starred/mailpit
1
0
Fork 0
mirror of https://github.com/axllent/mailpit.git synced 2026-04-26 00:35:51 +03:00
Code Issues Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #171] Feature request: Support of modern auth / OAuth authentication for using office.com as relay #117

New issue
Closed
opened 2026-03-15 12:39:44 +03:00 by kerem · 9 comments
kerem commented 2026-03-15 12:39:44 +03:00
Owner
Copy link

Originally created by @akaer on GitHub (Sep 26, 2023).
Original GitHub issue: https://github.com/axllent/mailpit/issues/171

Currently the usage of Office 365 / office.com as relay is challenging because of the missing support of "modern auth" / OAuth.

So the best would be to follow the implementation suggestions from Microsoft for Authenticate a SMTP connection using OAuth: https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth#smtp-protocol-exchange

Originally created by @akaer on GitHub (Sep 26, 2023). Original GitHub issue: https://github.com/axllent/mailpit/issues/171 Currently the usage of Office 365 / office.com as relay is challenging because of the missing support of "modern auth" / OAuth. So the best would be to follow the implementation suggestions from Microsoft for Authenticate a SMTP connection using OAuth: https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth#smtp-protocol-exchange
kerem 2026-03-15 12:39:44 +03:00
  • closed this issue
  • added the
    wontfix
         label
kerem commented 2026-03-15 12:40:00 +03:00
Author
Owner
Copy link

@axllent commented on GitHub (Sep 27, 2023):

I'll see what I can do. Unfortunately I don't think I'll be able to test this as I don't have/use Office 365, so I'll need you to test once I have implemented this. I've found this which should help me with the necessary bits.

<!-- gh-comment-id:1736771106 --> @axllent commented on GitHub (Sep 27, 2023): I'll see what I can do. Unfortunately I don't think I'll be able to test this as I don't have/use Office 365, so I'll need you to test once I have implemented this. I've found [this](https://github.com/jacobalberty/smtpoauth2) which should help me with the necessary bits.
kerem commented 2026-03-15 12:40:05 +03:00
Author
Owner
Copy link

@akaer commented on GitHub (Sep 27, 2023):

That sounds great. I try to help were I can!

<!-- gh-comment-id:1736971299 --> @akaer commented on GitHub (Sep 27, 2023): That sounds great. I try to help were I can!
kerem commented 2026-03-15 12:40:10 +03:00
Author
Owner
Copy link

@axllent commented on GitHub (Sep 28, 2023):

@akaer I'm just looking at this again and I think there may be an issue. Setting a token as part of the oauth2 SMTP authentication looks easy enough - but what I am concerned about is where that token is generated.

Up until now I had assumed that you pre-generated that token in Office365 (ie: like an "app password"), however looking more into that link you sent, it appears that a token needs to be generated via the application (Mailpit) with an integration into the Microsoft authentication system.

If this is true - that you can't just get the access code from somewhere and paste it into the email relay configuration - then I'm afraid this is not an option for Mailpit. Microsoft is only one of many large-scale services that use Oauth/Oauth2, and I'm not going to entertain the idea of adding custom integrations for any of these as I simply cannot maintain or support this, then you're better off using another SMTP relay server such as Mailgun.

Please can you confirm if you generate the token yourself, or whether the application needs to do this?

<!-- gh-comment-id:1738380901 --> @axllent commented on GitHub (Sep 28, 2023): @akaer I'm just looking at this again and I think there may be an issue. Setting a token as part of the oauth2 SMTP authentication looks easy enough - but what I am concerned about is where that token is generated. Up until now I had assumed that you pre-generated that token in Office365 (ie: like an "app password"), however looking more into that link you sent, it appears that a token needs to be generated via the application (Mailpit) with an integration into the [Microsoft authentication system](https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth#get-an-access-token). If this is true - that you can't just get the access code from somewhere and paste it into the email relay configuration - then I'm afraid this is not an option for Mailpit. Microsoft is only one of many large-scale services that use Oauth/Oauth2, and I'm not going to entertain the idea of adding custom integrations for any of these as I simply cannot maintain or support this, then you're better off using another SMTP relay server such as [Mailgun](https://www.mailgun.com). Please can you confirm if you generate the token yourself, or whether the application needs to do this?
kerem commented 2026-03-15 12:40:15 +03:00
Author
Owner
Copy link

@ulken commented on GitHub (Sep 28, 2023):

I haven't worked with OAuth2 in SMTP specifically, but pretty sure it's up to the application to request an access token.

