Retry segment causes application to fail

[ronald-wentworth]

Hey not a python developer but am using your email proxy program. We ran into an issue where the invalid token exception would retry and fail. Needed to restart to recover. I removed the retry functionality contained in and we no longer seem to have the issue.
The following is the error we would receive after a retry attempt.

Email OAuth 2.0 Proxy Local server auth mode: please authorise a request for account rtoc@moblize.com
2023-08-22 15:52:43: Local server auth mode (localhost:6767): unable to start local server. Please check that redirect_uri for rtoc@moblize.com is unique across accounts, specifies a port number, and is not already in use. See the documentation in the proxy's sample configuration file. OSError(98, 'Address already in use')

We are running in non-qui mode.

[ronald-wentworth]

Ok we still had the issue it just occurred later.

[ronald-wentworth]

My concern with the code is that the close looks to dereference not actually end the connection especially if an error were to occur during the close. If you need further information I can provide you whatever you need.

[simonrob]

Thanks for reporting this – at the moment I'm not quite sure which retry functionality you are referring to, because the error message you've posted relates to local server mode. Do you mean when an authentication request fails, for example due to being rejected by the user?

It would be useful if you could point to exactly where you think the issue is being caused and what you've changed.

Also, could you clarify whether you are using the issue-183 branch, which separates out the token error from other connection issues?

[ronald-wentworth]

We are using thead safe branch because we were getting config corruption when we got this error and had to redeploy. The retry I'm talking about is the retry in the
except InvalidToken as e:
block

[simonrob]

Thanks – it's worth trying the concurrent branch that you are using in conjunction with the issue-183 branch because that separates out the token error in a different way. Could you try the issue-189 branch, which merges the two? (I intend to merge both of these into the main project anyway once the original reporters are able to test)

[ronald-wentworth]

We did try 183. Got the following error.
23-08-24 19:47:21: Retrying login due to exception while decrypting OAuth 2.0 credentials for rtoc@moblize.com (invalid password): InvalidToken()
Retrying login due to exception while decrypting OAuth 2.0 credentials for rtoc@moblize.com (invalid password): InvalidToken()

[ronald-wentworth]

The token works again after restart.

[simonrob]

Have you set delete_account_token_on_password_error to False? And are you using multiple clients at once perhaps? I suspect you have one client with the right password and another with the wrong one, which could cause this error.

[ronald-wentworth]

Yes there are multiple clients. I'll try the delete_account_token_on_password_error to false. Even if this was the case we should get a good one the next time the correct password is sent. But by this time the entire connection is gone and we get the above port error.

[simonrob]

The port error is explained in the documentation - local server mode is an extra feature to support situations where interactive authentication is not possible. Improvements are welcome if you spot another way to handle this, but it's a bonus capability rather than the core focus for the proxy.

It's fine to use multiple clients at the same time, but they do all need to use the correct password.

[simonrob]

Did you resolve this? I'll close the issue if so.

[ronald-wentworth]

No we're still having issues. We're still trying to identify if this could be email password related. We haven't found 1 yet.

[simonrob]

Were you able to make any progress here?

[simonrob]

I intend to close this issue in the next few days under the assumption that it has been resolved, but just let me know if that's not the case.

[ronald-wentworth]

So I think the issue is still there in the retry code. You did mention that this was "enhancement" feature but it looks like if you're running headless and an auth fails the application will stop working. So at least I would recommend something that bypasses this route.

[simonrob]

Thanks for following up. I may be completely missing something here, but I don't see how the retry can cause the proxy to fail. The proxy closes the local server after finishing using it (whether successful or failed), and even if this is for whatever reason not happening properly, you can reconnect the client (perhaps after a short wait for the socket to be cleared up).

How can I replicate this to look into it? And what am I missing that means your setup doesn't close the local authentication server?

[DevStefan1]

Hello,
i have got the same problem.
"Retrying login due to exception while decrypting OAuth 2.0 credentials for abc@abc.com (invalid password): InvalidToken()"
The problem occurs only with one account connection to outlook, any other account works fine. The Password is definetely correct. I have already tested it with some new created accounts and as i said, everyone works, except this one. But this one, even after deleting and recreating with exact the same properties as newly created (except the name) will always give this error.
I came to use your E-Mail-Proxy after failing with DavMail, which also had problems with connecting to this specific account.
The problem also only occurs with sending mails with SMTP. When catching via IMAP it works fine, but when i try to send an email it directly gives the error and wants to reauthorize.
The first try after authorizing mostly works, but when when attempting to send another mail, error occurs.

