SMTP issue with smtp.office365.com

@ricardo Well, my o365 smtp is no longer working as well. Will post back what I find.

EDIT: Basic Authentication and Exchange Online – September 2021 Update - Microsoft Tech Community

Related to retiring of “unused” basic auth. Supposedly, even after a hard date of October 2022 basic auth should still work for SMTP. See the link for instructions on how to enable. They mention they are disabling at the tenant level for those who are not already using it.

My K9Mail app is blocking legacy IMAP using app password, so I guess this is expected.

Again this link: Enable or disable SMTP AUTH in Exchange Online | Microsoft Docs includes enabling SMTP on the account level via PowerShell. Instructions regarding how to verify SMTP is enabled are included.

Hi Garrett,

The subscription was through a provider of Microsoft.
Following this article:
EDIT: Basic Authentication and Exchange Online – September 2021 Update - Microsoft Tech Community

This is the result of my test:

I already enabled it for a specific user.

I think there is a difference between basic auth and authenticated smtp.

My diagnostics say:
image

Your test results are indicating that Basic Auth is disabled for your organization (this is the default). I have had Basic Auth in use, and so my results are different. In the Protocol to Enable dropdown, SMTP is not listed, because it will not be disabled by default for those organizations who have been using it. However, IMAP is listed.

K9-Mail in their recent 6.2 version broke functionality with Office365 - so that was unfortunately not a good test and does not indicate a problem with your credentials. If you can test with a previous version of K9 or any other app that would help. I believe your organization settings do not permit using an app password. This is the new default setting.

EDIT: I think “Basic Auth” and SMTP Auth are interchangeable. Try with another app - we have not yet confirmed your credentials are good.

Hi Garrett,

How can I confirm if my organization allows app passwords? I will look for another app to test if I don't find any old version of K9-Mail.

@ricardo I just tested this on my own app password, and it successfully authenticated.

First, create base64 versions of your user@domain.com and password. For me, I just used base64 with PHP: base64_encode(<whatever>). However you want to do it, create two strings.

Then from the Linux command line:
openssl s_client -starttls smtp -crlf -connect smtp.office365.com:587

This will get you connected securely instead of having to send STARTTLS command. The result should look like:

CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
verify return:1
depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = outlook.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = outlook.com
   i:C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
 1 s:C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIIpjCCB46gAwIBAgIQBRY+dkz/tKL6OsKG/GC93zANBgkqhkiG9w0BAQsFADBL
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSUwIwYDVQQDExxE
aWdpQ2VydCBDbG91ZCBTZXJ2aWNlcyBDQS0xMB4XDTIyMDcwNTAwMDAwMFoXDTIz


    Start Time: 1657766875
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
250 SMTPUTF8

Then, do:
ehlo ricardo (for our purposes it can be whatever you want to put there after ehlo)

It should respond with:

250-CH2PR07CA0051.outlook.office365.com Hello [your ip address]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH LOGIN XOAUTH2
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8

Does it show AUTH LOGIN?

Then do:
AUTH LOGIN

It should respond with a base64 version of “username”:

334 VXNlcm5hbWU6

Then, paste in your base64 version of your username, and submit it

It should respond with base64 version of “password”:

334 UGFzc3dvcmQ6

Then, paste in your base64 version of your app password, and submit it. If successful, you will see:

235 2.7.0 Authentication successful

You can QUIT to end the connection.
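
Added example (not part of the original post, and not passbolt code): shell helpers for the manual test described above, which encode the username and app password locally, decode the server's 334 prompts, and read the advertised AUTH mechanisms from an EHLO reply. The function names and the sample values (user@example.com, mail.example.test, 203.0.113.10) are constructed for illustration.

```sh
#!/bin/sh
# Added example: local helpers for the manual AUTH LOGIN test.
# Every sample value here is constructed; none is a real credential.

# Base64-encode one credential. printf '%s' avoids the trailing newline
# that `echo` appends (it would be encoded as part of the value), and
# tr removes the line wrapping base64 applies to long input.
b64_cred() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Prompt for a secret without echoing it or leaving it in shell history,
# then print its base64 form to paste after the second 334 reply.
b64_prompt() {
    printf 'Secret: ' >&2
    stty -echo; IFS= read -r secret; stty echo
    printf '\n' >&2
    b64_cred "$secret"; printf '\n'
    unset secret
}

# Decode a "334 <base64>" server reply to see what it is asking for.
decode_prompt() {
    printf '%s' "${1#334 }" | base64 -d
}

# Print the mechanisms from the "250-AUTH ..." line of an EHLO reply.
auth_mechs() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^250[- ]AUTH //p'
}

# Succeed if mechanism $2 is advertised in EHLO reply $1.
offers_mech() {
    for m in $(auth_mechs "$1"); do
        if [ "$m" = "$2" ]; then return 0; fi
    done
    return 1
}

# Constructed EHLO reply in the shape of the one shown in the post.
SAMPLE_EHLO='250-mail.example.test Hello [203.0.113.10]
250-SIZE 157286400
250-AUTH LOGIN XOAUTH2
250 SMTPUTF8'

echo "prompt 1: $(decode_prompt '334 VXNlcm5hbWU6')"
echo "username: $(b64_cred 'user@example.com')"
echo "offered:  $(auth_mechs "$SAMPLE_EHLO")"
```

Base64 is an encoding, not encryption, so the pasted values are protected only by the TLS session that `openssl s_client` negotiated.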

Hi Garrett,

I apologize for my late answer. I used this page https://www.base64encode.org to create my user and pass.

output
535 5.7.139 Authentication unsuccessful, the request did not meet the criteria to be authenticated successfully. Contact your administrator. [BL1PR13CA0195.namprd13.prod.outlook.com].

@ricardo No problem, thanks for the update. This was useful as it helps us know it’s not a passbolt issue but a credentials issue.

I’m not sure what to recommend regarding your Microsoft settings but asking them via support might be a good next step.

Hi Garrett,

I disabled security defaults and my tests were successful with the app password and the normal password.
openssl s_client -starttls smtp -crlf -connect smtp.office365.com:587
235 2.7.0 Authentication successful.

But when I tested with passbolt:

Could not send the test email.
Error: SMTP server did not accept the password.

@ricardo Nice! Would you mind posting your email config again? Remove the username and password before posting.

Hi Garrett,

Sure.

Thanks for your help!

@ricardo Can you please try with the client value set to your public ip address (or domain) and see if that makes any difference. By default I think localhost is sent but sometimes mail servers don’t like that.

Hi Garrett,

I put the public IP address but it is still failing with the same error.

[504] 5.7.4 Unrecognized authentication type [MN2PR08CA0002.namprd08.prod.outlook.com]

AUTH LOGIN
[334] VXNlcm5hbWU6


[334] UGFzc3dvcmQ6
Could not send the test email.
Error: SMTP server did not accept the password.

@ricardo When I run my send_test_email I have the same 504 error because CakePHP tries AUTH PLAIN first, and then AUTH LOGIN. However, your test is failing after the password.

In your passbolt.php config file make sure both your username and app password are stored in plain text and not the base64 versions from our testing before.

Otherwise, your configuration looks exactly like mine and I have success with my app password.

NOTE: I did notice maybe you were using the long version of your Microsoft tenant name (onmicrosoft[.]com). Try the short version of your domain only.

Hi Garrett,

Yes, I am sure that I am using plain text in my password.
I created a ticket with Microsoft. I will come back if my issue is resolved or if the problem is in passbolt.

I also was able to get K9-mail working the other day after their new update with outlook.office365.com SSL/TLS 993 and smtp.office365.com STARTTLS 587 using my app password, in case you want to give that a shot again.

OK, let me try K9 in the meantime while I am waiting for Microsoft.

I had a call with Microsoft and they told me that SMTP belongs to legacy protocols and you need to do Auth2.0.

I followed this guideline: Amazon Simple Email Service
passbolt - postfix - aws ses

Now I am trying to use AWS SES, but the error said:
status=deferred (SASL authentication failed; server email-smtp.us-west-1.amazonaws.com[52.53.89.16] said: 535 Authentication Credentials Invalid)

I just copied and pasted the one that was generated when I created my SMTP credentials.

[535] Authentication Credentials Invalid

AUTH LOGIN
[334] VXNlcm5hbWU6


[334] UGFzc3dvcmQ6
Could not send the test email.
Error: SMTP server did not accept the password.

It seems that I cannot use a base64 user and password in the passbolt file. SMTP credentials are in base64; I am wondering what I can do?

@ricardo Did your credentials work with k9?

No, it didn't work; that's why I am looking at AWS SES.

If the credentials using the office365 app password don’t work with k9 there is a problem with the credentials. The errors are saying this as well. I would recommend playing with the password to remove any characters that may be causing problems.