Automagically fetch Gmail certificates #132
Comments
My configuration looks like this
I think you need to at least configure I use Arch Linux. If you also use it, you can just copy my config.
I think Google is taking the XOAUTH way. This latest authentication method supports fetching of tokens.
I had the same problem here with OfflineIMAP 7.0.8 on Arch Linux. Adding this line from the @yang-ling config was enough:
There's no
It appears that XOAUTH2 with a refresh token is incompatible with STARTTLS.
This is expected behaviour. The reason is that the Gmail type enables SSL, so it must be configured correctly.
Also, XOAUTH2 does not prevent SSL from working. IOW, the original request to automatically download the certificate is valid.
@nicolas33 I think you'll be very interested in this page because it contains all of the troubleshooting steps for sending mail, in one place, including the full details on the best ways to get Gmail working and encryption. https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting
Thanks! I did not add XOAUTH2 in offlineimap and I'm not much concerned by this protocol (for now, at least). I'm having a hard time with this thing. The port 993 (SSL) is hardcoded for the Gmail type. This was done by @aroig (if I'm right) way before XOAUTH2 was provided by Google. This might be why STARTTLS won't work. I didn't check what imaplib2 does and how we use it in the STARTTLS case, but I wouldn't be surprised if we are trying the wrong port.
Exactly, port 587 is for sending mail out through SMTP, such as how PHPMailer does it. Port 993 is the right port for secure reading, IMAPS with SSL or STARTTLS.
I'm landing here only now due to the @nicolas33 mention. I'm not sure what this issue is about anymore...

Regarding the certificate problem originally reported, yes, with SSL, we need to configure the list of Certificate Authority certificates (the sslcacertfile). I've just discovered that you can also use

The SSL protocol fetches the certificate for the IMAP server, which is signed by a certification authority. Then it fetches the certificate of the certification authority, which is signed by another certification authority, and keeps going up the tree until it finds a certification authority in the local list of trusted certification authorities you have provided. This scheme protects you against someone in your network pretending to be Gmail's IMAP server and spying on your email. You trust that every CA is legal, and only signs a certificate for which it has checked the identity, etc. A local spy on your network will have a hard time finding a CA to sign his fake Gmail server. Without this chain of trust, you would instead be trusting a local DNS server giving you back the IP of Gmail.

Getting Gmail's certificate over the wire, or any of the CAs needed to validate it, from an untrusted server, is a bad idea. It kind of defeats the purpose of the chain of trust. If you want to use the chain of trust, there is no way around it: you need a local file with a handful of trusted CAs, obtained via a package manager with signed packages, etc. What offlineimap can do is try to find the local file in the usual places (which apparently it can do). Alternatively, we could hard-code the path at installation time. Then distros can package offlineimap with the cacerts file properly configured.

Regarding the XOAUTH discussion, I have not tried XOAUTH yet (it is somewhere on my list). I'm not sure I understood what is being discussed here. Is there a problem with Gmail's backend hard-coding port 993? When I touched the Gmail code, this port was already hard-coded, but of course it can be made configurable if necessary.
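The verification model described in the comment above (a local CA bundle found in the usual distro locations, a chain check up to one of those CAs, implicit TLS on port 993 for the Gmail type), as an added example that is not OfflineIMAP's own code. The candidate bundle paths and the function names are assumptions for this example.

```python
import os
import ssl
import imaplib

# Places where distributions usually install the CA bundle (Debian/Ubuntu/Arch,
# RHEL/Fedora, Alpine/BSD style). Assumed list for this example; a real client
# should still let the user override it (what sslcacertfile does).
CA_BUNDLE_CANDIDATES = (
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/etc/ssl/cert.pem",
)


def find_ca_bundle(candidates=CA_BUNDLE_CANDIDATES):
    """Return the first readable CA bundle among the usual places, or None.

    The bundle must come from the local system (signed packages), never from
    the IMAP server itself: a certificate fetched over the wire would make the
    chain of trust circular.
    """
    for path in candidates:
        if os.path.isfile(path) and os.access(path, os.R_OK):
            return path
    return None


def build_verifying_context(cafile):
    """TLS client context that requires a chain ending at a CA in cafile
    and checks that the certificate matches the host name."""
    if cafile is None:
        raise FileNotFoundError("no CA bundle found; set sslcacertfile explicitly")
    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED and check_hostname=True.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    return ctx


def connect_gmail_imaps(ctx, host="imap.gmail.com", port=993):
    """Implicit TLS on 993, which is what the Gmail type hard-codes; there is
    no STARTTLS upgrade step, the handshake (and chain check) happens first."""
    return imaplib.IMAP4_SSL(host, port, ssl_context=ctx)


if __name__ == "__main__":
    bundle = find_ca_bundle()
    print("CA bundle:", bundle)
    if bundle:
        print("verify_mode:", build_verifying_context(bundle).verify_mode)
```

If none of the candidate paths exists the context builder refuses to continue instead of silently falling back to an unverified connection, which is the failure mode the thread warns about.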
Ok, thanks. I was wrong, we are fine with port 993.
Thank you. I'm not sure we want to support automagically fetching the certificate. Though, I would not be opposed to a configuration option like "automagically_fetch_certificate" as long as we explain this is less secure than certificate checks. Now, about STARTTLS.
STARTTLS allows enabling SSL/TLS tunnels while starting in clear text mode. IOW, this elevates the security from clear text. Here, I wonder whether XOAUTH2 and STARTTLS are exclusive or not in the first place. The reason I want to check this is because STARTTLS does NOT require checking the certificate. IOW, this would be another way to "bypass" the certificate checks and not having the BUT in imapserver.py, we have:
where tryTLS is about STARTTLS. I'm not sure trying STARTTLS with XOAUTH2 is correct in the first place. Perhaps the XOAUTH2 authors can help, here. @cscorley @Frizlab @Roguelazer could you confirm that trying STARTTLS with XOAUTH2 is intended? Would this work?
Again, while this would be surprising (both are meant for different use cases), this limitation might not apply to all the IMAP servers out there. If Gmail (correctly, IMHO) does not allow STARTTLS with XOAUTH2, we might like to try STARTTLS with XOAUTH2 for other IMAP servers.
Here's the official Gmail Python code sample for XOAUTH2 IMAP4 login. Note how the login is 4 simple lines of code. There's no mention of STARTTLS for the IMAP login.
We should consider adding this
Github-ref: #132
Signed-off-by: Nicolas Sebrecht <nicolas.s-dev@laposte.net>
Hi, probably this patch from offlineimap (Python 3) could help here:
Regards,
There's the special
type = Gmail
and the documentation says: Specify the Gmail user name. This is the only mandatory parameter.
But having configured so, it complains:
$ offlineimap
Is it possible to fetch certificates automatically?