That being said, I think you can get away with providing a generic OAuth2 integration. Probably still means quite some initial work, but should leave you with less maintenance 🤷

Here's an example of "regular" generic OAuth2 in Grafana:

https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/generic-oauth

<!-- gh-comment-id:1738799008 --> @ulken commented on GitHub (Sep 28, 2023): I haven't worked with OAuth2 in SMTP specifically, but pretty sure it's up to the application to request an access token. That being said, I think you can get away with providing a generic OAuth2 integration. Probably still means quite some initial work, but should leave you with less maintenance 🤷 Here's an example of "regular" generic OAuth2 in Grafana: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/generic-oauth
kerem commented 2026-03-15 12:40:20 +03:00
Author
Owner
Copy link

@ulken commented on GitHub (Sep 28, 2023):

In this particular case, I think this is the kind of flow that is applicable:

https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth#use-client-credentials-grant-flow-to-authenticate-smtp-imap-and-pop-connections

You must use https://outlook.office365.com/.default in the scope property in the body payload for the access token request.

I think most of the setup is done on the user end and necessary parameters can be supplied to Mailpit via env vars/option flags or maybe config file.

<!-- gh-comment-id:1738806428 --> @ulken commented on GitHub (Sep 28, 2023): In this particular case, I think this is the kind of flow that is applicable: https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth#use-client-credentials-grant-flow-to-authenticate-smtp-imap-and-pop-connections > You must use https://outlook.office365.com/.default in the scope property in the body payload for the access token request. I think most of the setup is done on the user end and necessary parameters can be supplied to Mailpit via env vars/option flags or maybe config file.
kerem commented 2026-03-15 12:40:25 +03:00
Author
Owner
Copy link

@akaer commented on GitHub (Sep 28, 2023):

@axllent You are absolutely right and I can absolutely understand that it is not desired to bring in additional code to support such third party authentication mechanisms. Especially with OAuth2 it looks like everyone is doing it a bit differently.

So I looked around a bit and found this nice library called Email OAuth 2.0 Proxy. And since I'm running Mailpit as a Docker container, there's also a ready-made Docker container for it here Email OAuth 2.0 Proxy - Docker.
I was able to use this proxy with Mailpit - so for me everything is fine and working.

If you still want to implement an OAuth2 mechanism, I'm happy to help with further testing.

<!-- gh-comment-id:1738972126 --> @akaer commented on GitHub (Sep 28, 2023): @axllent You are absolutely right and I can absolutely understand that it is not desired to bring in additional code to support such third party authentication mechanisms. Especially with OAuth2 it looks like everyone is doing it a bit differently. So I looked around a bit and found this nice library called [Email OAuth 2.0 Proxy](https://github.com/simonrob/email-oauth2-proxy). And since I'm running Mailpit as a Docker container, there's also a ready-made Docker container for it here [Email OAuth 2.0 Proxy - Docker](https://github.com/blacktirion/email-oauth2-proxy-docker). I was able to use this proxy with Mailpit - so for me everything is fine and working. If you still want to implement an OAuth2 mechanism, I'm happy to help with further testing.
kerem commented 2026-03-15 12:40:31 +03:00
Author
Owner
Copy link

@axllent commented on GitHub (Sep 28, 2023):

Thank you both for the information, and it 100% confirms my suspicions - this is a major piece of work to implement, even if it is "just" a generic oauth implementation.

The problem I foresee here is this: Let's say I did add generic oauth functionality, if you see the combined documentation required on the Grafana website, it is really a lot, and very complicated for most. This is largely why Grafana has preconfigured oauth for several of the most common ones (which makes sense), but for me to add that means a lot more code in the codebase (I'll refer to my previous comments), and a lot more to maintain.

