Institutional Office365 not working

I am also experiencing this. On Monday I will fetch the log from such an insident.

2 Likes

Hi

This is the log when I have to authenticate the account again to get access. It looks like the refresh token lifetime is 1 day.

Håvard

Mailspring Version: 1.8.0-8983dca2
Platform: linux
Account State: invalid
Account Provider: office365
IMAP Server: outlook.office365.com
SMTP Server: smtp.office365.com
--------------------------------------------
***

115026 [2021-03-29 11:10:09.286] [main] [info] Identity created at 1607501098 - using ID Schema 1
115026 [2021-03-29 11:10:09.287] [main] [info] ------------- Starting Sync (havard.korsvoll@gaular-il.no) ---------------
115026 [2021-03-29 11:10:09.296] [metadata] [info] Metadata delta stream starting...
115026 [2021-03-29 11:10:13.296] [background] [info] Fetching XOAuth2 access token (office365) for 989dec24
115026 [2021-03-29 11:10:14.230] [background] [critical] 
***
*** Mailspring Sync 
*** An exception occurred during program execution: 
*** {"debuginfo":"https://login.microsoftonline.com/common/oauth2/v2.0/token RETURNED {\"error\":\"invalid_grant\",\"error_description\":\"AADSTS700081: The refresh token has expired due to maximum lifetime. The token was issued on 2021-03-26T08:00:57.6731988Z and the maximum allowed lifetime for this application is 1.00:00:00.\\r\\nTrace ID: b5216518-036b-4e9e-bf4c-ce8008e63800\\r\\nCorrelation ID: cf8e3ce8-cb64-4306-9671-6aef846eba1f\\r\\nTimestamp: 2021-03-29 09:10:14Z\",\"error_codes\":[700081],\"timestamp\":\"2021-03-29 09:10:14Z\",\"trace_id\":\"b5216518-036b-4e9e-bf4c-ce8008e63800\",\"correlation_id\":\"cf8e3ce8-cb64-4306-9671-6aef846eba1f\",\"error_uri\":\"https://login.microsoftonline.com/error?code=700081\"}","key":"Invalid Response Code: 400","retryable":false,"what":"std::exception"}
***

115042 [2021-03-29 11:10:14.425] [main] [info] Identity created at 1607501098 - using ID Schema 1
115042 [2021-03-29 11:10:14.426] [main] [info] ------------- Starting Sync (havard.korsvoll@gaular-il.no) ---------------
115042 [2021-03-29 11:10:14.436] [metadata] [info] Metadata delta stream starting...
115042 [2021-03-29 11:10:18.435] [background] [info] Fetching XOAuth2 access token (office365) for 989dec24
115042 [2021-03-29 11:10:18.918] [background] [critical] 
***
*** Mailspring Sync 
*** An exception occurred during program execution: 
*** {"debuginfo":"https://login.microsoftonline.com/common/oauth2/v2.0/token RETURNED {\"error\":\"invalid_grant\",\"error_description\":\"AADSTS700081: The refresh token has expired due to maximum lifetime. The token was issued on 2021-03-26T08:00:57.6731988Z and the maximum allowed lifetime for this application is 1.00:00:00.\\r\\nTrace ID: b18dc211-d43d-44f5-a25c-3349897c3800\\r\\nCorrelation ID: 61354c8f-14ff-4167-b5c3-892e025eafbd\\r\\nTimestamp: 2021-03-29 09:10:18Z\",\"error_codes\":[700081],\"timestamp\":\"2021-03-29 09:10:18Z\",\"trace_id\":\"b18dc211-d43d-44f5-a25c-3349897c3800\",\"correlation_id\":\"61354c8f-14ff-4167-b5c3-892e025eafbd\",\"error_uri\":\"https://login.microsoftonline.com/error?code=700081\"}","key":"Invalid Response Code: 400","retryable":false,"what":"std::exception"}
***
1 Like

Hello all, I’m new to Mailspring. I’m having the same issue any help will be appreciated. Everything seems ok with auth according to “my Sign-ins” from MS site everything auth’d ok, but the app says otherwise. I tried the downgrade to 1.7.2, same issue. I’m on 1.8.0 and same

Screenshot from 2021-03-29 10-49-35 Screenshot from 2021-03-29 10-52-20

It looks like the refresh token is never updated. Looking at the logs, I see these lines approximately every hour:

136437 [2021-03-30 10:19:26.752] [background] [info] Fetching XOAuth2 access token (office365) for 989dec24
136437 [2021-03-30 10:19:27.129] [background] [info] Syncing folder list...

