XP/Vista-compatible clients for modern email services?

[Dave-H]

49 minutes ago, Tomcat76 said:

I'm in the same boat as BAW30s, using Outlook Express to access my Hotmail account. I'm also using it for my Gmail account for which I had to enable 2FA so I could use app passwords (which took over 6 months to set up because of my insistance to use authentication over a land line so I could use my mobile number for another Gmail account). I already had to switch to webmail for my ISP-provided accounts and those associated with my websites in 2022/2023 as they offered neither app passwords nor an alternative incoming mail server after they disabled basic authentication.

I got MS-blocked almost 2 weeks ago, contrary to some here. It wasn't until yesterday, though, that I finally found out what's going on as I didn't receive the notification I was supposed to get.

Somebody (can't remember who or where) suggested that, next to the alternate incoming mail server we already had to use (pop-legacy.office365.com), we should also use an app password. So I enabled 2FA and created an app password, but it still wouldn't connect. Another app password didn't do the trick either, nor did changing the incoming mail server to pop.office365.com or the new default outlook.office365.com.

Why can't MS support app passwords used in Outlook Express when Gmail can?

The most frustrating part is that I changed all my online subscriptions to Hotmail. Maybe I should've used a Gmail account instead, but I don't like how its spam engine works or that they don't fancy mailing lists too much (it's easy to get blacklisted by them).

Like BAW30s, I had my eyes set on OE Classic a long time ago already as it looks like OE and supports identities (the paid version does), but the shortcomings outlined in this thread make me hesitate. I will look into the other ones mentioned here.

Microsoft are enforcing mandatory OAuth2 authorisation on their e-mail systems.
Basic password logins will no longer work, even with 'app specific' passwords.
I'm surprised that the mechanism for that is even still there, I suspect that it won't be for long.
Gmail will go the same way soon, I'm afraid, as will all the other major mass e-mail providers eventually, I suspect.
The writing is on the wall now for any e-mail client which doesn't support OAuth2, I'm afraid.
I use a proxy to work around the problem, but that's no help on Windows XP, where the proxy will not work.

[user57]

to me OAuth looks it just being a extra mechanism 

something like "shake-hands", that xp certainly could do if the mechanism is known where and how

 

the picture OAuth only also shows a picture where your computer is asking their "OAuth-server" if everything is ok - this "OAuth-server" then communicated with the target (such as youtube, microsoft and others)

when the OAuth with your computer was ok and the others (yt,ms ect.), then it grants access to the wanted resources like pictures and video 

 

that dont sound so special to me SSL or TCP-handshake is doing a similiar thing

 

to me then it sounds like they just added a next one doing the same thing, with only one difference that a such mechanism is used 2 times 

[Dave-H]

My understanding is that an e-mail client has to be registered with an e-mail provider for OAuth2 to work with that provider's servers.
The client is issued with a token which has to be used.
The proxy I'm using is actually using a token which was issued to Mozilla Thunderbird, and the Microsoft servers therefore think that it is Thunderbird.
I gather that the mechanism for getting a token from Microsoft is quite complex, so 'borrowing' someone else's is a lot easier than going through the hoops to get one of your own!

[Tomcat76]

5 hours ago, Dave-H said:

Gmail will go the same way soon, I'm afraid

Yes, I just came across the announcement on Google's site while searching for email providers that don't enforce OAuth.

[user57]

i think i have to understand the problem regarding oauth

 

he wanted to get his emails with outlock - what is normal and common

then microsoft aka hotmail.com added that oauth 

now it raise questions a : it need a second email for oauth / or login and pw for that oauth server

b : it is just a mechanism that connect to that oauth server - where outlock dont have the oauth code - so it cant make this part and microsoft email just stops doing its job 

 

having that what they called a "token" to me it seems to be some hash 

then it can call with this hash, the server of interests and gather the data of interests 

 

that rather sounds like you have a login to some kind of server that says "this IP has sended me the right code - let this guy on your server" 

 

this sound all very old like a handshake with TCP SSL or a server that gives out something like "let this guy in" 

 

then your email such as a hotmail email allows you to see facebook, paypal, youtube - without having entered the password for facebook,youtube or paypal

 

it raise questions where this oauth has its code , but the part that is making the question to the oauth server has to be on the users computer 

if its that it might be a module, a internal function, a hash maker in firefox, a certain code that is being executed 

that sounds insecure to me if someone has the right conditions can probaly just enter your facebook , youtube or wrose your paypal account

this not only goes for a hacker, that also means people of interests can just make this with your account (such as the right people who have that trusted status - and that will not only be the police - and if so it raise questions why the police can just enter and look around in your facebook,youtube or paypal without having anything going on ...) 

 

so its a spy mechanism for the state - the more they know about the people the better they can enslave/control them 

(because guess what these people will have that mechnism´s - one might claim "on no i would not do that" - nope he will do he get a letter from a lawers and at some point he collopse, or something like "we dont do it yet/now" -> "oh see there in 2025 the terms of use changed now every people i want i can give this")

 

 

so we cleared 1 question, why the do this - it dont give any security questions, rather it opens security questions

 

and we know how this ends in a change of the so called "terms of use" - and then its done - you can be spyed 

[Mathwiz]

The recent problems with Hotmail are actually the very same problem I had with Office 365, which led me to start this thread in the first place!

