Integrating RT Email with Google Mail (Gmail)

From Request Tracker Wiki

Retrieving email from a Google Mailbox

The utility getmail version 5.6 and later comes with a script getmail-gmail-xoauth-tokens which can be used to set up the required OAuth2 configuration to fetch email. The steps for setting up this configuration are described below, starting with configuration in Google.

Set up OAuth2 client in Google

To run getmail on an RT server, set up the OAuth2 client as a "Desktop App", one of the options noted in the Google documentation. Follow the instructions on that page, keeping the following notes in mind:

  • Enable the "Gmail API" as noted in the docs.
  • When creating the "OAuth consent screen", select the "Internal" user type and add the scope: "Gmail API .../auth/gmail.modify Read, compose, and send emails from your Gmail account"
  • When creating the client ID, set the application type to "Desktop app"

Save the provided "Client ID" and "Client secret" values. These are needed in the next step.

Set up getmail on RT server

The following are based on Stefan Krah's notes, with a few updates.

1. Get the initial OAuth2 token

Create /home/user/.getmail/gmail.json

   {"scope": "https://mail.google.com/",
    "user": "your_account@gmail.com",
    "client_id": "xzy.apps.googleusercontent.com",
    "client_secret": "foo",
    "token_uri": "https://accounts.google.com/o/oauth2/token",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "redirect_uri": "http://localhost/",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs"}

Fill "client_id" and "client_secret" with the real values from the previous step.

Note that redirect_uri "urn:ietf:wg:oauth:2.0:oob" no longer works. You need to give it a URL, which Google will redirect to once you approve the access.

   chmod 600 /home/user/.getmail/gmail.json

Then run:

   getmail-gmail-xoauth-tokens --init /home/user/.getmail/gmail.json

This prints a Google URL and then waits at a prompt for a token. Go to that URL and approve it as "your_account@gmail.com". It will then redirect to a URL like:

   http://localhost/?code=A-VERY-LONG-STRING&scope=https://mail.google.com/

Copy the URL and extract the code value, then paste it in the getmail-gmail-xoauth-tokens prompt that is waiting. Hit Return and getmail-gmail-xoauth-tokens should quit silently.
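
The copy-and-extract step above, as an added example (not part of getmail or of the original notes): a small Python pre-flight that checks the token file's permissions and keys, then pulls the percent-decoded code out of the pasted redirect URL. The function names and the list of expected keys (taken from the sample file above) are assumptions.

```python
import json
import os
import stat
import sys
from urllib.parse import parse_qs, urlsplit

# Keys taken from the sample gmail.json above (assumed to be what the file needs).
EXPECTED_KEYS = ("scope", "user", "client_id", "client_secret", "token_uri",
                 "auth_uri", "redirect_uri", "auth_provider_x509_cert_url")
OOB_URI = "urn:ietf:wg:oauth:2.0:oob"  # no longer works, per the note above


def check_token_file(path):
    """Return a list of problems with the gmail.json-style file at path."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {mode:04o} exposes the client secret; chmod 600")
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    for key in EXPECTED_KEYS:
        if not cfg.get(key):
            problems.append(f"missing or empty key: {key}")
    if cfg.get("redirect_uri") == OOB_URI:
        problems.append("redirect_uri is the out-of-band URN; use a URL")
    return problems


def extract_code(redirect_url, redirect_uri="http://localhost/"):
    """Return the percent-decoded code from the URL Google redirected to."""
    got, want = urlsplit(redirect_url.strip()), urlsplit(redirect_uri)
    if (got.scheme, got.netloc) != (want.scheme, want.netloc):
        raise ValueError("URL does not match the configured redirect_uri")
    query = parse_qs(got.query)
    if "error" in query:  # e.g. consent was declined
        raise ValueError(f"authorization failed: {query['error'][0]}")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one non-empty code parameter")
    return codes[0]


if __name__ == "__main__":
    # Usage: python3 this_script.py /home/user/.getmail/gmail.json
    for problem in check_token_file(sys.argv[1]):
        print("WARN:", problem, file=sys.stderr)
    print(extract_code(input("Paste the redirect URL: ")))
```

Paste the printed value into the waiting getmail-gmail-xoauth-tokens prompt.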

2. Configure getmail to retrieve email

The following is similar to a standard getmail configuration.

Create /home/user/.getmail/getmailrc:

   [retriever]
   type = SimpleIMAPSSLRetriever
   server = imap.gmail.com
   username = your_account@gmail.com
   use_xoauth2 = True
   password_command = ("getmail-gmail-xoauth-tokens", "/home/user/.getmail/gmail.json")
   
   [destination]
   type = MDA_external
   path = /opt/rt5/bin/rt-mailgate
   user = root
   group = root
   arguments = ("--url", "http://localhost", "--queue", "General", "--action", "correspond",)
   
   [options]
   read_all = false

Test it:

   /usr/bin/getmail --rcfile=/home/user/.getmail/getmailrc

Then edit /etc/cron.d/rt to fetch mail regularly:

   */3 * * * * user /usr/bin/getmail --rcfile=/home/user/.getmail/getmailrc --quiet

Sending email via Google SMTP

For RT, we usually configure postfix to relay to Google via SMTP. For this to work, you need to allow the RT server to send via your Google account. See the Google documentation, along with the following notes:

  • In step 6 (Allowed senders section), choose "Only addresses in my domains"
  • In step 7 (Authentication section), choose "Only accept mail from the specified IP addresses". Do not choose "Require SMTP Authentication"
  • In step 8 (Add allowed IP), add the public IP address of the RT server

Turn on the envelope sender in the RT site config:

   Set( $SetOutgoingMailFrom, 1 );