The sole purpose of Mailpit is to provide a very functional, easy to use, easy to integrate mail testing tool, for users to capture emails and view them, or run automated testing. The mail release was an afterthought which I originally was not planning on adding, but it became clear users wanted/needed a way to do this, so this was added. Mail release is however only a very small part of the project, and far from its core purpose.

Not even including all the time needed to implement oauth into the code and documentation, adding oauth to the message release means that I would have a continuous flow of support questions ("I can't get it to work", "where do I find this option in provider X", "I run Mailpit behind a proxy and can't access..." etc etc), none of which I can support, and none of which I want to support. It is not the focus of the project, and there are easy alternative ways users can release messages using the standard SMTP protocol with "normal" authentication using any of the hundreds of existing SMTP services available (many with free tiers), or just implementing your own SMTP service. As @akaer just pointed out, there is already an existing proxy one can use for those really wanting to use oauth.

I realise it is not ideal for you, but by not implementing this, it saves me hundreds of hours of development work and support, a lot of stress, and allows me to continue developing Mailpit for what it is intended for.

I trust that my reasoning for not adding this feature makes sense? As much as I would love to support everyone's wishes, it is not always possible or feasible.

<!-- gh-comment-id:1739879338 --> @axllent commented on GitHub (Sep 28, 2023): Thank you both for the information, and it 100% confirms my suspicions - this is a major piece of work to implement, even if it is "just" a generic oauth implementation. The problem I foresee here is this: Let's say I did add generic oauth functionality, if you see the combined documentation required on the Grafana website, it is really a lot, and very complicated for most. This is largely why Grafana has preconfigured oauth for several of the most common ones (which makes sense), but for me to add that means a lot more code in the codebase (I'll refer to my previous comments), and a lot more to maintain. The sole purpose of Mailpit is to provide a very functional, easy to use, easy to integrate mail testing tool, for users to capture emails and view them, or run automated testing. The mail release was an afterthought which I originally was not planning on adding, but it became clear users wanted/needed a way to do this, so this was added. Mail release is however only a very small part of the project, and far from its core purpose. Not even including all the time needed to implement oauth into the code and documentation, adding oauth to the message release means that I would have a continuous flow of support questions ("I can't get it to work", "where do I find this option in provider X", "I run Mailpit behind a proxy and can't access..." etc etc), none of which I can support, and none of which I want to support. It is not the focus of the project, and there are easy alternative ways users can release messages using the standard SMTP protocol with "normal" authentication using any of the hundreds of existing SMTP services available (many with free tiers), or just implementing your own SMTP service. As @akaer just pointed out, there is already an existing proxy one can use for those really wanting to use oauth. I realise it is not ideal for you, but by not implementing this, it saves me hundreds of hours of development work and support, a lot of stress, and allows me to continue developing Mailpit for what it is intended for. I trust that my reasoning for not adding this feature makes sense? As much as I would love to support everyone's wishes, it is not always possible or feasible.
kerem commented 2026-03-15 12:40:36 +03:00
Author
Owner
Copy link

@akaer commented on GitHub (Sep 28, 2023):

@axllent Perfectly summarized and to the point. I absolutely agree with you that Mailpit has a different focus here and that's good. Since I opened the ticket, I'm happy for it to be closed, since using other components like the proxy for OAuth2 solved the problem.

Regardless, I would just like to say thank you! Thank you for the quick response and detailed discussion. Mailpit is a really great product with an even better developer. Just thanks for that!

<!-- gh-comment-id:1739905708 --> @akaer commented on GitHub (Sep 28, 2023): @axllent Perfectly summarized and to the point. I absolutely agree with you that Mailpit has a different focus here and that's good. Since I opened the ticket, I'm happy for it to be closed, since using other components like the proxy for OAuth2 solved the problem. Regardless, I would just like to say thank you! Thank you for the quick response and detailed discussion. Mailpit is a really great product with an even better developer. Just thanks for that!
kerem commented 2026-03-15 12:40:41 +03:00
Author
Owner
Copy link

@axllent commented on GitHub (Sep 28, 2023):

Thanks for your kind words @akaer, not to mention the sponsorship ❤️ I really appreciate that, and am glad Mailpit is helping you too!

