Outlook 5.7.3 Authentication unsuccessful

[betacatgo]

Since Microsoft no longer allows basic authentication after September 16th, 2024 (app passwords don't work either), I could no longer use git-send-email to send patches through my Outlook personal account, and then I found this project.

5.7.3 Authentication unsuccessful [LO4P123CA0207.GBRP123.PROD.OUTLOOK.COM 2024-10-10T21:50:33.251Z 08DCE9686F3D146F]

After a long time of struggling with the configuration, I am still stuck on this error and I think I need some help.

./pyenv/bin/python3 emailproxy.py --no-gui --local-server-auth --debug
2024-10-10 23:49:45: Initialising Email OAuth 2.0 Proxy (version 2024-10-04) in debug mode from config file /home/xxx/email-oauth2-proxy/emailproxy.config
2024-10-10 23:49:45: Starting IMAP server at 127.0.0.1:1993 (unsecured) proxying outlook.office365.com:993 (SSL/TLS)
2024-10-10 23:49:45: Starting POP server at 127.0.0.1:1995 (unsecured) proxying outlook.office365.com:995 (SSL/TLS)
2024-10-10 23:49:45: Starting SMTP server at 127.0.0.1:1587 (unsecured) proxying smtp.office365.com:587 (STARTTLS)
2024-10-10 23:49:45: Initialised Email OAuth 2.0 Proxy - listening for authentication requests. Connect your email client to begin
2024-10-10 23:49:56: New incoming connection to SMTP server at 127.0.0.1:1587 (unsecured) proxying smtp.office365.com:587 (STARTTLS)
2024-10-10 23:49:56: Accepting new connection from 127.0.0.1:53878 to SMTP server at 127.0.0.1:1587 (unsecured) proxying smtp.office365.com:587 (STARTTLS)
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587) --> [ Client connected ]
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587)     <-- b'220 LO4P302CA0005.outlook.office365.com Microsoft ESMTP MAIL Service ready at Thu, 10 Oct 2024 22:49:55 +0000 [08DCE8B62813AB2B]\r\n'
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587) <-- b'220 LO4P302CA0005.outlook.office365.com Microsoft ESMTP MAIL Service ready at Thu, 10 Oct 2024 22:49:55 +0000 [08DCE8B62813AB2B]\r\n'
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587) --> b'EHLO debian.aux.lan\r\n'
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587)     --> b'EHLO debian.aux.lan\r\n'
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587)     <-- b'250-LO4P302CA0005.outlook.office365.com Hello [193.115.217.23]\r\n'
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587)     <-- b'250-SIZE 157286400\r\n'
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587)     <-- b'250-PIPELINING\r\n'
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587)     <-- b'250-DSN\r\n'
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587)     <-- b'250-ENHANCEDSTATUSCODES\r\n'
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587)     <-- b'250-STARTTLS\r\n'
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587)     <-- b'250-8BITMIME\r\n'
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587)     <-- b'250-BINARYMIME\r\n'
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587)     <-- b'250-CHUNKING\r\n'
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587)     <-- b'250 SMTPUTF8\r\n'
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587)     --> b'STARTTLS\r\n'
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587)     <-- b'220 2.0.0 SMTP server ready\r\n'
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587) <-> [ Starting TLS handshake ]
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587) [ Successfully negotiated SMTP server STARTTLS connection - re-sending greeting ]
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587)     --> b'EHLO debian.aux.lan\r\n'
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587) <-> [ TLSv1.3 handshake complete ]
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587)     <-- b'250-LO4P302CA0005.outlook.office365.com Hello [193.115.217.23]\r\n'
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587)     <-- b'250-SIZE 157286400\r\n'
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587)     <-- b'250-PIPELINING\r\n'
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587)     <-- b'250-DSN\r\n'
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587)     <-- b'250-ENHANCEDSTATUSCODES\r\n'
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587)     <-- b'250-AUTH LOGIN XOAUTH2\r\n'
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587)     <-- b'250-8BITMIME\r\n'
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587)     <-- b'250-BINARYMIME\r\n'
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587)     <-- b'250-CHUNKING\r\n'
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587)     <-- b'250 SMTPUTF8\r\n'
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587) <-- b'250-LO4P302CA0005.outlook.office365.com Hello [193.115.217.23]\r\n250-SIZE 157286400\r\n250-PIPELINING\r\n250-DSN\r\n250-ENHANCEDSTATUSCODES\r\n250-AUTH PLAIN LOGIN\r\n250-8BITMIME\r\n250-BINARYMIME\r\n250-CHUNKING\r\n250 SMTPUTF8\r\n'
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587) --> b'AUTH PLAIN [[ Credentials removed from proxy log ]]\r\n'
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587)     --> b'AUTH XOAUTH2\r\n'
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587)     <-- b'334 \r\n'
2024-10-10 23:49:56: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587; xxx.xxx@outlook.com)     --> b'[[ Credentials removed from proxy log ]]\r\n'
2024-10-10 23:50:01: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587; xxx.xxx@outlook.com)     <-- b'535 5.7.3 Authentication unsuccessful [LO4P302CA0005.GBRP302.PROD.OUTLOOK.COM 2024-10-10T22:50:01.030Z 08DCE8B62813AB2B]\r\n'
2024-10-10 23:50:01: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587; xxx.xxx@outlook.com) <-- b'535 5.7.3 Authentication unsuccessful [LO4P302CA0005.GBRP302.PROD.OUTLOOK.COM 2024-10-10T22:50:01.030Z 08DCE8B62813AB2B]\r\n'
2024-10-10 23:50:01: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587) <-- [ Server disconnected ]
2024-10-10 23:50:01: SMTP (127.0.0.1:53878-{127.0.0.1:1587}-smtp.office365.com:587; xxx.xxx@outlook.com) --> [ Client disconnected ]

