O365/Fetchmail

Hi all

Have searched tons about Fetchmail/o365 but to no avail, we are migrating to Office 365 but still have the exchange on-premise for RT to work. Just want to get out the question, has anyone here managed to IMAP a Shared Mailbox in O365 into RT? Also read this but no solution: Fetchmail + Office 365 Configuration + RT – I Can't Remember Anything

poll serverdomainname.here
protocol IMAP
auth password
user "local.domain\user-credentials\shared-mailboxname"
pass "secretpassword"
mda "/usr/bin/rt-mailgate --queue Testqueue --action correspond --url http://rt.domainname" keep

Error: Authorization failure.

I have also tried to use SSL but fetchmail debug gives the same error, even when trying to IMAP the user's mailbox. We have a consultant doing this migration for us to O365, but not even they have managed to get around this issue. In my fetchmailconf file I have 15 working boxes that I'm polling, but only o365 is not working.

fetchmail: outlook.office365.com key fingerprint: 3A:A4:58:42:56:CD:BD:11:19:5B:CF:1E:85:16:8E:4D
fetchmail: outlook.office365.com fingerprints match.
fetchmail: IMAP< * OK The Microsoft Exchange IMAP4 service is ready. [SABFADEAUABSADAANgBDAEEAMAAwADcANgAuAGUAdQByAHAAcgBkADAANgAuAHAAcgBvAGQALgBvAHUAdABsAG8AbwBrAC4AYwBvAG0A]
fetchmail: IMAP> A0001 CAPABILITY
fetchmail: IMAP< * CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS MOVE ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+
fetchmail: IMAP< A0001 OK CAPABILITY completed.
fetchmail: Protocol identified as IMAP4 rev 1
fetchmail: GSSAPI error gss_inquire_cred: Unspecified GSS failure. Minor code may provide more information
fetchmail: GSSAPI error gss_inquire_cred: No Kerberos credentials available
fetchmail: No suitable GSSAPI credentials found. Skipping GSSAPI authentication.
fetchmail: If you want to use GSSAPI, you need credentials first, possibly from kinit.
fetchmail: IMAP> A0002 LOGIN “local.domain\user-credential” *
fetchmail: IMAP< A0002 NO LOGIN failed.
fetchmail: Authorization failure on local.domain\user-credential@outlook-emeawest.office365.com
fetchmail: For help, see The Fetchmail FAQ
fetchmail: IMAP> A0003 LOGOUT
fetchmail: IMAP< * BYE Microsoft Exchange Server 2016 IMAP4 server signing off.
fetchmail: IMAP< A0003 OK LOGOUT completed.
fetchmail: 6.3.26 querying outlook.office365.com (protocol IMAP) at Mon 26 Sep 2016 03:13:44 PM CEST: poll completed
Merged UID list from outlook.office365.com:

Thankful for any input on this, will post solution when found.

Found the solution to this after some head scratching, StartTLS is required towards o365, contrary to the information we got before migrating.

poll outlook.office365.com
protocol IMAP
user "email.forauthorization@yourdomain.now/Sharedmailboxname"
pass "password"
ssl
mda "/usr/bin/rt-mailgate --queue Youqueue --action correspond --url http://rt.domain" keep

Above works for me!

JOEL BERGMARK
Thirdline support
joel.bergmark@t3.se | www.t3.se

From: rt-users [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Joel Bergmark
Sent: 26 September 2016 15:29
To: rt-users@lists.bestpractical.com
Subject: [rt-users] O365/Fetchmail


Hi @Joel_Bergmark

Do you still have your Exchange configuration file for Fetchmail? If so, are you able to share?

I’m in the process of creating my RT5 installation/configuration and our e-mail is managed on a hybrid Exchange On-Prem and On-Cloud (O365).

Kind regards,

Hi there,

We’ve recently released a utility, App-wsgetmail, that will fetch mail from Office 365 and route it into RT. You can read more about it on our blog.

Let us know how it works for you!
Jason

Hi,

we have managed to get wsgetmail working with global_access: 0 (username and password).

But not with global_access: 1 (username and secret key) – has anyone?

Although we have followed the instructions how to configure it in Azure (API permissions etc.), we still get 401 Unauthorized error.

fetching mail using configuration /home/rt/App-wsgetmail/wsgetmail_Testi2.json
making GET request to url https://graph.microsoft.com/v1.0/users/xxxxx@multicom.fi/mailFolders at /usr/local/share/perl5/App/wsgetmail/MS365/Client.pm line 222.
getting system access token at /usr/local/share/perl5/App/wsgetmail/MS365/Client.pm line 288.
failed to fetch folder detail 401 Unauthorized at /usr/local/share/perl5/App/wsgetmail/MS365.pm line 340.
unable to fetch messages, can’t find folder Inbox at /usr/local/share/perl5/App/wsgetmail/MS365.pm line 386.
processed 0 messages

BR,
Olli


Did it work for you? I was looking for it.

No, we have not found a solution how to get it working with secret key.
Keys are ok, we can see a successful login in Azure portal.
So the problem has something to do with permission handling between wsgetmail/Azure.

@Olvi what keys did you use to work with user and password? I already tested with client and tenant id and it didn't work… I get bad request with tenant id, and with tenant and client id I get unauthorized client. The user and password are ok.

{
"global_access": 0,
"username": "user@email.com",
"user_password": "password",
"folder": "Inbox",
"command": "/opt/rt5/bin/rt-mailgate",
"command_args": "--url=https://rtir.domain.local/ --queue='General' --action=correspond",
"action_on_fetched": "mark_as_read",
tenant_id": "tenant_id"
}

any advice?

thanks,
Tiago

Hi Tiago,

you need to use both client_id and tenant_id.

Another problem with your json-file is the missing quotation mark at the beginning of tenant_id -key.

BR,
Olvi
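
The faults pointed out in this reply, plus the credential each global_access mode needs, can be caught before wsgetmail runs. This is an added example, not code from the thread or from App-wsgetmail; the function name is hypothetical, the key `secret` for the client secret is an assumption, and the sample configs are constructed.

```python
import json

# Keys taken from the configs posted in this thread. "secret" (the key that
# holds the client secret when global_access is 1) is an assumption here.
REQUIRED = ("client_id", "tenant_id", "username", "folder", "command")
TYPOGRAPHIC = {"\u201c": "curly quote", "\u201d": "curly quote",
               "\u2018": "curly quote", "\u2019": "curly quote",
               "\u2013": "en dash"}

def lint_wsgetmail_config(text):
    """Return a list of problems found in a wsgetmail JSON config string."""
    problems = []
    # Web pages and word processors replace " and -- with typographic
    # characters, which break both the JSON and the command arguments.
    for lineno, line in enumerate(text.splitlines(), 1):
        for name in sorted({TYPOGRAPHIC[c] for c in line if c in TYPOGRAPHIC}):
            problems.append(f"line {lineno}: {name}")
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        problems.append(f"line {exc.lineno}: invalid JSON: {exc.msg}")
        return problems
    problems += [f"missing key: {k}" for k in REQUIRED if not cfg.get(k)]
    # global_access selects the credential: 1 = client secret, 0 = password.
    mode = 1 if cfg.get("global_access") else 0
    credential = "secret" if mode else "user_password"
    if not cfg.get(credential):
        problems.append(f"global_access {mode} needs {credential}")
    return problems

# Constructed samples. BROKEN reproduces the missing quotation mark.
BROKEN = """{
"global_access": 0,
"username": "user@example.com",
"user_password": "placeholder",
"folder": "Inbox",
"command": "/opt/rt5/bin/rt-mailgate",
tenant_id": "00000000-0000-0000-0000-000000000000"
}"""
NO_SECRET = json.dumps({
    "global_access": 1, "username": "user@example.com", "folder": "Inbox",
    "client_id": "11111111-1111-1111-1111-111111111111",
    "tenant_id": "00000000-0000-0000-0000-000000000000",
    "command": "/opt/rt5/bin/rt-mailgate"})

if __name__ == "__main__":
    for sample in (BROKEN, NO_SECRET):
        print(lint_wsgetmail_config(sample))
```

Because parsing stops at the first syntax error, a file like BROKEN has to be fixed and linted again before the missing client_id is reported.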

Make sure your AAD API permissions are set up properly. Delegated permissions are for use with a signed in user; the Application permissions are for use when not utilizing a signed in user.

The Application permission list doesn’t have the exact same options as in the official documentation for the wsgetmail app (those appear to be for use when authenticating as a user). That got me past the 401 Unauthorized error, but now I’m dealing with some additional “bad request” errors that may or may not be related.
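
One way to see which kind of permission an access token actually carries, as an added example that is not from the thread or from wsgetmail: the Microsoft identity platform puts application permissions in the token's `roles` claim and delegated ones in `scp`. The function names are hypothetical and the sample tokens are constructed and unsigned.

```python
import base64
import json

MAIL_READ = {"Mail.Read", "Mail.ReadWrite"}  # permissions named in this thread

def token_claims(jwt):
    """Decode a JWT payload without verifying the signature (diagnostics only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def describe_graph_token(jwt):
    """Report whether a token is delegated or app-only and what it grants."""
    claims = token_claims(jwt)
    if "scp" in claims:                    # delegated: space-separated scopes
        kind, granted = "delegated", set(claims["scp"].split())
    else:                                  # app-only: list of application roles
        kind, granted = "app-only", set(claims.get("roles", []))
    return {"kind": kind, "granted": sorted(granted),
            "can_read_mail": bool(granted & MAIL_READ)}

def make_sample_token(claims):
    """Build an unsigned, constructed token for the demonstration below."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join((enc({"alg": "none"}), enc(claims), "constructed"))

# Constructed samples: a token obtained with a client secret by an app that
# has only delegated permissions carries no roles; one obtained after
# application permissions were added and consented carries them.
NO_ROLES = make_sample_token({"aud": "https://graph.microsoft.com"})
WITH_ROLES = make_sample_token({"aud": "https://graph.microsoft.com",
                                "roles": ["Mail.Read", "Mail.ReadBasic.All"]})
USER = make_sample_token({"aud": "https://graph.microsoft.com",
                          "scp": "Mail.Read User.Read"})

if __name__ == "__main__":
    for tok in (NO_ROLES, WITH_ROLES, USER):
        print(describe_graph_token(tok))
```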

Hi,
thanks for the hint.
We got it working with global_access: 1 (username and secret key) using Application permissions

  • Mail.Read
  • Mail.ReadBasic
  • Mail.ReadBasic.All
  • Mail.ReadWrite

BR,
Olvi

Hello @Olvi ,

Could you let me know if we need to grant the admin consent after adding the permission you mentioned?

Thank you.

Hi Sathish,

yes, you need to grant admin consent.

Sorry for the late answer, I was on my summer holiday.

BR,
Olvi

Hi Olvi,
Where did you consent the application?

In my case, it says it doesn’t need an administrator consent.

Hi Tiago,

I’m not quite sure if I understand your question right…
Do you mean that your environment works ok without granting consents?

I did it through Microsoft APIs - Microsoft Graph - Application permissions as shown in screenshot attached.

BR,
Olvi

Any writeup on how to configure this wsgetmail? Unfortunately Fetchmail failed on us today: Auth Failure, which I suspect is to do with Microsoft disabling Basic Auth.

Fetchmail failed on us recently too. Going through the same headache getting wsgetmail to work. Our Azure administrator is concerned that granting app permissions of Mail.Read* will allow wsgetmail to pull mail from any mailbox. I don’t know enough yet to tell them otherwise, but it’s a concern. If anyone can chime in on this, I’d sure appreciate it!

@mwicarly If you have access to your Azure AD portal, and have permissions it seems easy enough. Register an app, add the API permissions, copy down the tenant ID, client ID, and generate the secret value. Put it in your wsgetmail.json file that you create.

I got it working and have a fetch action to “mark_as_read”, however it’s not always marking something as read – thus retrieves it again and creates a duplicate. Did you have any issues with this? I guess I’ll see if --debug option provides more info.

"folder": "Inbox",
"command": "/opt/rt4/bin/rt-mailgate",
"command_args": "--url=https://rt-website.com/ --queue=Support --action=correspond",
"action_on_fetched": "mark_as_read"
}

Disregard, the “mark_as_read” appears to be working now. However, I am still worried about retrieving more than just the intended mailbox. Anyone know the solution for locking this down more on the Azure AD side?

Try utilizing this: Limiting application permissions to specific Exchange Online mailboxes - Microsoft Graph | Microsoft Learn
