0 votes
by (140 points)

Is there a Rebex blog post that explains how to register an unattended "daemon" app that sends emails using Rebex Secure Mail with Outlook SMTP, authenticating with OAuth on the Microsoft Outlook server?

The only permission this app should require is SMTP.Send -- it doesn't read any mail or fetch anything from the server.

We've been using Rebex mail for this purpose with email-address + password authentication which is soon to be eliminated.

1 Answer

0 votes
by (132k points)

It looks like Office 365 only supports unattended (app-only) authentication for the EWS protocol and for the Microsoft Graph API, while interactive (delegated) authentication is supported for the classic mail protocols as well. There might be a way to make it work for SMTP, IMAP and POP3 as well, but we are not currently aware of it. Please contact Microsoft for clarification regarding protocol and authentication support in their cloud services.

To make it simple to get started with using EWS instead of SMTP for sending e-mail, we published a sample app that uses app-only authentication to access an Office 365 mailbox using the EWS protocol. It is suitable for unattended (daemon/service) applications because no user interaction is required for the app-only authentication mode. Instead, the application uses a 'client secret' (basically an application password) to access mailboxes for a specific organization and send email on their behalf.

Prerequisites:
- An application has to be registered in Azure Active Directory with full_access_as_app permission (= Use Exchange Web Services with full access to all mailboxes) configured by editing the manifest in Azure AD app registration.
- Admin consent granted for an organization.
- A client secret generated.

Once this is configured, it's possible to use the Microsoft.Identity.Client library to obtain an access token, and use that with the Rebex Ews class to access the organization's mailboxes, as shown in the sample app.

However, this notably does not grant the SMTP.Send permission (which does not seem to be available for app-only mode), although it does make it possible to send emails using the Ews.SendMessage API.

There might be a way to make this work for the SMTP protocol as well, but I have not been able to find any relevant Microsoft document describing how to achieve that. Unfortunately, SMTP.Send is among the "delegated permissions", which only apply to applications that access Microsoft APIs as a signed-in user (= not for unattended/daemon mode). The other mode (unattended/daemon apps) does not seem to offer SMTP.Send. It offers the Mail.Send permission instead, which supposedly allows the app to send mail as any user. Unfortunately, it looks like this can only be utilized via the MS Graph API (not via SMTP). Perhaps a relevant permission exists that can be added by manually editing the manifest (just like for EWS), but we are not aware of it.

The following screenshot shows the different relevant permissions, both for "delegated" (= attended apps) and "application" (= unattended daemons) access:
[Screenshot: Azure AD mail permissions]

...
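The flow the answer describes (client-credentials token from MSAL.NET, then an OAuth 2.0 login to Office 365 EWS with the Rebex Ews class and Ews.SendMessage) looks roughly like the following in C#. This is an added illustration written for this page, not the Rebex sample app referred to above; the tenant, client ID, sender and recipient addresses are placeholders, the client secret is read from an environment variable rather than hard-coded, and the `full_access_as_app` role, admin consent and secret are assumed to have been set up as listed in the prerequisites.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;   // MSAL.NET (Microsoft.Identity.Client NuGet package)
using Rebex.Mail;                  // Rebex Secure Mail: MailMessage
using Rebex.Net;                   // Rebex Secure Mail: Ews, EwsAuthentication, SslMode

class DaemonMailer
{
    // Placeholder identifiers (constructed for this example).
    const string TenantId = "<tenant-id>";
    const string ClientId = "<app-registration-client-id>";
    const string Sender   = "noreply@example.com";

    // EWS app-only tokens are requested for the EWS resource, so the scope is "<resource>/.default":
    // it resolves to whatever application roles (here full_access_as_app) the admin consented to.
    static readonly string[] EwsScopes = { "https://outlook.office365.com/.default" };

    static async Task Main()
    {
        // Never embed the client secret in source; it is effectively a password for every mailbox
        // in the tenant once full_access_as_app has been consented to.
        string clientSecret = Environment.GetEnvironmentVariable("DAEMON_CLIENT_SECRET")
            ?? throw new InvalidOperationException("DAEMON_CLIENT_SECRET is not set");

        // 1. Client-credentials grant (app-only, no signed-in user).
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(ClientId)
            .WithClientSecret(clientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .Build();

        AuthenticationResult result = await app
            .AcquireTokenForClient(EwsScopes)
            .ExecuteAsync();

        // 2. Connect to Office 365 EWS over TLS and present the bearer token.
        using (var ews = new Ews())
        {
            ews.Connect("outlook.office365.com", SslMode.Implicit);
            ews.Login(result.AccessToken, EwsAuthentication.OAuth20);

            // With a tenant-wide app-only token the mailbox to act on is selected by EWS
            // impersonation; the Rebex sample app shows the setting used for that, so it is
            // left out here rather than guessed at.

            // 3. Build and send the message (the EWS replacement for an SMTP submission).
            var message = new MailMessage
            {
                From = Sender,
                To = "recipient@example.com",   // constructed placeholder
                Subject = "Unattended notification",
                BodyText = "Sent via EWS with app-only OAuth 2.0 authentication."
            };
            ews.SendMessage(message);

            ews.Disconnect();
        }
    }
}
```

Two points worth checking when running this against a real tenant: the token must be requested with the EWS scope shown, not a Graph scope, or the EWS login is rejected; and because `full_access_as_app` is not limited to one mailbox, the secret should live in a secret store with a rotation schedule, and the expiry of the token (`result.ExpiresOn`) should be honoured by requesting a fresh one before each batch of sends rather than caching it indefinitely.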