Deprecation of Basic Auth for University Mail

At the beginning of October 2022, Microsoft will make changes to the University email service. As a result, some email clients may no longer be able to access emails on the University's servers. This page explains the change, so that you know whether you're likely to be affected.

Background


The University email service is based on Microsoft Exchange. Exchange servers can communicate with email clients in a number of ways. Modern clients, especially those produced or supported by Microsoft and Apple, can use Exchange-specific protocols to access the server, and will be unaffected by these changes. Clients which do not support the MS protocols use older open standard protocols such as POP and IMAP for access. These will be affected.

In the past, these clients have been able to use what Microsoft calls "basic auth" to access the server. This means that the client simply provides the server with a username and password for authentication. As a security measure, Microsoft is turning this mechanism off at some point after the 1st of October. After that, mail clients will need to use the "OAuth2" authentication mechanism instead, at least when they access the University mail servers via POP or IMAP.
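The difference between the two mechanisms, as an added example that is not part of the original page: it builds the IMAP authentication response a client sends for each one and shows that a password-only client has nothing to offer once the server stops advertising basic auth. Basic auth is modelled here as SASL PLAIN, and the mailbox name, password, token and CAPABILITY lines are constructed sample values.

```python
import base64

# Constructed sample values; none of them come from the page.
USER = "uun@ed.ac.uk"                    # placeholder mailbox
PASSWORD = "not-a-real-password"
ACCESS_TOKEN = "EXAMPLE.ACCESS.TOKEN"    # stands in for a token from the OAuth2 sign-in
# Constructed CAPABILITY lines: before and after basic auth is switched off.
CAP_BEFORE = "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR"
CAP_AFTER = "* CAPABILITY IMAP4rev1 AUTH=XOAUTH2 SASL-IR"

def plain_response(user, password):
    """Basic auth as SASL PLAIN (RFC 4616): NUL user NUL password, base64."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()

def xoauth2_response(user, token):
    """SASL XOAUTH2: user=<user> ^A auth=Bearer <token> ^A ^A, base64."""
    raw = f"user={user}\x01auth=Bearer {token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()

def offered_mechanisms(capability_line):
    """Return the SASL mechanisms advertised as AUTH=<name>."""
    return {w[5:].upper() for w in capability_line.split()
            if w.upper().startswith("AUTH=")}

def choose_auth(capability_line, user, password=None, token=None):
    """Pick a mechanism the server offers and build the client's response."""
    mechs = offered_mechanisms(capability_line)
    if "XOAUTH2" in mechs and token:
        return "XOAUTH2", xoauth2_response(user, token)
    if "PLAIN" in mechs and password:
        return "PLAIN", plain_response(user, password)
    raise RuntimeError("server offers %s; client has no matching credential"
                       % sorted(mechs))

def carries_password(response, password):
    """True if the base64 response decodes to bytes containing the password."""
    return password.encode() in base64.b64decode(response)

if __name__ == "__main__":
    for cap in (CAP_BEFORE, CAP_AFTER):
        try:
            mech, resp = choose_auth(cap, USER, password=PASSWORD)
            print(mech, "password on the wire:", carries_password(resp, PASSWORD))
        except RuntimeError as err:
            print("password-only client fails:", err)
    mech, resp = choose_auth(CAP_AFTER, USER, token=ACCESS_TOKEN)
    print(mech, "password on the wire:", carries_password(resp, PASSWORD))
```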

When are these changes taking effect?


This is not entirely clear. In its announcement of this change, Microsoft says that disabling of basic auth will begin on Exchange servers on the 1st of October 2022. There is no news on how long it will take Microsoft to get around to the University's servers, but it would be unwise to rely on it being much after the 1st of October.

Which Clients Will Continue to Work?


All modern Microsoft mail clients such as the Office 365 web mail client (the University's recommended client), Outlook 2016 or newer for Windows or Mac, and the Windows 10 and 11 mail apps will be unaffected.

The default mail apps on up-to-date versions of macOS, iOS/iPadOS and Android will also continue working, especially when configured to use the Exchange protocol - though Microsoft advise that on mobile clients you may need to delete and recreate your mail account after the change is made.

Thunderbird is explicitly not supported by the University, but it supports OAuth2 for IMAP and will continue to work after some reconfiguration.

Command line clients Alpine and Mutt can be made to work with OAuth2 - see below for some details.

What if an Email Client isn't Mentioned Above?


If your favourite email client isn't mentioned in the above paragraph, then you will need to carry out some investigations to see if it can continue to work with the University mail service after basic auth has been switched off. Check whether it offers native Exchange support (very few clients that don't come from Microsoft will do this). If it doesn't offer native support, then it is almost certainly using the IMAP protocol to access the Exchange server, so you will need to check whether the client supports IMAP authentication via OAuth2. If it doesn't, then it's time to start planning a move to an email client which will continue working. Computing support may be able to offer advice on migrating to a supported mail client.

Please note that Informatics computing support can offer little or no assistance in getting unsupported mail clients working. Please also note that turning off basic auth is not a School or even University decision but is being applied to Exchange servers across the globe by Microsoft.

Some client-specific advice

Alpine


Versions of Alpine newer than 2.24 (DICE Ubuntu currently provides 2.26) can be configured to use OAuth2 with IMAP. Some details:


  • Create a password file with
    touch ~/.pine-passfile


  • Reconfigure alpine by ensuring your connection string ends like:
    user=<UUN>@ed.ac.uk/auth=xoauth2

    That is, add the /auth... bit.

    Depending on your Alpine setup, user=<UUN> may appear several times. The main entry to get mail working is "Inbox path" and should look something like
    {outlook.office365.com/tls/user=<UUN>@ed.ac.uk/auth=xoauth2}<PATH TO INBOX>
    

    If you are using the University SMTP server for outgoing mail, you will also need to set SMTP server to something like

    outlook.office365.com/submit/user=<UUN>@ed.ac.uk/auth=xoauth2
    

    If you are using the University SMTP server, make sure that you are not using the Customized Header Config setting to set a different from: address. If you do so, attempts to send mail will fail with an error 250 message.


  • Save these changes and try to access your University mail account. You will need to enter your University mail password at this point if you have not already done so. Alpine should display a code and a Microsoft URL to visit. Visit the web site, enter the code and when prompted log into your Office365 account and grant Alpine access.

  • Return to your Alpine window and press Y to store the token. You will be prompted to create a master password for your new passfile. DO NOT use your DICE or University password.

  • To avoid inadvertently saving other passwords in the passfile, we recommend now setting the configuration variable
    [X]  Disable Password File Saving.

    in alpine. This doesn't prevent O365 tokens from being renewed, but it avoids prompts to save passwords for other servers.


Subsequent logins will simply ask for your passfile password, which may be easier to remember than your DICE or University password as it's "only" unlocking a token which itself can only access your email under limited circumstances. DO NOT use your DICE or University password as your passfile password.

Mutt


Mutt 2.0 has OAUTH support: http://www.mutt.org/relnotes/2.0/

See also a relevant link on refresh script usage: https://luxing.im/mutt-integration-with-gmail-using-oauth/

Thunderbird


Setting up OAuth2 in Thunderbird is easy to do. While in the Server Settings dialog box, either while changing the settings of an existing account or setting up a new one, change the Authentication method dropdown to OAuth2 as seen in the image.

Choosing OAuth2

Note that when setting up an account, the OAuth2 option won't appear until you have set up the hostname, port and connection security of the server using the settings found in the IS documentation. Remember to specify OAuth2 as the authentication method for both the IMAP and SMTP servers.

Other clients


If we receive any useful information on getting other clients working, we will add it here. If you have any information which you think would be useful for other Informatics users to know, get in touch!
Last reviewed: 31/08/2022
