Closed Bug 1775077 Opened 2 years ago Closed 7 months ago

Can't authenticate with Microsoft SMTP using OAuth

Categories

(Thunderbird :: Security, defect, P3)

Thunderbird 91

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: robrwo, Unassigned)

References

(Blocks 1 open bug)

Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0

Steps to reproduce:

I configured a new outgoing server that uses Office 365, using the same credentials for receiving email via IMAP:

Server Name: smtp.office365.com
Port: 587
Authentication Method: OAuth2
Security: STARTTLS

Actual results:

When sending a mail, I get a dialogue stating that the login failed. But I've not configured a password yet. When I click "Enter a new password" button, no dialogue comes up asking for a new password. It just says "Sending message..." and after a while the same dialogue will return.

Expected results:

An OAuth2 dialog similar to the one for IMAP should have come up.

There should also be a place in the account settings to configure a password.

Severity: -- → S3
Component: Untriaged → Security
Priority: -- → P3

Jules, are you still using o365, and see this bug in version 91?

Flags: needinfo?(Jules)

I'm using 103beta and don't see this bug. But I don't think I did back in pre-102 days either.
My initial advice to Robert Rothenberg would be to delete all the OAuth2 tokens in "Saved passwords" in TB, restart TB and thereby force it to re-authenticate via OAuth2 and a MS login box for both IMAP and SMTP.
Cheers,
Jules.

Flags: needinfo?(Jules)

Robert, did comment 2 help? And if not how did you resolve your problem? Or, does the problem still exist?

Flags: needinfo?(robrwo)
Whiteboard: [closeme 2022-11-01]

No, it did help.

Flags: needinfo?(robrwo)

To confirm, my working settings (in 103 onwards) are
Server Name: smtp.office365.com
Port: 587
Connection Security: STARTTLS
Authentication method: OAuth2
User Name: your-username@your-domain.com

Always quit and restart TB after changing this sort of stuff, it seems to keep it happier.
You might want to try removing all your saved passwords, certainly anything to do with either SMTP or Office365.
Also double check that the IMAP account you are using is actually set to use the SMTP server settings you think it is. It's at the bottom of the main page of the account settings.

(In reply to Robert Rothenberg from comment #4)

No, it did help.

With what version? (Please always cite your full version when updating a bug)
Did comment 5 help?

No longer blocks: tb-enterprise
Flags: needinfo?(robrwo)
Whiteboard: [closeme 2022-11-01]

I am using 102.4.2

It now asked for a password and gets no errors, but now sending an email seems to lock up. So I don't know if there's an authorization problem or something else.

Flags: needinfo?(robrwo)

Actually no, the password is not accepted, and it keeps asking for a new password. I know that this is the correct password because I use it to receive mail and log in via the web interface.

An outside chance, could this be the subtle "Authenticated but not connected" issue? It got me...
https://www.reddit.com/r/Thunderbird/comments/zxelqn/came_back_to_thunderbird_after_christmas_and_now/

Microsoft disabled SMTP auth by default some time ago. Please make sure it's actually enabled at https://admin.exchange.microsoft.com/#/settings by unchecking the box shown in this screenshot at Settings -> Mail Flow.

Note: It may take a few minutes for the SMTP server to reflect the change. It did for me.

If you have this box unchecked already, and still can't send, an error from the error console in Tools -> Developer Tools -> Error Console would be very helpful.

copy from bug 1799259 comment 8 (my post)

Environment: Win 10 22H2 x64, M365 personal account
IMAP: outlook.office365.com, TLS/SSL (993), OAuth2
SMTP: smtp.office365.com, STARTTLS (587), OAuth2

Tb 102.7.1 x64 + brand new profile
Tb 110.0b3 x64 + brand new profile
Tb 111.0a1 (20230201095127) x64 + brand new profile

In all cases, IMAP is good. The scope used for OAuth2 is outlook.office.com, not outlook.office365.com.
On the other hand, SMTP is bad. Same as bug 1775077, the login failed dialog appears, but neither "Retry" nor "Enter New Password" works, endless loop...

(In reply to Andrei Hajdukewycz [:sancus] from comment #10)

Microsoft disabled SMTP auth by default some time ago. Please make sure it's actually enabled at https://admin.exchange.microsoft.com/#/settings by unchecking the box shown in this screenshot at Settings -> Mail Flow.

Note: It may take a few minutes for the SMTP server to reflect the change. It did for me.

It is not applicable for M365 personal account.

If you have this box unchecked already, and still can't send, an error from the error console in Tools -> Developer Tools -> Error Console would be very helpful.

Error console log 102.7.1 :

(login fail dialog)

mailnews.smtp: Command failed: 535 Authentication unsuccessful [TY2PR02CA0002.apcprd02.prod.outlook.com 2023-02-02T03:03:56.225Z 08DB048C484F1486]; currentAction=_actionAUTH_XOAUTH2 SmtpClient.jsm:515:19
mailnews.smtp: Error during AUTH XOAUTH2, sending empty response SmtpClient.jsm:1038:19

(click "Retry")

mailnews.smtp: Command failed: 500 Unrecognized command 'unknown' [TY2PR02CA0002.apcprd02.prod.outlook.com 2023-02-02T03:04:01.287Z 08DB048C484F1486]; currentAction=_actionAUTHComplete SmtpClient.jsm:515:19
mailnews.smtp: Authentication failed: Unrecognized command 'unknown' [TY2PR02CA0002.apcprd02.prod.outlook.com 2023-02-02T03:04:01.287Z 08DB048C484F1486] SmtpClient.jsm:701:17
mailnews.smtp: Command failed: 535 Authentication unsuccessful [TY2PR02CA0002.apcprd02.prod.outlook.com 2023-02-02T03:04:23.004Z 08DB048C484F1486]; currentAction=_actionAUTH_XOAUTH2 SmtpClient.jsm:515:19
mailnews.smtp: Error during AUTH XOAUTH2, sending empty response SmtpClient.jsm:1038:19

(click "Enter New Password")

mailnews.smtp: Command failed: 500 Unrecognized command 'unknown' [TY2PR02CA0002.apcprd02.prod.outlook.com 2023-02-02T03:04:28.050Z 08DB048C484F1486]; currentAction=_actionAUTHComplete SmtpClient.jsm:515:19
mailnews.smtp: Authentication failed: Unrecognized command 'unknown' [TY2PR02CA0002.apcprd02.prod.outlook.com 2023-02-02T03:04:28.050Z 08DB048C484F1486] SmtpClient.jsm:701:17
mailnews.smtp: Command failed: 535 Authentication unsuccessful [TY2PR02CA0002.apcprd02.prod.outlook.com 2023-02-02T03:04:43.533Z 08DB048C484F1486]; currentAction=_actionAUTH_XOAUTH2 SmtpClient.jsm:515:19
mailnews.smtp: Error during AUTH XOAUTH2, sending empty response SmtpClient.jsm:1038:19

(click "Cancel")

mailnews.smtp: Command failed: 500 Unrecognized command 'unknown' [TY2PR02CA0002.apcprd02.prod.outlook.com 2023-02-02T03:04:48.564Z 08DB048C484F1486]; currentAction=_actionAUTHComplete SmtpClient.jsm:515:19
mailnews.smtp: Authentication failed: Unrecognized command 'unknown' [TY2PR02CA0002.apcprd02.prod.outlook.com 2023-02-02T03:04:48.564Z 08DB048C484F1486] SmtpClient.jsm:701:17
mailnews.smtp: Authentication failed: Unrecognized command 'unknown' [TY2PR02CA0002.apcprd02.prod.outlook.com 2023-02-02T03:04:48.564Z 08DB048C484F1486] SmtpClient.jsm:742:19
mailnews.send: Sending failed; Unable to authenticate to Outgoing server (SMTP) smtp.office365.com. Please check the password and verify the 'Authentication method' in 'Account Settings | Outgoing server (SMTP)'., exitCode=2153066805, originalMsgURI= MessageSend.jsm:335:27
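The SASL XOAUTH2 exchange behind the console log above, as an added example (not Thunderbird's SmtpClient.jsm code): it builds the XOAUTH2 initial client response and distinguishes the two failure shapes, a 334 challenge carrying a base64-encoded JSON error (answered with an empty line before the server's final 535) from a bare 535. The scripted server, the user name and the token are constructed placeholders, not values from the report.

```python
import base64
import json


def build_xoauth2_response(user: str, access_token: str) -> str:
    """Base64 SASL XOAUTH2 initial response: user=<u>^Aauth=Bearer <t>^A^A."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()


def encode_challenge(detail: dict) -> str:
    """Constructed server-side helper: wrap a JSON error in a 334 challenge."""
    return "334 " + base64.b64encode(json.dumps(detail).encode()).decode()


class ScriptedSmtpServer:
    """Constructed stand-in for an SMTP server: replays canned reply lines."""

    def __init__(self, replies):
        self.replies = list(replies)
        self.sent = []  # every line the client sent, in order

    def send(self, line: str) -> str:
        self.sent.append(line)
        return self.replies.pop(0) if self.replies else "421 no more replies"


def auth_xoauth2(server, user: str, access_token: str) -> dict:
    """Run AUTH XOAUTH2 against `server` and report the outcome."""
    reply = server.send("AUTH XOAUTH2 " + build_xoauth2_response(user, access_token))
    code = reply[:3]
    if code == "235":
        return {"ok": True, "code": code, "detail": None}
    if code == "334":
        # Failure with details: the payload is base64 JSON. The mechanism
        # expects the client to send an empty line, after which the server
        # issues the final 535; only here is an empty response correct.
        detail = json.loads(base64.b64decode(reply[4:]).decode())
        final = server.send("")
        return {"ok": False, "code": final[:3], "detail": detail}
    # Any other reply (e.g. an immediate 535) is already final; an empty line
    # sent now is not part of the exchange and the server treats it as a
    # command of its own.
    return {"ok": False, "code": code, "detail": reply[4:]}


if __name__ == "__main__":
    # Constructed failure with details: scope as mentioned in this thread.
    srv = ScriptedSmtpServer([
        encode_challenge({"status": "400", "schemes": "Bearer",
                          "scope": "https://outlook.office.com/"}),
        "535 5.7.3 Authentication unsuccessful",
    ])
    print(auth_xoauth2(srv, "user@example.com", "placeholder-token"))
```

In the log above the empty response goes out after a 535 rather than a 334 and the server answers it with "500 Unrecognized command", which is the case the last branch avoids.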

Additional information: Error console log in comment #11 is by 102.7.1.

Then I restarted Thunderbird (110.0b3 (64-bit)) and tried it again, and got the MS OAUTH pop up which was good progress, and signed in, then on the Thunderbird Account Setup page "Account successfully created" was displayed also good progress.

Now it is downloading 293 of 5444 emails -- a good start! I get a lot of emails, and have lots of Thunderbird filters to deal with them. I'll have to see in the morning if it completed.

It also seems like SMTP Auth may simply be disabled with some types of accounts, Microsoft states "Oauth 2.0 client credential flow with non-interactive sign in".

If basic auth for SMTP only works for you (using user/password) I think that's what you should use for now, even if you're using oAuth for IMAP. This is completely nuts, but it seems to be what Microsoft wants in at least some cases...

It's completely unclear to me why SMTP appears to work sometimes but not others, even when SMTP AUTH is enabled for a tenant.

(In reply to Andrei Hajdukewycz [:sancus] from comment #14)

It also seems like SMTP Auth may simply be disabled with some types of accounts, Microsoft states "Oauth 2.0 client credential flow with non-interactive sign in".

If basic auth for SMTP only works for you (using user/password) I think that's what you should use for now, even if you're using oAuth for IMAP. This is completely nuts, but it seems to be what Microsoft wants in at least some cases...

It's completely unclear to me why SMTP appears to work sometimes but not others, even when SMTP AUTH is enabled for a tenant.

I agree with your opinion.

I realized that SMTP with OAuth2 is now impossible with K-9 Mail (IMAP with OAuth2 is possible, of course).
(It WAS POSSIBLE when I reported bug 1799259, 3 months ago)

The error message of K-9 is almost the same as that of Tb.
https://i.imgur.com/JMupoSq.png

MS seems to have changed something...

(In reply to Andrei Hajdukewycz [:sancus] from comment #14)

It also seems like SMTP Auth may simply be disabled with some types of accounts, Microsoft states "Oauth 2.0 client credential flow with non-interactive sign in".

If basic auth for SMTP only works for you (using user/password) I think that's what you should use for now, even if you're using oAuth for IMAP. This is completely nuts, but it seems to be what Microsoft wants in at least some cases...

It's completely unclear to me why SMTP appears to work sometimes but not others, even when SMTP AUTH is enabled for a tenant.

You're right, my bad. For my account SMTP OAuth does not work with TB 102.6.1 as well now, so it must be something on MS side not related to bug 1810760.

(In reply to Andrey Kiryanov from comment #16)

(In reply to Andrei Hajdukewycz [:sancus] from comment #14)

It also seems like SMTP Auth may simply be disabled with some types of accounts, Microsoft states "Oauth 2.0 client credential flow with non-interactive sign in".

If basic auth for SMTP only works for you (using user/password) I think that's what you should use for now, even if you're using oAuth for IMAP. This is completely nuts, but it seems to be what Microsoft wants in at least some cases...

It's completely unclear to me why SMTP appears to work sometimes but not others, even when SMTP AUTH is enabled for a tenant.

You're right, my bad. For my account SMTP OAuth does not work with TB 102.6.1 as well now, so it must be something on MS side not related to this bug.

Ah, I've replied to the wrong bug. I meant to say that it's not related to bug #1810760

Summary: Thunderbird will not ask for an Oauth2 password for office 365 SMTP → Can't authenticate with Microsoft SMTP using OAuth
Status: UNCONFIRMED → NEW
Ever confirmed: true

So, I've managed to solve my problem with MS SMTP OAuth. It appears that SMTP is much more picky about usernames than IMAP. Whereas IMAP allows you to authenticate using your primary e-mail or any alias you might have, SMTP will only work with your primary e-mail (in my case I had two, like firstname.lastname@mydomain.com and just lastname@mydomain.com, with the latter being an alias).
It was far from obvious, but after changing the SMTP username in Thunderbird settings it finally started working as expected.

Duplicate of this bug: 1824349

Doesn't work on my side. It worked as a charm until TB 111 and stopped working upon 112.
I tried resetting passwords, removing and recreating the SMTP server, changing usernames, creating a new profile... Duo pops up and approves my login, but I can't send any message, since it says "try changing your password". I am still able to receive messages, save drafts, and delete from any folder.
I think that it's unlikely a server side configuration problem, since it worked until I updated Thunderbird.
Any idea?

I had to use app password instead of OAuth, and it seems K-9 Mail also has the same issue: https://forum.k9mail.app/t/outlook-com-mail-settings/6154

Nope :)
Just tried both this and the IPv6 thing, but it's still stuck.
Why the heck did it work two weeks ago?

Why the heck did it work two weeks ago?

If you're referring to working in 111 beta and not working in 112 beta, look at the differences between the two:
https://hg.mozilla.org/releases/comm-beta/pushloghtml?changeset=f4421a4ae0bdded50df8b8e3a72246407093cd50
In there you'll find bug 1697805 (and bug 1780265 which was only a minor tweak). Maybe the former gives a hint.

Or did 112 beta 1 work and a later beta didn't? Then you need to search elsewhere.

I've just set up an account at O365. TB configures it with OAuth2 for SMTP which initially failed. Switching to "normal password", letting that fail once, and then switching back to OAuth2 actually succeeded. Go figure!

Perhaps some correlation to bug 1668834 for that.

Now, OAuth2 authentication with M365 SMTP seems to be usable.

Service: M365 personal
Server Name: smtp.office365.com
Port: 587
Authentication Method: OAuth2
Security: STARTTLS

I have tested with

  1. Tb 102.10.0 (Win10 x64 desktop and laptop machines)
  2. K-9 Mail 6.600 (Android 13)

I can send messages via SMTP using OAuth2 with both Tb and K-9.
It seems that something has been changed on MS side, not on client side.
Can anyone try?

(In reply to Massimiliano Caniparoli from comment #20)

Doesn't work on my side. It worked as a charm until TB 111 and stopped working upon 112.
I tried resetting passwords, removing and recreating the SMTP server, changing usernames, creating a new profile... Duo pops up and approves my login, but I can't send any message, since it says "try changing your password". I am still able to receive messages, save drafts, and delete from any folder.
I think that it's unlikely a server side configuration problem, since it worked until I updated Thunderbird.
Any idea?

I have tried all proposed solutions without success:

  • switching from OAuth2 to "normal password" and back to OAuth2 --> failed;
  • downgrading to version 102.6.1 --> failed;
  • requesting activation of the "Authenticated SMTP" option --> impossible.

Unfortunately, under no circumstances will I be able to send emails from my work account because Basic authentication has been disabled by the system administrator for security reasons (as stated here: «If your authentication policy disables basic authentication for SMTP, clients cannot use the SMTP AUTH protocol even if you enable the settings outlined in this article»).

I don't know if this bug can be fixed by Thunderbird developers or through an agreement with Microsoft, but – as far as I know – at the moment it is not possible to solve this issue and use Thunderbird to manage Office 365 accounts. That's so frustrating…

One thing that you could try is network.dns.disableIPv6 true and see if that makes a difference

(In reply to Magnus Melin [:mkmelin] from comment #28)

One thing that you could try is network.dns.disableIPv6 true and see if that makes a difference

No, switching IPv6 option has no effect

Solved on my side, it wasn't TB's fault.
The IT department said "they disabled SMTP for all company's tenant for security reasons".
They unlocked (at least) mine and it works again: so weird it occurred upon upgrade of Thunderbird!
Thanks for your assistance!

Status: NEW → RESOLVED
Closed: 11 months ago
Resolution: --- → INVALID

I'm reopening, I thought it's resolved based on comment 30, but I've been told there are remaining issues.

Status: RESOLVED → REOPENED
Resolution: INVALID → ---

Is there a list of remaining issues?

Flags: needinfo?(kaie)

Basically, Thunderbird does not fully support Microsoft's Modern authentication: Office365-based corporate email accounts will not be able to send messages if Basic authentication has been disabled (as security defaults are enabled) in the organization

(In reply to Thunderbird Addicted from comment #33)

Basically, Thunderbird does not fully support Microsoft's Modern authentication: Office365-based corporate email accounts will not be able to send messages if Basic authentication has been disabled (as security defaults are enabled) in the organization

If you can point to something in Microsoft's documentation or elsewhere that actually explains what we're not doing, that'd be helpful. "Doesn't support" this or that is unfortunately not enough information to fix any remaining bug here. Note that Oauth2 SMTP works completely fine with M365 standard accounts which is what we've got to test on.

I'm honestly not even sure anyone at Microsoft understands all of their word salad security theatre approach to OAuth2.

Thunderbird does require using SMTP for sending, but that can be used with OAuth2.

I'm closing this report since it's mixing up a few issues that were present earlier, and has no actionable data.
If you can reproduce a problem with Thunderbird 115, please file a new bug with details. An SMTP log would be useful: https://wiki.mozilla.org/MailNews:Logging

Status: REOPENED → RESOLVED
Closed: 11 months ago → 7 months ago
Flags: needinfo?(kaie)
Resolution: --- → WORKSFORME