Sendmail + OAuth2 - possible?

For a long time, I have had my Sendmail configured to relay some messages through Gmail.
This worked fine, using Cyrus-SASL, `SMART_HOST` and an `authinfo` file.

However, today it stopped working, and from research I learn that Google is turning off that method of authentication — no more plain SMTP authentication for Gmail.
Now, I need to use OAuth2, it seems ):

Let me just get ahead of some likely responses:
  • I realize that various specific programs and email clients, such as `mutt`, have support for OAuth2. They typically have special-case handling for it built in, and require interactive login with a browser. That is not what I'm looking for.

  • I am interested in configuring Sendmail to do this as automatically as possible. The best guide on this sort of thing I have seen so far has been for Postfix (link), but I'm hoping to hear from people with Sendmail experience.

  • I am primarily interested in sending mail (relay, SMTP). I don't care as much about receiving (IMAP).

The most straightforward path I've seen is to try to use this plugin for Cyrus-SASL to support OAuth2. Has anyone been able to use that on FreeBSD?

Or have any other ideas or experiences?

Thanks for any help!
 
From September 30, 2024, Google are finally doing what they threatened prior to COVID, and never did. They are turning off LSAs (Less Secure Apps). Authentication by user ID and password will no longer work. Authentication for Google Apps by OAuth is required.

My situation is pretty much identical to jwdevel. I use sendmail with Cyrus-SASL, "SMART_HOST" and an "authinfo" file (user ID and password) to deliver outgoing email from my domain to the google email servers (google hosts my MX records as part of what is now G Suite).

I have no interest in using a GUI that talks OAuth2. I want a daemon to act as the outgoing relay for my domains. I am aware that postfix, or a relay service, probably present the best options if I can't fix sendmail.

I would like to configure sendmail to use OAuth2, but can't find any guides, and would appreciate any pointers.
 
authenticate with an App Password
App Passwords require 2-Step Verification. I'm not sure how that would work with a sendmail daemon, but I'd be happy to know if and how it might be possible. i.e. without the requirement for sendmail to autonomously read a code from a cell phone text message. I'm not being facetious here -- just ignorant of the options.

My primary focus remains to configure sendmail to use OAuth2.
 
I don't see why it wouldn't work. I have it working with opensmtpd and mbsync. Once you have 2FA enabled, you just use an app password instead of the one you use for login.
 
Like many others before me, I assumed that 2FA requires an interactive exchange -- you try to login, google sends you a key out of band (typically via cell phone or email), you then enter the key, and login completes. It seems I am mistaken, and that 2FA is not universally applied when Application Passwords are used. But I still don't understand how and when a 2FA challenge may occur.

In any event, I have now found these, which support your suggestion:
I'll try them soon, and report back. Thanks.
 
Do not confuse xoauth2, 2FA and App Passwords. They are three different things.

For App Passwords you need 2FA and that has a disadvantage:

 
Just to tidy up, for those who arrive via a search engine...

I have discovered that Google's Application Passwords are designed to avoid Google's 2-Step Verification. It took me a while to work that out, since Google's documentation is, at best, obtuse.

If you currently use "Less Secure Apps" with your regular Google login and password (gmail or gsuite) to authenticate to a Google SMTP server with sendmail, all you have to do to comply with the new regime (commencing October 2024) is:
  1. enable 2-Step Verification for your interactive Google login;
  2. generate an Application Password;
  3. replace your regular password with the Application Password when authenticating (change the password in /etc/mail/authinfo and remake authinfo.db); and
  4. restart sendmail.
 
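The four steps above, as an added shell example that is not from the thread and not gpw928's own script: it assumes sendmail's FEATURE(`authinfo') map lives at /etc/mail/authinfo, uses the `AuthInfo:` line format that map expects, takes `smtp.gmail.com` as the SMART_HOST and `user@example.com` as a placeholder login, and restarts sendmail with FreeBSD's `service` command. The map file is kept root-only because it now holds a credential that is as good as the App Password itself; the length check reflects a later post in this thread that reports sendmail's authinfo refusing lines longer than 1024 characters.

```shell
#!/bin/sh
# Added example (not from the forum thread): stage a Google App Password into
# sendmail's authinfo map, rebuild authinfo.db and restart sendmail.
# Assumptions: FEATURE(`authinfo') with a hash map at $AUTHINFO_FILE,
# smtp.gmail.com as SMART_HOST, FreeBSD rc for the restart.

AUTHINFO_FILE="${AUTHINFO_FILE:-/etc/mail/authinfo}"

# Build the AuthInfo line for one relay host. Google shows App Passwords in
# four groups of four characters; the spaces are display only, so strip them.
# U: is the authorization identity, I: the authentication identity; for Gmail
# both are the account address.
authinfo_entry() {
    host=$1; login=$2; app_password=$3
    app_password=$(printf '%s' "$app_password" | tr -d ' ')
    printf 'AuthInfo:%s "U:%s" "I:%s" "P:%s" "M:PLAIN"\n' \
        "$host" "$login" "$login" "$app_password"
}

# A later post in this thread reports authinfo rejecting lines over 1024
# characters (hit with xoauth2 tokens); refuse such an entry before installing.
check_entry_length() {
    len=$(printf '%s' "$1" | wc -c | tr -d ' ')
    [ "$len" -le 1024 ]
}

# Steps 3 and 4 of the post: replace the entry for $host, keep the plaintext
# file and the .db root-readable only, remake the map, restart sendmail.
# Must run as root; needs sendmail's makemap(8).
install_app_password() {
    host=$1; login=$2; app_password=$3
    entry=$(authinfo_entry "$host" "$login" "$app_password")
    check_entry_length "$entry" || { echo "authinfo line exceeds 1024 bytes" >&2; return 1; }
    tmp=$(mktemp "${AUTHINFO_FILE}.XXXXXX") || return 1
    if [ -f "$AUTHINFO_FILE" ]; then
        grep -Fv "AuthInfo:$host " "$AUTHINFO_FILE" > "$tmp" || true   # drop the old entry for this host
    fi
    printf '%s\n' "$entry" >> "$tmp"
    chmod 600 "$tmp"
    mv "$tmp" "$AUTHINFO_FILE"
    makemap hash "$AUTHINFO_FILE" < "$AUTHINFO_FILE"   # writes $AUTHINFO_FILE.db
    chmod 600 "$AUTHINFO_FILE.db"
    service sendmail restart   # FreeBSD; use your platform's equivalent elsewhere
}

# Usage (as root):
#   install_app_password smtp.gmail.com user@example.com 'abcd efgh ijkl mnop'
```

Run it once with the App Password copied straight from Google's page; afterwards `sendmail -v -t` on a test message should show `235 2.7.0 Accepted` from the relay if the entry is correct.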
Hi,

I am also looking for solutions to let sendmail work with oauth2 mail provider, not for gmail but for outlook.

My current situation is that I am blocked because of sendmail/outlook incompatibility.

After searching a lot, I was able to have sendmail communicate with Outlook's servers and somehow exchange xoauth2 information.

I say somehow, because the incompatibility is here: Outlook gives very long access tokens, and that led to a passed string more than 1024 characters long, while sendmail's authinfo limits line length to 1024.

I tried with the sasl plugin mentioned in the first post.

I don't know how that may work with gmail as I don't have account there.

K.
 
Not sure about Google - for Office 365, I've used https://davmail.sourceforge.net/ with success in the past. It proxies the OAuth2 flow and allows you to keep using plain login access for the (local) client.
I expect there is similar software out there that works with Gmail?

You might be able to put something like that in front of sendmail to keep sending via regular SMTP. Also, there may be other options like using application authentication based secrets, as pointed out by gpw928.
 
In addition to the fact that it depends on java, I read when searching, that it may have some limitations and slowness. I thought I saw this information on the projects' page, but it is not there, and I can't find the information any more.

In the meantime, I was successful with the combination of procmail as a mailer for sendmail, msmtp as a forwarder for procmail, and mutt_oauth2 for managing the tokens.

I am not very satisfied, as it adds too many components to the chain (it needs to be noted that mutt_oauth2 depends on python3, and maybe others), and I would prefer to keep this host as slim as possible.

If I am not wrong, outlook does not allow any more app passwords.
 