Osticket: Microsoft is retiring basic auth for POP & IMAP

Created on 2 Mar 2020 · 15 Comments · Source: osTicket/osTicket

Hi.

On October 13, 2020, Microsoft will retire Basic Authentication for EWS, EAS, IMAP, POP and RPS to access Exchange Online.

From that date, all systems polling e-mail from O365 (Exchange Online) will have to support OAuth 2.0 (Modern Authentication).

Read more here:
https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-auth-and-exchange-online-february-2020-update/ba-p/1191282

Is osTicket ready for this change?

All 15 comments

This has been reported multiple times on the forums and the devs are aware of the deadline.

If you want to work around this, one option is to set up a service like SendGrid to handle your emails. One of the platform capabilities is for SendGrid to call a webhook when an email message is received. We set this up to point to an Azure Function (or AWS Lambda if you prefer) which calls the osTicket API to create a ticket.

It's been extremely robust for us, and obviously there's no polling involved. Plus you get to do some smart filtering, logging, and categorisation in the Function/Lambda before you pass everything on to osTicket.

You will need to make a minor mod to osTicket code: off the top of my head, you need to make it respect the X-Forwarded-For header and make your Function/Lambda set this to an IP address that the osTicket API is configured to accept. Other than that, I think you're peachy.

Are there plans to have this ready by October? We are looking for a new helpdesk solution and while we are willing to put in some effort having no email support will be hard to sell to the boss.

@ds6

Both Microsoft and Google have delayed the cutoff for legacy auth until further notice. It was supposed to happen in October but COVID-19 has delayed this. With this being said we are currently working on OAuth2.0 support for IMAP/POP and SMTP. We hope to have it completed before the cutoff so stay tuned.

Cheers.

@JediKev Thank you for the update. However I have not seen any recent Message Center notifications from Microsoft pushing the date back any further than October of this year. Maybe (hopefully) you know something I don't?

One of the reasons we might end up switching to osTicket is due to 1) lack of funds this fiscal cycle; 2) our current solution uses TLS 1.0 for email; and 3) it also uses Basic auth—osTicket solves the first two and hopefully will solve the third.

Since I have your attention might I put https://github.com/osTicket/osTicket-plugins/issues/29 in your head? We also experience this issue in our environment, though it's easy enough of a fix that I will take care of it in a fork.

@ds6

There are many articles online that explain the Legacy Auth extension. Below is a good read:

Cheers.

@JediKev MC208814 was updated on April 6th to explain the changes. Instead of disabling Basic authentication in October, it will be automatically disabled for tenants that have no history of its use. They have pushed it back until the second half of 2021. Associated blog post.
I somehow missed this, thank you for notifying me.

Hi, What's the status on this?

@melville876

Still in progress. If you see no update here and no pull request then assume it's still in progress.

Cheers.

@JediKev Thanks, I would like to support the dev team by donation, is this possible?

@JediKev I am also interested in status updates for this as my email provider is attempting to impose basic auth retirement deadlines earlier than the ones published by Microsoft. If there were a way to provide support (money, dev time, testing, etc) towards this particular feature I'd be interested.

@zaphoyd

For status updates just subscribe to this thread. You should then receive emails when new updates are made to this thread.

Cheers.

Hello all. I work for an organization that had to switch to the "Modern Authentication" flow for our AAD. As a workaround for keeping a small osTicket instance happy, I've found a workaround to share with you all. At least until proper OAuth flow is implemented in osTicket!

The workaround uses the tool davmail, a gateway to expose IMAP (et al.) while handling the communication with Exchange.

This is briefly my setup, on an Amazon EC2 instance running the Amazon Linux AMI (v1):

  • Via Azure, create a new single-tenant application for davmail. Use the native client URL as the redirect URI. (Note the Client ID).
  • Create settings file for server setup

    • Add settings for the three davmail.oauth values as specified in the FAQ, as well as using the standard EWS endpoint.

    • Set davmail.mode to O365Modern

  • Back in the Azure application, edit the Manifest to add the resource access scopes specified in the FAQ. (requiredResourceAccess already exists, just need to add the two JSON objects to it.)
  • Under API permissions, grant admin consent for the tenant.
  • Under Authentication, enable Allow public client flows, and save those changes.

Then, after starting davmail, point osTicket's email to use IMAP via the machine running davmail with the port you configured. (So for my case, just localhost and port 1143. I'm also using IMAP without SSL, as it's just local to this one machine.)

Assuming you've got it all configured right, you should have successfully built a bridge between osTicket and Exchange that can be used while using Modern Authentication. Tiresome to be sure, but at least it's happy until osTicket supports OAuth mainline!

Good luck!
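
A settings file matching the setup described in the comment above, as an added example that is not part of the original comment or of DavMail's own documentation. The client and tenant IDs are placeholders, the three `davmail.oauth` keys are assumed to be `clientId`, `tenantId` and `redirectUri`, and the loopback bind is an assumption that fits the single-machine, no-SSL IMAP arrangement the comment describes.

```properties
# Constructed example of a davmail.properties for the headless setup above.
# Values in <angle brackets> are placeholders; take the real ones from the
# Azure app registration.

# Run as a server, without the tray GUI
davmail.server=true

# OAuth 2.0 (Modern Authentication) against the standard Exchange Online EWS endpoint
davmail.mode=O365Modern
davmail.url=https://outlook.office365.com/EWS/Exchange.asmx

# App registration values (assumed to be the three davmail.oauth keys the FAQ refers to)
davmail.oauth.clientId=<application-client-id>
davmail.oauth.tenantId=<directory-tenant-id>
# Native client redirect URI chosen when creating the application
davmail.oauth.redirectUri=https://login.microsoftonline.com/common/oauth2/nativeclient

# IMAP listener that osTicket polls (localhost:1143 in the comment)
davmail.imapPort=1143

# The IMAP hop carries the mailbox password in cleartext, so expose it on
# loopback only; plaintext is acceptable only while osTicket runs on this host
davmail.bindAddress=127.0.0.1
davmail.allowRemote=false
```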

@nitz Thank you for the information! We may have to end up doing this in the near future, so I will report back if we do and whether or not it works for us as well. I am thankful there is a compatibility layer available for this.

@nitz Thank you for posting your workaround, I'll try this and post updates here.
