simonrob/email-oauth2-proxy

Unable to have multiple tokens for the same email address (use_login_password_as_client_credentials_secret)

Closed this issue · 1 comment

Configuration:

[emailproxy]
allow_catch_all_accounts = True
encrypt_client_secret_on_first_use = False
use_login_password_as_client_credentials_secret = True

[@example.com]
token_url = https://login.microsoftonline.com/XXXX/oauth2/v2.0/token
oauth2_flow = client_credentials
oauth2_scope = https://outlook.office365.com/.default

[noreply@example.com]
client_id = XXXXXXXX

This use case (service accounts) was described in #271. This works quite well; however, it does have a limitation: one may have multiple applications sending from noreply@example.com, and thus want to give them different client secrets:

Image

However, this is not possible: the first application to authenticate successfully with the proxy will cause the token to be added to the cache, and other applications will not be able to authenticate. I thought delete_account_token_on_password_error could be my salvation; however, the last sentence in the documentation mentions that:

For accounts using the O365 CCG flow or a Google Cloud service account this option will be overridden and always set to False.

This is the message I get at the minute:

2025-04-02 13:17:00.654 | 2025-04-02 11:16:40: Accepting new connection from 10.0.2.100:36246 to SMTP server at 0.0.0.0:1587 (STARTTLS) proxying smtp-mail.outlook.com:587 (STARTTLS) |  
2025-04-02 13:17:00.654 | 2025-04-02 11:16:46: Invalid password to decrypt credentials for account noreply@XXX - aborting login: InvalidToken()

As I am using the O365 CCG flow, no dice. What would be the recommended approach here?

At the moment the proxy supports only one set of credentials per account (shared over all protocols). I think what you're wanting is probably quite a rare use-case, so the best way to achieve this right now would be to run multiple instances of the proxy (changing local ports to avoid conflicts).
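A stand-alone Python model of the behaviour discussed in this issue (added here; it is not the proxy's own code): cached tokens are sealed under a key derived from the login password, which is the client secret when use_login_password_as_client_credentials_secret is set, so a second application presenting a different secret hits InvalidToken, while one cache per proxy instance (the multiple-instance workaround above) accepts both. The HMAC-based sealing, the account address and the secret strings are constructed stand-ins for the proxy's Fernet encryption and for real values.

```python
import hashlib
import hmac
import os

class InvalidToken(Exception):
    """Cached token was sealed under a different secret: the log's 'Invalid password' case."""

def _derive_key(secret: str, salt: bytes) -> bytes:
    # PBKDF2 from the login password, which here is the client secret (constructed stand-in).
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def _seal(key: bytes, data: bytes) -> bytes:
    # Stand-in for the proxy's Fernet: HMAC-SHA256 keystream XOR plus an HMAC tag.
    assert len(data) <= 32, "demo keystream is a single HMAC block"
    body = bytes(p ^ s for p, s in zip(data, hmac.new(key, b"ks", "sha256").digest()))
    return hmac.new(key, body, "sha256").digest() + body

def _open(key: bytes, sealed: bytes) -> bytes:
    tag, body = sealed[:32], sealed[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, "sha256").digest()):
        raise InvalidToken()  # wrong secret -> wrong key -> tag check fails
    return bytes(b ^ s for b, s in zip(body, hmac.new(key, b"ks", "sha256").digest()))

class TokenCache:
    def __init__(self):
        self._entries = {}  # account -> (salt, sealed token); one cache per proxy instance

    def login(self, account: str, client_secret: str) -> str:
        if account not in self._entries:  # first app to authenticate fills the cache
            salt = os.urandom(16)
            token = "token-issued-for-" + client_secret  # stands in for the CCG grant
            self._entries[account] = (salt, _seal(_derive_key(client_secret, salt), token.encode()))
            return token
        salt, sealed = self._entries[account]  # entry is keyed by account only
        return _open(_derive_key(client_secret, salt), sealed).decode()

def shared_instance(secrets=("secret-app1", "secret-app2")) -> list:
    """Two apps with different secrets through one proxy instance: the second fails."""
    cache, results = TokenCache(), []
    for secret in secrets:
        try:
            results.append(cache.login("noreply@example.com", secret))
        except InvalidToken:
            results.append("InvalidToken")
    return results

def per_instance(secrets=("secret-app1", "secret-app2")) -> list:
    """Maintainer's workaround: one instance (own cache and local port) per app."""
    return [TokenCache().login("noreply@example.com", s) for s in secrets]
```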