Sep 30

MailBot 16.54. Mandatory authentication via OAuth2 for Outlook mail servers. Part 1.

Updates Добавить комментарий

MailBot has been updated to version 16.54.

OAuth2 logo

Since September 20, 2024, Microsoft has almost completely disabled authentication via regular password (PLAIN method) on its IMAP, SMTP and POP3 servers, leaving only the OAuth2 option (XOAUTH2 method). As of today, only a few servers remain unpatched, and it is almost impossible to authenticate with a regular password on Outlook mail servers.

If you try to authenticate with a regular password, for example, the Outlook SMTP server will respond with this error:

535 5.7.139 Authentication unsuccessful, basic authentication is disabled.

and the Outlook IMAP server will respond with this one:

001 NO AUTHENTICATE failed.

To some extent, this also affected MailBot, since the verification of recovery emails in the program is carried out via the IMAP protocol.

In connection with this, a new setting “Authentication” appeared in the recovery email source settings window in MailBot, which is a list with two values:

  • Plain password
  • OAuth2

New authentication method setting for IMAP in MailBot

When connecting Outlook accounts as recovery emails, you now need to select only OAuth2, and the format of the recovery emails in the file should look like this:

username@hotmail.com:password:refresh_token

A semicolon is also supported as a separator.

An example of what Microsoft’s OAuth2 refresh token looks like:

M.C522_SN1.0.U.-Ctgv3XGdVpv*7WjPJo4asf*R2J0ShdPOe*rrDBPC0wvA9FpqQ!BcTeQP8SKxf0A1nT293ChAVCPxzJk12dQaoLCZRHJvSaUWh*z*PV6Wt63jQvW7k4W4TeQchDxf44fWzjkyWm9LDrkd0nj4W!sRBNqaVg8UjFUA4e340BCVjcNwVFg8c!1sloS2evwBwRlXEldnJxxMrpmwMKwlbd05CTaYYV40Zj8GC54p!MkJ1*AHq0qQyd*fG6uJNI4X5Eati6YZDawhuB32877upqbcATebtQnuxP82plt!zSSR9nKwKQQWRV8nnN*EZhWxISn8mCinTwAEA4WKb9JmILxjXu!kk2xoUoSSI37RVLVRx*s!7wEravRZtSNKzgUQ6JwxSsMSvwyOr*ixGiIBYN5RGoxB*ZXfQ2DXfKPVg9YviqMd

Where can I get this refresh token?

Now some Outlook account shops have already started selling accounts bundled with a ready-made refresh token, for example, a purchased account may look like this:

[{"Email":"liempigrembi@outlook.com","Password":"password","RefreshToken":"M.C541_SN1.0.U.-Cp7fz0BmTWxFSgsyNdI5mTjhia8TV33owTlD2VV2ss6iupptTsjDdL0w5SjETwbfM*5OAbkl6!C48Nfs8wDlD*5E!vjnHl4bNqR7QbDcodxShzipvdBdBdDSUS1BOqx87HVlf4aQU7csynm3u*GbszSJgYOI9JgBzSeivk7yFxP90DncQqtmV8N2NuVg*nI9b3QqxtvThR2hQCk4NrKGqndRlDgOu7lWdVIqT*9zmJeDbZ11fO3sjOa4ZMs2*xuBDeOcL273LabT6V8ZN6p9mnxrHvCfGTVXF7jikaUn88OrlRZJXWHqTr73D7rNWNU1lZLt6WmpE6PQsUcgn*lIpAfKG!5AciVkUEGKutMWGWhH8MQquWJtU6P6ScmIz6tCjG2FNNuUq2vTMWmpWRW!rEEZdjib9Z8lCvMAlhtPIVl*","AccessToken":null,"R_Expire":"9e5f94bc-e8a4-4e73-b8be-63364c29d753","ClientId":"9e5f94bc-e8a4-4e73-b8be-63364c29d753"}]

All you need to do is copy the value from the “RefreshToken” field to the end of the line with the Outlook recovery mailbox.

Most likely, in the future, all shops will supply Outlook accounts bundled with an OAuth2 refresh token, but I understand that MailBot should also be able to generate a refresh token for the Outlook accounts it creates, so this article will have a second part when such functionality is implemented.

Attention! MailBot assumes that the refresh token was received for the Mozilla ThunderBird IMAP client, which has the ClientId 9e5f94bc-e8a4-4e73-b8be-63364c29d753 in Outlook.
If the refresh token was obtained for a different ClientId, authentication will not be successful.
It is also assumed that the refresh token was received with permissions that include IMAP access.

The OAuth2 method is now supported for the ride for Mail.ru, Yahoo and AOL.com IMAP servers, the format of recovery emails in the file is the same as for Outlook, the refresh token must also be received for the Mozilla ThunderBird ClientId. For these email providers, authentication via plain password is still possible, so selecting “OAuth2” in the “Authentication” setting is not necessary for them.

Also is implemented in MailBot 16.54:

  • full support for new CAPTCHA type: CloudFlare Turnstile
  • a “Default” button has been added to the “Profile” tab, which inserts the string %DEFAULT% into the “Template” field
  • a new setting “Connect to IMAP server via current thread proxy” has been added to the form for editing the recovery email source
  • a new setting “STARTTLS” has appeared in the recovery email source editing window
  • support for the feedbackTask method in the CapSolver API
  • for VAK-SMS an additional mirror domain moresms.net has been added
  • added Google Chrome 128 fingerprint

Fixed:

  • the “X seconds before first request of result” timeout on the CAPTCHA service account edit form can now be set to 0 seconds (previously it was at least 1 second)
  • a rare error with the text like Code from the verification letter on recovery email "username@email.com" is "" when searching for a letter with a verification code
  • WP.pl and O2.pl modules
  • error EEmailAPIRecoveryEmailSendCode: {"State":200} after sending an email with a verification code to a recovery mailbox
  • detection of an external IP address in Outlook creator
  • re-confirmation of recovery email when linking it to an Outlook account
  • a rare EFormURLNotFound error when retrieving a signup form in Yahoo/AOL.com creators
  • Yandex checker and creating app passwords in Yandex module
  • transliteration of first and last names for most European languages ​​(as well as pinyin) when generating a username for email account

Related posts:

  • MailBot 16.57. Mandatory authentication via OAuth2 for Outlook mail servers. Part 2.
  • MailBot 11.1. Separate passwords for LSA (less secure apps, POP3 / IMAP / SMTP) in Yahoo and AOL.com
  • MailBot 12.32. FunCAPTCHA in Outlook, hCaptcha in Inbox.lv and cancellation of current SMS activations when threads are stopped

    • автор tavel \\ теги: , , , , , , , , , , , , , ,


    Write a reply

    You must be logged in to comment.