email sending over office365 (smtp-mail.outlook.com) with oauth client_credentials_flow not working

[giuseppCl]

Hello,

I have set up an Azure App Registration to send emails using Microsoft services via the client_credentials flow. I am utilizing this application for this purpose.

Working Workflow with Microsoft Graph API:

I request a token using the following command

curl -X POST "https://login.microsoftonline.com/$TENANT_ID/oauth2/v2.0/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_crede
ntials&client_id=$CLIENT_ID&client_secret=$SECRET&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default"

With the obtained token, I can successfully send an email using the Microsoft Graph API:

curl -v -X POST "https://graph.microsoft.com/v1.0/users/$SENDER_EMAIL/sendMail" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"message": {
"subject": "Subject of the email",
"body": {
"contentType": "Text",
"content": "This is the content of the email."
},
"toRecipients": [
{
"emailAddress": {
"address": "$RCPT_EMAIL"
}
}
]
}
}'

This approach works perfectly.

---

Problem with SMTP and Scope https://outlook.office365.com/.default:

However, when I use the scope https://outlook.office365.com/.default to send emails via SMTP (smtp-mail.outlook.com), authentication fails. The server and configuration used are as follows:

Despite correct credentials and using the same Azure App Registration, I receive the following error when attempting to send emails:

535 5.7.139 Authentication unsuccessful, the request did not meet the criteria to be authenticated successfully.

I have also followed these steps using PowerShell:

1. Created a new service principal:

New-ServicePrincipal -AppId "APP_ID" -ServiceId "OBJECT_ID"

2. Updated the service principal with a display name:

Set-ServicePrincipal -Identity "OBJECT_ID" -DisplayName "email-oauth-proxy"

3. Granted the service principal full access to the mailbox:

Add-MailboxPermission -Identity "SENDER_EMAIL" -User "OBJECT_ID" -AccessRights FullAccess

Despite these steps, the issue with SMTP authentication persists.

This is my emailproxy.config

[IMAP-1993]
server_address = outlook.office365.com
server_port = 993
local_address = 0.0.0.0

[POP-1995]
server_address = outlook.office365.com
server_port = 995
local_address = 0.0.0.0

[SMTP-1587]
server_address = smtp-mail.outlook.com
server_port = 587
server_starttls = True
local_address = 0.0.0.0

[monitor@techmatrix.de]
documentation = *** note: this is an advanced O365 account example; in most cases you want the version above instead ***
token_url = https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token
oauth2_scope = https://outlook.office365.com/.default
oauth2_flow = client_credentials
client_id = CLIENT_ID
client_secret = SECRET

Im using the dockerzied setup:

services:
  emailproxy:
    image: blacktirion/email-oauth2-proxy-docker
    container_name: emailproxy
    volumes:
     - ./config:/config
    ports:
     - 1587:1587
    environment:
      LOGFILE: true
      DEBUG: true
      CACHE_STORE: /config/credstore.config

Does anyone know what I am doing wrong? Or does anyone have any tips or guesses for further debugging?

Thanks in advance!

[giuseppCl]

I also asked a question to the azure community:
https://learn.microsoft.com/en-us/answers/questions/2129942/email-sending-over-office365-(smtp-mail-outlook-co?comment=question#newest-question-comment

[simonrob]

It might help if you post the proxy's log in debug mode so that I can see what authentication method is actually being attempted.

[depawlur]

I actually have exactly same problem, also from the instructions how can I configure my "account" - that is Azure app registrations (with app id & secret (I didn't test the certificate)) to send email as my email (the app has permissions to send as my mailbox).

it does work if I do:
I request a token using the following command

curl -X POST "https://login.microsoftonline.com/$TENANT_ID/oauth2/v2.0/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_crede
ntials&client_id=$CLIENT_ID&client_secret=$SECRET&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default"

With the obtained token, I can successfully send an email using the Microsoft Graph API:

curl -v -X POST "https://graph.microsoft.com/v1.0/users/$SENDER_EMAIL/sendMail" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"message": {
"subject": "Subject of the email",
"body": {
"contentType": "Text",
"content": "This is the content of the email."
},
"toRecipients": [
{
"emailAddress": {
"address": "$RCPT_EMAIL"
}
}
]
}
}'

This approach works perfectly.

when I do:

curl smtp://127.0.0.1:1587 \
     --mail-from "john.doe@example.com" \
     --mail-rcpt "rcpt@gmail.com" \
     --upload-file email.txt \
     --user "john.doe@example.com:password"

I get the following log:

