Hotmail/Free Outlook accounts

[ExolonDX]

Hi Simon,

First thanks for writing this proxy server, both my spam filter and pop checker are working.

I just saw your update regarding Hotmail/Free Outlook accounts; I was trying to use the Azure Portal website to set everything up, although everything appeared to be OK, I kept on getting authentication errors.

Just about to give when I came across another proxy server, Raiden Mail Oauth Proxy. On Raidens website it gave instructions on how to setup client_id/client_secret but using the Microsoft Entra website, not the Azure Portal website.

However, this gave me the following error:

2024-10-20 22:56:08,123: Authorisation request received for [email protected] (interactive mode)
2024-10-20 22:56:17,170: Returning authorisation request result for [email protected]
2024-10-20 22:56:17,172: Authorisation result error for account [email protected] - aborting login. OAuth 2.0 authorisation error for account [email protected]: invalid_request; The request is not valid for the application's 'userAudience' configuration. In order to use /common/ endpoint, the application must not be configured with 'Consumer' as the user audience. The userAudience should be configured with 'All' to use /common/ endpoint.
2024-10-20 22:56:17,174: POP (127.0.0.1:54802-{127.0.0.1:3995}-outlook.office365.com:995)     --> b'*\r\n'
2024-10-20 22:56:17,192: POP (127.0.0.1:54802-{127.0.0.1:3995}-outlook.office365.com:995)     <-- b'-ERR The AUTH protocol exchange was canceled by the client.\r\n'
2024-10-20 22:56:17,193: POP (127.0.0.1:54802-{127.0.0.1:3995}-outlook.office365.com:995) <-- b"-ERR Authentication failed. Email OAuth 2.0 Proxy: Login failed for account [email protected]: OAuth 2.0 authorisation error for account [email protected]: invalid_request; The request is not valid for the application's 'userAudience' configuration. In order to use /common/ endpoint, the application must not be configured with 'Consumer' as the user audience. The userAudience should be configured with 'All' to use /common/ endpoint.\r\n"
2024-10-20 22:56:17,205: POP (127.0.0.1:54802-{127.0.0.1:3995}-outlook.office365.com:995) --> b'QUIT\r\n'

A quick Google search and the suggestions were to edit the Manifest and change the "signInAudience" from "PersonalMicrosoftAccount" to "AzureADandPersonalMicrosoftAccount", then everything authenticated successfully:

