kdepim-runtime: use XOAUTH2 SASL plugin from libkgapi #177410
Some mail servers like Gmail [use the SASL XOAUTH2 mechanism][1] to authenticate clients with an OAuth token instead of a password. Unfortunately, Cyrus SASL does not have an authentication plugin for this mechanism out of the box, so clients that use this library and want to authenticate at such mail servers should bring their own plugin for XOAUTH2. KMail (or KDE PIM in general) has such a plugin as [part of LibKGAPI][2], and on FHS systems LibKGAPI puts its plugin right next to the other Cyrus SASL plugins, so it can be picked up by the library automatically.

In NixOS, this plugin ends up in another directory, which has no references to it, so `akonadi_imap_resource` fails with the following error message when it tries to authenticate at such mail servers:

```
org.kde.pim.kimap: sasl_client_start failed with: -4 "SASL(-4): no mechanism available: No worthy mechs found"
```

As a result, no mail is fetched (the progress bar in KMail is stuck at 0%), and the user, after reading the logs, is left wondering why no worthy mechs were found.

This commit sets the `SASL_PATH` environment variable, so Cyrus SASL can find both its own plugins and the one provided by LibKGAPI. With this change, KMail can successfully fetch mail from Gmail.

[1]: https://developers.google.com/gmail/imap/xoauth2-protocol#the_sasl_xoauth2_mechanism
[2]: https://github.com/KDE/libkgapi/tree/master/src/saslplugin
I guess this could be backported to release-22.05 without any problems, works for me on nixos-22.05 channel.
Works for me locally.
@ttuegel, hello, can you review this PR please?
4cc9710 to b145771
Double checked with new commit: fix still works, both from
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
b145771 to 2ce44be
@@ -23,4 +23,7 @@ mkDerivation { | |||
pimcommon libkgapi libsecret | |||
qca-qt5 qtkeychain qtnetworkauth qtspeech qtxmlpatterns | |||
]; | |||
qtWrapperArgs = [ | |||
"--prefix SASL_PATH : ${lib.makeSearchPath "lib/sasl2" [ cyrus_sasl libkgapi ]}" |
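Review bot: in the `lib.makeSearchPath "lib/sasl2" [ cyrus_sasl libkgapi ]` list on the `--prefix SASL_PATH` line, `cyrus_sasl` is taken at its default output, and the reply below reports that this is the bin output with no `lib/sasl2`, so the first search-path entry points at a directory that does not exist and the stock mechanisms are not found. Select the output explicitly with `cyrus_sasl.out`. Because `--prefix` keeps any `SASL_PATH` inherited from the environment after these two entries, and Cyrus SASL loads plugins from every listed directory, a one-line comment above `qtWrapperArgs` saying why the variable is set (the XOAUTH2 plugin from libkgapi) would help later readers.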
you probably want `cyrus_sasl.out` here, `cyrus_sasl` uses the bin output (there's no lib/sasl2 there), which makes all plugins unavailable.
Yeah, you are right. Will fix it now.
In NixOS#177410 `SASL_PATH` was set for kdepim-runtime binaries to allow usage of the plugin for XOAUTH2, which is required for some mail servers like Gmail. Unfortunately, in that PR the wrong output of cyrus_sasl was chosen; fixing it in this PR.
Applies the changes from NixOS#177410 and NixOS#190502 to Plasma 6.
Description of changes
This fix is based on the discussion in #108480 about means for merging SASL plugin folders from different packages. I think setting `SASL_PATH` is the most straightforward way of doing this in Nix, but maybe it should be automated somehow, like it is done with `XDG_DATA_DIRS` in `wrapQtAppsHook`. However, I do not know an easy way to do so in a non-breaking manner, so let's leave it to package maintainers for now.

Things done
NB: `nixpkgs-review` tries to build packages that are marked as broken. All non-broken packages build successfully with these changes.