Re: in search of OAuth2 tokens for Microsoft Office 365
Greg Marks wrote:
> Unfortunately, a grep search through the ~/.thunderbird directory
> for "client_id," "client_secret," and "redirect_uri" yielded nothing.

https://www.vanormondt.net/~peter/blog/2021-03-16-mutt-office365-mfa.html
http://pnijjar.freeshell.org/2022/mutt-uw-duo/

On a related note, I just noticed that, when looking at the login.microsoftonline.com entry in the Thunderbird source code file

https://hg.mozilla.org/comm-central/file/tip/mailnews/base/src/OAuth2Providers.jsm

it looks like the client_id has changed and the client_secret is gone, compared to what's indicated in the two web pages above. I'm not sure what that means for the future for people like me who use Thunderbird's Azure app registration with Mutt. Maybe it's time for Mutt to get its own Azure client_id and client_secret?

> I raised this issue with my university IT department (see below) and
> received a singularly unhelpful response (see below).

I opened a ticket with my own IT department about a year ago and I'm still waiting for a resolution... Contacting IT departments seems to be a dead end.

Philippe
Re: in search of OAuth2 tokens for Microsoft Office 365
On Wed, Oct 26, 2022 at 08:36:49PM -0600, Jon Brinkmann via Mutt-users wrote:
> [...] I configured my university account to send copies of all my
> email to my Apple iCloud mail, which does support app passwords.
>
> https://support.apple.com/en-us/HT202304
> https://forums.freebsd.org/threads/mutt-with-icloud-mail.44264/
>
> It works well. I had a bit of work to extract mail messages that
> Microsoft Exchange rejects with error status codes, e.g., SPF
> validation error, too many hops, sender's DMARC policy. I wrote a
> short Perl script to extract and restore the attachment containing the
> original message. It's processed thousands of rejected messages with
> no problems.

Is your Perl script published anywhere? If so, would you mind replying to this thread with a link to it? Alternatively, if it isn't published, please could you reply to the list with a copy of the script as an attachment (or, if this list doesn't allow attachments, then in the body of the email).

(Office365/etc problems arise frequently enough, as a topic on this mailing list, that it would be good for the list archive to contain comprehensive pointers to resources to help those poor souls unfortunate enough to have to battle this particular abomination from Microsoft's long line of abominations...)

Thanks!

Sam
Re: in search of OAuth2 tokens for Microsoft Office 365
I too have a university email account that uses Office 365 (Microsoft Exchange) with OAuth2. They also don't allow any client but Outlook. I asked IT to allow app passwords, which would allow both my existing mutt and fetchmail+procmail clients access to the email,

https://support.microsoft.com/en-us/account-billing/using-app-passwords-with-apps-that-don-t-support-two-step-verification-5896ed9b-4263-e681-128a-a6f2979a7944

but they refused.

My solution: Since I'm a long-time Mac user, I configured my university account to send copies of all my email to my Apple iCloud mail, which does support app passwords.

https://support.apple.com/en-us/HT202304
https://forums.freebsd.org/threads/mutt-with-icloud-mail.44264/

It works well. I had a bit of work to extract mail messages that Microsoft Exchange rejects with error status codes, e.g., SPF validation error, too many hops, sender's DMARC policy. I wrote a short Perl script to extract and restore the attachment containing the original message. It's processed thousands of rejected messages with no problems.

As an aside, check out the book

https://www.amazon.com/Hacking-Multifactor-Authentication-Roger-Grimes/dp/1119650798

Most 2FA isn't nearly as secure as many think!

Jon

On Tue, Oct 25, 2022 at 06:13:42PM -0500, Greg Marks wrote:
> Dear Mutt Developers,
>
> This is not exactly a question about Mutt--more about OAuth2
> authentication with Microsoft Office 365--but I wonder if anyone
> can advise.
>
> I've been trying to configure Mutt for continued access to my university
> e-mail account, which uses the IMAP/SMTP server outlook.office365.com.
> I have successfully configured Mutt for my G-Mail account using one
> of the official gitlab.com Python scripts to generate OAuth2 tokens.
> But when I tried to do the same for my university e-mail account, I
> found that I lacked permissions to create an "app registration" after
> logging in to my account through a Web browser. When I created an "app
> registration" by setting up a private Outlook account, the credentials
> were not accepted.
>
> I was able to get Thunderbird to access my university e-mail account with
> OAuth2 authentication, and I had some hopes that as a workaround I could
> paste the credentials generated by Thunderbird into the Mutt script.
> Unfortunately, a grep search through the ~/.thunderbird directory
> for "client_id," "client_secret," and "redirect_uri" yielded nothing.
> (I presume Thunderbird is storing the relevant credentials in encrypted
> form, making them appropriately hard to access.) This might not work
> anyway; it seems possible that Office 365 only recognizes Thunderbird
> as an authorized "application." My recollection is that Thunderbird
> initially created OAuth2 tokens with a call to a Web browser to log
> in to my e-mail account and grant access; since then, any necessary
> refreshed tokens are apparently generated automatically.
>
> Having now used Thunderbird in lieu of Mutt for this account over the
> past couple weeks, I am reminded of the considerable superiority of Mutt,
> because of the security of text-only access, because when composing
> e-mails with Mutt I can use countless vi macros that I've created over
> the years, and because I can easily move IMAP e-mail into local mbox
> files on my computer.
>
> I raised this issue with my university IT department (see below) and
> received a singularly unhelpful response (see below). My impression is
> that I need to make a very clear and specific request for appropriate
> permissions to create OAuth2 tokens. Is the least intrusive way to
> proceed to request that my Azure account associated with my university
> e-mail be granted permission in the Azure Active Directory in the Azure
> AD role of "Application developer"?
>
> Any other ideas or suggestions would be most welcome.
>
> Sincerely,
> Greg Marks
>
> -
>
> My message to university IT department:
>
>    I have been using the e-mail client Mutt to access my
>    SLU e-mail account, and this stopped working on Oct. 12;
>    apparently, the office365 accounts that SLU uses now require
>    OAuth2 authentication. I am trying to configure Mutt to
>    authenticate using OAuth2 following the instructions here:
>
>    https://gitlab.com/muttmua/mutt/-/blob/master/contrib/mutt_oauth2.py.README
>
>    I followed their instructions: "End users who aren't able to
>    get to the app registration screen within portal.azure.com for
>    their work/school account can temporarily use an incognito
>    browser window to create a free outlook.com account and use
>    that to create the app registration." At the stage when I
>    ran the command
>
>    ./mutt_oauth2.py [redacted].tokens --verbose --authorize
>
>    on my local machine and pasted the localhostauthcode URL into
>    a browser, I received this error message:
>
>    Sorry, but we’re having trouble signing you in.
>    AADSTS700016: Application with identifier [redacted]
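The rescue step Jon describes above (and Sam asks about), written in Python rather than Perl as an added example that is not Jon's script: it parses a delivery-status bounce, reads the rejection Status and SMTP Diagnostic-Code, and pulls the message/rfc822 attachment that carries the original message back out. The bounce below is a constructed sample, not real Exchange output, and the field values in it are made up.

```python
from email import message_from_string, policy

# Constructed sample DSN (not a real Exchange bounce): a multipart/report whose
# last part carries the rejected original as a message/rfc822 attachment.
SAMPLE_BOUNCE = """\
From: postmaster@example.edu
To: me@example.edu
Subject: Undeliverable: Meeting notes
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.edu

Final-Recipient: rfc822; me@example.com
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp; 550 5.7.1 Sender's DMARC policy rejected the message

--b1
Content-Type: message/rfc822

From: alice@example.org
Subject: Meeting notes
Content-Type: text/plain

Here are the notes from today.

--b1--
"""


def extract_rejected(bounce_text):
    """Return (status, diagnostic, original EmailMessage or None) for one DSN."""
    bounce = message_from_string(bounce_text, policy=policy.default)
    status = diagnostic = original = None
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # Parsed as header blocks; the per-recipient one carries Status/Diagnostic-Code.
            for block in part.get_payload():
                if block.get("Status"):
                    status = str(block["Status"]).strip()
                    diagnostic = str(block.get("Diagnostic-Code", "")).strip()
        elif ctype == "message/rfc822":
            # Payload is a one-element list holding the original message to restore.
            original = part.get_payload()[0]
    return status, diagnostic, original
```

The returned message can be appended to an mbox as-is, while the status and diagnostic tell you which rejection class (DMARC policy, SPF failure, hop count) each rescued message fell into.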
Re: in search of OAuth2 tokens for Microsoft Office 365
On Tue, Oct 25, 2022 at 06:13:42PM -0500, Greg Marks wrote:
> Is the least intrusive way to proceed to request that my Azure account
> associated with my university e-mail be granted permission in the
> Azure Active Directory in the Azure AD role of "Application
> developer"?

So, I went through some similar thing (only in a corp vs. EDU type environment), and I think that creating an "app" in AD would indeed be the first step towards getting this working (whether that needs to be within their AD or whether you can make your own account and create the app I can't say; probably the former). After that, I believe they'll also have to approve it for use.

Since Thunderbird works, I'm _assuming_ they haven't dropped "legacy" (i.e., standard) protocols, but you may want to verify that _before_ going through the process.

w
in search of OAuth2 tokens for Microsoft Office 365
Dear Mutt Developers,

This is not exactly a question about Mutt--more about OAuth2 authentication with Microsoft Office 365--but I wonder if anyone can advise.

I've been trying to configure Mutt for continued access to my university e-mail account, which uses the IMAP/SMTP server outlook.office365.com. I have successfully configured Mutt for my G-Mail account using one of the official gitlab.com Python scripts to generate OAuth2 tokens. But when I tried to do the same for my university e-mail account, I found that I lacked permissions to create an "app registration" after logging in to my account through a Web browser. When I created an "app registration" by setting up a private Outlook account, the credentials were not accepted.

I was able to get Thunderbird to access my university e-mail account with OAuth2 authentication, and I had some hopes that as a workaround I could paste the credentials generated by Thunderbird into the Mutt script. Unfortunately, a grep search through the ~/.thunderbird directory for "client_id," "client_secret," and "redirect_uri" yielded nothing. (I presume Thunderbird is storing the relevant credentials in encrypted form, making them appropriately hard to access.) This might not work anyway; it seems possible that Office 365 only recognizes Thunderbird as an authorized "application." My recollection is that Thunderbird initially created OAuth2 tokens with a call to a Web browser to log in to my e-mail account and grant access; since then, any necessary refreshed tokens are apparently generated automatically.

Having now used Thunderbird in lieu of Mutt for this account over the past couple weeks, I am reminded of the considerable superiority of Mutt, because of the security of text-only access, because when composing e-mails with Mutt I can use countless vi macros that I've created over the years, and because I can easily move IMAP e-mail into local mbox files on my computer.

I raised this issue with my university IT department (see below) and received a singularly unhelpful response (see below). My impression is that I need to make a very clear and specific request for appropriate permissions to create OAuth2 tokens. Is the least intrusive way to proceed to request that my Azure account associated with my university e-mail be granted permission in the Azure Active Directory in the Azure AD role of "Application developer"?

Any other ideas or suggestions would be most welcome.

Sincerely,
Greg Marks

-

My message to university IT department:

    I have been using the e-mail client Mutt to access my SLU e-mail account, and this stopped working on Oct. 12; apparently, the office365 accounts that SLU uses now require OAuth2 authentication. I am trying to configure Mutt to authenticate using OAuth2 following the instructions here:

    https://gitlab.com/muttmua/mutt/-/blob/master/contrib/mutt_oauth2.py.README

    I followed their instructions: "End users who aren't able to get to the app registration screen within portal.azure.com for their work/school account can temporarily use an incognito browser window to create a free outlook.com account and use that to create the app registration." At the stage when I ran the command

        ./mutt_oauth2.py [redacted].tokens --verbose --authorize

    on my local machine and pasted the localhostauthcode URL into a browser, I received this error message:

        Sorry, but we’re having trouble signing you in.
        AADSTS700016: Application with identifier [redacted] was not found in the directory 'Saint Louis University'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.

        Troubleshooting details
        If you contact your administrator, send this info to them.
        Copy info to clipboard
        Request Id: 05f6c734-86f2-4457-b153-9b21afd8
        Correlation Id: c59462fa-68dc-4068-b0fa-2943b56545db
        Timestamp: 2022-10-13T22:55:50Z
        Message: AADSTS700016: Application with identifier [redacted] was not found in the directory 'Saint Louis University'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.

    I have been able to configure Mozilla Thunderbird to access my SLU e-mail account with OAuth2 authentication but greatly prefer Mutt for a number of reasons, including security reasons. Could you please provide a method for obtaining a usable client_id, client_secret, and redirect_uri to generate the necessary tokens for OAuth2 authentication in order to have IMAP and SMTP access to my SLU e-mail account?