2024-10-20 23:03:05,508: Accepting new connection from 127.0.0.1:54998 to POP server at 127.0.0.1:3995 (unsecured) proxying outlook.office365.com:995 (SSL/TLS)
2024-10-20 23:03:05,508: Ignoring incoming connection to POP server at 127.0.0.1:3995 (unsecured) proxying outlook.office365.com:995 (SSL/TLS) - no connection information
2024-10-20 23:03:05,615: POP (127.0.0.1:54998-{127.0.0.1:3995}-outlook.office365.com:995) --> [ Client connected ]
2024-10-20 23:03:05,615: POP (127.0.0.1:54998-{127.0.0.1:3995}-outlook.office365.com:995) <-> [ Starting TLS handshake ]
2024-10-20 23:03:06,041: POP (127.0.0.1:54998-{127.0.0.1:3995}-outlook.office365.com:995) <-> [ TLSv1.2 handshake complete ]
2024-10-20 23:03:06,043: POP (127.0.0.1:54998-{127.0.0.1:3995}-outlook.office365.com:995)     <-- b'+OK The Microsoft Exchange POP3 service is ready. [TABPADQAUAAyADYANQBDAEEAMAAwADcANAAuAEcAQgBSAFAAMgA2ADUALgBQAFIATwBEAC4ATwBVAFQATABPAE8ASwAuAEMATwBNAA==]\r\n'
2024-10-20 23:03:06,043: POP (127.0.0.1:54998-{127.0.0.1:3995}-outlook.office365.com:995) <-- b'+OK The Microsoft Exchange POP3 service is ready. [TABPADQAUAAyADYANQBDAEEAMAAwADcANAAuAEcAQgBSAFAAMgA2ADUALgBQAFIATwBEAC4ATwBVAFQATABPAE8ASwAuAEMATwBNAA==]\r\n'
2024-10-20 23:03:06,046: POP (127.0.0.1:54998-{127.0.0.1:3995}-outlook.office365.com:995) --> b'USER [email protected]\r\n'
2024-10-20 23:03:06,046: POP (127.0.0.1:54998-{127.0.0.1:3995}-outlook.office365.com:995) <-- b'+OK\r\n'
2024-10-20 23:03:06,062: POP (127.0.0.1:54998-{127.0.0.1:3995}-outlook.office365.com:995) --> b'PASS [[ Credentials removed from proxy log ]]\r\n'
2024-10-20 23:03:06,062: POP (127.0.0.1:54998-{127.0.0.1:3995}-outlook.office365.com:995)     --> b'AUTH XOAUTH2\r\n'
2024-10-20 23:03:06,077: POP (127.0.0.1:54998-{127.0.0.1:3995}-outlook.office365.com:995)     <-- b'+ \r\n'
2024-10-20 23:03:07,025: POP (127.0.0.1:54998-{127.0.0.1:3995}-outlook.office365.com:995)     --> b'[[ Credentials removed from proxy log ]]\r\n'
2024-10-20 23:03:07,698: POP (127.0.0.1:54998-{127.0.0.1:3995}-outlook.office365.com:995; [email protected])     <-- b'+OK User successfully authenticated.\r\n'
2024-10-20 23:03:07,698: POP (127.0.0.1:54998-{127.0.0.1:3995}-outlook.office365.com:995; [email protected]) [ Successfully authenticated POP connection - releasing session ]
2024-10-20 23:03:07,698: POP (127.0.0.1:54998-{127.0.0.1:3995}-outlook.office365.com:995; [email protected]) <-- b'+OK User successfully authenticated.\r\n'
2024-10-20 23:03:07,701: POP (127.0.0.1:54998-{127.0.0.1:3995}-outlook.office365.com:995; [email protected]) --> b'STAT\r\n'
2024-10-20 23:03:07,810: POP (127.0.0.1:54998-{127.0.0.1:3995}-outlook.office365.com:995; [email protected]) <-- b'+OK 2 212965\r\n'
2024-10-20 23:03:07,812: POP (127.0.0.1:54998-{127.0.0.1:3995}-outlook.office365.com:995; [email protected]) --> b'LIST\r\n'
2024-10-20 23:03:07,895: POP (127.0.0.1:54998-{127.0.0.1:3995}-outlook.office365.com:995; [email protected]) <-- b'+OK 2 212965\r\n1 133774\r\n2 79191\r\n.\r\n'
2024-10-20 23:03:07,899: POP (127.0.0.1:54998-{127.0.0.1:3995}-outlook.office365.com:995; [email protected]) --> b'UIDL\r\n'
2024-10-20 23:03:07,964: POP (127.0.0.1:54998-{127.0.0.1:3995}-outlook.office365.com:995; [email protected]) <-- b'+OK\r\n1 7425\r\n2 7429\r\n.\r\n'
2024-10-20 23:03:07,967: POP (127.0.0.1:54998-{127.0.0.1:3995}-outlook.office365.com:995; [email protected]) --> b'RETR 1\r\n'
2024-10-20 23:03:08,116: POP (127.0.0.1:54998-{127.0.0.1:3995}-outlook.office365.com:995; [email protected]) <-- b'+OK\r\n'
2024-10-20 23:03:08,250: POP (127.0.0.1:54998-{127.0.0.1:3995}-outlook.office365.com:995; [email protected]) --> b'DELE 1\r\n'
2024-10-20 23:03:08,305: POP (127.0.0.1:54998-{127.0.0.1:3995}-outlook.office365.com:995; [email protected]) <-- b'+OK\r\n'
2024-10-20 23:03:08,307: POP (127.0.0.1:54998-{127.0.0.1:3995}-outlook.office365.com:995; [email protected]) --> b'RETR 2\r\n'
2024-10-20 23:03:08,425: POP (127.0.0.1:54998-{127.0.0.1:3995}-outlook.office365.com:995; [email protected]) <-- b'+OK\r\n'
2024-10-20 23:03:08,462: POP (127.0.0.1:54998-{127.0.0.1:3995}-outlook.office365.com:995; [email protected]) --> b'DELE 2\r\n'
2024-10-20 23:03:08,507: POP (127.0.0.1:54998-{127.0.0.1:3995}-outlook.office365.com:995; [email protected]) <-- b'+OK\r\n'
2024-10-20 23:03:08,514: POP (127.0.0.1:54998-{127.0.0.1:3995}-outlook.office365.com:995; [email protected]) --> b'QUIT\r\n'
2024-10-20 23:03:09,271: POP (127.0.0.1:54998-{127.0.0.1:3995}-outlook.office365.com:995; [email protected]) <-- b'+OK Microsoft Exchange Server POP3 server signing off.\r\n'
2024-10-20 23:03:09,275: POP (127.0.0.1:54998-{127.0.0.1:3995}-outlook.office365.com:995; [email protected]) --> [ Client disconnected ]
2024-10-20 23:03:09,278: POP (127.0.0.1:54998-{127.0.0.1:3995}-outlook.office365.com:995) <-- [ Server disconnected ]

