Comments (5)

marcelolaia avatar marcelolaia commented on August 15, 2024 1

Finally, I figured out how to bypass AppArmor in my issue!
Here is the step-by-step to configure msmtp + OAuth2 in a Debian Testing (Linux marcelo 5.7.0-2-amd64 #1 SMP Debian 5.7.10-1 (2020-07-26) x86_64 GNU/Linux)

  1. Read Christian Tenllado's tutorial here.
  2. Download oauth2token from here and oauth2.py from here.
  3. Save those files in /home/youruser/bin/OAuth2/ (my suggestion).
  4. chmod u+r+x oauth2.py and chmod u+r+x oauth2token.
  5. Edit the msmtprc file. This is the relevant section:
    account YZYZYZ
    host smtp.gmail.com
    from [email protected]
    port 587
    protocol smtp
    tls on
    tls_trust_file /etc/ssl/certs/ca-certificates.crt
    auth oauthbearer
    user [email protected]
    passwordeval /home/youruser/bin/OAuth2/oauth2token [email protected] YZYZYZ

Pay particular attention: YZYZYZ is repeated five times.

  1. Proceed to Luxing Huang tutorial steps 1 to 5 and setup the Google recommended OAuth 2.0 way for Mutt, msmtp, offlineimap and so on.
  2. You’ll be given an OAuth client ID and secret. Write this down somewhere.
  3. Run this command:
    $ ./oauth2.py [email protected] --client_id=2345...0123.apps.googleusercontent.com --client_secret=s_ec_ret --generate_oauth2_token
  4. Access the link given, authenticate yourself, login and grant permission.
  5. Paste the response code back to terminal.
  6. Write down the access token and refresh token somewhere.
  7. Store the client-id, client-secret and refresh keys by using secret-tool (apt install libsecret-tools):
    secret-tool store --label=msmtp-oauth2 YZYZYZ client-id
    Password:<copy client-id and paste it here>
    secret-tool store --label=msmtp-oauth2 YZYZYZ client-secret
    Password:<copy client-secret and paste it here>
    secret-tool store --label=msmtp-oauth2 YZYZYZ refresh
    Password:<copy refresh and paste it here>

Pay particular attention to YZYZYZ.
Open gnome-keyring (apt install gnome-keyring) and check if those tokens are correct.

  1. Verify if msmtp is ruled by AppArmor by running:
    $ sudo aa-status | grep msmtp
       msmtp
       msmtp//helpers

If you see an output like the above, it is ruled.

Edit /etc/apparmor.d/usr.bin.msmtp and insert these rules:

    @{HOME}/bin/OAuth2/oauth2.py     PUx,
    @{HOME}/bin/OAuth2/oauth2token   PUx,
  1. The end of the /etc/apparmor.d/usr.bin.msmtp file will look like this:
    owner /tmp/*     rw,

    /usr/bin/secret-tool             PUx,
    /usr/bin/gpg{,2}                 PUx,
    /usr/bin/pass                    PUx,
    /usr/bin/head                    PUx,
    /usr/bin/keyring                 PUx,
    /{,usr/}bin/cat                  PUx,
    @{HOME}/bin/OAuth2/oauth2.py     PUx,
    @{HOME}/bin/OAuth2/oauth2token   PUx,

  }

  #include <local/usr.bin.msmtp>
}
  1. Run:
    $ sudo aa-enforce /etc/apparmor.d/usr.bin.msmtp

To test, send me an e-mail at marcelolaia at gmail dot com

(Please, can an expert read these steps and revise them, please?)

from msmtp.
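
Before editing the profile, it helps to confirm that AppArmor is what blocks the passwordeval helper. The following is an added example, not code from this thread or from the msmtp project: a shell function that filters kernel audit lines for denials charged to the msmtp profiles. The log lines are constructed, and the profile names are assumed to match the ones aa-status prints above.

```shell
#!/bin/sh
# Added example: list AppArmor denials charged to the msmtp profiles.

# Constructed sample audit lines (not captured from a real system).
sample_log() {
cat <<'EOF'
kernel: audit: type=1400 audit(1597485601.101:210): apparmor="DENIED" operation="exec" profile="msmtp//helpers" name="/home/youruser/bin/OAuth2/oauth2token" pid=4242 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
kernel: audit: type=1400 audit(1597485661.554:214): apparmor="DENIED" operation="exec" profile="msmtp//helpers" name="/home/youruser/bin/OAuth2/oauth2token" pid=4310 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
kernel: audit: type=1400 audit(1597485662.003:215): apparmor="ALLOWED" operation="open" profile="msmtp" name="/etc/msmtprc" pid=4309 comm="msmtp" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: audit: type=1400 audit(1597485670.900:216): apparmor="DENIED" operation="open" profile="example-daemon" name="/etc/shadow" pid=900 comm="exampled" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

# Read audit lines on stdin and print "profile operation path denied_mask"
# once per distinct denial whose profile is msmtp or one of its children.
msmtp_denials() {
  awk '
    # Return the value of key="value" in the current line, or "-" if absent.
    function field(key,   re) {
      re = " " key "=\"[^\"]*\""
      if (!match($0, re)) return "-"
      return substr($0, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    /apparmor="DENIED"/ {
      p = field("profile")
      # Assumption: names appear as aa-status shows them (msmtp, msmtp//...).
      if (p != "msmtp" && index(p, "msmtp//") != 1) next
      line = p " " field("operation") " " field("name") " " field("denied_mask")
      if (!(line in seen)) { seen[line] = 1; print line }
    }'
}

sample_log | msmtp_denials
```

On a live system, feed it the kernel log instead of the sample, for example `journalctl -k | msmtp_denials`.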

marcelolaia avatar marcelolaia commented on August 15, 2024

I found two issues:

  1. I need to disable /etc/apparmor.d/usr.bin.msmtp profile temporarily by running sudo aa-disable /etc/apparmor.d/usr.bin.msmtp

  2. The correct way to store the client-id, client-secret and refresh keys is:

secret-tool store --label=msmtp-oauth2 <account-name> client-id
secret-tool store --label=msmtp-oauth2 <account-name> client-secret
secret-tool store --label=msmtp-oauth2 <account-name> refresh

Now, I need to figure out how to add rules for msmtp+oauth2token+oauth2.py in the /etc/apparmor.d/usr.bin.msmtp file.

from msmtp.

marlam avatar marlam commented on August 15, 2024

Thank you very much for figuring this out. This is yet another example of AppArmor creating a problem that is hard to debug. I added a news entry on the msmtp web site about this in the hope that it may help others find this information.

from msmtp.

troyready avatar troyready commented on August 15, 2024

I can confirm the ^ apparmor changes worked for me too; I independently arrived at the same conclusion. I couldn't figure out how to get the equivalent change in /etc/apparmor.d/local/usr.bin.msmtp to work (which would be way more ideal)

from msmtp.
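
The following added example (not code from this thread or from the msmtp project) shows which profile scope each rule lands in. It assumes what the quoted profile tail and the aa-status output suggest: the helper exec rules sit in a `helpers` child profile, while `#include <local/usr.bin.msmtp>` is parsed in the parent `msmtp` scope, so rules placed in the local file would not extend the child. The profile excerpt is constructed; its `profile` headers and the `sh` transition rule are assumptions.

```shell
#!/bin/sh
# Added example: report the profile scope of exec rules and local includes.

# Constructed excerpt shaped like the profile tail quoted in the thread.
sample_profile() {
cat <<'EOF'
profile msmtp /usr/bin/msmtp {
  owner @{HOME}/.msmtp*            r,
  /{,usr/}bin/{ba,da,}sh           Cx -> helpers,
  profile helpers {
    owner /tmp/*     rw,
    /usr/bin/secret-tool             PUx,
    @{HOME}/bin/OAuth2/oauth2.py     PUx,
    @{HOME}/bin/OAuth2/oauth2token   PUx,
  }
  #include <local/usr.bin.msmtp>
}
EOF
}

# Read a profile on stdin; print "exec SCOPE MODE PATH [fallback=unconfined]"
# for exec rules and "include SCOPE FILE" for local includes.
rule_scopes() {
  awk '
    /[{][ \t]*$/ {                          # line ending in "{" opens a profile
      name = ($1 == "profile") ? $2 : $1
      depth++
      scope[depth] = name
      if (depth > 1) scope[depth] = scope[depth - 1] "//" name
      next
    }
    /^[ \t]*[}][ \t]*$/ { depth--; next }   # a lone "}" closes the current one
    $1 == "#include" && index($2, "<local/") == 1 {
      print "include", scope[depth], $2
      next
    }
    {
      for (i = 2; i <= NF; i++)
        if ($i ~ /^[PpCcUui]+x,?$/) {       # exec mode such as Cx or PUx
          mode = $i; sub(/,$/, "", mode)
          # A "U" in the mode means: run unconfined if the target has no profile.
          note = (mode ~ /U/) ? " fallback=unconfined" : ""
          print "exec " scope[depth] " " mode " " $1 note
        }
    }'
}

sample_profile | rule_scopes
```

The `fallback=unconfined` marker is the part to review: with `PUx`, a helper under `@{HOME}` that has no profile of its own runs without AppArmor confinement.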

marlam avatar marlam commented on August 15, 2024

There is hope that the AppArmor profile will be fixed or will be opt-in, see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975333

from msmtp.