2025-03-17 01:34:31,699: Initialising Email OAuth 2.0 Proxy (version 2025-03-14) in debug mode from config file emailproxy.config
2025-03-17 01:34:31,701: Starting SMTP server at 127.0.0.1:1587 (unsecured) proxying smtp-mail.outlook.com:587 (STARTTLS)
2025-03-17 01:34:31,705: Initialised Email OAuth 2.0 Proxy - listening for authentication requests. Connect your email client to begin
2025-03-17 01:35:40,928: New incoming connection to SMTP server at 127.0.0.1:1587 (unsecured) proxying smtp-mail.outlook.com:587 (STARTTLS)
2025-03-17 01:35:40,928: Accepting new connection from 127.0.0.1:60786 to SMTP server at 127.0.0.1:1587 (unsecured) proxying smtp-mail.outlook.com:587 (STARTTLS)
2025-03-17 01:35:40,962: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587) --> [ Client connected ]
2025-03-17 01:35:40,975: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'220 BL1P222CA0011.outlook.office365.com Microsoft ESMTP MAIL Service ready at Mon, 17 Mar 2025 05:39:10 +0000 [08DD62E5192EE6DD]\r\n'
2025-03-17 01:35:40,975: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587) <-- b'220 BL1P222CA0011.outlook.office365.com Microsoft ESMTP MAIL Service ready at Mon, 17 Mar 2025 05:39:10 +0000 [08DD62E5192EE6DD]\r\n'
2025-03-17 01:35:40,976: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587) --> b'EHLO email.txt\r\n'
2025-03-17 01:35:40,976: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     --> b'EHLO email.txt\r\n'
2025-03-17 01:35:40,988: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-BL1P222CA0011.outlook.office365.com Hello [100.2.245.226]\r\n'
2025-03-17 01:35:40,989: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-SIZE 157286400\r\n'
2025-03-17 01:35:40,989: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-PIPELINING\r\n'
2025-03-17 01:35:40,989: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-DSN\r\n'
2025-03-17 01:35:40,990: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-ENHANCEDSTATUSCODES\r\n'
2025-03-17 01:35:40,990: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-STARTTLS\r\n'
2025-03-17 01:35:40,990: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-8BITMIME\r\n'
2025-03-17 01:35:40,990: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-BINARYMIME\r\n'
2025-03-17 01:35:40,990: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-CHUNKING\r\n'
2025-03-17 01:35:40,991: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250 SMTPUTF8\r\n'
2025-03-17 01:35:40,991: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     --> b'STARTTLS\r\n'
2025-03-17 01:35:41,002: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'220 2.0.0 SMTP server ready\r\n'
2025-03-17 01:35:41,003: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587) <-> [ Starting TLS handshake ]
2025-03-17 01:35:41,015: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587) [ Successfully negotiated SMTP server STARTTLS connection - re-sending greeting ]
2025-03-17 01:35:41,015: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     --> b'EHLO email.txt\r\n'
2025-03-17 01:35:41,046: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587) <-> [ TLSv1.3 handshake complete ]
2025-03-17 01:35:41,069: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-BL1P222CA0011.outlook.office365.com Hello [100.2.245.226]\r\n'
2025-03-17 01:35:41,069: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-SIZE 157286400\r\n'
2025-03-17 01:35:41,069: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-PIPELINING\r\n'
