1.2:53922-{127.0.0.1:995}-pop.gmail.com:995) <-> [ TLSv1.3 handshake complete ]
2024-08-22 06:46:02,145: POP (192.168.1.2:53922-{127.0.0.1:995}-pop.gmail.com:995)     <-- b'+OK Gpop ready for requests from 127.0.0.1 a19mb12868205edx\r\n'
2024-08-22 06:46:02,145: POP (192.168.1.2:53922-{127.0.0.1:995}-pop.gmail.com:995) <-- b'+OK Gpop ready for requests from 127.0.0.1 a19mb12868205edx\r\n'
2024-08-22 06:46:02,146: POP (192.168.1.2:53922-{127.0.0.1:995}-pop.gmail.com:995) --> b'CAPA\r\n'
2024-08-22 06:46:02,147: POP (192.168.1.2:53922-{127.0.0.1:995}-pop.gmail.com:995)     --> b'CAPA\r\n'
2024-08-22 06:46:02,166: POP (192.168.1.2:53922-{127.0.0.1:995}-pop.gmail.com:995)     <-- b'+OK Capability list follows\r\n'
2024-08-22 06:46:02,166: POP (192.168.1.2:53922-{127.0.0.1:995}-pop.gmail.com:995)     <-- b'USER\r\n'
2024-08-22 06:46:02,167: POP (192.168.1.2:53922-{127.0.0.1:995}-pop.gmail.com:995)     <-- b'RESP-CODES\r\n'
2024-08-22 06:46:02,167: POP (192.168.1.2:53922-{127.0.0.1:995}-pop.gmail.com:995)     <-- b'EXPIRE 0\r\n'
2024-08-22 06:46:02,167: POP (192.168.1.2:53922-{127.0.0.1:995}-pop.gmail.com:995)     <-- b'LOGIN-DELAY 300\r\n'
2024-08-22 06:46:02,168: POP (192.168.1.2:53922-{127.0.0.1:995}-pop.gmail.com:995)     <-- b'TOP\r\n'
2024-08-22 06:46:02,168: POP (192.168.1.2:53922-{127.0.0.1:995}-pop.gmail.com:995)     <-- b'UIDL\r\n'
2024-08-22 06:46:02,168: POP (192.168.1.2:53922-{127.0.0.1:995}-pop.gmail.com:995)     <-- b'X-GOOGLE-RICO\r\n'
2024-08-22 06:46:02,168: POP (192.168.1.2:53922-{127.0.0.1:995}-pop.gmail.com:995)     <-- b'SASL PLAIN XOAUTH2 OAUTHBEARER\r\n'
2024-08-22 06:46:02,169: POP (192.168.1.2:53922-{127.0.0.1:995}-pop.gmail.com:995)     <-- b'.\r\n'
2024-08-22 06:46:02,169: POP (192.168.1.2:53922-{127.0.0.1:995}-pop.gmail.com:995) <-- b'+OK Capability list follows\r\n'
2024-08-22 06:46:02,169: POP (192.168.1.2:53922-{127.0.0.1:995}-pop.gmail.com:995) <-- b'USER\r\n'
2024-08-22 06:46:02,170: POP (192.168.1.2:53922-{127.0.0.1:995}-pop.gmail.com:995) <-- b'RESP-CODES\r\n'
2024-08-22 06:46:02,170: POP (192.168.1.2:53922-{127.0.0.1:995}-pop.gmail.com:995) <-- b'EXPIRE 0\r\n'
2024-08-22 06:46:02,170: POP (192.168.1.2:53922-{127.0.0.1:995}-pop.gmail.com:995) <-- b'LOGIN-DELAY 300\r\n'
2024-08-22 06:46:02,170: POP (192.168.1.2:53922-{127.0.0.1:995}-pop.gmail.com:995) <-- b'TOP\r\n'
2024-08-22 06:46:02,171: POP (192.168.1.2:53922-{127.0.0.1:995}-pop.gmail.com:995) <-- b'UIDL\r\n'
2024-08-22 06:46:02,171: POP (192.168.1.2:53922-{127.0.0.1:995}-pop.gmail.com:995) <-- b'X-GOOGLE-RICO\r\n'
2024-08-22 06:46:02,171: POP (192.168.1.2:53922-{127.0.0.1:995}-pop.gmail.com:995) <-- b'SASL PLAIN\r\n'
2024-08-22 06:46:02,172: POP (192.168.1.2:53922-{127.0.0.1:995}-pop.gmail.com:995) <-- b'.\r\n'
2024-08-22 06:46:02,208: POP (192.168.1.2:53922-{127.0.0.1:995}-pop.gmail.com:995) --> b'AUTH PLAIN\r\n'
2024-08-22 06:46:02,209: POP (192.168.1.2:53922-{127.0.0.1:995}-pop.gmail.com:995) <-- b'+ \r\n'
2024-08-22 06:46:02,210: POP (192.168.1.2:53922-{127.0.0.1:995}-pop.gmail.com:995) --> b'[[ Credentials removed from proxy log ]]'
2024-08-22 06:46:02,210: POP (192.168.1.2:53922-{127.0.0.1:995}-pop.gmail.com:995)     --> b'AUTH XOAUTH2\r\n'
2024-08-22 06:46:02,229: POP (192.168.1.2:53922-{127.0.0.1:995}-pop.gmail.com:995)     <-- b'+ \r\n'
2024-08-22 06:46:03,430: Authorisation request received for clients@mymail.com (interactive mode)
2024-08-22 06:46:04,298: Authorisation result error for account clients@mymail.com - aborting login. Authorisation request timed out
2024-08-22 06:46:04,299: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995)     --> b'*\r\n'
2024-08-22 06:46:04,299: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995) <-- [ Server disconnected ]
2024-08-22 06:46:04,299: POP (192.168.1.2:53902-{127.0.0.1:995}-pop.gmail.com:995) --> [ Client disconnected ]

I switched the settings in production to Google Cloud Console. But the access token is still given for 1 hour and does not update. I have no idea why this happens :(

[Screenshot from 2024-08-30 08-54-03]

simonrob commented 2 months ago

I'm afraid the response is still the same: this is nothing to do with the proxy. If the switch to a production client hasn't resolved this, you may need to go down the verification route as suggested in your screenshot ($15,000 - $75,000, I believe).

Alternatively, as recommended previously, you can also try one of the available ID/secret pairs from an open source client that has already been verified.
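
An added example (not part of the thread and not the proxy's own code) for reading the token fields of the account section and the authorisation lines of the log posted above. It assumes the two stored timestamps are Unix epoch seconds, that a stored refresh token would appear under a `refresh_token` key, and that a timeout belongs to the oldest pending interactive request; the function names are hypothetical.

```python
import configparser
import re
from datetime import datetime, timezone

# Account section and log lines taken from the post above (secret values shortened).
ACCOUNT = """
[clients@mymail.com]
token_url = https://oauth2.googleapis.com/token
access_token = gAAAA...
access_token_expiry = 1724308962
last_activity = 1724305393
"""
LOG = """\
2024-08-22 06:36:03,553: Authorisation request received for clients@mymail.com (interactive mode)
2024-08-22 06:46:03,430: Authorisation request received for clients@mymail.com (interactive mode)
2024-08-22 06:46:04,298: Authorisation result error for account clients@mymail.com - aborting login. Authorisation request timed out
"""
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}): (.*)$")

def token_state(config_text, account):
    """Summarise the stored token fields for one account section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    section = parser[account]
    expiry = section.getint("access_token_expiry")
    return {
        "expires_utc": datetime.fromtimestamp(expiry, timezone.utc).isoformat(),
        "seconds_left_at_last_activity": expiry - section.getint("last_activity"),
        # Assumption: a stored refresh token would appear under this key.
        "has_refresh_token": "refresh_token" in section,
    }

def interactive_timeouts(log_text, account):
    """Pair each timeout with the oldest pending interactive request (assumed FIFO)."""
    pending, waits = [], []
    for line in log_text.splitlines():
        match = LINE.match(line)
        if not match:
            continue
        when = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S,%f")
        message = match.group(2)
        if message == f"Authorisation request received for {account} (interactive mode)":
            pending.append(when)
        elif pending and account in message and message.endswith("Authorisation request timed out"):
            start = pending.pop(0)
            waits.append((start, when, (when - start).total_seconds()))
    return waits

if __name__ == "__main__":
    print(token_state(ACCOUNT, "clients@mymail.com"))
    print(interactive_timeouts(LOG, "clients@mymail.com"))
```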