OAuth2 support for opnsense/monit?

Started by phaze75, October 25, 2024, 01:13:13 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
October 25, 2024, 01:13:13 PM Last Edit: October 25, 2024, 01:14:59 PM by phaze75
Hi there,

recently Microsoft disabled basic username/password authentication (SMTP AUTH) for smtp-mail.outlook.com: https://tinyurl.com/ypf5w7s5

My company is using Microsoft 365 cloud services and I only realized that because Monit "stopped" sending alert emails. For now I could manually override the disabling, but it would only buy me a year, as MS will remove SMTP AUTH support by September 2025. See link above.

Thus my question: is opnsense/monit able to authenticate via OAuth2? The current configuration webform does not offer this option. My research did not come up with any hints towards OAuth2 support.

Thanks in advance for your support!
October 25, 2024, 01:19:06 PM #1
Do you have a fixed public IP address? You could set up Postfix on OPNsense as a company mail server with MS365 and configure monit accordingly.

https://forum.opnsense.org/index.php?topic=34587.0
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
October 25, 2024, 01:30:11 PM #2 Last Edit: October 25, 2024, 01:36:25 PM by phaze75
Thanks for the advice, but unfortunately I don't have a fixed public IP address (anymore). I recently moved most of my on-premise services into the cloud(s). Thus, I only maintain a small office network running on opnsense with a dynamic IP. And I use monit to monitor those cloud services.
October 25, 2024, 02:06:08 PM #3 Last Edit: October 25, 2024, 02:08:22 PM by phaze75
Giving postfix on opnsense a second thought: why would I need a fixed IP? If I run postfix as a purely internal (LAN) smtp relay for my remaining on-premise services (e.g. monit), it wouldn't even need to be published on the WAN, would it? As long as smtp-mail.outlook.com would then accept all emails relayed by opnsense/postfix.

Or do I miss something here?
October 25, 2024, 02:12:45 PM #4
Postfix would still need to authenticate to MS365 if you want to send mail via MS365. The postfix plugin on OPNsense does not support OAuth as far as I know.

If you only want to send mail to MS365, you might be fine. Depending on MS not blocking your dynamic IP address range or similar.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
October 25, 2024, 03:35:53 PM #5 Last Edit: October 25, 2024, 03:45:22 PM by phaze75
True that.

Sending email to MS365 would be sufficient. But you are right, as there is no trust or authentication established, every email sent will be fully affected by MS365's anti-spam policies. So there will always be a risk of alerts not going through. Not very favorable.

I just checked specifically for OAuth2 support by postfix and sendmail. Nothing. Well, OAuth2 is not part of the SMTP protocol standard (yet). The topic seems to be lingering for quite some time, as I found many posts - some of them years old. Google/Gmail seems to be on the same page.

The question is how this requirement will be handled in the near future. I guess many will be affected next year as soon as MS365 will not support SMTP AUTH anymore, as not everybody runs on fixed IPs. Especially not small businesses.

There is a quite nice and comprehensive OAuth2 CLI to fetch tokens: https://github.com/cloudentity/oauth2c
October 25, 2024, 03:57:24 PM #6
I guess this is not right.

Postfix is a server and can send emails to other servers. I have never seen Postfix to behave as client and authenticate itself as client - MSA. But mybe it is doable with some specific steps.

Anyway here we are talking about clients sending emails -> clients mean Outlook, Thunderbird or any other application behaving as client to the server. Here monit. But other gear may have similar.

Often such clients can send email without authentication to local server.
But to use some public provider, today you need authenticate.

So use SMTP "AUTH" - and very often plain -simple user/password.
Now MS will remove it and will use OATH authentication.

So no, MS does not remove SMTP AUTH, just changes the auth method and client has to support it.
October 25, 2024, 04:01:32 PM #7
Quote from: bman on October 25, 2024, 03:57:24 PM
Postfix is a server and can send emails to other servers. I have never seen Postfix to behave as client and authenticate itself as client - MSA. But mybe it is doable with some specific steps.

It is quite common to configure a local MTA as a client authenticating to some smart host, nowadays. And it ist doable with common in-band authentication methods like PLAIN or DIGEST-MD5 ...
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
October 29, 2024, 10:54:32 AM #8
Quote from: bman on October 25, 2024, 03:57:24 PM
Postfix is a server and can send emails to other servers. I have never seen Postfix to behave as client and authenticate itself as client - MSA. But mybe it is doable with some specific steps.

For every trusted connection between MTAs it is necessary to establish trust. One way or the other. The simplest way is to configure a trusted relay with a fixed IP. But there are other options.

Quote from: bman on October 25, 2024, 03:57:24 PM
So use SMTP "AUTH" - and very often plain -simple user/password.
Now MS will remove it and will use OATH authentication.

So no, MS does not remove SMTP AUTH, just changes the auth method and client has to support it.

Indeed, I could have been more succinct. Microsoft is merely altering the authentication method. However, given that most clients, including Monit, lack OAuth2 support, it's unlikely they will adapt by September 2025, if at all.
Print
Go Up Pages1
User actions