
Outbound mail through SMTP

The cloud services now all support OAUTH2 as an authentication method for SMTP, and CMS provides an internal broker service to acquire and expose the OAUTH access token needed for SMTP.

This allows the use of several normal SMTP tools without having to revert to BASIC authentication.

CMS Configuration

CMS uses a UNIX domain socket to expose the access token. CMS must be running to maintain a fresh token.

This feature is enabled in the configuration file:

```python
account = Office365_Account(user="user@domain.com")
Office365("inbox", account)
CredentialServer("/var/run/user/XXX/cms.sock", accounts=[account])
```

Upon restart CMS will acquire and maintain an OAUTH token with the SMTP scope for each of the specified accounts, and serve token requests on the specified socket path.

Configuration Test

CMS provides the cms-oauth tool to get tokens out of the daemon. It has a test mode which should be used to verify that authentication to the SMTP server is working correctly:

```sh
$ cms-oauth --user=user@domain.com --cms_sock=/var/run/user/XXX/cms.sock --test-smtp=smtp.office365.com
```

On success the last log line will report something like:

```
reply: retcode (235); Msg: b'2.7.0 Authentication successful'
```
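What the test mode above exercises, as an added example that is not part of CMS itself: fetch the SASL string from the credential socket (the same request the exim authenticator below issues via readsocket), base64-encode it for AUTH XOAUTH2, and hand it to smtplib. The socket request/reply format is an assumption stated in the comments, the token value is a placeholder, and `demo_broker_exchange` runs the exchange against a constructed stand-in socket so it works offline.

```python
import base64
import smtplib
import socket
import tempfile
import threading

# Assumed broker protocol (not checked against the CMS source): the client
# writes "SMTP <user>", half-closes, and reads back the raw XOAUTH2 SASL
# string "user=<user>\x01auth=Bearer <token>\x01\x01" until EOF.
def fetch_sasl_from_broker(sock_path: str, user: str) -> str:
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(f"SMTP {user}".encode())
        s.shutdown(socket.SHUT_WR)  # end of request; the token follows
        return b"".join(iter(lambda: s.recv(4096), b"")).decode()

def xoauth2_initial_response(sasl: str) -> str:
    # AUTH XOAUTH2 carries the SASL string base64-encoded on the wire; exim's
    # plaintext client_send applies the same encoding before sending.
    return base64.b64encode(sasl.encode()).decode()

def send_with_broker_token(host: str, sock_path: str, user: str, rcpts: list, msg: bytes) -> None:
    # Bearer credential from the broker over STARTTLS: the mail client never
    # sees a password, which is what makes BASIC auth unnecessary.
    sasl = fetch_sasl_from_broker(sock_path, user)
    with smtplib.SMTP(host, 587) as smtp:
        smtp.starttls()
        # On a 334 challenge (the server's base64 JSON error) answer with an
        # empty line so the server sends its final 535 and smtplib raises.
        smtp.auth("XOAUTH2", lambda challenge=None: sasl if challenge is None else "")
        smtp.sendmail(user, rcpts, msg)

def demo_broker_exchange(user: str = "user@domain.com") -> tuple:
    # Constructed stand-in for the CMS socket so the exchange runs offline;
    # the token is a placeholder, not a real credential.
    sasl = f"user={user}\x01auth=Bearer PLACEHOLDER_TOKEN\x01\x01"
    path = tempfile.mkdtemp() + "/cms.sock"
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            req = b"".join(iter(lambda: conn.recv(4096), b""))
            conn.sendall(sasl.encode() if req == f"SMTP {user}".encode() else b"")
    threading.Thread(target=serve, daemon=True).start()
    got = fetch_sasl_from_broker(path, user)
    srv.close()
    return got == sasl, xoauth2_initial_response(got)
```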

exim 4

Exim is a long standing UNIX mail system that is fully featured. exim's flexible authentication can support the use of OAUTH tokens:

```
begin authenticators

xoauth2_smart:
  driver = plaintext
  client_condition = ${if !eq{$tls_out_cipher}{}}
  public_name = XOAUTH2
  client_ignore_invalid_base64 = true
  client_send = : ${readsocket{/home/XX/mail/.cms/exim/cms.sock}{SMTP user@domain}}
```

Since exim runs as a system daemon, permissions must be set to allow access to the socket:

```sh
cd /home/XX/mail/.cms
mkdir exim
chmod 0750 exim
sudo chgrp Debian-exim cms
```

And the CMS configuration must specify a umask:

```python
CredentialServer("/home/XX/mail/.cms/exim/cms.sock", accounts=[account], umask=0o666)
```

A fully functional exim4.conf is provided. This minimal, relay-only config can replace the entire configuration from the distro, after making the adjustments noted. In this mode /usr/bin/sendmail will be fully functional for outbound mail, and if multiple accounts are configured, exim will automatically choose the account to send mail through based on the Envelope From address.

msmtp

msmtp is a small program that pretends to be sendmail and immediately sends the message to the configured server. Newer versions have the ability to call out to an external program to get an OAUTH token. An example configuration is provided showing how to connect it to CMS.

Support for gmail requires msmtp 1.8.4, and support for O365 requires a patch.

git send-email

There is currently no native support for XOAUTH2. Once one of the above two methods has been used to set up a local sendmail, use this .git_config:

```
[sendemail]
    smtpserver = /usr/bin/msmtp
    from = User Name <user@domain.com>
    envelopeSender = User Name <user@domain.com>
    assume8bitEncoding = UTF-8
    transferEncoding = auto
```