Mailer Error - Unable to email via SMTP

bbop

Hello, I have successfully setup OAuth2 on my recently upgraded osTicket v1.17.2
When I send a test email using the account on the Emails > Diagnostic page, I get the message "Test email sent successfully to <address>"
However, I check the System Logs and see Mailer Error, with this message:

Unable to email via SMTP: <email address here> (tls://smtp.office365.com:587/SMTP) 5.7.139 Authentication unsuccessful, SmtpClientAuthentication is disabled for the Mailbox. Visit https://aka.ms/smtp_auth_disabled for more information.

I have verified that SmtpClientAuthentication is in fact ENABLED for my tenant, as well as the mailbox.

so what gives?

KevinTheJedi

bbop

Is the email it's sending from the one you got the token with? If so, then you'd need to contact your O365 admin or email provider as the error states that SmtpClientAuthentication is disabled. This comes directly from MS so either you're using the wrong account to get the token or you truly have it disabled.

Cheers.

bbop

KevinTheJedi

No, I obtained the token with my admin email (bbop@corp.com). The email it is trying to send from (helpdesk@corp.com) does not have admin permissions.
When I try to obtain the token with the helpdesk@corp.com, I get this message:

After submitting the request for approval I see:

If I click "back to app," it does not redirect me back to the osTicket URL (osticket.mysite.com/api/auth/oauth2), but to osticket.mysite.com

I also cannot seem to invalidate the token obtained with my personal email address in order to try again.

Edit:
So, I changed this setting in Azure AD to "allow user consent for apps" in order to disable the approval prompt...

but now after authenticating it is just redirecting me back to osticket.mysite.com:

bbop

KevinTheJedi
Ok, I have somehow obtained the token with the same account, now that I enabled "allow user consent for apps"
However, I do want to switch this back, and make sure only admins can approve 3rd party app access for our tenant. If I do so, will osTicket have trouble updating its access token?

KevinTheJedi

bbop

That’s your issue. For now you must consent as the email itself. In the next update we will allow authorization using admin/service account.

For this you can provide admin consent in the Registered Applications > click app > Permissions section and modify the plugin to remove the prompt=consent option. After that you should be good although I’d recommend doing it in an incognito window to avoid it using your admin login automatically.

Cheers.

bbop

KevinTheJedi

For this you can provide admin consent in the Registered Applications > click app > Permissions section and modify the plugin to remove the prompt=consent option. After that you should be good although I’d recommend doing it in an incognito window to avoid it using your admin login automatically.

Are these instructions for within Azure AD? I am not sure where you are referring to.

KevinTheJedi

bbop

More than likely but haven’t tested that specific scenario.

Cheers.

KevinTheJedi

bbop

Part of it is. The first part is within Azure Active Directory (in the Azure Portal). Go to Enterprise Applications (I misspoke earlier), click the app for osTicket, click Permissions, and click the button to grant admin consent. See more information here.

Once you provide admin consent the remaining change deals with the plugin itself. For this you will need to unpack the plugin (if you don’t know how there are guides online and earlier threads on this forum that explain it - and these instructions I'm explaining as well; a quick search can bring them up), remove (delete) the 'prompt' => 'consent' line almost all the way at the bottom of the /path/to/unpacked_plugin/oauth2.php file, login to the database, go to the plugin table, find the OAuth2 plugin record, set isphar to 0, update the install_path and remove the .phar from the value, and restart your webserver (and PHP-FPM if you’re running it).

Cheers.