Client not authenticated to send mail. #257

Closed
SnakeSK opened this issue Jun 27, 2024 · 5 comments

SnakeSK commented Jun 27, 2024

Hello,

We are trying to authenticate against M365 Server. Created a new app registration with the following permissions:
[image]

Configuration is as follows (we don't need IMAP or POP, just SMTP):

[SMTP-1587]
server_address = smtp.office365.com
server_port = 587
server_starttls = True
local_address = 192.168.X.X

[[email protected]]
permission_url = https://login.microsoftonline.com/common/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/common/oauth2/v2.0/token
oauth2_scope = https://outlook.office365.com/.default offline_access
redirect_uri = http://localhost
client_id = from_azure_app
jwt_certificate_path = "C:\Program Files (x86)\OAuth Proxy\cert.pem"
jwt_key_path = "C:\Program Files (x86)\OAuth Proxy\private.key"

[emailproxy]
delete_account_token_on_password_error = True
encrypt_client_secret_on_first_use = False
allow_catch_all_accounts = False

In the log we are getting

2024-06-27 11:23:04,708: Running in a packaged/frozen environment - imported SSL certificates from `certifi`
2024-06-27 11:23:04,802: Initialising Email OAuth 2.0 Proxy (version 2024-05-25) from config file C:\Program Files (x86)\OAuth Proxy\emailproxy.config
2024-06-27 11:23:04,802: Starting SMTP server at 192.168.X.X:1587 (unsecured) proxying smtp.office365.com:587 (STARTTLS)
2024-06-27 11:23:04,818: Initialised Email OAuth 2.0 Proxy - listening for authentication requests. Connect your email client to begin
2024-06-27 11:23:10,052: Setting debug mode: True
2024-06-27 11:23:14,490: New incoming connection to SMTP server at 192.168.X.X:1587 (unsecured) proxying smtp.office365.com:587 (STARTTLS)
2024-06-27 11:23:14,490: Accepting new connection from 192.168.X.X:54621 to SMTP server at 192.168.X.X:1587 (unsecured) proxying smtp.office365.com:587 (STARTTLS)
2024-06-27 11:23:14,537: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587) --> [ Client connected ]
2024-06-27 11:23:14,537: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'220 VI1PR08CA0253.outlook.office365.com Microsoft ESMTP MAIL Service ready at Thu, 27 Jun 2024 09:23:13 +0000\r\n'
2024-06-27 11:23:14,537: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587) <-- b'220 VI1PR08CA0253.outlook.office365.com Microsoft ESMTP MAIL Service ready at Thu, 27 Jun 2024 09:23:13 +0000\r\n'
2024-06-27 11:23:14,552: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587) --> b'EHLO SRV2\r\n'
2024-06-27 11:23:14,552: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587)     --> b'EHLO SRV2\r\n'
2024-06-27 11:23:14,568: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-VI1PR08CA0253.outlook.office365.com Hello [5.178.56.180]\r\n'
2024-06-27 11:23:14,568: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-SIZE 157286400\r\n'
2024-06-27 11:23:14,568: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-PIPELINING\r\n'
2024-06-27 11:23:14,568: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-DSN\r\n'
2024-06-27 11:23:14,568: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-ENHANCEDSTATUSCODES\r\n'
2024-06-27 11:23:14,568: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-STARTTLS\r\n'
2024-06-27 11:23:14,568: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-8BITMIME\r\n'
2024-06-27 11:23:14,568: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-BINARYMIME\r\n'
2024-06-27 11:23:14,568: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-CHUNKING\r\n'
2024-06-27 11:23:14,568: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250 SMTPUTF8\r\n'
2024-06-27 11:23:14,568: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587)     --> b'STARTTLS\r\n'
2024-06-27 11:23:14,583: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'220 2.0.0 SMTP server ready\r\n'
2024-06-27 11:23:14,583: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587) <-> [ Starting TLS handshake ]
2024-06-27 11:23:14,787: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587) [ Successfully negotiated SMTP server STARTTLS connection - re-sending greeting ]
2024-06-27 11:23:14,787: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587)     --> b'EHLO SRV2\r\n'
2024-06-27 11:23:14,834: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587) <-> [ TLSv1.3 handshake complete ]
2024-06-27 11:23:14,880: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-VI1PR08CA0253.outlook.office365.com Hello [5.178.56.180]\r\n'
2024-06-27 11:23:14,880: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-SIZE 157286400\r\n'
2024-06-27 11:23:14,880: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-PIPELINING\r\n'
2024-06-27 11:23:14,880: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-DSN\r\n'
2024-06-27 11:23:14,880: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-ENHANCEDSTATUSCODES\r\n'
2024-06-27 11:23:14,880: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-AUTH LOGIN XOAUTH2\r\n'
2024-06-27 11:23:14,880: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-8BITMIME\r\n'
2024-06-27 11:23:14,880: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-BINARYMIME\r\n'
2024-06-27 11:23:14,880: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-CHUNKING\r\n'
2024-06-27 11:23:14,880: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250 SMTPUTF8\r\n'
2024-06-27 11:23:14,880: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587) <-- b'250-VI1PR08CA0253.outlook.office365.com Hello [5.178.56.180]\r\n250-SIZE 157286400\r\n250-PIPELINING\r\n250-DSN\r\n250-ENHANCEDSTATUSCODES\r\n250-AUTH PLAIN LOGIN\r\n250-8BITMIME\r\n250-BINARYMIME\r\n250-CHUNKING\r\n250 SMTPUTF8\r\n'
2024-06-27 11:23:14,880: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587) --> b'MAIL FROM:<[email protected]>\r\n'
2024-06-27 11:23:14,880: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587)     --> b'MAIL FROM:<[email protected]>\r\n'
2024-06-27 11:23:19,896: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'530 5.7.57 Client not authenticated to send mail. [VI1PR08CA0253.eurprd08.prod.outlook.com 2024-06-27T09:23:19.875Z 08DC959AA00CA1C7]\r\n'
2024-06-27 11:23:19,896: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587) <-- b'530 5.7.57 Client not authenticated to send mail. [VI1PR08CA0253.eurprd08.prod.outlook.com 2024-06-27T09:23:19.875Z 08DC959AA00CA1C7]\r\n'
2024-06-27 11:23:19,896: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587) <-- [ Server disconnected ]
2024-06-27 11:23:19,896: SMTP (192.168.X.X:54621-{192.168.X.X:1587}-smtp.office365.com:587) --> [ Client disconnected ]
2024-06-27 11:25:34,649: Stopping Email OAuth 2.0 Proxy
2024-06-27 11:25:34,649: Stopping SMTP server at 192.168.X.X:1587 (unsecured) proxying smtp.office365.com:587 (STARTTLS)

Any clue what to set up next? Thank you

@simonrob
Owner

Your client isn't actually sending a login command. Using the proxy doesn't mean you can send unauthenticated email; it just means that you can use SMTP's PLAIN or LOGIN options, rather than needing to use OAuth 2.0.
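A triage sketch for the failure modes seen in this thread's logs, added here as an example and not part of the original thread or the proxy's code: it reads the proxy's debug log and reports connections where the client sent MAIL FROM without an accepted AUTH. It assumes the less-indented lines are the client-to-proxy leg (an inference from the log layout) and that a `235` reply marks a successful AUTH; the sample lines and addresses are constructed.

```python
import re

# One proxy debug-log line: timestamp, connection id, leg (indent), direction, payload.
LINE = re.compile(
    r"^\S+ \S+: SMTP \((?P<conn>[^)]+)\) (?P<pad> *)(?P<dir>-->|<--) b'(?P<data>.*)'$"
)

# Constructed sample in the format of the logs in this thread (addresses are placeholders).
SAMPLE_LOG = r"""
2024-06-27 11:23:14,880: SMTP (10.0.0.5:50001-{10.0.0.1:1587}-smtp.office365.com:587) --> b'EHLO SRV2\r\n'
2024-06-27 11:23:14,880: SMTP (10.0.0.5:50001-{10.0.0.1:1587}-smtp.office365.com:587) --> b'MAIL FROM:<sender@example.com>\r\n'
2024-06-27 19:00:34,791: SMTP (10.0.0.6:50002-{10.0.0.1:1587}-smtp.office365.com:587) --> b'AUTH login [[ Credentials removed from proxy log ]]\r\n'
2024-06-27 19:00:34,791: SMTP (10.0.0.6:50002-{10.0.0.1:1587}-smtp.office365.com:587)     --> b'AUTH XOAUTH2\r\n'
2024-06-27 19:00:40,213: SMTP (10.0.0.6:50002-{10.0.0.1:1587}-smtp.office365.com:587) <-- b'535 5.7.8 Authentication credentials invalid.\r\n'
2024-06-27 19:00:40,213: SMTP (10.0.0.6:50002-{10.0.0.1:1587}-smtp.office365.com:587) --> b'MAIL FROM:<sender@example.com>\r\n'
"""


def triage(log_text):
    """Return {connection: verdict} for sessions that sent MAIL FROM unauthenticated."""
    state = {}     # connection -> "attempted" or "ok"; absent means no AUTH seen
    verdicts = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["pad"]:
            continue   # not an SMTP payload line, or the proxy-to-server leg
        conn, data = m["conn"], m["data"].upper()
        if m["dir"] == "-->":              # client -> proxy
            if data.startswith("AUTH "):
                state[conn] = "attempted"
            elif data.startswith("MAIL FROM:") and state.get(conn) != "ok":
                verdicts[conn] = ("client never sent AUTH" if conn not in state
                                  else "AUTH attempted but not accepted")
        elif data.startswith("235"):        # proxy -> client: AUTH accepted
            state[conn] = "ok"
    return verdicts


if __name__ == "__main__":
    for conn, verdict in triage(SAMPLE_LOG).items():
        print(f"{conn}: {verdict}")
```
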

@SnakeSK
Author

SnakeSK commented Jun 27, 2024

When we add credentials this comes up

2024-06-27 18:57:56,527: Running in a packaged/frozen environment - imported SSL certificates from `certifi`
2024-06-27 18:57:56,605: Initialising Email OAuth 2.0 Proxy (version 2024-05-25) from config file C:\Program Files (x86)\OAuth Proxy\emailproxy.config
2024-06-27 18:57:56,605: Starting SMTP server at 192.168.X.X:1587 (unsecured) proxying smtp.office365.com:587 (STARTTLS)
2024-06-27 18:57:56,605: Initialised Email OAuth 2.0 Proxy - listening for authentication requests. Connect your email client to begin
2024-06-27 18:58:08,886: Setting debug mode: True
2024-06-27 19:00:34,368: New incoming connection to SMTP server at 192.168.X.X:1587 (unsecured) proxying smtp.office365.com:587 (STARTTLS)
2024-06-27 19:00:34,368: Accepting new connection from 192.168.184.250:31241 to SMTP server at 192.168.X.X:1587 (unsecured) proxying smtp.office365.com:587 (STARTTLS)
2024-06-27 19:00:34,416: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587) --> [ Client connected ]
2024-06-27 19:00:34,431: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'220 VI1PR04CA0050.outlook.office365.com Microsoft ESMTP MAIL Service ready at Thu, 27 Jun 2024 17:00:33 +0000\r\n'
2024-06-27 19:00:34,431: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587) <-- b'220 VI1PR04CA0050.outlook.office365.com Microsoft ESMTP MAIL Service ready at Thu, 27 Jun 2024 17:00:33 +0000\r\n'
2024-06-27 19:00:34,431: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587) --> b'EHLO SRV3\r\n'
2024-06-27 19:00:34,431: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587)     --> b'EHLO SRV3\r\n'
2024-06-27 19:00:34,447: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-VI1PR04CA0050.outlook.office365.com Hello [5.178.56.180]\r\n'
2024-06-27 19:00:34,447: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-SIZE 157286400\r\n'
2024-06-27 19:00:34,447: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-PIPELINING\r\n'
2024-06-27 19:00:34,447: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-DSN\r\n'
2024-06-27 19:00:34,447: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-ENHANCEDSTATUSCODES\r\n'
2024-06-27 19:00:34,447: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-STARTTLS\r\n'
2024-06-27 19:00:34,447: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-8BITMIME\r\n'
2024-06-27 19:00:34,447: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-BINARYMIME\r\n'
2024-06-27 19:00:34,447: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-CHUNKING\r\n'
2024-06-27 19:00:34,447: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250 SMTPUTF8\r\n'
2024-06-27 19:00:34,447: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587)     --> b'STARTTLS\r\n'
2024-06-27 19:00:34,478: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'220 2.0.0 SMTP server ready\r\n'
2024-06-27 19:00:34,478: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587) <-> [ Starting TLS handshake ]
2024-06-27 19:00:34,697: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587) [ Successfully negotiated SMTP server STARTTLS connection - re-sending greeting ]
2024-06-27 19:00:34,712: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587)     --> b'EHLO SRV3\r\n'
2024-06-27 19:00:34,759: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587) <-> [ TLSv1.3 handshake complete ]
2024-06-27 19:00:34,791: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-VI1PR04CA0050.outlook.office365.com Hello [5.178.56.180]\r\n'
2024-06-27 19:00:34,791: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-SIZE 157286400\r\n'
2024-06-27 19:00:34,791: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-PIPELINING\r\n'
2024-06-27 19:00:34,791: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-DSN\r\n'
2024-06-27 19:00:34,791: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-ENHANCEDSTATUSCODES\r\n'
2024-06-27 19:00:34,791: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-AUTH LOGIN XOAUTH2\r\n'
2024-06-27 19:00:34,791: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-8BITMIME\r\n'
2024-06-27 19:00:34,791: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-BINARYMIME\r\n'
2024-06-27 19:00:34,791: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250-CHUNKING\r\n'
2024-06-27 19:00:34,791: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'250 SMTPUTF8\r\n'
2024-06-27 19:00:34,791: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587) <-- b'250-VI1PR04CA0050.outlook.office365.com Hello [5.178.56.180]\r\n250-SIZE 157286400\r\n250-PIPELINING\r\n250-DSN\r\n250-ENHANCEDSTATUSCODES\r\n250-AUTH PLAIN LOGIN\r\n250-8BITMIME\r\n250-BINARYMIME\r\n250-CHUNKING\r\n250 SMTPUTF8\r\n'
2024-06-27 19:00:34,791: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587) --> b'AUTH login [[ Credentials removed from proxy log ]]\r\n'
2024-06-27 19:00:34,791: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587) <-- b'334 UGFzc3dvcmQ6\r\n'
2024-06-27 19:00:34,791: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587) --> b'[[ Credentials removed from proxy log ]]'
2024-06-27 19:00:34,791: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587)     --> b'AUTH XOAUTH2\r\n'
2024-06-27 19:00:34,806: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'334 \r\n'
2024-06-27 19:00:35,197: Caught exception while requesting OAuth 2.0 credentials for account [email protected]: OSError(22, 'Invalid argument')
2024-06-27 19:00:35,197: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587)     --> b'*\r\n'
2024-06-27 19:00:40,213: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'535 5.7.3 Authentication unsuccessful [VI1PR04CA0050.eurprd04.prod.outlook.com 2024-06-27T17:00:40.197Z 08DC954D1D4D8E17]\r\n'
2024-06-27 19:00:40,213: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587) <-- b'535 5.7.8  Authentication credentials invalid. Email OAuth 2.0 Proxy: Login failed for account [email protected] - please check your internet connection and retry\r\n'
2024-06-27 19:00:40,213: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587) --> b'MAIL FROM:<[email protected]>\r\n'
2024-06-27 19:00:40,213: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587)     --> b'MAIL FROM:<[email protected]>\r\n'
2024-06-27 19:00:45,243: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587)     <-- b'530 5.7.57 Client not authenticated to send mail. Error: 535 5.7.3 Authentication unsuccessful [VI1PR04CA0050.eurprd04.prod.outlook.com 2024-06-27T17:00:45.228Z 08DC954D1D4D8E17]\r\n'
2024-06-27 19:00:45,243: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587) <-- b'530 5.7.57 Client not authenticated to send mail. Error: 535 5.7.3 Authentication unsuccessful [VI1PR04CA0050.eurprd04.prod.outlook.com 2024-06-27T17:00:45.228Z 08DC954D1D4D8E17]\r\n'
2024-06-27 19:00:45,243: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587) <-- [ Server disconnected ]
2024-06-27 19:00:45,243: SMTP (192.168.184.250:31241-{192.168.X.X:1587}-smtp.office365.com:587) --> [ Client disconnected ]

@simonrob
Owner

Thanks for posting the additional context. Initially, I thought this might be a case where the proxy's cautious approach to security makes it harder to debug (I'd benefit from seeing what is the actual content of the [[ Credentials removed from proxy log ]] lines in order to rule that out).

However, I then noticed that you have put quotes around the jwt_certificate_path and jwt_key_path values. This is not required. Please could you remove the quotes and try again?

simonrob reopened this Jun 27, 2024

@SnakeSK
Author

SnakeSK commented Jun 27, 2024

Thank you for understanding. I did not manually remove anything; I just censored the IP and email address. It is in the logs as you see it pasted.

But without quotes we are getting somewhere. I was fighting the authorization windows since the popup is in IE; it won't let me go past the MFA skip prompt (we have an exception for this account not to require MFA from certain locations, however the registration still pops up). After checking the external authorization, I had to view the source to copy the URL. I copied the URL, I had to click to continue the script execution, and finally after submitting I was authorised :)

I just hope this won't have to be done often. Have you thought about implementing a device login? Or Edge/Chrome WebView?
https://login.microsoftonline.com/common/oauth2/deviceauth

If you need any more info I am available :)

@simonrob
Owner

Thanks for following up – I'm glad you were able to resolve this. I have updated the sample configuration file to point to the configuration file format documentation and explicitly note that quoting of values is not required. Hopefully this will help avoid other people making this mistake.

The proxy has very little control over the authentication/authorisation process – this is up to the provider. However (with the caveat that this depends on your Entra configuration), I'd expect this to have to be done very infrequently – many months apart, if not even less often.

There are known issues with the web browser popup in some configurations, and these are beyond the scope of the proxy to fix. But you could always try one of the other authorisation options if needed.
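A pre-flight check for the quoting mistake resolved in this thread, added here as an example and not the proxy's own code: it assumes the config file is parsed with Python's `configparser`, which keeps surrounding quotes as part of the value. On Windows a double quote is not a legal file-name character, which is consistent with the `OSError(22, 'Invalid argument')` in the log above. The function name, the `_path` suffix rule and the sample section name are assumptions made for the example.

```python
import configparser

# Constructed sample modelled on the account section posted in this thread;
# the section name is a placeholder address.
SAMPLE_CONFIG = r"""
[user@example.com]
token_url = https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id = from_azure_app
jwt_certificate_path = "C:\Program Files (x86)\OAuth Proxy\cert.pem"
jwt_key_path = C:\Program Files (x86)\OAuth Proxy\private.key
"""

# Characters Windows rejects in a file name; a path containing one cannot be opened.
WINDOWS_INVALID = set('"<>|?*')


def lint_config(config_text):
    """Return a list of (section, option, problem, suggested_value) tuples."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    findings = []
    for section in parser.sections():
        for option, value in parser[section].items():
            quoted = len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'"
            if quoted:
                # configparser does not strip quotes: they are part of the value,
                # so a quoted path is handed to open() with the quotes included.
                findings.append((section, option, "value is wrapped in quotes", value[1:-1]))
            elif option.endswith("_path") and WINDOWS_INVALID & set(value):
                findings.append((section, option, "path contains invalid characters", None))
    return findings


if __name__ == "__main__":
    for section, option, problem, suggestion in lint_config(SAMPLE_CONFIG):
        print(f"[{section}] {option}: {problem}"
              + (f"; use: {suggestion}" if suggestion else ""))
```
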
