mirror of
https://github.com/axllent/mailpit.git
synced 2026-04-26 00:35:51 +03:00
[GH-ISSUE #493] Feature Request: Add XOAUTH2 Authentication #317
Originally created by @lukaszbob on GitHub (May 9, 2025).
Original GitHub issue: https://github.com/axllent/mailpit/issues/493
Thank you for your work.
Is it possible to add another authentication mode?
For example O365 uses XOAUTH2 auth, disabling plain authentication by default.
SMTP XOAUTH2 example: https://github.com/nekomeowww/exchange-smtp-client
MS reference: https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth
@axllent commented on GitHub (May 9, 2025):
Hi @lukaszbob. It is not clear to me where you are requesting XOAUTH2 to be added to, but I assume you mean the relay functionality (to relay messages from Mailpit via O365's SMTP servers)? If so, then please see #171.
@lukaszbob commented on GitHub (May 10, 2025):
Yes, it's in the relay module.
I fully understand that OAuth authentication is beyond the scope of this app, but I'd like to use an already obtained token for authentication.
In the case of Office 365, the token can only be used with XOAUTH2 mode. So this feature request includes:
Adding a new authentication mode option alongside the existing ones (PLAIN, LOGIN, and CRAM-MD5).
Passing the provided token using the XOAUTH2 header, as shown in the linked example.
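The XOAUTH2 initial response this comment asks for, as an added Go example that is not part of the original thread and is not Mailpit's code. The `user=<user>^Aauth=Bearer <token>^A^A` layout follows the Microsoft reference linked in the issue; the type and function names, host, user and token are constructed placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"net/smtp"
	"strings"
)

// xoauth2Auth is a hypothetical smtp.Auth for XOAUTH2 (not Mailpit's code).
type xoauth2Auth struct{ user, token, host string }

func XOAuth2Auth(user, token, host string) smtp.Auth {
	return &xoauth2Auth{user, token, host}
}

// Start returns the raw initial response; net/smtp base64-encodes it and
// sends "AUTH XOAUTH2 <base64>".
func (a *xoauth2Auth) Start(s *smtp.ServerInfo) (string, []byte, error) {
	// A bearer token can be replayed by anyone who reads it, so only send
	// it over TLS and only to the host it was configured for.
	if !s.TLS || s.Name != a.host {
		return "", nil, errors.New("xoauth2: refusing to send token (no TLS or unexpected host)")
	}
	// Control characters would let a value inject extra fields or commands.
	if strings.ContainsAny(a.user+a.token, "\x01\r\n") {
		return "", nil, errors.New("xoauth2: control character in user or token")
	}
	return "XOAUTH2", []byte(fmt.Sprintf("user=%s\x01auth=Bearer %s\x01\x01", a.user, a.token)), nil
}

// Next answers a 334 challenge, which in XOAUTH2 carries error details,
// with an empty line so the server sends its final failure reply.
func (a *xoauth2Auth) Next(fromServer []byte, more bool) ([]byte, error) {
	if more {
		return []byte{}, nil
	}
	return nil, nil
}

// tryStart runs Start against a constructed ServerInfo (sample values only).
func tryStart(user, token string, tls bool) (string, error) {
	a := XOAuth2Auth(user, token, "smtp.example.com")
	_, resp, err := a.Start(&smtp.ServerInfo{Name: "smtp.example.com", TLS: tls})
	return string(resp), err
}

func main() {
	resp, err := tryStart("relay@example.com", "EXAMPLE-TOKEN", true)
	fmt.Printf("%q %v\n", resp, err)
	_, err = tryStart("relay@example.com", "EXAMPLE-TOKEN", false)
	fmt.Println(err)
}
```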
@axllent commented on GitHub (May 10, 2025):
Please excuse my ignorance here (and general lack of technical understanding of the core OAUTH2 protocol), but I thought that OAUTH2 tokens were automatically rotated and needed to be regularly refreshed?
@lukaszbob commented on GitHub (May 12, 2025):
In general, yes — but in the case of O365, I believe it works more like an application password. I have a token with a one-year expiration period.
@axllent commented on GitHub (May 13, 2025):
Is this token something you generate through the o365 admin interface, or did you generate it (or extract it from) via another tool? I still get the feeling that implementing this is a bit of a hack, and that Mailpit users will expect token generation to be part of this too.
@lukaszbob commented on GitHub (May 13, 2025):
It was generated in Microsoft Entra panel as Application, and then Client Secret.
https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal
@axllent commented on GitHub (May 17, 2025):
I am currently working on this, but I have no way to test if my implementation is valid/works. It is my understanding that an XOAUTH2 login uses only a token and no username/password.
I don't suppose there is any way you could create a temporary token for me to test with (valid for just a couple of days), and provide me with any other detail I should know (smtp server, limitations in "From" etc)? (axllent AT gmail DOT com)
@lukaszbob commented on GitHub (May 19, 2025):
Yes, it's only the token, but I need to double-check the mechanism for obtaining it — I’m afraid I might have been misled earlier.
I’ll try testing the XOAUTH2 header on my own later this week.
@github-actions[bot] commented on GitHub (May 27, 2025):
This issue has been marked as stale because it has been open for 7 days with no activity.
@github-actions[bot] commented on GitHub (May 31, 2025):
This issue was closed because there has been no activity since being marked as stale.