Outlook sign in technology for notifications
-
I'm getting emails from Microsoft warning me about using third party systems (pfsense) for authenticating an outlook.com account. Basically, it's saying the app needs to support their newer secure authentication method. I'm unaware of a way to get pfSense to use this. Is this just a limitation of pfSense and I'm stuck or is there a trick that I'm missing? I've been successfully using an app PW for that account in pfSense, but MSFT says they will stop supporting this later this month.
-
pfSense doesn't know who or what "Microsoft Outlook" is.
That is, you, as an admin, could have instructed pfSense to do something with a "Microsoft Outlook" service, so tell us what you did or do, and we'll tell you to undo it.
So, for the sake of "what I know", I do imagine this:
"Microsoft Outlook" mail services, after years of waiting and doing nothing to secure the access to their services, finally updated their usage rules.
I presume they started to use the same access rules as what Google (gmail) has done for years now.
This is what is happening: when you use a software tool, an app like Microsoft Outlook 365, or an app in a phone, or a web mail access, "Microsoft Outlook" will know some details about the app used, as the app and "Microsoft Outlook" will exchange some info.
What you saw : "Microsoft Outlook" knows that it was 'pfSense' that was accessing your mail account, and they asked you to visit your "Microsoft Outlook" mail account settings, and create a special 'for this app only' access. You can probably still use the email to login, but instead of your password, you'll be proposed a special password, that only this device (app, pfSense) can use.
Because : people use more and more devices to send mails, for example, my coffee machine sends me a mail when there are no more grains, or the waste bin is full.
When the device breaks, I change it ... and of course I throw it away and forget about removing my mail account and my mail password ....
I've already seen what can happen from now on: years ago, I leased a huge scanner/laser printer device (the 200 kg type of printer). At the end of the lease, we returned the device, and got a new one. Weeks later, we started to receive mails from this printer which had left our office. It was telling me that it was out of paper, and that the blue cartridge was nearly empty.
Hummm. So the device was rented to someone else, and the lease company didn't reset the device before they re-leased it.
Me neither ..... that was my fault.
From then on, I learned something - again.
In your case: if someone gets their hands on your pfSense settings, and reverse engineers the settings and thus obtains your mail password, you have a problem.
With the special password, when it is used, it can only be used to, for example, send mails. Not accessing other, in your case, all your other "Microsoft Outlook" settings.
Anyway, back to your question:
As said, I'm just inventing something, although pretty sure that this is the issue.
Now, please confirm, I nailed it?
-
@mtk67 said in Outlook sign in technology for notifications:
I'm getting emails from Microsoft warning me about using third party systems (pfsense) for authenticating an outlook.com account.
Did you configure a (Microsoft / Office365 / ...) SMTP account here?
System / Advanced / Notifications
-
Of course he did
AFAIK, there is no other place where pfSense would contact Microsoft mail servers. It's the pfSense notification system and he is probably using some msn, hotmail or outlook mail.
-
@mtk67 said in Outlook sign in technology for notifications:
but MSFT says they will stop supporting this later this month.
where did they say that.. From what I found here
OUTGOING uses SMTP. SMTP authentication still works with App Passwords. INCOMING email to your device uses IMAP or POP. That is where the issue is. Due to security concerns, devices that are using those protocols can no longer use App Passwords. Your options are to use a supported application such as Outlook, or to use the web.
Other devices that send using SMTP will still continue to function with App Passwords. If you want to receive email, you will need an application that can authenticate you correctly.
Maybe they didn't actually setup an app password?
-
Here is the "notice" I think he is referencing - so this is where (and what) they said:
the notice in my case, was not directly related to my pfSense box however, it uses a different mail server.
The link in that email regarding "Modern Authentication ..." is this
-
No doubt anymore.
It informs the 'admin'** that a dedicated 'app' password must be set up to access (use the SMTP or send mail facilities), as it (Microsoft) doesn't want 'pfSense', which is an app after all, to use the original password. They don't want that to happen anymore.
** admins use admin language ^^
Btw: They used the words "third-party email apps". That's my coffee machine, the door bell light bulb, my printers and pfSense. Aka: stuff that notifies, so it needs to send a mail once in a while.
"Second party" is probably the Outlook mail app in your phone, or the outlook (hotmail, msn) web access.
First = Themselves, the 'server'.
Google (gmail) invented all this, many years ago. They do the same thing. AFAIK.
-
Actually informs the admin, that the coffee maker is using "Basic Auth" and simply put, don't do that.
"PLAIN" with a user name and password will stop working, that is likely what he has set up.
Really, nothing to do with the brand of coffee maker.
-
It reads "continue syncing Outlook Email in non-Microsoft email apps". pfSense isn't syncing anything - it's sending email, that is all.. If you are using an app password.. you're not syncing.
As @Gertjan mentions, Google did this quite some time ago; my pfSense uses an app password to send email, i.e. send notifications, like my certs are going to expire or there was some other error.
Maybe he got that email because he has some other 3rd party app, but I can find nothing about "app" passwords going away.
-
Syncing also means sending --- Look (for example) at the sample for thunderbird they give in the link, notice the SMTP sample, notice the Auth Method box highlighted and the wording
For Authentication method, select OAuth2 (instead of Normal password).
Normal = Plain in this context.
"users attempting to connect their Microsoft accounts through Basic Authentication will fail to do so."
You have to connect to send...
But isn't this as simple as the Poster likely has "PLAIN" and needs to select the other available option "LOGIN"?
Maybe the prompt text below the option means something else ..
"Select the authentication mechanism used by the SMTP server. Most work with PLAIN, some servers like Exchange or Office365 might require LOGIN."
I can't comment specifically on using an outlook account on a netgate, because I don't.
-
@jrey I don't use it either.. but what I can do is set it up and see.. But if they were taking away the app passwords, don't you think they would mention it on the page on how to create app passwords?
Or state in their warning that APP passwords will no longer function?
And yes, it's quite possible "basic" or plain auth is going away.. But I cannot find anything that says APP passwords are going away...
Agree, shouldn't be using plain as auth method.
-
@jrey I double checked and I'm set to LOGIN not PLAIN.
-
@jrey I'm not using PLAIN. I'm using LOGIN.
-
@mtk67 so it's the 16th that they make this go away, right.. Guess we will know in a few days.. But for sure don't see them taking away app passwords.
-
@johnpoz The best guess on what the 'modern authentication' is that they're referring to is similar to what, I think, Google does. And that is upon entering your creds you have to confirm authentication on another device (like your phone). Microsoft uses their Authenticator app.
I know that Synology uses this now so it was a change they had to make (don't ask me what, maybe OAUTH/2 as someone mentioned in a reply) to make this work. That's really the only other place I'm set up for notifications to this outlook.com address. Thus, this is why I suspect the notice that I received is due to my attempt to use it for pfSense notifications.
-
@mtk67 Well I bet you a beer ;) that app passwords don't go away..
On the 17th I will do a test of sending notification emails with pfsense using a @live.com (microsoft) email address and servers.
-
@johnpoz I'm sure you're right about app passwords. It'll be interesting to see what, if anything, changes next week.
-
On the other hand, your notice may have been because of another device (the coffee maker) and not because of the pfSense settings at all.. (their notice of course does not tell you what device, only that you have "something" that is using Basic on that account) Assuming you use outlook on other devices, maybe one of those caused you to get the notice from MS and there are clear instructions for some of those cases in the article. They are truly only flagging that something using your account is using Basic Auth, nothing more.
The app passwords are not going away, the ability to use Normal/Plain/Basic is.
In my case the notice was generated because of a legacy system (a script actually, not even a mail application installed on this system) that was still wanting to "talk" to outlook to send mail and it was set to basic, oops. Everything else was already using what they reference as "modern" connections with regards to outlook - and the account and passwords still apply. You are not being asked to change your account or password.
The extended wording throughout the article and examples they provide are pretty clear and consistent. Don't use Basic Auth.
"Until September 16th, users signing into Outlook.com through Basic Authentication may experience recurring password prompts in Outlook and other third-party email applications. This is a known issue. After September 16th, users attempting to connect their Microsoft accounts through Basic Authentication will fail to do so."
You'll still be able to login with your account and password, again just not using Basic Auth.
Even though I don't use outlook on the netgate, my expectation (and interpretation of the message below the selection) is that LOGIN should work and PLAIN, for those that may be set that way, will start to fail consistently (assuming all the other settings are correct). Since you are already set for LOGIN - hit "Test SMTP Settings" on the 17th and you will know.
Have fun!
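-
Added example, not part of any post in this thread: the PLAIN and LOGIN mechanisms discussed above both send the account or app password, only base64-encoded, whereas XOAUTH2 (the SMTP form of the OAuth2 option in the Thunderbird instructions) sends a bearer token instead. The EHLO reply, addresses and secrets below are constructed samples, and the function names are hypothetical.

```python
import base64

# SASL mechanisms that put a reusable password on the wire ("Basic" style).
PASSWORD_MECHS = {"PLAIN", "LOGIN"}
# Mechanisms that carry an OAuth2 bearer token instead of a password.
TOKEN_MECHS = {"XOAUTH2", "OAUTHBEARER"}

# Constructed sample of an SMTP EHLO reply (not captured from a real server).
SAMPLE_EHLO = [
    "250-mail.example.test Hello",
    "250-SIZE 157286400",
    "250-AUTH LOGIN PLAIN XOAUTH2",
    "250 SMTPUTF8",
]

def _b64(text):
    return base64.b64encode(text.encode()).decode()

def parse_auth_mechs(ehlo_lines):
    """Return the mechanisms listed on the AUTH line of an EHLO reply."""
    mechs = []
    for line in ehlo_lines:
        # Reply lines are "250-keyword args", or "250 keyword args" for the last one.
        if len(line) < 5 or not line.startswith("250") or line[3] not in "- ":
            continue
        words = line[4:].split()
        if words and words[0].upper() == "AUTH":
            mechs.extend(w.upper() for w in words[1:])
    return mechs

def classify(mechs):
    """Split advertised mechanisms into password-based and token-based."""
    return {"password": sorted(set(mechs) & PASSWORD_MECHS),
            "token": sorted(set(mechs) & TOKEN_MECHS)}

def plain_response(user, password):
    # RFC 4616: one reply holding authzid NUL authcid NUL password (authzid empty).
    return _b64(f"\0{user}\0{password}")

def login_responses(user, password):
    # LOGIN: the same two secrets, sent as two separate base64 replies.
    return _b64(user), _b64(password)

def xoauth2_response(user, access_token):
    # XOAUTH2: a bearer token takes the place of the password.
    return _b64(f"user={user}\x01auth=Bearer {access_token}\x01\x01")

if __name__ == "__main__":
    print(classify(parse_auth_mechs(SAMPLE_EHLO)))
    user, pw = "notify@example.test", "constructed-app-pw"
    print(base64.b64decode(plain_response(user, pw)))      # password readable
    print(base64.b64decode(login_responses(user, pw)[1]))  # password readable
```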
-
@jrey I guess I'll find out next week. But as I mentioned in an earlier reply I am only using this email account in two places... One is on my Synology and the other is here. Pretty sure it's not the NAS as mentioned, so that just leaves this. Maybe this is much ado about nothing.
My coffee maker is not connected to the net. ;)
-
@mtk67 and so did your notifications stop?
I just set up notification in my 2.7.2 vm using outlook.com - didn't even create an app password and working