postfix and xoauth2 (for gmail authentication)

gattocarlo · 03-26-2024, 10:42 AM

Hi,

I'm facing what I think is a weird problem with postfix and xoauth2 and I'm not able to debug it.

I have two machines, my laptop and my home server, both running updated slackware 15.

Since I use different email accounts, personal ones with my domain (hosted on my home server) and some gmail accounts for work, on my laptop I set up postfix to relay messages sent from my gmail accounts through gmail and messages sent from my personal accounts through my home server. Since the authentication on gmail requires xoauth2, while my server requires a normal login (over TLS), my laptop postfix configuration uses two different transports, one with

Code:

smtp_sasl_mechanism_filter = xoauth2

and one with

Code:

smtp_sasl_mechanism_filter = login

I then use:

Code:

smtp_sender_dependent_authentication
sender_dependent_default_transport_maps
sender_dependent_relayhost_maps

The XOAUTH2 SASL mechanism is provided by the cyrus-sasl-xoauth plugin for cyrus-sasl.

I wrote a small deamon which periodically updates the access tokens of my gmail accounts and everything works perfectly fine.

I wanted to replicate this setup on my home server but postfix here is not working. When using gmail to relay the messages everything seems to be working fine: the correct SASL mechanism is used, the appropriate username is sent to the gmail stmp server, but the response it gets form gmail causes a segfault.

This is (the edited) /var/log/maillog

Code:

postfix/smtp[40578]: smtp_sasl_authenticate: smtp.gmail.com[142.250.102.109]:587: SASL mechanisms XOAUTH2
postfix/smtp[40578]: xsasl_cyrus_client_get_user: my_email_account@gmai.com
postfix/qmgr[40576]: warning: private/gmail socket: malformed response
postfix/master[40574]: warning: process /usr/libexec/postfix/smtp pid 40578 killed by signal 11
postfix/master[40574]: warning: /usr/libexec/postfix/smtp: bad command startup -- throttling

(private/gmail is the name of the transport I use to select "smtp_sasl_mechanism_filter = xoauth2")

In /var/log/messages I get:

Code:

smtp[40578]: segfault at 4044 ip 00005653e92bbe20 sp 00007ffc7af69080 error 4 in smtp[5653e92ae000+f000]
kernel: Code: 89 28 8d 53 01 48 8d 78 08 4c 89 e6 48 63 d2 e8 d6 22 ff ff 31 c0 48 83 c4 08 5b 5d 41 5c 41 5d c3 66 0f 1f 84 00 00 00 00 00 <48> 8b 56 40 48 8d 3d 71 2c 00 00 31 c0 48 8d 35 ee 51 00 00 e8 37

I spent a few hours searching the web and found someone with similar issues, usually related to the SASL mechanism or smtp_tls_fingerprint_digest. But in my case I get a similar result when I unistall cyrus-sasl-xoauth2.

It seems like the xouth2 plugin is not working properly even though the plugin seems to be loaded and working:

Code:

pluginviewer -c:
...
Plugin "xoauth2" [loaded],      API version: 4
        SASL mechanism: XOAUTH2, best SSF: 0
        security flags: NO_ANONYMOUS|PASS_CREDENTIALS
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION

I do not know what to do and how to debug the postfix smtp client. Any help or direction would be greatly appreciated.

I tried using a different cyrus plugin (sasl-xoauth2) but I wasn't able to get sasl to load it...

Sorry for such a long post and thanks for your kind attention.

Best,
--
andrea

gattocarlo · 03-27-2024, 09:19 AM

I was eventually able to fix my problem, sort of... but I'm not marking this thread as solved because I believe I came to hit a slackware specific issue.

Now, the fact is that slackware already comes with a sasl plugin which provides the xoauth2 mechanism: libkgapi, a KDE library implementing APIs for various google services (gmail seems not to be included).

I do not know why, but while on my laptop that plugin is loaded after cyrus-sasl-xoauth2 plugin (which thus seems to take the precedence over libkdexoauth2.so) on my sever it is the other way around: libkdexoauth2.so is loaded before cyrus-sasl-xoauth2. So postfix, through cyrus-sasl, is using it and that is causing postfix to segfault with a SIGSEGV.

I do not use KDE, except for some minor services (basically kdeconnectd), so my sort of fix on my server was to get rid of libkdexoauth2.so, and that makes it possible to correctly relay email massages through smtp.gmail.com with xoauth2.

I'm far from being an sasl expert, and I was not able to find any documented way to select which plugin to use for each service. But I think that, for a distribution like slackware, being able to use postfix to relay messages with xoauth2 through gmail is something useful. Presently it seems like this is possible only if you are lucky... I believe that further investigation of this issue would be useful.

best,
andrea