So instead of trying to use another applications client_id which has the potential to change and cause problems, you can create your own using Microsofts Entra website.

Colin.

[simonrob]

Thanks for this very useful insight! This is something I've never tried myself (I don't use the free version of these services), and based solely on others' reported experiences had always thought that it wasn't supported But it seems like this was a mistaken assumption, and as long as you have a M365 Developer or Azure account this is in fact possible.

I just tried this myself with a Hotmail account, and was able to get it working very easily. After clicking the button to create a new app registration from the Entra admin centre, these were the only steps I needed:

1. On the app registration page, enter any display name of your choice, and for the supported account types option, select "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)". I ignored the optional redirect URI at this stage, and just clicked Register.
2. Once the application is created, copy the Application (client) ID from the summary page that is displayed – this is required for the proxy's configuration file (see below).
3. In the Authentication tab, click the button to add a platform, and choose "Mobile and desktop applications". In the Custom redirect URIs box, enter http://localhost and press Configure.

The corresponding proxy configuration entry to support IMAP/POP/SMTP is:

[[email protected]]
permission_url = https://login.microsoftonline.com/common/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/common/oauth2/v2.0/token
oauth2_scope = https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send offline_access
redirect_uri = http://localhost
client_id = *** your client ID from step 2 here ***

This was all that was required for me, and it worked first time with no issues. Considering this is so much easier than Google's version of the same process, I'm surprised it has caused as much trouble as it has. I will point to this discussion from the proxy's readme and configuration file, and hopefully this will help others navigate the process a little easier.

It's interesting to see Raiden's application. I haven't looked into whether it is just a paid-for wrapper around this proxy or a separate product, but the client setup documentation is perhaps useful nonetheless.

[Eds1989]

I've given this a go, but not been able to get it to work.

I've completed the steps to create an App Registration in the Entra admin center, and added my client ID into the corresponding section of the config for my email, but when submitting a test message from myself to myself, I get:
530 5.7.57 Client not authenticated to send mail

What could I have gotten wrong?

Edit: NVM, just sorted it as it was me being dumb 🤦‍♂️

[Whitehua]

here is my resolution.
open the ufw port (windows firewall TCP port)1587 587 and so on;

[Eds1989]

Do we have to use the exact same app password for every client we point at the OAuth proxy?

I had some clients configured and authorised ok, and was receiving messages. I added a couple of new clients with new app passwords (as I didn't save the first app password) and had to reauthorise. It looks like everything works, until a client with a different app password submits a message, at which point I have to reauthorise?