Re: [mailop] Microsoft Outlook "Modern Authentication"?

2020-06-18 Thread Jesse Thompson via mailop
On 6/17/20 11:15 PM, Dave Warren via mailop wrote:
> A bit late, sorry.
> 
> On Tue, Jun 2, 2020, at 04:55, Ken O'Driscoll via mailop wrote:
>> On Thu, 2020-05-28 at 13:35 -0600, Daniele Nicolodi via mailop wrote:
>>> Does anyone know if there is any alternative to Outlook to access
>>> Exchange Online mailboxes that require modern authentication?
>>
>> Take a look at Davmail, it's basically a proxy that sits in-between your 
>> existing "legacy" MUA and O365. It handles all of the MFA and talks EWA then 
>> presents standards based IMAP, SMTP, CalDAV and CardDAV protocol interfaces 
>> for your MTA to use.
>>
>> I don't know if it will work for your specific environment but it works for 
>> most people that want to continue to use Thunderbird etc. with Exchange.

Davmail seems to work okay for single user systems, but hosting it as a proxy 
for multiple users seems dicey.  I got it running in a container and started 
down the process of fishing out the OAuth URI from the logs so that I could 
somehow render it back to the user to complete the authorization process...  At 
that point I started to get skeptical that it would scale and have adequate 
session isolation.


> Thunderbird beta (78.0b2) supports M365’s OAuth2 support natively, no 
> external shim required.
> 
> The setup is a little weird, you need to set up the account, go to the 
> advanced settings (so that it creates the account despite not working), 
> switch the authentication to OAuth2 for both IMAP and SMTP, it just works. 

Yes, the TB devs did a great job!  I assume that Microsoft offered some 
assistance behind the scenes, so kudos to them too.  I'm using it now.  I think 
they're making some improvements to the setup UX based on the comments I've 
seen in Bugzilla.  Once it comes out of beta and I can combine it with the TBSync 
extension (which syncs the non-email things from M365), it will be my sole MUA 
again.

Jesse

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] Microsoft Outlook "Modern Authentication"?

2020-06-17 Thread Dave Warren via mailop
A bit late, sorry. 

On Tue, Jun 2, 2020, at 04:55, Ken O'Driscoll via mailop wrote:
> On Thu, 2020-05-28 at 13:35 -0600, Daniele Nicolodi via mailop wrote:
>> Does anyone know if there is any alternative to Outlook to access
>> Exchange Online mailboxes that require modern authentication?
> 
> Take a look at Davmail, it's basically a proxy that sits in-between your 
> existing "legacy" MUA and O365. It handles all of the MFA and talks EWA then 
> presents standards based IMAP, SMTP, CalDAV and CardDAV protocol interfaces 
> for your MTA to use.
> 
> I don't know if it will work for your specific environment but it works for 
> most people that want to continue to use Thunderbird etc. with Exchange.
> 

Thunderbird beta (78.0b2) supports M365’s OAuth2 support natively, no external 
shim required.

The setup is a little weird, you need to set up the account, go to the advanced 
settings (so that it creates the account despite not working), switch the 
authentication to OAuth2 for both IMAP and SMTP, it just works.


Re: [mailop] Microsoft Outlook "Modern Authentication"?

2020-06-06 Thread Andrew C Aitchison via mailop


On Fri, 5 Jun 2020, Brandon Long via mailop wrote:

> The weird thing to me is that I thought O365 and outlook.com already
> supported OAUTHBEARER (or equivalent).
> https://docs.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth

That says:

  Learn how to use OAuth authentication to connect with IMAP, POP or
  SMTP protocols and access email data for Office 365 users.

  OAuth2 support for IMAP, POP, SMTP protocols as described below
  is not supported for Outlook.com users.

- so O365 yes, outlook.com no. :-(

--
Andrew C. Aitchison Kendal, UK
and...@aitchison.me.uk



Re: [mailop] Microsoft Outlook "Modern Authentication"?

2020-06-05 Thread Brandon Long via mailop
On Thu, Jun 4, 2020 at 9:30 PM Daniele Nicolodi via mailop <mailop@mailop.org> wrote:

> On 02/06/2020 02:41, Andrew C Aitchison via mailop wrote:
> >
> > On Thu, 28 May 2020, Daniele Nicolodi asked:
> >> The IT department of the organization that is pushing this says that
> >> modern authentication and disabling IMAP (over SSL) enhance security.
> >> I don't see how this is the case. Does anyone have an opinion?
> >
> > Phil Pennock replied:
> > PP> As to IMAP/TLS -- I know of no security reason to mandate disabling
> > PP> IMAP as opposed to any other access protocol.  This sounds more like
> > PP> the traditional Outlook FUD-spreading re open protocols.
> >
> > For the 95% or more of users who only use Microsoft clients and thus
> > don't use IMAP, disabling IMAP means that dictionary attacks over
> > ports 143 or 993 are impossible.
>
> I don't see the gain as the same attacks are possible over a different
> protocol. I don't think that eliminating IMAP (and keeping SMTP
> submission as far as I know) reduces the attack surface. Am I missing
> something?
>

The attack surface is definitely reduced, but maybe you mean it doesn't
reduce the threat, and that is also true.

I.e., having two ways to do something vs one is definitely reduced, just not
eliminated.

There's also a raft of things which target IMAP right now, and so
eliminating that buys time before there is enough incentive to move the
tools to the new surface. OTOH, O365 is definitely popular enough that the
tools will move. OTOOH, re-using the O365 web login surface means they were
already protecting that and maybe they will have more resources to work on
that.

The longer list of things they included may also indicate their thinking,
that IMAP is just one of a lot of protocols they aren't upgrading.  Who
knows what percentage of their users use each one as well, it's possible it
really doesn't make sense, that some of those other ones actually have
higher usage than IMAP.

The weird thing to me is that I thought O365 and outlook.com already
supported OAUTHBEARER (or equivalent).
https://docs.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth

Brandon


Re: [mailop] Microsoft Outlook "Modern Authentication"?

2020-06-05 Thread Graeme Fowler via mailop
On 5 Jun 2020, at 05:26, Daniele Nicolodi via mailop wrote:
> I don't see the gain as the same attacks are possible over a different
> protocol. I don't think that eliminating IMAP (and keeping SMTP
> submission as far as I know) reduces the attack surface. Am I missing
> something?

Very much so.

For malware families like Emotet and friends, one of the attack vectors is to 
hoover up emails from mailboxes then use those as implant methods by 'replying' 
to them with malware droppers attached. In UK HE we've also seen some similar 
methods utilised in attacks designed to con browsers into giving up the access 
token they're currently using, so actually making use of modern auth techniques!

Modern auth on IMAP and SMTP stops that pretty well dead, as does turning off 
authenticated SMTP (stopping the injection of content for outbound submission) 
and/or IMAP (for hoovering up the content in the first place).

It's a very long game though, this one.

Graeme


Re: [mailop] Microsoft Outlook "Modern Authentication"?

2020-06-05 Thread Andrew C Aitchison via mailop

On Thu, 4 Jun 2020, Daniele Nicolodi via mailop wrote:

> On 02/06/2020 02:41, Andrew C Aitchison via mailop wrote:
>>
>> On Thu, 28 May 2020, Daniele Nicolodi asked:
>>> The IT department of the organization that is pushing this says that
>>> modern authentication and disabling IMAP (over SSL) enhance security.
>>> I don't see how this is the case. Does anyone have an opinion?
>>
>> Phil Pennock replied:
>> PP> As to IMAP/TLS -- I know of no security reason to mandate disabling
>> PP> IMAP as opposed to any other access protocol.  This sounds more like
>> PP> the traditional Outlook FUD-spreading re open protocols.
>>
>> For the 95% or more of users who only use Microsoft clients and thus
>> don't use IMAP, disabling IMAP means that dictionary attacks over
>> ports 143 or 993 are impossible.
>
> I don't see the gain as the same attacks are possible over a different
> protocol. I don't think that eliminating IMAP (and keeping SMTP
> submission as far as I know) reduces the attack surface. Am I missing
> something?

Depends whether it is a dictionary attack or a zero-day exploit.

--
Andrew C. Aitchison Kendal, UK
and...@aitchison.me.uk



Re: [mailop] Microsoft Outlook "Modern Authentication"?

2020-06-04 Thread Daniele Nicolodi via mailop
On 02/06/2020 02:41, Andrew C Aitchison via mailop wrote:
> 
> On Thu, 28 May 2020, Daniele Nicolodi asked:
>> The IT department of the organization that is pushing this says that
>> modern authentication and disabling IMAP (over SSL) enhance security.
>> I don't see how this is the case. Does anyone have an opinion?
> 
> Phil Pennock replied:
> PP> As to IMAP/TLS -- I know of no security reason to mandate disabling 
> PP> IMAP as opposed to any other access protocol.  This sounds more like 
> PP> the traditional Outlook FUD-spreading re open protocols.
> 
> For the 95% or more of users who only use Microsoft clients and thus
> don't use IMAP, disabling IMAP means that dictionary attacks over
> ports 143 or 993 are impossible.

I don't see the gain as the same attacks are possible over a different
protocol. I don't think that eliminating IMAP (and keeping SMTP
submission as far as I know) reduces the attack surface. Am I missing
something?

Cheers,
Dan



Re: [mailop] Microsoft Outlook "Modern Authentication"?

2020-06-02 Thread Ken O'Driscoll via mailop
On Thu, 2020-05-28 at 13:35 -0600, Daniele Nicolodi via mailop wrote:
> Does anyone know if there is any alternative to Outlook to access
> Exchange Online mailboxes that require modern authentication?

Take a look at Davmail, it's basically a proxy that sits in-between
your existing "legacy" MUA and O365. It handles all of the MFA and
talks EWA then presents standards based IMAP, SMTP, CalDAV and CardDAV
protocol interfaces for your MTA to use.

I don't know if it will work for your specific environment but it works
for most people that want to continue to use Thunderbird etc. with
Exchange.

Ken.


Re: [mailop] Microsoft Outlook "Modern Authentication"?

2020-06-02 Thread Andrew C Aitchison via mailop


On Thu, 28 May 2020, Daniele Nicolodi asked:
> The IT department of the organization that is pushing this says that
> modern authentication and disabling IMAP (over SSL) enhance security.
> I don't see how this is the case. Does anyone have an opinion?

Phil Pennock replied:
PP> As to IMAP/TLS -- I know of no security reason to mandate disabling 
PP> IMAP as opposed to any other access protocol.  This sounds more like 
PP> the traditional Outlook FUD-spreading re open protocols.

For the 95% or more of users who only use Microsoft clients and thus
don't use IMAP, disabling IMAP means that dictionary attacks over
ports 143 or 993 are impossible.

On the basis that a computer that is switched off, unplugged and
encased in concrete is more secure from hackers than one that is not,
what that IT department says is accurate.

Different people's minds work in different ways. For those whose minds
don't match Microsoft's model mind, forcing us to use their clients
can kill productivity.

--
Andrew C. Aitchison Kendal, UK
and...@aitchison.me.uk



Re: [mailop] Microsoft Outlook "Modern Authentication"?

2020-06-02 Thread Mark Foster via mailop
> On 2020-05-28 at 13:35 -0600, Daniele Nicolodi via mailop wrote:
>> Does anyone know if there is any alternative to Outlook to access
>> Exchange Online mailboxes that require modern authentication?
>>
>> The IT department of the organization that is pushing this says that
>> modern authentication and disabling IMAP (over SSL) enhance security. I
>> don't see how this is the case. Does anyone have an opinion?
>
> There's two orthogonal things here: using temporary tokens for protocol
> login, and using IMAP.
>
> If you move a lot of the authentication into one common system which can
> present short-lived tokens for other application protocols to use, then
> you can start piling in more checks in one place.  It becomes easier to
> require two-factor authentication, etc etc.  Typically you then get an
> OAuth token out of that.
>
> You can use OAuth tokens in other protocols; within email and IMAP,
> Google use the `OAUTHBEARER` SASL mechanism, and Brandon Long of Google
> contributed support to mutt (requires external commands to handle the
> flow, in the usual mutt manner).
>
> As to IMAP/TLS -- I know of no security reason to mandate disabling IMAP
> as opposed to any other access protocol.  This sounds more like the
> traditional Outlook FUD-spreading re open protocols.
>
> -Phil
>

Start with
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication

Azure AD supports several of the most widely used authentication and
authorization protocols including legacy authentication. Legacy
authentication refers to protocols that use basic authentication.
Typically, these protocols can't enforce any type of second factor
authentication. Examples for apps that are based on legacy authentication
are:

Older Microsoft Office apps
Apps using mail protocols like POP, IMAP, and SMTP

...

Legacy authentication protocols
The following options are considered legacy authentication protocols

Authenticated SMTP - Used by POP and IMAP clients to send email messages.
Autodiscover - Used by Outlook and EAS clients to find and connect to
mailboxes in Exchange Online.
Exchange Online PowerShell - Used to connect to Exchange Online with
remote PowerShell. If you block Basic authentication for Exchange Online
PowerShell, you need to use the Exchange Online PowerShell Module to
connect. For instructions, see Connect to Exchange Online PowerShell using
multi-factor authentication.
Exchange Web Services (EWS) - A programming interface that's used by
Outlook, Outlook for Mac, and third-party apps.
IMAP4 - Used by IMAP email clients.
MAPI over HTTP (MAPI/HTTP) - Used by Outlook 2010 and later.
Offline Address Book (OAB) - A copy of address list collections that are
downloaded and used by Outlook.
Outlook Anywhere (RPC over HTTP) - Used by Outlook 2016 and earlier.
Outlook Service - Used by the Mail and Calendar app for Windows 10.
POP3 - Used by POP email clients.
Reporting Web Services - Used to retrieve report data in Exchange Online.
Other clients - Other protocols identified as utilizing legacy
authentication.

Regards
Mark.




Re: [mailop] Microsoft Outlook "Modern Authentication"?

2020-06-02 Thread Phil Pennock via mailop
On 2020-05-28 at 13:35 -0600, Daniele Nicolodi via mailop wrote:
> Does anyone know if there is any alternative to Outlook to access
> Exchange Online mailboxes that require modern authentication?
> 
> The IT department of the organization that is pushing this says that
> modern authentication and disabling IMAP (over SSL) enhance security. I
> don't see how this is the case. Does anyone have an opinion?

There's two orthogonal things here: using temporary tokens for protocol
login, and using IMAP.

If you move a lot of the authentication into one common system which can
present short-lived tokens for other application protocols to use, then
you can start piling in more checks in one place.  It becomes easier to
require two-factor authentication, etc etc.  Typically you then get an
OAuth token out of that.

You can use OAuth tokens in other protocols; within email and IMAP,
Google use the `OAUTHBEARER` SASL mechanism, and Brandon Long of Google
contributed support to mutt (requires external commands to handle the
flow, in the usual mutt manner).

As to IMAP/TLS -- I know of no security reason to mandate disabling IMAP
as opposed to any other access protocol.  This sounds more like the
traditional Outlook FUD-spreading re open protocols.

-Phil
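Added example (not part of Phil's post or any project's code) showing what the `OAUTHBEARER` SASL exchange mentioned above actually carries, alongside its pre-standard XOAUTH2 sibling, and the checks a server can make on the token before granting IMAP/SMTP access. All user, host, token and claim values are constructed; the claim names used in the binding check are assumptions about the token issuer.

```python
"""OAUTHBEARER (RFC 7628) initial client response for IMAP/SMTP OAuth2 login,
the pre-standard XOAUTH2 variant, and a server-side parse plus token binding
check.  Added example; every value here is constructed, nothing is captured."""
import base64
from typing import Dict, Optional

KVSEP = "\x01"  # RFC 7628 terminates every key=value pair with ^A (0x01)

def build_oauthbearer(user: str, host: str, port: int, token: str) -> str:
    """Client side: gs2-header ^A host=.. ^A port=.. ^A auth=Bearer .. ^A ^A.
    The gs2 header "n,a=<user>," means no channel binding, authorize as <user>."""
    return (f"n,a={user},{KVSEP}host={host}{KVSEP}port={port}{KVSEP}"
            f"auth=Bearer {token}{KVSEP}{KVSEP}")

def build_xoauth2(user: str, token: str) -> str:
    """Pre-standard XOAUTH2 mechanism (the one Exchange Online's IMAP/POP/SMTP
    OAuth doc describes): no gs2 header and no host/port, same ^A framing."""
    return f"user={user}{KVSEP}auth=Bearer {token}{KVSEP}{KVSEP}"

def sasl_line(mechanism: str, initial_response: str) -> str:
    """What goes on the wire: the response base64-encoded in the AUTHENTICATE
    command (imaplib.IMAP4.authenticate performs this encoding for you)."""
    b64 = base64.b64encode(initial_response.encode()).decode()
    return f"A1 AUTHENTICATE {mechanism} {b64}"

def parse_oauthbearer(msg: str) -> Dict[str, str]:
    """Server side: recover the authzid and kv pairs, rejecting bad framing."""
    if not msg.endswith(KVSEP * 2):
        raise ValueError("initial response must end with an empty kvpair")
    gs2, _, body = msg.partition(KVSEP)
    gs2_parts = gs2.split(",")
    if len(gs2_parts) < 2 or gs2_parts[0] != "n":
        raise ValueError("expected gs2 header 'n,a=<authzid>,' (no channel binding)")
    fields: Dict[str, str] = {}
    if gs2_parts[1].startswith("a="):
        fields["authzid"] = gs2_parts[1][2:]
    for pair in body.split(KVSEP)[:-2]:  # drop the two trailing empty items
        key, sep, value = pair.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed kvpair: {pair!r}")
        fields[key] = value
    scheme, _, token = fields.get("auth", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("auth must be 'Bearer <token>'")
    fields["token"] = token
    return fields

def check_token_binding(fields: Dict[str, str], claims: Dict[str, object],
                        expected_aud: str, now: float) -> Optional[str]:
    """Once the token's signature has been verified against the issuer's keys
    (not shown), refuse login if it is expired, was minted for another
    resource, or names a different user than the authzid being requested.
    Claim names (exp, aud, preferred_username) are assumptions about the
    issuer, not taken from the thread.  Returns a rejection reason or None."""
    exp = claims.get("exp", 0)
    if not isinstance(exp, (int, float)) or exp <= now:
        return "token expired"
    if claims.get("aud") != expected_aud:
        return "token audience does not match this service"
    if "authzid" in fields and claims.get("preferred_username") != fields["authzid"]:
        return "token subject does not match requested authzid"
    return None
```

Unlike a PLAIN/LOGIN password, the bearer token a client presents here is short-lived and scoped to one audience, which is why the binding check above, not the transport, is what makes the leaked-credential case less damaging.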



Re: [mailop] Microsoft Outlook "Modern Authentication"?

2020-06-01 Thread Daniele Nicolodi via mailop
On 25/05/2020 04:16, Andrew C Aitchison via mailop wrote:
> On Mon, 25 May 2020, Daniele Nicolodi via mailop wrote:
>> Does anyone know what "modern authentication" means in the context of the
>> Office365 / Microsoft email accounts?
> 
> https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online
> suggests that it is based on the Active Directory Authentication Library 
> (ADAL) and OAuth 2.0.
> 
> That page has many links to pages of information on using "modern 
> authentication" with Microsoft clients :-)

I read a bit more about this and "modern authentication" means also that
the IMAP protocol to connect to the mailboxes is disabled.

Does anyone know if there is any alternative to Outlook to access
Exchange Online mailboxes that require modern authentication?

The IT department of the organization that is pushing this says that
modern authentication and disabling IMAP (over SSL) enhance security. I
don't see how this is the case. Does anyone have an opinion?

Thank you.

Cheers,
Dan



Re: [mailop] Microsoft Outlook "Modern Authentication"?

2020-05-25 Thread Andrew C Aitchison via mailop

On Mon, 25 May 2020, Daniele Nicolodi via mailop wrote:

> Hello,
>
> sorry for the slight OT.
>
> I have an email account with an organization that uses Office365 for
> their email. I recently received an email stating that they will be
> phasing out "basic authentication" and that "modern authentication" will
> be required starting from July 1st. There isn't any information about
> what "modern authentication" is, except that using a Microsoft Outlook
> client is the recommended way to use it.
>
> Does anyone know what "modern authentication" means in the context of the
> Office365 / Microsoft email accounts?

https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online
suggests that it is based on the Active Directory Authentication Library 
(ADAL) and OAuth 2.0.

That page has many links to pages of information on using "modern 
authentication" with Microsoft clients :-)

https://docs.microsoft.com/en-us/graph/auth-v2-user
is a guide for developers on how to get their app to use OAuth2.0 
access on behalf of a user (for MS Graph, but there is an example
which allows the app to read the mail of the signed in user).

https://developer.microsoft.com/en-us/graph/blogs/end-of-support-for-basic-authentication-access-to-exchange-online-apis-for-office-365-customers/
(published September 20, 2019) says:

  Today, we are announcing that on October 13th, 2020 we will stop
  supporting and retire Basic Authentication for Exchange Active Sync
  (EAS), Post Office Protocol (POP), Internet Message Access Protocol
  (IMAP), and Remote PowerShell (RPS) in Exchange Online. This means
  that new or existing applications using one or more of these
  API’s/protocols will not be able to use Basic Authentication when
  connecting to Office 365 mailboxes or endpoints and will need to
  update how they authenticate.

  Please note this change does not affect SMTP AUTH and we will
  continue to support Basic Authentication for it in Exchange Online
  at this time. With the large number of solutions, devices, and
  appliances that use SMTP for sending mail we are working on ways to
  further secure SMTP AUTH and will continue to update you as we make
  progress. This change also does not impact on-premises versions of
  Exchange Server and only applies to Exchange Online.


--
Andrew C. Aitchison Kendal, UK
and...@aitchison.me.uk