Thunderbird cannot receive new email from Office365 via the OAuth2 method
Dear all,
Microsoft banned all basic authentication methods from Office365 because these methods do not support multi-factor authentication.
After that, I reconfigured the account to use the OAuth2 method on the latest version of Thunderbird (78.5.1, 32-bit). The result is as follows:
+ Cannot receive new email from Office365 (alert: see attached file No. 1)
+ However, I can send email normally with OAuth2 via SMTP
Please help me fix this problem.
Thank you so much for your support.
All Replies (20)
Who can help me with this case?
Hi, the settings below generally work for Microsoft (MS) email accounts.
POP3: server pop-mail.outlook.com, SSL/TLS security, "Normal Password" auth method, port 995.
IMAP: server imap-mail.outlook.com, SSL/TLS security, "Normal Password" auth method, port 993.
SMTP: server smtp-mail.outlook.com, STARTTLS security, "Normal Password" auth method, port 587.
Username: full email address. Password: MS web mail access password.
(Please push MS = Microsoft to switch from STARTTLS to SSL/TLS.)1 (Please push MS to declare rDNS for each of their IP addresses in their network block ranges.)
MS allows the use of an SMK (Secure Mail Key; also known as App Key, App Password, etc.) and OAuth2 for some accounts in some areas. They are upgrading their systems; slowly all accounts will have both options.
You may need to use SMK/AAK or OAuth2. If inside your Microsoft web mail access you see an option to generate an SMK = Secure Mail Key (or create an AAK = App Key, Approved App Password, etc.) code, that means SMK/AAK is supported for your account, and you have to use an SMK/AAK code as the password in your email client app (for example, TB). When you use an SMK/AAK code as the password, use the "Normal Password" auth method and SSL/TLS encryption security.
You may have to delete the earlier password from the "Saved Passwords" list in TB (it is inside Options/Preferences > Security > Passwords) before you add the SMK/AAK in TB.
If your email account is allowed to use the "OAuth2" auth method, and you want to use OAuth2, then in TB you will have to enable cookies and change the auth method option from "Normal Password" to "OAuth2".
You should enable cookies for specific URLs in TB, and not allow cookies from all URLs, as that is not safe or secure; more info on enabling/allowing specific cookies is here (please upvote my Q+A inside that linked page if it is helpful/useful).
MS has various email-related services; not all of them use the same settings.
A few other mail server settings are shown here by Microsoft.
Users who want to use Microsoft's Exchange ActiveSync (EAS) based mail accounts via TB: please use/add the DavMail (cost-free and open-source) gateway, the MExInt (cost-free) addon, the ExQuilla (not cost-free) addon or the Owl-for-Exchange (not cost-free) addon, and also see/use here (TbSync, a cost-free calendar, contacts, etc. sync addon for TB). BlueMail (cost-free; Windows/Linux/Unix/macOS; Linux/Ubuntu2) supports EAS and is an email client app like TB.
Users who use "office365.com" mail servers, please see the next message below.
Please read my earlier/previous message.
"OAuth2" and "STARTTLS" do not match; using these together is not secure/safe. If your ISP/MSP uses such a setup, PUSH THEM to switch to SSL/TLS security.
If you use the "OAuth2" auth method, then you MUST use "SSL/TLS" security.
If you use "STARTTLS" security, then you must choose another auth method, for example "Normal Password".
MS has not enabled OAuth2, SMK, etc. for ALL email accounts; they are SLOWLY upgrading their server-side locations, in different categories and in different areas, etc.
They are not upgrading all types of accounts at the same time; different things have different priorities.
I think your email account still needs to access MS email via the "Normal Password" auth method through a secure SSL/TLS encrypted connection.
And another user also reported that the mail server addresses you have shown in the picture are still using the earlier settings (that is, they are still using the "Normal Password" auth method), which means MS has not yet enabled "OAuth2" for those mail servers.
So, for TEST purposes, please do this:
Use the settings below:
IMAP server: outlook.office365.com, port: 993, encryption/security: SSL/TLS, auth method: "Normal Password".
POP3 server: outlook.office365.com, port: 995, encryption/security: SSL/TLS, auth method: "Normal Password".
SMTP server: smtp.office365.com, port: 587, encryption/security: STARTTLS, auth method: "Normal Password".
(Please push MS = Microsoft to switch from STARTTLS to SSL/TLS.)1 (Please push MS to declare rDNS for each of their IP addresses in their network block ranges.)
Then remove the MS web mail access password from Thunderbird: go to TB main menu > Options/Preferences/Settings > in the left pane select "Security" > in the right pane select the "Passwords" tab > click the "Saved Passwords" button > click on the "Username" column header to sort by username, find your mail account and remove those entries. Exit TB, then start TB. Click on the "Sent" folder. TB will ask you to enter the password for that MS mail account; enter the (MS web mail access site) password and also select the option to remember it. Click on "Inbox"; TB should show current/new emails. Click on one new email; it should fetch the email "body" and show it to you, proving that the connection is working fine.
If your MS mail account in TB still has problems, then please change the mail server address and use the server address and password that I mentioned in my earlier/previous message.
Dears,
I want to use POP3 for receiving new mail.
Also, I already added cookies for some URLs in Thunderbird (see attached file), but I cannot get new emails.
"I think your email account still needs to access MS email via the "Normal Password" auth method through a secure SSL/TLS encrypted connection" ===> I tried this way but it is not OK.
I can use SMTP with OAuth2 for sending email to outside recipients successfully. Please help me.
I updated my previous message; please see it again.
Cookie exceptions (or cookies) are needed for "OAuth" verification, and for the browser tab inside Thunderbird (TB).
The specific cookies related to Microsoft mail server OAuth verification are not known to me now; I will research it, get the list and update it here later. For now, enable all cookies and try the OAuth2 "auth method".
The "OAuth2" auth method needs "SSL/TLS" security.
But MS has not enabled "OAuth2" yet for all accounts. If "OAuth2" works for you, then you are eligible/lucky enough to be in the right category.
If the "Normal Password" auth method with SSL/TLS security did not work in TB, then that indicates other errors.
For OAuth2 verification purposes, one of the specific cookie exceptions that might be needed is: https://login.microsoftonline.com/ (there must be a few more that also need to be specified in the cookie exception list; I will add the other servers in this answer or here later, so check when you can).
Hi TB Admin/Mod, please add my earlier response back here; after an edit, after I submit, it is not appearing anymore.
-atErik.
Hi, TB Admin/Mod, please add my previous post/answer again.
I had to edit again, and it is not appearing after submitting the edit.
Please fix.
-atErik.
Generally/normally you should avoid using STARTTLS security. TLS/SSL is much more secure than STARTTLS: https://en.wikipedia.org/wiki/Opportunistic_TLS#Weaknesses_and_mitigations STARTTLS has weaknesses; it can be intercepted easily (abused to spy on users). That is why all service providers are upgrading and changing to TLS/SSL, OAuth2, SMK, etc. (as privacy-rights laws are now enforced, or have begun to be enforced, in various places/areas, and if a service provider purposefully uses/supports insecure or anti-privacy methods then they will be fined and punished).
If you use OAuth2, then you should also use SSL/TLS.
But if TB only works when you use STARTTLS, and when you use SSL/TLS it does not work, then use what is working for you. But check back often; when it begins to work with OAuth2 + SSL/TLS, then obviously switch to what is better security.
How to find out which specific URLs are needed for OAuth? It is shown here with other information; just pay more attention to what is related to OAuth, etc.
Brief info from that page:
In FF = Firefox, add a NoScript-type addon, go to the basic-HTML-supported website URL or go to the mobile-specific website, and find out which exact URLs need to be permitted for the site/service to work at the initial stage. Those are the BASIC URLs you need to add to TB's cookie EXCEPTION list.
At this point it still does not have the OAuth-based URLs yet.
Load the "BrowseInTab" and "uBlock Origin" addons in TB.
Unselect or remove the tick mark from the "Accept cookies from sites" option in TB, to find out the specific URLs for the cookie EXCEPTION list.
Send yourself an HTML-based email with a link to the website that you are trying to access.
Open that link inside TB in a browser tab, by right-clicking on the URL and selecting "Open Link in New Tab".
Make sure basic login/sign-in to the (web mail access) website is working; if any more URLs need to be added to the EXCEPTION list, do that.
In one of the "mail accounts" in TB which supports OAuth2, begin the OAuth verification process or begin to add a new OAuth2 mail account. In TB's bottom border and in the top URL bar, you will see which websites TB is attempting to connect to or connecting to, etc.; either take a screenshot whenever the URL changes by pressing the screenshot buttons, or write down each URL when it changes. If only one site is needed for OAuth, then after adding that one site (to the Exception list) OAuth verification will complete, but as long as it is not yet in the Exception list, OAuth will not succeed. So add it to the Exception list and again initiate OAuth verification from the email client app (TB); this time it will succeed. If OAuth verification needs to use multiple sites, then you will also have to add the different URLs to the Exception list one at a time, and you will also have to initiate the OAuth verification process multiple times from the email client app. When OAuth succeeds, you're done. Now you have a list of a few extra URLs which are needed for OAuth (along with the BASIC service access URL list); these should be added to the Exception list.
Also share only the server domain name portions: for example, if a URL is https://subDomain.mainDomain-URL.com/... then share only https://subDomain.mainDomain-URL.com/
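A precise statement of the STARTTLS point raised in the reply above, as an added example (my code, not from this thread, from Thunderbird or from Microsoft). The weakness in the linked Wikipedia section is STARTTLS stripping: an on-path attacker removes STARTTLS from the EHLO reply, and a client that treats TLS as optional then logs in over plaintext. With OAuth2 that means handing over the bearer token, which anyone holding it can replay until it expires. A client that treats STARTTLS as mandatory, which is what Thunderbird's "STARTTLS" connection security setting does, refuses to authenticate and the attacker captures nothing, so OAuth2 over port 587 with STARTTLS is not a downgrade risk in itself. The Python below uses a constructed fake server, a constructed stripping attacker and a constructed account and token (no network); it runs the same XOAUTH2 login directly, through the attacker with a strict client, and through the attacker with an opportunistic client.

```python
import base64

USER = "alice@example.com"                  # constructed sample account
TOKEN = "constructed-opaque-access-token"   # constructed; real tokens are long opaque strings


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """SASL XOAUTH2 initial client response, the argument of 'AUTH XOAUTH2'."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def bearer_token_from_auth_line(line: str) -> str:
    """What an eavesdropper recovers from a captured plaintext 'AUTH XOAUTH2 <b64>' line."""
    raw = base64.b64decode(line.split(" ", 2)[2]).decode("utf-8")
    return raw.split("\x01auth=Bearer ", 1)[1].rstrip("\x01")


class FakeSmtpServer:
    """Constructed stand-in for smtp.office365.com:587; the TLS handshake itself is elided."""
    def __init__(self) -> None:
        self.tls = False

    def command(self, line: str) -> str:
        verb = line.split(" ", 1)[0].upper()
        if verb == "EHLO":
            return "250-outlook.office365.com Hello\r\n250-SIZE 157286400\r\n250-STARTTLS\r\n250 AUTH LOGIN XOAUTH2"
        if verb == "STARTTLS":
            self.tls = True
            return "220 2.0.0 SMTP server ready"
        if verb == "AUTH":   # refuses credentials on a plaintext connection, as real servers do
            return "235 2.7.0 Authentication successful" if self.tls else "530 5.7.0 Must issue a STARTTLS command first"
        return "250 OK"


class StripTlsAttacker:
    """Constructed on-path attacker. Its own leg to the server is TLS, so the server sees a
    normal login; the client's leg stays plaintext because the attacker removes STARTTLS
    from the EHLO reply and answers the client's STARTTLS with a temporary failure."""
    def __init__(self, upstream: FakeSmtpServer) -> None:
        self.upstream, self.captured = upstream, []
        upstream.command("STARTTLS")

    def command(self, line: str) -> str:
        self.captured.append(line)                           # everything the client sends is readable
        verb = line.split(" ", 1)[0].upper()
        if verb == "STARTTLS":
            return "454 4.7.0 TLS not available due to temporary reason"
        reply = self.upstream.command(line)
        if verb == "EHLO":
            reply = "\r\n".join(l for l in reply.split("\r\n") if l[4:].upper() != "STARTTLS")
        return reply


def parse_ehlo(reply: str) -> set:
    """Keywords of a multi-line EHLO reply: '250-KEY ...' lines and a final '250 KEY ...'."""
    return {l[4:].split(" ")[0].upper() for l in reply.split("\r\n") if l.startswith("250") and len(l) > 4}


def smtp_login(peer, user: str, token: str, require_starttls: bool) -> dict:
    """EHLO, STARTTLS if offered, then AUTH XOAUTH2. require_starttls=True is mandatory
    STARTTLS, Thunderbird's 'STARTTLS' setting: no upgrade means no credentials are sent.
    require_starttls=False is opportunistic TLS: it authenticates in the clear if it must."""
    tls = False
    if "STARTTLS" in parse_ehlo(peer.command("EHLO client.example")):
        tls = peer.command("STARTTLS").startswith("220")
        if tls:
            peer.command("EHLO client.example")              # RFC 3207: EHLO again after the handshake
    if not tls and require_starttls:
        return {"authenticated": False, "tls": False, "reason": "no STARTTLS; refusing to AUTH in the clear"}
    reply = peer.command(f"AUTH XOAUTH2 {xoauth2_initial_response(user, token)}")
    return {"authenticated": reply.startswith("235"), "tls": tls, "reason": reply}


def demo() -> dict:
    """The same login directly, through the stripper with a mandatory-STARTTLS client, and
    through the stripper with an opportunistic client."""
    direct = smtp_login(FakeSmtpServer(), USER, TOKEN, require_starttls=True)
    strict_mitm = StripTlsAttacker(FakeSmtpServer())
    strict = smtp_login(strict_mitm, USER, TOKEN, require_starttls=True)
    loose_mitm = StripTlsAttacker(FakeSmtpServer())
    loose = smtp_login(loose_mitm, USER, TOKEN, require_starttls=False)
    leaked = [bearer_token_from_auth_line(l) for m in (strict_mitm, loose_mitm)
              for l in m.captured if l.startswith("AUTH ")]
    return {"direct": direct, "strict_via_attacker": strict, "strict_captured": list(strict_mitm.captured),
            "opportunistic_via_attacker": loose, "leaked_tokens": leaked}
```

Note that the server's own refusal to accept AUTH before STARTTLS does not protect the client here: the attacker upgrades its leg to the server and relays, so only the client's policy decides whether the token crosses the wire in the clear. Implicit TLS on port 465 avoids the plaintext EHLO exchange entirely, but a mandatory-STARTTLS client on 587 ends in the same place: encrypted, or not authenticated at all.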
atErik, thank you so much for your support.
Until now, the problem has not been resolved. I'd like to update and clarify some information as below:
1. OAuth2: "But MS has not enabled "OAuth2" yet for all accounts. If "OAuth2" works for you then you are eligible/lucky enough to be in the right category." ====> Our domain already uses the OAuth2 method.
2. Exception cookies: here are some URLs already added to the cookie exceptions, as in the attached file.
3. Here is our configuration:
+ SMTP with OAuth2 (STARTTLS): it works normally and successfully.
+ POP3 with OAuth2 (SSL/TLS): it does not work.
4. Some log: The DELE command did not succeed. Error marking a message as deleted. Mail server outlook.office365.com responded: Session invalidated - AccessTokenExpired
Please check and help me.
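The log line at the end of the post above names the mechanism, and it is worth seeing it run. Added example (my code, not from this thread or from Microsoft): Python with a constructed stand-in for outlook.office365.com:995 and for the OAuth2 token endpoint, a constructed account name and constructed token lifetimes, no real network. The POP3 client authenticates once with AUTH XOAUTH2; the fake server ties the session to the lifetime of that token, which is the behaviour the log line implies. When the lifetime ends while messages are still being downloaded, the next command, a DELE, fails with "Session invalidated - AccessTokenExpired", and because POP3 only commits deletions at QUIT the aborted session leaves the mailbox untouched, so the same messages come back on the next check. The client-side mitigation shown is to obtain a token that will outlive the whole session, using the absolute expiry computed from the token response's expires_in, before opening the session.

```python
import base64
from dataclasses import dataclass


@dataclass
class Token:
    access_token: str   # opaque to the client
    expires_at: int     # absolute time, computed from the token response's expires_in


@dataclass
class Clock:
    now: int            # fake wall clock in seconds, constructed for the offline demo


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """SASL XOAUTH2 initial client response: base64('user=<addr>\\x01auth=Bearer <tok>\\x01\\x01')."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


class FakeIssuer:
    """Constructed token-endpoint stand-in: each call mints a token valid for `lifetime` seconds."""
    def __init__(self, clock: Clock, lifetime: int) -> None:
        self.clock, self.lifetime, self.issued, self.count = clock, lifetime, {}, 0

    def get_token(self) -> Token:
        self.count += 1
        tok = Token(f"constructed-token-{self.count}", self.clock.now + self.lifetime)
        self.issued[tok.access_token] = tok.expires_at   # shared with the fake mail server
        return tok


def token_for_session(cache: dict, issuer: FakeIssuer, clock: Clock, min_remaining: int) -> Token:
    """Refresh only if the cached token would not survive min_remaining more seconds (0 = naive)."""
    if "token" not in cache or cache["token"].expires_at - clock.now < min_remaining:
        cache["token"] = issuer.get_token()
    return cache["token"]


class FakeOffice365Pop3:
    """Constructed outlook.office365.com:995 stand-in: the session lives only as long as its token."""
    def __init__(self, user: str, issued: dict, clock: Clock, seconds_per_retr: int) -> None:
        self.user, self.issued, self.clock, self.seconds_per_retr = user, issued, clock, seconds_per_retr
        self.mailbox = {1: "Subject: first\r\n\r\nhello", 2: "Subject: second\r\n\r\nworld"}
        self.deleted, self.session_expires_at = set(), None

    def command(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        if verb == "AUTH":
            mech, _, b64 = arg.partition(" ")
            fields = dict(p.split("=", 1) for p in base64.b64decode(b64).decode().strip("\x01").split("\x01"))
            exp = self.issued.get(fields.get("auth", "").removeprefix("Bearer "))
            if mech != "XOAUTH2" or fields.get("user") != self.user or exp is None or exp <= self.clock.now:
                return "-ERR Authentication failure"
            self.session_expires_at = exp
            return "+OK User successfully logged on."
        if self.session_expires_at is None:
            return "-ERR Command is not valid in this state."
        if self.clock.now >= self.session_expires_at:            # token died mid-session: the session is
            self.session_expires_at, self.deleted = None, set()  # dropped and pending DELEs are discarded
            return "-ERR Session invalidated - AccessTokenExpired"
        if verb == "LIST":
            live = [(i, m) for i, m in self.mailbox.items() if i not in self.deleted]
            return "+OK\r\n" + "".join(f"{i} {len(m)}\r\n" for i, m in live) + "."
        if verb == "RETR":
            self.clock.now += self.seconds_per_retr               # downloading takes time
            return "+OK\r\n" + self.mailbox[int(arg)] + "\r\n."
        if verb == "DELE":
            self.deleted.add(int(arg))
            return "+OK"
        if verb == "QUIT":                                         # UPDATE state: deletions committed here
            self.mailbox = {i: m for i, m in self.mailbox.items() if i not in self.deleted}
            self.deleted, self.session_expires_at = set(), None
            return "+OK Bye"
        return "-ERR Unknown command"


def pop3_download_and_delete(server: FakeOffice365Pop3, user: str, token: Token) -> dict:
    """One session the way a POP3 client with 'leave messages on server' off runs it."""
    auth = f"AUTH XOAUTH2 {xoauth2_initial_response(user, token.access_token)}"
    if not server.command(auth).startswith("+OK"):
        return {"ok": False, "failed_at": "AUTH"}
    ids = [int(l.split()[0]) for l in server.command("LIST").split("\r\n")[1:-1]]
    for i in ids:
        for cmd in (f"RETR {i}", f"DELE {i}"):
            reply = server.command(cmd)
            if not reply.startswith("+OK"):
                return {"ok": False, "failed_at": f"{cmd}: {reply}"}
    server.command("QUIT")
    return {"ok": True, "failed_at": None}


def demo() -> dict:
    """Token minted at t=1000 (300 s lifetime); the sync starts at t=1200 and each download takes 60 s."""
    clock, user, cache = Clock(now=1000), "alice@example.com", {}
    issuer = FakeIssuer(clock, lifetime=300)
    server = FakeOffice365Pop3(user, issuer.issued, clock, seconds_per_retr=60)
    token_for_session(cache, issuer, clock, 0)                     # token 1, expires at 1300
    clock.now = 1200
    naive = pop3_download_and_delete(server, user, token_for_session(cache, issuer, clock, 0))
    left_after_naive = sorted(server.mailbox)
    careful = pop3_download_and_delete(server, user, token_for_session(cache, issuer, clock, 150))
    return {"naive": naive, "left_after_naive": left_after_naive, "careful": careful,
            "left_after_careful": sorted(server.mailbox), "tokens_issued": issuer.count}
```

The naive run reproduces the posted log ("DELE 2" rejected with AccessTokenExpired, both messages still on the server); the careful run notices that the cached token has less than 150 s left, asks the issuer for a new one (a refresh-token grant in the real flow) and completes. The same reasoning applies to IMAP: a token that is still valid at login is not enough, it has to cover the whole session.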
Thank you for updating us here.
MS = Microsoft . TB = Thunderbird.
1. MS = Microsoft OAuth info and config info is here.
2. Thanks for sharing the cookie EXCEPTION list.
• Please change the 2 items which have "Allow for session" to "Allow".
• This list does not include what I requested to add:
please add and ALLOW the four URLs shown here in the "Microsoft Outlook" section.
• (Please use Ctrl+F to search for a word in a webpage.)
• The 5th URL exists in your cookie exception list.
• I think there are a few more URLs for "*.office365.com" based mail server sign-in/login and OAuth.
• Please read this patiently, those sections which are related to Microsoft, OAuth and EXCEPTION.
• To know HOW THE EXCEPTION LIST IS CREATED, read both sections that start with "EXCEPTION".
3. What are the NETWORK PORT numbers?
SMTP is supposed to be port 587 and security: STARTTLS in TB.
POP is supposed to be port 995 and security: SSL/TLS in TB.
4. Log record "Session invalidated - AccessTokenExpired"
• is indicating that your cookie related to OAuth2 has expired, meaning you have to do the OAuth2 verification again.
NEW INFO & STEPS: (Microsoft, App Pass Key, OAuth2)
• For some categories of account in some areas, MS has enabled an App-Password-Key (to approve third-party apps); it is like the Secure-Mail-Key that AT&T uses. Different ISPs/MSPs use different terms/words for the same function.
• So, go to your MS web mail access account, sign in/log in and find out where the App-Password-Key or App-Key generation/creation page/option is. It should be inside SECURITY.
• (Note: if it does not exist, then it is not available/enabled for your account yet.)
• Generate/create an App Password Key/code for TB on the MS mail web access site.
• In TB, change the auth method from "OAuth2" to "Normal Password", for both the POP3 and SMTP server settings.
• This App-Password-Key code has to be used with the TB app in the password field of the MS mail account.
• And the previous "Saved Password" in TB has to be deleted (before adding the App Password Key code): TB main menu > Options/Preferences > Security > Passwords > "Saved Passwords" > click on the "Username" column header to sort by username > find your email address under the "Username" column > select it > Remove.
• Restart TB.
• Go to the MS mail account's "Sent" folder; TB will ask/prompt you to enter a password. In the password field/box specify the App-Password key/code.
• MS may/will ask you to confirm/verify your identity by sending a TEXT code or email code; please complete that process.
• TB will begin to function after this.
• The MS "mail account" in TB should not have any problem at this point.
• If you still want to use OAuth2, then do this:
• (Note: before using the OAuth2 "auth method", you need to use TB with the App Password Key.)
• In TB's MS mail account Account Settings, change the "Normal Password" auth method setting to "OAuth2" (auth method).
• Restart TB.
• In TB go to the MS mail account, click on "Sent" or another folder; then TB will begin the OAuth2 verification process.
• During the OAuth2 verification process, you will be asked to sign in/log in to the MSN/Outlook/Live.com site.
• Use the MS web mail access password to sign in/log in and approve the third-party email client app TB = Thunderbird.
• When OAuth2 verification completes, then begin to test email sending and receiving.
• If you don't want to find out the specific cookie exception URLs, then select the "Allow cookies from sites" option inside "Privacy" to accept all cookies during the OAuth2 verification process.
• When OAuth2 verification succeeds, then later you can unselect that "Allow cookies from sites" option.
To TB Mod/Admin: please see why my post is not added here; I posted it a few hours earlier, under this topic/question.
atErik,
Please find my answers as follows:
• "Please change the 2 items which have "Allow for session" to "Allow"." ===> I already updated these items, but it still has the problem.
• "is indicating that your cookie related to OAuth2 has expired, meaning you have to do the OAuth2 verification again." ===> I already deleted the password and did the verification again, but the same log still appears.
• "This App-Password-Key code has to be used with the TB app in the password field of the MS mail account." ====> I tried the App Password but our domain does not accept it.
• "If you don't want to find out the specific cookie exception URLs, then select the "Allow cookies from sites" option inside "Privacy" to accept all cookies during the OAuth2 verification process." =====> I already tried this way, but it still has the problem.
"If you still want to use OAuth2, then do this:
• (Note: before using the OAuth2 "auth method", you need to use TB with the App Password Key.)
• In TB's MS mail account Account Settings, change the "Normal Password" auth method setting to "OAuth2" (auth method).
• Restart TB.
• In TB go to the MS mail account, click on "Sent" or another folder; then TB will begin the OAuth2 verification process.
• During the OAuth2 verification process, you will be asked to sign in/log in to the MSN/Outlook/Live.com site.
• Use the MS web mail access password to sign in/log in and approve the third-party email client app TB = Thunderbird.
• When OAuth2 verification completes, then begin to test email sending and receiving."
=====> I tried this way, but the problem was not resolved.
Thank you so much.
• "This App-Password-Key code has to be used with the TB app in the password field of the MS mail account." ====> I tried the App Password but our domain does not accept it.
Let me rephrase that: • This App-Password-Key code has to be used with the TB app in its MS mail account, as that account's password in the password field.
Please first fix the mail account in TB, to access the Microsoft mail server based mail account, by using the "App Password" aka "App Key", etc. via the "Normal Password" auth method through TLS/SSL security.
When that is working perfectly, then you may again switch to the OAuth2 "auth method".
Did you generate/create an App Key (aka Secure Mail Key aka Third-Party App Key aka App Password, etc.) on the Microsoft email access website? If not, please do so: select your name or avatar in the Microsoft web mail access website's top navigation bar, and then select My Account > Security > Update > Security Basics > More security options > Set up two-step verification > Next. It prompts you to set up the "Microsoft Authenticator" app (which lets you tap Yes or No, or similar choices, in an approval notification to give an app access to your MS email account without requiring you to type your main password or a code); select Cancel, as our objective is an App Key for TB, so "Cancel" will allow you to move on to setting up two-step verification, aka 2FA. Follow the instructions to enable 2FA. On the 3rd step you'll see an option to set up your smartphone or computer with an app password. Select the device type related to setting up TB on a Windows computer. Follow the on-screen instructions to finish setup on your smartphone or computer. Once you have an app password set up, you can use it in your app. More info: 1, 2, 3.
The app password aka app key must be entered into TB's mail account, which has your Microsoft mail server based email account, which you're trying to fix.
Change the Microsoft account in TB from the "OAuth2" auth method to "Normal Password", then remove the earlier password from TB's "Saved Passwords", restart TB, then click on the "Sent" folder to bring up the password prompt; there, enter the App Password. Click on "Inbox"; TB should be able to show emails inside "Inbox". At this point, Microsoft may send you a code by TEXT/SMS or email a code, or ask you via the "Microsoft Outlook" mobile app (or via the "Microsoft Authenticator" app) whether it is indeed you who is trying to access your emails from a third-party app (Thunderbird); enter the code and verify that it is indeed you who is doing this. Once verification is done, TB will begin to access emails.
If I remember anything important or related, I may edit this later.
Please wait for my last post to appear above this message; a TB Mod/Admin needs to approve it.
atErik,
"Did you generate/create an App Key (aka Secure Mail Key aka Third-Party App Key aka App Password, etc.) on the Microsoft email access website?" =====> Yes, I did (as in the attached files), but it still has the problem. Now, the App Password cannot be used with our domain. Our domain only accepts OAuth2.
When I change to OAuth2, I receive a code for verification, and when verification is done:
+ I can send email to outside recipients successfully
+ But I cannot receive new email.
That's the key point, as I think.
(Sorry to add the response late ... this time of the season, etc.)
Please delete the EARLIER PASSWORD first from the "Saved Passwords" list inside TB, and remove all cookies that are related to the Microsoft service that you use. Then restart TB once. Then AGAIN follow the App Password or OAuth2 setup process for your domain email, with the correct POP+SMTP mail server settings. If you do not have another mail account in TB that is also using OAuth2, then you can delete/remove all cookies, to be sure that an older token/cookie is not remaining inside TB. As an old token/cookie is still inside your TB, the OAuth2 auth method cannot work properly; the error you posted earlier is what it is indicating.
Users who are using their own domain name with Microsoft or Google (server/hosting/cloud) services can access (view/receive and send) emails using TB with an App Password/Key or via the main (web mail access) password.
Some users (with their own domain) have issues using OAuth2 from an email client.
If this is not caused by a configuration issue in TB (as you're saying all of your configurations are right: that you applied and are using the correct mail servers as shown in the linked pages, or what is given to you by the MS service, etc.),
then it appears to be a server-side issue, so for such a server-side related issue you also have to contact your service department at MS (Microsoft), where you've set up your account/service.
atErik,
My problem was resolved step by step:
1. Removed the current account.
2. Added the account again with OAuth2.
3. Configuration as follows: "When downloading mail from this account's server, use the following folder to store new messages" ==> Inbox for this account.
Before, I had changed it and used the "Local Folders" to store new messages; after that I could not get new email.
I'm not sure whether this problem will occur in the future or not. I will check and give feedback after 1 month.
Thank you so much for your support and contribution.