OAuth 2.0 with Office365/Exchange IMAP/POP3/SMTP

June 23rd, 2020

First you need to register your application in Azure Portal.

Here’s a detailed guide on how to do that:
https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app

Then you need to apply correct API permissions and grant the admin consent for your domain.

In the API permissions / Add a permission wizard, select Microsoft Graph and then Delegated permissions, and add the following permission scopes:

  • offline_access
  • email
  • IMAP.AccessAsUser.All
  • POP.AccessAsUser.All
  • SMTP.AccessAsUser.All

Remember to grant admin consent.

Use the Microsoft Authentication Library for .NET (MSAL.NET) NuGet package to obtain an access token:

https://www.nuget.org/packages/Microsoft.Identity.Client/

using Microsoft.Identity.Client;

// Values from the app registration in the Azure Portal
var pcaOptions = new PublicClientApplicationOptions
{
    ClientId = "Application (client) ID",
    TenantId = "Directory (tenant) ID",
    RedirectUri = "https://login.microsoftonline.com/common/oauth2/nativeclient"
};

var pca = PublicClientApplicationBuilder
    .CreateWithApplicationOptions(pcaOptions)
    .Build();

// Scopes for the legacy protocols are requested with the outlook.office.com resource prefix
var scopes = new string[]
{
    "offline_access",
    "email",
    "https://outlook.office.com/IMAP.AccessAsUser.All",
    "https://outlook.office.com/POP.AccessAsUser.All",
    "https://outlook.office.com/SMTP.AccessAsUser.All",
};

In addition, you can request the offline_access scope. When a user approves the offline_access scope, your app can receive refresh tokens from the Microsoft identity platform token endpoint. Refresh tokens are long-lived, so your app can get new access tokens as older ones expire.

Now acquire the access token and user email address:

var authResult = pca.AcquireTokenInteractive(scopes).ExecuteAsync().Result;

string user = authResult.Account.Username;
string accessToken = authResult.AccessToken;

Finally you can connect to IMAP/POP3/SMTP server and authenticate:

using (Imap client = new Imap())
{
    client.ConnectSSL("outlook.office365.com");
    // Authenticate with the OAuth 2.0 access token instead of a password
    client.LoginOAUTH2(user, accessToken);

    client.SelectInbox();

    // ...

    client.Close();
}
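Under the hood, LoginOAUTH2 sends the SASL XOAUTH2 initial client response, which is the same for IMAP, POP3 and SMTP. The following is an added Python example (not part of the original post or the Mail.dll library) that builds and decodes that response and interprets the server's reply, including the base64-encoded JSON error the server returns when the token is rejected; the user name, token and failure payload are constructed sample values.

```python
import base64
import json


def build_xoauth2_initial_response(user: str, access_token: str) -> str:
    """Encode the SASL XOAUTH2 initial client response:
    base64("user=" + user + "\\x01auth=Bearer " + token + "\\x01\\x01").
    Sent as: <tag> AUTHENTICATE XOAUTH2 <response> (IMAP), AUTH XOAUTH2 <response> (POP3/SMTP)."""
    for value in (user, access_token):
        if "\x01" in value or "\r" in value or "\n" in value:
            raise ValueError("control characters are not allowed in XOAUTH2 fields")
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def decode_xoauth2_initial_response(encoded: str) -> dict:
    """Reverse of the above; handy when inspecting a captured login in a proxy or log.
    Note that the bearer token travels in cleartext inside the TLS session, which is
    why these protocols are only offered over SSL/TLS."""
    raw = base64.b64decode(encoded).decode("utf-8")
    fields = {}
    for part in raw.split("\x01"):
        if part:
            key, _, value = part.partition("=")
            fields[key] = value
    return fields


def parse_xoauth2_failure(challenge: str) -> dict:
    """A rejected token is answered with a continuation line '+ <base64 JSON>' whose
    JSON carries status, schemes and scope; the client then sends an empty line."""
    return json.loads(base64.b64decode(challenge).decode("utf-8"))


def handle_server_reply(tag: str, line: str) -> tuple:
    """Classify the IMAP server's reply to AUTHENTICATE XOAUTH2 as
    ('ok', None), ('error', <decoded JSON>) or ('no', <raw line>)."""
    if line.startswith("+ "):
        return ("error", parse_xoauth2_failure(line[2:].strip()))
    if line.startswith(f"{tag} OK"):
        return ("ok", None)
    return ("no", line)


# Constructed sample of a rejection challenge, built here so the example runs offline
SAMPLE_FAILURE_CHALLENGE = base64.b64encode(json.dumps(
    {"status": "401", "schemes": "Bearer", "scope": "https://outlook.office.com/"}
).encode("utf-8")).decode("ascii")
```

A 401 with scope https://outlook.office.com/ typically means the token was issued for the wrong resource or the admin consent for the IMAP/POP/SMTP scopes is missing.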

As this is a fairly new feature for Exchange/Office365, here are some useful links:

https://docs.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth

https://stackoverflow.com/questions/29747477/imap-auth-in-office-365-using-oauth2

https://stackoverflow.com/questions/43473858/connect-to-outlook-office-365-imap-using-oauth2

https://stackoverflow.com/questions/61597263/office-365-xoauth2-for-imap-and-smtp-authentication-fails

NavigateToTest VS2019 extension

March 19th, 2020

The extension is available for other Visual Studio versions:

You can download the extension here:
NavigateToTest Visual Studio 2019 extension

Here’s the latest version that supports Visual Studio 2019.

The extension is convention-based. It matches a ClassName file with ClassNameTest or ClassNameTests and vice versa, so you can easily navigate to the test file and back.

Here are some screenshots:

Here’s the toolbar name, in case it is not added automatically:


Helpful POP3 and IMAP Exchange 2019 links

January 9th, 2020

Here is a list of helpful links regarding the IMAP and POP3 protocols in Exchange 2013:

Enable IMAP4 in Exchange 2019

Enable POP3 in Exchange 2019

POP3 and IMAP4

Public folders in Exchange 2019
Public folders and IMAP

Shared mailboxes in Exchange 2019
Accessing shared and delegated mailboxes

Using App Passwords with Gmail

October 18th, 2019

Go to your Google Account and on the left navigation panel, choose Security.

On the “Signing in to Google” panel, make sure that 2-Step Verification is turned on and choose App Passwords. …

Under Select device, choose the device you’re using. Choose Generate.

Copy the generated password:

Log in to your IMAP, SMTP or POP3 account using your email address and the generated app password (instead of your account password):

Remember – no spaces!

C# code:

using (Imap client = new Imap()) 
{ 
    client.ConnectSSL("imap.gmail.com"); 
    client.UseBestLogin("XXXXX@gmail.com", "kvrcdzlicajaupje"); 

    // ... 

    client.Close(); 
}

VB.NET code:

Using imap As New Imap 
    imap.ConnectSSL("imap.gmail.com") 
    imap.UseBestLogin("XXXXX@gmail.com", "kvrcdzlicajaupje") 

    ' ... 

    imap.Close() 
End Using

FTP TLS encrypted data connections fail (EMS)

October 16th, 2019

Problem

After installing the October 8, 2019 update (KB4517389, KB4520003, KB4519998 or KB4519990, depending on the OS version), all TLS-encrypted data connections to the affected FTP servers fail.

The error you may see is: “TLS session of data connection has not resumed or the session does not match the control connection”

Detailed explanation

In the FTP protocol, the data connection does not directly authenticate the client.

The client uses the control connection to authenticate, then establishes a data connection using the PASV command followed by the STOR (upload) or RETR (download) command.

The server opens a port and waits for the client to connect to it and upload/download files.

An attacker could figure out the port the server listens to, connect to it before the client, and upload a piece of malware.

TLS session resumption prevents this. It acts as a form of authentication: if the TLS session of the data connection matches the session of the control connection, both the client and the server have the guarantee that the data connection is genuine. Any mismatch in sessions indicates a potential attack.

The Ftp.dll library uses .NET’s SslStream, which relies on Schannel (Microsoft Secure Channel, a security package that facilitates the use of Secure Sockets Layer (SSL) and/or Transport Layer Security (TLS)).

Cause

KB4517389 addresses the following issue:

“Addresses an issue in security bulletin CVE-2019-1318 that may cause client or server computers that don’t support Extended Master Secret (EMS) RFC 7627 to have increased connection latency and CPU utilization. This issue occurs while performing full Transport Layer Security (TLS) handshakes from devices that don’t support EMS, especially on servers. EMS support has been available for all the supported versions of Windows since calendar year 2015 and is being incrementally enforced by the installation of the October 8, 2019 and later monthly updates.”

It looks like Schannel started enforcing EMS. If the server runs a TLS stack that is not compatible with this change, the FTP data connection fails.

OpenSSL, which is used by most servers, supports EMS since version 1.1.0 (released 25th August 2016).

Affected Servers

  • All FTP servers using OpenSSL older than version 1.1.0
  • FileZilla Server (all versions). The latest version uses an insecure/outdated OpenSSL version 1.0.2.11 from 2017.

Solution

Contact the server administrator, explain the situation and request an upgrade of the FTP server software and of the installed OpenSSL version.

As a temporary workaround, KB4517389 (or the equivalent update for non-Windows 10 machines) can be uninstalled.

As a temporary workaround on the FileZilla server, you can go to “FileZilla Server Interface/Edit/Settings/FTP over TLS settings” and uncheck “Require TLS resumption on data connection when using FTP over TLS”: