[Feature Request] Support SASL XOAUTH2 for relay traffic #1062
Comments
Obtaining an OAuth token is almost certainly out of scope for this project.
Yes, @DemiMarie is right, there's no chance OAuth makes it into the daemon. However, it may be interesting to consider how this could be implemented outside of the daemon, in a filter for instance.
From what I can tell, the only change needed to OpenSMTPD is allowing the complete authentication command to be overridden. Edit: This works not just for OAuth2, but also for most other forms of authentication. The main exception I can think of is Kerberos/NTLMv2 with channel binding, which needs access to the TLS session to compute the auth command.
Having SASL support as an option would definitely be amazing, because tables on the filesystem alone are unfortunately not enough.
Authentication only needs to happen when a new session is opened, which is likely to be infrequent. Therefore, I suggest allowing a filter (run as a separate, non-privileged user) to handle the entire authentication sequence itself.
Dovecot supports OAuth2 authentication, so if Dovecot SASL support was implemented, this could be a way to indirectly support OAuth2 in OpenSMTPD (if you use Dovecot as your MDA).
I just blindly tried to authenticate with XOAUTH2 and it generated this kind of log:
I can see that the error message is raised by this piece of code: OpenSMTPD/usr.sbin/smtpd/smtp_session.c Lines 1832 to 1840 in 3e594d4
So, the only available auth methods are
It would not be enough; my proposal was to change the C source so as to make this possible. Dovecot SASL would be a good way to start.
This code is for incoming connections, yes? This issue was opened for outgoing relay connections.
For quite some years now I have been able to use postfix to authenticate to gmail as an outgoing relay, with 2FA enabled. This requires getting one of their "App passwords", one you can use instead of the regular password + 2FA token. It seems this should work with OpenSMTPD, cf. smtpd.conf(5).
This issue was opened specifically for support when app passwords were disabled (e.g. by an organization's IT policy). Please see the original request.
Excuse my ignorance, but isn't this authentication mechanism still needing a password (thus, an app password) anyway?
Anyway, the following might be helpful (it's postfix-specific, though): https://github.com/tarickb/sasl-xoauth2
Would this really be possible with filters? I have experimented with them a little just now and it seems they are able to intercept parts of the exchange between the client and It would be relatively easy to accomplish
Where
In the case of an actual XOAUTH2 auth script, it could start with I don't know how robust it would be like this. I am just brainstorming, kind of. Also wondering if I am missing something and this (or something close) is achievable by filters.
So Microsoft has disabled ALL basic auth. Thanks to a helpful tweet, https://twitter.com/laurencetratt/status/1630669159343304704, I now have mbsync retrieving and smtpd sending mail via oauth2. Side note:
In my case I only match for mail to a client or from the client's domain (me sending as an emailid on their server needs to relay through their server), so mine looks more like this:
IMAPAccount ms-johndoe IMAPStore ms-johndoe-remote MaildirStore ms-johndoe-local Channel ms-johndoe While it's not native smtpd oauth2 support, it "works" ;-)
Please consider support for outgoing SASL XOAUTH2 authentication for relay traffic. This seems required for gmail auth where password auth and "app passwords" are disabled. More here about gmail-specific implementation:
https://developers.google.com/gmail/imap/xoauth2-protocol#smtp_protocol_exchange
Thank you.
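The XOAUTH2 SMTP exchange linked above boils down to one base64 blob sent with `AUTH XOAUTH2`. The example below, which is added here and is not code from OpenSMTPD or from anyone in this thread, builds that initial client response the way Google's document specifies (`user=<user>^Aauth=Bearer <token>^A^A`, with `^A` being byte 0x01) and also parses and validates it from the server side, so you can see exactly what a relay would have to emit and what the receiving side checks. The account name and token value are constructed placeholders, not real credentials.

```python
import base64

# 0x01 is the field separator mandated by the XOAUTH2 format.
SEP = "\x01"
BEARER = "Bearer "


def build_xoauth2_initial_response(user: str, access_token: str) -> str:
    """Return the base64 initial client response for 'AUTH XOAUTH2 <resp>'.

    Wire format before base64: user=<user>\\x01auth=Bearer <token>\\x01\\x01
    """
    if SEP in user or SEP in access_token:
        # A stray 0x01 would let one field masquerade as another.
        raise ValueError("0x01 is not allowed inside user or token")
    raw = f"user={user}{SEP}auth={BEARER}{access_token}{SEP}{SEP}"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def smtp_auth_command(user: str, access_token: str) -> str:
    """The full SMTP command line a relaying MTA would send (CRLF omitted)."""
    return "AUTH XOAUTH2 " + build_xoauth2_initial_response(user, access_token)


def parse_xoauth2_initial_response(b64: str) -> dict:
    """Server-side decode of the initial response; raises ValueError if malformed.

    Returns {'user': ..., 'token': ...}. The token is returned opaque: validating
    it means presenting it to the OAuth provider, which is outside SMTP itself.
    """
    try:
        raw = base64.b64decode(b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("initial response is not valid base64/UTF-8") from exc
    if not raw.endswith(SEP + SEP):
        raise ValueError("missing terminating 0x01 0x01")
    fields = {}
    for field in raw[:-2].split(SEP):
        key, eq, value = field.partition("=")
        if not eq or not key:
            raise ValueError(f"malformed field {field!r}")
        if key in fields:
            raise ValueError(f"duplicate field {key!r}")
        fields[key] = value
    user = fields.get("user")
    auth = fields.get("auth")
    if not user or auth is None:
        raise ValueError("user and auth fields are required")
    if not auth.startswith(BEARER) or len(auth) == len(BEARER):
        raise ValueError("auth must be 'Bearer <token>'")
    return {"user": user, "token": auth[len(BEARER):]}


def is_malformed(b64: str) -> bool:
    """Convenience predicate for checking inputs the parser must reject."""
    try:
        parse_xoauth2_initial_response(b64)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed placeholder credentials, not a real account or token.
    demo_user = "someuser@example.com"
    demo_token = "ya29.PLACEHOLDER-ACCESS-TOKEN"
    line = smtp_auth_command(demo_user, demo_token)
    print("C:", line)
    print("S would decode to:", parse_xoauth2_initial_response(line.split()[2]))
```

Note that the blob is base64, not encryption: anyone who can read the SMTP stream can recover the bearer token, so the exchange only makes sense after STARTTLS (or on an implicit-TLS port), and logs of the `AUTH` line should be treated as credential material.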