This isn't a code specific question, but more of a general question regarding OAuth2. I maintain a system that for the past 20+ years has been able to easily connect to any SMTP enabled email server, then send an email (only requiring authentication info and a server path). This email account is always system related, and isn't specific to one user, such as support#.
With GMail and Office365 (and other major email providers) dropping support for SMTP direct sends, I have been learning OAuth2. With all the reading I've done, OAuth2 is very email server specific (or so it seems). But from a systems standpoint, I need to be able to send support email regardless of whom is logged into the system, and regardless of what email host, with no authentication popups.
Is a single solution even possible with OAuth2? Will I need to code for every email provider differently? (GMail, Office365, etc) (I can currently get an authorization token from Office 365, but it seems very specific to Office 365) I have yet to figure out how to actually send an email through Office365 with my OAuth2 token, since MailKit doesn't seem to support OAuth. Is there a single protocol that will allow me to send an OAuth2 token through any email host?
I understand how SMTP direct send has been abused for a long time, but replacing it sucks.
Related
I have a Windows Service which currently sends emails of office 365 users using their email and password via the older smtp method.
Microsoft is turning this ability off very soon.
Currently I use mailkit and c# within a windows service
The only details I have are the users smtp username and password
My app has no user interaction ability as it runs on another box
I have read many ways about how to send email with oauth2 and ms and it seems a lot of people do it differently, and their is no clear path. I have seen such as using ms azure registered applications and different azure library's.
So my question is, what is the easiest route to take regarding a new non user inactive service being able to still send email on behalf of a user.
Most of the users I deal with are not able to setup up azure and it's products as their are small companies with limited it support.
I feel like I have perhaps gone down the wrong path of trying to use azure graph
So what is the correct, most similar to smtp and simple route to recreate a simple email sending windows service using c#
Thank you for your time in reading this
As far as I know Microsoft usually recommends the use of the GraphApi for this stuff.
The preferred way would be to use delegated permissions, i.e. your application has the permission to send an email in the name of the logged in user. If I understood you correctly that is not an option for you because you want to send the mails from a non-interactive background service.
That means that you application itself needs the permission to send an email in any users name. Obviously this is a much broader permission and you should think about if you really want to do it this way. Also, if you are in some kind of corporate context, you might also have to involve and get consent from the data protection officer or the like.
On the technical side such a permission is called an "application permission" thus you need the Mail.Send application permission which requires admin consent i.e. not the individual users of your application decide if they what to give you permission to send mail in their name (this would be delegate permissions) but an AAD admin has to consent for all of them at once.
See https://learn.microsoft.com/en-us/graph/api/user-sendmail?view=graph-rest-1.0&tabs=http#permissions
and https://learn.microsoft.com/en-us/graph/permissions-reference#application-permissions-38
I have a native desktop app in C# that currently accesses the GMail API via POP3/SMTP using OAuth 2.0 for email send and receive from within the app. This uses 3-legged OAuth, with the user being redirected to allow access, then the app uses the access token and refresh token received for all future requests.
My question is, can I access any GMail account using 2-legged OAuth, without the redirect? Or is this only possible if the user's email is a domain email listed in a Google Workspace with a service account with domain wide delegation?
I am trying to find a way to use 2-legged OAuth to allow the app to send/receive emails via GMail API without needing user redirect authentication. Is this possible for all GMail accounts?
Currently I have used GMail API (OAuth Credential for Web) to read and send email messages. How can we send email on behalf of another user (i.e. noreply#example.com)?
In enterprise application, do we need to use service account for reading specific user's mail labels, messages and send email on behalf of that user?
Solution
Indeed you CAN send and read the mailbox of other user's in your domain with the Gmail API using a service account with domain wide delegation.
You will need to grant the service account with the Project Role of Owner using the domain wide authorization.
Apart from the official documentation linked above, here is a tutorial on how to send emails on behalf of other users using service accounts. To read from their mailbox you would follow the same process. Here is more information on mail delegation in case you are interested.
NOTE : in order to do this your service account must be in the same domain as the user's email you are trying to send and read messages from.
I hope this has helped you. Let me know if you need anything else or if you did not understood something. :)
i'm trying to send email via google apps acc, using smtp server using c#, but i get error "Gmail Error :The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.5.1 Authentication Required". Now, most of the answers to this question are outdated and wrong, so let's unravel this mysterious detective. The truth that is up to date :
1) "lesssecureapps" settings are not available for google apps acc.
2) password is correct, login is correct.
3) people in google forums are lost themselves, they dont know anything about their product, its like talking to a dealer, that was caught be the cops - "i dont know anything", so no answers "ask in google forums".
4) in account activity, i see lots of "Account disabled", "Account enabled".
The Google Apps SMTP Relay Service can be configured to accept unencrypted and without username/password authentication. This would be the proper way to configure an internal server or application to send out mail from your domain and Google Apps.
Really getting frustrated at this. My company is using Outlook 365 for its Exchange services. I am trying to automate sending of exception emails from the client via exchange. However all of the literature on the subject seems to show that I have to provide a NetworkCredential with plain text username/passwords somehow. I am hoping to connect using the logged in user's account.
From an infrastructure point of view, I understand that Office 365 is authenticating users via ADFS, which is why bog standard negotiate is not working. It would also make sense that this is why I need the plain text password. However it would seem to me that there should be no reason why Kerberos style auth would not work.
In summary, is there some programmatic way to send emails via Outlook 365 without encoding privileged information into the application either the source or the config?
Thanks
Generally, if you can login to the Office 365 Live with Internet Explorer without providing username\password than you should be able to get the NetworkCredintials for the currently logged in user with CredentialCache.DefaultCredentials.