HTTP Error 401: Unauthorized - SMTP - Outlook #61

Closed
KodakMaciel opened this issue Apr 17, 2023 · 8 comments

Comments

@KodakMaciel

KodakMaciel commented Apr 17, 2023

Hello, I'm trying to configure xoauth2 on my Linux server. I followed the README as instructed; after running the command below and pasting the resulting URL back into the tool, I get the 401 error described below.

[root@ip-172-31-66-222 ~]# sasl-xoauth2-tool get-token outlook --client-id= --tenant=
Please visit the following link in a web browser, then paste the resulting URL:

https://login.microsoftonline.com/xxxxxxxxx-xxxxx-xxxx-xxxxxxxx-xxxxxxx/oauth2/v2.0/authorize...

I return:
Resulting URL: https://login.microsoftonline.com/common/oauth2/nativeclient.....xxxxxxxxx/xxxx/xx

Error:

Traceback (most recent call last):
  File "/usr/bin/sasl-xoauth2-tool", line 301, in <module>
    main()
  File "/usr/bin/sasl-xoauth2-tool", line 294, in main
    args.func(args)
  File "/usr/bin/sasl-xoauth2-tool", line 200, in subcommand_get_token
    args.output_file,
  File "/usr/bin/sasl-xoauth2-tool", line 183, in get_token_outlook
    tokens = outlook_get_initial_tokens(client_id, tenant, code)
  File "/usr/bin/sasl-xoauth2-tool", line 167, in outlook_get_initial_tokens
    headers={ "Content-Type": "application/x-www-form-urlencoded" }))
  File "/usr/lib64/python3.6/urllib/request.py", line 223, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib64/python3.6/urllib/request.py", line 532, in open
    response = meth(req, response)
  File "/usr/lib64/python3.6/urllib/request.py", line 642, in http_response
    'http', request, response, code, msg, hdrs)
  File "/usr/lib64/python3.6/urllib/request.py", line 570, in error
    return self._call_chain(*args)
  File "/usr/lib64/python3.6/urllib/request.py", line 504, in _call_chain
    result = func(*args)
  File "/usr/lib64/python3.6/urllib/request.py", line 650, in http_error_default
    raise HTTPError(req.full_url, code, msg, hdrs, fp)
urllib.error.HTTPError: HTTP Error 401: Unauthorized

@KodakMaciel KodakMaciel changed the title HTTP Error 401: Unauthorized - SMTP - Outlook - HELP! HTTP Error 401: Unauthorized - SMTP - Outlook Apr 17, 2023
@tarickb
Owner

tarickb commented Apr 17, 2023

Did you enable API permissions for SMTP.Send in the Azure portal?

@KodakMaciel
Author

KodakMaciel commented Apr 17, 2023

Yes!
[image attachment]

> Did you enable API permissions for SMTP.Send in the Azure portal?

@krzsztf1

Hello,
I've had the similar problem recently. The problem was that the sasl-xoauth2-tool tool is not sending the secret to the Microsoft endpoint. The whole message behind my 401 error was "The request body must contain the following parameter: 'client_assertion' or 'client_secret'". I've made necessary changes in the code and it worked.
I've opened a new pull request (#62)
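The root cause described in this comment is a token request posted without `client_secret`, which Microsoft's v2.0 token endpoint rejects with AADSTS7000218; the original traceback hid that detail because `urllib` raises on the 401 before the JSON body is ever read. The following Python is an added example, not code from this issue or from sasl-xoauth2, showing a token request that refuses to send an empty secret and an error handler that surfaces the AADSTS code. The tenant placeholder in `TOKEN_ENDPOINT` and the function names are assumptions; the sample 401 body is a constructed copy of the one quoted later in this thread.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumed placeholder: the real v2.0 endpoint carries the tenant id in the path.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/oauth2/v2.0/token"

# Constructed 401 body in the shape the token endpoint returned in this issue
# (Trace/Correlation IDs redacted, as in the original report).
SAMPLE_401_BODY = json.dumps({
    "error": "invalid_client",
    "error_description": "AADSTS7000218: The request body must contain the following "
                         "parameter: 'client_assertion' or 'client_secret'.\r\n"
                         "Trace ID: xxxxx-00ad-xxxxx-a41a-xxxxxxxx\r\n"
                         "Correlation ID: xxxxxx-4c99-424b-xxxx-xxxxxxxx\r\n"
                         "Timestamp: 2023-04-20 12:46:46Z",
    "error_codes": [7000218],
    "error_uri": "https://login.microsoftonline.com/error?code=7000218",
})


def build_token_request_body(client_id, client_secret, grant_type, **grant_params):
    """Form-encode a v2.0 token request, refusing to send an empty secret.

    The tool in this issue posted client_secret= (empty), which the endpoint
    rejects with AADSTS7000218 before it looks at the code or refresh token.
    """
    if not client_secret:
        raise ValueError("client_secret is empty; this app registration requires a "
                         "client_secret (or client_assertion) in the token request")
    params = {"client_id": client_id, "client_secret": client_secret,
              "grant_type": grant_type, **grant_params}
    return urllib.parse.urlencode(params).encode("ascii")


def describe_token_error(status, body_text):
    """Turn an OAuth error body into a small dict with the AADSTS code exposed.

    urllib only reports 'HTTP Error 401: Unauthorized'; the actionable detail
    is in the JSON body that the traceback above never showed.
    """
    try:
        data = json.loads(body_text)
    except ValueError:
        return {"status": status, "error": "non_json_response",
                "aadsts": "", "description": body_text[:200]}
    description = data.get("error_description", "")
    # Keep only the first line; the rest is trace/correlation metadata.
    first_line = description.split("\r\n", 1)[0]
    aadsts = first_line.split(":", 1)[0] if first_line.startswith("AADSTS") else ""
    return {"status": status, "error": data.get("error", ""),
            "aadsts": aadsts, "description": first_line}


def post_token_request(endpoint, body):
    """POST the form body; on a 4xx/5xx, raise with the decoded error, not a bare HTTPError."""
    req = urllib.request.Request(
        endpoint, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        detail = describe_token_error(exc.code, exc.read().decode("utf-8", "replace"))
        raise RuntimeError(f"token endpoint returned {detail['status']} {detail['error']} "
                           f"{detail['aadsts']}: {detail['description']}") from None


if __name__ == "__main__":
    # Offline demonstration: what the 401 in this issue actually says.
    print(describe_token_error(401, SAMPLE_401_BODY))
    # Online use with real values (uncomment and fill in):
    # body = build_token_request_body("CLIENT_ID", "CLIENT_SECRET", "refresh_token",
    #                                 refresh_token="REFRESH_TOKEN")
    # print(post_token_request(TOKEN_ENDPOINT, body))
```

Reading `exc.read()` inside the `HTTPError` handler is the one change that would have turned the bare "401: Unauthorized" in the first post into the "client_secret missing" message that actually explains it.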

@KodakMaciel
Author

> Hello, I've had the similar problem recently. The problem was that the sasl-xoauth2-tool tool is not sending the secret to the Microsoft endpoint. The whole message behind my 401 error was "The request body must contain the following parameter: 'client_assertion' or 'client_secret'". I've made necessary changes in the code and it worked. I've opened a new pull request (#62)

Hello, I tested your change and managed to ask for the secret token, but now the access_token is thrown on my screen and is not saved anywhere, can you tell me where it should be saved and what the syntax of the content inside the file should be ?

@tarickb
Owner

tarickb commented Apr 20, 2023

Copying my comment from #62:

The token tool will write the resulting access token to a file if you specify a path on the command line. See the example usage here (look for PATH_TO_TOKENS_FILE).

And thanks @krzsztf1 for the fix! I can only assume something changed with Microsoft's OAuth 2 flow, because I've gone through the setup flow with this tooling in the past and it worked (or maybe the secret is required only for folks specifying a tenant?).

@KodakMaciel
Author

> Copying my comment from #62:
>
> The token tool will write the resulting access token to a file if you specify a path on the command line. See the example usage here (look for PATH_TO_TOKENS_FILE).
>
> And thanks @krzsztf1 for the fix! I can only assume something changed with Microsoft's OAuth 2 flow, because I've gone through the setup flow with this tooling in the past and it worked (or maybe the secret is required only for folks specifying a tenant?).

Hi!! @tarickb @krzsztf1
I made some adjustments and it was possible to send the response token to the /etc/token/abc@abc.com file

I'm still getting some errors, I collected the data and settings to see if you can help me, follow below.

Note: I changed the sensitive words/tokens, but where they are described they are related.

OS

[root@ postfix]# cat /etc/redhat-release
AlmaLinux release 8.4 (Electric Cheetah)

Command to get the token

sasl-xoauth2-tool get-token outlook /etc/tokens/abc@abc.com --client-id=coffe --tenant=juice

Token file permissions

[root@ tokens]# ll /etc/tokens
total 4
-rwx------ 1 postfix postfix 2784 Apr 19 18:48 abc@abc.com

Tokens Folder

[root@ etc]# ll | grep tokens
drwxr-xr-x   2 postfix postfix     38 Apr 19 18:48 tokens

Token file content

[root@ tokens]# cat abc@abc.com
{
    "access_token": "newspaper123",
    "refresh_token": "money999",
    "expiry": 0
}

CHROOT

[root@ postfix]# grep -E '^(smtp|.*chroot)' /etc/postfix/master.cf
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
smtp      unix  -       -       n       -       -       smtp

sasl-xoauth2.conf

[root@ tokens]# cat /etc/sasl-xoauth2.conf
{
  "client_id": "coffe",
  "client_secret": "",
  "log_full_trace_on_failure": "yes",
  "log_to_syslog_on_failure": "yes",
  "token_endpoint": "https://login.microsoftonline.com/juice/oauth2/v2.0/token"
}

Postfix Folder

[root@ tokens]# ll /etc/postfix
total 256
-rw-r--r-- 1 root    root    21111 Sep  7  2019 access
drwxr-xr-x 2 root    root      144 Apr 19 17:09 backup
-rw-r--r-- 1 root    root    13194 Jun  3  2018 canonical
-rw-r--r-- 1 root    root       60 Oct  8  2021 dynamicmaps.cf
drwxr-xr-x 2 root    root        6 Oct  8  2021 dynamicmaps.cf.d
-rw-r--r-- 1 root    root    10221 Sep 17  2016 generic
-rw-r--r-- 1 root    root    23882 Dec 10  2021 header_checks
-rw-r--r-- 1 root    root    12288 Dec 10  2021 header_checks.db
-rw-r--r-- 1 root    root    29864 Feb  7 17:05 main.cf
-rw-r--r-- 1 root    root    29130 Oct  8  2021 main.cf.proto
-rw-r--r-- 1 root    root     6372 Oct  8  2021 master.cf
-rw-r--r-- 1 root    root     6372 Oct  8  2021 master.cf.proto
-rw-r--r-- 1 root    root    20163 Oct  8  2021 postfix-files
drwxr-xr-x 2 root    root        6 Oct  8  2021 postfix-files.d
-rw-r--r-- 1 root    root     6929 Feb 13  2016 relocated
-rw-r--r-- 1 root    root       85 Apr 19 17:21 sasl-passwords
-rw-r--r-- 1 root    root    12288 Apr 19 17:38 sasl-passwords.db
-rw-r--r-- 1 root    root       30 Dec 10  2021 sender_canonical_maps
-rw-r--r-- 1 root    root    12288 Dec 10  2021 sender_canonical_maps.db
-rw-r--r-- 1 root    root    13436 Jan 11  2020 transport
-rw-r--r-- 1 root    root    13963 Jun  3  2018 virtual

Postfix sasl-passwords

[root@ postfix]# cat sasl-passwords
smtp.office365.com:587 abc@abc.com:/etc/tokens/abc@abc.com

Postfix Main

smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
smtp_tls_CApath = /etc/pki/tls/certs
meta_directory = /etc/postfix
shlib_directory = /usr/lib64/postfix

smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_sasl_auth_enable=yes
smtp_sasl_password_maps=hash:/etc/postfix/sasl-passwords
smtp_sasl_security_options=noanonymous
smtp_sasl_mechanism_filter = xoauth2

smtp_header_checks = regexp:/etc/postfix/header_checks
sender_canonical_classes = envelope_sender, header_sender
sender_canonical_maps = regexp:/etc/postfix/sender_canonical_maps

Messages - /var/log/messages

[root@ tokens]# tail -5 /var/log/messages
Apr 20 09:46:18  systemd[1]: Stopping Postfix Mail Transport Agent...
Apr 20 09:46:18  systemd[1]: postfix.service: Succeeded.
Apr 20 09:46:18  systemd[1]: Stopped Postfix Mail Transport Agent.
Apr 20 09:46:18  systemd[1]: Starting Postfix Mail Transport Agent...
Apr 20 09:46:18  systemd[1]: Started Postfix Mail Transport Agent.

Mail log - /var/log/maillog

[root@hosname-Example ~]# tail -n0 -f /var/log/maillog

Apr 20 09:46:42 hosname-Example postfix/pickup[2956016]: 17C5496FCB: uid=0 from=<root>
Apr 20 09:46:42 hosname-Example postfix/cleanup[2956023]: 17C5496FCB: message-id=<20230420124642.17C5496FCB@hosname-Example.localdomain>
Apr 20 09:46:42 hosname-Example postfix/qmgr[2956017]: 17C5496FCB: from=<abc@abc.com>, size=483, nrcpt=1 (queue active)
Apr 20 09:46:46 hosname-Example postfix/smtp[2956025]: 17C5496FCB: SASL authentication failed; cannot authenticate to server smtp.office365.com[52.97.34.xxx]: bad protocol / cancel
Apr 20 09:46:46 hosname-Example sasl-xoauth2[2956025]: auth failed:
Apr 20 09:46:46 hosname-Example sasl-xoauth2[2956025]:  2023-04-20 09:46:46: Client: created
Apr 20 09:46:46 hosname-Example sasl-xoauth2[2956025]:  2023-04-20 09:46:46: Client::DoStep: called with state 0
Apr 20 09:46:46 hosname-Example sasl-xoauth2[2956025]:  2023-04-20 09:46:46: Client::InitialStep: TriggerAuthNameCallback err=0
Apr 20 09:46:46 hosname-Example sasl-xoauth2[2956025]:  2023-04-20 09:46:46: Client::InitialStep: TriggerPasswordCallback err=0
Apr 20 09:46:46 hosname-Example sasl-xoauth2[2956025]:  2023-04-20 09:46:46: TokenStore::Read: file=/etc/tokens/abc@abc.com
Apr 20 09:46:46 hosname-Example sasl-xoauth2[2956025]:  2023-04-20 09:46:46: TokenStore::Read: refresh=money999, access=newspaper123
Apr 20 09:46:46 hosname-Example sasl-xoauth2[2956025]:  2023-04-20 09:46:46: TokenStore::GetAccessToken: token expired. refreshing.
Apr 20 09:46:46 hosname-Example sasl-xoauth2[2956025]:  2023-04-20 09:46:46: TokenStore::Refresh: attempt 1
Apr 20 09:46:46 hosname-Example sasl-xoauth2[2956025]:  2023-04-20 09:46:46: TokenStore::Refresh: token_endpoint: https://login.microsoftonline.com/juice/oauth2/v2.0/token
Apr 20 09:46:46 hosname-Example sasl-xoauth2[2956025]:  2023-04-20 09:46:46: TokenStore::Refresh: request: client_id=coffe&client_secret=&grant_type=refresh_token&refresh_token=money999
Apr 20 09:46:46 hosname-Example sasl-xoauth2[2956025]:  2023-04-20 09:46:46: TokenStore::Refresh: code=401, response={"error":"invalid_client","error_description":"AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.\r\nTrace ID: xxxxx-00ad-xxxxx-a41a-xxxxxxxx\r\nCorrelation ID: xxxxxx-4c99-424b-xxxx-xxxxxxxx\r\nTimestamp: 2023-04-20 12:46:46Z","error_codes":[7000218],"timestamp":"2023-04-20 12:46:46Z","trace_id":"xxxxx-00ad-xxxxx-a41a-xxxxxxxx","correlation_id":"xxxxxx-4c99-424b-xxxx-xxxxxxxx","error_uri":"https://login.microsoftonline.com/error?code=7000218"}
Apr 20 09:46:46 hosname-Example sasl-xoauth2[2956025]:  2023-04-20 09:46:46: TokenStore::Refresh: request failed
Apr 20 09:46:46 hosname-Example sasl-xoauth2[2956025]:  2023-04-20 09:46:46: Client::DoStep: new state 0 and err -5
Apr 20 09:46:46 hosname-Example sasl-xoauth2[2956025]:  2023-04-20 09:46:46: Client: destroyed

Packages

[root@ postfix]# rpm -qa | grep sasl
cyrus-sasl-plain-2.1.27-5.el8.x86_64
cyrus-sasl-xoauth2-0.2-3.el8.x86_64
cyrus-sasl-lib-2.1.27-5.el8.x86_64

I cut some of the maillog, as the error was the same and repetitive.

Again if you look for "juice" in the x-file you will find the same "juice" where it should be.
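The dump above contains everything needed to locate the failure, and one thing worth fixing once it works: the refresh request in the maillog was sent with `client_secret=` empty (matching the empty `client_secret` in sasl-xoauth2.conf), and `log_full_trace_on_failure` wrote the refresh and access tokens into syslog on every failed attempt. The following Python is an added example, not part of this issue or of sasl-xoauth2: a small audit of the three artefacts posted above (config, token file, log lines). The sample inputs are constructed copies of the reporter's redacted files, and the expected owner `postfix` is an assumption taken from the directory listing.

```python
import json
import re
import stat

# Constructed copies of the config, token file and log lines posted in this issue
# ("coffe", "juice", "money999", "newspaper123" are the reporter's own placeholders).
SAMPLE_CONF = json.dumps({
    "client_id": "coffe",
    "client_secret": "",
    "log_full_trace_on_failure": "yes",
    "log_to_syslog_on_failure": "yes",
    "token_endpoint": "https://login.microsoftonline.com/juice/oauth2/v2.0/token",
})
SAMPLE_TOKEN_FILE = json.dumps({"access_token": "newspaper123",
                                "refresh_token": "money999", "expiry": 0})
SAMPLE_LOG = [
    "Apr 20 09:46:46 host sasl-xoauth2[2956025]:  2023-04-20 09:46:46: TokenStore::Read: "
    "refresh=money999, access=newspaper123",
    "Apr 20 09:46:46 host sasl-xoauth2[2956025]:  2023-04-20 09:46:46: TokenStore::Refresh: "
    "request: client_id=coffe&client_secret=&grant_type=refresh_token&refresh_token=money999",
    "Apr 20 09:46:46 host sasl-xoauth2[2956025]:  2023-04-20 09:46:46: TokenStore::Refresh: "
    "code=401, response={\"error\":\"invalid_client\"}",
]

# Per-tenant v2.0 token endpoint, the form used in this thread.
V2_TOKEN_ENDPOINT = re.compile(r"^https://login\.microsoftonline\.com/[^/]+/oauth2/v2\.0/token$")


def audit_conf(conf_text):
    """Check /etc/sasl-xoauth2.conf for the misconfigurations visible in this thread."""
    findings = []
    conf = json.loads(conf_text)
    if not conf.get("client_secret"):
        findings.append("client_secret is empty: refresh will fail with AADSTS7000218")
    if not V2_TOKEN_ENDPOINT.match(conf.get("token_endpoint", "")):
        findings.append("token_endpoint is not a per-tenant v2.0 Microsoft token endpoint")
    if conf.get("log_full_trace_on_failure") == "yes":
        findings.append("log_full_trace_on_failure=yes: refresh and access tokens are "
                        "written to the log on every failed auth; turn off once fixed")
    return findings


def audit_token_file(text, mode, owner, expected_owner="postfix"):
    """Check token file content and permissions (mode = st_mode bits, owner = user name)."""
    findings = []
    tok = json.loads(text)
    for key in ("access_token", "refresh_token"):
        if not tok.get(key):
            findings.append(f"{key} missing or empty")
    if not isinstance(tok.get("expiry"), int):
        findings.append("expiry must be an integer (0 forces a refresh on first use)")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("token file is accessible to group/other; it holds a refresh token")
    if owner != expected_owner:
        findings.append(f"token file owned by {owner}, but the smtp client runs as {expected_owner}")
    return findings


def audit_log(lines):
    """Scan sasl-xoauth2 log lines for an empty secret in the request and for leaked tokens."""
    findings = []
    for n, line in enumerate(lines, 1):
        if "TokenStore::Refresh: request:" in line and re.search(r"client_secret=(&|$)", line):
            findings.append(f"line {n}: refresh request sent with empty client_secret")
        if re.search(r"\b(refresh|refresh_token|access)=[^&,\s]+", line):
            findings.append(f"line {n}: token material present in log; rotate it after debugging")
    return findings


if __name__ == "__main__":
    # Runs against the constructed samples; for a live host, read the real files and
    # pass os.stat(path).st_mode and pwd.getpwuid(st_uid).pw_name to audit_token_file.
    for finding in audit_conf(SAMPLE_CONF):
        print("conf:", finding)
    for finding in audit_token_file(SAMPLE_TOKEN_FILE, 0o700, "postfix"):
        print("token file:", finding)
    for finding in audit_log(SAMPLE_LOG):
        print("log:", finding)
```

On the reporter's setup the token file checks pass (mode 0700, owner postfix, both tokens present), while the config and log checks both point at the empty secret; the log check also flags that the refresh token has already been written to syslog, so it should be treated as exposed and reissued once the secret is in place.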

@tarickb
Owner

tarickb commented Apr 20, 2023

Can you try adding your client secret to /etc/sasl-xoauth2.conf, in the client_secret field?

@KodakMaciel
Author

> Can you try adding your client secret to /etc/sasl-xoauth2.conf, in the client_secret field?

After tuning, it worked perfectly.

Thanks!

tarickb added a commit that referenced this issue Apr 22, 2023