
Issue with setting up redirect_uri and redirect_listen_address #50

Open
marleyjaffe opened this issue Jun 17, 2024 · 8 comments
Comments

@marleyjaffe

marleyjaffe commented Jun 17, 2024

I am attempting to set up and configure this docker container and have been having issues identifying the correct redirect values for my setup. Truncated docker and emailproxy.config are below. My docker host server IP is 10.10.10.3 and my docker container IP is 172.24.0.10. After triggering an email auth request and pasting in the authentication URL and successfully authenticating in O365, I get the following errors: "Firefox can’t establish a connection to the server at localhost:8087." or "An error occurred during a connection to 10.10.10.3:8087." I've tried various redirect URL combos with my IP addresses mentioned above (and updated the O365 app Redirect URI to match) but nothing seems to be working.

Thank you for the insight and assistance!

docker-compose

networks:
  default:
    driver: bridge

services:
  emailproxy:
    image: ghcr.io/blacktirion/email-oauth2-proxy-docker
    container_name: emailproxy
    volumes:
      - ${DOCKERDIR}/email-proxy:/config
    ports:
      - ${EMAIL_PROXY_SMTP}:1587
      - ${EMAIL_PROXY_WEB}:80
    environment:
      - LOGFILE=true
      - DEBUG=true
      - CACHE_STORE=/config/credstore.config
      - LOCAL_SERVER_AUTH=true #Optional

.env

EMAIL_PROXY_SMTP=1587
EMAIL_PROXY_WEB=8087

emailproxy.config

[Email OAuth 2.0 Proxy configuration file]

[Server setup]

[SMTP-1587]
server_address = smtp.office365.com
server_port = 587
starttls = True


[Account setup]

[outbox@DOMAIN.com]
permission_url = https://login.microsoftonline.com/TENANTID/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/TENANTID/oauth2/v2.0/token
oauth2_scope = https://outlook.office365.com/SMTP.Send offline_access
redirect_uri = http://localhost:8087
redirect_listen_address = https://172.24.0.10:8087
client_id = REDACT
client_secret = REDACT

[Advanced proxy configuration]

[emailproxy]
delete_account_token_on_password_error = False
encrypt_client_secret_on_first_use = False
allow_catch_all_accounts = False

In addition to the above redirect URI/listen address, I've tried the following combos and more:

redirect_uri = https://10.10.10.3:8087
redirect_listen_address = http://localhost:80

redirect_uri = https://10.10.10.3:8087
redirect_listen_address = http://localhost:8087

redirect_uri = https://172.24.0.10:8087
redirect_listen_address = http://localhost
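As an added example (not code from email-oauth2-proxy, from its Docker image, or from anyone in this thread), here is a minimal stand-in for the proxy's local-server auth mode that makes the two addresses in the report concrete. The process binds on redirect_listen_address; the browser, after signing in at O365, is sent to redirect_uri with ?code=...&state=... appended. With the compose mapping 8087:80 those are different endpoints: the browser reaches host port 8087, while the process must bind container port 80. The state check, the port numbers and the code values are this example's own constructions, and the listener is assumed to speak plain HTTP (the working setups later in the thread put Apache in front of it for TLS).

```python
"""Added example, not code from email-oauth2-proxy or from this thread:
a minimal stand-in for the proxy's local-server auth mode.

  redirect_uri             what the browser opens (host side, or a reverse
                           proxy); must match the app registration exactly
  redirect_listen_address  where the proxy process binds (container side)

With a Docker mapping such as "8087:80" the two differ: the browser opens
http://localhost:8087 on the host, the process binds 0.0.0.0:80 inside.
All codes, state values and ports below are constructed for the demo.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple
from urllib.error import HTTPError, URLError
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import urlopen


def parse_listen_address(redirect_listen_address: str) -> Tuple[str, int]:
    """'http://0.0.0.0:80' -> ('0.0.0.0', 80). The listener is plain HTTP
    (TLS, if any, belongs on a reverse proxy in front) and a port is
    mandatory; an https:// listen address is rejected here as a mistake."""
    parts = urlsplit(redirect_listen_address)
    if parts.scheme != "http":
        raise ValueError("redirect_listen_address must use http://")
    if parts.port is None:
        raise ValueError("redirect_listen_address must specify a port")
    return parts.hostname, parts.port


class _CallbackHandler(BaseHTTPRequestHandler):
    """Handles GET /?code=...&state=... exactly once."""

    def do_GET(self):
        qs = parse_qs(urlsplit(self.path).query)
        code = qs.get("code", [None])[0]
        state = qs.get("state", [None])[0]
        if code is None or state != self.server.expected_state:
            # Not the callback we asked for: refuse it rather than let a
            # stray or attacker-crafted request inject an authorization code.
            self.send_response(400)
            self.end_headers()
            self.wfile.write(b"missing code or state mismatch")
            return
        self.server.received_code = code
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"Authentication complete; you can close this tab.")

    def log_message(self, *args):
        pass  # keep the demo quiet


class CallbackServer(HTTPServer):
    def __init__(self, redirect_listen_address: str, expected_state: str):
        super().__init__(parse_listen_address(redirect_listen_address), _CallbackHandler)
        self.expected_state = expected_state
        self.received_code: Optional[str] = None


def free_port() -> int:
    """Pick an unused localhost port so the demo never collides."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def simulate_callback(redirect_listen_address: str, redirect_uri: str,
                      code: str, state: str, expected_state: str
                      ) -> Tuple[Optional[int], Optional[str]]:
    """Bind on redirect_listen_address, then play the browser: open
    redirect_uri with the query Entra ID would append. Returns
    (HTTP status seen by the browser, code captured by the listener);
    status None means the browser could not connect at all, which is the
    "can't establish a connection" symptom from the original report."""
    server = CallbackServer(redirect_listen_address, expected_state)
    server.timeout = 3  # give up waiting if the browser never arrives
    worker = threading.Thread(target=server.handle_request)
    worker.start()
    url = redirect_uri.rstrip("/") + "/?" + urlencode({"code": code, "state": state})
    try:
        with urlopen(url, timeout=3) as resp:
            status = resp.status
    except HTTPError as err:
        status = err.code
    except URLError:
        status = None
    worker.join()
    server.server_close()
    return status, server.received_code


if __name__ == "__main__":
    port = free_port()
    listen = f"http://127.0.0.1:{port}"
    # 1. listener and redirect_uri line up: the code arrives
    print(simulate_callback(listen, f"http://127.0.0.1:{port}", "AUTHCODE-1", "s1", "s1"))
    # 2. the browser is sent to a port nobody listens on (wrong mapping)
    print(simulate_callback(listen, f"http://127.0.0.1:{free_port()}", "AUTHCODE-2", "s1", "s1"))
    # 3. right address, wrong state: rejected
    print(simulate_callback(listen, f"http://127.0.0.1:{port}", "AUTHCODE-3", "bad", "s1"))
```

The second call returns status None: that is exactly the browser error in the report, a redirect_uri pointing at a host port that no container port is published on. The third shows why a callback listener should refuse a code whose state is not the one it issued.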
@enieuwy

enieuwy commented Sep 27, 2024

I have the same problem. Did you solve it?
I'm considering assigning the container an IP via macvlan to avoid port conflicts.
I'm also wondering if a reverse proxy should be used for the redirect?

@incith

incith commented Sep 28, 2024

I just felt like commenting as I spent the better part of a few hours trying to figure this out. My oauth2 proxy needed authorization again for the first time in...years... and I was really struggling with figuring out how to get it done without spinning up a copy on my windows machine and then just copying that config back to the linux machine.

I figured now would also be a good time to switch to a docker version.

So, here's the secret sauce. The clue came when my brain finally realized how the documentation is written:

parameter redirect_listen_address - for example, redirect_listen_address = http://10.0.0.0:8080.

Why, that's not a valid IP address! That looks more like an allow mask of sorts!

So I figured I'd try http://0.0.0.0:80

2024-09-28 16:20:50: Local server auth mode (0.0.0.0:80): starting server to listen for authentication response

Success!

I also setup a reverse apache proxy for my needs. So on my application ID on my tenant, I specify an https://smtp.lan.domain.com as one of the permitted URLs. That host is not routable online, only internally. On my docker compose, I mapped e.g. port 5580 to port 80 internally. Then my reverse proxy does https tunnelling to http://smtp.lan.domain.com:5580

So when you make an authentication request, you hit the apache proxy on :80, which forwards the traffic to :5580, which maps to the internal docker container running on :80. Whew!

Works great for me now.

@ClearlyDazed

@incith Thanks for commenting on the docker install.
I also have emailproxy in docker and was able to have Azure start the authorization, but it stopped when it could not connect to localhost to send the code.
I was wondering if you could flesh out what you had done.
What was the redirect uri specified in Azure?
What were the redirect uri and redirect listen address specified in emailproxy config?
Did you have to alter apache to complete the registration?
If so, what config file and what was added to it for apache?

Thanks

@incith

incith commented Oct 26, 2024

@ClearlyDazed
Hey, sorry for the late reply.

My redirect URI is https://smtp.internal.domain.com essentially. There are some layers to that alone -- I use a DNS server (pfSense) at home to resolve that to an internal IP address, of the docker container running oauth2-proxy. pfSense also runs acme certs which renews my domain certificate, of which I have a wildcard for *.internal.yourdomain.com. This address does not resolve externally, it is not in public DNS.

I only specify redirect_uri in my [email@domain.com] config, which is https://smtp.internal.domain.com -- I believe I had also used something initially for redirect_listen_address as mentioned above, but it appears commenting it out accomplished the same thing (I actually don't remember testing that... but that's what my current config shows)

I do also run apache on the host machine that runs the docker container, and so I have a virtualhost config for smtp.internal.yourdomain.com. Pretty basic config to redirect to the http port I've assigned to the docker container.

Docker Compose/Portainer:

    ports:
      - 0.0.0.0:1580:80/tcp

Apache:

<VirtualHost *:443>
        ServerName smtp.internal.domain.com
        # Nothing is served from here (every request is proxied), so the path
        # doesn't matter much. httpd only accepts comments on their own line,
        # so the note cannot follow the directive.
        DocumentRoot "/some/path/www/smtp"

        # These three are only consulted when the backend itself is https://;
        # with the plain-http container target below they are inert. If the
        # backend ever becomes https, leave peer checking on.
        SSLProxyEngine On
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        # Forward the original Host header so the container sees the public name.
        ProxyPreserveHost On
        # 1580 is the host port published for the container's port 80.
        ProxyPass "/" "http://smtp.internal.domain.com:1580/"
        ProxyPassReverse "/" "http://smtp.internal.domain.com:1580/"

        SSLEngine on
        SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
        SSLCipherSuite HIGH:!aNULL:!MD5
        SSLHonorCipherOrder On
        SSLCompression Off
        SSLSessionTickets Off

        # Wildcard *.internal.domain.com certificate renewed by acme on pfSense.
        SSLCertificateFile /certs/domain.com.fullchain
        SSLCertificateKeyFile /certs/domain.com.key
</VirtualHost>

Good luck!

@aaronspruit

aaronspruit commented Nov 9, 2024

@incith, thank you so much!

Just looking to clear up the actual emailproxy.config part, as you didn't put in your actual config.

I have a similar-ish setup:

  • I'm running this in K3s instead of portainer - shouldn't matter
  • I have an internal-only accessible domain that I'm using for the redirect url - same as you
  • I'm attempting to get this working with an Outlook.com account; I've created a new App Registration in an EntraID tenant I run, per simonrob/email-oauth2-proxy#301 (Hotmail/free Outlook accounts), so I can specify a different redirect_url. That means I have to update the client_id away from the Thunderbird one and specify my own.
  • Also, I'm only using this as an internal SMTP relay, and so I don't need all the other perms.

with that said, my config:

[email@outlook.com - or in my case email@customdomain.com]
permission_url = https://login.microsoftonline.com/common/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/common/oauth2/v2.0/token
oauth2_scope = https://outlook.office.com/SMTP.Send offline_access
redirect_uri = https://<myInternalDomainName>
client_id = <myCustomClientID>
redirect_listen_address = http://0.0.0.0:80

@deLuXe83

deLuXe83 commented Mar 2, 2025

Hi, I am facing a similar issue.

@aaronspruit
I am stuck at the following error message:

2025-03-02 07:57:04,464: Local server auth mode (0.0.0.0:80): unable to start local server. Please check that redirect_listen_address for xxx is unique across accounts, specifies a port number, and is not already in use. See the documentation in the proxy's sample configuration file. OSError(98, 'Address in use')
Any ideas on this?
Because, for sure, the port is in use... but not inside the Docker container, outside it.

But my thoughts were that the local server needs to listen on 80 inside the Docker container, because of the Docker mapping 1580:80??

@aaronspruit

@deLuXe83

The port that the smtp proxy should be listening on is something OTHER than port 80. For example, my configuration below shows the port that the container is listening on (and what things looking to send SMTP messages will connect to). As you're using docker, you will either expose port 1587 (1587:1587) and have your clients connect to that, or use some other port that is not port 80.

This expose port has NOTHING to do with the redirect_listen_address port, other than they cannot be the same.

ports:
- name: smtp
  containerPort: 1587
  protocol: TCP
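The thread has by now surfaced every rule that trips people up with these two settings: the listener wants http:// with an explicit port (the proxy's own error message above), it must bind 0.0.0.0 or the container IP rather than localhost, its port is the container-side port of a compose mapping while redirect_uri names the host-side port (or a reverse proxy in front, when redirect_uri is https://), and it must not collide with the SMTP/IMAP listener port. The pre-flight check below encodes those rules for the original report and for the working configuration posted earlier. It is an added example, not the proxy's own validation: it takes compose-style "ports:" strings (not the Kubernetes form), assumes redirect_listen_address is set explicitly, and the behind_reverse_proxy flag is this example's way of saying "Apache terminates TLS for me" rather than a proxy option.

```python
"""Added example, not email-oauth2-proxy code: a pre-flight check of
redirect_uri / redirect_listen_address against Docker port mappings.
Each rule comes from a comment in this thread; the addresses used in the
demo are the thread's own or constructed for it.
"""
from typing import Dict, List
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}


def parse_mappings(ports: List[str]) -> Dict[int, int]:
    """Docker compose 'ports:' entries -> {container_port: host_port}.
    Accepts 'HOST:CONTAINER', 'IP:HOST:CONTAINER' and a trailing '/tcp'."""
    out: Dict[int, int] = {}
    for entry in ports:
        spec = entry.split("/")[0]
        host_port, container_port = spec.split(":")[-2:]
        out[int(container_port)] = int(host_port)
    return out


def check_redirect_config(redirect_uri: str, redirect_listen_address: str,
                          ports: List[str], proxy_ports: List[int],
                          behind_reverse_proxy: bool = False) -> List[str]:
    """Return 'tag: explanation' strings; an empty list means nothing found.
    proxy_ports are the local SMTP/IMAP listener ports from the [Server setup]
    sections (e.g. [SMTP-1587] -> 1587). behind_reverse_proxy is an assumed
    flag meaning a TLS-terminating proxy forwards to the listener."""
    problems: List[str] = []
    mappings = parse_mappings(ports)
    listen = urlsplit(redirect_listen_address)
    if listen.scheme != "http":
        problems.append("scheme: the callback listener speaks plain HTTP, "
                        f"use http:// not {listen.scheme}://")
    if listen.port is None:
        problems.append("port: redirect_listen_address must specify a port number")
        return problems
    if listen.hostname in ("localhost", "127.0.0.1"):
        problems.append("loopback: localhost inside the container is unreachable "
                        "through Docker's port mapping; bind 0.0.0.0 or the container IP")
    if listen.port in proxy_ports:
        problems.append(f"clash: port {listen.port} is already the SMTP/IMAP proxy "
                        "listener (this is the 'Address in use' failure)")
    if listen.port not in mappings:
        problems.append(f"unpublished: container port {listen.port} is not in ports:, "
                        f"so no host port reaches it (published: {sorted(mappings)})")
        return problems
    redirect = urlsplit(redirect_uri)
    redirect_port = redirect.port or DEFAULT_PORT.get(redirect.scheme)
    if redirect.scheme == "https" and not behind_reverse_proxy:
        problems.append("tls: an https:// redirect_uri needs a TLS-terminating "
                        "reverse proxy in front of the plain-HTTP listener")
    elif redirect.scheme == "http" and redirect_port != mappings[listen.port]:
        problems.append(f"port-mismatch: the browser opens host port {redirect_port}, "
                        f"but container port {listen.port} is published as host port "
                        f"{mappings[listen.port]}")
    return problems


if __name__ == "__main__":
    # The original report: listener told https://, and container port 8087
    # is not what the mapping "8087:80" publishes (port 80 is).
    for p in check_redirect_config("http://localhost:8087", "https://172.24.0.10:8087",
                                   ["1587:1587", "8087:80"], [1587]):
        print("report :", p)
    # The working config posted above: Apache terminates TLS and forwards to
    # host port 1580, which publishes the listener on container port 80.
    print("working:", check_redirect_config("https://smtp.internal.domain.com",
                                            "http://0.0.0.0:80",
                                            ["0.0.0.0:1580:80/tcp", "1587:1587"], [1587],
                                            behind_reverse_proxy=True))
    # The 'Address in use' case: listener on the same port as [SMTP-1587].
    print("clash  :", check_redirect_config("http://10.10.10.3:1587", "http://0.0.0.0:1587",
                                            ["1587:1587"], [1587]))
```

For the report's own config the check stops at "unpublished": with 8087:80 in compose, the only container port the host can reach is 80, so the listener has to bind 0.0.0.0:80 while redirect_uri keeps the host-side 8087.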

@deLuXe83

deLuXe83 commented Mar 3, 2025

Hi, thanks for your reply...

I solved the issue.

=> the server comes up, opens up the according port, specified in redirect_listen_address.
Then it starts the first authorization attempt.
IF this fails (which it did in my case)... it "retries" on somehow bringing up the server again... BUT it is already up and awaits the authorization token...

I had an unclear reverse proxy config; after solving this, everything went smoothly.
