Re: dovecot lmtp and smtputf8
Using the changes described in this pull request https://github.com/dovecot/core/pull/190, you can add the SMTPUTF8 capability to the Dovecot LMTP server. Work on the patch is still in progress, and UTF8 support is not complete. However, you can use the following trick: enable SMTPUTF8 support in Postfix, but set up the addresses that contain UTF8 characters as aliases, so that the final recipient address doesn't contain UTF8 characters. Even in this case, on the LMTP side you need to announce the UTF8 capability, which will be possible if you apply the changes from the pull request.

___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
Re: OAUTH2 tokeninfo is doing a GET instead of a POST request
Am 2023-10-24 15:14, schrieb Aki Tuomi:
> On 24/10/2023 15:49 EEST Alexander Leidinger via dovecot wrote:
>> Am 2023-10-23 08:43, schrieb Aki Tuomi:
>>> Don't set tokeninfo url if you require POST query. It's not mandatory
>>> to set all endpoints.
>>
>> If I comment out the tokeninfo_url (the rest the same as in the working
>> config below in the quote), I get the error message "oauth2 failed:
>> Introspection failed: No username returned" from dovecot.
>>
>>> Also if you are using jwt, you can also opt to do local validation
>>> instead.
>>
>> What should a config look like for this? From
>> https://doc.dovecot.org/configuration_manual/authentication/oauth2/ I'm
>> not sure what to do.
>>
>> Would it be:
>> - introspection_mode = local
>> - local_validation_key_dict = ...
>> - switching the oidc provider to jwt
>> - downloading the cert from the oidc server and putting it into the
>>   key-dict
>> ?
>
> Yep. As in the example in docs.

Doesn't work. Not even a trace in the debug log. The webmail package
(roundcube) didn't finish the sasl auth:
---snip---
imap-login: Disconnected: Connection closed (client didn't finish SASL auth, waited 6 secs): user=<...@...>, method=XOAUTH2,...
---snip---

In the example there is "typ":"JWT" which I don't have:
---snip---
"keys": [
  {
    "kid": "4ED...more...vi7umzYdS4",
    "kty": "RSA",
    "alg": "RS256",
    "use": "sig",
    "n": "pj0BLB...more...Q",
    "e": "AQAB",
    "x5c": [
      "MIICoTCCA...much_more...o8M0a6VE="
    ],
    "x5t": "yeW...more...z2mnh4",
    "x5t#S256": "f37pijf...more...VIF5FHMlYHbBn0"
  },
---snip---

The above is from the "jwks_uri" endpoint as per the
.well-known/openid-configuration. There is no other URL which lists "kid"s.

I created the /path/to/keys/RS256/4ED...more...vi7umzYdS4 with the content
MIICoTCCA...much_more...o8M0a6VE= owned and accessible by the dovecot user.

There is a second key with:
---snip---
"alg": "RSA-OAEP",
"use": "enc",
---snip---
As this is not listed as supported, I didn't create an entry in the dict
for this.

Bye,
Alexander.

>> Do I still need the openid_configuration_url and introspection_url?
>> client_secret can go in this case I assume.
>
> You should probably leave client_id there. But you do not need the rest.
> openid_configuration_url is presented to clients as oidc discovery url.
>
> Aki
>
>> Bye,
>> Alexander.
>>
>>> Aki
>>>
>>>> On 17/10/2023 16:03 EEST Alexander Leidinger via dovecot wrote:
>> [...]
>>>> The working but not really up to the OIDC spec dovecot config is:
>>>> [...]
>>
>> --
>> http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
>> http://www.FreeBSD.org netch...@freebsd.org : PGP 0x8F31830F9F2772BF

--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netch...@freebsd.org : PGP 0x8F31830F9F2772BF
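An added example, not Dovecot's code and not something posted in the thread: a script that turns the RSA signing keys of a JWKS document into the per-key files a Dovecot local_validation_key_dict of the form `fs:posix:prefix=<dir>/` looks up under `<alg>/<kid>`, and that maps a JWT header to the file Dovecot would consult. The script builds a PEM-encoded SubjectPublicKeyInfo from the JWK's `n` and `e` members; the Dovecot docs describe PEM public keys for RS keys, which is assumed here (check the docs for your version). The `x5c` member of a JWK is a base64 DER X.509 certificate, a different object from that public key, and the thread does not settle whether Dovecot loads it as-is. Everything in it is constructed: the JWKS (the modulus is a made-up value far too short for real use), the kid values, the issuer, and the token, which is unsigned and only exercises the header lookup. The path checks on `kid` are the script's own, since a kid becomes a file name.

```python
"""Build a Dovecot <alg>/<kid> key dict from a JWKS and resolve a JWT's key file.

Added example (not Dovecot project code). Assumes the dict layout
local_validation_key_dict = fs:posix:prefix=<root>/ with one PEM public key
per file at <root>/<alg>/<kid>.
"""
import base64
import json
import os
import re
from pathlib import Path

SUPPORTED_RSA_ALGS = ("RS256", "RS384", "RS512")
# DER: SEQUENCE { OID 1.2.840.113549.1.1.1 (rsaEncryption), NULL }
RSA_ENCRYPTION_ALGID = bytes.fromhex("300d06092a864886f70d0101010500")
SAFE_KID = re.compile(r"[A-Za-z0-9_.-]+")


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Constructed sample JWKS (not a real provider document). Key 1 is the kind of
# RS256 "sig" key local validation uses; key 2 mirrors the RSA-OAEP "enc" key
# from the thread, which is skipped; key 3 carries a hostile kid.
_FAKE_N = b64url_encode(bytes.fromhex(
    "c35fe3a17b0d4e2f9a8c6b5d4e3f2a1b0c9d8e7f6a5b4c3d2e1f0a9b8c7d6e5f"))
SAMPLE_JWKS = {"keys": [
    {"kid": "example-kid-1", "kty": "RSA", "alg": "RS256", "use": "sig", "n": _FAKE_N, "e": "AQAB"},
    {"kid": "example-kid-2", "kty": "RSA", "alg": "RSA-OAEP", "use": "enc", "n": _FAKE_N, "e": "AQAB"},
    {"kid": "../../etc/evil", "kty": "RSA", "alg": "RS256", "use": "sig", "n": _FAKE_N, "e": "AQAB"},
]}


def der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def der_integer(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:  # a positive INTEGER must not start with the high bit set
        body = b"\x00" + body
    return der_tlv(0x02, body)


def rsa_jwk_to_spki_der(jwk: dict) -> bytes:
    """SubjectPublicKeyInfo DER for an RSA JWK (PKCS#1 RSAPublicKey inside a BIT STRING)."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    rsa_public_key = der_tlv(0x30, der_integer(n) + der_integer(e))
    return der_tlv(0x30, RSA_ENCRYPTION_ALGID + der_tlv(0x03, b"\x00" + rsa_public_key))


def der_to_pem(der: bytes, label: str = "PUBLIC KEY") -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def select_signing_keys(jwks: dict, supported=SUPPORTED_RSA_ALGS) -> list:
    """RSA keys usable for signature checks: supported alg and use "sig" (an
    RSA-OAEP "enc" key is an encryption key and is left out, as in the thread)."""
    return [k for k in jwks.get("keys", [])
            if k.get("kty") == "RSA" and k.get("alg") in supported
            and k.get("use", "sig") == "sig" and "n" in k and "e" in k]


def safe_kid(kid: str) -> bool:
    # kid becomes a file name under <alg>/: refuse separators, ".." and dotfiles
    return bool(kid) and SAFE_KID.fullmatch(kid) is not None and not kid.startswith(".")


def write_key_dict(jwks: dict, root) -> list:
    """Write <root>/<alg>/<kid> PEM files; return the relative paths written."""
    root = Path(root)
    written = []
    for jwk in select_signing_keys(jwks):
        kid = jwk.get("kid", "")
        if not safe_kid(kid):
            continue  # a provider-supplied kid must never choose the path
        target = root / jwk["alg"] / kid
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(der_to_pem(rsa_jwk_to_spki_der(jwk)))
        os.chmod(target, 0o640)  # chown to the dovecot user is left to the operator
        written.append(f"{jwk['alg']}/{kid}")
    return written


def jwt_header(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[0]))


def token_key_path(token: str, root: str, supported=SUPPORTED_RSA_ALGS) -> str:
    """Dict path for this token's alg/kid, with the same checks as write_key_dict."""
    hdr = jwt_header(token)
    alg, kid = hdr.get("alg"), hdr.get("kid", "")
    if alg not in supported:  # rejects alg "none" and anything outside the RS family
        raise ValueError(f"unsupported alg {alg!r}")
    if not safe_kid(kid):
        raise ValueError(f"unsafe kid {kid!r}")
    return f"{root.rstrip('/')}/{alg}/{kid}"


def make_unsigned_token(header: dict, payload: dict) -> str:
    """Constructed token with a dummy signature: fine for header lookup, and it
    would (correctly) fail signature validation."""
    seg = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{seg(header)}.{seg(payload)}.{b64url_encode(b'not-a-real-signature')}"


SAMPLE_TOKEN = make_unsigned_token(
    {"alg": "RS256", "kid": "example-kid-1", "typ": "JWT"},
    {"email": "user@example.test", "iss": "https://oauth2.example.test/realms/MyRealm"})


def demo() -> list:
    """Write the sample JWKS into a temporary dict and return what was written."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        written = write_key_dict(SAMPLE_JWKS, d)
        print("lookup:", token_key_path(SAMPLE_TOKEN, d))
        print((Path(d) / "RS256" / "example-kid-1").read_text())
        return written


if __name__ == "__main__":
    print("written:", demo())
```

To check a generated file parses as a public key before pointing Dovecot at it, run it through `openssl pkey -pubin -in /etc/dovecot/keys/RS256/<kid> -noout -text` (path assumed). The kid filter matters because the JWKS is fetched from a remote party: without it, a kid such as `../../etc/evil` would be joined straight into the key directory path.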
Re: OAUTH2 tokeninfo is doing a GET instead of a POST request
> On 24/10/2023 15:49 EEST Alexander Leidinger via dovecot wrote:
>
> Am 2023-10-23 08:43, schrieb Aki Tuomi:
> > Don't set tokeninfo url if you require POST query. It's not mandatory
> > to set all endpoints.
>
> If I comment out the tokeninfo_url (the rest the same as in the working
> config below in the quote), I get the error message "oauth2 failed:
> Introspection failed: No username returned" from dovecot.
>
> > Also if you are using jwt, you can also opt to do local validation
> > instead.
>
> What should a config look like for this? From
> https://doc.dovecot.org/configuration_manual/authentication/oauth2/ I'm
> not sure what to do.
>
> Would it be:
> - introspection_mode = local
> - local_validation_key_dict = ...
> - switching the oidc provider to jwt
> - downloading the cert from the oidc server and putting it into the
>   key-dict
> ?

Yep. As in the example in docs.

> Do I still need the openid_configuration_url and introspection_url?
> client_secret can go in this case I assume.

You should probably leave client_id there. But you do not need the rest.
openid_configuration_url is presented to clients as oidc discovery url.

Aki

> Bye,
> Alexander.
>
> > Aki
> >
> >> On 17/10/2023 16:03 EEST Alexander Leidinger via dovecot wrote:
> [...]
> >> The working but not really up to the OIDC spec dovecot config is:
> >> [...]
>
> --
> http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
> http://www.FreeBSD.org netch...@freebsd.org : PGP 0x8F31830F9F2772BF
Re: OAUTH2 tokeninfo is doing a GET instead of a POST request
Am 2023-10-23 08:43, schrieb Aki Tuomi:
> Don't set tokeninfo url if you require POST query. It's not mandatory
> to set all endpoints.

If I comment out the tokeninfo_url (the rest the same as in the working
config below in the quote), I get the error message "oauth2 failed:
Introspection failed: No username returned" from dovecot.

> Also if you are using jwt, you can also opt to do local validation
> instead.

What should a config look like for this? From
https://doc.dovecot.org/configuration_manual/authentication/oauth2/ I'm
not sure what to do.

Would it be:
- introspection_mode = local
- local_validation_key_dict = ...
- switching the oidc provider to jwt
- downloading the cert from the oidc server and putting it into the
  key-dict
?

Do I still need the openid_configuration_url and introspection_url?
client_secret can go in this case I assume.

Bye,
Alexander.

> Aki
>
>> On 17/10/2023 16:03 EEST Alexander Leidinger via dovecot wrote:
[...]
>> The working but not really up to the OIDC spec dovecot config is:
>>
>> auth-oauth2.token.conf.ext:
>> ---snip---
>> openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
>> #tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/Leidinger/protocol/openid-connect/token
>> tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?trash=
>> introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
>> introspection_mode = auth
>> #active_attribute = active
>> #active_value = true
>> client_id = myid
>> client_secret = mysecret
>> use_grant_password = no
>> #debug = yes
>> username_attribute = email
>> pass_attrs = pass=%{oauth2:access_token}
>> ---snip---
>>
>> auth-oauth2.plain.conf.ext:
>> ---snip---
>> openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
>> #tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token
>> tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?trash=
>> introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
>> introspection_mode = auth
>> #active_attribute = active
>> #active_value = true
>> client_id = myid
>> client_secret = mysecret
>> use_grant_password = yes
>> #debug = yes
>> username_attribute = email
>> pass_attrs = host= proxy=y proxy_mech=xoauth2 pass=%{oauth2:access_token}
>> ---snip---

--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netch...@freebsd.org : PGP 0x8F31830F9F2772BF
Re: [ext] dovecot 2.0 supports EC private key?
* Marc :
> Does dovecot 2.0 support EC private keys?

Yes:

# Certbot RSA
ssl_cert =

https://www.charite.de