-
-
Notifications
You must be signed in to change notification settings - Fork 113
/
Copy pathemailproxy.config
118 lines (97 loc) · 7 KB
/
emailproxy.config
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
[Email OAuth 2.0 Proxy configuration file]
documentation = This is a sample Email OAuth 2.0 Proxy configuration file. Configure the proxy by adding items in the
[Server setup] and [Account setup] sections below. Documentation is provided inline, with example setups for Gmail
and Office 365 (though you will need to enter your own desktop app API client credentials in the accounts section).
[Server setup]
documentation = Local servers are specified as demonstrated below where, for example, the section heading [IMAP-1993]
gives the type (which can be IMAP or SMTP) and the local port to listen on (i.e., 1993, etc). The local port number
must be above 1023 (unless the proxy script is run via sudo), below 65536, and unique across local servers. Multiple
accounts can share the same server, however. Each server section must specify the `server_address` and `server_port`
of the remote server that it will be proxying - you can obtain these values from your email provider, or use the
details below for Office 365 and/or Gmail.
To allow the proxy to operate, your email client must be set up to use an unencrypted connection for both SMTP and
IMAP (i.e., no STARTTLS or SSL/TLS, just plain login credentials). The proxy will create a secure connection on your
behalf to the remote server from the outset by default (i.e., implicit SSL/TLS); see below if STARTTLS is required.
Server customisation:
- If your SMTP server uses the STARTTLS approach, add `starttls = True`, as shown in the [SMTP-1587] example below
(assumed to be False otherwise). With this parameter set, STARTTLS negotiation will be handled by the proxy on your
behalf (i.e., do not enable STARTTLS in your client). IMAP STARTTLS is not currently supported.
- If the property `local_address` is not specified, its value is assumed to be `localhost`. If required, this
parameter can be used to set an IP address or hostname for the proxy to listen on.
Advanced server configuration:
- In the standard configuration the channel between your email client and the proxy is unencrypted. This is not
normally of any concern since the proxy is typically a local-only service. However, if you prefer, you may provide
a `local_certificate_path` (e.g., /etc/letsencrypt/live/mail.example.net/fullchain.pem) and `local_key_path` (e.g.,
/etc/letsencrypt/live/mail.example.net/privkey.pem) for the server you are using the proxy with, and it will use
these to set up a secure connection between itself and your email client.
[IMAP-1993]
local_address = localhost
server_address = outlook.office365.com
server_port = 993
[SMTP-1587]
server_address = smtp.office365.com
server_port = 587
starttls = True
[IMAP-1995]
server_address = imap.gmail.com
server_port = 993
[SMTP-1465]
server_address = smtp.gmail.com
server_port = 465
[Account setup]
documentation = Accounts are specified using your email address as the section heading (e.g., [[email protected]],
below). Account usernames (i.e., email addresses) must be unique - only one entry per account is permitted. Each
account section must provide values for `permission_url`, `token_url`, `oauth2_scope` and `redirect_uri`. If you
are adding an account for a service other than Office 365 or Gmail then the provider's documentation should give
these details. For Gmail and Office 365 you can simply copy the values from the examples below.
You will also need to add your own `client_id` and `client_secret` values as indicated below. These can either be
copied from an existing source (such as another email client that supports OAuth 2.0), or you can register and use
your own desktop app API client credentials. See https://developers.google.com/identity/protocols/oauth2/native-app
and the Microsoft link below for details. Multiple accounts on the same server can use the same values for the
`client_id` and `client_secret` properties; just duplicate these in each account's entry below. Note that there are
also example account configurations for AOL and Yahoo Mail below, but these services are not currently accepting new
OAuth 2.0 client registrations with the mail access scope, so reusing existing credentials is the only option here.
Once the proxy is correctly configured, after the first successful use of an account its access token details will
be cached in this configuration file, encrypted with the password you use in your email client. The password set in
your email client is not used for authentication (which is done separately via a web browser), so it can be
different to your real account password, which is helpful for debugging. See the proxy's readme for more information
and further configuration options: https://github.com/simonrob/email-oauth2-proxy/blob/main/README.md.
Office 365 customisation:
- If your Office 365 configuration requires a tenant ID, place it in both `permission_url` and `token_url` in place
of `common` in the example below. For more detail about this, and guides for setting up your desktop app API client,
see the documentation at https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app.
- Office 365 shared mailboxes are supported: add an account entry here using the email address of the shared
mailbox as the account name. When asked to authenticate, log in as the user that access has been delegated to.
Advanced account configuration:
- For most configurations the default `redirect_uri` value is correct, but when using the `--local-server-auth`
proxy option you will need to either run the script via sudo (to use the implicit default port 80) or specify a port
(and/or a different host) - for example, `redirect_uri = http://localhost:8080`. In addition, when using this option
each account must have a unique `redirect_uri` (normally achieved by specifying a different port for each one).
permission_url = https://login.microsoftonline.com/common/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/common/oauth2/v2.0/token
oauth2_scope = https://outlook.office365.com/IMAP.AccessAsUser.All https://outlook.office365.com/SMTP.Send offline_access
redirect_uri = http://localhost
client_id = *** your client id here ***
client_secret = *** your client secret here ***
permission_url = https://accounts.google.com/o/oauth2/auth
token_url = https://oauth2.googleapis.com/token
oauth2_scope = https://mail.google.com/
redirect_uri = http://localhost
client_id = *** your client id here ***
client_secret = *** your client secret here ***
permission_url = https://api.login.yahoo.com/oauth2/request_auth
token_url = https://api.login.yahoo.com/oauth2/get_token
oauth2_scope = mail-w
redirect_uri = http://localhost
client_id = *** your client id here ***
client_secret = *** your client secret here ***
permission_url = https://api.login.aol.com/oauth2/request_auth
token_url = https://api.login.aol.com/oauth2/get_token
oauth2_scope = mail-w
redirect_uri = http://localhost
client_id = *** your client id here ***
client_secret = *** your client secret here ***