I tried setting
if AppConfig.get_global('delete_account_token_on_password_error', fallback=true)
to false, but it didnt work.

Any other approaches?

[simonrob]

Interesting that you say it only happens for SMTP. Are you 100% sure that your client is using the same password for SMTP and IMAP?

I will need to see a proxy log (in --debug) mode to look further into this – please could you provide one?

I tried setting
if AppConfig.get_global('delete_account_token_on_password_error', fallback=true)
to false, but it didnt work.

To be clear, you change the value of delete_account_token_on_password_error in the config file, rather than editing that code. Is that what you're doing?

[DevStefan1]

Oh, no, i changed the code. I try to edit it in the config. Is it correct to just add
delete_account_token_on_password_error = false
after the credentials?
(Sorry I am a not that experienced)
edit: ok i found it and tried: didnt work.
And i guess the password is the same for smtp and imap? i didnt specify any other thing and every other account works like that?

So, i tried to log everything. Firstly, i authorize while fetching mails via imap:

2023-09-14 11:06:35: New incoming connection to IMAP server at [::]:143 (unsecured) proxying outlook.office365.com:993 (SSL/TLS)
2023-09-14 11:06:35: Accepting new connection to IMAP server at [::]:143 (unsecured) proxying outlook.office365.com:993 (SSL/TLS) via ('::ffff:127.0.0.1', 51521, 0, 0)
2023-09-14 11:06:35: IMAP ([::]:143; [::ffff:127.0.0.1]:51521->outlook.office365.com:993) --> [ Client connected ]
2023-09-14 11:06:35: IMAP ([::]:143; [::ffff:127.0.0.1]:51521->outlook.office365.com:993) <-> [ Starting TLS handshake ]
2023-09-14 11:06:35: IMAP ([::]:143; [::ffff:127.0.0.1]:51521->outlook.office365.com:993) <-> [ TLSv1.2 handshake complete ]
2023-09-14 11:06:35: IMAP ([::]:143; [::ffff:127.0.0.1]:51521->outlook.office365.com:993)     <-- b'* OK The Microsoft Exchange IMAP4 service is ready. [RgBSADAAUAAyADgAMQBDAEEAMAAwADAANQAuAEQARQBVAFAAMgA4ADEALgBQAFIATwBEAC4ATwBVAFQATABPAE8ASwAuAEMATwBNAA==]\r\n'
2023-09-14 11:06:35: IMAP ([::]:143; [::ffff:127.0.0.1]:51521->outlook.office365.com:993) <-- b'* OK The Microsoft Exchange IMAP4 service is ready. [RgBSADAAUAAyADgAMQBDAEEAMAAwADAANQAuAEQARQBVAFAAMgA4ADEALgBQAFIATwBEAC4ATwBVAFQATABPAE8ASwAuAEMATwBNAA==]\r\n'
2023-09-14 11:06:35: IMAP ([::]:143; [::ffff:127.0.0.1]:51521->outlook.office365.com:993) --> b'82 capability\r\n'
2023-09-14 11:06:35: IMAP ([::]:143; [::ffff:127.0.0.1]:51521->outlook.office365.com:993)     --> b'82 capability\r\n'
2023-09-14 11:06:35: IMAP ([::]:143; [::ffff:127.0.0.1]:51521->outlook.office365.com:993)     <-- b'* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+\r\n'
2023-09-14 11:06:35: IMAP ([::]:143; [::ffff:127.0.0.1]:51521->outlook.office365.com:993) <-- b'* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN SASL-IR UIDPLUS ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+\r\n'
2023-09-14 11:06:35: IMAP ([::]:143; [::ffff:127.0.0.1]:51521->outlook.office365.com:993)     <-- b'82 OK CAPABILITY completed.\r\n'
2023-09-14 11:06:35: IMAP ([::]:143; [::ffff:127.0.0.1]:51521->outlook.office365.com:993) <-- b'82 OK CAPABILITY completed.\r\n'
2023-09-14 11:06:35: IMAP ([::]:143; [::ffff:127.0.0.1]:51521->outlook.office365.com:993) --> b'83 authenticate PLAIN\r\n'
2023-09-14 11:06:35: IMAP ([::]:143; [::ffff:127.0.0.1]:51521->outlook.office365.com:993) <-- b'+ \r\n'
2023-09-14 11:06:35: IMAP ([::]:143; [::ffff:127.0.0.1]:51521->outlook.office365.com:993) --> b'[[ Credentials removed from proxy log ]]'
