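I am trying to use offlineimap to download Outlook.com messages, but I can't seem to get the security right (I am also using offlineimap successfully for other IMAP accounts). In .offlineimaprc, in the remote repository section, I put: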
[Repository remoteOutlook]
type = IMAP
remotehost = imap-mail.outlook.com
ssl = yes
cert_fingerprint = c914dd966dbd0912c36ec294f83d8d3b5a434729
remoteport = 993
remoteuser = <hidden>
remotepass = <hidden>
The fingerprint was captured using gnutls-cli, as follows:
$ gnutls-cli -p 993 imap-mail.outlook.com
Processed 168 CA certificate(s).
Resolving 'imap-mail.outlook.com'...
Connecting to '157.56.195.250:993'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
- subject `C=US,ST=Washington,L=Redmond,O=Microsoft Corporation,CN=*.hotmail.com', issuer `C=BE,O=GlobalSign nv-sa,CN=GlobalSign Organization Validation CA - SHA256 - G2', RSA key 2048 bits, signed using RSA-SHA256, activated `2015-12-15 22:26:11 UTC', expires `2016-12-15 22:26:11 UTC', SHA-1 fingerprint `c914dd966dbd0912c36ec294f83d8d3b5a434729'
Public Key ID:
e74e1f5a4a2656b5bbf73ae68e293e43a0846941
Public key's random art:
+--[ RSA 2048]----+
| .E |
| . |
| + . |
| + . . . . |
| . . .S.o . |
| . +. . |
| o.= + |
| . *+= =+ |
| .=+==++.|
+-----------------+
- Certificate[1] info:
- subject `C=BE,O=GlobalSign nv-sa,CN=GlobalSign Organization Validation CA - SHA256 - G2', issuer `C=BE,O=GlobalSign nv-sa,OU=Root CA,CN=GlobalSign Root CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2014-02-20 10:00:00 UTC', expires `2024-02-20 10:00:00 UTC', SHA-1 fingerprint `902ef2deeb3c5b13ea4c3d5193629309e231ae55'
- Status: The certificate is trusted.
- Description: (TLS1.0)-(ECDHE-RSA-SECP384R1)-(AES-256-CBC)-(SHA1)
- Session ID: 82:4B:00:00:4D:3C:F0:07:B9:B1:49:21:9F:95:99:A9:8B:E4:A7:44:21:6F:06:F6:15:6D:76:F5:F6:3F:4C:97
- Ephemeral EC Diffie-Hellman parameters
- Using curve: SECP384R1
- Curve size: 384 bits
- Version: TLS1.0
- Key Exchange: ECDHE-RSA
- Cipher: AES-256-CBC
- MAC: SHA1
- Compression: NULL
- Options: extended master secret, safe renegotiation,
- Handshake was completed
- Simple Client Mode:
* OK Outlook.com IMAP4rev1 server version 17.4.0.0 ready (DUB451-IMAP396)
*** Fatal error: The TLS connection was non-properly terminated.
*** Server has terminated the connection abnormally.
This output shows two certificates (0 and 1), with the following SHA1 fingerprints, respectively:
c914dd966dbd0912c36ec294f83d8d3b5a434729
902ef2deeb3c5b13ea4c3d5193629309e231ae55
If I use the first one (as shown in the .offlineimaprc above), offlineimap fails to authenticate properly, and the response is "BAD ['SASL Token argument is missing or invalid.']":
$ offlineimap -o
XOAUTH2 authentication failed: AUTHENTICATE command error: BAD ['SASL Token argument is missing or invalid.']. Data: FBPH2 AUTHENTICATE XOAUTH2
PLAIN authentication failed: [AUTHENTICATIONFAILED] Invalid username or password.
LOGIN authentication failed: [AUTHENTICATIONFAILED] Invalid username or password.
ERROR: All authentication types failed:
XOAUTH2: AUTHENTICATE command error: BAD ['SASL Token argument is missing or invalid.']. Data: FBPH2 AUTHENTICATE XOAUTH2
PLAIN: [AUTHENTICATIONFAILED] Invalid username or password.
LOGIN: [AUTHENTICATIONFAILED] Invalid username or password.
ERROR: Exceptions occurred during the run!
ERROR: All authentication types failed:
XOAUTH2: AUTHENTICATE command error: BAD ['SASL Token argument is missing or invalid.']. Data: FBPH2 AUTHENTICATE XOAUTH2
PLAIN: [AUTHENTICATIONFAILED] Invalid username or password.
LOGIN: [AUTHENTICATIONFAILED] Invalid username or password.
Traceback:
File "/usr/lib64/python2.7/site-packages/offlineimap/accounts.py", line 271, in syncrunner
self.__sync()
File "/usr/lib64/python2.7/site-packages/offlineimap/accounts.py", line 334, in __sync
remoterepos.getfolders()
File "/usr/lib64/python2.7/site-packages/offlineimap/repository/IMAP.py", line 448, in getfolders
imapobj = self.imapserver.acquireconnection()
File "/usr/lib64/python2.7/site-packages/offlineimap/imapserver.py", line 525, in acquireconnection
self.__authn_helper(imapobj)
File "/usr/lib64/python2.7/site-packages/offlineimap/imapserver.py", line 437, in __authn_helper
"failed:\n\t%s"% msg, OfflineImapError.ERROR.REPO)
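Alternatively, if I use the second one, offlineimap reports that the first fingerprint is in fact the one used by the Outlook server, but as shown before, that one fails, insisting that the username/password is bad.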
$ offlineimap -o
ERROR: Server SSL fingerprint 'c914dd966dbd0912c36ec294f83d8d3b5a434729' for hostname 'imap-mail.outlook.com' does not match configured fingerprint(s) ['902ef2deeb3c5b13ea4c3d5193629309e231ae55']. Please verify and set 'cert_fingerprint' accordingly if not set yet.
ERROR: Exceptions occurred during the run!
ERROR: Server SSL fingerprint 'c914dd966dbd0912c36ec294f83d8d3b5a434729' for hostname 'imap-mail.outlook.com' does not match configured fingerprint(s) ['902ef2deeb3c5b13ea4c3d5193629309e231ae55']. Please verify and set 'cert_fingerprint' accordingly if not set yet.
Traceback:
File "/usr/lib64/python2.7/site-packages/offlineimap/accounts.py", line 271, in syncrunner
self.__sync()
File "/usr/lib64/python2.7/site-packages/offlineimap/accounts.py", line 334, in __sync
remoterepos.getfolders()
File "/usr/lib64/python2.7/site-packages/offlineimap/repository/IMAP.py", line 448, in getfolders
imapobj = self.imapserver.acquireconnection()
File "/usr/lib64/python2.7/site-packages/offlineimap/imapserver.py", line 511, in acquireconnection
af=self.af,
File "/usr/lib64/python2.7/site-packages/offlineimap/imaplibutil.py", line 194, in __init__
super(WrappedIMAP4_SSL, self).__init__(*args, **kwargs)
File "/usr/lib64/python2.7/site-packages/offlineimap/bundled_imaplib2.py", line 2135, in __init__
IMAP4.__init__(self, host, port, debug, debug_file, identifier, timeout, debug_buf_lvl)
File "/usr/lib64/python2.7/site-packages/offlineimap/bundled_imaplib2.py", line 357, in __init__
self.open(host, port)
File "/usr/lib64/python2.7/site-packages/offlineimap/imaplibutil.py", line 213, in open
OfflineImapError.ERROR.REPO)
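I have checked the username and password many times (I use the same settings in mutt, which works fine for accessing the Outlook IMAP server). Can anyone tell me what I might be doing wrong?
Answer 0 (score: 0)
OK, I should have paid more attention to the first error message: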
XOAUTH2 authentication failed: AUTHENTICATE command error: BAD ['SASL Token argument is missing or invalid.']. Data: BFKO2 AUTHENTICATE XOAUTH2
Apparently, as discussed in this archlinux forum thread, the default authentication order in offlineimap is
auth_mechanisms = GSSAPI, CRAM-MD5, XOAUTH2, PLAIN, LOGIN
For OAUTH2 to work, as detailed here, additional settings need to be provided in .offlineimaprc:
oauth2_client_secret = ...
oauth2_client_id = ...
oauth2_refresh_token = ...
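So the first certificate fingerprint is indeed correct, and the error is just a notification that XOAUTH2 failed, which can be suppressed simply by specifying the authentication mechanisms explicitly and removing XOAUTH2 from the list: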
auth_mechanisms = GSSAPI, CRAM-MD5, PLAIN, LOGIN
I will give the XOAUTH2 setup a shot and post back.
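
Added example (not part of the original question or answer, and not offlineimap's own code): a sketch of the leaf-certificate pin check behind the "does not match configured fingerprint(s)" error above, showing why the Certificate[0] fingerprint matches and the Certificate[1] (intermediate CA) fingerprint cannot. The function names, the comma-separated pin list and the length-based support for SHA-256/SHA-512 pins are assumptions that go beyond the SHA-1 case on this page; the certificate bytes are constructed stand-ins so the block runs offline.

```python
import hashlib
import ssl

# Hex digest length -> algorithm, so a pin's hash type is inferred from its length.
ALGO_BY_HEXLEN = {40: "sha1", 64: "sha256", 128: "sha512"}


def normalize_pin(pin):
    """Accept 'AA:BB:..' or 'aabb..' and return lowercase hex without separators."""
    return pin.replace(":", "").replace(" ", "").strip().lower()


def fetch_leaf_der(host, port=993):
    """Return the DER bytes of the certificate the server itself presents (Certificate[0])."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def check_pins(leaf_der, configured):
    """Compare the leaf certificate's digest against each configured pin.

    Returns (matched, details), where details maps each normalized pin to the
    outcome. Only the leaf is hashed, so a pin taken from an intermediate or
    root CA certificate can never match this kind of check.
    """
    details = {}
    for raw in configured.split(","):
        pin = normalize_pin(raw)
        algo = ALGO_BY_HEXLEN.get(len(pin))
        if algo is None or any(c not in "0123456789abcdef" for c in pin):
            details[pin] = "malformed"
            continue
        actual = hashlib.new(algo, leaf_der).hexdigest()
        details[pin] = "match" if actual == pin else "mismatch (leaf is %s)" % actual
    return any(v == "match" for v in details.values()), details


# Constructed stand-ins for DER-encoded certificates (not real certificates).
LEAF_DER = b"constructed-leaf-certificate-der"
INTERMEDIATE_DER = b"constructed-intermediate-ca-der"

if __name__ == "__main__":
    leaf_pin = hashlib.sha1(LEAF_DER).hexdigest()
    ca_pin = hashlib.sha1(INTERMEDIATE_DER).hexdigest()
    print(check_pins(LEAF_DER, ca_pin))    # pinning Certificate[1]: mismatch
    print(check_pins(LEAF_DER, leaf_pin))  # pinning Certificate[0]: match
```

Because the pin is a hash of the leaf certificate, it has to be updated whenever the server rotates that certificate; `fetch_leaf_der` retrieves the current one without validating the chain, so compare its digest against a value obtained over a trusted path.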