24 hours after the last manual authorization, I get the errors mentioned above, and I have to authorize again.

One of two things is happening.

  1. When Mailspring fetches XOAuth2 access tokens every hour, no refresh token is returned from Microsoft.
  2. When Mailspring fetches XOAuth2 access tokens every hour, a refresh token is fetched, but it is not stored or Mailspring never uses it when authorizing again. It probably only uses the original access token each time it authorizes itself.

I found the source for Mailspring-Sync, and the function handling this is MakeOAuthRefreshRequest. Unfortunately, I am not a skilled C++ developer, but hopefully someone is able to figure out what is happening here:

const json MakeOAuthRefreshRequest(string provider, string clientId, string refreshToken) {
    CURL * curl_handle = curl_easy_init();
    const char * url =
          provider == "gmail" ? "https://www.googleapis.com/oauth2/v4/token"
        : provider == "office365" ? "https://login.microsoftonline.com/common/oauth2/v2.0/token"
        : "";
    curl_easy_setopt(curl_handle, CURLOPT_URL, url);
    curl_easy_setopt(curl_handle, CURLOPT_CONNECTTIMEOUT, 20);
    
    auto c = curl_easy_escape(curl_handle, clientId.c_str(), 0);
    auto r = curl_easy_escape(curl_handle, refreshToken.c_str(), 0);
    string payload = "grant_type=refresh_token&client_id=" + string(c) + "&refresh_token=" + string(r);
    if (provider == "office365") {
        // workaround the fact that Microsoft's OAUTH flow allows you to authorize many scopes, but you
        // have to get a separate token for outlook (email + IMAP) and contacts / calendar / Microsoft Graph APIs
        // separately. The same refresh token will give you access tokens, but the access tokens are different.
        payload += "&scope=https%3A%2F%2Foutlook.office365.com%2FIMAP.AccessAsUser.All%20https%3A%2F%2Foutlook.office365.com%2FSMTP.Send";
    }
    struct curl_slist *headers = NULL;
    headers = curl_slist_append(headers, "Accept: application/json");
    headers = curl_slist_append(headers, "Content-Type: application/x-www-form-urlencoded");
    if (provider == "office365") {
        // workaround "AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type
        // may only be redeemed via cross-origin requests"
        headers = curl_slist_append(headers, "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Mailspring/1.7.8 Chrome/69.0.3497.128 Electron/4.2.12 Safari/537.36");
        headers = curl_slist_append(headers, "Origin: null");

    }
    curl_easy_setopt(curl_handle, CURLOPT_CUSTOMREQUEST, "POST");
    curl_easy_setopt(curl_handle, CURLOPT_HTTPHEADER, headers);
    curl_easy_setopt(curl_handle, CURLOPT_POSTFIELDS, payload.c_str());
    
    return PerformJSONRequest(curl_handle);
}
1 Like

I have just read a little bit about how OAuth 2.0 is supposed to work :slight_smile:

Apparently, Google APIs have long lived refresh tokens (up to 6 months), but it looks like the Office365 refresh tokens only are valid for 1 day. I guess there are some settings in Azure to increase the lifetime of a refresh token.

This article is describing token lifetime policy properties in Azure.

They made some changes from January 30th this year. I don’t know if that affects the refresh token lifetime.

2 Likes

Hi. I can’t get my office365 account to work. I’ve tried signing in by adding account and choosing Office365 and I get this error.

Authentication Error - Check your username and password. (SMTP)

When I try signing in using IMAP I get this error with View Log

Authentication Error - Check your username and password. (SMTP)View Log

I have set it up using the settings you provide on your website. Below is the output from the log. For your info, I’ve set my account up on Samsung Email and after Mailspring failed I downloaded BlueMail for linux and had no problems at all with it. I’d much rather not have to have two email programs and I’d rather use Mailspring since I’m paying for it, so any help you can give me to get it up and running would be much appreciated. Thanks.

