Integrating RT Email with Google Mail (Gmail)
Retrieving email from a Google Mailbox
getmail version 5.6 and later ships with a script, getmail-gmail-xoauth-tokens, which can be used to set up the OAuth2 configuration required to fetch email. The steps for setting up this configuration are described below, starting with the configuration in Google.
Set up OAuth2 client in Google
To run getmail on an RT server, set it up as a "Desktop App", one of the options noted in the Google documentation. Follow the instructions on that page, keeping the following notes in mind:
- Enable the "Gmail API" as noted in the docs.
- When creating the "OAuth consent screen", select the "Internal" user type and add the scope: "Gmail API .../auth/gmail.modify Read, compose, and send emails from your Gmail account"
- When creating the client ID, set the application type to "Desktop app"
Save the provided "Client ID" and "Client secret" values. These are needed in the next step.
Set up getmail on RT server
The following are based on Stefan Krah's notes, with a few updates.
1. Get the initial OAuth2 token
Create /home/user/.getmail/gmail.json:
{
  "scope": "https://mail.google.com/",
  "user": "your_account@gmail.com",
  "client_id": "xzy.apps.googleusercontent.com",
  "client_secret": "foo",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "redirect_uri": "http://localhost/",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs"
}
Fill "client_id" and "client_secret" with the real values from the previous step.
Note that redirect_uri "urn:ietf:wg:oauth:2.0:oob" no longer works. You need to give it a URL, which Google will redirect to once you approve the access.
chmod 600 /home/user/.getmail/gmail.json
Then run:
getmail-gmail-xoauth-tokens --init /home/user/.getmail/gmail.json
This prints a Google URL and then waits at a prompt for a token. Go to that URL and approve the request as "your_account@gmail.com". Google will then redirect to a URL like:
http://localhost/?code=A-VERY-LONG-STRING&scope=https://mail.google.com/
Copy the URL and extract the code value, then paste it in the getmail-gmail-xoauth-tokens prompt that is waiting. Hit Return and getmail-gmail-xoauth-tokens should quit silently.
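The following is an added example, not part of getmail or RT: a small pre-flight check for step 1 that flags a gmail.json readable by other users or still using the retired oob redirect, and pulls the URL-decoded code out of the redirect URL. The function names are hypothetical, and treating every key listed in EXPECTED_KEYS as required is an assumption based on the sample file above.

```python
import json, os, stat
from urllib.parse import urlsplit, parse_qs

# Keys from the page's sample gmail.json; treating all as required is an assumption.
EXPECTED_KEYS = ("scope", "user", "client_id", "client_secret",
                 "token_uri", "auth_uri", "redirect_uri")
RETIRED_OOB = "urn:ietf:wg:oauth:2.0:oob"

def check_token_file(path):
    """Return a list of problems found in a getmail gmail.json (empty list = OK)."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append("mode %04o exposes the client secret to group/other; chmod 600" % mode)
    try:
        with open(path) as fh:
            cfg = json.load(fh)
    except ValueError as exc:
        return problems + ["not valid JSON: %s" % exc]
    if not isinstance(cfg, dict):
        return problems + ["top-level JSON value is not an object"]
    for key in EXPECTED_KEYS:
        if not cfg.get(key):
            problems.append("missing or empty key: " + key)
    if cfg.get("redirect_uri") == RETIRED_OOB:
        problems.append("redirect_uri is the retired oob value; use a URL such as http://localhost/")
    return problems

def code_from_redirect(url):
    """Return the URL-decoded 'code' parameter of the post-consent redirect URL."""
    query = parse_qs(urlsplit(url).query)
    if "error" in query:
        raise ValueError("authorization was refused: " + query["error"][0])
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one 'code' parameter, found %d" % len(codes))
    return codes[0]

if __name__ == "__main__":
    import tempfile
    # Constructed sample file: placeholder values, retired redirect, loose mode.
    sample = dict.fromkeys(EXPECTED_KEYS, "placeholder")
    sample["redirect_uri"] = RETIRED_OOB
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        json.dump(sample, fh)
    os.chmod(fh.name, 0o644)
    print(check_token_file(fh.name))
    os.unlink(fh.name)
    # Constructed redirect URL; "%2F" in the address bar decodes to "/".
    print(code_from_redirect("http://localhost/?code=4%2FCONSTRUCTED&scope=x"))
```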
2. Configure getmail to retrieve email
The following is similar to a standard getmail configuration.
Create /home/user/.getmail/getmailrc:
[retriever]
type = SimpleIMAPSSLRetriever
server = imap.gmail.com
username = your_account@gmail.com
use_xoauth2 = True
password_command = ("getmail-gmail-xoauth-tokens", "/home/user/.getmail/gmail.json")

[destination]
type = MDA_external
path = /opt/rt5/bin/rt-mailgate
user = root
group = root
arguments = ("--url", "http://localhost", "--queue", "General", "--action", "correspond",)

[options]
read_all = false
Test it:
/usr/bin/getmail --rcfile=/home/user/.getmail/getmailrc
Then edit /etc/cron.d/rt to fetch mail regularly:
*/3 * * * * user /usr/bin/getmail --rcfile=/home/user/.getmail/getmailrc --quiet
Sending email via Google SMTP
For RT, we usually configure postfix to relay to Google via SMTP. For this to work, you need to allow the RT server to send via your Google account. See the Google documentation, along with the following notes:
- In step 6 (Allowed senders section), choose "Only addresses in my domains"
- In step 7 (Authentication section), choose "Only accept mail from the specified IP addresses". Do not choose "Require SMTP Authentication"
- In step 8 (Add allowed IP), add the public IP address of the RT server
Turn on the envelope sender in the RT site config:
Set( $SetOutgoingMailFrom, 1 );