Outlook/Exchange Authentication in DavMail

Microsoft has made life even more difficult

I have previously written an article on setting up Outlook/Exchange email on Linux, in which I discussed setting up DavMail, a Java program that allows you to use a standard IMAP/SMTP interface to communicate with Outlook email. Unfortunately, not long after I wrote that article, Microsoft rolled out an update that broke it. In that article, I presented a DavMail configuration that uses Basic Authentication, which was at the time the lowest friction approach to authentication. Unfortunately, Microsoft has now disabled support for basic authentication.

Thankfully, the fix isn’t complicated, although it does require a little bit more work. DavMail has support for several different authentication modes, which can be set by adjusting the davmail.mode property in the configuration file. The relevant values here are O365Modern for “modern” authentication, or O365Manual for manual authentication.

I don’t know if it is down to me not using it correctly, or the way Penn State configures its email, but I cannot get O365Modern to work. Instead, I use O365Manual. It isn’t nearly as much of a pain as you might expect.

To use manual authentication, set up your DavMail properties file as you normally would, using O365Manual for the mode. If you’re just getting started with DavMail, here is a simple configuration to get you started,

# Disallow access to the davmail server from remote hosts (i.e., other
# computers on the network)

# Don't use SSL (between email client and davmail)

# Ports to run the different services on. You'll need these to connect
# your clients. If you have several Exchange accounts, each one will need
# to run on different ports

# Connection details for your exchange account. Odds are good that the
# url listed here will work for you. If not, see if your University/employer
# has any details on the correct host URL to connect to their email services
# with.

# Set the authentication mode to manual

# Run davmail in server mode

With your configuration file set up, run DavMail manually in a terminal,

$ davmail <path to configuration file>
2022-12-24 16:37:35,829 INFO  [main] davmail  - DavMail Gateway 6.0.1-3390 listening on SMTP port 5003 IMAP port 5001 CALDAV port 5000 LDAP port 5002 

Next, configure your email client of choice to connect to DavMail. Use has the hostname for IMAP and SMTP (this special IP address indicates localhost, the same computer running the email client), and give it the ports that you’ve used from your configuration file for DavMail, as well as your usual username (probably your full email address) and password. If you haven’t set up SSL/TLS, be sure to use unencrypted connections1 here.

I personally use mbsync(1) for accessing my email and msmtp(1) for sending email, so here is what my configurations look like, where get-pass is a wrapper script to the pass(1) password manager that I use (and can be found here).

mbsync config

IMAPAccount university
Port 1143
UserCmd "get-pass -c email/psu email"
PassCmd "get-pass -c email/psu"
SSLType None
AuthMechs LOGIN

IMAPStore university-remote
Account university

MaildirStore university-local
Subfolders Verbatim
Path ~/.local/share/mail/university/
Inbox ~/.local/share/mail/university/Inbox

Channel university
Far :university-remote:
Near :university-local:
SyncState *
Patterns *
Create Both
Sync All
Expunge Near

msmtp config:

account university
port 1025
protocol smtp
auth plain
tls off
passwordeval "get-pass email/psu"

Once these are configured, attempt to connect to the email server. In my case, with mbsync(1), this is done with,

$ mbsync university

The email synchronization will block, and you should see an authentication prompt in your DavMail output, something like this

Please open the following link: 
 proceed through authentication steps and paste back the final url that contains authentication code (blank page)
Authentication code: 

Copy and paste the provided URL into your web browser, and you should be presented with an Office365 login screen, or possibly with a blank white screen if you are already authenticated with Office365 in your browser. If you don’t get a white screen right away, complete your sign on as usual, after which you should get the white screen.

Once you’re on the white screen, simply copy and paste the entire URL from your browser into the DavMail terminal window, and hit enter. This will complete the authentication process.

There’s fairly good odds your email sync will have timed out by now. So go ahead and repeat the process. This time, you should get let in without any manual intervention.

If you examine your DavMail configuration file again, you should see a new entry called davmail.oauth.<email>.refreshToken. This is the token that you retrieved during the manual sign-on process above.

This token is part of the authentication process, and should be treated with the same care as a password. Be careful not to accidentally commit it to a public git repository (or private one, for that matter).

The token will remain valid for some time (I don’t know precisely how long, but it is on the order of weeks in my experience), during which you can automatically authenticate with Outlook even if your DavMail is running as a service in the background. If at some point your authentication fails randomly, it is likely that the token has expired, in which case you only need to repeat the above process to get a new token.

And that’s it! With a little bit of manual intervention every couple of weeks, you should be able to get access to your Microsoft Outlook/Exchange email on Linux and BSD. DavMail has, in my experience, been pretty reliable, if a good bit slower than a direct IMAP connection. But, so far as I am concerned, slow but working is better than not working at all!

I hope that you found this information useful. Happy emailing!

  1. Some email clients will object to making an unencrypted connection, but this should be able to be overridden. For example, msmtp initially complains, but can be satisfied by adding the auth plain option to its configuration. Additionally, some email clients (like Geary), lack the ability to specify custom ports for services. In this case, they will expect IMAP/POP/SMTP to be running on their default ports. Theoretically, I think you can bind DavMail to these ports, although it will require running DavMail as root, but I’ve not tested this myself as I don’t use any email clients with this limitation. ↩︎