Update: On September 1, 2022, Microsoft updated their published schedule for deactivating Basic Authentication on cloud hosted email. Starting October 1, they will start randomly disabling authentication for Exchange Online. If you are running a service that uses Basic Auth to load email for RT, read on for options. See also this blog post with updated options.
As far back as September 2019, Microsoft began posting notifications that they planned to discontinue support for Basic Authentication for Office 365. A post in September 2021 set the date for them to begin disabling at October 2022. Even though it has been pushed out a few times, it is definitely time to have a plan to make updates if you rely on Basic Authentication to fetch email automatically on a server.
For RT users with email integrated with Office 365, this may mean that the existing email integration will no longer work. We are happy to announce that we have released a new utility called App-wsgetmail that will help replace some of the previous integrations.
There are two main approaches for integrating email with RT from Microsoft Exchange and Office 365: pushing email to RT or pulling email in from the RT server. The first approach involves setting up rules to forward or relay incoming email on selected addresses (like support@example.com) from the main MS mail server to the RT server. The RT server runs an MTA like postfix to receive the email and pipe it into RT. These configurations should continue to work without issue.
As organizations migrated from on-premise Exchange servers to Office 365, many moved away from the relay approach, either because the configuration was more difficult in Office 365 or because it was harder to lock down incoming email to the RT server once the MS email server was in the cloud. Organizations running RT often migrated to the second approach.
The second approach, pulling in email, is usually implemented with utilities like fetchmail and getmail, which act just like an email client by logging in and downloading email, but run automatically on the server. These utilities typically use Basic Authentication, which is the service MS is discontinuing. The challenge with converting automated utilities like these to the new alternatives like OAuth2 is that the new methods rely on prompting a user for a password. With an automated system, no one is there to respond to the prompts to set up the session.
To solve this challenge, we have released App-wsgetmail as an alternative that can use tokens to authenticate to the new MS Office 365 services and pull in mail. We created this primarily to route email into RT, so it currently only downloads email. You can then pipe the email to RT, similar to existing utilities. Allowing accounts to login in this way requires configuration on the MS Office 365 side and we have included documentation for this setup. We have found that there are several ways to enable authentication for MS services, so it's likely the current version doesn't yet cover all scenarios.
The utility doesn’t have anything specific to RT, so it can be used for any scenario that requires fetching email automatically on a server. For RT, you’ll use the “command” and “command-args” options to pipe each email into RT using rt-mailgate. This is very similar to the configuration you may have used with fetchmail or getmail.
We're very thankful to sponsors who made this new utility possible. You can provide feedback on our forum or submit bug reports via rt.cpan.org. Note that bug submissions are public, so please do not include anything that shouldn't be publicly seen (like login details, phone numbers, etc.). For professional assistance, you can also contact us at sales@bestpractical.com.