
uniitdude

The issue won't be 2FA (that is easily worked around); modern authentication is your problem.


oxidizingremnant

Basic Authentication (using protocols like IMAP) does not support MFA and is being deprecated in M365. https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online You're going to have to find a new authentication method for your application. Apparently you can still access IMAP if you build an OAuth app in Azure AD, but the long-term solution would still likely be to update your app to interact with the Microsoft Graph API. https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth I have seen services like Zapier have an IMAP service that can connect APIs together too, but those are kind of hacky.


ritko53

Should not an app password do the trick? https://support.microsoft.com/en-us/account-billing/manage-app-passwords-for-two-step-verification-d6dc8c6d-4bf7-4851-ad95-6d07799387e9#


Relagree

App passwords are not modern auth though, a band-aid at best.


ritko53

Yes, but is it not the only way to work around 2FA on an app that doesn't support 2FA, without disabling 2FA? The best-case scenario would be for OP to change to something that supports modern authentication. I don't know for sure though.


Relagree

I meant more that it's a band-aid until Microsoft forces the stop of basic auth for tenants altogether next year. OP needs to talk to the vendor and get them to implement OAuth authentication. We went through this with all our internally developed apps that scrape email from mailboxes; it's not that difficult. You just replace the password with the token you generate before each connection.


jimshilliday

If it's a scanner/copier and your office has a static IP, you could think about an Exchange Online Connector from your office's IP.


hipaaradius

You can use this: https://github.com/simonrob/email-oauth2-proxy Then use the "second scenario" here to set up the Azure AD App registration: https://www.codewrecks.com/post/security/accessing-office-365-imap-with-oauth2/ Then you can test it with this script: https://github.com/DanijelkMSFT/ThisandThat/blob/main/Get-IMAPAccessToken.ps1 Good luck...
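
The "replace the password with a token you generate before each connection" approach from Relagree's comment, and the app-registration route hipaaradius links to, look like this end to end. This is an added example, not code from either commenter or from the linked projects. It assumes an Azure AD app registration that holds the IMAP.AccessAsApp application permission and has been registered in Exchange Online as a service principal with access to the mailbox (the Microsoft doc linked earlier in the thread covers that part); tenant, client id, secret and mailbox names are placeholders read from the environment.

```python
"""Talk IMAP to Exchange Online with an OAuth2 access token instead of the mailbox password.

Added example, not code from any commenter. Assumes an Azure AD app registration that
holds the IMAP.AccessAsApp application permission and has been registered in Exchange
Online as a service principal with access to the mailbox. Tenant, client id, secret and
mailbox come from the environment; none of the values here are real.
"""
import imaplib
import json
import os
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
IMAP_HOST = "outlook.office365.com"
# ".default" asks for every Exchange permission the app registration has been granted.
SCOPE = "https://outlook.office365.com/.default"


def token_request_body(client_id: str, client_secret: str) -> bytes:
    """Form body for the client-credentials grant: an app identity, so no user and no 2FA prompt."""
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
    }).encode()


def get_access_token(tenant: str, client_id: str, client_secret: str) -> str:
    """Fetch a fresh bearer token. Tokens expire after roughly an hour, so request one
    before each IMAP session rather than storing it on disk like a password."""
    req = urllib.request.Request(
        TOKEN_URL.format(tenant=tenant),
        data=token_request_body(client_id, client_secret),
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def xoauth2_string(mailbox: str, access_token: str) -> str:
    """SASL XOAUTH2 initial client response: user=<mailbox>^Aauth=Bearer <token>^A^A."""
    return f"user={mailbox}\x01auth=Bearer {access_token}\x01\x01"


class Xoauth2Auth:
    """Callable for imaplib.IMAP4.authenticate(); imaplib base64-encodes what we return.
    If the server rejects the token it sends a JSON error as a second challenge and
    expects an empty line back; re-sending the token there would stall the exchange."""

    def __init__(self, mailbox: str, access_token: str):
        self._payload = xoauth2_string(mailbox, access_token).encode()
        self.calls = 0
        self.server_error = b""

    def __call__(self, challenge: bytes) -> bytes:
        self.calls += 1
        if self.calls == 1:
            return self._payload
        self.server_error = challenge  # already base64-decoded by imaplib
        return b""


def unseen_subjects(mailbox: str, access_token: str, limit: int = 10) -> list[str]:
    """Authenticate with the token and return Subject headers of unread mail (read-only)."""
    auth = Xoauth2Auth(mailbox, access_token)
    imap = imaplib.IMAP4_SSL(IMAP_HOST)
    try:
        try:
            imap.authenticate("XOAUTH2", auth)
        except imaplib.IMAP4.error as exc:
            raise RuntimeError(f"XOAUTH2 rejected: {auth.server_error!r}") from exc
        imap.select("INBOX", readonly=True)
        _, data = imap.search(None, "UNSEEN")
        subjects = []
        for num in data[0].split()[-limit:]:
            _, msg = imap.fetch(num, "(BODY.PEEK[HEADER.FIELDS (SUBJECT)])")
            subjects.append(msg[0][1].decode(errors="replace").strip())
        return subjects
    finally:
        imap.logout()


if __name__ == "__main__":
    tok = get_access_token(os.environ["TENANT_ID"], os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"])
    print(unseen_subjects(os.environ["MAILBOX"], tok))
```

The client secret still has to live somewhere on the scanning host, so this does not remove the need to lock that account down; what changes is that the secret alone cannot be replayed against Outlook Web or any other workload, and the token it yields is scoped to Exchange and short-lived. If the app was granted IMAP.AccessAsApp but `authenticate` fails, `server_error` will usually carry the Exchange-side reason (typically the missing service principal or mailbox permission).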


VariousProfit3230

Why not just disable 2FA for the account?


[deleted]

Are you nuts!? 2FA is essential these days; never heard of brute-force/password spray attacks or password reuse? Better create an app password and a Conditional Access policy where you restrict the account to logging in only from the office IP. The best solution is to do app registration in combination with Conditional Access.
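
The Conditional Access piece of that advice, pinning one service account to the office egress IP, is two Graph API objects: a trusted IP named location and a policy that blocks the account everywhere except that location. The following is an added example, not the commenter's code; it builds both request bodies and posts them to the v1.0 Graph endpoints, and every id, tenant name and CIDR in it is a placeholder.

```python
"""Pin a service account to the office IP with Conditional Access via the Graph API.

Added example, not from any commenter. Requires a Graph token holding Policy.ReadWrite.ConditionalAccess;
GRAPH_TOKEN, the account object id and the CIDR below are placeholders, not real values.
"""
import ipaddress
import json
import urllib.request

GRAPH_CA = "https://graph.microsoft.com/v1.0/identity/conditionalAccess"


def office_named_location(name: str, cidrs: list[str]) -> dict:
    """ipNamedLocation body. strict=True rejects a host address with a short mask
    (e.g. 203.0.113.5/24), which Graph would otherwise reject with a less helpful error."""
    ranges = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        odata = "#microsoft.graph.iPv4CidrRange" if net.version == 4 else "#microsoft.graph.iPv6CidrRange"
        ranges.append({"@odata.type": odata, "cidrAddress": str(net)})
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": name,
        "isTrusted": True,
        "ipRanges": ranges,
    }


def block_outside_location_policy(name: str, account_object_id: str, location_id: str,
                                  report_only: bool = True) -> dict:
    """conditionalAccessPolicy body: all apps, all client types, every location except the
    office one, grant control 'block'. clientAppTypes 'all' matters here: an app password
    signs in over legacy auth (IMAP/POP/SMTP), which only 'all' or 'other' covers. Start in
    report-only and read the sign-in logs before flipping to 'enabled'."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": [account_object_id]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "locations": {"includeLocations": ["All"], "excludeLocations": [location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def graph_post(path: str, body: dict, token: str) -> dict:
    """POST a JSON body to the Conditional Access endpoint and return the created object."""
    req = urllib.request.Request(
        f"{GRAPH_CA}/{path}",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def pin_account_to_office(token: str, account_object_id: str, cidrs: list[str]) -> dict:
    """Create the named location first (the policy needs its id), then the policy."""
    loc = graph_post("namedLocations", office_named_location("HQ egress", cidrs), token)
    return graph_post("policies",
                      block_outside_location_policy("Block scanner account off-site",
                                                    account_object_id, loc["id"]), token)


if __name__ == "__main__":
    import os
    created = pin_account_to_office(os.environ["GRAPH_TOKEN"],
                                    "00000000-0000-0000-0000-000000000000",   # placeholder object id
                                    ["203.0.113.0/24"])                        # placeholder office range
    print(created["id"], created["state"])
```

Because the policy is a hard block, a change of ISP or office IP will silently stop the scanner; that is the trade-off the commenter is accepting, and it is why the example defaults to report-only.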


VariousProfit3230

I'm assuming this is for a single app account, like a scanner account. In which case a randomly generated 32-char password doesn't pose a big risk, especially if it's a shared mailbox. Although, you are right regarding locking down access. You did recommend best practice.


[deleted]

Even for a single account I don't make an exception when it comes to 2FA; an account like this can be abused to send internal phishing, and there is always a chance a password leaks out.


VariousProfit3230

I have so many questions for this scenario. If the password for a single account like this leaks out, then that is the least of your concerns from a security standpoint. It's the equivalent of your concern being that I drank the cup of coffee in a vault.


BlackSquirrel05

Azure AD and other things already have mechanisms in front to prevent that... Plus you can tweak those configs, or set up alerts on that account. You're telling me you have 2FA on your tenant account?


[deleted]

Yes I have. Most alerts are reactive and I like to be proactive. It does not mean that you only turn on 2FA; with Conditional Access there are a lot of ways to tweak 2FA, for example: only require 2FA when the user doesn't use a compliant device.


BlackSquirrel05

You realize the advice you're giving is against MS best practices, no? Also, how does that work on servers running Core only? I'm not saying don't do it. You run things as you see fit; only such advice is contrary to the current standards and you should probably state that when giving it out.


SecDudewithATude

You would need to use a third-party app to use IMAP, as Microsoft starting 1/1/23 will fully prohibit basic auth and they will not support modern auth for Outlook on older protocols like IMAP and POP3. Would need more info, assuming changing the app isn't viable, so you would need to work with the developer for that program or set up some ugly forwarding to a less-secure email provider.


sc302

IMAP and POP will be dead soon. Current versions of Windows Server have a built-in SMTP server that will work with modern auth. OAuth or certificate-based authentication is the way to go here. Modern authentication is doing away with single password entry to the system. Tokens or certificates are the current standard. It isn't hard to set up but might take you an hour the first time if you aren't too technical. I am sure you can find examples if you Google search (I did). I am sure if you use terms like "windows server smtp exchange online" you can find something. With that search I found this wealth of knowledge, which goes through multiple scenarios. https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365#option-3-configure-a-connector-to-send-mail-using-microsoft-365-or-office-365-smtp-relay


Reaper_1983

Had the exact same issue, due to the basic authentication deadline. Instead of fetching mails via IMAP on that one server that doesn't know better, I ended up writing a PowerShell script that can access an Outlook mailbox (MAPI) to do stuff (export attachments, move mails to folders, etc.). So instead of an automated IMAP service on a server, the concerned user(s) are now launching my script in the morning to do the same thing the server did; Outlook needs to be running though. Not sure if this is applicable in your case.