simonrob / email-oauth2-proxy

An IMAP/POP/SMTP proxy that transparently adds OAuth 2.0 authentication for email clients that don't support this method.
Apache License 2.0

Microsoft 365 no authenticate failed #255

Closed rqi14 closed 2 months ago

rqi14 commented 2 months ago

Hi. I'm struggling to set this up with Microsoft 365 (business) accounts. Could you please help me?

The error I am encountering is No Authenticate failed after web authentication.

This is the error log:

2024-06-04 03:29:05,273: New incoming connection to IMAP server at [::]:1993 (unsecured) proxying partner.outlook.cn:993 (SSL/TLS)
2024-06-04 03:29:05,274: Accepting new connection from [::ffff:172.23.0.3]:53806 to IMAP server at [::]:1993 (unsecured) proxying partner.outlook.cn:993 (SSL/TLS)
2024-06-04 03:29:05,308: IMAP ([::ffff:172.23.0.3]:53806-{[::ffff:172.23.0.13]:1993}-partner.outlook.cn:993) --> [ Client connected ]
2024-06-04 03:29:05,309: IMAP ([::ffff:172.23.0.3]:53806-{[::ffff:172.23.0.13]:1993}-partner.outlook.cn:993) <-> [ Starting TLS handshake ]
2024-06-04 03:29:05,430: IMAP ([::ffff:172.23.0.3]:53806-{[::ffff:172.23.0.13]:1993}-partner.outlook.cn:993) <-> [ TLSv1.2 handshake complete ]
2024-06-04 03:29:05,491: IMAP ([::ffff:172.23.0.3]:53806-{[::ffff:172.23.0.13]:1993}-partner.outlook.cn:993)     <-- b'* OK The Microsoft Exchange IMAP4 service is ready. [WgBRADAAUABSADAAMQBDAEEAMAAwADEAMAAuAEMASABOAFAAUgAwADEALgBwAHIAbwBkAC4AcABhAHIAdABuAGUAcgAuAG8AdQB0AGwAbwBvAGsALgBjAG4A]\r\n'
2024-06-04 03:29:05,491: IMAP ([::ffff:172.23.0.3]:53806-{[::ffff:172.23.0.13]:1993}-partner.outlook.cn:993) <-- b'* OK The Microsoft Exchange IMAP4 service is ready. [WgBRADAAUABSADAAMQBDAEEAMAAwADEAMAAuAEMASABOAFAAUgAwADEALgBwAHIAbwBkAC4AcABhAHIAdABuAGUAcgAuAG8AdQB0AGwAbwBvAGsALgBjAG4A]\r\n'
2024-06-04 03:29:17,561: IMAP ([::ffff:172.23.0.3]:53806-{[::ffff:172.23.0.13]:1993}-partner.outlook.cn:993) --> b'a1 login [[ Credentials removed from proxy log ]]\r\n'
2024-06-04 03:29:18,886: IMAP ([::ffff:172.23.0.3]:53806-{[::ffff:172.23.0.13]:1993}-partner.outlook.cn:993)     --> b'a1 AUTHENTICATE XOAUTH2 '
2024-06-04 03:29:18,887: IMAP ([::ffff:172.23.0.3]:53806-{[::ffff:172.23.0.13]:1993}-partner.outlook.cn:993)     --> b'[[ Credentials removed from proxy log ]]\r\n'
2024-06-04 03:29:19,057: IMAP ([::ffff:172.23.0.3]:53806-{[::ffff:172.23.0.13]:1993}-partner.outlook.cn:993; user@example.com)     <-- b'a1 NO AUTHENTICATE failed.\r\n'
2024-06-04 03:29:19,058: IMAP ([::ffff:172.23.0.3]:53806-{[::ffff:172.23.0.13]:1993}-partner.outlook.cn:993; user@example.com) <-- b'a1 NO AUTHENTICATE failed.\r\n'
2024-06-04 03:29:19,058: IMAP ([::ffff:172.23.0.3]:53806-{[::ffff:172.23.0.13]:1993}-partner.outlook.cn:993) <-- [ Server disconnected ]
2024-06-04 03:29:19,058: IMAP ([::ffff:172.23.0.3]:53806-{[::ffff:172.23.0.13]:1993}-partner.outlook.cn:993; user@example.com) --> [ Client disconnected ]

The config file (without the documentation):

[IMAP-1993]
server_address = partner.outlook.cn
server_port = 993

[POP-1995]
server_address = partner.outlook.cn
server_port = 995

[SMTP-1587]
server_address = smtp.partner.outlook.cn
server_port = 587
server_starttls = True

[user@example.com]
permission_url = https://login.partner.microsoftonline.cn/organizations/oauth2/v2.0/authorize
token_url = https://login.partner.microsoftonline.cn/organizations/oauth2/v2.0/token
oauth2_scope = https://microsoftgraph.chinacloudapi.cn/IMAP.AccessAsUser.All https://microsoftgraph.chinacloudapi.cn/POP.AccessAsUser.All https://microsoftgraph.chinacloudapi.cn/SMTP.Send offline_access
redirect_uri = http://localhost:8080
client_id = <client-id>
client_secret = <client-secret>

[emailproxy]
delete_account_token_on_password_error = True
encrypt_client_secret_on_first_use = False
allow_catch_all_accounts = False

The Entra ID permissions have been set according to the tutorial image.

simonrob commented 2 months ago

You've changed the oauth2_scope values – are you sure these are correct?

rqi14 commented 2 months ago

> You've changed the oauth2_scope values – are you sure these are correct?

Yes. I copied them from the admin centre. I use Microsoft 365 operated by 21Vianet. This service has different endpoints.

simonrob commented 2 months ago

Still, have you tried other scope values here? From the name, it sounds like these are Graph permissions, which are different to IMAP etc. Same with the other URLs - worth experimenting here. From a quick search it seems like there are lots of options that are in use in the China region.

The other thing is that these permissions are set as Delegated rather than Application. Worth taking another look at this too.

rqi14 commented 2 months ago

> Still, have you tried other scope values here? From the name, it sounds like these are Graph permissions, which are different to IMAP etc. Same with the other URLs - worth experimenting here. From a quick search it seems like there are lots of options that are in use in the China region.
>
> The other thing is that these permissions are set as Delegated rather than Application. Worth taking another look at this too.

Hi. Thanks for looking into this.

The problem is indeed the scope. I was informed by Microsoft 365 tech support that the correct scope to use is https://partner.outlook.cn/.default for 21Vianet, and for Microsoft 365 it is https://outlook.office365.com/.default. It is specified in the document.

simonrob commented 2 months ago

Thanks for following up – I'm glad you were able to resolve this. I'll add a note to the configuration file mentioning different values for different regions and referring to this issue.

One other thing: you probably still want to add offline_access to ensure you don't need to reauthenticate each time the token needs renewing.
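The two fixes agreed on in this thread (use the Outlook resource's `.default` scope that matches the server being proxied rather than Microsoft Graph scopes, and keep `offline_access` so a refresh token is issued) can be checked mechanically before the proxy is started. The following linter is an added example and is not part of the email-oauth2-proxy project: it parses the INI layout shown in the issue with Python's `configparser`, derives the expected resource from each server section's `server_address`, and reports mismatches per account section. The `EXPECTED_RESOURCE` table contains only the hostnames and scopes mentioned in this thread, and the rule set is this example's own assumption, not the proxy's validation logic.

```python
"""Lint an email-oauth2-proxy style config for the scope mistake from this thread.

Added example, not project code. It assumes the INI layout shown in the issue:
server sections named IMAP-/POP-/SMTP-<port>, an [emailproxy] section, and one
section per account holding oauth2_scope.
"""
import configparser
import re

# Hostnames seen in the thread, mapped to the .default scope reported as working.
# Hosts not listed here are simply not checked (assumption of this example).
EXPECTED_RESOURCE = {
    "partner.outlook.cn": "https://partner.outlook.cn/.default",
    "smtp.partner.outlook.cn": "https://partner.outlook.cn/.default",
    "outlook.office365.com": "https://outlook.office365.com/.default",
    "smtp.office365.com": "https://outlook.office365.com/.default",
}

SERVER_SECTION = re.compile(r"^(IMAP|POP|SMTP)-\d+$")


def lint_config(text):
    """Return a list of (account_section, message) findings; empty means clean."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)

    # Which resources will the proxy actually talk to? Derived from server sections.
    wanted = set()
    for name in cfg.sections():
        if SERVER_SECTION.match(name):
            host = cfg[name].get("server_address", "").strip().lower()
            if host in EXPECTED_RESOURCE:
                wanted.add(EXPECTED_RESOURCE[host])

    findings = []
    for name in cfg.sections():
        if SERVER_SECTION.match(name) or name == "emailproxy":
            continue  # not an account section
        scopes = cfg[name].get("oauth2_scope", "").split()
        if any("graph" in s.lower() for s in scopes):
            findings.append((name, "oauth2_scope contains Microsoft Graph scopes; "
                                   "IMAP/POP/SMTP need the Outlook resource scope instead"))
        for resource in sorted(wanted):
            if resource not in scopes:
                findings.append((name, "oauth2_scope is missing " + resource))
        if "offline_access" not in scopes:
            findings.append((name, "oauth2_scope is missing offline_access, so no refresh "
                                   "token is issued and the user must re-authenticate "
                                   "whenever the access token expires"))
    return findings


# Constructed sample: the scope values from the issue as originally posted.
SAMPLE_BROKEN = """
[IMAP-1993]
server_address = partner.outlook.cn
server_port = 993

[user@example.com]
oauth2_scope = https://microsoftgraph.chinacloudapi.cn/IMAP.AccessAsUser.All https://microsoftgraph.chinacloudapi.cn/POP.AccessAsUser.All https://microsoftgraph.chinacloudapi.cn/SMTP.Send offline_access
client_id = <client-id>

[emailproxy]
allow_catch_all_accounts = False
"""

# Constructed sample: the scope the thread reports as working for 21Vianet.
SAMPLE_FIXED = SAMPLE_BROKEN.replace(
    "oauth2_scope = https://microsoftgraph.chinacloudapi.cn/IMAP.AccessAsUser.All "
    "https://microsoftgraph.chinacloudapi.cn/POP.AccessAsUser.All "
    "https://microsoftgraph.chinacloudapi.cn/SMTP.Send offline_access",
    "oauth2_scope = https://partner.outlook.cn/.default offline_access")

# Constructed sample: correct resource scope but offline_access dropped.
SAMPLE_NO_REFRESH = SAMPLE_FIXED.replace(" offline_access", "")

if __name__ == "__main__":
    for label, sample in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED),
                          ("no refresh", SAMPLE_NO_REFRESH)):
        print(label + ":")
        for account, message in lint_config(sample) or [("-", "no findings")]:
            print("  " + account + ": " + message)
```

Running the script on the three constructed samples reports the Graph scopes and the missing `https://partner.outlook.cn/.default` for the original config, nothing for the corrected one, and only the missing `offline_access` for the third. Note that `.default` requests whatever permissions are already configured on the app registration, so the Delegated permissions mentioned earlier in the thread still need to be in place for the returned token to be accepted by the IMAP server.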