fetchmail stopped downloading pop3 mail from outlook

I have had fetchmail configured to download the mail from one corporate Microsoft account for a long time.
Two days ago it stopped working.
I can enter through the web (https://susepaste.org/93471349) but fetchmail returns an authentication error.

I have tried this:


fperal@tutatis:~> openssl s_client -crlf -showcerts -connect outlook.office365.com:995 
CONNECTED(00000003) 
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA 
verify return:1 
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1 
verify return:1 
depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = outlook.com 
verify return:1 
--- 
Certificate chain 
 0 s:C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = outlook.com 
   i:C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1 
-----BEGIN CERTIFICATE----- 
.......
-----END CERTIFICATE----- 
 1 s:C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1 
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA 
-----BEGIN CERTIFICATE----- 
.......
-----END CERTIFICATE----- 
--- 
Server certificate 
subject=C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = outlook.com 

issuer=C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1 

--- 
No client certificate CA names sent 
Peer signing digest: SHA256 
Peer signature type: RSA-PSS 
Server Temp Key: ECDH, P-384, 384 bits 
--- 
SSL handshake has read 3998 bytes and written 489 bytes 
Verification: OK 
--- 
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384 
Server public key is 2048 bit 
Secure Renegotiation IS supported 
Compression: NONE 
Expansion: NONE 
No ALPN negotiated 
SSL-Session: 
    Protocol  : TLSv1.2 
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384 
    Session-ID: 9E340000F4F3C5F160C2923C1B6B1DB7FACE2B883CB55528977780CB4D60C3E4 
    Session-ID-ctx:  
    Master-Key: 67B4D35C8FF7564785DFB40F18F37F204CAB2058B1204B9D8C4DF9BB183B100F18B7D9F6F4271DBB5F53DEBD1D4D6325 
    PSK identity: None 
    PSK identity hint: None 
    SRP username: None 
    Start Time: 1667672414 
    Timeout   : 7200 (sec) 
    Verify return code: 0 (ok) 
    Extended master secret: yes 
--- 
+OK The Microsoft Exchange POP3 service is ready. [TABOAFgAUAAyADYANQBDAEEAMAAwADUAMgAuAEcAQgBSAFAAMgA2ADUALgBQAFIATwBEAC4ATwBVAFQATABPAE8ASwAuAEMATwBNAA==] 
user ****myuser***
+OK 
pass ****mypass*****
-ERR Logon failure: unknown user name or bad password. 
-ERR Connection is closed. 12 
read:errno=0 


Similar authentication error

Any clue about what could be failing?

Best regards

See here: https://www.hesk.com/knowledgebase/?article=93 and https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online
Microsoft now requires OAuth or MFA since 1st Nov 2022.

Oh, I see. I fear OAuth is one of the inventions Google (and Microsoft) are using to try to kill email as we knew it and force everybody to work with their servers and methods.

>:) But, but, but →

  • You have a contract with an ISP who connects you to the Internet and,
    Most ISPs offer an e-Mail service as part of the monthly payments you pay them to provide your Internet access.
    I would be very very surprised if you pay a monthly fee for the use of Microsoft or Alphabet/Google e-Mail accounts.

Golden rule →

  • If you pay for it, USE IT!!!

Solution:

  • Both Microsoft and Alphabet/Google allow you to set up your e-Mail account(s) with them to forward all incoming e-Mail to another e-Mail account.
    I personally use this facility with my accounts where I have registered with Microsoft (Windows licenses) and, Alphabet/Google (Android mobile telephones) … >:)

The only annoying “feature” is, when you login to the web interface of the Outlook or GMail e-Mail account from a Linux computer, you’ll be bombarded with e-Mails from Microsoft and Alphabet/Google with content of «Just making sure that, it’s really you.»

  • For the case of Alphabet/Google, I’ve also noticed that, they tend to send e-Mail related to the Terms and Conditions of your account with them, only to the e-Mail address where the GMail e-mail is being forwarded to and, not to the GMail inbox …

But, please be aware that, the ISP I use, allows up to 100 e-Mail accounts to be set up as part of the monthly payments I make to them.

Yes, I know. I stopped using Google and Microsoft “free” accounts a long time ago for personal use (they are not free, you are just selling your data to them for a very low price). I have my own domain, which I pay for, and email accounts for that domain. But, but, but… At work we have two corporate email accounts, one from Google and one from Microsoft, and there is nothing I can do to avoid that (I would if I could).
I also have another account with a private domain at work, and I use it for everything. I have to read the other two accounts (the Google one and the Microsoft one) because I receive some mail in them, so I download the two accounts with fetchmail, which sends them to the mbox of my Linux user; then I read them with POP from Thunderbird, and I also read it all using POP3 from home with Thunderbird, so I have two sets of locally downloaded mail, one at work and one at home.
And yes, I thought about the email forwarding. I tried to set up email forwarding from the Microsoft account to some other email account; the system let me set it, but it does not work (dunno why).

I have seen that I can set Thunderbird to use OAuth2 to log in to the Microsoft account; it uses something in mozilla.net to authenticate. I was wondering if it has saved some token somewhere and whether I will be able to use this token to set up the authentication with fetchmail.

Good. So open ticket with IT support at work.

There are enough detailed instructions on how to configure fetchmail for OAuth2 (and SUSE backported OAuth 2.0 support from the fetchmail development branch, so all you need is to actually read the fetchmail documentation which is installed on your system). I do not know where Thunderbird stores the access token, but technically it is possible to abuse OAuth2 by pretending fetchmail is Thunderbird. The Thunderbird client id and secret are easily available and just a Google search away.

It is stored as a password, and you can see it in the list of stored passwords in TB, but access tokens have a very short validity period, so you would need to implement some script to fetch the updated token. And the token is updated by Thunderbird, so if Thunderbird did not run to refresh the token, the token will have expired.

Besides, you still need fetchmail with OAuth2 support, because it needs a different method to authenticate (it is not simply sending the token instead of the user password).

Yes, it does not seem to be a worthwhile approach.
I have seen that OAuth2 is included in the version of fetchmail in openSUSE 15.4 (I had thought it would be necessary to install a patch) … from info fetchmail:

    --auth <type>
               (Keyword: auth[enticate])
               This option permits you to specify an authentication type (see USER AUTHENTICATION below for details). The possible values are any, password, kerberos_v5, kerberos (or, for excruciating exactness, kerberos_v4), gssapi, cram-md5, otp, ntlm, msn (only for POP3), external (only IMAP), ssh and oauthbearer (requires token). When any (the default) is specified, fetchmail tries first methods that don't require a password (EXTERNAL, GSSAPI, KERBEROS IV, KERBEROS 5); then it looks for methods that mask your password (CRAM-MD5, NTLM, X-OTP - note that MSN is only supported for POP3, but not autoprobed); and only if the server doesn't support any of those will it ship your password en clair. Other values may be used to force various authentication methods (ssh suppresses authentication and is thus useful for IMAP PREAUTH). (external suppresses authentication and is thus useful for IMAP EXTERNAL). Any value other than password, cram-md5, ntlm, msn or otp suppresses fetchmail's normal inquiry for a password. Specify ssh when you are using an end-to-end secure connection such as an ssh tunnel; specify external when you use TLS with client authentication and specify gssapi or kerberos_v4 if you are using a protocol variant that employs GSSAPI or K4. Choosing KPOP protocol automatically selects Kerberos authentication. This option does not work with ETRN. GSSAPI service names are in line with RFC-2743 and IANA registrations, see Generic Security Service Application Program Interface (GSSAPI)/Kerberos/Simple Authentication and Security Layer (SASL) Service Names ⟨https://www.iana.org/assignments/gssapi-service-names/⟩.

               oauthbearer expects the supplied password to be an oauth2 authentication token instead of a password, as used by services like gmail. See RFC 7628 and RFC 6750. The oauthbearer setting also allows the non-standard "xoauth2" SASL scheme (using the same token) if the server only claims to support "xoauth2". External tools are necessary to obtain such tokens. Access tokens often expire fairly quickly (e.g. 1 hour), and new ones need to be generated from renewal tokens, so the "passwordfile", "passwordfd", or "pwmd_*" options may be useful. See the contrib/fetchmail-oauth2.py script from the fetchmail source code, which was derived from code associated with Google's Oauth2 Run Through ⟨https://github.com/google/gmail-oauth2-tools/wiki/OAuth2DotPyRunThrough⟩, and other oauth2 documentation. For services like gmail, an "App Password" is probably preferable if available, because it has roughly the same security risks, and is a whole lot simpler to get working. "App Password" and oauthbearer both need to protect secrets on the client machine (files) and over the network (SSL/TLS). But "App Password" is sometimes completely disabled by business "G-suite" administrators.
  

So I have in mind to try it; I think the Python script is provided by the python3-oauth2client package.
I have to do some research and I will report here what I achieve.

The other alternative I was thinking of is DavMail.

As I already told you.

I have to do some research

https://gitlab.com/fetchmail/fetchmail/-/blob/next/README.OAUTH2

I was wrong. Thunderbird does not store the access token at all; it stores the refresh token. Which means every time it starts it will request a new access token. So the saved information cannot be directly used for fetchmail at all (fetchmail does not really support the OAuth 2.0 protocol; it has rudimentary support for sending an access token, but it has no way to request or refresh an access token).
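As an added example (not from the thread, nor fetchmail's own contrib script), here are the two pieces the replies above describe: the RFC 6749 refresh_token exchange that turns a stored refresh token into a short-lived access token (the part fetchmail cannot do itself), and the RFC 7628 OAUTHBEARER / XOAUTH2 initial client response that fetchmail sends in place of a plain password. The token endpoint, client id, scope string and token values are constructed placeholders, and the HTTPS request itself is left to the caller.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed placeholders: a real setup uses your tenant's endpoint, your own app's client id and its refresh token.
TOKEN_ENDPOINT = "https://login.example.invalid/oauth2/v2.0/token"
POP_SCOPE = "https://outlook.office.com/POP.AccessAsUser.All offline_access"  # assumed scope name

def refresh_request_body(client_id, refresh_token, scope):
    """URL-encoded body of an RFC 6749 refresh_token grant (what fetchmail lacks)."""
    return urlencode({"client_id": client_id, "grant_type": "refresh_token",
                      "refresh_token": refresh_token, "scope": scope})

def parse_token_response(body, now):
    """Extract the access token and its absolute expiry from the JSON reply."""
    data = json.loads(body)
    if "access_token" not in data:
        raise ValueError(data.get("error_description", data.get("error", "no token")))
    return {"access_token": data["access_token"],
            "expires_at": now + int(data.get("expires_in", 3600)),
            # Providers may rotate the refresh token; keep the new one if present.
            "refresh_token": data.get("refresh_token")}

def needs_refresh(state, now, margin=300):
    """True when no token is cached or it is within `margin` seconds of expiry."""
    return state is None or now + margin >= state["expires_at"]

def oauthbearer_initial_response(user, token, host, port):
    """RFC 7628 OAUTHBEARER initial client response, base64 as sent on the wire."""
    msg = f"n,a={user},\x01host={host}\x01port={port}\x01auth=Bearer {token}\x01\x01"
    return base64.b64encode(msg.encode()).decode()

def xoauth2_initial_response(user, token):
    """Non-standard XOAUTH2 form, used when the server only advertises xoauth2."""
    msg = f"user={user}\x01auth=Bearer {token}\x01\x01"
    return base64.b64encode(msg.encode()).decode()

def decode_initial_response(b64):
    """Inverse of the two builders, for inspection and tests."""
    return base64.b64decode(b64).decode()

if __name__ == "__main__":
    # Constructed token-endpoint reply standing in for the live HTTPS exchange.
    reply = '{"access_token": "EXAMPLE_ACCESS_TOKEN", "expires_in": 3600}'
    state = parse_token_response(reply, now=1667672414)
    print("POST", TOKEN_ENDPOINT, refresh_request_body("CLIENT_ID", "REFRESH_TOKEN", POP_SCOPE))
    print("refresh before next poll?", needs_refresh(state, now=1667672414 + 3500))
    print("AUTH OAUTHBEARER", oauthbearer_initial_response(
        "user@example.com", state["access_token"], "outlook.office365.com", 995))
```

A cron job around `parse_token_response` writing the access token to the file named by fetchmail's `passwordfile` option, and `--auth oauthbearer` in the rcfile, is the glue the man page excerpt refers to.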