« GraphicsMagick in Fil… | Home | GraphicsMagick in Fil… »

Follow up on SMTP with OAuth for Office 365 in FileMaker

After the SMTP with OAuth for Office 365 in FileMaker article we got some feedback from you guys.

Scope

First there is the question about the scope of the token and how to use this for IMAP. So the scope string lists various identifiers separated by a space character and a few of those identifiers are URLs. You can lookup them in the documentation from Microsoft, but we have a few common ones:

Only SMTP:
Set Variable [ $scope ; Value: "https://outlook.office365.com/SMTP.Send"

Only IMAP:
Set Variable [ $scope ; Value: "https://outlook.office365.com/IMAP.AccessAsUser.All"

IMAP and SMTP:
Set Variable [ $scope ; Value: "https://outlook.office365.com/SMTP.Send https://outlook.office365.com/IMAP.AccessAsUser.All"

More with POP3 and profile data and offline access:
Set Variable [ $scope ; Value: "openid profile offline_access https://outlook.office365.com/SMTP.Send https://outlook.office365.com/POP.AccessAsUser.All https://outlook.office365.com/IMAP.AccessAsUser.All"

It may be good to keep this narrow and maybe only ask for SMTP most times so the user is not frightened that for sending emails you also need to read all their existing emails.

SmtpClientAuthentication disabled

Sending a test email, we may get an error:

535 5.7.139 Authentication unsuccessful, SmtpClientAuthentication is disabled for the Tenant. Visit https://aka.ms/smtp_auth_disabled for more information. [FR2P281CA0043.DEUP281.PROD.OUTLOOK.COM]

The admin may need to enable SMTP for this account.

Authenticated but not connected

For IMAP, we saw this kind of error:

A003 BAD User is authenticated but not connected.

The Exchange and Office365 servers will accept connections and authenticate users by their username and password when the user doesn't have IMAP permissions. No error is given until the first IMAP command is issued, at which point it gives "User is authenticated but not connected".

To correct this, open the permissions for the user on the server and ensure that IMAP is selected.

Encryption trouble

Some people don't get the TLS connection due to old plugin with older SSL versions. Please use recent versions of MBS Plugins to get a recent OpenSSL with support for TLS 1.3. Please note that it is imaps://outlook.office365.com with an s attached to imap, so the port is 993 and the first data packet is encrypted. With smtp, it is without the extra s: smtp://smtp.office365.com as this uses STARTTLS, so connection starts unencrypted and then enables encryption later before sending the authentication.

Authentication unsuccessful

We saw errors like this:

535 5.7.3 Authentication unsuccessful

The token we just got is not accepted. Please check whether SMTP service is enabled for the account used.

Open Firewall

Since the Outlook application can connect to the mail server via HTTPS and their REST APIs, some clients seems to have the firewall configured to block the outlook.office365.com and smtp.office365.com domains. This can be at DNS level, so no IP is resolved. Or it can be on connection level, so the attempt to connect times out. Or it can be that the connection is happening, but then terminated within a second.

Successful request

There is an example of a CURL request, that works:

Trying 52.97.232.194:587...
Connected to smtp.office365.com (52.97.232.194) port 587 (#0)
220 ZR0P278CA0026.outlook.office365.com Microsoft ESMTP MAIL Service ready at Wed, 23 Nov 2022 09:12:07 +0000
EHLO test-mbp-3
250-ZR0P278CA0026.outlook.office365.com Hello [31.11.3.242]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8
STARTTLS
220 2.0.0 SMTP server ready
TLSv1.3 (OUT), TLS handshake, Client hello (1):
TLSv1.3 (IN), TLS handshake, Server hello (2):
TLSv1.2 (IN), TLS handshake, Certificate (11):
TLSv1.2 (IN), TLS handshake, Server key exchange (12):
TLSv1.2 (IN), TLS handshake, Request CERT (13):
TLSv1.2 (IN), TLS handshake, Server finished (14):
TLSv1.2 (OUT), TLS handshake, Certificate (11):
TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
TLSv1.2 (OUT), TLS handshake, Finished (20):
TLSv1.2 (IN), TLS handshake, Finished (20):
SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
Server certificate:
subject: C=US; ST=Washington; L=Redmond; O=Microsoft Corporation; CN=outlook.com
start date: Jul 26 00:00:00 2022 GMT
expire date: Jul 25 23:59:59 2023 GMT
issuer: C=US; O=DigiCert Inc; CN=DigiCert Cloud Services CA-1
SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
EHLO test-mbp-3
250-ZR0P278CA0026.outlook.office365.com Hello [31.11.3.242]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH LOGIN XOAUTH2
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8
AUTH XOAUTH2
334
dXNlcj1tYXJ....RMTlERkM3S0xlVmRIQQEB
235 2.7.0 Authentication successful
MAIL FROM:<user@domain.com>
250 2.1.0 Sender OK
RCPT TO:<other@domain.com>
250 2.1.5 Recipient OK
DATA
354 Start mail input; end with <CRLF>.<CRLF>
250 2.0.0 OK <315CA87F-XXXX-4EFA-XXX-D209056F067F@domain.com> [Hostname=ZR0XXXXMB0XX3.CHEP278.PROD.OUTLOOK.COM]
Connection #0 to host smtp.office365.com left intact

Of course all identifying information got removed, so you won't see the true user name above.

Let us know if you have questions so far.

Continued here: More follow up on oAuth for Office 365
06 12 22 - 12:05