The IMAP settings show successful

----------SMTP----------connect smtp.office365.com 587220 MWHPR04CA0026.outlook.office365.com Microsoft ESMTP MAIL Service ready at Sat, 3 Apr 2021 14:52:21 +0000initEHLO lonnie-HP-ENVY-x360-Convertible-15-ee0xxx250-MWHPR04CA0026.outlook.office365.com Hello [2601:646:203:b7e0:4547:ee4b:7389:172b]250-SIZE 157286400250-PIPELINING250-DSN250-ENHANCEDSTATUSCODES250-STARTTLS250-8BITMIME250-BINARYMIME250-CHUNKING250 SMTPUTF8start TLSSTARTTLS220 2.0.0 SMTP server readydoneOpenSSL version: OpenSSL 1.1.0f 25 May 2017init after starttlsEHLO lonnie-HP-ENVY-x360-Convertible-15-ee0xxx250-MWHPR04CA0026.outlook.office365.com Hello [2601:646:203:b7e0:4547:ee4b:7389:172b]250-SIZE 157286400250-PIPELINING250-DSN250-ENHANCEDSTATUSCODES250-AUTH LOGIN XOAUTH2250-8BITMIME250-BINARYMIME250-CHUNKING250 SMTPUTF8AUTH LOGIN334 VXNlcm5hbWU6cGFjbWFuQG1hbmphcm8ucHJv334 UGFzc3dvcmQ6bGVlYWxsZW43535 5.7.139 Authentication unsuccessful, SmtpClientAuthentication is disabled for the Tenant. Visit aka.ms/smtp_auth_disabled for more info. [MWHPR04CA0026.namprd04.prod.outlook.com]

SASL_PATH: /usr/share/mailspring/resources/app.asar.unpacked

SMTP Last Response Code: 535SMTP Last Response: 5.7.139 Authentication unsuccessful, SmtpClientAuthentication is disabled for the Tenant. Visit aka.ms/smtp_auth_disabled for more info. [MWHPR04CA0026.namprd04.prod.outlook.com]

mailsmtp Last Error Code: 17mailsmtp Last Error Explanation: MAILSMTP_ERROR_AUTH_LOGINmailsmtp Last Error Location: 10mailsmtp Last Auth Type: 16

Hi @backslidr

The clue lies in the error message in your log:

Authentication unsuccessful, SmtpClientAuthentication is disabled for the Tenant. Visit aka.ms/smtp_auth_disabled for more info. 

Mailspring only supports connection through the IMAP and SMTP protocols. It looks like SMTP authentication is turned off for your organization.

Visit Enable or disable SMTP AUTH | Microsoft Docs for more information.

Well, it looks like I’m out of luck on this one. I followed your link and and it says to go to the Microsoft 365 Admin Center. When I click on that link it takes me to GoDaddy where the option I’m supposed to use is non-existent. I found I could get to an admin center online, but the options aren’t there either. The only other way they say to do it is to enter a command in PowerShell, but since I don’t have Windows I can’t do that either. I don’t really understand what’s going on with Mailspring since all I have to do to add an account in any other mail app I just have to add an Office365 account. Mailspring has this but I get the same error message when I try and it won’t let me log into my account. It works with BlueMail, Thunderbird, Android mail, everything but Mailspring. I really appreciate your help, but unless there’s another way it looks like I’m just going to have to use two email apps from now on or just use one of the other apps instead of Mailspring, neither of which I care for. Thanks!

Hey all,

Obviously having the same issue as most here, except I think I may be in the wrong area and was hoping someone could/would help point me to the correct area? I see a few mentions that this is a free service/ labor of love in response to the frustrations caused by this bug(or whatever term you want to apply). Where do those of us who pay for this service go? I understand the limitations for a free service, absoutely, but I am looking for the message board for paying customers who aren’t receiving the service they pay for.
Any help is greatly appreciated!

Thanks!

It’s the same place for everyone. The Pro subscription covers the costs of the server and (very expensive) APIs that make the Pro features possible, as well as the costs of the security audits that Google et al demand. It doesn’t provide enough money to hire support staff or full-time developers. Without Pro subscriptions, the Pro features just simply wouldn’t exist, and everyone using the software would be on Mailspring Basic.

There’s also no Big Company backing Mailspring development — Foundry376’s involvement is merely as the legal business entity that makes the subscriptions possible.

That’s all there is to it, really. Mailspring Pro never promises or pretends to provide “premium support”. You’re paying for the features that cost Mailspring money to provide, nothing more.

Thank you for replying!

I appreciate your thoroughness and promptness. Very informative!

The issue I have isn’t with a Pro feature, however. It’s with a basic feature (having more than one O365 address) and then, subsequently, the avenues with which I’m able to rectify that issue. And that’s the issue I have that’s germane to the post I replied to; it doesn’t include the other problems/bugs I’ve experienced with MailSpring.

