On 9/25/2023 9:59 AM, Volker Schmid via curl-library wrote:
we are using libcurl in version 7.71.1 (32 bit) on Windows to send
email using SMTP. The login fails to some customers office365.com
server. Here is the log. I replaced some sensitive information with
xxxxxxx, please apologise.
CURL: Trying 52.97.201.114:25...
CURL: Connected to smtp.office365.com (52.97.201.114) port 25 (#0)
CURL: 220 AM9P195CA0024.outlook.office365.com Microsoft ESMTP MAIL
Service ready at Thu, 21 Sep 2023 13:58:47 +0000
CURL: EHLO XXXXXXXXXX-102
CURL: 250-AM9P195CA0024.outlook.office365.com Hello [185.173.180.160]
CURL: 250-SIZE 157286400
CURL: 250-PIPELINING
CURL: 250-DSN
CURL: 250-ENHANCEDSTATUSCODES
CURL: 250-STARTTLS
CURL: 250-8BITMIME
CURL: 250-BINARYMIME
CURL: 250-CHUNKING
CURL: 250 SMTPUTF8
CURL: STARTTLS
CURL: 220 2.0.0 SMTP server ready
CURL: EHLO XXXXXXXXXX-102
CURL: 250-AM9P195CA0024.outlook.office365.com Hello [185.173.xxx.xxx]
CURL: 250-SIZE 157286400
CURL: 250-PIPELINING
CURL: 250-DSN
CURL: 250-ENHANCEDSTATUSCODES
CURL: 250-AUTH LOGIN XOAUTH2
CURL: 250-8BITMIME
CURL: 250-BINARYMIME
CURL: 250-CHUNKING
CURL: 250 SMTPUTF8
CURL: AUTH LOGIN
CURL: 334 xxxxxxxxxxxxxxxx
CURL: xxxxxxxxxxxxxxxxxxxxxx==
CURL: 334 xxxxxxxxxxxxxxxx
CURL: xxxxxxxxxxxxxxxxx=
CURL: Operation timed out after 8002 milliseconds with 0 out of 0
bytes received
CURL: Closing connection 0
CURL: schannel: shutting down SSL/TLS connection with
smtp.office365.com port 25
Error performing GET. Curl ec:28
CURL Error Buffer content: Operation timed out after 8002
milliseconds with 0 out of 0 bytes received
It looks like only AUTH LOGIN XOAUTH2 is supported and the lib is
trying AUTH LOGIN. This was answered with silence for > 8 seconds and
then timed out.
Is there some flag or option we need to turn on in libcurl to allow
SMTP sending through such email server?
I already found the CURLOPT_XOAUTH2_BEARER option, but to be honest I
don't know the process to get the values needed. From where do I get a
Bearer Token? Do I have to ask the customer on every sending for some
token? Or is this some setting the customer enters like a username and
I have to save and use it? How does this work?
If you're seeing it only on some accounts then maybe there's a setting
to shut it off. Google had a similar situation for a while and now on
most accounts they require the tokens for security since by using them
you can limit the scope of what can be accessed on the account.
I can't speak to MS but for Google there has to be some initial
interactive authentication (as in, a browser or something will open) on
the user's end where they are logged in to their account and authorize
access to an "app" registered beforehand (you can do this as a
developer) that can access specific scopes of the account (eg app can
only access gmail e-mail). Once the interactive auth is complete it
gives an access token (ephemeral) and a refresh token (use to get more
access tokens when they expire). Depending on how long the refresh token
will last you could use it to generate more access tokens.
I don't know of what library in C can do this. Once the interaction
phase is over you could work with the user's refresh token via libcurl
to request new access tokens via libcurl, if MS API allows it. For
Google I wrote some perl scripts that use curl to retrieve tokens [1].
[1]: https://github.com/jay/curl_google_oauth
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
