Re: [S-mailx] Forcing attachments to base64 encoding

2022-10-03 Thread Steffen Nurpmeso
Hello John.

Steffen Nurpmeso wrote in
 <20220929164300.bw8t5%stef...@sdaoden.eu>:
 |JHolder wrote in
 | :
 ...
 ||Recently, I have run into a problem where CSV files with CRLF line 
 ||endings are getting mangled and arrive at the recipient with the 
 ||0x0D, 0x0A changed to three 0x0A characters.  I thought the easiest way 
 ||to solve this would be to force the attachments to base64, but I have 
 ||not been able to find the correct settings to make this happen.

I today have implemented such a thing, but it will require v14.10
(_hopefully_ around christmas).

base64 can be enforced by prefixing ! to a character set
specification:

   -a file[=[!]input-charset[#[!]output-charset]], --attach=..
  (Send mode) Attach file, subject to tilde expansion (see
  Filename transformations and folder).  In Compose mode the
  COMMAND ESCAPES ~@ and especially the scriptable ~^ provide
  alternatives for attaching files.

  If file is not accessible but contains an equal-sign `=' a
  character set specification is split off.  If only an input
  one is given it is fixated and no conversion is applied; an
  empty, or the special string hyphen-minus `-' means
  ttycharset.  If an output one is given the conversion is
  performed on-the-fly, not considering file type nor content;
  however, empty string or hyphen-minus `-' enforce the
  default Character sets conversion (`-a file', `-a file=#',
  and `-a file=-#-' are identical), later applied after MIME-
  classifying file (HTML mail and MIME attachments, The
  mime.types files).  Without `,+iconv,' in features only this
  mode is available.  The character set names may be prefixed
  with exclamation mark `!' to enforce base64 mime-encoding of
  the attachment.

  ...
 ||
 ||Could anyone point me in the direction I need to look to figure this out?
 |
 |This is an interesting point, John.
 |It is actually a feature, and we take quite some steps to get there!

This applies only to the saving side it seems.
When writing a test for the new feature i recognized that storing
the attachment in the message does, actually, not convert the
terminal newline sequence to the UNIX/POSIX one, i falsely
remembered this.  (But, it is rather by accident.)
When we then write the part out, however, we normalize.

 |Thanks for the suggestion, i will try to find a solution for it!

Even more cryptic magic.

 |Until then there is not much you can do, unfortunately, except
 |maybe packing these files with ZIP or anything else that is
 |understood on the Windows receiver side?[.]

I have to think about what more can or should be done.
But the above will do it, regardless the outcome.

You have been credited with the above mail, please complain if
this is not a good thing to do.

Thanks for the suggestion, John!

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
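
Added example, not part of the thread and not S-nail code: why forcing base64 addresses the CRLF problem reported above. Python's standard `email` package stands in for a mail client (an assumption; S-nail's own code paths differ), and the CSV bytes and addresses are constructed.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

CSV = b"id,name\r\n1,alice\r\n2,bob\r\n"   # constructed sample, CRLF endings


def send_and_extract(force_base64):
    """Attach the CSV, serialize the message, parse it back.

    Returns (content-transfer-encoding, attachment bytes as received).
    """
    msg = EmailMessage()
    msg["From"] = "sender@example.org"      # constructed addresses
    msg["To"] = "rcpt@example.org"
    msg["Subject"] = "report"
    msg.set_content("CSV attached.")
    if force_base64:
        # Bytes content is opaque to the library and is base64-encoded.
        msg.add_attachment(CSV, maintype="text", subtype="csv",
                           filename="report.csv")
    else:
        # Text content is split into lines and re-joined, so the original
        # line terminators are not part of what goes on the wire.
        msg.add_attachment(CSV.decode("ascii"), subtype="csv",
                           filename="report.csv")
    received = message_from_bytes(msg.as_bytes(), policy=policy.default)
    part = next(received.iter_attachments())
    cte = str(part["Content-Transfer-Encoding"])
    return cte, part.get_payload(decode=True)


def intact(data):
    """Receiver-side check against the digest of what the sender attached."""
    return hashlib.sha256(data).digest() == hashlib.sha256(CSV).digest()


if __name__ == "__main__":
    for forced in (False, True):
        cte, data = send_and_extract(forced)
        print("%-7s intact=%s %r" % (cte, intact(data), data))
```

Only the base64 part comes back byte-identical; the text part keeps its rows but not its CRLF terminators, so any digest or signature computed over the original file no longer verifies.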


Re: [S-mailx] OAuth 2.0 password helper for Google, Microsoft, Yandex

2022-10-03 Thread Steffen Nurpmeso
Stephen Isard wrote in
 <16061-1664826242-422...@sneakemail.com>:
 |
 |
 |On Mon, 3 Oct 2022, Stephen Isard wrote:
 |...
 |>   'invalid_client', 'error_description': "AADSTS70002: The provided client
 |>   is not supported for this feature. The client application must be
 |>   marked as 'mobile.
 |>
 |> I can't see how to mark the client registration as mobile.  Did "mobile"
 |> come up when you registered your client?
 |
 |Never mind. I've found it.  At the bottom of the "Authentication" menu 
 |page, there is
 |
 |   Allow public client flows
 |   Enable the following mobile and desktop flows:
 |   No keyboard (Device Code Flow)
 |
 |and you have to change the default "no" to "yes"

Yes!  But "Enable the following mobile and desktop flows:" i think
i have not read yet.

--steffen


Re: [S-mailx] OAuth 2.0 password helper for Google, Microsoft, Yandex

2022-10-03 Thread Steffen Nurpmeso
Hello Stephen.

Stephen Isard wrote in
 <15529-1664822950-583...@sneakemail.com>:
 |On Mon, 3 Oct 2022, Steffen Nurpmeso steffen-at-sdaoden.eu |s-nail| wrote:
 |...
 |>|For all I know, that might be a problem specific to office365 accounts
 |>|tied to organizations and someone with a personal Microsoft account
 |>|could be ok.  If any s-nail user has chosen on their own to use
 |>|Microsoft as their email provider, as opposed to being outsourced to
 |>|them by an organization, it would be interesting if they could check.
 |>
 |> I have two free accounts on outlook.com, and i can access without
 |> any problem with either.
 |
 |Good.

So far yes.

 |> So likely it is that your organization tries to avoid getting
 |> third party code behind some walls.  That however makes me wonder
 |> why your own id works without such trouble, then?
 |
 |Well, I set up the id when logged in to my organization account, so 
 |maybe that makes it ok?

I do not know, Stephen.  First real contact with Microsoft since
Windows 95B.  (Except that this laptop does have a Windows
partition, but merely five minutes therein.)
I would find it surprising that you then cannot set free the
application yourself, too.  As a normal user.

 |Unsurprisingly, I get the same unverified app message if I try to 
 |authorize with your account using flow=devicecode from an ssh login, 
 |where running a browser on the same machine is not practical.  However, 
 |when I try with my own client id and device id, I get a different error 
 |message:
 |
 |   'invalid_client', 'error_description': "AADSTS70002: The provided client
 |   is not supported for this feature. The client application must be
 |   marked as 'mobile.
 |
 |I can't see how to mark the client registration as mobile.  Did "mobile" 
 |come up when you registered your client?

This is a "Mobile and desktop applications", with "Allow public
client flows" enabled.  I have no publisher domain, that makes it
not verifiable, but i think i do not want to go further down this
road, it was which made Google say something between 15K$ and 75K$
will be needed...

One thing i noticed is that the application i created with the
fozzi-baer (the false) account had the very same tenant as the
one you gave me in private, whereas this now (the
sugar.in.the.morning one) has a different one.  But i have _no_
idea of tenants, and stumbling over the German variant of the
Microsoft manual i stopped reading because of dozens of
occurrences of the word "Mandanten", a total buzz.  (To me this
would have been "client", but even dict.cc hammers this one
through, specifically for software user groups.  Whatever.)

I am a bit out of ideas Stephen.

--steffen


Re: [S-mailx] OAuth 2.0 password helper for Google, Microsoft, Yandex

2022-10-03 Thread Stephen Isard




On Mon, 3 Oct 2022, Stephen Isard wrote:
...
>   'invalid_client', 'error_description': "AADSTS70002: The provided client
>   is not supported for this feature. The client application must be
>   marked as 'mobile.
>
> I can't see how to mark the client registration as mobile.  Did "mobile" come
> up when you registered your client?

Never mind. I've found it.  At the bottom of the "Authentication" menu
page, there is

  Allow public client flows
  Enable the following mobile and desktop flows:
  No keyboard (Device Code Flow)

and you have to change the default "no" to "yes"

Stephen Isard
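
Added example, not part of the thread and not taken from s-nail-oauth-helper.py: the token-polling half of the device code flow (RFC 8628) that `flow=devicecode` refers to, showing why an `invalid_client` reply such as AADSTS70002 has to stop the loop while `authorization_pending` and `slow_down` must not. `post`, `poll_for_token` and `fake_endpoint` are hypothetical names, and the endpoint replies are constructed.

```python
import time

GRANT = "urn:ietf:params:oauth:grant-type:device_code"   # RFC 8628, 3.4


class DeviceFlowError(Exception):
    pass


def poll_for_token(post, client_id, device_code, interval=5, expires_in=900,
                   sleep=time.sleep):
    """Poll the token endpoint until the user has approved, or fail.

    `post` is a hypothetical callable(form: dict) -> dict that returns the
    decoded JSON body of the token endpoint response.
    """
    waited = 0
    while waited < expires_in:
        sleep(interval)
        waited += interval
        rsp = post({"grant_type": GRANT, "client_id": client_id,
                    "device_code": device_code})
        err = rsp.get("error")
        if err is None:
            return rsp                  # carries access_token and friends
        if err == "authorization_pending":
            continue                    # user has not finished in the browser
        if err == "slow_down":
            interval += 5               # RFC 8628, 3.5
            continue
        # invalid_client, access_denied, expired_token, ...: polling again
        # cannot help, so surface the provider's description and stop.
        raise DeviceFlowError("%s: %s"
                              % (err, rsp.get("error_description", "")))
    raise DeviceFlowError("expired_token: device code lifetime exceeded")


def fake_endpoint(responses):
    """Constructed stand-in for a token endpoint: replays canned replies."""
    replies = iter(responses)
    return lambda form: next(replies)
```

A public client sends no client secret in this request, which is why the registration has to allow public client flows before the provider accepts it.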


Re: [S-mailx] OAuth 2.0 password helper for Google, Microsoft, Yandex

2022-10-03 Thread Stephen Isard

On Mon, 3 Oct 2022, Steffen Nurpmeso steffen-at-sdaoden.eu |s-nail| wrote:
...
> |For all I know, that might be a problem specific to office365 accounts
> |tied to organizations and someone with a personal Microsoft account
> |could be ok.  If any s-nail user has chosen on their own to use
> |Microsoft as their email provider, as opposed to being outsourced to
> |them by an organization, it would be interesting if they could check.
>
> I have two free accounts on outlook.com, and i can access without
> any problem with either.

Good.

> So likely it is that your organization tries to avoid getting
> third party code behind some walls.  That however makes me wonder
> why your own id works without such trouble, then?

Well, I set up the id when logged in to my organization account, so
maybe that makes it ok?

Unsurprisingly, I get the same unverified app message if I try to
authorize with your account using flow=devicecode from an ssh login,
where running a browser on the same machine is not practical.  However,
when I try with my own client id and device id, I get a different error
message:

  'invalid_client', 'error_description': "AADSTS70002: The provided client
  is not supported for this feature. The client application must be
  marked as 'mobile.

I can't see how to mark the client registration as mobile.  Did "mobile"
come up when you registered your client?


Stephen Isard


Re: [S-mailx] OAuth 2.0 password helper for Google, Microsoft, Yandex

2022-10-03 Thread Steffen Nurpmeso
Hello.

[Josef, i Cc: you again, since Stephen found a test leftover that
makes the script essentially useless.]

Stephen Isard wrote in
 <3876-1664733894-101...@sneakemail.com>:
 |A couple of snags:
 |
 |On Sun, 2 Oct 2022, Steffen Nurpmeso steffen-at-sdaoden.eu |s-nail| wrote:
 |
 |>  _If_ you only have one account at a service provider, say,
 |>  Google, then all you need to do to get yourself going is:
 |>
 |># s-nail-oauth-helper.y --resource CONFIG-PATH --provider Yandex
 |
 |Typo: s-nail-oauth-helper.py --resource CONFIG-PATH --provider Google 
 |:-)

Now too late.

 |More seriously, in the definition of act_authorize in the python script
 |
 |def act_authorize(args, cfg, dt): #{{{
 |   global auth_code
 |   print('* OAuth 2.0 RFC 6749, 4.1.1. Authorization Request', file=sys.stderr)
 |   e = False
 |   for k in client.keys():
 |      if k != 'refresh_token' and k != 'access_token' \
 |            and not cfg.get(k) and client.get(k, '.') == '':
 |         print('! Missing client key: %s' % k, file=sys.stderr)
 |         e = True
 |   if e:
 |      print('PANIC: configuration incomplete or invalid', file=sys.stderr)
 |      return EX_DATAERR
 |
 |   return EX_OK

ouch!!

 |The return line occurs too early.  It causes the script to finish 
 |without doing anything.  Commenting it out lets authorization go ahead.

Yes.  One last testing round with the new --hook thing was not
completely undone!  The updated version is attached.

Thanks for noticing!

 |Also, when I try to authorize using the Microsoft client id that the 
 |script puts into the config file during --action=template, I get an 
 |error page from Microsoft with the text:
 |
 |myname@myorganization
 |Need admin approval
 |unverified
 |This app may be risky. If you trust this app, please ask your admin to 
 |grant you access. Learn more
 |Have an admin account? Sign in with that account
 |Return to the application without granting consent
 |
 |If I edit in my own client_id, obtained by following the Mutt advice 
 |that you quote, then all is well and I get authorized successfully.

Hm.

 |For all I know, that might be a problem specific to office365 accounts 
 |tied to organizations and someone with a personal Microsoft account 
 |could be ok.  If any s-nail user has chosen on their own to use 
 |Microsoft as their email provider, as opposed to being outsourced to 
 |them by an organization, it would be interesting if they could check.

I have two free accounts on outlook.com, and i can access without
any problem with either.
So likely it is that your organization tries to avoid getting
third party code behind some walls.  That however makes me wonder
why your own id works without such trouble, then?  Does not make
much sense since most attacks come from the inside do they?
I have _no_ idea on what to do.

Thanks for the above.  Please find the corrected script attached.

Ciao!

--steffen

#!/usr/bin/env python3
#@ Create and update OAuth2 access tokens (for S-nail).
#
# 2022 Steffen Nurpmeso
# Public Domain

# Empty and no builtin configs
VAL_NAME = 'S-nail'

import argparse
import base64
from datetime import datetime as dati
import http.server
import json
import os
import pickle
import socket
import subprocess
import sys
import time
from urllib.error import HTTPError
from urllib.parse import urlencode, urlparse, parse_qs
from urllib.request import urlopen

EX_OK = 0
EX_USAGE = 64
EX_DATAERR = 65
EX_NOINPUT = 66
EX_SOFTWARE = 70
EX_CANTCREAT = 73
EX_TEMPFAIL = 75

# Note: we use .keys() for configuration checks: all providers need _all_ keys.
providers = { #{{{
   'Google': {
      'authorize_endpoint': 'https://accounts.google.com/o/oauth2/auth',
      'devicecode_endpoint': 'https://oauth2.googleapis.com/device/code',
      'devicecode_grant_type': None,
      'token_endpoint': 'https://accounts.google.com/o/oauth2/token',
      'redirect_uri': 'urn:ietf:wg:oauth:2.0:oob',
      'tenant': None,
      'scope': 'https://mail.google.com/',
      'flow': 'redirect',
      'flow_redirect_uri_port_fixed': None
   },
   'Microsoft': {
      'authorize_endpoint':
         'https://login.microsoftonline.com/common/oauth2/v2.0/authorize',
      'devicecode_endpoint':
         'https://login.microsoftonline.com/common/oauth2/v2.0/devicecode',
      'devicecode_grant_type': None,
      'token_endpoint':
         'https://login.microsoftonline.com/common/oauth2/v2.0/token',
      'redirect_uri':
         'https://login.microsoftonline.com/common/oauth2/nativeclient',
      'tenant': 'common',
      'scope': (
         'offline_access https://outlook.office.com/IMAP.AccessAsUser.All '
         'https://outlook.office.com/POP.AccessAsUser.All '
         'https://outlook.office.com/SMTP.Send'
      ),
      'flow':

Re: [S-mailx] OAuth 2.0 password helper for Google, Microsoft, Yandex

2022-10-03 Thread Steffen Nurpmeso
Steffen Nurpmeso wrote in
 <20221002001524.umx8j%stef...@sdaoden.eu>:
 ...
 |Due to week long prodding of Stephen Isard in private i moved my
 |stupid ass to get the stuff done, at least a bit.

P.S.: he also tested and gave feedback.  And he convinced me that
it is really possible to create a Microsoft client_id that is
usable by everyone, i was just doing it wrong.

--steffen