1
votes

I'm using MailKit 2.6.0.0 to connect to Microsoft 365 using OAuth for authentication with POP3, IMAP, and SMTP. The ImapClient and Pop3Client authenticate successfully but the SmtpClient does not. Here's the protocol log from MailKit:

Connected to smtp://smtp.office365.com:587/?starttls=always
S: 220 MN2PR04CA0011.outlook.office365.com Microsoft ESMTP MAIL Service ready at Sat, 30 May 2020 07:48:32 +0000
C: EHLO [192.168.1.240]
S: 250-MN2PR04CA0011.outlook.office365.com Hello [my-ip]
S: 250-SIZE 157286400
S: 250-PIPELINING
S: 250-DSN
S: 250-ENHANCEDSTATUSCODES
S: 250-STARTTLS
S: 250-8BITMIME
S: 250-BINARYMIME
S: 250-CHUNKING
S: 250 SMTPUTF8
C: STARTTLS
S: 220 2.0.0 SMTP server ready
C: EHLO [192.168.1.240]
S: 250-MN2PR04CA0011.outlook.office365.com Hello [my-ip]
S: 250-SIZE 157286400
S: 250-PIPELINING
S: 250-DSN
S: 250-ENHANCEDSTATUSCODES
S: 250-AUTH LOGIN XOAUTH2
S: 250-8BITMIME
S: 250-BINARYMIME
S: 250-CHUNKING
S: 250 SMTPUTF8
C: AUTH XOAUTH2 BASE64USERANDTOKEN
S: 535 5.7.3 Authentication unsuccessful [MN2PR04CA0011.namprd04.prod.outlook.com]
C: QUIT
S: 221 2.0.0 Service closing transmission channel

I've cracked open the BASE64USERANDTOKEN value and it looks exactly like that provided in the successful POP3/IMAP connections. I don't know whether the unsuccessful SMTP authentication is caused by a misconfiguration of Microsoft 365 or a problem in the protocol dialogue. I'm using the Microsoft 365 Developer Subscription provided as a benefit of my MSDN subscription. I can't find any configuration setting specific to SMTP and I've used the correct scope (https://outlook.office365.com/SMTP.Send) when exchanging an authorization code for the access token. I also can't find any error log entries in Microsoft 365 which would help in diagnosing the problem.

As for the protocol dialogue, I noticed Microsoft's description at https://docs.microsoft.com/en-gb/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth

[connection begins]
C: auth xoauth2
S: 334
C: dXNlcj1zb21ldXNlckBleGFtcGxlLmNvbQFhdXRoPUJlYXJlciB5YTI5LnZGOWRmdDRxbVRjMk52YjNSbGNrQmhkSFJoZG1semRHRXVZMjl0Q2cBAQ==
S: 235 2.7.0 Authentication successful
[connection continues...]

differs from Google's at https://developers.google.com/gmail/imap/xoauth2-protocol which is like the MailKit protocol log:

[connection begins]
S: 220 mx.google.com ESMTP 12sm2095603fks.9
C: EHLO sender.example.com
S: 250-mx.google.com at your service, [172.31.135.47]
S: 250-SIZE 35651584
S: 250-8BITMIME
S: 250-AUTH LOGIN PLAIN XOAUTH XOAUTH2
S: 250-ENHANCEDSTATUSCODES
S: 250 PIPELINING
C: AUTH XOAUTH2 dXNlcj1zb21ldXNlckBleGFtcGxlLmNvbQFhdXRoPUJlYXJlciB5YTI5LnZGOWRmdDRxbVRjMk52YjNSbGNrQmhkSFJoZG1semRHRXVZMjl0Q2cBAQ==
S: 235 2.7.0 Accepted
[connection continues...]

Is this a possible cause of the authentication failure?

1
I'm aware that this is a duplicate of stackoverflow.com/questions/62027014/… but I was unable to add my findings as a comment to that post. Apparently my reputation is not high enough for that. – Hans Schlagermeier
It's possible that the problem is that MailKit is sending it on 1 line, but the XOAUTH2 mechanism is supposed to allow doing that (it's called SASL-IR - where IR stands for Initial Response). It should be fine either way, but you could subclass SaslMechanismOAuth2 and override the SupportsInitialResponse property to have it return false. That should be enough to test the theory. – jstedfast
Thanks for the help @jstedfast but my theory was disproved. I modified the calling code as suggested and authentication was still unsuccessful. Here's the end of the protocol log:

C: AUTH XOAUTH2
S: 334
C: BASE64USERANDTOKEN
S: 535 5.7.3 Authentication unsuccessful [MN2PR15CA0014.namprd15.prod.outlook.com]
C: QUIT
S: 221 2.0.0 Service closing transmission channel

I'll try a bit harder to find Microsoft 365 log entries which point to the cause of the failure (surely unsuccessful sign-in attempts are part of some sort of security audit trail). – Hans Schlagermeier
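As an added example (not code from the question, from MailKit, or from either vendor's docs), here is a small Python helper for the "cracking open" step in the question and for the one-line vs. two-step exchange discussed in the comments: it builds and decodes the XOAUTH2 SASL blob, and, for a JWT-shaped Microsoft 365 access token, peeks at the scp/aud claims without verifying the signature so you can confirm the token was actually issued for SMTP.Send. SAMPLE_JWT is constructed here and its claims are assumptions about what a correctly scoped token carries.

```python
import base64
import json
from typing import Optional

# Initial client response quoted in both the Microsoft and Google XOAUTH2 docs
# cited in the question (the bearer token inside it is the docs' dummy value).
DOC_SAMPLE = (
    "dXNlcj1zb21ldXNlckBleGFtcGxlLmNvbQFhdXRoPUJlYXJlciB5YTI5LnZGOWRmdDRx"
    "bVRjMk52YjNSbGNrQmhkSFJoZG1semRHRXVZMjl0Q2cBAQ=="
)

# Constructed, unsigned JWT-shaped token carrying the claims one would expect on
# a Microsoft 365 access token issued for the SMTP.Send scope (not a real token).
SAMPLE_JWT = "eyJhbGciOiJub25lIn0." + base64.urlsafe_b64encode(
    json.dumps({"aud": "https://outlook.office365.com", "scp": "SMTP.Send"}).encode()
).rstrip(b"=").decode() + ".sig"


def build_xoauth2_response(user: str, access_token: str) -> str:
    """Base64 of 'user=<user>\\x01auth=Bearer <token>\\x01\\x01'. The blob is the
    same whether it is sent inline ('AUTH XOAUTH2 <blob>', SASL-IR, as MailKit
    does) or only after the server's '334' continuation."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")

def parse_xoauth2_response(blob: str) -> dict:
    """Decode a blob copied from a protocol log into its user and bearer token,
    so the SMTP one can be compared with what the working IMAP/POP3 sessions sent."""
    raw = base64.b64decode(blob).decode("utf-8")
    if not raw.endswith("\x01\x01"):
        raise ValueError("XOAUTH2 response must end with two \\x01 bytes")
    fields = dict(part.split("=", 1) for part in raw[:-2].split("\x01"))
    if set(fields) != {"user", "auth"} or not fields["auth"].startswith("Bearer "):
        raise ValueError("malformed XOAUTH2 response")
    return {"user": fields["user"], "token": fields["auth"][len("Bearer "):]}

def jwt_claims(token: str) -> Optional[dict]:
    """Payload claims of a JWT-shaped token, decoded WITHOUT signature
    verification (local inspection only: is 'scp' SMTP.Send, is 'aud' the
    Outlook resource?). Opaque tokens such as Google's 'ya29.' ones give None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:
        return None
    return claims if isinstance(claims, dict) else None
```

Never paste a decoded live token into a bug report or a log line; compare the user and the token prefix only.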

1 Answer

1
votes

Found the actual cause of unsuccessful authentication. As mentioned in the original post I'm using my Microsoft 365 Developer Subscription, which gives me a domain looking something like schlagermeier.onmicrosoft.com (not real, folks). I went into the Microsoft 365 admin portal for that account and was offered a "guided configuration" experience or somesuch. This was a sort of wizard UI as a series of webpages. One page had a "choose domain" with two radio buttons. One button was labelled "Use schlagermeier.onmicrosoft.com" and the other was "Enter domain" with an input box for a domain you've already registered and own (e.g. schlagermeier.com). So it appears that you have to explicitly set a domain for SMTP to work, which makes sense. I just assumed the onmicrosoft domain would be used.