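Getting the correct certificate information for offlineimap from the Outlook IMAP server
Question:
I am trying to use offlineimap to download Outlook.com mail, but I can't seem to get the security right (I have also used offlineimap successfully for other IMAP accounts). In .offlineimaprc, in the remote repository section, I have put: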
[Repository remoteOutlook]
type = IMAP
remotehost = imap-mail.outlook.com
ssl = yes
cert_fingerprint = c914dd966dbd0912c36ec294f83d8d3b5a434729
remoteport = 993
remoteuser = <hidden>
remotepass = <hidden>
The fingerprint was captured using gnutls-cli, as follows:
$ gnutls-cli -p 993 imap-mail.outlook.com
Processed 168 CA certificate(s).
Resolving 'imap-mail.outlook.com'...
Connecting to '157.56.195.250:993'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
- subject `C=US,ST=Washington,L=Redmond,O=Microsoft Corporation,CN=*.hotmail.com', issuer `C=BE,O=GlobalSign nv-sa,CN=GlobalSign Organization Validation CA - SHA256 - G2', RSA key 2048 bits, signed using RSA-SHA256, activated `2015-12-15 22:26:11 UTC', expires `2016-12-15 22:26:11 UTC', SHA-1 fingerprint `c914dd966dbd0912c36ec294f83d8d3b5a434729'
Public Key ID:
e74e1f5a4a2656b5bbf73ae68e293e43a0846941
Public key's random art:
+--[ RSA 2048]----+
| .E |
| . |
| + . |
| + . . . . |
| . . .S.o . |
| . +. . |
| o.= + |
| . *+= =+ |
| .=+==++.|
+-----------------+
- Certificate[1] info:
- subject `C=BE,O=GlobalSign nv-sa,CN=GlobalSign Organization Validation CA - SHA256 - G2', issuer `C=BE,O=GlobalSign nv-sa,OU=Root CA,CN=GlobalSign Root CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2014-02-20 10:00:00 UTC', expires `2024-02-20 10:00:00 UTC', SHA-1 fingerprint `902ef2deeb3c5b13ea4c3d5193629309e231ae55'
- Status: The certificate is trusted.
- Description: (TLS1.0)-(ECDHE-RSA-SECP384R1)-(AES-256-CBC)-(SHA1)
- Session ID: 82:4B:00:00:4D:3C:F0:07:B9:B1:49:21:9F:95:99:A9:8B:E4:A7:44:21:6F:06:F6:15:6D:76:F5:F6:3F:4C:97
- Ephemeral EC Diffie-Hellman parameters
- Using curve: SECP384R1
- Curve size: 384 bits
- Version: TLS1.0
- Key Exchange: ECDHE-RSA
- Cipher: AES-256-CBC
- MAC: SHA1
- Compression: NULL
- Options: extended master secret, safe renegotiation,
- Handshake was completed
- Simple Client Mode:
* OK Outlook.com IMAP4rev1 server version 17.4.0.0 ready (DUB451-IMAP396)
*** Fatal error: The TLS connection was non-properly terminated.
*** Server has terminated the connection abnormally.
This output shows two certificates (0 and 1), with the corresponding SHA-1 fingerprints,
c914dd966dbd0912c36ec294f83d8d3b5a434729
902ef2deeb3c5b13ea4c3d5193629309e231ae55
If I use the first one (as shown in the .offlineimaprc above), offlineimap fails to authenticate properly, and the response is "BAD ['SASL Token argument is missing or invalid.']":
$ offlineimap -o
XOAUTH2 authentication failed: AUTHENTICATE command error: BAD ['SASL Token argument is missing or invalid.']. Data: FBPH2 AUTHENTICATE XOAUTH2
PLAIN authentication failed: [AUTHENTICATIONFAILED] Invalid username or password.
LOGIN authentication failed: [AUTHENTICATIONFAILED] Invalid username or password.
ERROR: All authentication types failed:
XOAUTH2: AUTHENTICATE command error: BAD ['SASL Token argument is missing or invalid.']. Data: FBPH2 AUTHENTICATE XOAUTH2
PLAIN: [AUTHENTICATIONFAILED] Invalid username or password.
LOGIN: [AUTHENTICATIONFAILED] Invalid username or password.
ERROR: Exceptions occurred during the run!
ERROR: All authentication types failed:
XOAUTH2: AUTHENTICATE command error: BAD ['SASL Token argument is missing or invalid.']. Data: FBPH2 AUTHENTICATE XOAUTH2
PLAIN: [AUTHENTICATIONFAILED] Invalid username or password.
LOGIN: [AUTHENTICATIONFAILED] Invalid username or password.
Traceback:
File "/usr/lib64/python2.7/site-packages/offlineimap/accounts.py", line 271, in syncrunner
self.__sync()
File "/usr/lib64/python2.7/site-packages/offlineimap/accounts.py", line 334, in __sync
remoterepos.getfolders()
File "/usr/lib64/python2.7/site-packages/offlineimap/repository/IMAP.py", line 448, in getfolders
imapobj = self.imapserver.acquireconnection()
File "/usr/lib64/python2.7/site-packages/offlineimap/imapserver.py", line 525, in acquireconnection
self.__authn_helper(imapobj)
File "/usr/lib64/python2.7/site-packages/offlineimap/imapserver.py", line 437, in __authn_helper
"failed:\n\t%s"% msg, OfflineImapError.ERROR.REPO)
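Alternatively, if I use the second one, offlineimap reports that the first fingerprint is in fact the one the Outlook server uses, but, as the failure with the first one shows, it insists that the username/password is bad.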
$ offlineimap -o
ERROR: Server SSL fingerprint 'c914dd966dbd0912c36ec294f83d8d3b5a434729' for hostname 'imap-mail.outlook.com' does not match configured fingerprint(s) ['902ef2deeb3c5b13ea4c3d5193629309e231ae55']. Please verify and set 'cert_fingerprint' accordingly if not set yet.
ERROR: Exceptions occurred during the run!
ERROR: Server SSL fingerprint 'c914dd966dbd0912c36ec294f83d8d3b5a434729' for hostname 'imap-mail.outlook.com' does not match configured fingerprint(s) ['902ef2deeb3c5b13ea4c3d5193629309e231ae55']. Please verify and set 'cert_fingerprint' accordingly if not set yet.
Traceback:
File "/usr/lib64/python2.7/site-packages/offlineimap/accounts.py", line 271, in syncrunner
self.__sync()
File "/usr/lib64/python2.7/site-packages/offlineimap/accounts.py", line 334, in __sync
remoterepos.getfolders()
File "/usr/lib64/python2.7/site-packages/offlineimap/repository/IMAP.py", line 448, in getfolders
imapobj = self.imapserver.acquireconnection()
File "/usr/lib64/python2.7/site-packages/offlineimap/imapserver.py", line 511, in acquireconnection
af=self.af,
File "/usr/lib64/python2.7/site-packages/offlineimap/imaplibutil.py", line 194, in __init__
super(WrappedIMAP4_SSL, self).__init__(*args, **kwargs)
File "/usr/lib64/python2.7/site-packages/offlineimap/bundled_imaplib2.py", line 2135, in __init__
IMAP4.__init__(self, host, port, debug, debug_file, identifier, timeout, debug_buf_lvl)
File "/usr/lib64/python2.7/site-packages/offlineimap/bundled_imaplib2.py", line 357, in __init__
self.open(host, port)
File "/usr/lib64/python2.7/site-packages/offlineimap/imaplibutil.py", line 213, in open
OfflineImapError.ERROR.REPO)
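I have checked the username and password several times (I use the same settings in Mutt, and that works fine as far as accessing the Outlook IMAP server is concerned). Can anyone tell me what I might be doing wrong?
Answer:
OK, I should have paid more attention to the first error message: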
XOAUTH2 authentication failed: AUTHENTICATE command error: BAD ['SASL Token argument is missing or invalid.']. Data: BFKO2 AUTHENTICATE XOAUTH2
Apparently, as discussed in this archlinux forum thread, the default authentication order in offlineimap is
auth_mechanisms = GSSAPI, CRAM-MD5, XOAUTH2, PLAIN, LOGIN
For OAuth2, as detailed here, additional settings need to be present in .offlineimaprc:
oauth2_client_secret = ...
oauth2_client_id = ...
oauth2_refresh_token = ...
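So the first certificate fingerprint is indeed the correct one, and the error is just a notice that XOAUTH2 failed, which can be suppressed simply by specifying the authentication mechanisms explicitly and removing XOAUTH2 from the list: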
auth_mechanisms = GSSAPI, CRAM-MD5, PLAIN, LOGIN
I will give setting up XOAUTH2 a shot and report back.
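Added example, not part of the original answer and not offlineimap's own code: it parses gnutls-cli output in the format shown in the question and classifies each cert_fingerprint value as the server (leaf) certificate or an issuer certificate, which is why only the first fingerprint is accepted. The function names and the comma-separated pin list are assumptions of this example.

```python
import hashlib
import re
import ssl

# Abridged from the gnutls-cli output in the question (subjects shortened).
GNUTLS_OUTPUT = """\
- Certificate[0] info:
 - subject `CN=*.hotmail.com', SHA-1 fingerprint `c914dd966dbd0912c36ec294f83d8d3b5a434729'
- Certificate[1] info:
 - subject `CN=GlobalSign Organization Validation CA - SHA256 - G2', SHA-1 fingerprint `902ef2deeb3c5b13ea4c3d5193629309e231ae55'
"""

def normalize(fp):
    """Lower-case a fingerprint and drop ':' separators and whitespace."""
    return re.sub(r"[\s:]", "", fp).lower()

def chain_fingerprints(output):
    """Map chain position -> SHA-1 fingerprint; position 0 is the server (leaf) certificate."""
    chain, index = {}, None
    for line in output.splitlines():
        m = re.search(r"Certificate\[(\d+)\] info", line)
        if m:
            index = int(m.group(1))
        m = re.search(r"SHA-1 fingerprint `([0-9a-fA-F:]+)'", line)
        if m and index is not None:
            chain[index] = normalize(m.group(1))
    return chain

def check_pins(cert_fingerprint, output):
    """Classify each pin (assumed comma-separated) against the reported chain."""
    chain = chain_fingerprints(output)
    by_fp = {fp: i for i, fp in chain.items()}
    result = {}
    for pin in filter(None, map(normalize, cert_fingerprint.split(","))):
        if by_fp.get(pin) == 0:
            result[pin] = "leaf: matches what the server presents"
        elif pin in by_fp:
            result[pin] = "Certificate[%d]: issuer cert, reported as a mismatch" % by_fp[pin]
        else:
            result[pin] = "not in chain"
    return result

def live_leaf_fingerprint(host, port=993):
    """SHA-1 over the DER of the certificate the server presents (needs network)."""
    pem = ssl.get_server_certificate((host, port))
    return hashlib.sha1(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()
```

A pin on the leaf certificate has to be refreshed whenever the server's certificate is replaced; the one in the question expires on 2016-12-15.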