JAMES-3680 SMTP enable OAUTHBEARER authentication #810
openssl client test:

```
✘ hp@hp-quanth ~ openssl s_client -starttls smtp -crlf -connect localhost:39983
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = FR, ST = Unknown, L = Puteaux, O = James, OU = Linagora, CN = Benoit Tellier
verify error:num=18:self signed certificate
verify return:1
depth=0 C = FR, ST = Unknown, L = Puteaux, O = James, OU = Linagora, CN = Benoit Tellier
verify error:num=10:certificate has expired
notAfter=Nov 24 07:32:55 2015 GMT
verify return:1
depth=0 C = FR, ST = Unknown, L = Puteaux, O = James, OU = Linagora, CN = Benoit Tellier
notAfter=Nov 24 07:32:55 2015 GMT
verify return:1
---
Certificate chain
 0 s:C = FR, ST = Unknown, L = Puteaux, O = James, OU = Linagora, CN = Benoit Tellier
   i:C = FR, ST = Unknown, L = Puteaux, O = James, OU = Linagora, CN = Benoit Tellier
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDeTCCAmGgAwIBAgIEXaLC/zANBgkqhkiG9w0BAQsFADBtMQswCQYDVQQGEwJG
UjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHUHV0ZWF1eDEOMAwGA1UEChMF
SmFtZXMxETAPBgNVBAsTCExpbmFnb3JhMRcwFQYDVQQDEw5CZW5vaXQgVGVsbGll
cjAeFw0xNTA4MjYwNzMyNTVaFw0xNTExMjQwNzMyNTVaMG0xCzAJBgNVBAYTAkZS
MRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdQdXRlYXV4MQ4wDAYDVQQKEwVK
YW1lczERMA8GA1UECxMITGluYWdvcmExFzAVBgNVBAMTDkJlbm9pdCBUZWxsaWVy
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhW0GWSgkK44XQpwLn8KX
q9kJ3zgDYllEX7W8p+3sBYMAP0JC+lzh42mX/8XHti0vkmv/vjk0paAsB9s5uYhv
/W94sdqjexi3L213+OD5Kcy+2tTgXN1ucF65d/dDeqGHAyBs1rm6LgyRwQ5ye8Cl
OtXbSkz5qujmnFDDzrDIgzefxFsTHHIBTsdyttq2Atqzgdg2LHaFbIntwr6lfl9v
puXr8p+CY6PfehX8mdmaJ7J/gfAll3zzdgeNUoAW0eDvcsphJ06elsDahieo0n/o
XVhy+TGWtAQRDZQDjeK2BX/vVSPAlGOW7hVTv7WycAolzKlXZyiJMnwTWJl6YoUP
vQIDAQABoyEwHzAdBgNVHQ4EFgQU7tDLswRlOJqoX4aVgrXRQbmOYbIwDQYJKoZI
hvcNAQELBQADggEBAGmzK2i2H5D6xITyN1iNQhXbABQ/3rz9K5dEvy0ZLgYOUqyw
1WD43Do/A3eZuEZbuuYAlbvDEUNgS7rJ5HCrwIKFbPHWmfRX2j59UX+R8fI6G9wB
qqcRYWpert347rGT/7MFLHk55LL6Tf//fwoWu6GWRj3wTvosVuunUiiC6zTS4MN9
moJp+IF03Q6JOPWu7/tfaKfXQHxG/hK492oV2vBG2r29UUJW6YO1S0DK+/cU0cCu
+jqbY1ZOIAk906onRUFoPGuypOm3vmbE6mo5o49rNtp+VmZagZ7GsjJ4KWJB1c6d
SFNIFlH2VlS8Lywr2tesClWO5tqtMswRsoA9GeU=
-----END CERTIFICATE-----
subject=C = FR, ST = Unknown, L = Puteaux, O = James, OU = Linagora, CN = Benoit Tellier
issuer=C = FR, ST = Unknown, L = Puteaux, O = James, OU = Linagora, CN = Benoit Tellier
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1613 bytes and written 396 bytes
Verification error: certificate has expired
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 10 (certificate has expired)
---
250 STARTTLS
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: F9B28D6A7E1BD26A6F5781FC63A042C884917BF323202D126A332CEF94820310
    Session-ID-ctx:
    Resumption PSK: 6BBC0ACE586E5DF5328C23F7E5FFE602FEB4B0AD9175A1A80E670A5F24001A354676D2B275BC1874541F2AF0199F60C3
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - 30 8d f3 6d b9 e8 72 3a-56 f1 6b bf 0b 2f 6d e6   0..m..r:V.k../m.
    0010 - 8d 3a 27 1d c8 06 8f d8-79 1b a1 bf 49 90 d0 f7   .:'.....y...I...

    Start Time: 1640752217
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
EHLO localhost
250-hp-quanth Hello localhost [127.0.0.1])
250-AUTH OAUTHBEARER
250-AUTH=OAUTHBEARER
250-PIPELINING
250-ENHANCEDSTATUSCODES
250 8BITMIME
AUTH OAUTHBEARER bixhPXVzZXJAZG9tYWluLm9yZwFhdXRoPWV5SmhiR2NpT2lKU1V6STFOaUlzSW5SNWNDSTZJa3BYVkNJc0ltdHBaQ0k2SW5jNE1GQnpOVWxoYzI0dFlVZFhiWGN5VkhKNFJHbE9ZMkZvY0VneWMxaDZOWEJ4WkdoQmJEbElXR01pZlEuZXlKbGVIQWlPak01TXprMU1EWXhOamNzSW1saGRDSTZNVFl6T1RVd05UZzJOeXdpWVhWMGFGOTBhVzFsSWpvek5qTTVOVEExT0RReExDSnFkR2tpT2lKak1qUTVaVEJrTmkxalkySmlMVFJtWkRBdE9ESTVZaTA0T1RNMU1qY3pOMll6WkdJaUxDSnBjM01pT2lKb2RIUndPaTh2Ykc5allXeG9iM04wT2pnd09EQXZZWFYwYUM5eVpXRnNiWE12Y21WaGJHMHhJaXdpWVhWa0lqb2lZV05qYjNWdWRDSXNJbk4xWWlJNklqSXdORFV5TnpGaUxXTXhZbUl0TkRKaU9DMWhNVGt3TFRobFlXSTFNbVl6WW1Fd09TSXNJblI1Y0NJNklrSmxZWEpsY2lJc0ltRjZjQ0k2SW1GalkyOTFiblF0WTI5dWMyOXNaU0lzSW01dmJtTmxJam9pTldVeU9HSmpOVEF0T0RFNU5TMDBOak0zTFRobU1XRXRZV1V6TldGbFlUazBOVGMxSWl3aWMyVnpjMmx2Ymw5emRHRjBaU0k2SW1NeFl6STNNbVl3TFdNd01qQXROR1ptTUMxaE16WXdMVFEzTUdKbFlXVmxOV1V3TUNJc0ltRmpjaUk2SWpBaUxDSnlaWE52ZFhKalpWOWhZMk5sYzNNaU9uc2lZV05qYjNWdWRDSTZleUp5YjJ4bGN5STZXeUp0WVc1aFoyVXRZV05qYjNWdWRDSXNJbTFoYm1GblpTMWhZMk52ZFc1MExXeHBibXR6SWwxOWZTd2ljMk52Y0dVaU9pSnZjR1Z1YVdRZ1pXMWhhV3dnY0hKdlptbHNaU0lzSW5OcFpDSTZJbU14WXpJM01tWXdMV013TWpBdE5HWm1NQzFoTXpZd0xUUTNNR0psWVdWbE5XVXdNQ0lzSW1WdFlXbHNYM1psY21sbWFXVmtJanBtWVd4elpTd2ljSEpsWm1WeWNtVmtYM1Z6WlhKdVlXMWxJam9pYW1GdFpYTWlMQ0psYldGcGJGOWhaR1J5WlhOeklqb2lkWE5sY2tCa2IyMWhhVzR1YjNKbkluMC5icUhzWDN5bmdYd1h5Vlc3TGVuS3pIYmRxWnkxQW1DakUzUVdycDdZMXNkX3pjUUV1NVdBQndMSU9BenJYaU5GZUd3eXd3OHRhR0pCZFlhMEtUQkNZNk1Za0FIQUVhMXZ5eU8xTGZKZ3IzY0lmUVQ2V0NmM2cyQkpxSFJqVXNxTmdUX1NpdDlkcnVNUmtlMDFtMVYwRW16cUlkTExIcDhWbC11NFIzSlNEeDFic1ExdzNXQ1JsY2dyX2szRUo3ak5pdU5ua2xDSDhfbzU5eTRjN1J6ZHBsLVk4dGNBMDduR2plSl83cVBnTlpYNmxnd3ZyMEVocFFwYlZESFh3UWxwMk5EemtXd0JMSlIwLVY1MFEwYS1MMFFENjl3cWVFYXFpMXhhUkFmeDJHd24yRmdDZ01VV3pLZVdfcWtFQlAwdG5OLXB6bDdqMzFFT25tS2hzaGxPdHcBAQ==
235 Authentication successful.
```

```
hp@hp-quanth ~ openssl s_client -starttls smtp -crlf -connect localhost:39983
CONNECTED(00000003)
...
EHLO localhost
250-hp-quanth Hello localhost [127.0.0.1])
250-AUTH OAUTHBEARER
250-AUTH=OAUTHBEARER
250-PIPELINING
250-ENHANCEDSTATUSCODES
250 8BITMIME
AUTH OAUTHBEARER invalidtoken
334 eyJzdGF0dXMiOiJpbnZhbGlkX3Rva2VuIiwic2NvcGUiOiJzY29wZSIsInNjaGVtZXMiOiJodHRwczovL2V4YW1wbGUuY29tL2p3a3MifQ==
AQ==
535 Authentication Failed
```

```
hp@hp-quanth ~ telnet localhost 39983
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 Apache JAMES awesome SMTP Server
EHLO localhost
250-hp-quanth Hello localhost [127.0.0.1])
250-PIPELINING
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 STARTTLS
AUTH OAUTHBEARER 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
504 Unrecognized Authentication Type
```
Looks good to me.
Thanks for putting this together.
Smells related. Could you have a look?
& rebase needed, which might solve the aforementioned issues. I will do the rebase.
IMO we need
        return ESMTP_FEATURES;
    authTypesBuilder.add(AUTH_TYPE_LOGIN, AUTH_TYPE_PLAIN);
}
if (session.getConfiguration().saslConfiguration().isPresent()) {
IMO `session.getConfiguration().enableOAuth()` is better.
Example: org.apache.james.smtpserver.SMTPSaslTest#oauthWithNoTLSConnectShouldFail
I will resolve it
Resolved!
Ok. Can we try this thing with TB ? :-P
@@ -55,9 +55,9 @@ | |||
</smtpserver> | |||
<smtpserver enabled="true"> | |||
<jmxName>smtpserver-TLS</jmxName> | |||
<bind>0.0.0.0:0</bind> | |||
<bind>0.0.0.0:465</bind> |
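Review bot: changing the smtpserver-TLS `<bind>` from `0.0.0.0:0` to `0.0.0.0:465` in a test configuration binds a privileged port (below 1024), which the test JVM cannot open unless it runs as root or holds CAP_NET_BIND_SERVICE; that is consistent with the `java.net.SocketException: Permission denied` reported on this hunk. Keep `<bind>0.0.0.0:0</bind>` so the OS assigns an ephemeral port for the integration tests, and put the real 465 listener only in deployment configuration.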
This change makes some integration tests fail.
java.net.SocketException: Permission denied
reverted
revert smtp config file
Should support XOAUTH2 type
POC - Demo Video with Thunderbird
OAUTH_SMTP_JAMES_DEMO.mp4
WIP: reconsider logic and improve code quality (reduce some if else if it can be,...), documentation
As the code stands now, when the client does not use a TLS connection (server requireSSL), the server does not advertise any AUTH types:
And only returns the available auth types when the client executes TLS:
Is this a correct behavior? Should we return Auth even when client does not use TLS?
RFC4954:
Modern implementations SHOULD NOT advertise mechanisms that are not permitted due to lack of encryption, unless an encryption layer of sufficient strength is currently being employed
=> I suppose this is correct behavior.
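An added example (Python, not Apache James code) that models offline what the transcripts above show and what the RFC 4954 quote requires: a client-side parser for the AUTH keywords in an EHLO reply, the server-side rule of hiding cleartext-unsafe mechanisms until STARTTLS has completed, the RFC 7628 OAUTHBEARER client-first message, and decoding of the base64 JSON the server puts in its 334 reply before the final 535. The EHLO reply lists and the token value are constructed for the example; the 334 payload is the one the server returned in the invalid-token test above. The client-first message follows RFC 7628 literally (gs2 header terminated by a comma, `auth=Bearer` prefix) rather than reproducing the exact bytes of the test's token.

```python
"""Added example for this PR thread (not Apache James code).

Models two SMTP behaviours seen in the test transcripts, offline:
  1. the RFC 4954 rule that cleartext-unsafe AUTH mechanisms are hidden
     until STARTTLS has completed, and how a client reads that from EHLO;
  2. the RFC 7628 OAUTHBEARER client-first message and the base64 JSON
     payload a server returns in a 334 reply before the final 535.
Constructed inputs: the EHLO reply lists and the placeholder token. The
334 payload is the one the James server returned in the failing test.
"""
import base64
import json

# Mechanisms that expose a reusable credential (password or bearer token)
# on the wire; RFC 4954 says these SHOULD NOT be advertised unless an
# encryption layer of sufficient strength is active.
CLEARTEXT_UNSAFE = frozenset({"PLAIN", "LOGIN", "OAUTHBEARER", "XOAUTH2"})

# Constructed to mirror the shape of the telnet (cleartext) and
# openssl s_client (post-STARTTLS) EHLO replies in the PR description.
EHLO_CLEARTEXT = [
    "250-hp-quanth Hello localhost [127.0.0.1]",
    "250-PIPELINING",
    "250-ENHANCEDSTATUSCODES",
    "250-8BITMIME",
    "250 STARTTLS",
]
EHLO_AFTER_STARTTLS = [
    "250-hp-quanth Hello localhost [127.0.0.1]",
    "250-AUTH OAUTHBEARER",
    "250-AUTH=OAUTHBEARER",
    "250-PIPELINING",
    "250-ENHANCEDSTATUSCODES",
    "250 8BITMIME",
]

# Base64 JSON the server sent in the 334 reply of the invalid-token test.
FAILURE_334_PAYLOAD = (
    "eyJzdGF0dXMiOiJpbnZhbGlkX3Rva2VuIiwic2NvcGUiOiJzY29wZSIsInNjaGVtZXMiOiJo"
    "dHRwczovL2V4YW1wbGUuY29tL2p3a3MifQ=="
)


def advertised_auth_mechanisms(ehlo_lines):
    """Collect the mechanisms an EHLO reply advertises, accepting both the
    'AUTH X Y' keyword form and the legacy 'AUTH=X Y' form."""
    mechs = set()
    for line in ehlo_lines:
        if not line.startswith("250"):
            continue                      # not an EHLO keyword line
        body = line[4:].strip()           # drop '250-' or '250 '
        upper = body.upper()
        if upper.startswith("AUTH ") or upper.startswith("AUTH="):
            mechs.update(body[5:].split())
    return mechs


def mechanisms_to_advertise(configured, tls_active):
    """Server-side policy discussed in the thread: advertise everything on
    an encrypted session, only cleartext-safe mechanisms otherwise."""
    if tls_active:
        return set(configured)
    return {m for m in configured if m.upper() not in CLEARTEXT_UNSAFE}


def oauthbearer_initial_response(authzid, token):
    """Base64 client-first message sent after 'AUTH OAUTHBEARER' (RFC 7628):
    gs2 header 'n,a=<authzid>,' then ^A-separated key=value pairs, ending
    with a double ^A. The token is whatever the caller passes (placeholder)."""
    sep = "\x01"
    msg = f"n,a={authzid},{sep}auth=Bearer {token}{sep}{sep}"
    return base64.b64encode(msg.encode("utf-8")).decode("ascii")


def decode_oauthbearer_failure(payload_b64):
    """Decode the JSON the server puts in a 334 reply when the token is
    rejected; the client must answer with a lone ^A and then gets a 535."""
    return json.loads(base64.b64decode(payload_b64).decode("utf-8"))


def client_abort_response():
    """The single ^A byte a client sends to acknowledge a 334 failure."""
    return base64.b64encode(b"\x01").decode("ascii")


if __name__ == "__main__":
    print("cleartext EHLO advertises:", advertised_auth_mechanisms(EHLO_CLEARTEXT))
    print("after STARTTLS advertises:", advertised_auth_mechanisms(EHLO_AFTER_STARTTLS))
    print("server policy, no TLS:", mechanisms_to_advertise({"OAUTHBEARER"}, False))
    print("334 failure payload:", decode_oauthbearer_failure(FAILURE_334_PAYLOAD))
    print("client abort:", client_abort_response())
```

Running the module prints an empty mechanism set for the cleartext EHLO, `{'OAUTHBEARER'}` after STARTTLS, and the decoded `invalid_token` status from the 334 payload, which is the behaviour the RFC 4954 quote above asks for.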