#2669 ✓fixcommitted
Stefan Seiz

Office365 Accounts with Two Factor Authentication

Reported by Stefan Seiz | October 8th, 2020 @ 06:42 AM

Hi,

Creating a new ticket for this https://freron.lighthouseapp.com/projects/58672/tickets/1871-oauth2..., since the original ticket seems closed and does not involve the use of 2FA.

My employer uses Exchange on Office365 and has enabled 2FA, so my account in MailMate (set up as an IMAP account with password auth) just stopped working. I have followed the steps in https://freron.lighthouseapp.com/projects/58672/tickets/1871-oauth2... and am very close to being able to log in.

The problem is that after supplying the password and 2FA code, the password dialog pops up again after a short time. Below are the relevant entries from the Activity Viewer. Any ideas what's going wrong here?

09:09:53 Running action
09:09:53 Sending request (20)
09:09:53 Handling request
09:09:53 Ready to run action (retry count: 0)
09:09:53 Clearing connection to outlook.office365.com
09:09:53 Trying to connect to outlook.office365.com on port 993 (CFNetwork) without STARTTLS (required)
09:09:53 Resolved hostname (outlook.office365.com).
09:09:53 Prepare secure connection...
09:09:53 Successful connection.
09:09:53 Initiating secure connection...
09:09:53 Returned (4)...
09:09:53 Protocol version: kTLSProtocol12
09:09:53 S: * OK The Microsoft Exchange IMAP4 service is ready. [QQBNADQAUABSADAAMgAwADIAQwBBADAAMAAwADkALgBlAHUAcgBwAHIAZAAwADIALgBwAHIAbwBkAC4AbwB1AHQAbABvAG8AawAuAGMAbwBtAA==]
09:09:53 C: A0 CAPABILITY
09:09:53 S: * CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS MOVE ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+
09:09:53 S: A0 OK CAPABILITY completed.
09:09:53 Retrieving password (keychain or user request)
09:09:53 C: A1 AUTHENTICATE XOAUTH2 ••••••••••
09:10:09 S:
09:10:09 Error code: 9
09:10:09 New timeout values (8/8): 24/24
09:10:09 Failed action (1000). Reset observed read/write timeouts: 8/8

09:10:09 Handling reply
09:10:09 Running action
09:10:09 Sending request (18)
09:10:09 Handling request
09:10:09 Trying to disconnect nicely (12)...
09:10:09 C: A2 LOGOUT
09:10:11 S: A1 NO AUTHENTICATE failed.
09:10:11 S: * BYE Microsoft Exchange Server IMAP4 server signing off.
09:10:11 S: A2 OK LOGOUT completed.
09:10:11 Clearing connection to outlook.office365.com
09:10:12 Ready to run action (retry count: 1)
09:10:12 Clearing connection to outlook.office365.com
09:10:12 Trying to connect to outlook.office365.com on port 993 (CFNetwork) without STARTTLS (required)
09:10:12 Resolved hostname (outlook.office365.com).
09:10:12 Prepare secure connection...
09:10:12 Successful connection.
09:10:12 Initiating secure connection...
09:10:12 Returned (4)...
09:10:12 Protocol version: kTLSProtocol12
09:10:12 S: * OK The Microsoft Exchange IMAP4 service is ready. [QQBNADQAUABSADAANQBDAEEAMAAwADAANgAuAGUAdQByAHAAcgBkADAANQAuAHAAcgBvAGQALgBvAHUAdABsAG8AbwBrAC4AYwBvAG0A]
09:10:12 C: A0 CAPABILITY
09:10:12 S: * CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS MOVE ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+
09:10:12 S: A0 OK CAPABILITY completed.
09:10:12 Retrieving password (keychain or user request)
09:10:12 C: A1 AUTHENTICATE XOAUTH2 ••••••••••
09:10:13 S: A1 NO AUTHENTICATE failed.
09:10:13 Error: Server response: “A1 NO AUTHENTICATE failed.”. Command attempted: “A1 AUTHENTICATE XOAUTH2 ••••••••••”.
09:10:13 Retrieving password (keychain or user request)
09:10:13 Error code: 12
09:10:13 Failed action (1000). Reset observed read/write timeouts: 8/8

09:10:13 Handling reply
09:10:13 Error: Failed multiple retries (2). Final error code was 14.
09:10:13 Terminating non-running connection...
09:10:13 Running action
09:10:13 Sending request (21)
09:10:13 Handling request
09:10:13 Trying to disconnect nicely (12)...
09:10:13 C: A2 LOGOUT
09:10:13 S: * BYE Microsoft Exchange Server IMAP4 server signing off.
09:10:13 S: A2 OK LOGOUT completed.
09:10:13 Clearing connection to outlook.office365.com
09:10:13 Ready to run action (retry count: 0)
09:10:13 Clearing connection to outlook.office365.com
09:10:13 Trying to connect to outlook.office365.com on port 993 (CFNetwork) without STARTTLS (required)
09:10:13 Resolved hostname (outlook.office365.com).
09:10:13 Prepare secure connection...
09:10:13 Successful connection.
09:10:13 Initiating secure connection...
09:10:13 Returned (4)...
09:10:13 Protocol version: kTLSProtocol12
09:10:13 S: * OK The Microsoft Exchange IMAP4 service is ready. [QQBNADQAUABSADAANQBDAEEAMAAwADIAMQAuAGUAdQByAHAAcgBkADAANQAuAHAAcgBvAGQALgBvAHUAdABsAG8AbwBrAC4AYwBvAG0A]
09:10:13 C: A0 CAPABILITY
09:10:13 S: * CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS MOVE ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+
09:10:13 S: A0 OK CAPABILITY completed.
09:10:13 Retrieving password (keychain or user request)
09:10:13 C: A1 AUTHENTICATE XOAUTH2 ••••••••••
09:10:14 S: A1 NO AUTHENTICATE failed.
09:10:14 Error: Server response: “A1 NO AUTHENTICATE failed.”. Command attempted: “A1 AUTHENTICATE XOAUTH2 ••••••••••”.
09:10:14 Retrieving password (keychain or user request)
09:10:14 Error code: 12
09:10:14 Failed action (1000). Reset observed read/write timeouts: 8/8

09:10:14 Handling reply
09:10:14 Error: Failed multiple retries (1). Final error code was 14.
09:10:14 Terminating non-running connection...
09:10:14 Running action
09:10:14 Sending request (22)
09:10:14 Handling request
09:10:14 Trying to disconnect nicely (12)...
09:10:14 C: A2 LOGOUT
09:10:14 S: * BYE Microsoft Exchange Server IMAP4 server signing off.
09:10:14 S: A2 OK LOGOUT completed.
09:10:14 Clearing connection to outlook.office365.com
09:10:14 Ready to run action (retry count: 0)
09:10:14 Clearing connection to outlook.office365.com
09:10:14 Trying to connect to outlook.office365.com on port 993 (CFNetwork) without STARTTLS (required)
09:10:14 Resolved hostname (outlook.office365.com).
09:10:14 Prepare secure connection...
09:10:14 Successful connection.
09:10:14 Initiating secure connection...
09:10:15 Returned (4)...
09:10:15 Protocol version: kTLSProtocol12
09:10:15 S: * OK The Microsoft Exchange IMAP4 service is ready. [QQBNADQAUABSADAANQBDAEEAMAAwADAAOAAuAGUAdQByAHAAcgBkADAANQAuAHAAcgBvAGQALgBvAHUAdABsAG8AbwBrAC4AYwBvAG0A]
09:10:15 C: A0 CAPABILITY
09:10:15 S: * CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS MOVE ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+
09:10:15 S: A0 OK CAPABILITY completed.
09:10:15 Retrieving password (keychain or user request)
09:10:15 C: A1 AUTHENTICATE XOAUTH2 ••••••••••
09:10:15 S: A1 NO AUTHENTICATE failed.
09:10:15 Error: Server response: “A1 NO AUTHENTICATE failed.”. Command attempted: “A1 AUTHENTICATE XOAUTH2 ••••••••••”.
09:10:15 Retrieving password (keychain or user request)
09:10:15 Error code: 12
09:10:15 Failed action (1000). Reset observed read/write timeouts: 8/8

09:10:15 Handling reply
09:10:15 Error: Failed multiple retries (1). Final error code was 14.
09:10:15 Terminating non-running connection...
09:10:16 Running action
09:10:16 Sending request (23)
09:10:16 Handling request
09:10:16 Trying to disconnect nicely (12)...
09:10:16 C: A2 LOGOUT
09:10:16 S: * BYE Microsoft Exchange Server IMAP4 server signing off.
09:10:16 S: A2 OK LOGOUT completed.
09:10:16 Clearing connection to outlook.office365.com
09:10:16 Ready to run action (retry count: 0)
09:10:16 Clearing connection to outlook.office365.com
09:10:16 Trying to connect to outlook.office365.com on port 993 (CFNetwork) without STARTTLS (required)
09:10:16 Resolved hostname (outlook.office365.com).
09:10:16 Prepare secure connection...
09:10:16 Successful connection.
09:10:16 Initiating secure connection...
09:10:16 Returned (4)...
09:10:16 Protocol version: kTLSProtocol12
09:10:16 S: * OK The Microsoft Exchange IMAP4 service is ready. [QQBNADQAUABSADAANQBDAEEAMAAwADEAOAAuAGUAdQByAHAAcgBkADAANQAuAHAAcgBvAGQALgBvAHUAdABsAG8AbwBrAC4AYwBvAG0A]
09:10:16 C: A0 CAPABILITY
09:10:16 S: * CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS MOVE ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+
09:10:16 S: A0 OK CAPABILITY completed.
09:10:16 Retrieving password (keychain or user request)
09:10:16 C: A1 AUTHENTICATE XOAUTH2 ••••••••••
09:10:16 S: A1 NO AUTHENTICATE failed.
09:10:16 Error: Server response: “A1 NO AUTHENTICATE failed.”. Command attempted: “A1 AUTHENTICATE XOAUTH2 ••••••••••”.
09:10:16 Retrieving password (keychain or user request)
09:10:16 Error code: 12
09:10:16 Failed action (1000). Reset observed read/write timeouts: 8/8

09:10:16 Handling reply
09:11:01 Running action
09:11:01 Sending request (19)
09:11:01 Handling request
09:11:01 Trying to disconnect nicely (12)...
09:11:01 C: A2 LOGOUT
09:11:01 S: * BYE Microsoft Exchange Server IMAP4 server signing off.
09:11:01 S: A2 OK LOGOUT completed.
09:11:01 Clearing connection to outlook.office365.com
09:11:02 Ready to run action (retry count: 1)
09:11:02 Clearing connection to outlook.office365.com
09:11:02 Trying to connect to outlook.office365.com on port 993 (CFNetwork) without STARTTLS (required)
09:11:02 Resolved hostname (outlook.office365.com).
09:11:02 Prepare secure connection...
09:11:02 Successful connection.
09:11:02 Initiating secure connection...
09:11:02 Returned (4)...
09:11:02 Protocol version: kTLSProtocol12
09:11:02 S: * OK The Microsoft Exchange IMAP4 service is ready. [QQBNADAAUABSADAAMgBDAEEAMAAwADkAMgAuAGUAdQByAHAAcgBkADAAMgAuAHAAcgBvAGQALgBvAHUAdABsAG8AbwBrAC4AYwBvAG0A]
09:11:02 C: A0 CAPABILITY
09:11:02 S: * CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS MOVE ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+
09:11:02 S: A0 OK CAPABILITY completed.
09:11:02 Retrieving password (keychain or user request)
09:11:02 C: A1 AUTHENTICATE XOAUTH2 ••••••••••
09:11:02 S: A1 NO AUTHENTICATE failed.
09:11:02 Error: Server response: “A1 NO AUTHENTICATE failed.”. Command attempted: “A1 AUTHENTICATE XOAUTH2 ••••••••••”.
09:11:02 Retrieving password (keychain or user request)
09:11:02 Error code: 12
09:11:02 Failed action (1000). Reset observed read/write timeouts: 8/8

09:11:02 Handling reply
09:11:21 Running action
09:11:21 Sending request (24)
09:11:21 Handling request
09:11:21 Trying to disconnect nicely (12)...
09:11:21 C: A2 LOGOUT
09:11:21 S: * BYE Microsoft Exchange Server IMAP4 server signing off.
09:11:21 S: A2 OK LOGOUT completed.
09:11:21 Clearing connection to outlook.office365.com
09:11:23 Ready to run action (retry count: 2)
09:11:23 Clearing connection to outlook.office365.com
09:11:23 Trying to connect to outlook.office365.com on port 993 (CFNetwork) without STARTTLS (required)
09:11:23 Resolved hostname (outlook.office365.com).
09:11:23 Prepare secure connection...
09:11:23 Successful connection.
09:11:23 Initiating secure connection...
09:11:23 Returned (4)...
09:11:23 Protocol version: kTLSProtocol12
09:11:23 S: * OK The Microsoft Exchange IMAP4 service is ready. [QQBNADAAUABSADAANABDAEEAMAAxADQANAAuAGUAdQByAHAAcgBkADAANAAuAHAAcgBvAGQALgBvAHUAdABsAG8AbwBrAC4AYwBvAG0A]
09:11:23 C: A0 CAPABILITY
09:11:23 S: * CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS MOVE ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+
09:11:23 S: A0 OK CAPABILITY completed.
09:11:23 Retrieving password (keychain or user request)
09:11:23 C: A1 AUTHENTICATE XOAUTH2 ••••••••••
09:11:23 S: A1 NO AUTHENTICATE failed.
09:11:23 Error: Server response: “A1 NO AUTHENTICATE failed.”. Command attempted: “A1 AUTHENTICATE XOAUTH2 ••••••••••”.
09:11:23 Retrieving password (keychain or user request)
09:11:23 Error code: 12
09:11:23 Failed action (1000). Reset observed read/write timeouts: 8/8

09:11:23 Handling reply
09:11:36 Running action
09:11:36 Sending request (21)
09:11:36 Handling request
09:11:36 Trying to disconnect nicely (12)...
09:11:36 C: A2 LOGOUT
09:11:36 S: * BYE Microsoft Exchange Server IMAP4 server signing off.
09:11:36 S: A2 OK LOGOUT completed.
09:11:36 Clearing connection to outlook.office365.com
09:11:39 Ready to run action (retry count: 3)
09:11:39 Clearing connection to outlook.office365.com
09:11:39 Trying to connect to outlook.office365.com on port 993 (CFNetwork) without STARTTLS (required)
09:11:39 Resolved hostname (outlook.office365.com).
09:11:39 Prepare secure connection...
09:11:39 Successful connection.
09:11:39 Initiating secure connection...
09:11:39 Returned (4)...
09:11:39 Protocol version: kTLSProtocol12
09:11:39 S: * OK The Microsoft Exchange IMAP4 service is ready. [QQBNADAAUABSADAANQBDAEEAMAAwADkAMAAuAGUAdQByAHAAcgBkADAANQAuAHAAcgBvAGQALgBvAHUAdABsAG8AbwBrAC4AYwBvAG0A]
09:11:39 C: A0 CAPABILITY
09:11:39 S: * CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS MOVE ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+
09:11:39 S: A0 OK CAPABILITY completed.
09:11:39 Retrieving password (keychain or user request)
09:11:39 C: A1 AUTHENTICATE XOAUTH2 ••••••••••
09:11:40 S: A1 NO AUTHENTICATE failed.
09:11:40 Error: Server response: “A1 NO AUTHENTICATE failed.”. Command attempted: “A1 AUTHENTICATE XOAUTH2 ••••••••••”.
09:11:40 Retrieving password (keychain or user request)
09:11:40 Error code: 12
09:11:40 Failed action (1000). Reset observed read/write timeouts: 8/8

09:11:40 Handling reply
09:11:53 Terminating non-running connection...
09:13:53 Running action
09:13:53 Sending request (25)
09:13:53 Handling request
09:13:53 Trying to disconnect nicely (30)...
09:13:53 C: R2 LOGOUT
09:13:53 Error: Connection error (Broken pipe).
09:13:53 Clearing connection to outlook.office365.com
09:13:53 Ready to run action (retry count: 0)
09:13:53 Disconnecting
09:13:53 Clearing connection to outlook.office365.com
09:13:53 Completed action (3). Observed read/write timeouts: 8/8

09:13:53 Handling reply

Comments and changes to this ticket

  • Stefan Seiz

    Stefan Seiz October 22nd, 2020 @ 12:38 PM

    It is very silent here. Am I the only one who "has" to use such an account with 2FA auth, or what is going on?

    I am currently also using "DavMail" as a workaround, but that shouldn't be a permanent solution.

    Thanks for any feedback, even if it is a "not on our priority list" or such.

  • Klay

    Klay October 25th, 2020 @ 09:52 PM

    I am using 2FA (Authenticator app) with Office365 for work and never had an issue.

    Have you changed your password lately? If you have not tried this already, close MM, go into your Mac Keychain and delete all your O365 related details. Then open MM and try logging in again. Oh, and make sure you delete every single Microsoft related detail - there are lots of them!

    Are you using an app specific password or your main password for the account? If your main password, have you tried using an app specific password? I never bothered using the main username/password but instead created an application specific password for Mailmate. Never had a single issue.

    From your logs, it appears to be a local issue but I can't be 100% certain.

  • Stefan Seiz

    Stefan Seiz October 26th, 2020 @ 09:58 AM

    Thanks a lot for the reply @Klay. I guess I am not completely following you.
    You say that you are using an app-specific password, which is the substitute if one can NOT use 2FA. You also say that you are using 2FA though.

    I am using the regular account password and 2FA. This method works fine in all my other apps – Fantastical, Apple Mail (Exchange account), just not in MM. That said, I can't believe any Keychain entries are the cause of the problem, since it should then also affect the other apps.

  • Klay

    Klay October 26th, 2020 @ 11:31 AM

    ok, try this first:

    1. MM - File-> edit IMAP account -> choose your O365 account.
    2. In the dialog box for IMAP ensure that port 993 is set, "Require SSL" is ticked, "Oauth2" is ticked.
    3. In the dialog box for SMTP ensure that port 587 is set, "required SSL" is ticked, "OAuth2" is ticked.

    Then retry. What happens?

  • Stefan Seiz

    Stefan Seiz October 26th, 2020 @ 11:41 AM

    That is/was the exact setting I had in place when I posted the above entries from the Activity Viewer.

    When I do that, I get the usual webview asking me for my password and after submitting, it asks me for the OTP code. Once I submit that, the webview closes and after a second or two opens again, asking me for my password. Endless loop.

    If I enter an app-specific password instead of the real account password, I get an error in the webview "wrong password", which seems logical, as MS says that app-specific passwords aren't valid for IMAP accounts.

  • Mike

    Mike October 26th, 2020 @ 12:41 PM

    I have been using DavMail for a few years now to connect to our company exchange. It really works excellently.

    What makes this solution more than a workaround is that DavMail translates the Exchange categories and IMAP keywords in both directions. Exchange-IMAP does not do this. I use quite a lot of tagging to structure my tasks.

    DavMail has only one small catch: the GUI version is very crash prone. But if you use it in server mode, it is very stable.

  • benny

    benny October 26th, 2020 @ 01:46 PM

    @Stefan: Sorry about the late reply. OAuth2 issues are generally very hard to debug, because the error messages do not really tell anything about what fails. I know it works for several users which means that it's not a general issue in MailMate, but I'm naturally not ruling out a bug in MailMate. One way to learn more would be to try connecting to the account using Thunderbird (which is also able to use OAuth2 via IMAP).

  • Stefan Seiz

    Stefan Seiz October 26th, 2020 @ 03:29 PM

    @benny I'll set the account up in Thunderbird. Anything specific I should test except just seeing if it works there?

  • Stefan Seiz

    Stefan Seiz October 26th, 2020 @ 03:57 PM

    Thunderbird is now configured with my account and downloading my inbox as we speak.
    I'd attach a screenshot of my settings, but "Upload Quota Reached".

  • benny

    benny October 26th, 2020 @ 08:44 PM

    @Stefan: The connection output you provided looks fine and therefore I don't think it's a settings issue. The issue might be that Thunderbird is allowed by your organization, but MailMate isn't. You can try asking your IT department about that.

  • Klay

    Klay October 26th, 2020 @ 11:32 PM

    I doubt the IT dept are blocking the app. I personally thought the issue was something to do with your authentication via Keychain or IT blocking SMTP access. Since you can use Thunderbird, that rules out the IT dept blocking SMTP access.

    There are three things I can suggest but no guarantee. I am using both Outlook and Fantastical and not seen this issue.

    1. Keychain - The reason I am saying check Keychain is more of a hunch. Is there any harm in searching Keychain and deleting all the com.feron.MailMate.Office365 entries and retrying?

    2. I use both app specific passwords and the main password. Back to the original suggestion. App specific passwords only work if your IT dept allow this, if not, then no go. But if you go to the url pasted below and select "add method" and set an app specific password. Then edit or create a new IMAP account in MM and use the same username, but this time the app specific password. It is a long shot, but it may just help. https://mysignins.microsoft.com/security-info.

    3. What browser are you using? Possibly some cache issue? As a last resort, clear your browser cache OR set a different default browser temporarily so that when you are asked to authenticate, you can use a different browser.

  • Stefan Seiz

    Stefan Seiz October 27th, 2020 @ 07:22 AM

    @benny we are a pretty small company without an IT department (we all work in IT). When I started to dealing with this, MM was indeed not "allowed". My boss made me an admin for 2 hours so I could try myself to get up and running. I did explicitly allow MM myself. Since then it is definitely allowed.

    @klay I appreciate all your help, but sometimes I really don't get what you say. When I authenticate an Office account in MM, there is no browser being opened. The authentication happens right in a little window inside MM. So there is no browser that can be switched or such. I did delete all related MailMate entries in Keychain but that didn't help.

  • Klay

    Klay October 27th, 2020 @ 08:03 AM

    @Stefan, my apologies for not being clearer - Does this describe what you are seeing on MM?

    https://answers.microsoft.com/en-us/msoffice/forum/msoffice_outlook...

  • benny

    benny October 27th, 2020 @ 03:21 PM

    @Stefan: I've asked followers of ticket #1871 to see if they can help debug this issue. I do see a timeout in the beginning of the output you provided. A wild guess is that authentication is slow and when this has failed a few times then the server simply rejects immediately as some kind of DOS-defence. You can increase the default timeout (which is pretty low) like this:

    defaults write com.freron.MailMate MmMinimumConnectionTimeout -integer 60
    

    It would also help if you can find some kind of server log which provides more information than just A1 NO AUTHENTICATE failed. I'm hoping other Office365 users know where to locate that if possible.

  • Stefan Seiz

    Stefan Seiz October 27th, 2020 @ 04:21 PM

    Funny enough, when I log in to my MS account, I see the logins from MM as "successful". This is totally weird.

    Would it help if I record the SSL traffic between MM and Microsoft? I use the "Proxyman" app which captures even SSL traffic in clear, readable form (and looking at that, it also seems the auth is successful).
    I would not want to post that here though, as it contains sensitive information.

  • Stefan Seiz

    Stefan Seiz October 27th, 2020 @ 04:25 PM

    "when I log in to my MS account" meant logging into the web interface of my account, where I can check security, access etc. The successful logins can be seen here: https://mysignins.microsoft.com

  • benny

    benny October 27th, 2020 @ 06:53 PM

    @Stefan: With regard to “successful” then that probably just means that the authentication process providing the tokens works well. It's when using the token via IMAP that authentication is rejected. I'm sure the “raw” traffic will not show more than we can see in the Activity Viewer of MailMate. I'll see if I can come up with some other way to debug and/or learn more...
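The two things benny distinguishes above (the token-issuing step succeeding, then the IMAP `AUTHENTICATE XOAUTH2` step being rejected, plus the timeout he noticed at the very start of the posted log) can be checked mechanically. The following is an added example, not MailMate's code and not something posted in this ticket: it parses Activity Viewer-style `C:`/`S:` lines to tell a timed-out attempt (empty server reply after many seconds) from an immediate `NO`, shows what the masked `••••••••••` after `AUTHENTICATE XOAUTH2` carries (the SASL XOAUTH2 initial response, sent inline because the server advertises `SASL-IR`), and decodes the bracketed base64 in the Exchange greeting from the log above. The log excerpt `SAMPLE_LOG` is constructed from the timestamps in the original post; the greeting line is copied from it; the user name and token in the usage call are placeholders.

```python
"""Added example: classify XOAUTH2 attempts in a MailMate-style log and build/decode
the SASL XOAUTH2 initial response. Not MailMate's code; names are illustrative."""
import base64
import re
from datetime import datetime

# Constructed from the timestamps in the posted Activity Viewer output:
# first attempt gets no reply for 16 s (Error code 9), later ones get an immediate NO.
SAMPLE_LOG = """\
09:09:53 C: A1 AUTHENTICATE XOAUTH2 ••••••••••
09:10:09 S:
09:10:09 Error code: 9
09:10:12 C: A1 AUTHENTICATE XOAUTH2 ••••••••••
09:10:13 S: A1 NO AUTHENTICATE failed.
"""

# Greeting line copied verbatim from the posted log.
SAMPLE_GREETING = ("* OK The Microsoft Exchange IMAP4 service is ready. "
                   "[QQBNADQAUABSADAAMgAwADIAQwBBADAAMAAwADkALgBlAHUAcgBwAHIAZAAwADIA"
                   "LgBwAHIAbwBkAC4AbwB1AHQAbABvAG8AawAuAGMAbwBtAA==]")

_LINE = re.compile(r"^(\d\d:\d\d:\d\d) (C|S): ?(.*)$")


def classify_auth_attempts(log_text):
    """Return [(seconds_until_server_reply, verdict), ...] per AUTHENTICATE command.

    verdict is "TIMEOUT" (server line empty, i.e. the client gave up waiting),
    "REJECTED" (tagged NO) or "OK" (tagged OK). Untagged lines such as a SASL
    '+' continuation are skipped while an attempt is pending.
    """
    results = []
    pending = None  # (timestamp, tag) of the AUTHENTICATE awaiting a reply
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # Activity Viewer status lines ("Error code: 9" etc.)
        ts, side, body = m.groups()
        t = datetime.strptime(ts, "%H:%M:%S")
        if side == "C" and " AUTHENTICATE " in f" {body} ":
            pending = (t, body.split()[0])
        elif side == "S" and pending is not None:
            t0, tag = pending
            if body == "":
                verdict = "TIMEOUT"
            elif body.startswith(f"{tag} NO"):
                verdict = "REJECTED"
            elif body.startswith(f"{tag} OK"):
                verdict = "OK"
            else:
                continue
            results.append(((t - t0).total_seconds(), verdict))
            pending = None
    return results


def xoauth2_initial_response(user, access_token):
    """SASL XOAUTH2 initial client response: base64("user=" u ^Aauth=Bearer t ^A^A).

    This is the part MailMate masks as '••••••••••'. It is base64, not encryption:
    anyone who sees the command sees the bearer token, which is why it only
    travels inside the TLS session negotiated on port 993.
    """
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_xoauth2_initial_response(b64):
    """Inverse of xoauth2_initial_response: {'user': ..., 'auth': 'Bearer ...'}."""
    raw = base64.b64decode(b64).decode("utf-8")
    return dict(part.split("=", 1) for part in raw.strip("\x01").split("\x01"))


def decode_exchange_greeting_tag(greeting_line):
    """Decode the [base64] suffix of the Exchange IMAP greeting (UTF-16LE host name).

    Useful when correlating client-side failures with a server-side log: it names
    the backend that served the connection, and nothing else.
    """
    m = re.search(r"\[([A-Za-z0-9+/=]+)\]\s*$", greeting_line)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


if __name__ == "__main__":
    for elapsed, verdict in classify_auth_attempts(SAMPLE_LOG):
        print(f"{verdict:8s} after {elapsed:.0f}s")
    print("backend:", decode_exchange_greeting_tag(SAMPLE_GREETING))
    # Placeholder user/token, not real credentials.
    ir = xoauth2_initial_response("alice@example.com", "eyJ0eXAi...placeholder")
    print("C: A1 AUTHENTICATE XOAUTH2", ir)
    print(decode_xoauth2_initial_response(ir))
```

Run against the real Activity Viewer output (paste it into `SAMPLE_LOG`), the first attempt classifies as `TIMEOUT` at 16 s and every later one as `REJECTED` within a second, which matches benny's reading: the first exchange stalled, the rest were refused outright. If a decoded initial response shows an empty or unexpected `auth` field, the problem is on the token side; if it looks well-formed and the server still answers `NO`, the token was minted but is not accepted for IMAP, which is the situation this ticket describes.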

  • Tom Scogland

    Tom Scogland October 27th, 2020 @ 08:45 PM

    I came over here from the general OAuth issue after finally getting an admin to sit down with me and allow MailMate on our system today (getting apps approved for fedramp accounts is a bit of an exercise). When the o365 side is blocking an app, you get a webview that specifically says it needs admin approval. If an admin then logs in, it asks for permission to provide that application with keys for the organization, and if that's accepted gets into a loop that looks a bit like this where it's using the admin's credentials to try to log into the user's account.

    At least for me, switching back to plain auth and deleting the oauth keys, then switching back to oauth and logging in solved the issue. I can't be sure it's the same problem, but if it's going straight to a login prompt it's almost certainly not an app restriction on your organization.

  • Patrick

    Patrick October 29th, 2020 @ 07:27 PM

    Still not working for me. Just working with 5672 version without any issue.

  • Klay

    Klay October 29th, 2020 @ 11:07 PM

    @Stefan - Have you tried to use an app specific password for Mailmate on your O365 account? Please have a read of this and if you can try this to see if it works at least?

    https://docs.microsoft.com/en-us/azure/active-directory/user-help/m...

    I have 2FA and use this often.

  • Patrick

    Patrick October 30th, 2020 @ 09:27 AM

    @Klay - I tried and it is not working. I used it before they turned on OAuth2. It still goes into a loop with the latest version. With MailMate 5672, however, I am not able to reproduce the issue.

  • Stefan Seiz

    Stefan Seiz October 30th, 2020 @ 09:29 AM

    AFAIK Microsoft does not Support App-Passwords for IMAP.

  • Klay

    Klay October 30th, 2020 @ 10:48 AM

    AFAIK Microsoft does not Support App-Passwords for IMAP.

    It does. I am using it right now. If you have this link in your O365 account https://mysignins.microsoft.com/security-info select "Add method" and from the dropdown choose "App password". If it is not there, then your IT dept has not enabled it.

  • Klay

    Klay October 31st, 2020 @ 04:13 PM

    @Patrick and @Stefan - what is the IMAP server address you are using? Is it outlook.office365.com?

    I am wondering if the recent announcement by MS is the cause of this - https://developer.microsoft.com/en-us/office/blogs/end-of-support-f...

    One thing worth checking in your O365 Admin area - Go to Admin->Active users-> -> Mail -> Manage email apps.

    Are apps "Authenticated SMTP" and "IMAP" permissions ticked?

  • Patrick

    Patrick November 2nd, 2020 @ 06:35 AM

    Hi @Klay,

    unfortunately I can't access the admin section. It is not under my control. I'll ask the office IT to double check.

    Btw, I am using the outlook.office365.com. Anyhow, it does not explain why with mailmate version 5672 is working.

    ciao ciao
    Patrick

  • Klay

    Klay November 2nd, 2020 @ 07:47 PM

    Anyhow, it does not explain why with mailmate version 5672 is working.

    Agree. That I am afraid, suggests something local rather than at the server. I am using 5726 without any issues. If you are using the following:

    • IMAP Port 993 and "require SSL" and "Oauth2" options are ticked
    • SMTP port 587 and "require SSL" and "Oauth2" options are ticked

    Then I'm out of ideas! Sorry I can't help more.

  • Patrick

    Patrick November 3rd, 2020 @ 07:33 AM

    @Klay, thx

    Not sure, because it is working also for Google and Fastmail. Only Office365. Waiting for the answer from Office IT.

    If I found something I'll update the ticket.

    Thanks
    Patrick

  • Patrick

    Patrick November 3rd, 2020 @ 08:38 AM

    I managed to check it out and the options ("Authenticated SMTP" and "IMAP" permissions ticked) mentioned by @klay were set up correctly.

    So I am out of ideas.

  • benny

    benny November 3rd, 2020 @ 02:14 PM

    Thanks for everyone chiming in. I'm still not sure if there's anything I can do at my end...

    Just to make one thing clear: If the public release of MailMate is working (r5673) or anything before that then MailMate uses regular password access. There's no OAuth2 in play for accounts connecting to outlook.office365.com. This also means that the particular account can access email without OAuth2. By disabling OAuth2 in the test releases of MailMate then it should still work like before.

  • Klay

    Klay November 3rd, 2020 @ 07:27 PM

    My final go.......I would, if you haven't already, read and try this https://docs.microsoft.com/en-us/azure/active-directory/user-help/m... if you have 2FA on O365. It only works if your admins allow app specific passwords.

  • Patrick

    Patrick November 6th, 2020 @ 06:58 AM

    Hi Klay,

    I tried but our admin disabled it. :(

  • Chris Newman

    Chris Newman January 20th, 2021 @ 11:33 PM

    FYI, I just got migrated to Outlook365 with 2FA and am working to get approval to access the system via MailMate. I've downloaded the pre-release version of Mailmate, and attempting to use that to login led me to an approval form where I gave my justification for requesting MailMate access. I did some research and it looks like the Outlook365 Azure administrator for the Outlook365 domain has to do this:

    https://docs.microsoft.com/en-us/azure/active-directory/manage-apps...

    I did get an email (via Outlook365 web interface) saying "MailMate access request received". I'm now trying to chase down someone in my company who can approve that request. I'm not happy with this; it shouldn't be necessary to play "mother-may-I" games with open standards, but I'll post an update when I get results.

    I've been meaning to design an IETF 2-factor SASL mechanism that's friendlier to interoperability/freedom/non-web clients than OAuth, guess I have extra incentive now. My last attempt at a better email auth mechanism (SCRAM) succeeded in the Kafka community but failed elsewhere since 2-factor became too popular.

  • benny

    benny January 22nd, 2021 @ 11:26 AM

    • State changed from “new” to “fixcommitted”

    @Chris: Thanks for your notes. I'll see if your link leads to something I can/should change in the MailMate registration at Microsoft.

    Note my comment in this ticket. There seems to be a lot of confusion with various ways these things can be handled on the IT admin side and I don't really want to become an expert on that :-) I'm just going to try to follow what Microsoft tells me to do and then let any security discussion continue between IT departments and Microsoft.

    A SASL mechanism would be very interesting and I might be interested in adding client support if you find an IMAP provider willing to add server support, for example, FastMail. They have a token system for their own apps (webmail and mobile app), but third party applications have to use application specific passwords which is a hassle for users.

    Ranting below...

    Web-based applications work well with OAuth2, but for a desktop application I think it's a confusing mix of 2FA and application registration/verification. Right now, MailMate has to be registered with every service supporting OAuth2 (only Microsoft and Google for now). Each service has the power to cut support for MailMate at any time for any reason for any organization/user. At the same time any application on any platform can pretend to be MailMate by stealing its credentials. This makes no sense to me. It's security through obscurity.

    Apple and only Apple should take care of protecting users against malware on macOS and they are also the only ones that can reliably determine if something has been released by me or not.

    (Ironically, Apple has no way for third party applications to avoid application specific passwords.)

    End of rant :-)

    (I'm switching this ticket to “fixcommitted” for the original request, but comments can still be added.)

  • Eric Sharakan

    Eric Sharakan January 22nd, 2021 @ 12:24 PM

    Hi Benny, just so you know, Chris and I work for the same company, and we're both trying to get approval for MailMate within our IT organization. I tried using the DavMail gateway as a workaround, but after configuring it, I just ended up dealing with the same popup, stating that DavMail needs to be approved and asking me for justification, which I had already done with MM configured to use Exchange directly via OAuth2.

    I don't know whether I'm using DavMail incorrectly, or if it's not meant to help with this particular problem. But if it's the latter, then given I got the same result with DavMail and configuring MM directly, I'm not sure what can be done on the MM side to address this.

  • benny

    benny January 22nd, 2021 @ 12:42 PM

    @Eric: Ok. Thanks for letting me know. Just for the record, does Thunderbird work?

  • Eric Sharakan

    Eric Sharakan January 22nd, 2021 @ 12:50 PM

    Yes, Thunderbird works. I haven't tried it personally, but the current guidance for Mac users is to use Apple Mail or Thunderbird.

  • benny

    benny January 22nd, 2021 @ 01:54 PM

    @Eric: Ok, I'm no expert on DavMail configuration, but I would assume that you can just configure it using Thunderbird credentials (its client id). There's no real security here given that desktop apps cannot hide a client id/secret (Microsoft knows this and explicitly notes to not use the client secret in their documentation).

    An interesting open question is: Does Apple Mail also use OAuth2 (or something similar) with whatever non-IMAP protocol is used for Office365? Does it have the same problem? (No way to hide a shared secret and therefore no way for the server to know if it's really talking with Apple Mail or not.)

    I feel like I'm spending too much time on this ;-)

  • Eric Sharakan

    Eric Sharakan January 22nd, 2021 @ 02:28 PM

    Thanks Benny, configuring the client ID in DavMail got me further. Now Exchange is complaining about an incorrect reply URL being sent:

    AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: '08162f7c-0fd2-4200-a84a-f25a4db0b584'

    But this is not really your problem, so I'll ask elsewhere if this is a viable approach.

    I know nothing about how Apple Mail handles this. I do know I had no problems connecting to Exchange using it. Maybe it's just because our IT dept. has already approved the use of Apple Mail?

    Thanks.
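An added example (Python, not MailMate's or DavMail's code) of the "public client" flow Benny describes and the reply-URL check Eric hits: a desktop app holds no client secret, so it binds the authorization code to a PKCE verifier (RFC 7636) instead, and the redirect_uri it sends must exactly match one registered for the application or the server answers with AADSTS50011. Client ID, redirect URI and scope names below are placeholders/assumptions, not values from this ticket.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholders: a real app registration supplies its own client ID and
# redirect URI (these are not MailMate's values).
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "http://localhost:8080/callback"
AUTHORIZE_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
# Assumed scope names for IMAP access plus a refresh token.
SCOPES = ["https://outlook.office.com/IMAP.AccessAsUser.All", "offline_access"]


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """Fresh random code_verifier (43 unreserved characters)."""
    return b64url(secrets.token_bytes(32))


def challenge_for(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str, state: str) -> str:
    """Browser URL for the authorization request; no secret is sent."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,   # must match the registration
        "scope": " ".join(SCOPES),
        "state": state,                 # echoed back; check it on callback
        "code_challenge": challenge_for(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def token_request_body(verifier: str, code: str) -> dict:
    """Code exchange for a public client: verifier instead of client_secret."""
    return {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,   # same value again, or the exchange fails
        "code_verifier": verifier,
    }
```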

  • Stefan Seiz

    Stefan Seiz January 22nd, 2021 @ 03:59 PM

    FYI: I had success configuring 2 IMAP accounts (outlook.office365.com) with 2FA in Version 1.14 (5757) which I was previously not able to do. Everything seems to run smoothly now (since about 5 days).

  • benny

    benny January 22nd, 2021 @ 04:16 PM

    @Eric: I didn't expect you to know anything about Apple Mail and OAuth2. I'm just putting it out there for any experts out there which might have an answer :-)

    @Stefan: Thanks for letting us know. At least we know the implementation in MailMate does work for some users.

  • Klay

    Klay January 23rd, 2021 @ 03:02 PM

    • Assigned user cleared.

    Stefan Seiz said: FYI: I had success configuring 2 IMAP accounts (outlook.office365.com) with 2FA in Version 1.14 (5757) which I was previously not able to do. Everything seems to run smoothly now (since about 5 days).

    In the interests of learning, may I ask what you did (if anything) to get it working?

    Thanks.

  • Chris Newman

    Chris Newman January 27th, 2021 @ 12:40 AM

    My employer has approved use of MailMate for 2FA and version 1.14 (5757) is working fine. Only weird issue I notice is the "Calendar" folder ends up with messages that have subject:

    "Retrieval using the IMAP4 protocol failed for the following message: 252"

    with a bunch of server-generated X.500 gobbledygook. This is pretty obviously not a MailMate problem, but you might want to consider a way to just hide the "Calendar" folder on Exchange servers (so these messages aren't included in the overall-server message list).

    My employer has a policy that they don't want company confidential emails stored on a third-party cloud service, so they want to vet which clients are allowed to connect and disallow clients that copy mail to a third party cloud. I agree with your rant, but I'm sympathetic to my employer's position on that issue (particularly since they approved MailMate use relatively quickly).

    I'm told the Outlook 365 admin can configure OAuth to "allow" registered clients or to require review and approval.

  • Stefan Seiz

    Stefan Seiz January 27th, 2021 @ 09:51 AM

    • Assigned user set to “benny”

    In the interests of learning, may I ask what you did (if anything) to get it working?

    @Klay

    I just tried again in the newer MailMate build. Same settings as I have tried before:

    • IMAP Server: outlook.office365.com
    • Port: 993
    • Require SSL
    • Oauth2

    What might have made a difference, maybe:
    My e-mail is actually user@example.com but my login ("User Name" in MM) is user@office.example.com (subdomain).
    This time, I made sure that I used the exact same username (incl. subdomain) in the text fields which pop up for the MS login authentication (web view)… I believe I had tried this before too, but am not sure anymore; I might have always logged in without the subdomain.

  • benny

    benny January 27th, 2021 @ 01:16 PM

    Just to clarify, Office365 OAuth2 only works in test releases of MailMate labelled 1.14 or later. Due to a bug, some of these test releases do not correctly open a browser window for the authentication process. This should be fixed now. Test releases are currently available here: https://updates.mailmate-app.com/x86_64/archives/

    @Chris: Yes, I should unsubscribe Calendar and some other folders by default. The reason I haven't done so earlier on is because I was hoping to find a better fix or that the server bug would be fixed. A strict match on “Calendar” doesn't help if the folder names have been localized (I'm not actually sure Office365 does that, but I know Gmail does -- but their folders are also marked by type -- and they also don't wrongly expose calendars/contacts via IMAP).

  • Eric Sharakan

    Eric Sharakan January 27th, 2021 @ 01:57 PM

    @Chris, I went into the "edit subscriptions..." section of the account settings pane, deselected the "Ignore server subscriptions state for private namespaces" option, and unsubscribed from a bunch of folders unrelated to Mail, including Calendar.

  • Klay

    Klay January 27th, 2021 @ 07:40 PM

    • Assigned user cleared.

    @Stefan

    My e-mail is actually user@example.com but my login ("User Name" in MM) is user@office.example.com (subdomain). This time, I made sure that I used the exact same username (incl. subdomain) in the text fields which pop up for the MS login authentication (web view)… I believe I had tried this before too, but am not sure anymore; I might have always logged in without the subdomain.

    Ok, that explains it. The email address you use in MM is unrelated (in your case) to the O365 multifactor pop-up, which requires your actual O365 domain username, not an alias. Glad to see you got it sorted and thank you for clarifying.

  • mmuser

    mmuser February 22nd, 2021 @ 05:26 PM

    I have a similar problem to Stefan's in the first post, that has persisted for a while (I think before this issue was created). Previously the authentication popup would come up in a window and authenticate successfully through 2FA, but it would just get stuck in a loop of asking for authentication.

    I stopped using Mailmate because of this, but coming back to it now, it behaves slightly differently. An authentication message pops up prompting me to open a browser, and I can sign in via 2FA and it opens a page with a Mailmate icon saying "Authorization flow completed." However after this Mailmate again pops up the message asking me to authenticate in a browser, and this continues in a never ending loop.

    I can see Mailmate in my authorised applications on the web version of Office 365, (along with fantastical, which is working fine), and the logins show up in the office 365 web interface as having been successful.

    I tried downloading Mailmate 5769, and this doesn't appear to make any difference.

    Is there anything I could do to try and debug this? It sounds like it is something specific to my work's Office 365 setup unfortunately, but Apple Mail, Fantastical and Spark all seem to work with it.

  • Klay

    Klay February 22nd, 2021 @ 07:22 PM

    • Assigned user set to “benny”

    One suggestion, without opening this up too much is to clear out all your Mac keychain - remove anything in there related to Mailmate and restart the process again. Also, flush your browser cache too. Good luck!

  • mmuser

    mmuser February 23rd, 2021 @ 02:49 PM

    Thanks, I have tried removing the Mailmate entries in the Mac keychain, and clearing the browser cache, but the problem persists.

  • Norman Gray

    Norman Gray February 23rd, 2021 @ 07:22 PM

    This is to log that MailMate 1.14 (5769) has worked fine for me. Thank you!

    When I tried to authenticate, MailMate opened a web page, and I was able to follow that through to log in successfully. I've enrolled a second factor with a 2FA app, and that appears to work OK (though it's sometimes difficult to know when Outlook* deems a browser to be actually logged out, so I'm not 100% sure I've actually exercised this at this point).

    When I did so, I was asked to give MailMate various permissions to access my Outlook account, but I don't seem to have needed any pre-authorisation of the app, server-side (but ours is a pretty open BYOD-happy environment, but not, I believe, particularly weird otherwise).

    So this is merely a +1 -- this version, at least, works OK against a reasonably standard Outlook setup.

    Best wishes,

    Norman

    *...or whatever combination of Outlook/Office365/MS magic it is server-side.

  • Nick

    Nick March 19th, 2021 @ 06:16 AM

    Do you list out/control what is being requested?
    When I look at my authorized applications, I see different requests for MailMate (which fails) than Spark (which succeeds).

    MailMate shows:

    • Access to sending emails from your mailbox.
    • Read and write access to your mail.
    • Maintain access to data you have given it access to

    Spark shows:

    • Maintain access to data you have given it access to
    • Sign in as you
    • View your email address
    • View your basic profile
    • Access your mailboxes
    • Have full access to your calendars
