#1871 accepted
Michael Herman

Oauth2 options missing from IMAP account settings

Reported by Michael Herman | November 14th, 2017 @ 06:43 AM

The title pretty much sums it up. When I create a new account, the oauth2 option is missing. I am using Version 1.9.7 (5425) with High Sierra 10.13.1.

Thanks.

Comments and changes to this ticket

  • benny

    benny November 14th, 2017 @ 09:02 AM

    The OAuth2 option depends on the entered server hostname. It only works for *.gmail.com, *.googlemail.com and *.outlook.com if I remember correctly.

    Does that explain it?

  • Michael Herman

    Michael Herman November 14th, 2017 @ 02:21 PM

    It does. My hostname is outlook.office365.com and we are using Oauth2. Is there any hack to make it an option?

  • benny

    benny November 14th, 2017 @ 02:29 PM

    • State changed from “new” to “accepted”

    Not currently. It comes up now and then, but I haven't yet fully determined if MailMate can support it or not. It's quite easy to get lost in all of the Outlook/Office365/Azure documentation and millions of buzzwords. I'll mark the ticket as “accepted”, but don't expect it soon. It's not even certain that it can be supported by desktop email clients at all.

  • Michael Herman

    Michael Herman November 28th, 2017 @ 10:32 PM

    I tried imap.outlook.com and didn't get the oauth2 option. I did try imap.gmail.com and did get the option. Can you verify the domains that work for oauth2?

    Thanks.

  • benny

    benny November 29th, 2017 @ 10:16 AM

    It only works for imap-mail.outlook.com. I wasn't aware that imap.outlook.com was an option, but I assume it's just an alias for the same thing. I've added to MailMate that it behaves just like for the imap-mail variant in future releases. I've done the same for smtp.

  • Michael Herman

    Michael Herman November 29th, 2017 @ 05:32 PM

    Thanks. I appreciate your responses on this. I think there's one other issue for me. When I go to imap-mail.outlook.com in my browser, I'm taken to a login page at login.microsoftonline.com. After I enter my user name, I'm redirected to my organization's login page. Using imap-mail.outlook.com in MailMate, the browser takes me to login.live.com which doesn't work for me. Any ideas or thoughts?

    Thanks very much.

  • benny

    benny November 29th, 2017 @ 07:45 PM

    Hmm, I guess it doesn't (maybe can't) work then. At least not without some different settings and MailMate somehow being registered with your organization. Or maybe that's incorrect -- as I noted further above it's easy to get lost in all of the documentation for OAuth2 and Outlook. I'll update this ticket if anything changes in MailMate.

  • Philip Kizer

    Philip Kizer January 19th, 2018 @ 04:46 PM

    My organization just turned on 2-factor thereby subjecting me to this failure as well. Like the original submitter my organization's server name that previously worked was 'outlook.office365.com'.

    When using the /owa/ web page I get redirected to another page to grant access to the token, but obviously without MailMate accepting that as a server name that should begin the OAuth2 process I no longer have access via MailMate and am left using either the /owa/ web interface or the Outlook client that feels so toy-like in comparison.

    If you reach the point of needing any other accounts to test patches with, I will be more than happy to assist from this end.

  • Philip Kizer

    Philip Kizer April 4th, 2018 @ 07:32 PM

    This is coming up for me again, have you looked to see if there is a way to treat outlook.office365.com similarly in MailMate to how it treats outlook.com for looking for XOAUTH2 support?

  • Tom Scogland

    Tom Scogland October 30th, 2018 @ 12:35 AM

    We recently had this come up as well. In fact, our IT department has made it impossible to authenticate with outlook.office365.com without oauth unless we're on VPN. This means MailMate gives me incorrect password errors whenever I connect from a different network.

    For what it's worth, both Outlook for Mac and Mail.app on Mojave implement this authentication mode as desktop apps. That doesn't necessarily mean there's an easy way to get registered and/or get access, but at least it's an example of some desktop app that can do it.

  • Tom Scogland

    Tom Scogland October 30th, 2018 @ 01:00 AM

    In case it is at all useful, this is apparently the specific arm of oauthv2 support that actually works when an organization turns on their new make sure MS services don't work for anyone setting. (sorry if this is just noise)

  • benny

    benny October 30th, 2018 @ 05:11 PM

    @Tom: Thanks! I had looked into it earlier on and I found the same resource. It is, unfortunately, quite easy to get lost in all of the documentation related to this and very little is directly describing what a desktop email client for IMAP/SMTP should do (I'm not even sure it's clearly stated that it should work). Previously it seemed Microsoft would never support this for Office365, but it appears they might have changed that. My main problem is that I don't have a test account, but I think there is a free trial... I would just really like to avoid having to set that up :)

    Nevertheless, I tried doing what I would think is necessary for it to work and then decided to let you try it ;)

    Download this: https://updates.mailmate-app.com/archives/MailMate_r5549.tbz

    Enable this:

    defaults write com.freron.MailMate MmUseOAuth2ForOffice365 -bool YES
    

    Relaunch and setup an Office365 account with OAuth2. I haven't tested anything and it most likely won't work, but maybe it'll lead to something that works :)

  • Tom Scogland

    Tom Scogland October 30th, 2018 @ 07:03 PM

    Awesome! Thank you @benny!

    I've continued looking into this, and found something that you might find useful if that doesn't work just yet (will check shortly). It seems the most recent trunk versions of DavMail, the open source exchange->imap proxy server and a desktop app of a sort, are adding support for this, and it works with oauth2 on the office365 side and MailMate on the imap side (though running an old java server to get to my email is... frustrating). Issue for it is here.

  • benny

    benny October 30th, 2018 @ 07:05 PM

    I believe I have a test account now, but it doesn't appear to work, but I promise to spend some time debugging. Thanks for the link.

  • Philip Kizer

    Philip Kizer October 30th, 2018 @ 07:19 PM

    I can confirm you're really close...I get a popup for organizational login, perform the login and it goes to confirm 2fa, I click the "allow" on my app for the 2fa, the window goes away and there's a slight pause (the activity window shows "Retreiving password", "Error code: 12", "Failed action (1000). Reset observed read/write timeouts: 8/8") and then I get asked for auth again.

    I see you've since updated that you have a test account, let me know if any of my logs will help.

  • Tom Scogland

    Tom Scogland October 30th, 2018 @ 07:26 PM

    This looks really close actually. When I try it, I get the authentication page, with my account already logged in which seems to mean it talked Kerberos (very nice!), and I can successfully pass that. It tries to redirect to my organization's login page to get the final authorization, which is under adfs.llnl.gov, and produces a console log like this (partially redacted to remove my email address and so forth):

    [8 <private> stream, pid: 20172, url: https://adfs.llnl.gov/adfs/ls/?login_hint=<email>&client-request-id=921769ad-e8fb-4d75-a688-d2068fdfc0c8&username=<username>, tls] cancelled
        [8.1 FA94D936-F76F-4D2C-850B-AC99B1BE81D1 <private>.61378<-><private>]
        Connected Path: satisfied (Path is satisfied), interface: en0, ipv4, dns
        Duration: 0.139s, DNS @0.000s took 0.007s, TCP @0.008s took 0.004s, TLS took 0.004s
        bytes in/out: 11421/5808, packets in/out: 13/7, rtt: 0.003s, retransmitted packets: 0, out-of-order packets: 0
    

    The authorization window prompt pops up repeatedly after this but just stays blank and then clears away. The messages bounce between the above and the authentication authorization request:

    https://login.microsoftonline.com/common/oauth2/authorize?client_id=facd6cff-a294-4415-b59f-c5b01937d7bd&response_type=code&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient&response_mode=query&resource=https://outlook.office365.com
    

    For reference, the DavMail logs show these same requests when working, but it goes through the adfs request interactively, then when that succeeds it gets the usual login.microsoftonline.com response with the oauth code. Maybe just allowing an intermediate redirect?

  • benny

    benny October 30th, 2018 @ 08:52 PM

    Ok, I give up for now. I got to the point that I had a refresh token and an access token, but both IMAP and SMTP OAuth2 authentication failed.

    DavMail doesn't talk IMAP/SMTP to the Exchange server so I'm not sure that is of much help.

    It's certainly not unlikely I'm doing something wrong, but I think I need to know that something else can use OAuth2 with IMAP and/or SMTP before proceeding (with outlook.office365.com) :-)

  • Tom Scogland

    Tom Scogland November 1st, 2018 @ 05:05 PM

    I owe you an apology @benny. This is a new low for MS, but while they fully support XOAUTH2 authentication on outlook.com, and they support it for graph and activesync, and it shows up in the capabilities list for imap on office365, they don't support it on that channel, and don't intend to.

    This is, at best, frustrating. For now I'm going to be running a pre-production DavMail proxy to get the job done, but if you're ever interested in adding an option to use one of the sync methods they do support, I'd be happy to chip in some money to support it.

  • benny

    benny November 2nd, 2018 @ 02:14 PM

    • State changed from “accepted” to “bluesky”

    Well, they do advertise XOAUTH2 which seems to indicate that it's not completely unlikely to change. I actually spent (wasted) some more time on the issue to make sure that I couldn't make it work. At least it should be ready for testing if they should announce support in the future...

    I'll mark it as bluesky here since it's out of my hands.

  • annak

    annak October 14th, 2019 @ 12:28 AM

    So, hello all, first post here. I'd emailed Benny about this a week or so ago. My university/employer uses Office365 and is about to activate mandatory 2FA. In addition Microsoft is about to end IMAP support.

    Benny suggested DavMail, I'm testing it now in O365 Interactive mode, seems to work okay thus far. I'm curious if anyone has had any luck with mandatory Office365 2FA lately?

    Edit 14 Oct 2019

    I got an email from my personal email provider (Fastmail) that they plan to continue support for O365 integration as soon as Microsoft provides developer documentation for their new authentication method, apparently coming soon. This would allow for a workflow along the lines of MailMate<--(IMAP)-->Fastmail<--(Exchange/ActiveSync/Whatever)-->Office365. It's hardly an ideal situation, but it is a start.

  • Tom Scogland

    Tom Scogland October 18th, 2019 @ 08:30 PM

    I’d note Microsoft actually announced that they’re ending basic auth support, not IMAP support. They actually stated that they’ll be adding OAUTH2 support to IMAP on office365, which is good news, but haven’t said how yet: https://developer.microsoft.com/en-us/office/blogs/end-of-support-f...

    Just that they’ll unveil oauth in the next few months.

  • benny

    benny October 19th, 2019 @ 06:01 AM

    @Tom: Thanks for the link. Even though I am skeptical about the use of OAuth2 for desktop email clients, this is great news for Office365 users. It is much better than if they decided to drop IMAP support completely. Note that it won't work automatically in MailMate since each application needs to be explicitly registered with Microsoft (which MailMate already is for outlook.com IMAP/SMTP).

  • David Shepherdson

    David Shepherdson February 28th, 2020 @ 12:44 AM

    Looks like this is the latest update on the situation:

    https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-aut...

    After you get past all the anti-IMAP/anti-third-party sentiment, this seems like the key paragraph:

    We’ve completed our development work and are rolling out Modern Auth support for POP and IMAP in Exchange Online now. Documentation for developers is being finalized and we’ll link to it in this blog post when it is available.

    (My work recently decided to switch from an on-site IMAP server to Office 365, and at this stage I'm still very relieved that I can continue to use MailMate -- hoping the days of that won't be numbered, though it sounds like the DavMail approach may be a viable workaround if necessary.)

  • benny

    benny February 28th, 2020 @ 10:17 AM

    • State changed from “bluesky” to “accepted”

    @David: Thanks for the link! Disregarding all the FUD about IMAP :) then this is a welcome explicit description of what the plans are for office365.com and IMAP/SMTP. Previously, I was unsure if it was already supported and it is (for me) very hard to navigate and find the relevant parts of the numerous resources available about authentication/Exchange/office365.

    But it doesn't seem like I can do anything yet: “We’ve completed our development work and are rolling out Modern Auth support for POP and IMAP in Exchange Online now. Documentation for developers is being finalized and we’ll link to it in this blog post when it is available.”

    I don't see a way to be notified when the blog post is updated, but I'm sure someone will eventually update this ticket when it happens :) I've switched the ticket to “accepted” since it appears there is a path forward for this “feature” now.

    Just for the record, my concerns about OAuth2 for IMAP/SMTP are still the same.

  • benny

    benny February 28th, 2020 @ 10:53 AM

    Clarification: Even if MailMate supports OAuth2 for Office365 accounts, it doesn't mean that it'll necessarily just work for everybody. I think each organization might have to allow it explicitly. On the other hand, this is not how Google Apps works (MailMate does work for everyone as far as I know).

  • Tom Scogland

    Tom Scogland February 28th, 2020 @ 05:28 PM

    That’s correct. I pulled the defaults setting you set up before out and tested it again, the request appeared to work, but my organization hasn’t allowed the MailMate application (all are disallowed by default) so I’ll have a chat with them about allowing it.

  • MGi

    MGi March 19th, 2020 @ 02:02 PM

    Hi,

    I started to have problems accessing my O365 account this morning. I enabled the defaults write com.freron.MailMate MmUseOAuth2ForOffice365 -bool YES, and our company admin granted me access so I can permit MailMate.

    After the OAuth login, it seems that MM starts to connect to the account, but after a few seconds, I'm asked to fill in my password again - MM is stuck in this loop. Anyone facing the same issue?

    My account settings...

    Btw, the OAuth option is not active for SMTP.

  • benny

    benny March 19th, 2020 @ 06:47 PM

    @MGi: I have no (known) users accessing office365.com accounts using OAuth2. The hidden preference is just my attempt at guessing how it might work, but (as far as I know) it might not actually be enabled for the server(s) yet -- and there is no documentation for how it should work yet.

    I'm thinking your problem might be unrelated to the authentication method. I suggest you try again with the password based approach with an application specific password.

  • MGi

    MGi March 19th, 2020 @ 07:29 PM

    @benny That's interesting. After MM stopped working for me, I switched to Mail.app, and I had to reauthorize it too. I was also forced to change my password when the OAuth method was used for the first time.

    I'll try to give it a shot with the app-specific password.

    Thanks.

  • MGi

    MGi March 20th, 2020 @ 11:45 AM

    UPDATE: MailMate works today as it did before. It seems there was a problem on the MS side, even though they reported nothing.
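
Added example, not part of the ticket and not MailMate's code: the thread reports that outlook.office365.com listed XOAUTH2 in its IMAP capabilities yet rejected OAuth2 logins. This Python sketch reads the advertised mechanisms, builds the SASL XOAUTH2 initial response, and decodes the base64 JSON error challenge described in Google's published XOAUTH2 protocol; the capability line, user, token and challenge are constructed sample values, and `classify_attempt` is a hypothetical helper name.

```python
import base64
import json

# Constructed sample values (not taken from the ticket).
CAPS = "* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS"
USER, TOKEN = "user@example.com", "constructed-access-token"
CHALLENGE = base64.b64encode(json.dumps(
    {"status": "401", "schemes": "bearer", "scope": "https://example.invalid/"}
).encode()).decode()


def advertised_auth_mechanisms(capability_line):
    """Return the SASL mechanisms an IMAP CAPABILITY line advertises."""
    return {
        atom[5:].upper()
        for atom in capability_line.split()
        if atom.upper().startswith("AUTH=")
    }


def xoauth2_initial_response(user, access_token):
    """Build the base64 SASL XOAUTH2 initial client response."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def decode_failure_challenge(challenge_b64):
    """Decode the base64 JSON error sent when the server rejects the token."""
    return json.loads(base64.b64decode(challenge_b64))


def classify_attempt(capability_line, server_reply, tag="A1"):
    """Classify the first reply to '<tag> AUTHENTICATE XOAUTH2 <response>'."""
    if "XOAUTH2" not in advertised_auth_mechanisms(capability_line):
        return ("not-advertised", None)
    if server_reply.startswith("+ "):
        # A continuation here carries the error; the client answers with an
        # empty line and the server then finishes with a tagged NO.
        return ("rejected", decode_failure_challenge(server_reply[2:]))
    if server_reply.upper().startswith(f"{tag} OK"):
        return ("authenticated", None)
    return ("failed", server_reply)


if __name__ == "__main__":
    print("A1 AUTHENTICATE XOAUTH2 " + xoauth2_initial_response(USER, TOKEN))
    print(classify_attempt(CAPS, "+ " + CHALLENGE))
```

A "rejected" result with the mechanism advertised is the situation the thread describes: the capability list alone does not show that the server accepts the token on that channel.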