And while I understand that Pro features are only available because of the subs, I didn’t sign up to “donate”, I signed up to receive the services advertised as being exlusive to Pro. Once money changes hands, I leave “community” and become “consumer”, my concern for backstories takes a muted second place to my demand for the product I paid for and the promised functionality thereof.

I appreciate you taking time to reach out to myself and what appears to be everyone else with complaints here. I cannot fathom how stressful that workload must be.

KUTGW,
O.

I understand your frustration. Unfortunately, there’s nothing more we can do either. This is a high priority, but it isn’t possible to know when it’ll be resolved. As you said, this is a basic feature, and as such, the Pro subscription really has no bearing on it.

Ben, the core developer, is wrapping up a release with some urgent promised functionality right now, and then hopefully this can be the next item on the horizon. That’s why this is tagged #critical and #accepted.

Thank you for your patience.

Hey folks! Thanks for triaging this and adding so much detail - I really appreciate it! This is the #1 priority for the 1.9.1 release and I’ve set up a business Office365 account I’m hoping we can use to reproduce the problem. I’ve also reached out and found someone willing to share their Exchange university login so I can test with that too.

@hkorsvoll, I think you are correct - Mailspring should be storing the new refresh tokens that Office365 returns when we refresh the access token. I think that will alleviate some of the problems, and we can make that change immediately. That said, there are a couple other things happening here I think:

  • Mailspring only supports Office 365 via IMAP + SMTP, which CAN be turned off at the organizational level, leaving only Exchange. If your organization has turned off IMAP+SMTP in Office365, you cannot use Mailspring. The Exchange protocol is closed source and very different from IMAP, and we haven’t built support for it. (I was actually hoping to never have to since they have expanded IMAP+SMTP support a lot in the last few years, but it seems folks are disabling that for security purposes, leaving Exchange important).

  • Mailspring uses OAuth to sign you in to Office365, and that OAuth flow (where it bounces out to your web browser) will direct you through 2FA if it is configured by your organization. Exchange might provide a way for email clients to directly capture and send your 2FA authentication code, but as far as I know we cannot do that via IMAP.

  • I need to read all the docs linked above, but if your organization decides that OAuth refresh tokens must be refreshed every day, odds are you’ll have to sign in to Mailspring every day. This is a totally awful user experience I’m hoping we can improve a bit, but at the end of the day if your university / company is putting in place policies that discourage use of third party mail clients, it’s going to be pretty rough.

Thanks everyone - sorry this has taken a while to get resolved. As we figure this out, I’ll also create a dedicated page we can link folks to from the Office365 authentication screen that details the limitations and solutions, etc. as we get them ironed out!

Ben

7 Likes

Great news @bengotow

I do have admin access to an office365 domain (NGO, 100 free licenses). So I can contribute by setting up mail accounts for you to test on.

Håvard

2 Likes

FYI - I’m running Mailspring 1.9.1, but still having issues with institutional 365 login with two factor authentication - but closer than before. Possibly the issue is because IMAP+SMTP is turned off by my institution, but I have no confirmation of that. When I try to set up an account i’m redirected to my institutional web login, which then appears to work with a screen saying “You’re all set! Go back to Mailspring to finish linking your account and configuring the app.” On returning to Mailspring the dialogue box reads “Authentication Error - Check your username and password. (IMAP)”.

1 Like

Hi everyone

I am using 1.9.1 now. There are still issues with short-lived refresh tokens. Microsoft is probably not giving out a new refresh token when Mailspring fetches the access token. They probably only serve the original one.
I guess the solution is to find a way to make Microsoft issue longer-lived refresh tokens.

Mailspring Version: 1.9.1-30ef802f
Platform: linux
Account State: invalid
Account Provider: office365
IMAP Server: outlook.office365.com
SMTP Server: smtp.office365.com
--------------------------------------------
***