2023-09-14 11:06:35: Authorisation request received for abc@test.de (interactive mode)
2023-09-14 11:06:36: IMAP ([::]:143; [::ffff:127.0.0.1]:51519->outlook.office365.com:993; ghi@test.de) --> b'59 IDLE\r\n'
2023-09-14 11:06:36: IMAP ([::]:143; [::ffff:127.0.0.1]:51519->outlook.office365.com:993; ghi@test.de) <-- b'+ IDLE accepted, awaiting DONE command.\r\n'
[pywebview] Using WinForms / Chromium
2023-09-14 11:06:49: Waiting for URL matching `redirect_uri`; following browser redirection to login.microsoftonline.com/[...]
2023-09-14 11:06:52: Waiting for URL matching `redirect_uri`; following browser redirection to login.microsoftonline.com/[...]
2023-09-14 11:06:56: Returning authorisation request result for abc@test.de
2023-09-14 11:06:57: IMAP ([::]:143; [::ffff:127.0.0.1]:51521->outlook.office365.com:993)     --> b'83 AUTHENTICATE XOAUTH2 '
2023-09-14 11:06:57: IMAP ([::]:143; [::ffff:127.0.0.1]:51521->outlook.office365.com:993)     --> b'[[ Credentials removed from proxy log ]]\r\n'
2023-09-14 11:06:57: IMAP ([::]:143; [::ffff:127.0.0.1]:51521->outlook.office365.com:993; abc@test.de)     <-- b'83 OK AUTHENTICATE completed.\r\n'
2023-09-14 11:06:57: IMAP ([::]:143; [::ffff:127.0.0.1]:51521->outlook.office365.com:993; abc@test.de) [ Successfully authenticated IMAP connection - releasing session ]
2023-09-14 11:06:57: IMAP ([::]:143; [::ffff:127.0.0.1]:51521->outlook.office365.com:993; abc@test.de) <-- b'83 OK AUTHENTICATE completed.\r\n'
2023-09-14 11:06:57: IMAP ([::]:143; [::ffff:127.0.0.1]:51521->outlook.office365.com:993; abc@test.de) --> b'84 capability\r\n'
2023-09-14 11:06:57: IMAP ([::]:143; [::ffff:127.0.0.1]:51521->outlook.office365.com:993; abc@test.de) <-- b'* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS MOVE ID UNSELECT CLIENTACCESSRULES CLIENTNETWORKPRESENCELOCATION BACKENDAUTHENTICATE CHILDREN IDLE NAMESPACE LITERAL+\r\n84 OK CAPABILITY completed.\r\n'
2023-09-14 11:06:57: IMAP ([::]:143; [::ffff:127.0.0.1]:51521->outlook.office365.com:993; abc@test.de) --> b'85 ID ("name" "Thunderbird" "version" "102.15.1")\r\n'
2023-09-14 11:06:57: IMAP ([::]:143; [::ffff:127.0.0.1]:51521->outlook.office365.com:993; abc@test.de) <-- b'* ID ("name" "Microsoft.Exchange.Imap4.Imap4Server" "version" "15.20")\r\n85 OK ID completed\r\n'
2023-09-14 11:06:57: IMAP ([::]:143; [::ffff:127.0.0.1]:51521->outlook.office365.com:993; abc@test.de) --> b'86 select "INBOX"\r\n'
2023-09-14 11:06:57: IMAP ([::]:143; [::ffff:127.0.0.1]:51521->outlook.office365.com:993; abc@test.de) <-- b'* 2 EXISTS\r\n* 0 RECENT\r\n* FLAGS (\\Seen \\Answered \\Flagged \\Deleted \\Draft $MDNSent)\r\n* OK [PERMANENTFLAGS (\\Seen \\Answered \\Flagged \\Deleted \\Draft $MDNSent)] Permanent flags\r\n* OK [UNSEEN 1] Is the first unseen message\r\n* OK [UIDVALIDITY 14] UIDVALIDITY value\r\n* OK [UIDNEXT 18] The next unique identifier value\r\n86 OK [READ-WRITE] SELECT completed.\r\n'
2023-09-14 11:06:57: IMAP ([::]:143; [::ffff:127.0.0.1]:51521->outlook.office365.com:993; abc@test.de) --> b'87 UID fetch 1:* (FLAGS)\r\n'
2023-09-14 11:06:57: IMAP ([::]:143; [::ffff:127.0.0.1]:51521->outlook.office365.com:993; abc@test.de) <-- b'* 1 FETCH (FLAGS () UID 12)\r\n'
2023-09-14 11:06:57: IMAP ([::]:143; [::ffff:127.0.0.1]:51521->outlook.office365.com:993; abc@test.de) <-- b'* 2 FETCH (FLAGS (\\Seen) UID 15)\r\n87 OK FETCH completed.\r\n'
2023-09-14 11:06:59: IMAP ([::]:143; [::ffff:127.0.0.1]:51521->outlook.office365.com:993; abc@test.de) --> b'88 IDLE\r\n'
2023-09-14 11:06:59: IMAP ([::]:143; [::ffff:127.0.0.1]:51521->outlook.office365.com:993; abc@test.de) <-- b'+ IDLE accepted, awaiting DONE command.\r\n'