Above is the failed debug information that frustrates me.

[user]
	email = xxx.xxx@outlook.com
	name = XXX XXX
[sendemail]
	smtpServer = 127.0.0.1
	smtpUser = xxx.xxx@outlook.com
	smtpPass = xxxxx
	smtpServerPort = 1587
	confirm = always
	suppresscc = all

Above is my gitconfig.

[IMAP-1993]
server_address = outlook.office365.com
server_port = 993
local_address = 127.0.0.1

[POP-1995]
server_address = outlook.office365.com
server_port = 995
local_address = 127.0.0.1

[SMTP-1587]
server_address = smtp.office365.com
server_port = 587
server_starttls = True
local_address = 127.0.0.1

[xxx.xxx@outlook.com]
permission_url = https://login.microsoftonline.com/tenant id/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/tenant id/oauth2/v2.0/token
oauth2_scope = https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send offline_access
redirect_uri = http://localhost:8080
client_id = xxxxxxxxxxxx
client_secret = xxxxxxxxxxxx
token_salt = xxxxxxxx
token_iterations = 870000
access_token = xxxxxxxxxxxxxxx
access_token_expiry = 1728601964
refresh_token = xxxxxxxxxxx

[emailproxy]
delete_account_token_on_password_error = True
encrypt_client_secret_on_first_use = False
use_login_password_as_client_credentials_secret = False
allow_catch_all_accounts = False

Above is my emailproxy.config

I can already get the token_salt, access_token, refresh_token, but the authentication is still unsuccessful.

Above are all my configurations in Azure.

I have completed the permission acceptance and can show OAuth 2.0 proxy successfully.

I am sure that SMTP is not disabled in my Outlook as I can use Thunderbird to send emails successfully.

I have tried changing smtp.office365.com to smtp-mail.outlook.com, https://outlook.office.com/SMTP.Send to https://graph.microsoft.com/SMTP.Send, offline_access to https://graph.microsoft.com/offline_access and Web application to SPA application, but none of them work.

I have tried everything I can think of.

If anyone can help me I would be very grateful.

This is important to me.

Many thanks!

[simonrob]

Thanks for the detailed report. Unfortunately I don't have capacity to troubleshoot Azure/Entra setups, but there are plenty of other guides to help you navigate the confusing process required - this was the first result for me just now, for example.

Re: proxy setup, you should stick with what is in the example configuration file (i.e., not the Graph scopes).

[betacatgo]

Thanks for your reply, I tried the method in the article you mentioned, but it doesn't work.

In fact, I have tried many articles on configuring Azure/Entra and none of them work.

The following is some additional information.

As a personal account, there are actually no Office 365 permissions, and only Graph permissions are related to emails.

I have tried turning off all the security configurations I can find, but it doesn't work.

