simonrob / email-oauth2-proxy

An IMAP/POP/SMTP proxy that transparently adds OAuth 2.0 authentication for email clients that don't support this method.
Apache License 2.0
822 stars, 89 forks

outlook.office365.com not doing TLS handshake #285

Closed. Lem closed this 2 weeks ago

Lem commented 2 weeks ago

First, I want to thank you for your project.

Currently I'm trying to run it to fetch all mails via IMAP. I got a working OAuth authentication, but the connection to Microsoft's server seems to have a problem.

The server-config in question is like in the example:

[IMAP-1993]
server_address = outlook.office365.com
server_port = 993
local_address = 127.0.0.1

If I'm connecting to the local proxy, a TCP connection will be established on port 993. But then there is no TLS handshake attempt. Using Wireshark I can see that the proxy is sending an "A0001 AUTHENTICATE XOAUTH2 [...]" request in plain text on the established TCP connection.

If it matters: I'm using a venv and installed emailproxy via pip inside of it.

Do I need to add a flag to the config so that the proxy does TLS first?

simonrob commented 2 weeks ago

This is a misunderstanding - please take a look at the readme and the additional documentation in the sample configuration file.

Local connections are unencrypted unless you provide your own certificate. Remote connections are always encrypted (either from the outset, or via STARTTLS).

Lem commented 2 weeks ago

Can you please explain what the misunderstanding is? My local MUA is connecting to 127.0.0.1:1993. The proxy is connecting to port 993 at outlook.office365.com.

The connection between the proxy and outlook.office365.com should be TLS encrypted. As shown in Wireshark: it is not, and that is the current problem I'm facing.

2603:1026:c0d:73::2 is, by the way, the resolved IPv6 address of outlook.office365.com. No other proxy or MUA was running at this time.

EDIT: Adblocker blocked upload of attachment

[Screenshot attachment: 2024-09-22_14-48]

simonrob commented 2 weeks ago

Are you sure you don't have some form of MITM setup here in order to allow Wireshark to see connection details?

O365's outlook.office365.com server does not allow unsecured connections. The proxy's connection to the remote server is secured from the start unless it is an SMTP server and you have set server_starttls, in which case it is automatically upgraded after connecting.

Lem commented 2 weeks ago

I've tested whether it was working with Thunderbird. And it did. After comparing the traffic of both (Thunderbird and my MUA), I saw that my MUA was not waiting for the banner.

After putting a sleep of a few seconds between establishing the connection and executing the login, the proxy worked fine.
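The last two comments pin the cause on the client sending its first command before reading the proxy's IMAP greeting. As an added illustration (not code from the project or from either participant in this thread), the script below models that race with a constructed local stand-in for the proxy's listener and shows the client-side fix: read the untagged `* OK` greeting before issuing the tagged command, rather than relying on a fixed sleep. The loopback address and port, the placeholder credentials, and the stand-in server's behaviour (it delays its greeting and closes with `* BYE` if anything arrives before that greeting) are assumptions made for this example.

```python
import select
import socket
import threading
import time

# Constructed greeting, modelled on the untagged OK line an IMAP server sends first.
GREETING = b"* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] fake server ready\r\n"


def _serve_one(listener, greeting_delay):
    """Constructed stand-in for the proxy's local listener (assumption, not the
    project's code): accept one client, pause to model the time the real proxy
    needs before it can greet, then send the greeting. Data that arrives
    before the greeting is treated as the fault described in the issue and
    the connection is closed with BYE."""
    conn, _ = listener.accept()
    listener.close()
    with conn:
        time.sleep(greeting_delay)
        early, _, _ = select.select([conn], [], [], 0)
        if early:
            conn.sendall(b"* BYE command received before greeting\r\n")
            return
        conn.sendall(GREETING)
        line = conn.makefile("rb").readline()
        tag = line.split(b" ", 1)[0]
        if b" LOGIN " in line.upper():
            conn.sendall(tag + b" OK LOGIN completed\r\n")
        else:
            conn.sendall(tag + b" BAD unknown command\r\n")


def start_fake_imap_server(greeting_delay=0.3):
    """Start the stand-in on an ephemeral loopback port; returns (host, port)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=_serve_one, args=(listener, greeting_delay), daemon=True).start()
    return listener.getsockname()


def imap_login(host, port, user, password, wait_for_greeting=True, timeout=5.0):
    """Minimal IMAP client covering only the first exchange.

    With wait_for_greeting=True (the correct behaviour) the client blocks on
    the server's greeting line before sending its tagged LOGIN. With False it
    reproduces the reporter's MUA, which sent its command immediately.
    Returns the lines received so the caller can inspect the outcome."""
    login = f'A0001 LOGIN "{user}" "{password}"\r\n'.encode()
    received = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        if wait_for_greeting:
            greeting = rfile.readline()
            received.append(greeting.decode(errors="replace").rstrip())
            if not greeting.startswith(b"* OK"):
                return received  # refuse to proceed without a healthy greeting
        sock.sendall(login)
        while True:
            line = rfile.readline()
            if not line:
                break
            text = line.decode(errors="replace").rstrip()
            received.append(text)
            # Stop at the tagged completion for our command, or a server BYE.
            if text.startswith("A0001 ") or text.startswith("* BYE"):
                break
    return received


if __name__ == "__main__":
    # Placeholder credentials: the stand-in does not check them.
    host, port = start_fake_imap_server()
    print("waiting for greeting:", imap_login(host, port, "user@example.com", "placeholder"))
    host, port = start_fake_imap_server()
    print("sending immediately:", imap_login(host, port, "user@example.com", "placeholder",
                                             wait_for_greeting=False))
```

Reading the greeting is the same wait Thunderbird performs, and unlike a fixed sleep it adapts to however long the proxy actually takes before it is ready for commands.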