tarickb / sasl-xoauth2

SASL plugin for XOAUTH2

Postfix SASL authentication failed; cannot authenticate to GMail: transient failure (e.g., weak key) [sasl-xoauth2: auth failed] #48

Closed phesster closed 1 year ago

phesster commented 1 year ago

I am having difficulty authenticating with GMail. I have what I believe are valid access and refresh tokens but I am receiving the following (forgive the big paste, but I am hoping to provide sufficient information):

2022-10-06T17:16:19.798803+00:00 3f37bdb13e5a postfix/relay/smtp[522]: 1284417F5B3: SASL authentication failed; cannot authenticate to server smtp.gmail.com[74.125.136.108]: transient failure (e.g., weak key)
2022-10-06T17:16:19.799852+00:00 3f37bdb13e5a sasl-xoauth2: auth failed:
2022-10-06T17:16:19.799952+00:00 3f37bdb13e5a sasl-xoauth2: 2022-10-06 17:16:19: Client: created
2022-10-06T17:16:19.800008+00:00 3f37bdb13e5a sasl-xoauth2: 2022-10-06 17:16:19: Client::DoStep: called with state 0
2022-10-06T17:16:19.800057+00:00 3f37bdb13e5a sasl-xoauth2: 2022-10-06 17:16:19: Client::InitialStep: TriggerAuthNameCallback err=0
2022-10-06T17:16:19.800108+00:00 3f37bdb13e5a sasl-xoauth2: 2022-10-06 17:16:19: Client::InitialStep: TriggerPasswordCallback err=0
2022-10-06T17:16:19.800177+00:00 3f37bdb13e5a sasl-xoauth2: 2022-10-06 17:16:19: TokenStore::Read: file=/etc/tokens/sender.tokens.json
2022-10-06T17:16:19.800227+00:00 3f37bdb13e5a sasl-xoauth2: 2022-10-06 17:16:19: TokenStore::Read: refresh=1//0650qt9AnOIExCgYIARAAGAYSNwF-L9Ir35b1Ii_08nO54X-fCgJLBL9bkqPjK2vGu601J9X1iiWtrIR6zi-OHBXIKrN8kB70Gri, access=ya29.a0Aa4xrXMd7jEZ1hshZe7hDlpFAVXVQCCeBjFTTqK4qoUoNeVAMmJaapRO8NW-s1zzvAUx5CcMvDEM0MsQYNkAE_HZjm4Hsm8debzHCydf9s-vEPe1D5ton6xuF6RIGrZt6fRjCA06q93yJlmWlTyJzy52eJ1zAwaCgYKATASARASFQEjDvL9FIQPp3JmUkCIwDwMkoWZzq0165
2022-10-06T17:16:19.800284+00:00 3f37bdb13e5a sasl-xoauth2: 2022-10-06 17:16:19: Client::SendToken: response: user=@gmail#001auth=Bearer ya29.a0Aa4xrXMd7jEZ1hshZe7hDlpFAVXVQCCeBjFTTqK4qoUoNeVAMmJaapRO8NW-s1zzvAUx5CcMvDEM0MsQYNkAE_HZjm4Hsm8debzHCydf9s-vEPe1D5ton6xuF6RIGrZt6fRjCA06q93yJlmWlTyJzy52eJ1zAwaCgYKATASARASFQEjDvL9FIQPp3JmUkCIwDwMkoWZzq0165#001#001
2022-10-06T17:16:19.800378+00:00 3f37bdb13e5a sasl-xoauth2: 2022-10-06 17:16:19: Client::DoStep: new state 1 and err 0
2022-10-06T17:16:19.800425+00:00 3f37bdb13e5a sasl-xoauth2: 2022-10-06 17:16:19: Client::DoStep: called with state 1
2022-10-06T17:16:19.800468+00:00 3f37bdb13e5a sasl-xoauth2: 2022-10-06 17:16:19: Client::TokenSentStep: from server: {"status":"400","schemes":"Bearer","scope":"https://mail.google.com/"}
2022-10-06T17:16:19.800517+00:00 3f37bdb13e5a sasl-xoauth2: 2022-10-06 17:16:19: TokenStore::Refresh: attempt 1
2022-10-06T17:16:19.800562+00:00 3f37bdb13e5a sasl-xoauth2: 2022-10-06 17:16:19: TokenStore::Refresh: token_endpoint: https://accounts.google.com/o/oauth2/token
2022-10-06T17:16:19.800607+00:00 3f37bdb13e5a sasl-xoauth2: 2022-10-06 17:16:19: TokenStore::Refresh: request: client_id=558598160676-pl8h78kqddeehtrfs6nqn6h8roose4bn.apps.googleusercontent.com&client_secret=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&grant_type=refresh_token&refresh_token=1//0650qt9AnOIExCgYIARAAGAYSNwF-L9Ir35b1Ii_08nO54X-fCgJLBL9bkqPjK2vGu601J9X1iiWtrIR6zi-OHBXIKrN8kB70Gri
2022-10-06T17:16:19.800650+00:00 3f37bdb13e5a sasl-xoauth2: 2022-10-06 17:16:19: TokenStore::Refresh: code=200, response={#012 "access_token": "ya29.a0Aa4xrXM7293LEND51RT_I2vBFOhoxl3pPAzSX_fknYzhTlsk0xNxuVv44KADeh_Ze-_61s-w8V0ZRT-eU35vw2Tlbxfz_W-ZgeZTKvMKjRlTX8zTDXKjvt1VUgfLrJO3gpKFsr-4UDFqrLnydeAkgaCE5JqvcAaCgYKATASARMSFQEjDvL9qKwjudds-Tx6tS9LTrKz2q0165",#012 "expires_in": 3599,#012 "scope": "https://mail.google.com/",#012 "token_type": "Bearer"#012}
2022-10-06T17:16:19.800700+00:00 3f37bdb13e5a sasl-xoauth2: 2022-10-06 17:16:19: Client::DoStep: new state 1 and err -8
2022-10-06T17:16:19.800748+00:00 3f37bdb13e5a sasl-xoauth2: 2022-10-06 17:16:19: Client: destroyed
2022-10-06T17:16:49.824533+00:00 3f37bdb13e5a smtp: connect to smtp.gmail.com[2607:f8b0:4002:c00::6d]:587: Connection timed out

phesster commented 1 year ago

Please note that I have obfuscated the tokens and redacted the account name.

tarickb commented 1 year ago

The only real clue there is this:

Client::TokenSentStep: from server: {"status":"400","schemes":"Bearer","scope":"https://mail.google.com/"}

Can you tell me a little more about your Gmail setup? Are you using Google Workspace (formerly "Google Apps" or "GSuite")? Is the account that owns the client ID the same as the account you're trying to authenticate over SMTP?

phesster commented 1 year ago

No Google Workspace - just an old-fashioned (username@gmail.com) account. The account that owns the client_id is the same as the account I'm attempting to authenticate over SMTP. Additionally, the credentials I'm using are "In Production" and I've checked and re-checked to ensure the ID and Secret are accurate. In my efforts to troubleshoot, I have also confirmed via myaccount.google.com Security Settings that the Third-Party App credentials were granted access October 4, 7:35 PM and they're allowed to "Read, compose, send, and permanently delete all your email from Gmail. Send email on your behalf" (which is excessive - all I want is "send email on behalf"). I've attempted to create tokens with scope="https://www.googleapis.com/auth/gmail.send" but that was similarly fruitless.

phesster commented 1 year ago

Okay. Problem solved. The issue was actually in the "/etc/postfix/sasl_passwd" (which was hashed into a map). I used "username@gmail" when I should have used "username@gmail.com". The clue came from rereading the output and seeing " Client::SendToken: response: user=username@gmail#001auth=Bearer ya29...#001#001". I wondered why it wasn't sending the full account name. Oops. Mea Culpa!
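The root cause above is a truncated user field in sasl_passwd, which only surfaces in the log as `user=username@gmail#001auth=Bearer ...` and a `{"status":"400",...}` challenge from Gmail. The following is an added example, not code from sasl-xoauth2 or from anyone in this thread: it builds and parses the XOAUTH2 initial client response exactly as logged (the `#001` separators are `\x01` bytes), decodes the JSON error challenge, and lints a constructed sasl_passwd file so a missing `.com` is caught before Postfix reports an opaque "transient failure". The file layout `<host> <user>:<password>` is standard Postfix; the lint rule and sample lines are assumptions made here.

```python
import json
import re
from typing import Optional

SEP = "\x01"  # logged by syslog as #001


def build_xoauth2_response(user: str, access_token: str) -> bytes:
    """SASL XOAUTH2 initial client response: user=<u>^Aauth=Bearer <t>^A^A."""
    return f"user={user}{SEP}auth=Bearer {access_token}{SEP}{SEP}".encode()


def parse_xoauth2_response(payload: bytes) -> dict:
    """Split the ^A-separated key=value fields; the trailing ^A^A is ignored."""
    out = {}
    for field in payload.decode().split(SEP):
        if field:
            key, _, value = field.partition("=")
            out[key] = value
    return out


def parse_server_challenge(challenge: str) -> dict:
    """Decode the JSON error Gmail returns after rejecting the token."""
    data = json.loads(challenge)
    return {"status": int(data.get("status", 0)), "scope": data.get("scope")}


# A complete address needs a local part, '@', and a dotted domain.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_sasl_passwd_user(user: str) -> Optional[str]:
    """Return a problem description, or None if the user field looks complete."""
    if "@" not in user:
        return "user has no domain part"
    if not EMAIL_RE.match(user):
        return f"user {user!r} is not a full address (missing TLD?)"
    return None


def lint_sasl_passwd(text: str) -> list:
    """Lint Postfix sasl_passwd lines ('<host> <user>:<password>')."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            host, cred = line.split(None, 1)
        except ValueError:
            problems.append((lineno, "malformed line"))
            continue
        msg = check_sasl_passwd_user(cred.partition(":")[0])
        if msg:
            problems.append((lineno, f"{host}: {msg}"))
    return problems


# Constructed sample: line 2 reproduces the mistake from this issue.
SAMPLE_SASL_PASSWD = """# host user:password
[smtp.gmail.com]:587 username@gmail:placeholder-password
[smtp.gmail.com]:587 other.user@gmail.com:placeholder-password
"""

if __name__ == "__main__":
    for lineno, msg in lint_sasl_passwd(SAMPLE_SASL_PASSWD):
        print(f"sasl_passwd line {lineno}: {msg}")
```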

tarickb commented 1 year ago

Nice catch! I totally missed that looking through the logs. Glad you got it figured out and yes, I too would like a more-restricted scope for just sending mail...