Re: dovecot lmtp and smtputf8

2023-10-24 Thread k v
Using the changes described in this pull request 
https://github.com/dovecot/core/pull/190, you can add SMTPUTF8 capability to 
the Dovecot LMTP server. Work on the patch is still in progress, and UTF8 
support is not complete. However, you can use the following trick:

Enable SMTPUTF8 support in Postfix, but make emails with UTF8 characters as 
aliases so that the final recipient doesn't have UTF8 characters. Even in this 
case, on the LMTP side, you need to announce the UTF8 capability, which will be 
possible if you apply the changes from the pull request.
___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org


Re: OAUTH2 tokeninfo is doing a GET instead of a POST request

2023-10-24 Thread Alexander Leidinger via dovecot

On 2023-10-24 15:14, Aki Tuomi wrote:
On 24/10/2023 15:49 EEST Alexander Leidinger via dovecot wrote:



On 2023-10-23 08:43, Aki Tuomi wrote:
> Don't set tokeninfo url if you require POST query. It's not mandatory
> to set all endpoints.

If I comment out the tokeninfo_url (the rest the same as in the working
config below in the quote), I get the error message "oauth2 failed:
Introspection failed: No username returned" from dovecot.

> Also if you are using jwt, you can also opt to do local validation
> instead.

How should a config look like for this? From
https://doc.dovecot.org/configuration_manual/authentication/oauth2/ I'm
not sure what to do.

Would it be:
- introspection_mode = local
- local_validation_key_dict = ...
- switching the oidc provider to jwt
- downloading the cert from the oidc server and putting it into the
key-dict
?


Yep. As in the example in docs.


Doesn't work. Not even a trace in the debug log. The webmail package 
(roundcube) didn't finish the sasl auth:

---snip---
imap-login: Disconnected: Connection closed (client didn't finish SASL 
auth, waited 6 secs): user=<...@...>, method=XOAUTH2,...

---snip---

In the example there is "typ":"JWT" which I don't have:
---snip---
"keys": [
{
"kid": "4ED...more...vi7umzYdS4",
"kty": "RSA",
"alg": "RS256",
"use": "sig",
"n": "pj0BLB...more...Q",
"e": "AQAB",
"x5c": [
"MIICoTCCA...much_more...o8M0a6VE="
],
"x5t": "yeW...more...z2mnh4",
"x5t#S256": "f37pijf...more...VIF5FHMlYHbBn0"
},
---snip---

The above is from the "jwks_uri" endpoint as per the 
.well-known/openid-configuration. There is no other URL which lists 
"kid"s.


I created the /path/to/keys/RS256/4ED...more...vi7umzYdS4 with the 
content MIICoTCCA...much_more...o8M0a6VE= owned and accessible by the 
dovecot user.


There is a second key with:
---snip---
"alg": "RSA-OAEP",
"use": "enc",
---snip---
As this is not listed as supported, I didn't create an entry in the dict 
for this.


Bye,
Alexander.


Do I still need the openid_configuration_url and introspection_url?
client_secret can go in this case I assume.



You should probably leave client_id there. But you do not need the 
rest. openid_configuration_url is presented to clients as oidc 
discovery url.


Aki


Bye,
Alexander.

> Aki
>
>> On 17/10/2023 16:03 EEST Alexander Leidinger via dovecot wrote:
[...]
>> The working but not really up to the OIDC spec dovecot config is:
>>
>> auth-oauth2.token.conf.ext:
>> ---snip---
>> openid_configuration_url =
>> https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
>> #tokeninfo_url =
>> https://oauth2.domain.tld/realms/MyRealm/Leidinger/protocol/openid-connect/token
>> tokeninfo_url =
>> https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?trash=
>> introspection_url =
>> https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
>> introspection_mode = auth
>> #active_attribute = active
>> #active_value = true
>> client_id = myid
>> client_secret = mysecret
>> use_grant_password = no
>> #debug = yes
>> username_attribute = email
>> pass_attrs = pass=%{oauth2:access_token}
>> ---snip---
>>
>> auth-oauth2.plain.conf.ext:
>> ---snip---
>> openid_configuration_url =
>> https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
>> #tokeninfo_url =
>> https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token
>> tokeninfo_url =
>> https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?trash=
>> introspection_url =
>> https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
>> introspection_mode = auth
>> #active_attribute = active
>> #active_value = true
>> client_id = myid
>> client_secret = mysecret
>> use_grant_password = yes
>> #debug = yes
>> username_attribute = email
>> pass_attrs = host= proxy=y proxy_mech=xoauth2
>> pass=%{oauth2:access_token}
>> ---snip---



--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netch...@freebsd.org  : PGP 0x8F31830F9F2772BF


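The messages above hand-build a key dict entry from the provider's jwks_uri document: the "x5c" member carries an X.509 certificate, while the "n" and "e" members carry the RSA public key parameters themselves. The following added example (not from the thread, not Dovecot's code) selects the signing keys from a JWKS, skips the RSA-OAEP "use": "enc" key, derives the <alg>/<kid> path the poster used, and encodes n/e as a PEM SubjectPublicKeyInfo. It assumes, as an assumption and not a fact from the thread, that each key file is expected to hold a PEM public key; the kids and the modulus are constructed values.

```python
import base64
import os

# Constructed JWKS standing in for the jwks_uri response discussed in the thread: one RS256
# signing key and one RSA-OAEP encryption key. The modulus is a made-up number, not a real
# key, so the output only demonstrates the encoding and the <alg>/<kid> file layout.
_FAKE_N = (1 << 2047) | 12345  # 2048-bit value with the top bit set, like a real modulus
_N_B64 = base64.urlsafe_b64encode(_FAKE_N.to_bytes(256, "big")).rstrip(b"=").decode()
SAMPLE_JWKS = {"keys": [
    {"kid": "sig-key-1", "kty": "RSA", "alg": "RS256", "use": "sig", "n": _N_B64, "e": "AQAB"},
    {"kid": "enc-key-1", "kty": "RSA", "alg": "RSA-OAEP", "use": "enc", "n": _N_B64, "e": "AQAB"},
]}

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # JWK base64url has no padding

def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV with short- or long-form definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_uint(v: int) -> bytes:
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return _der(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)  # keep INTEGER non-negative

def signing_keys(jwks: dict) -> list:
    """RSA keys usable for RS* signature checks; 'use': 'enc' (RSA-OAEP) keys are skipped."""
    return [k for k in jwks["keys"] if k.get("kty") == "RSA"
            and k.get("use", "sig") == "sig" and k.get("alg", "").startswith("RS")]

def jwk_to_spki_der(jwk: dict) -> bytes:
    """SubjectPublicKeyInfo(rsaEncryption) built from the JWK's n and e members."""
    rsa_pub = _der(0x30, _der_uint(int.from_bytes(_b64url_decode(jwk["n"]), "big"))
                   + _der_uint(int.from_bytes(_b64url_decode(jwk["e"]), "big")))
    alg_id = bytes.fromhex("300d06092a864886f70d0101010500")  # SEQUENCE { rsaEncryption, NULL }
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_pub))

def jwk_to_pem(jwk: dict) -> str:
    b64 = base64.b64encode(jwk_to_spki_der(jwk)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

def key_dict_path(key_dir: str, jwk: dict) -> str:
    """<key_dir>/<alg>/<kid>; refuse kids that could escape the key directory."""
    if "/" in jwk["kid"] or jwk["kid"] in ("", ".", ".."):
        raise ValueError("unsafe kid")
    return os.path.join(key_dir, jwk["alg"], jwk["kid"])
```

Writing `jwk_to_pem(k)` to `key_dict_path("/path/to/keys", k)` for each key in `signing_keys(jwks)` produces the layout the poster described; any key with a kid containing a path separator is rejected rather than written.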


Re: OAUTH2 tokeninfo is doing a GET instead of a POST request

2023-10-24 Thread Aki Tuomi via dovecot


> On 24/10/2023 15:49 EEST Alexander Leidinger via dovecot wrote:
> 
> On 2023-10-23 08:43, Aki Tuomi wrote:
> > Don't set tokeninfo url if you require POST query. It's not mandatory 
> > to set all endpoints.
> 
> If I comment out the tokeninfo_url (the rest the same as in the working 
> config below in the quote), I get the error message "oauth2 failed: 
> Introspection failed: No username returned" from dovecot.
> 
> > Also if you are using jwt, you can also opt to do local validation 
> > instead.
> 
> How should a config look like for this? From 
> https://doc.dovecot.org/configuration_manual/authentication/oauth2/ I'm 
> not sure what to do.
> 
> Would it be:
> - introspection_mode = local
> - local_validation_key_dict = ...
> - switching the oidc provider to jwt
> - downloading the cert from the oidc server and putting it into the 
> key-dict
> ?

Yep. As in the example in docs.

> 
> Do I still need the openid_configuration_url and introspection_url? 
> client_secret can go in this case I assume.
> 

You should probably leave client_id there. But you do not need the rest. 
openid_configuration_url is presented to clients as oidc discovery url.

Aki

> Bye,
> Alexander.
> 
> > Aki
> > 
> >> On 17/10/2023 16:03 EEST Alexander Leidinger via dovecot wrote:
> [...]
> >> The working but not really up to the OIDC spec dovecot config is:
> >> 
> >> auth-oauth2.token.conf.ext:
> >> ---snip---
> >> openid_configuration_url =
> >> https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
> >> #tokeninfo_url =
> >> https://oauth2.domain.tld/realms/MyRealm/Leidinger/protocol/openid-connect/token
> >> tokeninfo_url =
> >> https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?trash=
> >> introspection_url =
> >> https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
> >> introspection_mode = auth
> >> #active_attribute = active
> >> #active_value = true
> >> client_id = myid
> >> client_secret = mysecret
> >> use_grant_password = no
> >> #debug = yes
> >> username_attribute = email
> >> pass_attrs = pass=%{oauth2:access_token}
> >> ---snip---
> >> 
> >> auth-oauth2.plain.conf.ext:
> >> ---snip---
> >> openid_configuration_url =
> >> https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
> >> #tokeninfo_url =
> >> https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token
> >> tokeninfo_url =
> >> https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?trash=
> >> introspection_url =
> >> https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
> >> introspection_mode = auth
> >> #active_attribute = active
> >> #active_value = true
> >> client_id = myid
> >> client_secret = mysecret
> >> use_grant_password = yes
> >> #debug = yes
> >> username_attribute = email
> >> pass_attrs = host= proxy=y proxy_mech=xoauth2
> >> pass=%{oauth2:access_token}
> >> ---snip---
> 
> -- 
> http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
> http://www.FreeBSD.org netch...@freebsd.org  : PGP 0x8F31830F9F2772BF


Re: OAUTH2 tokeninfo is doing a GET instead of a POST request

2023-10-24 Thread Alexander Leidinger via dovecot

On 2023-10-23 08:43, Aki Tuomi wrote:
Don't set tokeninfo url if you require POST query. It's not mandatory 
to set all endpoints.


If I comment out the tokeninfo_url (the rest the same as in the working 
config below in the quote), I get the error message "oauth2 failed: 
Introspection failed: No username returned" from dovecot.


Also if you are using jwt, you can also opt to do local validation 
instead.


How should a config look like for this? From 
https://doc.dovecot.org/configuration_manual/authentication/oauth2/ I'm 
not sure what to do.


Would it be:
- introspection_mode = local
- local_validation_key_dict = ...
- switching the oidc provider to jwt
- downloading the cert from the oidc server and putting it into the 
key-dict

?

Do I still need the openid_configuration_url and introspection_url? 
client_secret can go in this case I assume.


Bye,
Alexander.


Aki

On 17/10/2023 16:03 EEST Alexander Leidinger via dovecot wrote:

[...]

The working but not really up to the OIDC spec dovecot config is:

auth-oauth2.token.conf.ext:
---snip---
openid_configuration_url =
https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
#tokeninfo_url =
https://oauth2.domain.tld/realms/MyRealm/Leidinger/protocol/openid-connect/token
tokeninfo_url =
https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?trash=
introspection_url =
https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
introspection_mode = auth
#active_attribute = active
#active_value = true
client_id = myid
client_secret = mysecret
use_grant_password = no
#debug = yes
username_attribute = email
pass_attrs = pass=%{oauth2:access_token}
---snip---

auth-oauth2.plain.conf.ext:
---snip---
openid_configuration_url =
https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
#tokeninfo_url =
https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token
tokeninfo_url =
https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?trash=
introspection_url =
https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
introspection_mode = auth
#active_attribute = active
#active_value = true
client_id = myid
client_secret = mysecret
use_grant_password = yes
#debug = yes
username_attribute = email
pass_attrs = host= proxy=y proxy_mech=xoauth2
pass=%{oauth2:access_token}
---snip---


--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netch...@freebsd.org  : PGP 0x8F31830F9F2772BF




Re: [ext] dovecot 2.0 supports EC private key?

2023-10-24 Thread Ralf Hildebrandt via dovecot
* Marc :
> 
> Does dovecot 2.0 supports EC private key?

Yes:

# Certbot RSA
ssl_cert = https://www.charite.de
