Microsoft Graph mail driver #5194

Open
2 tasks done
mschoon85 opened this issue Sep 6, 2024 · 3 comments
Comments

@mschoon85

Attempted Debugging

  • I have read the debugging page

Searched GitHub Issues

  • I have searched GitHub for the issue.

Describe the Scenario

Hi @ssddanbrown,

In a previous ticket, it was mentioned that Windows Server with Apache may not be suitable for production. Consequently, I began setting up an Ubuntu server with Docker. Currently, I encounter issues when saving a new page or editing an existing one. The log files indicate SMTP connection errors, which makes sense as the new server lacks access to our internal SMTP server. In attempting to resolve this, I'm considering the possibility of using MS Graph for mailing. Could this be configured with the settings in the .env file, as shown below?

MAIL_DRIVER=msgraph
MAIL_MS_GRAPH_CLIENT_ID=your-application-client-id
MAIL_MS_GRAPH_TENANT_ID=your-tenant-id
MAIL_MS_GRAPH_CLIENT_SECRET=your-client-secret
MAIL_MS_GRAPH_FROM_ADDRESS=[email protected]
MAIL_MS_GRAPH_FROM_NAME=BookStack

Kind regards,

Michel

Exact BookStack Version

24.05.3

Log Content

[2024-09-06 12:05:32] production.ERROR: Connection could not be established with host "xxx:25": stream_socket_client(): php_network_getaddresses: getaddrinfo for smtp.xxx failed: Name does not resolve {"userId":54,"exception":"[object] (Symfony\Component\Mailer\Exception\TransportException(code: 0): Connection could not be established with host "smtp.xxx:25": stream_socket_client(): php_network_getaddresses: getaddrinfo for smtp.xxx failed: Name does not resolve at /app/www/vendor/ssddanbrown/symfony-mailer/Transport/Smtp/Stream/SocketStream.php:154)

Hosting Environment

Ubuntu 24.04 with docker

@ssddanbrown
Member

Hi @mschoon85,
I'm not keen on supporting vendor-specific drivers/options for mailing, as I'd prefer to keep to open standards where possible to avoid the maintenance burden of supporting/documenting/maintaining vendor specific options.

@mschoon85
Author

mschoon85 commented Sep 10, 2024

Hi @ssddanbrown,

Thank you for your quick response. I completely understand your perspective on avoiding vendor-specific solutions and adhering to open standards to reduce maintenance and dependencies. However, given the upcoming changes regarding Basic Authentication (Basic Auth), I’d like to explain why I’m considering using MS Graph with OAuth2.

Difference between Basic Auth and OAuth:

1. Basic Authentication (Basic Auth):

  • How it works: A username and password are sent directly to the server in plain text (though encrypted via SSL/TLS).
  • Risks: Vulnerable to phishing, man-in-the-middle attacks, and brute-force attempts because credentials are exchanged directly.
  • Example in my current setup:
    MAIL_HOST=smtp.myserver.lan
    MAIL_PORT=25
    MAIL_VERIFY_SSL=false

2. OAuth (Open Authorization):

  • How it works: OAuth uses access tokens instead of login credentials. These tokens expire after a set time and have limited permissions.
  • Benefits: Much more secure than Basic Auth. Less vulnerable to credential theft since no login credentials are directly exchanged.
  • Application to my scenario: Migrating to Exchange Online would require OAuth configuration keys like Client ID, Client Secret, and tokens.

Microsoft’s Phase-out of Basic Auth:

Microsoft has announced that Basic Authentication for SMTP will be completely phased out by September 2025. After this point, only OAuth will be supported for SMTP AUTH in Exchange Online. This change is essential for reducing security risks. For more details, please refer to: https://ourcloudnetwork.com/prepare-for-exchange-online-basic-auth-permanent-retirement and https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-online-to-retire-basic-auth-for-client-submission-smtp/ba-p/4114750

Proposal:

While I understand the desire to avoid vendor-specific solutions, I believe that supporting OAuth2 would be a broadly applicable and future-proof solution. OAuth2 is widely used by many cloud providers and offers a modern, secure method for authentication.

I’m open to your suggestions on how we can address these challenges while staying aligned with open standards.

Best regards,
Michel
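The Basic Auth versus OAuth2 contrast in the comment above, shown at the SMTP AUTH level as an added example (not BookStack code and not a proposed driver): SASL PLAIN carries the password itself inside the AUTH command, whereas SASL XOAUTH2, the mechanism Exchange Online and Gmail use for OAuth2 SMTP AUTH, carries a short-lived bearer token. The mailbox address and token are constructed sample values.

```python
import base64
import smtplib


def auth_plain_response(username: str, password: str) -> str:
    """SASL PLAIN initial response (RFC 4616): NUL user NUL password, base64.
    The long-lived password travels in the AUTH command, protected only by TLS."""
    raw = b"\x00" + username.encode() + b"\x00" + password.encode()
    return base64.b64encode(raw).decode()


def xoauth2_response(username: str, access_token: str) -> str:
    """SASL XOAUTH2 initial response: 'user=<addr>^Aauth=Bearer <token>^A^A', base64.
    Only the expiring, scope-limited token is sent; the account password never is."""
    raw = f"user={username}\x01auth=Bearer {access_token}\x01\x01".encode()
    return base64.b64encode(raw).decode()


def decode_xoauth2(response: str) -> dict:
    """Decode an XOAUTH2 response into its fields, i.e. what the server sees."""
    raw = base64.b64decode(response).decode()
    return dict(part.split("=", 1) for part in raw.split("\x01") if part)


def send_with_xoauth2(host: str, port: int, username: str, access_token: str,
                      sender: str, recipient: str, message: str) -> None:
    """Submit a message over STARTTLS using XOAUTH2 (hypothetical helper).
    smtplib.auth() base64-encodes what the callback returns, so hand it the raw
    string rather than xoauth2_response()."""
    raw = f"user={username}\x01auth=Bearer {access_token}\x01\x01"
    with smtplib.SMTP(host, port) as server:
        server.starttls()
        server.auth("XOAUTH2", lambda challenge=None: raw, initial_response_ok=True)
        server.sendmail(sender, recipient, message)


if __name__ == "__main__":
    # Constructed sample credentials; the token is a placeholder, not a real JWT.
    user = "bookstack@example.com"
    print("AUTH PLAIN  ", auth_plain_response(user, "hunter2"))
    print("AUTH XOAUTH2", xoauth2_response(user, "eyJ.constructed-token"))
    print(decode_xoauth2(xoauth2_response(user, "eyJ.constructed-token")))
```

The decoded XOAUTH2 fields show why the comment's claim holds: the server receives a Bearer token it validates against the identity provider, and revoking or expiring that token does not expose a reusable password.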

@ssddanbrown
Member

Microsoft has announced that Basic Authentication for SMTP will be completely phased out by September 2025. [...] This change is essential for reducing security risks.

But they will still provide other mail-specific services that will support standard SMTP auth.

While I understand the desire to avoid vendor-specific solutions, I believe that supporting OAuth2 would be a broadly applicable and future-proof solution. OAuth2 is widely used by many cloud providers and offers a modern, secure method for authentication.

But OAuth2, from what I've seen so far, has vendor specific quirks that often require vendor specific implementation, maintenance and testing. If multiple vendors have jumped into a strong non-service-specific implementation (like OIDC is to OAuth for authentication) I'd be happy to get into that.
Otherwise, it's kinda frustrating to have to bend to the will of a massive entity like Microsoft at our cost, instead of working to vendor agnostic standards.
