Foundry376 / Mailspring

💌 A beautiful, fast and fully open source mail client for Mac, Windows and Linux.
https://getmailspring.com/
GNU General Public License v3.0

Support for Office 365 "Modern Authentication" (requires Exchange Web Services) #258

Closed bashfulrobot closed 3 years ago

bashfulrobot commented 6 years ago

Hi there. Recently purchased a sub, and we use it with Office 365. Now with 2FA enabled, the product no longer works as it does not support what is called "Modern Authentication" (More info here: https://support.office.com/en-us/article/Using-Office-365-modern-authentication-with-Office-clients-776c0036-66fd-41cb-8928-5495c0f9168a).

Now administrators can "downgrade" the security to allow 3rd party clients. However, some corporations may not allow that (security stance).

Are there plans to add "Modern Authentication"? I purchased to get decent exchange support on Linux. Which is a real strong point for your product (I believe there is no better)...

If you guys got calendaring, plus the above in for exchange/365, you would be the number 1 choice easily.

bengotow commented 6 years ago

Hey—thanks for filing this, and thanks for subscribing to Mailspring Pro! Right now, Mailspring connects to Office 365 accounts via IMAP — we're planning to add full Exchange support in the future, but it /seemed/ like it wasn't as relevant now that they provide an IMAP interface.

That said, I did some research into Modern Authentication and it looks like they're not making any effort to support using Modern Authentication with IMAP. This is the most definitive answer I could find after a bunch of Googling: https://stackoverflow.com/questions/29747477/imap-auth-in-office-365-using-oauth2.

It looks like to support Modern Authentication we'll need to switch from using Office 365's IMAP interface to Exchange Web Services. EWS is actually a pretty nice email sync API, but it'll take a lot of work to build and test. That said, this is a much higher priority if they're enabling Modern Authentication by default in Outlook 2016.

And yeah—Calendaring will be great :-) We're planning to build out some more features on the email side first, but hopefully we'll get there soon.

bashfulrobot commented 6 years ago

Thanks for the reply. I'll monitor this thread for future updates. Unfortunately, I'll likely have to unsub until this works. I appreciate your time. Love the app.

jprrezende commented 6 years ago

Hi, I want to use Mailspring, but I don't because it doesn't have EWS support. In the company where I work, we have EWS without IMAP support. Please improve support for EWS.

abbec commented 6 years ago

Why not use something like graph for O365: https://developer.microsoft.com/en-us/graph/docs/concepts/overview ?

chira001 commented 6 years ago

Is there any update on this?

Mjolinir commented 6 years ago

Would love to see this application include EWS support! Many organizations and universities have already phased out IMAP support in favor of EWS, so adding support would allow you to re-target those user bases.

bashfulrobot commented 6 years ago

If this app supported EWS/Modern Auth/Calendar/Contacts... it would be an insane player in the business space. And likely the de facto standard for Linux users on top of that.

xentrick commented 5 years ago

Any update on this?

ikogan commented 5 years ago

Hi, my company has completely disabled legacy (IMAP) authentication in our Office 365 tenant so I can't use MailSpring at all until it supports EWS.

dukechem commented 4 years ago

Will be testing shortly and will report back. But it seems likely MailSpring (and even Thunderbird) would work for 365 using modern-auth if you set up DavMail (365-imap gateway, with modern-auth support) per: https://itsfoss.com/microsoft-exchange-linux-desktop/

Details on how to set up modern auth at DavMail FAQ under:

> Is Office 365 modern authentication / MFA supported ?
> Office 365 modern authentication is available with the following modes: ...

mbrihed commented 4 years ago

Hi! I am also a Mailspring Pro user and I would really need EWS support in the Office 365 client. I use DavMail today as a workaround but it is extremely slow and does not handle large mailboxes very well.

Please add EWS support instead of IMAP. The company I work for removed IMAP support more than a year ago.

I hope to see this soon.

geddawi commented 4 years ago

Would love to see this fixed. I rely on Mailspring to sync all my emails from addresses created for me from different clients so I can access their systems, and sometimes, my terrible luck is it's a 365 email :(

bviktor commented 4 years ago

We'd like to migrate a couple dozen of our devs to Linux with a rich client for email. We tried Hiri but their support is practically nonexistent (we haven't received a single email response from them so far), their invoicing is nonexistent (no invoice, only a receipt), and shared calendars do not work.

So I'd be more than happy to evaluate Mailspring, but until this issue is fixed, it's a no-go. It's 2020, MFA is simply not an option anymore, it's a must. We already had breaches via email accounts, resulting in pretty substantial financial losses, so MFA is now thankfully enforced for everyone. Please consider supporting this. Please stop relying on this 34-year-old protocol that only exists in Office 365 for compatibility purposes.

mbrihed commented 4 years ago

Hi!

Any progress on this? DavMail is such a pain and soon I will switch away from Mailspring to another email client since this solution is not working. Thanks!

bviktor commented 4 years ago

FYI Basic Auth and app passwords will completely stop working this October.

Basic Auth and Exchange Online – February 2020 Update

erik-hakansson-wcar commented 4 years ago

This issue makes Mailspring a no go in any enterprise organization I'd say.

xsv-root commented 4 years ago

This is a bummer being as I have a group of subscribers that are now not functioning with our migration to O365. We had to temp move to "Hiri" out of Ireland in the meantime. I am hoping soon we can move back to Mailspring.

DoNotResuscitate commented 4 years ago

This is a pretty big issue. Thunderbird works with my company's OAuth setup - why can't you guys get Mailspring working?

erik-hakansson-wcar commented 4 years ago

Evolution works too. And Hiri works.

bashfulrobot commented 4 years ago

The only problem with Hiri is that they are pretty much unresponsive in any capacity. Support tickets, Twitter, etc. (For quite some time now.)

Yet they are still selling licenses. So if you are ok using "as is", it's an option. But you should know what you are getting into.

On Fri., Apr. 3, 2020, 12:47 a.m. Erik Håkansson, notifications@github.com wrote:

> Evolution works too. And Hiri works.


Mjolinir commented 4 years ago

Hiri has many issues, it's clunky to use, not much customization to your email display, they will gladly charge you, yet they do not respond to support issues, there is little to no development happening, and good luck if you try and cancel the yearly subscription!....

Evolution does work, yes, but it does leave something to be desired in an enterprise environment. Thunderbird used to work, but now you need to pay for the owl extension. It also leaves something to be desired as an enterprise class (Outlook replacement) tool.

bviktor commented 4 years ago

+1 regarding Hiri's lack of support. They are absolutely unresponsive. We couldn't even get a proper invoice from them, they respond to NOTHING, we couldn't get a single response from them. There are no updates either. At this point it's nothing more than a cash grab for them. They sell it as long as it (kinda) works and that's about it.

yermulnik commented 4 years ago

Wavebox is another alt option.

bviktor commented 4 years ago

Meh, there are several such apps like Franz and Rambox, but they're just glorified web browsers. I don't need 2 browsers, really.

yermulnik commented 4 years ago

@bviktor Mailspring's UI is open source (GPLv3) and written in TypeScript with Electron and React — well it does sound like a web browser for me. It kind of inherits Outlook interface though. Which is what someone would love. But having almost any modern messaging app like FB messenger, Telegram, Skype, Whatsapp, Teams, else are Electron based (esp on Linux) this is the only option we would end up with =(

bviktor commented 4 years ago

> This is a pretty big issue. Thunderbird works with my company's OAuth setup - why can't you guys get Mailspring working?

Actually, Thunderbird does not work with calendars. There's a paid addon for that, but even then, you can only see your own calendar, but not others'.

bviktor commented 4 years ago

> @bviktor Mailspring's UI is open source (GPLv3) and written in TypeScript with Electron and React — well it does sound like a web browser for me. It kind of inherits Outlook interface though. Which is what someone would love. But having almost any modern messaging app like FB messenger, Telegram, Skype, Whatsapp, Teams, else are Electron based (esp on Linux) this is the only option we would end up with =(

The difference is that you develop your own interface for the client. But putting the same exact web page in a different window brings zero value to the table.

bengotow commented 4 years ago

Hey folks! Just wanted to give a quick update on this one—my understanding is that DavMail /kinda/ works with Mailspring, but it's not ideal. I've kicked ActiveSync / EWS / Exchange support down the road for years because it seemed like Microsoft was moving to a unified Office365 which would support IMAP, but they seem to have landed in a semi-permanent state of very confusing marketing. Basic / consumer versions of Office365 come with the Outlook web app (outlook.office365.com) which is actually a rebranded Live.com (I think?) and supports IMAP, but the business versions of Office365 still use Exchange and do not support IMAP.

Unfortunately, Exchange is a whole parallel set of concepts to SMTP+IMAP and I'll essentially need to write the sync portion of Mailspring from scratch. It looks like Thunderbird's Exchange plugin is open source which might inform the networking part of the implementation and help avoid bugs (https://github.com/stonewell/exchange-ews-thunderbird).

The plan for this year is to get calendar out of its current read-only "beta" in Mailspring this summer, and then shift focus to Exchange this fall if there's enough interest. Stay tuned!

Linking to #34 for housekeeping

bashfulrobot commented 4 years ago

@bengotow One other consideration when it comes to Office365/Exchange access - being in a corporate environment - we sometimes do not always have access to all the protocols based on the company's security stance. Some will only allow OWA externally, others only Active Sync, many disable IMAP, etc.

My hope is that you will support all of them to give us the most flexibility to connect based on our company's security practice.

(for example, my current employer only allows Active Sync external to the network - not even OWA).

I appreciate your looking back around to this issue.

Vinay-052 commented 4 years ago

@bengotow if it helps, Evolution mail asks me to allow EWS clients on Azure admin center for it to work properly using OAuth2, as a token will be generated for access.

More info can be found here: https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth#register-your-application

https://wiki.gnome.org/Apps/Evolution/EWS/OAuth2

This should help. I had to make these changes in my org account to allow Evolution for my users.

im007 commented 4 years ago

> The plan for this year is to get calendar out of its current read-only "beta" in Mailspring this summer, and then shift focus to Exchange this fall if there's enough interest. Stay tuned!

Please prioritize EWS. I personally couldn't care about the calendar because I have my phone and other places to manage that, but the fact that my org too has now joined the many orgs that have enforced the use of EWS only means I'm going to have to leave Mailspring.

bashfulrobot commented 4 years ago

My current job forces active sync only for external network connections. I genuinely hope active sync is a part of this and not just ews. 👍

linuxiaobai commented 4 years ago

> Hey folks! Just wanted to give a quick update on this one—my understanding is that DavMail /kinda/ works with Mailspring, but it's not ideal. I've kicked ActiveSync / EWS / Exchange support down the road for years because it seemed like Microsoft was moving to a unified Office365 which would support IMAP, but they seem to have landed in a semi-permanent state of very confusing marketing. Basic / consumer versions of Office365 come with the Outlook web app (outlook.office365.com) which is actually a rebranded Live.com (I think?) and supports IMAP, but the business versions of Office365 still use Exchange and do not support IMAP.
>
> Unfortunately, Exchange is a whole parallel set of concepts to SMTP+IMAP and I'll essentially need to write the sync portion of Mailspring from scratch. It looks like Thunderbird's Exchange plugin is open source which might inform the networking part of the implementation and help avoid bugs (https://github.com/stonewell/exchange-ews-thunderbird).
>
> The plan for this year is to get calendar out of its current read-only "beta" in Mailspring this summer, and then shift focus to Exchange this fall if there's enough interest. Stay tuned!
>
> Linking to #34 for housekeeping

I saw some people have suggested using the Microsoft Graph API. I think it will be a good choice. I have used it to get the email info using Python, and it works well.

githubnavigator commented 4 years ago

Whatever the end result is, I really think that users shouldn’t need to go to Azure for anything. In my opinion, it would be best if it worked just like Google’s 2FA process—you should be prompted to go to the web form to log in. I don’t know what protocols are used for macOS Mail, iPhone Mail, or Windows 10 Mail/Calendar, but those all seem bulletproof. My favorite feature for all of those—beyond simply being able to log in to my account!—is that I can pick which services to sync with any of them. So, I disable calendar and contacts sync on my Google accounts and have a nice de-confused calendar and address book from one Exchange account only. Or you can just use the calendar from one service and not sync the mail or address book. I seriously love that feature because it lets me keep all my addresses and calendaring in a single place without accidentally adding contacts or calendar events in an address book or calendar I never use...and thus losing or forgetting about the address or appointment. (Never a good thing to miss a meeting because you accidentally stored it in some empty calendar you never use.)

Unfortunately, that’s about the only thing I like about the Windows 10 Mail app. It’s so clunky. It’s beyond words. But I have to keep using it anyhow because I need to get to my Microsoft-hosted accounts. Mailspring is otherwise the best email client for Windows, in my mind, hands down, case closed. Unfortunately, only for non-O365 accounts, I guess. Actually, I can’t get into my Outlook.com accounts either because there’s no support for 2FA. Ay yay yay.

My guess is that tons of people are just going to skip over Mailspring when they try to set up their school or work accounts and discover they can’t log in. I would prioritize O365/Outlook.com email and address books above calendaring at this point so people don’t skip this beautiful app entirely.

Sorry man. I know this is a ton of work for you and am hoping for the best. I wish I knew more and was able to help! Thank you for your amazing work!

buehler commented 4 years ago

@githubnavigator This perfectly summarizes my current situation. Just today, I got my login from the school I'm attending. O365 with 2FA. Bummer.

remiburet commented 4 years ago

Same problem here and only thing holding me back... I get that this is a lot of work but this should really be prioritized as it really makes the app a no go for students and professionals.

bhachech commented 3 years ago

> That said, I did some research into Modern Authentication and it looks like they're not making any effort to support using Modern Authentication with IMAP. This is the most definitive answer I could find after a bunch of Googling: https://stackoverflow.com/questions/29747477/imap-auth-in-office-365-using-oauth2.
>
> It looks like to support Modern Authentication we'll need to switch from using Office 365's IMAP interface to Exchange Web Services. EWS is actually a pretty nice email sync API, but it'll take a lot of work to build and test. That said, this is a much higher priority if they're enabling Modern Authentication by default in Outlook 2016.

@bengotow looks like Microsoft now supports OAuth2 for IMAP and SMTP:

Hopefully, this negates the need to switch to EWS, and with some additional work, Mailspring can start supporting Office 365 Modern Authentication again.
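
Added example (not part of this thread and not Mailspring's code): OAuth2 over IMAP and SMTP is carried by the SASL XOAUTH2 mechanism, where the client sends a base64-encoded user name and bearer token instead of a password. The sketch below builds and parses that response and redacts both credential styles from protocol trace lines before logging; the function names, address and token are hypothetical, constructed values.

```javascript
// Added example: names, addresses and tokens below are constructed placeholders.
const CTRL_A = "\x01";

// SASL XOAUTH2 initial client response:
//   base64("user=" + user + ^A + "auth=Bearer " + accessToken + ^A + ^A)
function buildXoauth2(user, accessToken) {
  // Reject control characters so a crafted value cannot inject extra fields.
  if (/[\x00-\x1f]/.test(user) || /[\x00-\x1f\s]/.test(accessToken)) {
    throw new Error("control characters are not allowed in user or token");
  }
  const raw = `user=${user}${CTRL_A}auth=Bearer ${accessToken}${CTRL_A}${CTRL_A}`;
  return Buffer.from(raw, "utf8").toString("base64");
}

// Decode a response into its fields; returns null if it is not XOAUTH2-shaped.
function parseXoauth2(b64) {
  const raw = Buffer.from(b64, "base64").toString("utf8");
  const m = /^user=([^\x01]*)\x01auth=Bearer ([^\x01]+)\x01\x01$/.exec(raw);
  return m ? { user: m[1], token: m[2] } : null;
}

// Redact secrets from one client-to-server trace line before it is logged.
function redactTraceLine(line) {
  // IMAP: "<tag> AUTHENTICATE XOAUTH2 <b64>"; SMTP: "AUTH XOAUTH2 <b64>"
  const oauth = /^(\S+ AUTHENTICATE|AUTH) XOAUTH2 (\S+)\s*$/i.exec(line);
  if (oauth) {
    const parsed = parseXoauth2(oauth[2]);
    const who = parsed ? parsed.user : "unparseable response";
    return `${oauth[1]} XOAUTH2 [REDACTED bearer token for ${who}]`;
  }
  // Legacy basic auth: IMAP "<tag> LOGIN <user> <password>"
  const login = /^(\S+) LOGIN (\S+) .+$/i.exec(line);
  if (login) return `${login[1]} LOGIN ${login[2]} [REDACTED password]`;
  return line;
}

// Constructed trace: the same mailbox opened with basic auth and with OAuth2.
const sampleTrace = [
  "A1 LOGIN user@example.com CONSTRUCTED-password",
  "A2 AUTHENTICATE XOAUTH2 " + buildXoauth2("user@example.com", "CONSTRUCTED.access.token"),
  "A3 SELECT INBOX",
];
for (const line of sampleTrace) console.log(redactTraceLine(line));
```

The decoded user name is kept in the redacted line because it helps troubleshooting, while the access token, which grants mailbox access until it expires, is dropped.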

juancho9303 commented 3 years ago

I am one of those who absolutely love Mailspring, so much that I am using the paid version (I use it in both Mac and Linux). However, my organization now requires this "modern authentication" and so I can't really use Mailspring because my organization email is my most important one. Unfortunately, if this issue isn't fixed soon or at least we get some sort of assurance, I'll have to stop paying for it, even though I like the idea of supporting Ben on this great app.

foundry376-bot commented 3 years ago

This issue has been mentioned on Mailspring Community. There might be relevant details there:

https://community.getmailspring.com/t/institutional-office365-not-working/48/3

CodeMouse92 commented 3 years ago

Thank you for your patience on this issue! I know it's frustrating when you cannot connect to your email with Mailspring.

2020 prevented much development work on Mailspring, but rest assured, development has resumed!

We are in the process of migrating issues to Discourse, which can better facilitate discussion and discovery, and so GitHub Issues can focus on issues that are confirmed and slated for resolution in the near term. Learn more about the changes here.

This issue appears to be a duplicate of one we've already migrated to Discourse:

https://community.getmailspring.com/t/institutional-office365-not-working/48

Please consider joining that community and continuing the discussion there.

We're closing and locking the issue here as part of this migration. Rest assured, this doesn't mean the issue is being discarded or ignored.

We hope to see you on Discourse soon!

-The Mailspring Team

P.S. @bhachech, we'd especially appreciate if you'd repost your findings on that thread.