On 01.07.22 20:02, Jochen Bern wrote:
*Totally* theorizing here, but as far as I'm aware, the SMTP (AUTH), POP, and IMAP protocol definitions do not provide elbow room to make *two* rounds of authentication. (Ever pondered why the admin can require O365 users to "use 2FA", but users then are still allowed to create "application passwords", note plural and lack of standard password features like a limited lifetime for those?)


On 04.07.22 21:29, Michael Peddemors wrote:
The only problem is, having looked at several of these insurance
companies' forms, it is almost as if an o365 sales person wrote the requirements.


On 04.07.22 22:23, gene heskett wrote:
This seems to be a place where the ITEF (IETF?) has seriously dropped
the ball. They do not well understand the chaos that will be created if
THEY do not set a cast iron std that even Redmond can follow or go home.
I don't think we can scream that too loud if THEY don't get off the dime
and do something toward setting a standard.


Speak of the devil ...

Today, our company got hit by the 48h-unless-your-admins-abort-it-for-NOW rolling outages O365 does as an (un)friendly reminder that (what THEY call) "Basic Authentication" will be disabled on 01-Oct:

https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online#re-enabling-and-opting-out-of-proactive-protection

Apparently, they already wrote and published standards on how the world shall introduce "Modern Authentication" (OAuth 2.0) into protocols like POP and IMAP:

https://docs.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth

As far as I can see from what I tested today (mainly switching my Thunderbird from "Normal Password" to "OAuth"), Clients effectively *have* to be "also a browser" (rendering the HTML for O365's login prompts, accepting and sending user input, storing the OAuth token as an HTTP cookie) to be able to do that. SMTP remains exempt from the requirement for now, on the theory that printers and the like may want to use it, and not be up to implementing the new stuff. (Otherwise, MS' position can be summarized as "our clients work great, Thunderbird succeeded in implementing it, if your client doesn't, go nag the vendor".)

I wonder when our ticket systems apparently ceased handling e-mails (via SMTP *and IMAP*) outside our office hours so as *not* to qualify for a similar exception.

Please excuse me for the rest of the day, I need to incinerate a neighbor-of-Nintendo-shaped effigy at today's company BBQ ...

Regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
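
The mail-protocol half of the OAuth scheme discussed above, as an added example that is not part of the original post: the interactive login and second factor happen over HTTPS, and IMAP still sees one SASL round (XOAUTH2) carrying the resulting bearer token. The function names, the address and the token value are constructed for illustration.

```python
import base64
import json

SEP = "\x01"  # Ctrl-A separates the fields of a SASL XOAUTH2 response


def build_xoauth2(user: str, access_token: str) -> str:
    """Client side: base64 of 'user=<u>^Aauth=Bearer <token>^A^A'."""
    if SEP in user or SEP in access_token:
        raise ValueError("Ctrl-A is the field separator and must not occur in values")
    raw = f"user={user}{SEP}auth=Bearer {access_token}{SEP}{SEP}"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def parse_xoauth2(b64: str) -> dict:
    """Server or log-review side: decode and validate the response."""
    raw = base64.b64decode(b64, validate=True).decode("utf-8")
    if not raw.endswith(SEP + SEP):
        raise ValueError("missing terminating Ctrl-A Ctrl-A")
    fields = {}
    for part in raw[:-2].split(SEP):
        key, eq, value = part.partition("=")
        if not eq:
            raise ValueError("field without '='")
        fields[key] = value
    scheme, _, token = fields.get("auth", "").partition(" ")
    if "user" not in fields or scheme != "Bearer" or not token:
        raise ValueError("expected user= and auth=Bearer <token>")
    return {"user": fields["user"], "token": token}


def imap_authenticate_line(tag: str, user: str, access_token: str) -> str:
    """The single IMAP command that replaces LOGIN; there is no second round."""
    return f"{tag} AUTHENTICATE XOAUTH2 {build_xoauth2(user, access_token)}\r\n"


def decode_failure_challenge(line: str) -> dict:
    """On rejection the server sends '+ <base64 JSON>'; the client then
    answers with an empty line and receives the tagged NO."""
    if not line.startswith("+ "):
        raise ValueError("not a continuation response")
    return json.loads(base64.b64decode(line[2:].strip()))


if __name__ == "__main__":
    # Constructed sample values; a real token comes from the OAuth 2.0 flow.
    line = imap_authenticate_line("A01", "user@example.com", "CONSTRUCTED.TOKEN")
    print(line.strip())
    print(parse_xoauth2(line.split()[3])["user"])
```

The base64 layer is encoding, not protection: the decoded string is a reusable bearer credential, so it needs the same handling in TLS configuration, logs and packet captures as a password.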
