chore: update OAUTH2 configuration & tests

Signed-off-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2026-05-05 04:06:26 +02:00 · 2026-04-03 13:44:44 +02:00 · 2026-04-03 13:44:44 +02:00 · 252f0dc3f6
commit 252f0dc3f6
parent 58f1f70cad
5 changed files with 27 additions and 27 deletions
--- a/1
+++ b/1
@ -94,7 +94,6 @@ COPY target/rspamd/local.d/ /etc/rspamd/local.d/
 # --- OAUTH2 ------------------------------------
 # -----------------------------------------------

-COPY target/dovecot/dovecot-oauth2.conf.ext /etc/dovecot
 COPY target/dovecot/auth-oauth2.conf.ext /etc/dovecot/conf.d

 # -----------------------------------------------
--- a/target/dovecot/auth-oauth2.conf.ext
+++ b/target/dovecot/auth-oauth2.conf.ext
@ -1,14 +1,26 @@
-# Allow clients to use these additional mechanisms:
-auth_mechanisms = $auth_mechanisms oauthbearer xoauth2
-
-# Dovecot docs consider the oauth2 driver as a "success/failure" type PassDB:
-# https://doc.dovecot.org/configuration_manual/authentication/password_databases_passdb/#success-failure-database
-# Which implies it cannot be configured for the non-plaintext SASL mechanisms listed here:
-# https://doc.dovecot.org/configuration_manual/authentication/authentication_mechanisms/#dovecot-supports-the-following-non-plaintext-mechanisms
+# The OAuth2 driver is a so-called "Success/Failure Database".
+# These databases simply verify if the given password is correct
+# for the user. Dovecot doesn't get the correct password from the
+# database, it only gets a success or a failure reply. This means
+# that these databases can't be used with non-cleartext
+# authentication mechanisms.
+#
+# This implies it cannot be configured for the non-plaintext SASL
+# mechanisms listed here: https://doc.dovecot.org/2.4.3/developers/design/auth_process.html#password-databases
+#
+# TODO check if still valid
 # However that is not the case, these mechanisms are still valid to prevent trying other incompatible mechanisms (like `plain`).
+#
+# REF https://doc.dovecot.org/2.4.3/core/config/auth/passdb.html#success-failure-database
+#     https://doc.dovecot.org/2.4.3/core/config/auth/databases/oauth2.html#open-authentication-v2-0-database-oauth2

-passdb {
-    driver = oauth2
-    mechanisms = xoauth2 oauthbearer
-    args = /etc/dovecot/dovecot-oauth2.conf.ext
+auth_mechanisms {
+  oauthbearer = yes
+  xoauth2 = yes
+}
+
+oauth2 {
+    introspection_url =
+    introspection_mode = auth
+    username_attribute = email
 }
--- a/target/dovecot/dovecot-oauth2.conf.ext
+++ b/target/dovecot/dovecot-oauth2.conf.ext
@ -1,4 +0,0 @@
-introspection_url =
-# Dovecot defaults:
-introspection_mode = auth
-username_attribute = email
--- a/target/scripts/startup/setup.d/oauth2.sh
+++ b/target/scripts/startup/setup.d/oauth2.sh
@ -5,7 +5,9 @@ function _setup_oauth2() {

  # Enable OAuth2 PassDB (Authentication):
  sedfile -i -e '/\!include auth-oauth2\.conf\.ext/s/^#//' /etc/dovecot/conf.d/10-auth.conf
-  _replace_by_env_in_file 'OAUTH2_' '/etc/dovecot/dovecot-oauth2.conf.ext'
+  sedfile -i -E \
+    "s|( *introspection_url =)|\1 ${OAUTH2_INTROSPECTION_URL}|" \
+    /etc/dovecot/conf.d/auth-oauth2.conf.ext

  return 0
 }
--- a/test/tests/serial/mail_with_oauth2.bats
+++ b/test/tests/serial/mail_with_oauth2.bats
@ -59,15 +59,6 @@ function teardown_file() {
 }

@test "should authenticate with XOAUTH2" {
-  # curl 7.80.0 (Nov 2021) broke XOAUTH2 support (DMS v14 release with Debian 12 packages curl 7.88.1)
-  # https://github.com/docker-mailserver/docker-mailserver/pull/3403#issuecomment-1907100624
-  #
-  # Fixed in curl 8.6.0 (Jan 31 2024):
-  # - https://github.com/curl/curl/issues/10259
-  # - https://github.com/curl/curl/commit/7b2d98dfadf209108aa7772ee21ae42e3dab219f (referenced in release changelog by commit title)
-  # - https://github.com/curl/curl/releases/tag/curl-8_6_0
-  skip 'unable to test XOAUTH2 mechanism due to bug in curl versions 7.80.0 --> 8.5.0'
-
  __should_login_successfully_with 'XOAUTH2'
 }

@ -117,7 +108,7 @@ function __dovecot_logs_should_verify_success() {
  # Inspect the relevant Dovecot logs to catch failure / success:
  _service_log_should_contain_string 'mail' 'dovecot:'
  refute_output --partial 'oauth2 failed: Introspection failed'
-  assert_output --partial "dovecot: imap-login: Login: user=<${USER_ACCOUNT}>, method=${AUTH_METHOD}"
+  assert_output --partial "dovecot: imap-login: Logged in: user=<${USER_ACCOUNT}>, method=${AUTH_METHOD}"

  # If another PassDB is enabled, it should not have been attempted with the XOAUTH2 / OAUTHBEARER mechanisms:
  # dovecot: auth: passwd-file(${USER_ACCOUNT},127.0.0.1): Password mismatch (SHA1 of given password: d390c1) - trying the next passdb