I have also tried turning off two-step authentication, or turning on two-step authentication and using app passwords, but neither works.

I struggled for a long time here, but couldn't make the authentication successful.

If there is still no solution, I can only give up my Outlook account and use other email providers...

[simonrob]

Ah, that's an important detail - if you're using a free Outlook account you'll need to reuse an OAuth client ID that has been approved by Microsoft as you're not able to approve your own (you're not the administrator). There are links in the proxy's readme to various options here.

[betacatgo]

Thanks for the information, it helped me finally find the cause.

Since you mentioned that I need to use a Microsoft approved client id, it made me curious to find out what client id Thunderbird uses.

After some time of debugging using the Thunderbird Developer Tool, I found it all at OAuth2Providers.sys.mjs.

The Thunderbird client id can also be found in this blog.

Outlook personal accounts may not require complex Azure/Entra configurations, as Thunderbird client id can be used (interestingly, we don't need to provide client_secret when using Thunderbird client id).

But when I use the Thunderbird client id, the same error appears again.

5.7.3 Authentication unsuccessful.

This makes me suspect that this is not the problem.

I compared the authentication process of Thunderbird with email-oauth2-proxy which is exactly the same but with different results.

Eventually I debugged Thunderbird with breakpoints and I discovered that the OAuthToken sent by Thunderbird was very different from the one sent by email-oauth2-proxy.

The OAuthToken length sent by Thunderbird is 1585, but the length sent by email-oauth2-proxy is 3401.

After I base64 decoded it, only the very beginning user=xxx.xxx@outlook.comauth=Bearer is the same, while the rest is very different.

I tried to modify the code in SMTPOAuth2ServerConnection and replace OAuth2Helper.encode_oauth2_string(result) with the OAuthToken I got in Thunderbird.

I finally saw the long-awaited 250 OK and the email was sent successfully!

250 2.0.0 OK <XXXXX@XXXXX.eurprd03.prod.outlook.com>

I am not an email expert, but can confirm that there should be bugs in OAuth2Helper.get_oauth2_credentials or OAuth2Helper.encode_oauth2_string.

Hopefully this information provided above can help you fix it.

Many thanks!

[qianbinbin]

Have you tried smtp-mail.outlook.com after changing the client_id? They seem different, see https://answers.microsoft.com/en-us/outlook_com/forum/all/incorrect-popsmtp-servers/85848f40-87ea-44ab-a983-e9c71cfc1c7c and https://support.microsoft.com/en-us/office/pop-imap-and-smtp-settings-for-outlook-com-d088b986-291d-42b8-9564-9c414e2aa040

[betacatgo]

@qianbinbin Thanks for letting me know!

After I changed the SMTP server to smtp-mail.outlook.com, emails can be sent normally.

I no longer need to set up the OAuthToken myself.

The following is the summary for others who want to use email-oauth2-proxy to send emails from their Outlook personal account:

TL;DR

Use Thunderbird Client ID and use smtp-mail.outlook.com as the SMTP server.

[qianbinbin]

Cheers! For others who want a quick setup for personal Outlook on macOS (in Chinese): https://qianbinbin.github.io/posts/oauth-2.0-proxy-for-email-client/

[filipe3x]

I have a similar problem as you betacatgo, but I don't want to send e-mails, just read the email folder's. So I guess I am stuck to IMAP instead of SMTP. Is there a way to apply a similar solution as yours, but with IMAP servers?
My whole issue is discussed here #290 seems very similar to your problem, as I also tried to create an Azure app as most tutorials told me to do so, but in the end I couldn't find a solution to read my personal email's from my outlook's personal account using IMAP.

My current config:

`[filipe.it@outlook.pt]

permission_url = https://login.microsoftonline.com/common/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/common/oauth2/v2.0/token
oauth2_scope = https://outlook.office.com/IMAP.AccessAsUser.All offline_access https://outlook.office.com/SMTP.Send
redirect_uri = https://login.microsoftonline.com/common/oauth2/nativeclient
client_id = 9e5f94bc-e8a4-4e73-b8be-63364c29d753
client_secret = TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82`

[filipe3x]

I managed to get it to work! After almost a month! Thank you very much qianbinbin for your tutorial.