2025-03-17 01:35:41,070: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-DSN\r\n'
2025-03-17 01:35:41,070: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-ENHANCEDSTATUSCODES\r\n'
2025-03-17 01:35:41,070: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-AUTH LOGIN XOAUTH2\r\n'
2025-03-17 01:35:41,070: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-8BITMIME\r\n'
2025-03-17 01:35:41,071: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-BINARYMIME\r\n'
2025-03-17 01:35:41,071: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-CHUNKING\r\n'
2025-03-17 01:35:41,071: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250 SMTPUTF8\r\n'
2025-03-17 01:35:41,071: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587) <-- b'250-BL1P222CA0011.outlook.office365.com Hello [100.2.245.226]\r\n250-SIZE 157286400\r\n250-PIPELINING\r\n250-DSN\r\n250-ENHANCEDSTATUSCODES\r\n250-AUTH PLAIN LOGIN\r\n250-8BITMIME\r\n250-BINARYMIME\r\n250-CHUNKING\r\n250 SMTPUTF8\r\n'
2025-03-17 01:35:41,072: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587) --> b'AUTH PLAIN\r\n'
2025-03-17 01:35:41,072: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587) <-- b'334 \r\n'
2025-03-17 01:35:41,075: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587) --> b'[[ Credentials removed from proxy log ]]'
2025-03-17 01:35:41,075: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     --> b'AUTH XOAUTH2\r\n'
2025-03-17 01:35:41,087: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'334 \r\n'
2025-03-17 01:35:42,472: Error requesting access token for account john.doe@example.com - received invalid response: {'error': 'invalid_grant', 'error_description': 'AADSTS50126: Error validating credentials due to invalid username or password. Trace ID: 6895e414-1444-4d13-a596-38a350a61800 Correlation ID: b4e2a1d5-82cc-4fb2-9f02-489db7f5bd57 Timestamp: 2025-03-17 05:39:12Z', 'error_codes': [50126], 'timestamp': '2025-03-17 05:39:12Z', 'trace_id': '6895e414-1444-4d13-a596-38a350a61800', 'correlation_id': 'b4e2a1d5-82cc-4fb2-9f02-489db7f5bd57', 'error_uri': 'https://login.microsoftonline.com/error?code=50126'}
2025-03-17 01:35:42,473: Caught exception while requesting OAuth 2.0 credentials for account john.doe@example.com: {'error': 'invalid_grant', 'error_description': 'AADSTS50126: Error validating credentials due to invalid username or password. Trace ID: 6895e414-1444-4d13-a596-38a350a61800 Correlation ID: b4e2a1d5-82cc-4fb2-9f02-489db7f5bd57 Timestamp: 2025-03-17 05:39:12Z', 'error_codes': [50126], 'timestamp': '2025-03-17 05:39:12Z', 'trace_id': '6895e414-1444-4d13-a596-38a350a61800', 'correlation_id': 'b4e2a1d5-82cc-4fb2-9f02-489db7f5bd57', 'error_uri': 'https://login.microsoftonline.com/error?code=50126'}
2025-03-17 01:35:42,473: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     --> b'*\r\n'
2025-03-17 01:35:47,475: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'535 5.7.3 Authentication unsuccessful [BL1P222CA0011.NAMP222.PROD.OUTLOOK.COM 2025-03-17T05:39:17.618Z 08DD62E5192EE6DD]\r\n'
2025-03-17 01:35:47,477: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587) <-- b'535 5.7.8  Authentication credentials invalid. Email OAuth 2.0 Proxy: Login failed for account john.doe@example.com - please check your internet connection and retry\r\n'
2025-03-17 01:35:47,480: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587) --> [ Client disconnected ]
2025-03-17 01:35:47,481: SMTP (127.0.0.1:60786-{127.0.0.1:1587}-smtp-mail.outlook.com:587) <-- [ Server disconnected ]