<!-- gh-comment-id:1739946285 --> @axllent commented on GitHub (Sep 28, 2023): Thanks for your kind words @akaer, not to mention the sponsorship :heart: I really appreciate that, and am glad Mailpit is helping you too!
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
develop
master
v1.29.7
v1.29.6
v1.29.5
v1.29.4
v1.29.3
v1.29.2
v1.29.1
v1.29.0
v1.28.4
v1.28.3
v1.28.2
v1.28.1
v1.28.0
v1.27.11
v1.27.10
v1.27.9
v1.27.8
v1.27.7
v1.27.6
v1.27.5
v1.27.4
v1.27.3
v1.27.2
v1.27.1
v1.27.0
v1.26.2
v1.26.1
v1.26.0
v1.25.1
v1.25.0
v1.24.2
v1.24.1
v1.24.0
v1.23.2
v1.23.1
v1.23.0
v1.22.3
v1.22.2
v1.22.1
v1.22.0
v1.21.8
v1.21.7
v1.21.6
v1.21.5
v1.21.4
v1.21.3
v1.21.2
v1.21.1
v1.21.0
v1.20.7
v1.20.6
v1.20.5
v1.20.4
v1.20.3
v1.20.2
v1.20.1
v1.20.0
v1.19.3
v1.19.2
v1.19.1
v1.19.0
v1.18.7
v1.18.6
v1.18.5
v1.18.4
v1.18.3
v1.18.2
v1.18.1
v1.18.0
v1.17.1
v1.17.0
v1.16.0
v1.15.1
v1.15.0
v1.14.4
v1.14.3
v1.14.2
v1.14.1
v1.14.0
v1.13.3
v1.13.2
v1.13.1
v1.13.0
v1.12.1
v1.12.0
v1.11.1
v1.11.0
v1.10.4
v1.10.3
v1.10.2
v1.10.1
v1.10.0
v1.9.10
v1.9.9
v1.9.8
v1.9.7
v1.9.6
v1.9.5
v1.9.4
v1.9.3
v1.9.2
v1.9.1
v1.9.0
v1.8.4
v1.8.3
v1.8.2
v1.8.1
v1.8.0
v1.7.1
v1.7.0
v1.6.22
v1.6.21
v1.6.20
v1.6.19
v1.6.18
v1.6.17
v1.6.16
v1.6.15
v1.6.14
v1.6.13
v1.6.12
v1.6.11
v1.6.10
v1.6.9
v1.6.8
v1.6.7
v1.6.6
v1.6.5
v1.6.4
v1.6.3
v1.6.2
v1.6.1
v1.6.0
v1.5.5
v1.5.4
v1.5.3
v1.5.2
v1.5.1
v1.5.0
v1.4.0
v1.3.11
v1.3.10
v1.3.9
v1.3.8
v1.3.7
v1.3.6
v1.3.5
v1.3.4
v1.3.3
v1.3.2
v1.3.1
v1.3.0
v1.2.9
v1.2.8
v1.2.7
v1.2.6
1.2.5
1.2.4
1.2.3
1.2.2
1.2.1
1.2.0
1.1.7
1.1.6
1.1.5
1.1.4
1.1.3
1.1.2
1.1.1
1.1.0
1.0.0
1.0.0-beta1
0.1.5
0.1.4
0.1.3
0.1.2
0.1.1
0.1.0
0.0.9
0.0.8
0.0.7
0.0.6
0.0.5
0.0.4
0.0.3
0.0.2
0.0.1-beta
Labels
Clear labels   
awaiting feedback

   
bug

   
docker

   
documentation

   
enhancement

   
github_actions

   
invalid

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
stale

   
wontfix
No labels
awaiting feedback
bug
docker
documentation
enhancement
github_actions
invalid
pull-request
question
stale
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/mailpit#117
No description provided.