msmtp with Oauth2 #28

Closed
marcelolaia opened this issue Aug 12, 2020 · 5 comments

@marcelolaia

Hi, I found Christian Tenllado's tutorial here and I had a look at Luxing Huang's tutorial, too.

I did my msmtprc like this:

account YZYZYZ
host smtp.gmail.com
from mylogin@YZYZYZ.edu.br
port 587
protocol smtp
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
auth oauthbearer
user mylogin@YZYZYZ.edu.br
passwordeval /home/myuser/.oauth2token mylogin@YZYZYZ.edu.br YZYZYZ

I set up the system's keyring like this:

secret-tool store --label=msmtp-oauth2 client-id client-id
Password:

I copy and paste the "OAuth client ID" in the password prompt above.

secret-tool store --label=msmtp-oauth2 client-secret client-secret
Password:

I copy and paste the "Secret" in the password prompt above.

secret-tool store --label=msmtp-oauth2 refresh refresh
Password:

I copy and paste the "Refresh Token" in the password prompt above.

The first question is: is the above approach suitable for Christian Tenllado's tutorial?
The second one is: is the msmtprc configuration above suitable for my system's keyring configuration above?

After doing these configurations (above), I tested sending a message and got this error:

sh: 1: /home/myuser/.oauth2token: Permission denied
msmtp: was not possible to read the stdout from "/home/myuser/.oauth2token
mylogin@YZYZYZ.edu.br YZYZYZ"

Here is the ls -l output:

myuser@myuser:~$ ls -l /home/myuser/.oauth2token
-rwxr-xr-x 1 myuser myuser 1957 ago 11 21:58 /home/myuser/.oauth2token
myuser@myuser:~$

myuser@myuser:~$ ls -l /home/myuser/.oauth2.py
-rwxr-xr-x 1 myuser myuser 12616 ago 11 11:15 /home/myuser/.oauth2.py
myuser@myuser:~$

I had configured offlineimap and it is running out of the box! Love!

Please, could you help me with msmtp?

Thank you so much!

@marcelolaia
Author

I found two issues:

  1. I need to disable the /etc/apparmor.d/usr.bin.msmtp profile temporarily by running sudo aa-disable /etc/apparmor.d/usr.bin.msmtp

  2. The correct way to store the client-id, client-secret and refresh keys is:

secret-tool store --label=msmtp-oauth2 <account-name> client-id
secret-tool store --label=msmtp-oauth2 <account-name> client-secret
secret-tool store --label=msmtp-oauth2 <account-name> refresh

Now I need to figure out how to add rules for msmtp+oauth2token+oauth2.py in the /etc/apparmor.d/usr.bin.msmtp file.

@marlam
Owner

marlam commented Aug 15, 2020

Thank you very much for figuring this out. This is yet another example of AppArmor creating a problem that is hard to debug. I added a news entry on the msmtp web site about this in the hope that it may help others find this information.

@marcelolaia
Author

Finally, I figured out how to bypass AppArmor in my issue!
Here is the step-by-step to configure msmtp + OAuth2 on Debian Testing (Linux marcelo 5.7.0-2-amd64 #1 SMP Debian 5.7.10-1 (2020-07-26) x86_64 GNU/Linux):

  1. Read Christian Tenllado's tutorial here.
  2. Download oauth2token from here and oauth2.py from here.
  3. Save those files in /home/youruser/bin/OAuth2/ (my suggestion).
  4. chmod u+r+x oauth2.py and chmod u+r+x oauth2token.
  5. Edit the msmtprc file. This is the relevant section:
account YZYZYZ
host smtp.gmail.com
from yourlogin@YZYZYZ.edu.br
port 587
protocol smtp
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
auth oauthbearer
user yourlogin@YZYZYZ.edu.br
passwordeval /home/youruser/bin/OAuth2/oauth2token yourlogin@YZYZYZ.edu.br YZYZYZ

Pay particular attention that YZYZYZ is repeated five times.

  6. Proceed to Luxing Huang's tutorial steps 1 to 5 and set up the Google recommended OAuth 2.0 way for Mutt, msmtp, offlineimap and so on.
  7. You'll be given an OAuth client ID and secret. Write this down somewhere.
  8. Run this command:
    $ ./oauth2.py --user=yourlogin@YZYZYZ.edu.br --client_id=2345...0123.apps.googleusercontent.com --client_secret=s_ec_ret --generate_oauth2_token
  9. Access the link given, authenticate yourself, log in and grant permission.
  10. Paste the response code back into the terminal.
  11. Write down the access token and refresh token somewhere.
  12. Store the client-id, client-secret and refresh keys by using secret-tool (apt install libsecret-tools):
secret-tool store --label=msmtp-oauth2 YZYZYZ client-id
Password:<copy client-id and paste it here>
secret-tool store --label=msmtp-oauth2 YZYZYZ client-secret
Password:<copy client-secret and paste it here>
secret-tool store --label=msmtp-oauth2 YZYZYZ refresh
Password:<copy refresh and paste it here>

Pay particular attention to YZYZYZ.
Open gnome-keyring (apt install gnome-keyring) and check if those tokens are correct.

  13. Verify if msmtp is ruled by AppArmor by running:
$ sudo aa-status | grep msmtp
   msmtp
   msmtp//helpers

If you see an output like the above, it is ruled.

Edit /etc/apparmor.d/usr.bin.msmtp and insert these rules:

@{HOME}/bin/OAuth2/oauth2.py     PUx,
@{HOME}/bin/OAuth2/oauth2token   PUx,

  14. The end of the /etc/apparmor.d/usr.bin.msmtp file will look like this:
    owner /tmp/*     rw,

    /usr/bin/secret-tool             PUx,
    /usr/bin/gpg{,2}                 PUx,
    /usr/bin/pass                    PUx,
    /usr/bin/head                    PUx,
    /usr/bin/keyring                 PUx,
    /{,usr/}bin/cat                  PUx,
    @{HOME}/bin/OAuth2/oauth2.py     PUx,
    @{HOME}/bin/OAuth2/oauth2token   PUx,

  }

  #include <local/usr.bin.msmtp>
}

  15. Run:
    $ sudo aa-enforce /etc/apparmor.d/usr.bin.msmtp

To test, send me an e-mail at marcelolaia at gmail dot com

(Please, can an expert read these steps and revise them?)
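A preflight script for the steps above, added here as an example (it is not code from this issue or from the msmtp project): it checks that both helpers are executable and not world-writable, that the AppArmor profile carries an exec rule for each of them, and, when an account name is given, that the three keyring entries stored with secret-tool are present. The profile path, the helper directory and the rule paths are assumptions taken from the steps and are passed as arguments.

```shell
#!/bin/sh
# Preflight check for the msmtp + OAuth2 + AppArmor setup from the steps above.
# Added example, not from the issue thread or the msmtp project. Assumed paths:
# profile /etc/apparmor.d/usr.bin.msmtp, helpers in $HOME/bin/OAuth2.

# profile_allows_helper PROFILE RULE_PATH: 0 if PROFILE has a rule whose path
# field is exactly RULE_PATH and whose mode ends in "x," (PUx, Ux, ix, ...).
profile_allows_helper() {
    while read -r path mode rest; do
        [ "$path" = "$2" ] || continue
        case "$mode" in *x,) return 0 ;; esac
    done < "$1"
    return 1
}

# helper_is_safe_exec FILE: 0 if FILE is a regular file, executable by the caller,
# and not world-writable (anyone who can edit it can read the token it prints).
helper_is_safe_exec() {
    [ -f "$1" ] && [ -x "$1" ] && [ -z "$(find "$1" -prune -perm -002)" ]
}

# check_files PROFILE HELPER_DIR RULE_DIR: run both checks for oauth2.py and
# oauth2token, print one FAIL line per problem, return 1 if anything failed.
check_files() {
    rc=0
    for h in oauth2.py oauth2token; do
        helper_is_safe_exec "$2/$h" ||
            { echo "FAIL: $2/$h must be executable and not world-writable"; rc=1; }
        profile_allows_helper "$1" "$3/$h" ||
            { echo "FAIL: $1 has no exec rule for $3/$h"; rc=1; }
    done
    return $rc
}

# check_keyring ACCOUNT: 0 if secret-tool returns a non-empty value for each of
# the three attributes stored above (secret-tool lookup ACCOUNT KEY).
check_keyring() {
    rc=0
    for k in client-id client-secret refresh; do
        [ -n "$(secret-tool lookup "$1" "$k" 2>/dev/null)" ] ||
            { echo "FAIL: keyring has no '$k' entry for account $1"; rc=1; }
    done
    return $rc
}

# Usage: sh preflight.sh YZYZYZ   (live checks run only when an account is given)
if [ "$#" -gt 0 ]; then
    check_files /etc/apparmor.d/usr.bin.msmtp "$HOME/bin/OAuth2" '@{HOME}/bin/OAuth2'
    check_keyring "$1"
fi
```

Run it as the user who invokes msmtp, since both @{HOME} in the profile and the keyring resolve per user.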

@troyready

I can confirm the ^ apparmor changes worked for me too; I independently arrived at the same conclusion. I couldn't figure out how to get the equivalent change in /etc/apparmor.d/local/usr.bin.msmtp to work (which would be way more ideal).

@marlam
Owner

marlam commented Dec 26, 2020

There is hope that the AppArmor profile will be fixed or will be opt-in, see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975333
