I needed to get DMARC aggregate reports out of an Office 365 mailbox and into Elastic. parsedmarc fetches the reports over IMAP, which raises the question: what do you do when the mailbox is on Office 365, MFA is enforced, and app passwords are disabled?
A program that solves this is DAVmail. It runs headless and bridges the two sides: plain IMAP towards the client, EWS with MFA (OAuth2) towards Office 365. I ran it in Docker.
This is my docker-compose file:

```yaml
version: '2.2'
services:
  davmail:
    container_name: "davmail"
    image: kran0/davmail-docker:latest
    ports:
      - 1143:1143
    volumes:
      - ./davmail/davmail.properties:/davmail/davmail.properties
      - /var/log/davmail365:/var/log/davmail
    restart: always
```

One thing to be aware of: a mapping of the form `1143:1143` publishes the port on every interface of the host, and the properties file below turns TLS off for the IMAP listener, so parsedmarc's IMAP login and the mail itself cross the wire in clear. If parsedmarc runs on the same host, publish the port on loopback only (prefix the mapping with the host's loopback address), or drop the `ports:` entry altogether and put parsedmarc on the same Docker network.
The `./davmail/davmail.properties` file starts out like this (note the duplicated log4j lines at the very end: in a properties file the last assignment wins, so DAVmail's own logger ends up at DEBUG). This lets you test the bridge with standard IMAP first, if you have an account without MFA to try it with.
```properties
# DavMail settings, see http://davmail.sourceforge.net/ for documentation
#############################################################
# Basic settings
# Server or workstation mode
davmail.server=true
# Exchange/Office 365 connection mode:
# - O365Modern Office 365 modern authentication (Oauth2)
# - O365Interactive Office 365 with interactive browser window, not available in headless mode (OpenJFX required)
# - O365Manual Office 365 with interactive dialog, not available in headless mode
# - O365 Office 365 EWS mode
# - EWS Exchange 2007 and later
# - WebDav Exchange 2007 and earlier WebDav mode
# - Auto WebDav mode with EWS failover
davmail.mode=EWS
# base Exchange OWA or EWS url
davmail.url=https://outlook.office365.com/EWS/Exchange.asmx
# Listener ports
#davmail.caldavPort=1080
davmail.imapPort=1143
#davmail.ldapPort=1389
#davmail.popPort=1110
#davmail.smtpPort=1025
#############################################################
# Network settings
# Network proxy settings
davmail.enableProxy=false
davmail.useSystemProxies=false
davmail.proxyHost=
davmail.proxyPort=
davmail.proxyUser=
davmail.proxyPassword=
# proxy exclude list
davmail.noProxyFor=
# allow remote connection to DavMail
davmail.allowRemote=true
# bind server sockets to a specific address
davmail.bindAddress=
# client connection timeout in seconds - default 300, 0 to disable
davmail.clientSoTimeout=
# DavMail listeners SSL configuration
davmail.ssl.keystoreType=
davmail.ssl.keystoreFile=
davmail.ssl.keystorePass=
davmail.ssl.keyPass=
# Accept specified certificate even if invalid according to trust store
davmail.server.certificate.hash=
# disable SSL for specified listeners
davmail.ssl.nosecurecaldav=false
davmail.ssl.nosecureimap=true
davmail.ssl.nosecureldap=false
davmail.ssl.nosecurepop=false
davmail.ssl.nosecuresmtp=false
# disable update check
davmail.disableUpdateCheck=true
# Send keepalive character during large folder and messages download
davmail.enableKeepAlive=true
# Message count limit on folder retrieval
davmail.folderSizeLimit=0
# Default windows domain for NTLM and basic authentication
davmail.defaultDomain=
#############################################################
# Caldav settings
# override default alarm sound
davmail.caldavAlarmSound=
# retrieve calendar events not older than 90 days
davmail.caldavPastDelay=90
# EWS only: enable server managed meeting notifications
davmail.caldavAutoSchedule=true
# WebDav only: force event update to trigger ActiveSync clients update
davmail.forceActiveSyncUpdate=false
#############################################################
# IMAP settings
# Delete messages immediately on IMAP STORE \Deleted flag
davmail.imapAutoExpunge=true
# Enable IDLE support, set polling delay in minutes
davmail.imapIdleDelay=
# Always reply to IMAP RFC822.SIZE requests with Exchange approximate message size for performance reasons
davmail.imapAlwaysApproxMsgSize=
#############################################################
# POP settings
# Delete messages on server after 30 days
davmail.keepDelay=30
# Delete messages in server sent folder after 90 days
davmail.sentKeepDelay=90
# Mark retrieved messages read on server
davmail.popMarkReadOnRetr=false
#############################################################
# SMTP settings
# let Exchange save a copy of sent messages in Sent folder
davmail.smtpSaveInSent=true
#############################################################
# Loggings settings
# log file path, leave empty for default path
davmail.logFilePath=/var/log/davmail.log
# maximum log file size, use Log4J syntax, set to 0 to use an external rotation mechanism, e.g. logrotate
davmail.logFileSize=1MB
# log levels
log4j.logger.davmail=WARN
log4j.logger.httpclient.wire=WARN
log4j.logger.org.apache.commons.httpclient=WARN
log4j.rootLogger=WARN
#############################################################
# Workstation only settings
# smartcard access settings
davmail.ssl.pkcs11Config=
davmail.ssl.pkcs11Library=
# SSL settings for mutual authentication
davmail.ssl.clientKeystoreType=
davmail.ssl.clientKeystoreFile=
davmail.ssl.clientKeystorePass=
# disable all balloon notifications
davmail.disableGuiNotifications=false
# disable tray icon color switch on activity
davmail.disableTrayActivitySwitch=false
# disable startup balloon notifications
davmail.showStartupBanner=true
# enable transparent client Kerberos authentication
davmail.enableKerberos=false
log4j.logger.org.apache.commons.httpclient=WARN
log4j.logger.httpclient.wire=WARN
log4j.rootLogger=WARN
log4j.logger.davmail=DEBUG
```
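Before putting a configuration like the one above in front of a published port, it is worth checking mechanically for the combination it contains: an IMAP listener with TLS disabled (`davmail.ssl.nosecureimap=true`), remote clients allowed (`davmail.allowRemote=true`), no bind address, and a compose mapping that publishes on every host interface. The script below is an added example, not part of the original post and not DAVmail's own tooling. It parses the properties format DAVmail uses (`key=value` lines, last assignment wins) plus the compose port mappings, and reports every listener that is both unencrypted and reachable beyond loopback. It assumes that DAVmail only wraps a listener in TLS when `davmail.ssl.keystoreFile` is set and the matching `davmail.ssl.nosecure<listener>` flag is false, and that a compose mapping without a host IP publishes on all interfaces. The sample properties are constructed from the keys shown above.

```python
"""Lint a DAVmail deployment for plaintext listeners reachable from the network.

Added example (not from the original post, not part of DAVmail). Assumptions:
DAVmail serves a listener in TLS only when davmail.ssl.keystoreFile is set and
davmail.ssl.nosecure<name> is false; a compose mapping with no host IP ("1143:1143")
is published on all host interfaces; davmail.allowRemote=false makes DAVmail
reject clients that are not on loopback.
"""
from typing import Dict, List

LISTENERS = ("imap", "pop", "smtp", "caldav", "ldap")
LOOPBACK = ("127.0.0.1", "::1", "[::1]", "localhost")

# Constructed sample built from the keys in the post's davmail.properties.
SAMPLE_PROPERTIES = """
davmail.server=true
davmail.mode=O365Modern
davmail.url=https://outlook.office365.com/EWS/Exchange.asmx
#davmail.caldavPort=1080
davmail.imapPort=1143
#davmail.smtpPort=1025
davmail.allowRemote=true
davmail.bindAddress=
davmail.ssl.keystoreFile=
davmail.ssl.nosecurecaldav=false
davmail.ssl.nosecureimap=true
log4j.logger.davmail=WARN
log4j.logger.davmail=DEBUG
"""
SAMPLE_PORTS = ["1143:1143"]  # the post's compose mapping


def parse_properties(text: str) -> Dict[str, str]:
    """Parse the java.util.Properties subset DAVmail writes: comments start with
    '#' or '!', keys are separated by '=' (or ':'), last assignment wins."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=") if "=" in line else line.partition(":")
        props[key.strip()] = value.strip()
    return props


def is_true(props: Dict[str, str], key: str) -> bool:
    return props.get(key, "").strip().lower() == "true"


def listener_is_plaintext(props: Dict[str, str], name: str) -> bool:
    # No keystore at all means no TLS on any listener; nosecure<name> disables it per listener.
    return not props.get("davmail.ssl.keystoreFile") or is_true(props, f"davmail.ssl.nosecure{name}")


def host_ip_of_mapping(mapping: str) -> str:
    """'1143:1143' -> '0.0.0.0' (all interfaces); '127.0.0.1:1143:1143' -> '127.0.0.1'."""
    parts = mapping.strip().strip("\"'").split(":")
    return "0.0.0.0" if len(parts) < 3 else ":".join(parts[:-2])


def container_port_of_mapping(mapping: str) -> str:
    """Last field is the container port, possibly with a '/tcp' suffix."""
    return mapping.strip().strip("\"'").split(":")[-1].split("/")[0]


def lint(props: Dict[str, str], port_mappings: List[str]) -> List[str]:
    """Return one finding per listener that is plaintext and reachable off-host."""
    findings: List[str] = []
    published = {container_port_of_mapping(m): host_ip_of_mapping(m) for m in port_mappings}
    bind = props.get("davmail.bindAddress", "")
    for name in LISTENERS:
        port = props.get(f"davmail.{name}Port", "")
        if not port:
            continue  # listener disabled (line commented out or value empty)
        if not listener_is_plaintext(props, name):
            continue  # TLS on this listener
        host_ip = published.get(port)
        if host_ip is None or host_ip in LOOPBACK:
            continue  # not published, or published on loopback only
        if not is_true(props, "davmail.allowRemote"):
            continue  # DAVmail itself refuses non-loopback clients
        findings.append(
            f"{name} listener on port {port} is plaintext and published on {host_ip} "
            f"(allowRemote=true, bindAddress={bind!r})"
        )
    return findings


if __name__ == "__main__":
    for finding in lint(parse_properties(SAMPLE_PROPERTIES), SAMPLE_PORTS) or ["no exposed plaintext listeners"]:
        print(finding)
```

Run against the post's values it reports the IMAP listener; change the mapping to a loopback-prefixed one, or configure a keystore and set `davmail.ssl.nosecureimap=false`, and it goes quiet.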
If the account has MFA enabled, the config above still works as long as app passwords are allowed, since DAVmail then logs in to EWS with the app password like any other client. If app passwords are disabled, it will not work. To get it working, change the line
`davmail.mode=EWS` to `davmail.mode=O365Modern`.
Set the account to use the Microsoft Authenticator app for MFA. Then watch DAVmail's output (the container log or the log file): when the first client signs in, it prints a URL like this one:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=UUID HERE&response_type=code&redirect_uri=https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fnativeclient&response_mode=query&login_hint=useraccount&resource=https%3A%2F%2Foutlook.office365.com
At this point, copy the URL into a browser and authenticate. You will be prompted for MFA. Read the consent prompt before accepting it: this is the step that grants the DAVmail client access to the mailbox. After that the browser stays on a blank page.
What happened next may not be entirely accurate, but I noticed that it was polling for MFA again, so I accepted, and then away it went: IMAP through an MFA-protected account.
DAVmail keeps the token renewed, so that is great.
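The URL you paste into the browser is the thing that grants an OAuth client access to the mailbox, so before completing MFA on it it is worth confirming it is the URL DAVmail is expected to produce and nothing that was tampered with in the log or the container. The script below is an added example, not from the original post and not part of DAVmail: it pulls the authorize URL out of a captured log line and checks that it is HTTPS to login.microsoftonline.com, requests an authorization code, redirects to the native-client endpoint shown above, names the Outlook resource, and carries a `login_hint` for the mailbox you actually intend to authorize. The log line is constructed, the `client_id` value is a placeholder rather than a real application id, and the mailbox address is made up.

```python
"""Vet the OAuth authorize URL DAVmail prints before pasting it into a browser.

Added example (not from the original post, not part of DAVmail). The expected
host, redirect URI and resource are the ones visible in the URL quoted in the post.
"""
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

EXPECTED_HOST = "login.microsoftonline.com"
EXPECTED_REDIRECT = "https://login.microsoftonline.com/common/oauth2/nativeclient"
EXPECTED_RESOURCE = "https://outlook.office365.com"

# Constructed log line: the prefix is made up, the client_id is a placeholder,
# the mailbox is invented; only the URL shape follows the post.
SAMPLE_LOG = (
    "INFO davmail - "
    "https://login.microsoftonline.com/common/oauth2/authorize?client_id=CLIENT_ID_PLACEHOLDER"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fnativeclient"
    "&response_mode=query&login_hint=dmarc%40example.com"
    "&resource=https%3A%2F%2Foutlook.office365.com\n"
)


def find_authorize_url(log_text: str) -> Optional[str]:
    """Return the first OAuth authorize URL in DAVmail's output, or None."""
    match = re.search(r"https://\S+/oauth2/authorize\?\S+", log_text)
    return match.group(0) if match else None


def check_authorize_url(url: str, expected_user: str) -> List[str]:
    """Return a list of problems; an empty list means the URL is the one we expect."""
    problems: List[str] = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}, expected 'https'")
    if parts.hostname != EXPECTED_HOST:
        problems.append(f"host is {parts.hostname!r}, expected {EXPECTED_HOST!r}")
    if not parts.path.endswith("/oauth2/authorize"):
        problems.append(f"path {parts.path!r} is not an authorize endpoint")

    query = parse_qs(parts.query, keep_blank_values=True)

    def single(name: str) -> Optional[str]:
        # A repeated parameter is treated as absent: it is a classic way to confuse a parser.
        values = query.get(name, [])
        return values[0] if len(values) == 1 else None

    expected = {
        "response_type": "code",          # authorization-code flow
        "redirect_uri": EXPECTED_REDIRECT,  # the native-client endpoint, blank page afterwards
        "resource": EXPECTED_RESOURCE,      # the mailbox API being authorized
        "login_hint": expected_user,        # the mailbox we meant to authorize
    }
    for name, want in expected.items():
        got = single(name)
        if got != want:
            problems.append(f"{name} is {got!r}, expected {want!r}")
    if not single("client_id"):
        problems.append("client_id missing or repeated")
    return problems


if __name__ == "__main__":
    url = find_authorize_url(SAMPLE_LOG)
    print(url)
    print(check_authorize_url(url, "dmarc@example.com") or "looks like the expected DAVmail authorize URL")
```

Feed it the real log line and the mailbox parsedmarc is supposed to read; an empty result means the URL is safe to open, and anything else (a look-alike host, a different redirect, a different user) is a reason to stop before you approve the MFA prompt.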