I too have a university email account that uses Office 365 (Microsoft Exchange)
with OAuth2.  Nor do they allow any client but Outlook.  I asked IT to allow
app passwords, which would allow both my existing mutt and fetchmail+procmail
clients access to the email,

https://support.microsoft.com/en-us/account-billing/using-app-passwords-with-apps-that-don-t-support-two-step-verification-5896ed9b-4263-e681-128a-a6f2979a7944

but they refused.  My solution: Since I'm a long-time Mac user, I configured
my university account to send copies of all my email to my Apple iCloud mail,
which does support app passwords.

https://support.apple.com/en-us/HT202304
https://forums.freebsd.org/threads/mutt-with-icloud-mail.44264/

It works well.  I had a bit of work to extract mail messages that Microsoft
Exchange rejects with error status codes, e.g., SPF validation error, too
many hops, sender's DMARC policy.  I wrote a short Perl script to extract
and restore the attachment containing the original message.  It's processed
thousands of rejected messages with no problems.

As an aside, check out the book

https://www.amazon.com/Hacking-Multifactor-Authentication-Roger-Grimes/dp/1119650798

Most 2FA isn't nearly as secure as many think!

Jon
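
The rejection handling described above, as an added example that is not Jon's Perl script: a standard Exchange rejection bounce is a multipart/report message whose message/delivery-status part carries the DSN status code and whose message/rfc822 part is the rejected message, so the original can be pulled back out and written to a mailbox. The sample bounce, addresses and MTA name are constructed for illustration.

```python
# Added example (not the Perl script from the post): pull the DSN status and the
# rejected message out of an Exchange rejection bounce. Sample is constructed.
import email
from email import policy

# Constructed multipart/report bounce; addresses and MTA name are hypothetical.
SAMPLE_BOUNCE = b"""\
From: postmaster@example.edu
To: jon@example.edu
Subject: Undeliverable: weekly report
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.edu

Final-Recipient: rfc822; jon@example.edu
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp; 550 5.7.1 SPF validation failed

--B1
Content-Type: message/rfc822

From: alice@example.org
To: jon@example.edu
Subject: weekly report

Hi Jon, here is the report.
--B1--
"""


def parse_bounce(bounce_bytes):
    """Return (dsn_status, original_message); either is None if absent."""
    bounce = email.message_from_bytes(bounce_bytes, policy=policy.default)
    status, original = None, None
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # The parser splits the DSN into header blocks, each a Message;
            # the per-recipient block carries the Status field.
            for block in part.get_payload():
                if block.get("Status"):
                    status = str(block["Status"]).strip()
        elif ctype == "message/rfc822":
            original = part.get_payload(0)  # payload is a one-message list
    # original stays None for headers-only bounces (text/rfc822-headers)
    return status, original
```

`original.as_bytes()` is what you would append to an mbox file; a bounce that only quotes the headers (text/rfc822-headers) has no body to restore, so `original` is None in that case.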

On Tue, Oct 25, 2022 at 06:13:42PM -0500, Greg Marks wrote:
>Dear Mutt Developers,
>
>This is not exactly a question about Mutt--more about OAuth2
>authentication with Microsoft Office 365--but I wonder if anyone
>can advise.
>
>I've been trying to configure Mutt for continued access to my university
>e-mail account, which uses the IMAP/SMTP server outlook.office365.com.
>I have successfully configured Mutt for my G-Mail account using one
>of the official gitlab.com Python scripts to generate OAuth2 tokens.
>But when I tried to do the same for my university e-mail account, I
>found that I lacked permissions to create an "app registration" after
>logging in to my account through a Web browser.  When I created an "app
>registration" by setting up a private Outlook account, the credentials
>were not accepted.
>
>I was able to get Thunderbird to access my university e-mail account with
>OAuth2 authentication, and I had some hopes that as a workaround I could
>paste the credentials generated by Thunderbird into the Mutt script.
>Unfortunately, a grep search through the ~/.thunderbird directory
>for "client_id," "client_secret," and "redirect_uri" yielded nothing.
>(I presume Thunderbird is storing the relevant credentials in encrypted
>form, making them appropriately hard to access.)  This might not work
>anyway; it seems possible that the Office 365 only recognizes Thunderbird
>as an authorized "application."  My recollection is that Thunderbird
>initially created OAuth2 tokens with a call to a Web browser to log
>in to my e-mail account and grant access; since then, any necessary
>refreshed tokens are apparently generated automatically.
>
>Having now used Thunderbird in lieu of Mutt for this account over the
>past couple weeks, I am reminded of the considerable superiority of Mutt,
>because of the security of text-only access, because when composing
>e-mails with Mutt I can use countless vi macros that I've created over
>the years, and because I can easily move IMAP e-mail into local mbox
>files on my computer.
>
>I raised this issue with my university IT department (see below) and
>received a singularly unhelpful response (see below).  My impression is
>that I need to make a very clear and specific request for appropriate
>permissions to create OAuth2 tokens.  Is the least intrusive way to
>proceed to request that my Azure account associated with my university
>e-mail be granted permission in the Azure Active Directory in the Azure
>AD role of "Application developer"?
>
>Any other ideas or suggestions would be most welcome.
>
>Sincerely,
>Greg Marks
>
>-------------------------------------------------------------
>
>My message to university IT department:
>
>   I have been using the e-mail client Mutt to access my
>   SLU e-mail account, and this stopped working on Oct. 12;
>   apparently, the office365 accounts that SLU uses now require
>   OAuth2 authentication.  I am trying to configure Mutt to
>   authenticate using OAuth2 following the instructions here:
>
>      https://gitlab.com/muttmua/mutt/-/blob/master/contrib/mutt_oauth2.py.README
>
>   I followed their instructions: "End users who aren't able to
>   get to the app registration screen within portal.azure.com for
>   their work/school account can temporarily use an incognito
>   browser window to create a free outlook.com account and use
>   that to create the app registration."  At the stage when I
>   ran the command
>   
>      ./mutt_oauth2.py [redacted].tokens --verbose --authorize
>   
>   on my local machine and pasted the localhostauthcode URL into
>   a browser, I received this error message:
>   
>      Sorry, but we’re having trouble signing you in.
>      AADSTS700016: Application with identifier [redacted] was
>      not found in the directory 'Saint Louis University'. This
>      can happen if the application has not been installed by
>      the administrator of the tenant or consented to by any
>      user in the tenant. You may have sent your authentication
>      request to the wrong tenant.
>   
>      Troubleshooting details
>      If you contact your administrator, send this info
>      to them.  Copy info to clipboard
>      Request Id: 05f6c734-86f2-4457-b153-9b21afd80000
>      Correlation Id: c59462fa-68dc-4068-b0fa-2943b56545db
>      Timestamp: 2022-10-13T22:55:50Z      
>      Message: AADSTS700016: Application with identifier
>      [redacted] was not found in the directory 'Saint Louis
>      University'. This can happen if the application has not
>      been installed by the administrator of the tenant or
>      consented to by any user in the tenant. You may have sent
>      your authentication request to the wrong tenant.
>   
>   I have been able to configure Mozilla Thunderbird to access
>   my SLU e-mail account with OAuth2 authentication but greatly
>   prefer Mutt for a number of reasons, including security reasons.
>   
>   Could you please provide a method for obtaining a usable
>   client_id, client_secret, and redirect_uri to generate the
>   necessary tokens for OAuth2 authentication in order to have
>   IMAP and SMTP access to my SLU e-mail account?
>
>University IT department's reply to me:
>
>   We have received a response from our messaging team.
>   Unfortunately, as a third-party application, Mutt is not a
>   service that is supported by SLU ITS.  As such we are not able
>   to offer any assistance with bringing it online.  Outlook is
>   the university standard application for email and is the
>   only one we can support in-depth.  If Mozilla Thunderbird is
>   still working as you stated earlier, that can also be used.
>   If you have any further questions or concerns, please feel
>   free to reach back out to us at [phone number redacted].

On Tue, Oct 25, 2022 at 06:43:26PM -0700, Will Yardley wrote:
>
>On Tue, Oct 25, 2022 at 06:13:42PM -0500, Greg Marks wrote:
>> Is the least intrusive way to proceed to request that my Azure account
>> associated with my university e-mail be granted permission in the
>> Azure Active Directory in the Azure AD role of "Application
>> developer"?
>
>So, I went through some similar thing (only in a corp vs. EDU type
>environment), and I think that creating an "app" in AD would indeed be
>the first step towards getting this working (whether that needs to be
>within their AD or whether you can make your own account and create the
>app I can't say; probably the former). After that, I believe
>they'll also have to approve it for use.
>
>Since Thunderbird works, I'm _assuming_ they haven't dropped "legacy"
>(i.e., standard) protocols, but you may want to verify that _before_
>going through the process.
>
>w