simonrob/email-oauth2-proxy

Email proxy re-authentication

Closed this issue · 12 comments

I use an outdated email client to connect to Hotmail and it has worked perfectly for the past couple of months. My config is as follows:

[IMAP-1993]
documentation = *** note: this server will work for both Office 365 and personal Outlook/Hotmail accounts ***
server_address = outlook.office365.com
server_port = 993
local_address = 127.0.0.1

[POP-1995]
documentation = *** note: this server will work for both Office 365 and personal Outlook/Hotmail accounts ***
server_address = outlook.office365.com
server_port = 995
local_address = 127.0.0.1

[SMTP-1587]
documentation = *** note: this server will work for both Office 365 and personal Outlook/Hotmail accounts ***
server_address = outlook.office365.com
server_port = 587
server_starttls = True
local_address = 127.0.0.1

[myemail@hotmail.com]
permission_url = https://login.microsoftonline.com/common/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/common/oauth2/v2.0/token
oauth2_scope = https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send offline_access
redirect_uri = http://localhost
client_id = myid
client_secret = mysecret
last_activity = 1735316850
token_salt = mytokensalt
token_iterations = myiterations
access_token = myaccesstoken
access_token_expiry = myaccesstokenexpiry
refresh_token = myrefreshtoken

NOTE: The last set of values with my are removed for security reasons.

So, it's been working for a couple of months with no problems. However, sometimes I need to use a backup program which I configured to send me an email when the backup is complete. In the config of blat.exe (a command-line tool to send an email), it's set up as

set username=myemail
set password=mypassword
set server=127.0.0.1
set port=1587
set sender=myemail
set recipient=myemail

When blat.exe is executed, the proxy asks me to re-authenticate to my email account. When I do, it's successful and sends an email. After this, if I go to my email client and click to sync and get new emails, the proxy asks me to authenticate again. So, if I use one and not the other consistently, it doesn't ask me to re-authenticate for months. If I use both, it does. Any thoughts? Anything missing in either of the configs?

You are using a different password for your outdated email client and blat.exe. You need to use the same password in both.

Credentials are the same.

Many clients (older ones in particular) store a separate password for IMAP/POP vs. SMTP, so you need to check two different places. Either way, there isn't really any other cause for this behaviour except for different passwords, so either the values are different, or one of your clients is providing the value incorrectly. Because of the way the proxy works, this is seen as a different password, so a reauthentication is required.

An easy way to check this is to set delete_account_token_on_password_error = False. You'll find that one of your clients can no longer log in.

I'm assuming I need to set it under [SMTP-1587] and others. So, here's what I did: I got the baseline by using my client. Tried multiple times and it's not asking to re-authenticate. Executed blat.exe and it's asking to authenticate. I triple checked the passwords and none are set. I did another set of tests where I set the password (exactly the same) and the behavior was the same. After authenticating blat.exe, I can run it multiple times without re-authentication, but it's asking to re-authenticate for my mail client.

I set delete_account_token_on_password_error = False

I ran exactly the same experiments as mentioned above and it has the same behavior. I'm able to authenticate to each one, one at a time, but not at the same time. You stated that "You'll find that one of your clients can no longer log in." If you meant one at a time, then that's what's already happening in the baseline. If you're saying that I won't be able to log in with one of the clients permanently, then that's not what I'm observing.

I'm assuming I need to set it under [SMTP-1587] and others

What do you mean by this? You don't manually set the password in the proxy; this is handled automatically when you log in to an account. This is all documented in the readme.

I set delete_account_token_on_password_error = False

Did you restart the proxy after changing this value? Please restart the proxy in --debug mode and post the log here.

I'm assuming I need to set it under [SMTP-1587] and others

What do you mean by this? You don't manually set the password in the proxy; this is handled automatically when you log in to an account. This is all documented in the readme.

I was responding to your statement to set delete_account_token_on_password_error = False. I was confirming whether it has to be added in the config around [SMTP-1587] section or not.

I set delete_account_token_on_password_error = False

Did you restart the proxy after changing this value? Please restart the proxy in --debug mode and post the log here.

I did. I also enabled debug. I use the interface version, so I enabled it from the "Debug Mode" option and I confirmed in the log that it was enabled. I will post the log tomorrow.

Ah, ok. No - you put this separately in the [emailproxy] section as it's a global setting.

I hope the log doesn't show too much personal information but I'm attaching as is. Below was the plan and its findings based on the lines in log:

1 - 1329 - delete_account_token_on_password_error = False

1 - 10 - Initialize program and set into Debug mode
11 - 660 - email 1st run - Did not ask for credentials. Email works
661 - 714 - blat.exe 1st run - Did not ask for credentials - No email received
715 - 768 - blat.exe 2nd run - Did not ask for credentials - No email received
769 - 1322 - email 2nd run - Did not ask for credentials. Email works

1323 - 1329 - Closing the program

1330 - 2551 - delete_account_token_on_password_error = True

1330 - 1339 - Initialize program and set into Debug mode
1340 - 1836 - email 1st run - Did not ask for credentials. Email works
1837 - 1879 - blat.exe 1st run - Asked for credentials - Email received
1880 - 1929 - blat.exe 2nd run - Did not ask for credentials - Email received
1930 - 2544 - email 2nd run - Asked for credentials. Email works

2545 - 2551 - Closing the program

emailproxy.log

My understanding is that I should NOT set the password in my client or email program, so I have them set to nothing. My understanding is that it doesn't matter what the password is, because when it asks you to authenticate, I will need to provide the proper credentials. If my understanding is not correct, please let me know.

I see a number of entries saying "Invalid password". Is it because of the above (mis)understanding? Whenever I was prompted to authenticate, the password was always valid.

As suspected, the error is due to the password being different between your two clients. There are four instances in the log where this happens:

2025-03-05 11:38:38,895: Invalid password to decrypt credentials for account *** - aborting login: InvalidToken()
2025-03-05 11:38:45,224: Invalid password to decrypt credentials for account *** - aborting login: InvalidToken()
2025-03-05 11:39:53,737: Invalid password to decrypt credentials for account *** - aborting login: InvalidToken()
2025-03-05 11:40:00,052: Invalid password to decrypt credentials for account *** - aborting login: InvalidToken()

While it may be possible to not set a password in your client application, the danger is that different applications do different things here (for example, I know of at least one client that sends the string "(null)" if no password is set). From the proxy's perspective, this is a different password to, say, an empty string, and so this behaviour is triggered. The best thing to do is to always set a password, but, as explained above, set the same password in every client that accesses the same account. It doesn't matter what the password value is, and it doesn't need to be related in any way to your actual account password, but it absolutely does matter that every client that accesses a single account uses the same password.
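The mechanism behind the maintainer's explanation, as an added stand-alone model (not part of this thread and not the proxy's own code): the key that protects the stored OAuth tokens is derived from whatever password the client sends, using the account's token_salt and token_iterations from the config, so a second client sending a different string (an empty password vs. "(null)", or a password mangled by a batch file) cannot decrypt the token. What happens next depends on delete_account_token_on_password_error. The proxy itself uses the cryptography library's Fernet, which is where the InvalidToken() in the log comes from; this example uses only the standard library (PBKDF2 key plus an HMAC-authenticated keystream) so it runs without that dependency. Account values, the token string and the password sequences are constructed sample data.

```python
# Added example: models why two clients sending different passwords make the
# email-oauth2-proxy demand re-authentication. NOT the proxy's code; the real
# proxy uses cryptography's Fernet. Stdlib-only stand-in with the same shape:
# derive key from the *client* password -> decrypt stored token -> on failure
# either delete the token (re-auth) or reject the login.
import base64
import hashlib
import hmac
import secrets


class InvalidToken(Exception):
    """Raised when the stored token does not authenticate under the given key."""


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    # Mirrors token_salt / token_iterations in the account config section.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; illustrative stand-in for Fernet's AES-CBC.
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> str:
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode("ascii")


def decrypt(key: bytes, token: str) -> bytes:
    raw = base64.urlsafe_b64decode(token.encode("ascii"))
    nonce, ciphertext, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise InvalidToken()  # wrong password => wrong key => tag mismatch
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def new_account() -> dict:
    # Constructed stand-in for one [account] section; no token stored yet.
    return {"token_salt": secrets.token_bytes(16), "token_iterations": 10_000, "access_token": None}


def login(account: dict, client_password: str, delete_account_token_on_password_error: bool) -> str:
    """One client login through the proxy. Returns what the user observes:
    'auth'     - browser (re)authorisation prompt; token stored under this password
    'ok'       - stored token decrypted with this password; mail flows silently
    'rejected' - password error with deletion disabled: login refused, token kept
    """
    key = derive_key(client_password, account["token_salt"], account["token_iterations"])
    if account["access_token"] is None:
        # First login, or token deleted earlier: run the OAuth flow and encrypt
        # the result with the client-supplied password (constructed token value).
        account["access_token"] = encrypt(key, b"eyJ0eXAi...constructed-sample-token")
        return "auth"
    try:
        decrypt(key, account["access_token"])
        return "ok"
    except InvalidToken:
        if delete_account_token_on_password_error:
            account["access_token"] = None          # drop it and re-authorise now
            return login(account, client_password, True)
        return "rejected"


def simulate(passwords_in_order: list, delete_account_token_on_password_error: bool) -> list:
    """Replay a sequence of client logins against one account; collect outcomes."""
    account = new_account()
    return [login(account, pw, delete_account_token_on_password_error) for pw in passwords_in_order]


if __name__ == "__main__":
    # Same password in both clients (the fix): one prompt, then silent.
    print(simulate(["p@ss", "p@ss", "p@ss", "p@ss"], True))
    # Email client sends "", blat sends e.g. "(null)": re-auth on every switch.
    print(simulate(["", "(null)", "(null)", ""], True))
    # Same mismatch with deletion disabled: blat refused, email client keeps working.
    print(simulate(["", "(null)", "(null)", ""], False))
```

The second and third sequences reproduce the two log tables in this thread (asked / did not ask / asked with the setting True; nothing asked but blat's mail never sent with it False). Note that the string the proxy sees is whatever the client actually transmits, which for a cmd.exe batch file is the password after %, ! and & have been interpreted, not the one typed into the script.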

Fair enough. So, I added the same password to the email client and blat.exe.

delete_account_token_on_password_error = False - nothing worked. Email client kept asking to enter a password. I was entering the password and it wasn't taking it. Same errors with blat.exe

1 - 676 - delete_account_token_on_password_error = True - same test, both the email client and blat.exe have a valid password hardcoded. Notice how switching from one client to another prompts for credentials. Once again, the credentials are exactly the same.

1 - 10 - Initialize program and set into Debug mode
11 - 184 - email 1st run - Asked for credentials. Email works
185 - 227 - blat.exe 1st run - Asked for credentials - No email received
228 - 277 - blat.exe 2nd run - Did not ask for credentials - Email received
278 - 669 - email 2nd run - Asked for credentials. Email works

670 - 676 - Closing the program

emailproxy.log

Ok, I found the issue. Blat.exe is executed from my batch script, where I hardcode the password. I just realized that the batch script has special characters like !, &, % and others. I had to escape those characters. After I did that, I re-ran the test above and it no longer asked me to re-authenticate when switching between the clients.

I also set delete_account_token_on_password_error = True as it was originally.

Thanks for confirming that the error was different client passwords as suspected. I'm glad you managed to resolve this.