OAuth2 for Microsoft Exchange support #1769

Closed
jbadson opened this issue Feb 25, 2022 · 14 comments

@jbadson

jbadson commented Feb 25, 2022

I have followed the instructions in #619 and the wiki article, but I am not able to fetch mail from Exchange mailboxes (same error messages reported in #764). IMAP is enabled and I am able to connect to the mailboxes via IMAP on clients that support OAuth2.

More importantly, it's not clear to me how the above fix ever worked in the first place, since OAuth2 is a completely different authentication protocol from IMAP TLS/SSL and adding a password to a shared mailbox does nothing to change the authentication mode. Most likely Exchange was just silently falling back to basic authentication on accounts that met the criteria to have it enabled. However, Microsoft now disables it on new accounts and will phase it out on all accounts by October of this year. See Deprecation of Basic authentication in Exchange Online.

This is relevant to Gmail users as well, because app passwords are also a less secure workaround and could be deprecated by Google at any time.

It's been almost two years since this Medium post, and it doesn't look like there's been any movement on adding OAuth support to the PHP IMAP extension in at least as long, so perhaps it's time to revisit Freescout's plan for OAuth2 support.
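An added example, not part of the thread and not FreeScout or Webklex code: it shows how an IMAP client authenticates with the SASL XOAUTH2 mechanism instead of a password, and how to read a server's CAPABILITY line to see which password paths it still exposes. The mailbox address, token and capability line are constructed placeholders.

```python
import base64

def xoauth2_initial_response(user: str, access_token: str) -> str:
    """Base64 SASL XOAUTH2 client response: user and bearer token, Ctrl-A delimited."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")

def parse_capabilities(line: str) -> dict:
    """Summarise the auth-relevant atoms of an IMAP CAPABILITY response."""
    atoms = [a.upper() for a in line.split()]
    return {
        "sasl": {a[len("AUTH="):] for a in atoms if a.startswith("AUTH=")},
        "sasl_ir": "SASL-IR" in atoms,            # RFC 4959 initial response
        "login_disabled": "LOGINDISABLED" in atoms,  # RFC 3501
    }

def oauth_auth_lines(tag: str, capability_line: str, user: str, token: str) -> list:
    """Lines the client sends for XOAUTH2; never falls back to a password."""
    caps = parse_capabilities(capability_line)
    if "XOAUTH2" not in caps["sasl"]:
        raise ValueError("server does not advertise AUTH=XOAUTH2")
    response = xoauth2_initial_response(user, token)
    if caps["sasl_ir"]:
        return [f"{tag} AUTHENTICATE XOAUTH2 {response}"]
    # Without SASL-IR the response is sent after the server's "+" continuation.
    return [f"{tag} AUTHENTICATE XOAUTH2", response]

def password_paths_offered(capability_line: str) -> set:
    """Password-based paths the endpoint still advertises (basic authentication)."""
    caps = parse_capabilities(capability_line)
    offered = caps["sasl"] & {"PLAIN", "LOGIN"}
    if not caps["login_disabled"]:
        offered.add("LOGIN-COMMAND")  # plain "LOGIN user password" command
    return offered

# Constructed sample values, not captured from a real server.
SAMPLE_CAPS = "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR IDLE"
SAMPLE_USER = "helpdesk@example.com"
SAMPLE_TOKEN = "PLACEHOLDER_ACCESS_TOKEN"

if __name__ == "__main__":
    print(oauth_auth_lines("A1", SAMPLE_CAPS, SAMPLE_USER, SAMPLE_TOKEN))
    print(sorted(password_paths_offered(SAMPLE_CAPS)))
```

An advertised password mechanism only shows what the endpoint offers at the protocol level; the server can still reject it by policy, as the thread describes for accounts with basic authentication disabled.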

@freescout-helpdesk
Contributor

We'll check what can be done. Maybe it can be implemented as a module.

@talgan

talgan commented Feb 27, 2022

In my opinion, it is now an absolutely necessary feature.

@jbadson
Author

jbadson commented Feb 28, 2022

Now I am confused as to why the team was planning to wait for OAuth to be added to the standard PHP IMAP extension when it appears that Freescout is using the Webklex laravel-imap client. Webklex/laravel-imap added OAuth support in version 2.0.0, almost a year and a half ago. Why not just upgrade it?

I agree this is a necessary feature. It's unfortunate that Microsoft has pushed this change on users, but they did give well over two years' notice. And Exchange is certainly in the top three corporate email services. Not supporting it doesn't seem like a very good option.

In the meantime I found a workaround that will allow users to re-enable basic IMAP auth until Microsoft permanently disables it in October. None of the PowerShell methods I found in MS's docs worked, but I found this very strange thing in a June 2021 update about basic auth deprecation.

[image]

It worked for me. I also had to add passwords to shared mailboxes using the method described in the Freescout docs.

@freescout-helpdesk
Contributor

freescout-helpdesk commented Mar 1, 2022

> Webklex/laravel-imap added OAuth support in version 2.0.0, almost a year and a half ago. Why not just upgrade it?

Webklex/laravel-imap has been completely reworked to support OAuth. It's still very fresh and most likely contains a lot of bugs. Debugging and fixing IMAP fetching is hell. When we started to use Webklex/laravel-imap there were a lot of issues with fetching emails and we had to fix them manually in FreeScout (as Webklex/laravel-imap was slow to fix and release fixes). So FreeScout's version of Webklex/laravel-imap is a bit different now. So we may try to integrate with https://github.com/Webklex/php-imap

@freescout-helpdesk
Contributor

freescout-helpdesk commented Mar 2, 2022

In order to add Microsoft Exchange IMAP OAuth support to FreeScout, we need an email address at Microsoft Exchange with an "Exchange Online license" that allows access to Mail. If someone can provide such an email address, please email us at [email protected]. Otherwise, starting from October this year, FreeScout will be unable to fetch emails from Microsoft Exchange mailboxes.

UPDATE: We've got an account at Microsoft Exchange with access to Mail.

@freescout-helpdesk
Contributor

Webklex/php-imap#207

@freescout-helpdesk
Contributor

Webklex/php-imap#212

@freescout-helpdesk
Contributor

Webklex/php-imap#213

@freescout-helpdesk
Contributor

OAuth support for Microsoft Exchange Server added in FreeScout 1.8.9
https://github.com/freescout-helpdesk/freescout/wiki/Connect-FreeScout-to-Microsoft-365-Exchange-via-OAuth

@newz2000

newz2000 commented Apr 8, 2022

Thanks, this worked for receiving. Any chance this can also be used for sending? Looks like it's not possible yet. Sending in newer Office 365 accounts is pretty difficult to set up due to multi-factor authentication being required for licensed users.

@freescout-helpdesk
Contributor

> Thanks, this worked for receiving. Any chance this can also be used for sending? Looks like it's not possible yet. Sending in newer Office 365 accounts is pretty difficult to set up due to multi-factor authentication being required for licensed users.

No plans for now.

@jbadson
Author

jbadson commented Apr 8, 2022

Microsoft claims they will not be permanently disabling SMTP auth, so we should still be able to use that for the time being. If you haven't been using SMTP, you may need to enable it using these instructions. You'll also have to set a password if using a shared mailbox, and you may have to disable security defaults in Azure or it will override SMTP settings.

@newz2000

newz2000 commented Apr 8, 2022

Thanks for the reply. I worked through those instructions but apparently you cannot do them unless you upgrade to a different version of ActiveDirectory. Newer Office 365 accounts must have multi-factor enabled within 30 days unless you change the company policy, but changing this policy isn't possible with the normal version of ActiveDirectory. SMTP provides a 535 error something like, "office 365 smtp error 535 request did not meet the criteria to be authenticated successfully" (hard to copy and paste since the red error window dialog goes away when you click inside it).

One of the help resources is https://docs.microsoft.com/en-us/answers/questions/512954/535-57139-authentication-unsuccessful.html which walks through the problem and steps to resolve by re-enabling legacy authentication. That's how I figured out the AD license was needed. That said, even if I could do it, I'm not sure I'd want to, since MFA is actually a very good idea.

@cm-acooke

Would it be possible for someone to point me in the direction of FreeScout 1.8.9?