251655 [2021-04-19 22:57:51.356] [main] [info] Identity created at 1607501098 - using ID Schema 1
251655 [2021-04-19 22:57:51.357] [main] [info] ------------- Starting Sync (Havard.Korsvoll@*******.com) ---------------
251655 [2021-04-19 22:57:51.364] [metadata] [info] Metadata delta stream starting...
251655 [2021-04-19 22:57:52.364] [background] [info] Fetching XOAuth2 access token (office365) for 2........4
251655 [2021-04-19 22:57:52.676] [background] [critical] 
***
*** Mailspring Sync 
*** An exception occurred during program execution: 
*** {"debuginfo":"https://login.microsoftonline.com/common/oauth2/v2.0/token RETURNED {\"error\":\"invalid_grant\",\"error_description\":\"AADSTS700081: The refresh token has expired due to maximum lifetime. The token was issued on 2021-04-18T20:06:09.9921920+00:00 and the maximum allowed lifetime for this application is 1.00:00:00.\\r\\nTrace ID: d4d0638e-d304-464d-bcb4-cbc2e17f4900\\r\\nCorrelation ID: 9ae91127-2af9-49d0-95ac-cfb95c98b2c6\\r\\nTimestamp: 2021-04-19 20:57:52Z\",\"error_codes\":[700081],\"timestamp\":\"2021-04-19 20:57:52Z\",\"trace_id\":\"d4d0638e-d304-464d-bcb4-cbc2e17f4900\",\"correlation_id\":\"9ae91127-2af9-49d0-95ac-cfb95c98b2c6\",\"error_uri\":\"https://login.microsoftonline.com/error?code=700081\"}","key":"Invalid Response Code: 400","retryable":false,"what":"std::exception"}
***
3 Likes

I’m facing the same problem with Office365 on macOS. Here is a part of the log of the problem:

Mailspring Version: 1.9.1-30ef802f
Platform: darwin
Account State: invalid
Account Provider: office365
IMAP Server: outlook.office365.com
SMTP Server: smtp.office365.com
--------------------------------------------
***

73589 [2021-04-22 12:29:05.639] [background] [critical] *** Stack trace (line numbers are approximate):
*** in mailsync  ValidateRequestResp(CURLcode, void*, string)
*** in mailsync  PerformRequest(void*)
*** in mailsync  PerformJSONRequest(void*)
*** in mailsync  MakeOAuthRefreshRequest(string, string, string)
*** in mailsync  XOAuth2TokenManager::partsForAccount(shared_ptr)
*** in mailsync  MailUtils::configureSessionForAccount(mailcore::IMAPSession&, shared_ptr)
*** in mailsync  SyncWorker::configure()
*** in mailsync  runBackgroundSyncWorker()
*** in mailsync  main::$_6::operator()() const
*** in mailsync  void* __thread_proxy(void*)
*** in mailsync  thread_start()
***

73598 [2021-04-22 12:29:05.844] [main] [info] Identity created at 1619087345 - using ID Schema 1
73598 [2021-04-22 12:29:05.852] [main] [info] ------------- Starting Sync (commissaricna@fibs.it) ---------------
73598 [2021-04-22 12:29:05.865] [metadata] [info] Metadata sync disabled, not logged in.
73598 [2021-04-22 12:29:07.865] [background] [info] Fetching XOAuth2 access token (office365) for 40f968ef
73598 [2021-04-22 12:29:08.365] [background] [critical] 
***
*** Mailspring Sync 
*** An exception occurred during program execution: 
*** {"debuginfo":"https://login.microsoftonline.com/common/oauth2/v2.0/token RETURNED {\"error
\":\"invalid_grant\",\"error_description\":\"AADSTS700081: The refresh token has expired due to maximum 
lifetime. The token was issued on 2021-04-19T15:03:54.5612034+00:00 and the maximum allowed lifetime for 
this application is 1.00:00:00.\\r\\nTrace ID: 53b61948-44d0-40cd-aac2-183fb2c52700\\r\\nCorrelation ID:
e5a22a79-817a-456b-85ce-83c21b9b939b\\r\\nTimestamp: 2021-04-22 10:29:08Z\",\"error_codes\":[700081]
\"timestamp\":\"2021-04-22 10:29:08Z\",\"trace_id\":\"53b61948-44d0-40cd-aac2-183fb2c52700
\",\"correlation_id\":\"e5a22a79-817a-456b-85ce-83c21b9b939b\",\"error_uri
\":\"https://login.microsoftonline.com/error?code=700081\"}","key":"Invalid Response Code: 
400","retryable":false,"what":"std::exception"}
***

Hoping that the fix coming very soon.

Alex.

I just wanted to say that this worked for me.
I was getting “An unknown error has occurred (mailsync: 3765269347)” but after adding authenticated SMTP to my account, I was able to login and start using Mailspring.
Just wanted to contribute my results.

Thanks for sharing with the class. :smiley:

I have the same problem and would like to identify a solution!