From 89d9f1c8682ed04315c57e63b33a9947460ac63d Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 12 Apr 2022 12:18:50 -0700 Subject: [PATCH 1/4] README: be clearer about debian installation of pluginviewer --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index adcad40..7345a99 100644 --- a/README.md +++ b/README.md @@ -62,7 +62,7 @@ same "SSF" setting of "0". This made SASL's automatic detection of which plug-in to use non-deterministic. Now, with the higher SSF of "60" for "xoauth2", providers offering OAUTH2 will be handled via the xoauth2 plug-in. -You can check the effective value by calling `pluginviewer -c` (on Debian/Ubuntu it’s called `saslpluginviewer`); look for +You can check the effective value by calling `pluginviewer -c` (on Debian/Ubuntu it’s installed as `/usr/sbin/saslpluginviewer` in the `sasl2-bin` package); look for the "SSF" value: ``` Plugin "sasl-xoauth2" [loaded], API version: 4 From 97c8e832c5b4a1870cc9c79e0e89c37a0bd9831a Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 12 Apr 2022 12:19:44 -0700 Subject: [PATCH 2/4] SSL has been formally deprecated for years. The modern protocol used everywhere is TLS. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7345a99..ff804f2 100644 --- a/README.md +++ b/README.md @@ -131,7 +131,7 @@ This means that **even though the path in `/etc/postfix/sasl_passwd` is attempt to read from `/var/spool/postfix/etc/tokens/username@domain.com`. Additionally, if you see an error message similar to the following, you may need -to copy over root CA certificates for SSL to work within sasl-xoauth2: +to copy over root CA certificates for the TLS handshake to work within sasl-xoauth2: ``` TokenStore::Refresh: http error: error setting certificate verify locations: ... From 8548583753804896abf1eb3a3b16465140432956 Mon Sep 17 00:00:00 2001 
From: Daniel Kahn Gillmor Date: Tue, 12 Apr 2022 13:24:38 -0700 Subject: [PATCH 3/4] Update notes about Google Cloud Platform console It is no longer called the "Google API Console", and it requires that you identify a "Project", in addition to an "Application" that is a "Desktop app" I note that the credentials for the "test app" i made appear to be likely to expire, but i don't really understand the scope of their duration. --- README.md | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index ff804f2..e7073e2 100644 --- a/README.md +++ b/README.md @@ -159,12 +159,27 @@ on setting up `postmulti` with sasl-xoauth2. ### Gmail Configuration +From a new account, Google requires several steps to enable access. +Once you are logged into your Gmail account in the browser, all these steps happen at the [Google Cloud Platform console](https://console.cloud.google.com/). + +#### Basic Account Setup + +- Select an exisitng project, or add a Project if you don't have one yet (it can be any name) + +- Set up "OAuth Consent Screen" for the project + + - If this is an "External" and "Testing" app, be sure to add add your own e-mail address to the "test users" + #### Client Credentials -Visit the [Google API Console](https://console.developers.google.com/) to obtain -OAuth 2 credentials (a client ID and client secret) for a "Desktop app" -application type. +From the [Google Cloud Platform console](https://console.cloud.google.com/), + +- Credentials: Create Credentials: OAuth client ID + - Application type: Desktop app + + - Choose a memorable name + Store the client ID and secret in `/etc/sasl-xoauth2.conf`: ```json From 5f734d56fc93b719a7dcac2784cd8caded792d3a Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 12 Apr 2022 14:20:25 -0700 Subject: [PATCH 4/4] README: clarify what is pointing to gmail by default --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/README.md b/README.md index e7073e2..d36c749 100644 --- a/README.md +++ b/README.md @@ -266,8 +266,7 @@ Then, add API permissions for `SMTP.Send`. Store the "application (client) ID" (which you'll find in the "Overview" page for the application you registered with Azure) in `/etc/sasl-xoauth2.conf`. -Leave `client_secret` blank. Additionally, override the token endpoint (which -points to Gmail by default): +Leave `client_secret` blank. Additionally, explicitly set the token endpoint (`sasl-xoauth2` points to Gmail's token endpoint by default): ```json {
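Review bot: In PATCH 1/4, the Debian parenthetical now gives the full path and package but still not the invocation; since the sentence tells the reader to call `pluginviewer -c`, spell out `saslpluginviewer -c` (or `/usr/sbin/saslpluginviewer -c`, because `/usr/sbin` is not on every non-root user's PATH) so a Debian/Ubuntu reader does not have to reassemble the command from two halves of the sentence.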
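Review bot: In PATCH 2/4, "for the TLS handshake to work" does not quite match the error quoted right below it: "error setting certificate verify locations" is raised while the CA store is being loaded, before any handshake happens, so "for TLS certificate verification to work" names the actual failure. Since the paragraph above the hunk is about paths being resolved relative to `/var/spool/postfix`, consider also stating that the root CA certificates have to be copied into that chroot rather than just "copied over".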
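Review bot: In PATCH 3/4, two typos in the added lines: `exisitng` in "+- Select an exisitng project", and the doubled word in "be sure to add add your own e-mail address". The commit message also notes that credentials for an app in "Testing" status appear to expire; that caveat belongs in the README next to the "Testing" bullet, with the lifetime Google documents for apps in that status and what the reader must do when it lapses (publish the app or re-run the authorization), rather than staying only in the commit message where no user will see it.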
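Review bot: In PATCH 4/4, the replacement collapses two wrapped lines into one long line; rewrap it to match the README's line width seen in the rest of the hunk. The reworded sentence is clearer about what points at Gmail, and it would be worth one more clause on why the override matters: with an Azure application (client) ID and the default Gmail token endpoint, the token request would go to Google and fail, so "explicitly set" should read as required, not optional.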