My final config file is

[filipe.it@outlook.pt]
permission_url = https://login.microsoftonline.com/common/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/common/oauth2/v2.0/token
oauth2_scope = https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send offline_access
client_id = 9e5f94bc-e8a4-4e73-b8be-63364c29d753
redirect_uri = https://localhost:7598

[betacatgo]

Congratulations! @filipe3x

Yes, most tutorials tell us to create Azure app, but that makes everything complicated and doesn't work.

Actually we just need to simply use the Thunderbird Client ID and then everything works fine.

[simonrob]

I'm glad you got things working – thanks for following up. As I mentioned above in my second response, the fact that a personal (i.e., free) account is the one you were trying to use here is a crucial factor. Unlike Gmail, where any client can be configured to access the account, Microsoft's process requires administrator approval, and since you are not the administrator of Outlook.com you cannot add new Azure/Entra clients, so must adopt the ID from an existing client. Thunderbird is the most obvious option here.

In the rest of the discussion in this issue there are a lot of other misconceptions or incorrect assumptions. I'll try to clear a few of them up here. First and foremost – all of the attempts to try different scopes, servers or other parameters in the proxy's configuration file are often the source of the problem in the first place. The default configuration is rarely at fault, and trying random values here will just create another problem that stops the proxy working.

Edit: In 31eac06 I've updated the example configuration file and readme to explicitly mention free Outlook.com (and Hotmail) accounts.

Turning to the other points:

I am not an email expert, but can confirm that there should be bugs in OAuth2Helper.get_oauth2_credentials or OAuth2Helper.encode_oauth2_string.

I think you're making this assumption because Thunderbird's token is a different length to the one obtained by the proxy? That's an incorrect assumption, and not the cause of your issue.

I tried to modify the code in SMTPOAuth2ServerConnection and replace OAuth2Helper.encode_oauth2_string(result) with the OAuthToken I got in Thunderbird.

This will work, but not for long. Unlike a standard username/password login, OAuth 2.0 is based on a token that is periodically refreshed. So, once the token you've copied from Thunderbird expires, the proxy will stop working for you again.

After I changed the SMTP server to smtp-mail.outlook.com, emails can be sent normally.

This is the standard configuration as found in the example configuration file. Don't change it!

Cheers! For others who want a quick setup for personal Outlook on macOS (in Chinese): https://qianbinbin.github.io/posts/oauth-2.0-proxy-for-email-client/

Thanks for adding documentation in Chinese. The "its documentation is not really written for humans" bit made me laugh! Just a few minor points: while what you've written about sent emails being duplicated is correct, this can often be disabled in the email client itself (e.g., in Thunderbird, turn off 'Place a copy in "Sent" Folder' in the Copies & Folders tab of the account's settings). If you can't do this, the plugin-enabled version of the proxy has a helper for this. Similarly, while the autostart configuration you've listed will work, if you use the GUI version of the proxy this can be managed automatically for you.

Finally, another issue not mentioned here, but previously raised in connection to free Outlook.com accounts: the errror BAD User is authenticated but not connected. may occur even when you've successfully authenticated your account with the proxy. The reason for this is that IMAP/POP/SMTP is not enabled for your account. Once this is done, things will start working.

[qianbinbin]

Thank you @simonrob for your brilliant work. I mean the documentation is a little bit confusing.

Microsoft uses different servers for Office 365 and personal users, and the domains are just misleading.

However, many sections of the document describe the configuration of Office 365 accounts, but only provide the SMTP configuration for free accounts. And in the Account setup part, only Office 365 configuration is provided.

It would be more convenient if there're some typical templates, e.g. free-outlook.config, office-365.config, gmail.config.

The plugin-enabled version looks awesome. It would be great if we could install it by pip install emailproxy[plugin].

[simonrob]

Thanks for the feedback – this is useful. I'll try to clarify about O365 vs. free/personal accounts.

Re: SMTP configuration – this is the same for both paid and free accounts. And re: accounts, there's currently an example for both O365 and personal accounts. I could perhaps make this clearer by linking directly to examples from the readme.

The plugins version is currently only available by installing manually I'm afraid. This is because the architecture of the proxy makes it quite difficult (perhaps not possible) to achieve in the flexible manner that it currently works. But I'm happy to look at this again if there's significant interest in this version. If you've already got the proxy installed via pip, you can just download the new version of the script and plugins from its branch and try things out, as you've already got everything else required (i.e., there are no extra dependencies).