💾 Archived View for rawtext.club › ~jmq › recycled › mutt+o365.gmi captured on 2023-01-29 at 04:16:24. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
By Fall 2019, Montgomery College had transitioned all its faculty and staff to the use of two-factor authentication (2FA). Access to any services using the MyMC login page, including Office365 and Blackboard, would hinge on the user being able to authenticate their identity by possession of a "second factor" (e.g. a land line, an SMS-capable phone, the smartphone app Duo, or a fob/token). At the time, 2FA had been available as an opt-in security measure for several years already, but Fall 2019 marked the first semester when faculty and staff were required to use it.
Three years before the mandatory 2FA adoption, the IT department rolled out Office365. If an employee had *not opted in* to 2FA during those three years, users could easily connect their preferred email software (e.g., pine, mutt, Thunderbird, or Apple Mail) to the Exchange web server, without needing to go through the hoops of configuring what Microsoft calls "modern authentication."
First answer: RSI. Navigating a busy inbox by mouse all day can be more damaging to one's forearm and wrists than the equivalent navigation task with keyboard alone. Even though desktop Outlook might have good support for keyboard navigation, that support does not survive the transition from desktop software to web app, if the browser decides to intercept keyboard input before the Outlook web app can see it.
The Outlook web interface is touted as the fallback option that's always available, even on operating systems with no native Outlook desktop client. Unfortunately, even with a cooperating browser, navigating the Outlook web interface by keyboard is clunkier and less well-documented than the analogous navigation in a native desktop client.
This write-up is therefore targeted at any users suffering from repetitive stress injury (RSI) who would like to reap the benefits of a *keyboard-centric email workflow* even on platforms where no desktop version of Outlook is available. Disentangling one's inbox from the Exchange web server also gives the user access to more featureful programming languages for *mail processing* and *database indexing*, allowing quick lookup of faculty-student correspondence when the student comes back years later asking for a recommendation letter.
In the wake of the 2FA rollout, users who preferred keyboard-centric email applications might have availed themselves of the auto-forwarding rules in Outlook. Using such rules, incoming email could be redirected to a server that still allowed clients to connect by the legacy protocols POP3 or IMAP. For example, faculty who also teach at UMD College Park have a umd.edu address hosted on Gmail, and with app-passwords Gmail can be configured to allow IMAP and SMTP connections from older clients. (The Microsoft server that hosts MC email could have been configured similarly to let users create app-passwords for legacy clients, but MC's hosting agreement with Microsoft opted to keep this feature disabled.)
A recent audit by IT security found instances of auto-forwarding rules still in effect, and the department issued a warning that auto-forwarding emails outside the montgomerycollege.edu domain might violate student privacy. Their recommended solutions mention only Outlook (presumably the desktop version), "the Office 365 web portal, or the Outlook mobile app." Users who have neither a desktop version of Outlook for their preferred platform (e.g., FreeBSD, Linux, or OpenBSD), nor the desire to run a Windows virtual machine just to access email, are unhelpfully given no option for avoiding the RSI-inducing Office 365 web portal.
On the web it's easy to get lost in a sea of outdated information, since old HOWTOs persist for decades and keep showing up in search results. Thankfully a judicious choice of search words led to the page
This blog post revealed that recent versions of the Davmail gateway now have the necessary support for 2FA. There was brief window of time between the rollout of 2FA at Montgomery College, and the update of Davmail to support modern authentication, when it was just easier to use the deprecated solution of auto-forwarding if you wanted a keyboard-centric email workflow. Now that auto-forwarding is prohibited by IT Security, it could not come as more welcome news that Microsoft is amenable to treating the oauth-capable Davmail on an equal footing with its own oauth-capable Outlook.
Davmail runs in a Java virtual machine, so the user can install it on almost any platform. Once running, it opens two ports on the local machine: one for IMAP connections (incoming mail), one for SMTP connections (outgoing mail). Data transfer on these ports does not travel across the network and hence has no need for encryption. The secure connections are initiated by Davmail when it translates local IMAP or SMTP requests into protocols understood by the Exchange web server. The bare minimum configuration of Davmail includes these lines:
davmail.mode=O365Manual davmail.url=https://outlook.office365.com/EWS/Exchange.asmx
The first time Davmail attempts to access the Exchange web server, you will have to enter your credentials on the MyMC login page, and then approve the login using whatever device you selected for 2FA. Then you have to submit a request to the email hosting provider Microsoft, asking that Davmail be granted access to your mailbox on an equal footing as less-obscure oauth-capable clients. During normal business days, Microsoft might approve your request in as little as an hour. The approval will come from `azure-noreply@microsoft.com` with a subject line like "Request for access to Davmail approved."
The interface for configuring Davmail lets you select any available local ports for IMAP or SMTP connections. Take note of which ports you select, and then configure your mail clients appropriately. (Because connection to these ports is not encrypted, it's a good idea to have your firewall drop any network connections that attempt to access these ports.) Here is a sample config for `getmail` (retrieving mail), which makes use of the mail filtering program `maildrop` and the password-management program `password-store`.
[destination] type=MDA_external path=/usr/bin/maildrop # arguments=() [options] delete=true [retriever] type=SimpleIMAPRetriever server=localhost username=flast@montgomerycollege.edu password_command=("pass","Email/outlook") port=1143
Here is a sample config for `msmtp` (sending mail), again using password-store to look up the password.
# Outlook account outlook host localhost port 1025 protocol smtp from First.Last@montgomerycollege.edu user flast@montgomerycollege.edu auth login tls off tls_starttls off passwordeval pass Email/outlook # Set a default account account default : outlook
Finally, tell your preferred mail user agent (MUA) to:
Details will vary depending on the MUA. With `mutt` the config file might include:
set sendmail="/usr/bin/msmtp" set sendmail_wait="0" set use_from=yes mailboxes \ =atpa \ =bulk \ =inbox \ =sent \ =teaching \ =union
which represents the situation where `maildrop` sorts your incoming messages into folders called atpa, bulk, inbox, sent, teaching, and union. Constructing the mailfilter recipes that perform this sorting is outside the scope of this tutorial, but thankfully the syntax is much easier to learn than that of `procmail` (no longer in active development and probably full of security holes).
In this tutorial you have seen that the freedom to choose a different email workflow is still available, thanks to software innovations that came out after MC put together its official FAQ on two-factor authentication. You now have an alternative to the unsanctioned workaround of forwarding to an external domain, if the prospect of having to surrender your mailbox management to the inefficient web version of Outlook was giving you reason to seek out a workplace more supportive of software/platform choice.