Gmail的OfflineIMAP XOAUTH2认证

Gmail现在似乎不再允许IMAP的AUTHENTICATE PLAIN了。2016年1月的OfflineIMAP 6.7.0-rc1对XOAUTH2支持较好,仍可访问Gmail IMAP。

Gmail网页版启用IMAP

https://mail.google.com中Settings->Forwarding and POP/IMAP,开启IMAP Access,When a message is marked as deleted and expunged from the last visible IMAP folder:最好选择默认的Archive the message,被删除的邮件在网页版中会丢失所有标签,但仍能在“[Gmail]/All Mail”中找到。

Gmail的label大致被映射成IMAP的folder,以下是一些默认label的IMAP folder名称:

1
2
3
4
5
6
7
8
INBOX
[Gmail]/Trash
[Gmail]/Important
[Gmail]/Sent Mail
[Gmail]/Starred
[Gmail]/Spam
[Gmail]/All Mail
[Gmail]/Personal

OfflineIMAP XOAUTH2配置

编辑~/.offlineimaprc

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
[general]
ui = ttyui
accounts = Ray
fsync = False
[Account Ray]
localrepository = Ray-Local
remoterepository = Ray-Remote
status_backend = sqlite
#要用代理的话得pip install pysocks
#proxy = HTTP:127.0.0.1:1111
#proxy = SOCKS5:127.0.0.1:1112
[Repository Ray-Local]
type = Maildir
localfolders = ~/Maildir
[Repository Ray-Remote]
type = Gmail
ssl = yes
sslcacertfile = /etc/ssl/certs/ca-certificates.crt
remoteuser = youremail@example.com
auth_mechanisms = XOAUTH2
oauth2_client_id = 7738xxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com
oauth2_client_secret = xxxxxx-xxxxxxxxxxxxxxxxx
oauth2_refresh_token = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
#oauth2_access_token = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
nametrans = lambda folder: {'[Gmail]/Drafts': 'Drafts',
'[Gmail]/Sent Mail': 'Sent',
'[Gmail]/Starred': 'Starred',
'[Gmail]/Trash': 'Trash',
'[Gmail]/All Mail': 'Archive',
}.get(folder, folder)
folderfilter = lambda folder: folder in ['INBOX', 'Label1', 'Label2', 'Work']

默认配置文件https://github.com/OfflineIMAP/offlineimap/blob/master/offlineimap.conf有详细的描述。

1
2
3
4
5
6
cd /tmp
git clone https://github.com/google/gmail-oauth2-tools
cd gmail-oauth2-tools
# 获取refresh token,填入~/.offlineimaprc的oauth2_refresh_token
# 这一步需要借由各种代理途径,比如proxychains等
python2 python/oauth2.py --generate_oauth2_token --client_id=xxx --client_secret=xxx

systemd user

OfflineIMAP的quick sync很不靠谱,SIGINT后也不能有效退出,往往要停滞很长时间,因此我用systemd user每个一段时间运行一次offlineimap,并设置较短的TimeoutStopSec(man 5 systemd.service)。编辑~/.config/systemd/user/offlineimap@.service

1
2
3
4
5
6
7
8
9
10
11
12
[Unit]
Description=OfflineIMAP IMAP/Maildir Synchronization
Documentation=man:offlineimap
[Service]
ExecStart=/usr/bin/offlineimap -o -u quiet -a %i
Restart=always
RestartSec=600
TimeoutStopSec=10
[Install]
WantedBy=default.target

1
2
3
# Ray为~/.offlineimaprc中配置的账户名
systemctl --user enable offlineimap@Ray
systemctl --user start offlineimap@Ray

SMTP client

没找到支持XOAUTH2、可用作Mail Submission Agent的SMTP client,暂时仍用msmtp的SMTP AUTH PLAIN,用pass记录Gmail密码,用gpg的passphrase保护。编辑~/.msmtprc

1
2
3
4
5
6
7
8
9
10
11
12
13
defaults
auth on
#proxy_host 127.0.0.1
#proxy_port 1111
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
account Gmail
host smtp.gmail.com
port 587
from youremail@example.com
user youremail@example.com
passwordeval pass show Gmail

易犯错误

如果没有用全局代理,使用offlineimaprc中的proxy选项,得确保安装Python 2的PySocks包,不然代理设置会被忽略。

imapserver.py__xoauth2handlerurllib.urlopen获取access token,2016年1月的实现没有用上proxy选项设置。offlineimap-6.7.0已经集成了该补丁。