Baisc Authentication Vs SMTP Authentication

Question

Hi Team,

We have few confusions on Basic Authentication Deprecation in Exchange Online – September 2022 Update

https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-deprecation-in-exchange-online-september/ba-p/3609437

In our Java application we are using SMTP(smtp.office365.com) to send emails where we are setting following parameters for authentication

                    props.put("mail.transport.protocol", "smtp");  

              

		props.put("mail.smtp.socketFactory.class", "javax.net.ssl.SSLSocketFactory");  

		Session session = Session.getInstance(props, new javax.mail.Authenticator() {  

			protected PasswordAuthentication getPasswordAuthentication() {  

				return new PasswordAuthentication(config.getUsername(), config.getPassword());  

			}  

		});  

I believe whatever we are doing through above setting is SMTP_AUTH. Please correct me if I am wrong.

If its SMTP AUTH(not basic auth), Will it going to get impact on Basic Authentication Deprecation by Microsoft?

Answer 1

SMTP Auth is just the protocol extension that allows a client to use Authentication when sending a message https://en.wikipedia.org/wiki/SMTP_Authentication (eg typically SMTP between two MTA's wouldn't use SMTP Auth as they are just transport messages between endpoint). How it relates to basic authentication is that basic authentication is one of the different authentication methods that is supported by SMTP Auth eg (PLAIN).

What Microsoft have done is by default disable SMTP Auth by default in a tenant because they don't want client applications sending email via SMTP eg client apps should be using the Graph, where that is not possible you can re-enable SMTP Auth in a Tenant https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/authenticated-client-smtp-submission. Previously SMTP Auth was enabled in all Tenants.

Basic Authentication is a different matter and for a different/related reason Microsoft are disabling the ability to use basic authentication across all protocols and API endpoints and this is something you won't be able to re-enable in the future because of the security issues around basic authenticaiton.

So if you need to use SMTP to send email you would use SMTP Auth (which you may need to re-enable in you tenant) and you need to use XOAUTH2 eg in Java https://javaee.github.io/javamail/OAuth2 to generate the access token look at the MSAL library https://github.com/AzureAD/microsoft-authentication-library-for-java

Answer 2

Hi @Hari S
Thank you for asking this question on the **Microsoft Q&A Platform. **

In this document I found:

SMTP AUTH will still be available when Basic authentication is permanently disabled on October 1, 2022. The reason SMTP will still be available is that many multi-function devices such as printers and scanners can't be updated to use modern authentication. However, we strongly encourage customers to move away from using Basic authentication with SMTP AUTH when possible.

Microsoft recommends Authenticate an IMAP, POP or SMTP connection using OAuth

Hope this helps,

----------

Accept Answer and Upvote, if any of the above helped, this thread can help others in the community looking for remediation for similar issues.
NOTE: To answer you as quickly as possible, please mention me in your reply.

Answer 3

Lets say you have the following types of authentication:

Password-based authentication.
Multi-factor authentication.
Certificate-based authentication.
Biometric authentication.
Token-based authentication.

If using you used the "Password-based authentication" this is considered basic authentication and will deprecated. If you are using SMTP_AUTH this just means you need you now need to pick another authentication type instead. Looks like the above code snippet is using basic authentication.