Institutional Office365 not working

Hi

I found the problem (and the solution) for my particular problem. The XOAUTH2 authentication feature is not truly set on the office account.
It can be fixed by following this walk-through.
https://www.limilabs.com/blog/office365-temporary-server-error-please-try-again-later-prx4

2 Likes

@pcbowers @anat0lius @TheOneKevin @juancho9303 @erinanacker @joshpack @liu2z2 @callum-osborne

Does the solution above solve it for anyone? Please report yes or no, so we know whether this issue is resolvable with a basic Q&A, or whether to leave this open as a bug.

Thanks for the detective work, @hkorsvoll!

Hello,

Thanks for keeping me updated in the loop! Unfortunately I am not able to test that because my account is under the administration of my college IT department. But if it works for anyone else, I’m glad it worked out for you!

It should be noted that @hkorsvoll’s screenshot is fundamentally different from @callum-osborne’s. @hkorsvoll’s screenshot is an SMTP error whereas @callum-osborne’s is an IMAP error. While the SMTP error may be fixed using the walkthrough he provided, the IMAP error is inherently different.

I am receiving the IMAP error specifically, though I am also aware that my institution has disabled IMAP and POP3, leaving Exchange as the only viable alternative. While authentication is working properly, it could be the simple fact that Mailspring does not currently support Exchange protocols. Correct me if I’m missing something here though!

While looking into this, I did try @hkorsvoll’s fix. I ended up running into similar permission issues. It would seem if one is trying to fix the SMTP error, one would require elevated permissions to their Office365 account to be able to allow Authenticated SMTP. That, or submit a ticket to whoever is in charge of their email within their office with the request.

See the below screenshot for permission context:

2 Likes

I too hope that we can get MFA running against O365 with Modern Authentication. With the recent issues faced on Exchange Servers, as well as O365 Online, it is recommended that MFA be used to secure user accounts. Unfortunately, Microsoft decided they would run this via their own methods, which is where we are now stuck. As time passes, we will see more users of O365 set up with MFA as a method of stopping threat actors from being given access.

I agree on both stances here. This is a free application developed by a team of amazing people, not a paid application with SLAs. I do hope that the MFA Setup from Microsoft can be supported, but of course they only support this on their Microsoft Authenticator Application. As a workaround, I hope that MFA with a 2FA Code from any Authenticator app could be supported. This will of course have to be set up on the account in question. If the institution decides not to allow other authenticators, we’re not going to get anywhere with this.

Hi

From my point of view, the authentication with Office365 is indeed working. There are two criteria that must be satisfied:

  1. The account must be enabled for IMAP
  2. Approved SMTP must be enabled (may need to be set off and on again)

My setup is working with multi-factor authentication. Mailspring does not need to handle the multi-factor authentication since it is using OAUTH2 as the authentication method.

This is how authentication is reported in Azure for my account:



I use Linux and I don’t have admin permissions.
My error is about an expired token:

22504 [2021-03-25 12:44:13.465] [background] [info] Fetching XOAuth2 access token (office365) for d4f3745c
22504 [2021-03-25 12:44:13.465] [metadata] [info] Metadata delta stream starting...
22504 [2021-03-25 12:44:13.934] [background] [critical] 
***
*** Mailspring Sync 
*** An exception occurred during program execution: 
*** {"debuginfo":"https://login.microsoftonline.com/common/oauth2/v2.0/token RETURNED {\"error\":\"invalid_grant\",\"error_description\":\"AADSTS700081: The refresh token has expired due to maximum lifetime. The token was issued on 2021-03-24T10:42:43.2993501Z and the maximum allowed lifetime for this application is 1.00:00:00.\\r\\nTrace ID: 0f0b26f1-fd5b-4680-a50a-665d83574800\\r\\nCorrelation ID: 13ae523a-9ee8-4fac-9ad8-8563d87e7fae\\r\\nTimestamp: 2021-03-25 11:44:13Z\",\"error_codes\":[700081],\"timestamp\":\"2021-03-25 11:44:13Z\",\"trace_id\":\"0f0b26f1-fd5b-4680-a50a-665d83574800\",\"correlation_id\":\"13ae523a-9ee8-4fac-9ad8-8563d87e7fae\",\"error_uri\":\"https://login.microsoftonline.com/error?code=700081\"}","key":"Invalid Response Code: 400","retryable":false,"what":"std::exception"}
***

22504 [2021-03-25 12:44:13.935] [background] [critical] *** Stack trace (line numbers are approximate):
*** ??:?        ValidateRequestResp(CURLcode, void*, string)
*** ??:?        PerformRequest(void*)
*** ??:?        PerformJSONRequest(void*)
*** ??:?        MakeOAuthRefreshRequest(string, string, string)
*** ??:?        XOAuth2TokenManager::partsForAccount(shared_ptr)
*** ??:?        MailUtils::configureSessionForAccount(mailcore::IMAPSession&, shared_ptr)
*** ??:?        SyncWorker::configure()
*** ??:?        runBackgroundSyncWorker()
*** main.cpp:?  main::{lambda()#3}::operator()() const
*** main.cpp:?  _Bind_simple::operator()()
*** main.cpp:?  thread::_Impl::_M_run()
*** thread.o:?  execute_native_thread_routine()
***

My issue has been intermittent. I’ve followed the instructions and it seems to be working but I don’t know for sure for a bit. Thank you, Erin

Hi @CodeMouse92 Just checking back in. This did not resolve my issue. It still has me re-authenticate periodically (1-3 per day).

3 Likes

I am also experiencing this. On Monday I will fetch the log from such an incident.

2 Likes

Hi

This is the log when I have to authenticate the account again to get access. It looks like the refresh token lifetime is 1 day.

Håvard

Mailspring Version: 1.8.0-8983dca2
Platform: linux
Account State: invalid
Account Provider: office365
IMAP Server: outlook.office365.com
SMTP Server: smtp.office365.com
--------------------------------------------
***

115026 [2021-03-29 11:10:09.286] [main] [info] Identity created at 1607501098 - using ID Schema 1
115026 [2021-03-29 11:10:09.287] [main] [info] ------------- Starting Sync (havard.korsvoll@gaular-il.no) ---------------
115026 [2021-03-29 11:10:09.296] [metadata] [info] Metadata delta stream starting...
115026 [2021-03-29 11:10:13.296] [background] [info] Fetching XOAuth2 access token (office365) for 989dec24
115026 [2021-03-29 11:10:14.230] [background] [critical] 
***
*** Mailspring Sync 
*** An exception occurred during program execution: 
*** {"debuginfo":"https://login.microsoftonline.com/common/oauth2/v2.0/token RETURNED {\"error\":\"invalid_grant\",\"error_description\":\"AADSTS700081: The refresh token has expired due to maximum lifetime. The token was issued on 2021-03-26T08:00:57.6731988Z and the maximum allowed lifetime for this application is 1.00:00:00.\\r\\nTrace ID: b5216518-036b-4e9e-bf4c-ce8008e63800\\r\\nCorrelation ID: cf8e3ce8-cb64-4306-9671-6aef846eba1f\\r\\nTimestamp: 2021-03-29 09:10:14Z\",\"error_codes\":[700081],\"timestamp\":\"2021-03-29 09:10:14Z\",\"trace_id\":\"b5216518-036b-4e9e-bf4c-ce8008e63800\",\"correlation_id\":\"cf8e3ce8-cb64-4306-9671-6aef846eba1f\",\"error_uri\":\"https://login.microsoftonline.com/error?code=700081\"}","key":"Invalid Response Code: 400","retryable":false,"what":"std::exception"}
***

115042 [2021-03-29 11:10:14.425] [main] [info] Identity created at 1607501098 - using ID Schema 1
115042 [2021-03-29 11:10:14.426] [main] [info] ------------- Starting Sync (havard.korsvoll@gaular-il.no) ---------------
115042 [2021-03-29 11:10:14.436] [metadata] [info] Metadata delta stream starting...
115042 [2021-03-29 11:10:18.435] [background] [info] Fetching XOAuth2 access token (office365) for 989dec24
115042 [2021-03-29 11:10:18.918] [background] [critical] 
***
*** Mailspring Sync 
*** An exception occurred during program execution: 
*** {"debuginfo":"https://login.microsoftonline.com/common/oauth2/v2.0/token RETURNED {\"error\":\"invalid_grant\",\"error_description\":\"AADSTS700081: The refresh token has expired due to maximum lifetime. The token was issued on 2021-03-26T08:00:57.6731988Z and the maximum allowed lifetime for this application is 1.00:00:00.\\r\\nTrace ID: b18dc211-d43d-44f5-a25c-3349897c3800\\r\\nCorrelation ID: 61354c8f-14ff-4167-b5c3-892e025eafbd\\r\\nTimestamp: 2021-03-29 09:10:18Z\",\"error_codes\":[700081],\"timestamp\":\"2021-03-29 09:10:18Z\",\"trace_id\":\"b18dc211-d43d-44f5-a25c-3349897c3800\",\"correlation_id\":\"61354c8f-14ff-4167-b5c3-892e025eafbd\",\"error_uri\":\"https://login.microsoftonline.com/error?code=700081\"}","key":"Invalid Response Code: 400","retryable":false,"what":"std::exception"}
***
1 Like

Hello all, I’m new to Mailspring. I’m having the same issue any help will be appreciated. Everything seems ok with auth according to “my Sign-ins” from MS site everything auth’d ok, but the app says otherwise. I tried the downgrade to 1.7.2, same issue. I’m on 1.8.0 and same


It looks like the refresh token is never updated. Looking at the logs, I see these lines approximately every hour:

136437 [2021-03-30 10:19:26.752] [background] [info] Fetching XOAuth2 access token (office365) for 989dec24
136437 [2021-03-30 10:19:27.129] [background] [info] Syncing folder list...

24 hours after the last manual authorization, I get the errors mentioned above, and I have to authorize again.

One of two things is happening.

  1. When Mailspring fetches XOAuth2 access tokens every hour, no refresh token is returned from Microsoft.
  2. When Mailspring fetches XOAuth2 access tokens every hour, a refresh token is fetched, but it is not stored or Mailspring never uses it when authorizing again. It probably only uses the original access token each time it authorizes itself.

I found the source for Mailspring-Sync, and the function handling this is MakeOAuthRefreshRequest. Unfortunately, I am not a skilled C++ developer, but hopefully someone is able to figure out what is happening here:

// Includes and declarations added for context; assumed from the Mailspring-Sync
// sources, they are not part of the snippet as originally posted.
#include <string>
#include <curl/curl.h>
#include "json.hpp"                  // nlohmann::json, as used by Mailspring-Sync
using namespace std;
using json = nlohmann::json;

const json PerformJSONRequest(CURL * curl_handle);   // defined elsewhere in Mailspring-Sync

// Exchange a stored refresh token for a fresh access token at the provider's
// OAuth 2.0 token endpoint. Note that the JSON this returns is handed straight
// back to the caller: whether a rotated refresh_token in that response is
// persisted is decided by the caller, not here.
const json MakeOAuthRefreshRequest(string provider, string clientId, string refreshToken) {
    CURL * curl_handle = curl_easy_init();
    const char * url =
          provider == "gmail" ? "https://www.googleapis.com/oauth2/v4/token"
        : provider == "office365" ? "https://login.microsoftonline.com/common/oauth2/v2.0/token"
        : "";
    curl_easy_setopt(curl_handle, CURLOPT_URL, url);
    curl_easy_setopt(curl_handle, CURLOPT_CONNECTTIMEOUT, 20);
    
    // URL-encode the two values that go into the form body.
    auto c = curl_easy_escape(curl_handle, clientId.c_str(), 0);
    auto r = curl_easy_escape(curl_handle, refreshToken.c_str(), 0);
    string payload = "grant_type=refresh_token&client_id=" + string(c) + "&refresh_token=" + string(r);
    curl_free(c);   // curl_easy_escape allocates; release once copied into the payload
    curl_free(r);
    if (provider == "office365") {
        // workaround the fact that Microsoft's OAUTH flow allows you to authorize many scopes, but you
        // have to get a separate token for outlook (email + IMAP) and contacts / calendar / Microsoft Graph APIs
        // separately. The same refresh token will give you access tokens, but the access tokens are different.
        payload += "&scope=https%3A%2F%2Foutlook.office365.com%2FIMAP.AccessAsUser.All%20https%3A%2F%2Foutlook.office365.com%2FSMTP.Send";
    }
    struct curl_slist *headers = NULL;
    headers = curl_slist_append(headers, "Accept: application/json");
    headers = curl_slist_append(headers, "Content-Type: application/x-www-form-urlencoded");
    if (provider == "office365") {
        // workaround "AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type
        // may only be redeemed via cross-origin requests"
        headers = curl_slist_append(headers, "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Mailspring/1.7.8 Chrome/69.0.3497.128 Electron/4.2.12 Safari/537.36");
        headers = curl_slist_append(headers, "Origin: null");
    }
    curl_easy_setopt(curl_handle, CURLOPT_CUSTOMREQUEST, "POST");
    curl_easy_setopt(curl_handle, CURLOPT_HTTPHEADER, headers);
    curl_easy_setopt(curl_handle, CURLOPT_POSTFIELDS, payload.c_str());
    
    // The handle (and the headers list) is owned by PerformJSONRequest from here on.
    return PerformJSONRequest(curl_handle);
}
1 Like
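The two hypotheses in the post above can be separated with a simulation. The following is an added example, not Mailspring's code: a constructed OAuth 2.0 token endpoint that rotates refresh tokens on every refresh and expires each refresh token 24 hours after it was minted (the "1.00:00:00" from the AADSTS700081 message), plus a client that refreshes hourly either replaying the refresh token from the original sign-in (hypothesis 2) or storing the rotated one from each response. The names ToyTokenEndpoint, MailClient and simulate are mine, and the policy that a rotated token outlives the original's 24 hours is an assumption about this toy, not a statement about Azure AD: whether a real tenant or app registration extends lifetime on rotation is policy the simulation cannot know. The check that distinguishes the cases on a real log is the "issued on" timestamp inside the error: if it advances with every successful hourly refresh, the rotated token is being stored; if it stays at the last interactive sign-in, it is not.

```python
"""Refresh-token rotation, simulated end to end (added example, constructed)."""
import secrets

HOUR = 3600
ACCESS_TOKEN_LIFETIME = HOUR            # access tokens are refetched hourly in the log
REFRESH_TOKEN_MAX_LIFETIME = 24 * HOUR  # "maximum allowed lifetime ... 1.00:00:00"


class ToyTokenEndpoint:
    """Constructed stand-in for a token endpoint; not Microsoft's behaviour."""

    def __init__(self):
        self._issued_at = {}  # refresh token -> time it was minted (seconds)

    def authorize(self, now):
        """Interactive sign-in (browser, MFA): returns the first token pair."""
        return self._issue(now)

    def refresh(self, refresh_token, now):
        """grant_type=refresh_token. Returns (http_status, json_body)."""
        issued = self._issued_at.get(refresh_token)
        if issued is None:
            return 400, {"error": "invalid_grant",
                         "error_description": "unknown refresh token"}
        if now - issued > REFRESH_TOKEN_MAX_LIFETIME:
            # Shape borrowed from the error in the thread; trace IDs and timestamps omitted.
            return 400, {"error": "invalid_grant",
                         "error_description": "AADSTS700081: The refresh token has expired "
                                              "due to maximum lifetime.",
                         "error_codes": [700081]}
        # Rotation (an assumption of this toy): the response carries a NEW refresh token minted now.
        return 200, self._issue(now)

    def _issue(self, now):
        refresh_token = secrets.token_urlsafe(16)
        self._issued_at[refresh_token] = now
        return {"token_type": "Bearer",
                "access_token": secrets.token_urlsafe(16),
                "expires_in": ACCESS_TOKEN_LIFETIME,
                "refresh_token": refresh_token}


class MailClient:
    """Hourly refresher. persist_rotated=False replays the refresh token from the
    original sign-in forever (hypothesis 2 in the post); True stores the refresh
    token from every successful response, which is what an OAuth 2.0 client must do."""

    def __init__(self, endpoint, persist_rotated, now):
        self.endpoint = endpoint
        self.persist_rotated = persist_rotated
        self.reauth_times = []          # hours at which the user had to sign in again
        self._store(endpoint.authorize(now))

    def _store(self, tokens):
        self.access_token = tokens["access_token"]
        self.refresh_token = tokens["refresh_token"]

    def fetch_access_token(self, now):
        """The hourly 'Fetching XOAuth2 access token' step; returns an error code or None."""
        status, body = self.endpoint.refresh(self.refresh_token, now)
        if status == 200:
            self.access_token = body["access_token"]
            if self.persist_rotated:
                self.refresh_token = body["refresh_token"]
            return None
        # The account would be flagged invalid here; re-run the interactive sign-in.
        self.reauth_times.append(now // HOUR)
        self._store(self.endpoint.authorize(now))
        return body.get("error_codes", [body["error"]])[0]


def simulate(persist_rotated, hours=72):
    """Run hourly refreshes for `hours` hours; return the hours at which re-auth was forced."""
    endpoint = ToyTokenEndpoint()
    client = MailClient(endpoint, persist_rotated, now=0)
    for hour in range(1, hours + 1):
        client.fetch_access_token(now=hour * HOUR)
    return client.reauth_times


if __name__ == "__main__":
    print("replaying original refresh token, re-auth at hours:", simulate(False))
    print("persisting rotated refresh token, re-auth at hours:", simulate(True))
```

Run as a script, the replaying client is forced to re-authenticate at hours 25 and 50 of a 72-hour run, which is the "once a day" pattern reported in the thread, while the persisting client never is. If a provider instead caps the lifetime of the whole token family, both clients are forced to re-authenticate at hour 25, and the fix lies in the tenant's token policy rather than in the client.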

I have just read a little bit about how OAuth 2.0 is supposed to work :slight_smile:

Apparently, Google APIs have long lived refresh tokens (up to 6 months), but it looks like the Office365 refresh tokens only are valid for 1 day. I guess there are some settings in Azure to increase the lifetime of a refresh token.

This article describes token lifetime policy properties in Azure.

They made some changes from January 30th this year. I don’t know if that affects the refresh token lifetime.

2 Likes

Hi. I can’t get my office365 account to work. I’ve tried signing in by adding account and choosing Office365 and I get this error.

Authentication Error - Check your username and password. (SMTP)

When I try signing in using IMAP I get this error with View Log

Authentication Error - Check your username and password. (SMTP)View Log

I have set it up using the settings you provide on your website. Below is the output from the log. For your info, I’ve set my account up on Samsung Email and after Mailspring failed I downloaded BlueMail for linux and had no problems at all with it. I’d much rather not have to have two email programs and I’d rather use Mailspring since I’m paying for it, so any help you can give me to get it up and running would be much appreciated. Thanks.

The IMAP settings show successful

----------SMTP----------
connect smtp.office365.com 587
220 MWHPR04CA0026.outlook.office365.com Microsoft ESMTP MAIL Service ready at Sat, 3 Apr 2021 14:52:21 +0000
init
EHLO lonnie-HP-ENVY-x360-Convertible-15-ee0xxx
250-MWHPR04CA0026.outlook.office365.com Hello [2601:646:203:b7e0:4547:ee4b:7389:172b]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8
start TLS
STARTTLS
220 2.0.0 SMTP server ready
done
OpenSSL version: OpenSSL 1.1.0f 25 May 2017
init after starttls
EHLO lonnie-HP-ENVY-x360-Convertible-15-ee0xxx
250-MWHPR04CA0026.outlook.office365.com Hello [2601:646:203:b7e0:4547:ee4b:7389:172b]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH LOGIN XOAUTH2
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8
AUTH LOGIN
334 VXNlcm5hbWU6cGFjbWFuQG1hbmphcm8ucHJv
334 UGFzc3dvcmQ6bGVlYWxsZW43
535 5.7.139 Authentication unsuccessful, SmtpClientAuthentication is disabled for the Tenant. Visit aka.ms/smtp_auth_disabled for more info. [MWHPR04CA0026.namprd04.prod.outlook.com]

SASL_PATH: /usr/share/mailspring/resources/app.asar.unpacked

SMTP Last Response Code: 535
SMTP Last Response: 5.7.139 Authentication unsuccessful, SmtpClientAuthentication is disabled for the Tenant. Visit aka.ms/smtp_auth_disabled for more info. [MWHPR04CA0026.namprd04.prod.outlook.com]

mailsmtp Last Error Code: 17
mailsmtp Last Error Explanation: MAILSMTP_ERROR_AUTH_LOGIN
mailsmtp Last Error Location: 10
mailsmtp Last Auth Type: 16

Hi @backslidr

The clue lies in the error message in your log:

Authentication unsuccessful, SmtpClientAuthentication is disabled for the Tenant. Visit aka.ms/smtp_auth_disabled for more info. 

Mailspring only supports connection through the IMAP and SMTP protocols. It looks like SMTP authentication is turned off for your organization.

Visit Enable or disable SMTP AUTH | Microsoft Docs for more information.
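The transcript above shows two things worth reading off mechanically before posting a log: the server offered both LOGIN and XOAUTH2 after STARTTLS, the client chose AUTH LOGIN, and the 535 reply carries enhanced status 5.7.139 (SMTP AUTH disabled for the tenant). AUTH LOGIN only base64-encodes the credentials, so a pasted transcript exposes the mailbox password to anyone who decodes the two client lines. The following is an added example, not code from the thread or from Mailspring: a small analyser that pulls those facts out of a View Log style transcript and returns a copy with the client's SASL lines redacted. SAMPLE_SESSION, its hostnames, addresses and credentials (user@example.com / hunter2) are constructed; analyze_smtp_log and KNOWN_STATUS are my names.

```python
"""Read the auth outcome out of an SMTP transcript and redact the credentials (added example)."""
import re

# Constructed transcript in the shape of Mailspring's "View Log" SMTP output:
# server replies carry a 3-digit code, client commands and SASL data do not.
SAMPLE_SESSION = """\
connect smtp.office365.com 587
220 MWHPR04CA0026.outlook.office365.com Microsoft ESMTP MAIL Service ready
EHLO laptop.example
250-MWHPR04CA0026.outlook.office365.com Hello [2001:db8::1]
250-STARTTLS
250 SMTPUTF8
STARTTLS
220 2.0.0 SMTP server ready
EHLO laptop.example
250-MWHPR04CA0026.outlook.office365.com Hello [2001:db8::1]
250-AUTH LOGIN XOAUTH2
250 SMTPUTF8
AUTH LOGIN
334 VXNlcm5hbWU6
dXNlckBleGFtcGxlLmNvbQ==
334 UGFzc3dvcmQ6
aHVudGVyMg==
535 5.7.139 Authentication unsuccessful, SmtpClientAuthentication is disabled for the Tenant.
"""

SERVER_REPLY = re.compile(r"^(\d{3})[ -](.*)$")
ENHANCED_STATUS = re.compile(r"^(\d\.\d+\.\d+)\s")
PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}  # password mechanisms; base64 is not encryption

# Enhanced status codes seen in this thread, with the defender's reading of each.
KNOWN_STATUS = {
    "5.7.139": "SMTP AUTH (basic auth) is disabled tenant-wide; see aka.ms/smtp_auth_disabled",
}


def analyze_smtp_log(text):
    """Summarise an SMTP transcript and return a credential-free copy of it."""
    report = {"advertised_auth": [], "auth_mechanism": None, "auth_code": None,
              "enhanced_status": None, "diagnosis": None, "notes": []}
    redacted = []
    tls_started = False
    in_auth = False
    for line in text.splitlines():
        reply = SERVER_REPLY.match(line)
        if reply:
            code, rest = reply.groups()
            if tls_started and rest.upper().startswith("AUTH "):
                report["advertised_auth"] = rest.split()[1:]
            if in_auth and code != "334":       # 334 is a challenge; anything else ends AUTH
                report["auth_code"] = code
                status = ENHANCED_STATUS.match(rest)
                if status:
                    report["enhanced_status"] = status.group(1)
                    report["diagnosis"] = KNOWN_STATUS.get(status.group(1), rest)
                in_auth = False
            redacted.append(line)
            continue
        upper = line.upper()
        if upper == "STARTTLS":
            tls_started = True
        elif upper.startswith("AUTH "):
            words = line.split()
            report["auth_mechanism"] = words[1].upper()
            in_auth = True
            if len(words) > 2:                  # AUTH <mech> <initial-response>
                line = f"AUTH {words[1]} [REDACTED]"
        elif in_auth:                           # client's answer to a 334 challenge
            line = "[REDACTED SASL CREDENTIAL]"
        redacted.append(line)
    mech = report["auth_mechanism"]
    if mech in PLAINTEXT_MECHS and "XOAUTH2" in report["advertised_auth"]:
        report["notes"].append(f"client used AUTH {mech} although the server offered XOAUTH2; "
                               "the password is present in this log, base64-encoded only")
    report["redacted_log"] = "\n".join(redacted)
    return report


if __name__ == "__main__":
    result = analyze_smtp_log(SAMPLE_SESSION)
    for key in ("advertised_auth", "auth_mechanism", "auth_code", "enhanced_status", "diagnosis", "notes"):
        print(f"{key}: {result[key]}")
    print(result["redacted_log"])
```

The server's own 334 challenges are kept (they decode to "Username:" and "Password:" and carry nothing sensitive); only the client's replies, and any initial response sent inline with the AUTH command, are replaced. The redacted_log is what should be shared when asking for help with an SMTP failure.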

Well, it looks like I’m out of luck on this one. I followed your link and it says to go to the Microsoft 365 Admin Center. When I click on that link it takes me to GoDaddy where the option I’m supposed to use is non-existent. I found I could get to an admin center online, but the options aren’t there either. The only other way they say to do it is to enter a command in PowerShell, but since I don’t have Windows I can’t do that either. I don’t really understand what’s going on with Mailspring since all I have to do to add an account in any other mail app I just have to add an Office365 account. Mailspring has this but I get the same error message when I try and it won’t let me log into my account. It works with BlueMail, Thunderbird, Android mail, everything but Mailspring. I really appreciate your help, but unless there’s another way it looks like I’m just going to have to use two email apps from now on or just use one of the other apps instead of Mailspring, neither of which I care for. Thanks!

Hey all,

Obviously having the same issue as most here, except I think I may be in the wrong area and was hoping someone could/would help point me to the correct area? I see a few mentions that this is a free service/labor of love in response to the frustrations caused by this bug (or whatever term you want to apply). Where do those of us who pay for this service go? I understand the limitations for a free service, absolutely, but I am looking for the message board for paying customers who aren’t receiving the service they pay for.
Any help is greatly appreciated!

Thanks!

It’s the same place for everyone. The Pro subscription covers the costs of the server and (very expensive) APIs that make the Pro features possible, as well as the costs of the security audits that Google et al demand. It doesn’t provide enough money to hire support staff or full-time developers. Without Pro subscriptions, the Pro features just simply wouldn’t exist, and everyone using the software would be on Mailspring Basic.

There’s also no Big Company backing Mailspring development — Foundry376’s involvement is merely as the legal business entity that makes the subscriptions possible.

That’s all there is to it, really. Mailspring Pro never promises or pretends to provide “premium support”. You’re paying for the features that cost Mailspring money to provide, nothing more.

Thank you for replying!

I appreciate your thoroughness and promptness. Very informative!

The issue I have isn’t with a Pro feature, however. It’s with a basic feature (having more than one O365 address) and then, subsequently, the avenues with which I’m able to rectify that issue. And that’s the issue I have that’s germane to the post I replied to; it doesn’t include the other problems/bugs I’ve experienced with MailSpring.

And while I understand that Pro features are only available because of the subs, I didn’t sign up to “donate”, I signed up to receive the services advertised as being exclusive to Pro. Once money changes hands, I leave “community” and become “consumer”, my concern for backstories takes a muted second place to my demand for the product I paid for and the promised functionality thereof.

I appreciate you taking time to reach out to myself and what appears to be everyone else with complaints here. I cannot fathom how stressful that workload must be.

KUTGW,
O.