Re: using oauth2 with vm

[Tim Cross]

<prayner@unimelb.edu.au> writes:

> Looks like MS is requiring oauth2 or similar from next week. Looks
> like smtpmail has a potential workaround for this and there seems to
> be an enhancement for sasl to deal with it. Has anyone got this to
> work with the exchange server remaining as the remote spool file or is
> it recommended to switch to a separate tool like mbsync and use the
> local spool file? As usual I've left this change and research to the
> last minute so replies within a few days welcome.
> regards
> Peter

Hi Peter,

probably your best bet is to use davMail. http://davmail.sourceforge.net
It works like a sort of proxy - you configure it to get the data from
o365 and then configure VM to get the mail from davMail's imap. You use
davMail SMTP, which in turn uses o365's smtp.

One advantage of davMail is that it uses the OWA API (same as outlook).
MS is pushing hard to not support imap and will be placing pressure on
your University to turn off imap support completely. While you can
probably use other ways to get messages via imap using oauth2, that
won't help if imap support is disabled. Also, setting up and maintaining
an oauth2 connection from within Emacs, regardless of MUA being used, is
possible, but a pain to setup and maintain. Part of the problem is that
you have to get a special token, which needs to be refreshed from
time-to-time and which requires a web connection (probably with JS
support). So essentially, you have to visit a web page, get a token,
copy it and use that as the password. To make matters worse, most oauth2
providers also require either that the application used to get the token
is registered (with a registered application token) or you register as a
developer, which gives you a token which you can then use to get the
authentication and refresh toeksn needed for proper oauth2 integration.

The whole thing is a pain and particularly painful under Emacs because
it is essentially a web based authentication workflow which often relies
on JS support. It can be cobbled together in Emacs, but is tedious and
error prone. Google is also planning to turn off password based
IMAP/SMTP services and only supporting oauth2. However, I think they
have delayed their rollout due to covid.

The davMail solution seems to be the most robust solution I've found for
MS exchange based services. Most Linux distributions have davMail
packages and I think the davMail site has download packages for most
Linux package managers (rpm, deb).

There has been lots of discussion on the emacs devel list about getting
Emacs registered as an application with Google and MS to make oauth2
support easier to implement. However, the T&C for Google (and MS I
think) specifically prohibit making the registration 'secret' token
available - which means it is difficult to include it with Emacs. There
is some debate regarding this and interpretation of the T&C, but no sign
of any progress along these lines.