I don't hate OAuth2, but I do hate mandatory OAuth2! As @Dave-H said:

On 10/3/2024 at 5:23 PM, Dave-H said:

My understanding is that an e-mail client has to be registered with an e-mail provider for OAuth2 to work with that provider's servers.
The client is issued with a token which has to be used.

So it's a way for email providers to control which email clients work with their service. That isn't foolproof - as Dave-H noted, you can "clone" the token issued to a registered open-source client like Mozilla's Thunderbird - but it does make it tougher for the folks who still write things for Windows versions before 10 to produce an email client that works with M$, Google, etc. IOW, it's planned obsolescence.

AFAICS it doesn't add any security: you still sign on with a user ID and password as before, and you can set a cookie letting you get back into the same app without signing in again.

Apart from Web browsers, the only XP/Vista email client that's likely to work with Hotmail right now is OE Classic, which I mentioned at the start of this thread. However, it had a number of shortcomings; read the start of the thread for details. I haven't used OE Classic in a couple of years, so some of its problems may have been addressed. (OE Classic did offer a free trial, if you want to see for yourself.)

[Mathwiz]

On 2/14/2023 at 7:17 PM, AstroSkipper said:

But another candidate has long since appeared on the horizon that meets and even exceeds all my requirements. And that is @roytam1's email client MailNews, which is ultimately based on Thunderbird 52. This email client has a real, working Oauth2 protocol that makes accessing Gmail easy.

I wanted to mention that, since Hotmail has gone OAuth2-only, @roytam1 has tried to implement OAuth2 for Micro$oft in MailNews. However, it's not (yet) working correctly. Leave it to Micro$oft to make OAuth2 even more complicated on their servers than it is on Gmail!

[UCyborg]

AFAIK, the idea of OAuth 2.0 was to avoid using passwords to authenticate. Not sure how that's supposed to work with "certified" clients where the key and secret may be known (eg. Thunderbird).

The app at work (it only needs SMTP if mail notifications are desired) was recently updated to support GMail's OAuth, you basically generate your OAuth 2.0 client ID at https://console.cloud.google.com/, download JSON with the key and secret and feed it to the app, go through consent screen on the web once, then it works and never has to see your account's password.

No idea how it would work with Microsoft's mail services, if dev department will ever get around to supporting their OAuth, one customer told me they're using SMTP relay to be able to get around lack of OAuth support on the app side, no idea how that is setup and how it works exactly.

[Dave-H]

A friend told me last night that he is still successfully using OE Classic with Hotmail on XP, so presumably OE Classic does include OAuth2 support, probably with a 'borrowed' token.

[UCyborg]

14 hours ago, Mathwiz said:

IOW, it's planned obsolescence

Depends on how you look at it. It keeps the system going, people employed etc. It's how it is after basic necessities are satisfied. Once upon a time the only worries were shelter, food and water and not being eaten by the predator.

Edited October 6 by UCyborg

[AstroSkipper]

 

On 10/6/2024 at 4:47 AM, Mathwiz said:

I don't hate OAuth2, but I do hate mandatory OAuth2!

I do completely agree.

Edited October 7 by AstroSkipper

[AstroSkipper]

On 10/6/2024 at 12:56 PM, Dave-H said:

A friend told me last night that he is still successfully using OE Classic with Hotmail on XP, so presumably OE Classic does include OAuth2 support, probably with a 'borrowed' token.

 

21 hours ago, AstroSkipper said:

Actually for testing purpose, I installed OE Classic and set up my Outlook account. All in all, it was quite simple if you know what to do exactly. However, New Moon 28 has problems with the Microsoft Login tab which was called up by OE Classic and unfortunately empty. So, I first had to log into my Outlook account via the web interface in New Moon 28. On the second attempt, my account was offered to connect to OE Classic. Here is a screenshot:



Now, ir simply works. OE Classic can be used for the basic Outlook email service under Windows XP. Here is a screenshot from OE Classic's interface:

OE Classic has been registered in my Microsoft account as the email app OE Classic. So, I don't think they used a 'borrowed' token but their own one. 

Edited October 7 by AstroSkipper

[AstroSkipper]

On 10/6/2024 at 4:47 AM, Mathwiz said:

(OE Classic did offer a free trial, if you want to see for yourself.)

FYI, it's not really a trial version but a free version limited to two email accounts only with the lack of some features of the pro version.

Edited October 8 by AstroSkipper
Update of content

[Dave-H]

Good to have it confirmed that OE Classic does still work with Hotmail (and presumably Outlook) accounts on XP!

I won't be using it because my entire e-mail history going back nearly 30 years is in my Eudora e-mail client, so I don't want to change unless I have to.
Am I right in assuming that, like the original Outlook Express, OE Classic does store the mailboxes and messages locally in dbx and eml format?

[AstroSkipper]

2 hours ago, Dave-H said:

Am I right in assuming that, like the original Outlook Express, OE Classic does store the mailboxes and messages locally in dbx and eml format?

Here is a quotation from OE Classic's homepage:

Quote

OE Classic - Message storage

Public domain database formats (your email data belongs to you), all formats are documented in the help (SQLite/MBX format)

Plus import/export of standard EML files

When I get back to my desktop computer, I'll check where the mailboxes and messages are stored. BTW, for a long time the following applies: Hotmail account = Outlook account = Microsoft account. To put it more simply: all of this is ultimately Microsoft. 

Edited October 7 by AstroSkipper
Update of content