Sorry but I disagree, as someone who manages multiple 365 tenants, including one with 150k users, and one for a small nonprofit, this should not have been a surprise for any administrator of the service. As previously mentioned this was announced years ago and repeatedly communicated. If you care about security, compromised accounts, etc. it is a pretty good thing as it allows well managed tenants to deploy MFA and reduce the risks of everyone else being attacked via compromised accounts. We can't be mad at the big vendors for not blocking abuse and then be mad at them when they try to prevent abuse, there are plenty of other better reasons to be mad at them.
They have made their implementation of OAuth-based IMAP available to developers quite a while ago and offered to help with supporting it. Few third-party clients have chosen to support it, but that is on the third-party clients, for example Thunderbird was updated to support it quite a while ago. Similarly, on the mobile devices that want to use ActiveSync, Apple updated their client to support it, Google decided they only want to support modern authentication for their own services. Also please note that SMTP itself is not affected by this change, they plan to support that a lot longer for exactly the reasons you outlined. I hate to tell you this but on this one the fault can only be attributed to whoever manages your tenant for not preparing for this change over the last 3 years or so.

________________________________
From: mailop <[email protected]> on behalf of Stuart Henderson via mailop <[email protected]>
Sent: Friday, August 19, 2022 6:03 AM
To: Gellner, Oliver <[email protected]>
Cc: [email protected] <[email protected]>; Benoît Panizzon <[email protected]>
Subject: Re: [mailop] Microsoft Office365 blocking non Oauth2 authentication on IMAP and SMTP.

On 2022/08/19 09:08, Gellner, Oliver via mailop wrote:
> Hello,
> IMAP, SMTP etc are still being supported with Office365. What gets
> disabled is Basic Auth for some services. Microsoft announced the
> decommission of Basic Authentication three years ago and all tenant
> administrators have been notified several times in the meantime about
> this change. Originally the change was planned for 2020, but due to
> interoperability issues it got postponed until 2022. So while I'm no
> Microsoft fellow I don't think anyone should be caught unprepared.

The interoperability issues have not been fixed though.

> If you need POP3 or IMAP4 access with Basic Auth, then you can either
> put a proxy or other email server in between which speaks Basic Auth
> on one side and OAuth on the other.

That proxy will have the same issue as seen by other tools accessing the OAuth2-only services. Hideously complicated configuration, having to keep tokens refreshed, etc.

It would seem sensible for operators who want to require something stronger than basic authentication to have a way to use TLS with client certificates as an alternative to OAuth2, it would be a lot more straightforward to handle on the client side. Unless they have other motives.

It's not really surprising to see this exact thing mentioned on https://en.wikipedia.org/wiki/Embrace,_extend,_and_extinguish

_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
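
The thread mentions a proxy that speaks OAuth towards the mailbox server and has to keep tokens refreshed. The sketch below is an added example, not part of any message in the thread or of any vendor's code: it shows the two pieces such a client carries, a token cache that renews before expiry and the SASL XOAUTH2 initial response sent with IMAP AUTHENTICATE. `fetch_token`, the 60-second skew, the token strings and `user@example.com` are assumptions made for illustration.

```python
import base64
import time


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """Base64-encoded SASL XOAUTH2 initial client response."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


class TokenCache:
    """Hands out a cached access token, renewing it shortly before expiry.

    fetch_token is a hypothetical callable returning (token, lifetime_seconds);
    a real proxy would perform the refresh-token grant there.
    """

    def __init__(self, fetch_token, skew=60, clock=time.monotonic):
        self._fetch = fetch_token
        self._skew = skew          # renew this many seconds early
        self._clock = clock
        self._token = None
        self._expires_at = 0.0

    def get(self) -> str:
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            token, lifetime = self._fetch()
            if not token or lifetime <= 0:
                # Fail closed rather than reuse a stale token.
                raise RuntimeError("token endpoint returned no usable token")
            self._token, self._expires_at = token, now + lifetime
        return self._token


def demo():
    # Constructed sample: fake clock and fake token endpoint, no network.
    now, issued = [0.0], []

    def fake_fetch():
        issued.append(f"token-{len(issued) + 1}")
        return issued[-1], 3600

    cache = TokenCache(fake_fetch, skew=60, clock=lambda: now[0])
    first = cache.get()
    now[0] = 1000.0
    second = cache.get()           # well before expiry: served from cache
    now[0] = 3550.0
    third = cache.get()            # inside the skew window: renewed
    return first, second, third, xoauth2_initial_response("user@example.com", third)
```
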