Is there an option not to use username and password?

curl smtp://127.0.0.1:1587 \
     --mail-from "john.doe@example.com" \
     --mail-rcpt "rcpt@gmail.com" \
     --upload-file email.txt \

logs for when I don't pass the username and password:

2025-03-17 01:46:23,366: Initialising Email OAuth 2.0 Proxy (version 2025-03-14) in debug mode from config file emailproxy.config
2025-03-17 01:46:23,368: Starting SMTP server at 127.0.0.1:1587 (unsecured) proxying smtp-mail.outlook.com:587 (STARTTLS)
2025-03-17 01:46:23,372: Initialised Email OAuth 2.0 Proxy - listening for authentication requests. Connect your email client to begin
2025-03-17 01:47:07,631: New incoming connection to SMTP server at 127.0.0.1:1587 (unsecured) proxying smtp-mail.outlook.com:587 (STARTTLS)
2025-03-17 01:47:07,633: Accepting new connection from 127.0.0.1:60791 to SMTP server at 127.0.0.1:1587 (unsecured) proxying smtp-mail.outlook.com:587 (STARTTLS)
2025-03-17 01:47:07,661: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587) --> [ Client connected ]
2025-03-17 01:47:07,672: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'220 BLAPR03CA0030.outlook.office365.com Microsoft ESMTP MAIL Service ready at Mon, 17 Mar 2025 05:50:37 +0000 [08DD650169F617E5]\r\n'
2025-03-17 01:47:07,674: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587) <-- b'220 BLAPR03CA0030.outlook.office365.com Microsoft ESMTP MAIL Service ready at Mon, 17 Mar 2025 05:50:37 +0000 [08DD650169F617E5]\r\n'
2025-03-17 01:47:07,674: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587) --> b'EHLO email.txt\r\n'
2025-03-17 01:47:07,675: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     --> b'EHLO email.txt\r\n'
2025-03-17 01:47:07,686: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-BLAPR03CA0030.outlook.office365.com Hello [100.2.245.226]\r\n'
2025-03-17 01:47:07,686: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-SIZE 157286400\r\n'
2025-03-17 01:47:07,686: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-PIPELINING\r\n'
2025-03-17 01:47:07,687: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-DSN\r\n'
2025-03-17 01:47:07,687: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-ENHANCEDSTATUSCODES\r\n'
2025-03-17 01:47:07,687: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-STARTTLS\r\n'
2025-03-17 01:47:07,687: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-8BITMIME\r\n'
2025-03-17 01:47:07,688: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-BINARYMIME\r\n'
2025-03-17 01:47:07,692: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-CHUNKING\r\n'
2025-03-17 01:47:07,692: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250 SMTPUTF8\r\n'
2025-03-17 01:47:07,692: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     --> b'STARTTLS\r\n'
2025-03-17 01:47:07,703: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'220 2.0.0 SMTP server ready\r\n'
2025-03-17 01:47:07,705: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587) <-> [ Starting TLS handshake ]
2025-03-17 01:47:07,717: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587) [ Successfully negotiated SMTP server STARTTLS connection - re-sending greeting ]
2025-03-17 01:47:07,717: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     --> b'EHLO email.txt\r\n'
2025-03-17 01:47:07,748: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587) <-> [ TLSv1.3 handshake complete ]
2025-03-17 01:47:07,768: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-BLAPR03CA0030.outlook.office365.com Hello [100.2.245.226]\r\n'
2025-03-17 01:47:07,768: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-SIZE 157286400\r\n'
2025-03-17 01:47:07,768: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-PIPELINING\r\n'
2025-03-17 01:47:07,769: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-DSN\r\n'
2025-03-17 01:47:07,769: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-ENHANCEDSTATUSCODES\r\n'
2025-03-17 01:47:07,769: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-AUTH LOGIN XOAUTH2\r\n'
2025-03-17 01:47:07,769: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-8BITMIME\r\n'
2025-03-17 01:47:07,770: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-BINARYMIME\r\n'
2025-03-17 01:47:07,770: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250-CHUNKING\r\n'
2025-03-17 01:47:07,770: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'250 SMTPUTF8\r\n'
2025-03-17 01:47:07,770: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587) <-- b'250-BLAPR03CA0030.outlook.office365.com Hello [100.2.245.226]\r\n250-SIZE 157286400\r\n250-PIPELINING\r\n250-DSN\r\n250-ENHANCEDSTATUSCODES\r\n250-AUTH PLAIN LOGIN\r\n250-8BITMIME\r\n250-BINARYMIME\r\n250-CHUNKING\r\n250 SMTPUTF8\r\n'
2025-03-17 01:47:07,771: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587) --> b'MAIL FROM:<john.doe@example.com> SIZE=5\r\n'
2025-03-17 01:47:07,771: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     --> b'MAIL FROM:<john.doe@example.com> SIZE=5\r\n'
2025-03-17 01:47:12,793: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587)     <-- b'530 5.7.57 Client not authenticated to send mail. [BLAPR03CA0030.namprd03.prod.outlook.com 2025-03-17T05:50:42.952Z 08DD650169F617E5]\r\n'
2025-03-17 01:47:12,795: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587) <-- b'530 5.7.57 Client not authenticated to send mail. [BLAPR03CA0030.namprd03.prod.outlook.com 2025-03-17T05:50:42.952Z 08DD650169F617E5]\r\n'
2025-03-17 01:47:12,795: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587) <-- [ Server disconnected ]
2025-03-17 01:47:12,796: SMTP (127.0.0.1:60791-{127.0.0.1:1587}-smtp-mail.outlook.com:587) --> [ Client disconnected ]

Here's my config:

[SMTP-1587]
documentation = *** note: this server will work for both Office 365 and personal Outlook/Hotmail accounts ***
server_address = smtp-mail.outlook.com
server_port = 587
server_starttls = True
local_address = 127.0.0.1

[john.doe@example.com]
documentation = *** note: this is an advanced O365 account example; in most cases you want the version above instead ***
token_url = https://login.microsoftonline.com/dsadsa-dsd-asdasdda-ddsadsada/oauth2/v2.0/token
oauth2_scope = https://outlook.office365.com/.default
oauth2_flow = client_credentials
client_id = a69dasdad5-................
client_secret = DSdsdsdaDSAD..............

[dmintz7]

Did you find a solution to this? I'm having the same issue

[simonrob]

Given the various errors that are being received in the logs posted here, this is an issue with the configuration of the OAuth client on the Azure/Entra side, rather than an issue with the proxy.

@depawlur re: username/password – there is not an option to skip the username/password – this is an essential part of the process. In the log where you do include the username and password, this is being handled by the proxy, and the OAuth token is being sent instead on your behalf (the line containing [[ Credentials removed from proxy log ]]). Microsoft's error message is confusing and not helpful here.

I'd recommend ensuring that SMTP AUTH is enabled, and looking at the response to the question @giuseppCl posted on the Azure community