After successfully authorizing, fetching works. I can send Email (also via your proxy) from different accounts such as admin@, mark.something@ and the problematic mail account fetches them. But then i try to send an email via smtp:

2023-09-14 11:08:24: New incoming connection to SMTP server at [::]:25 (unsecured) proxying smtp.office365.com:587 (STARTTLS)
2023-09-14 11:08:24: Accepting new connection to SMTP server at [::]:25 (unsecured) proxying smtp.office365.com:587 (STARTTLS) via ('::ffff:127.0.0.1', 51596, 0, 0)
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587) --> [ Client connected ]
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587)     <-- b'220 FR4P281CA0083.outlook.office365.com Microsoft ESMTP MAIL Service ready at Thu, 14 Sep 2023 09:08:24 +0000\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587) <-- b'220 FR4P281CA0083.outlook.office365.com Microsoft ESMTP MAIL Service ready at Thu, 14 Sep 2023 09:08:24 +0000\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587) --> b'EHLO [127.0.0.1]\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587)     --> b'EHLO [127.0.0.1]\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587)     <-- b'250-FR4P281CA0083.outlook.office365.com Hello [111.111.111.111]\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587)     <-- b'250-SIZE 157286400\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587)     <-- b'250-PIPELINING\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587)     <-- b'250-DSN\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587)     <-- b'250-ENHANCEDSTATUSCODES\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587)     <-- b'250-STARTTLS\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587)     <-- b'250-8BITMIME\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587)     <-- b'250-BINARYMIME\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587)     <-- b'250-CHUNKING\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587)     <-- b'250 SMTPUTF8\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587)     --> b'STARTTLS\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587)     <-- b'220 2.0.0 SMTP server ready\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587) <-> [ Starting TLS handshake ]
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587) [ Successfully negotiated SMTP STARTTLS connection - re-sending greeting ]
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587)     --> b'EHLO [127.0.0.1]\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587) <-> [ TLSv1.3 handshake complete ]
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587)     <-- b'250-FR4P281CA0083.outlook.office365.com Hello [111.111.111.111]\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587) <-- b'250-FR4P281CA0083.outlook.office365.com Hello [111.111.111.111]\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587)     <-- b'250-SIZE 157286400\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587) <-- b'250-SIZE 157286400\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587)     <-- b'250-PIPELINING\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587) <-- b'250-PIPELINING\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587)     <-- b'250-DSN\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587) <-- b'250-DSN\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587)     <-- b'250-ENHANCEDSTATUSCODES\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587) <-- b'250-ENHANCEDSTATUSCODES\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587)     <-- b'250-AUTH LOGIN XOAUTH2\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587) <-- b'250-AUTH PLAIN LOGIN\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587)     <-- b'250-8BITMIME\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587) <-- b'250-8BITMIME\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587)     <-- b'250-BINARYMIME\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587) <-- b'250-BINARYMIME\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587)     <-- b'250-CHUNKING\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587) <-- b'250-CHUNKING\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587)     <-- b'250 SMTPUTF8\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587) <-- b'250 SMTPUTF8\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587) --> b'AUTH PLAIN [[ Credentials removed from proxy log ]]\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587)     --> b'AUTH XOAUTH2\r\n'
2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587)     <-- b'334 \r\n'
2023-09-14 11:08:25: Retrying login due to exception while decrypting OAuth 2.0 credentials for abc@test.de (invalid password): InvalidToken()
2023-09-14 11:08:25: Authorisation request received for abc@test.de (interactive mode)

I can either authorize again, then it will mostly send the mail, but for another email it will need another authorization. If I skip it, he can still receive emails.
(hopefully i replaced all personal data..)
Thanks for the help!!

[simonrob]

Thanks – this is really useful. Two things to follow up on:

1. What SMTP client are you using? The IMAP log is from Thunderbird 102.15.1. I'm assuimg that this is also what you are using for SMTP, but could you confirm?

2. Please download this version of the proxy script, and edit line 126 to be CENSOR_CREDENTIALS = False. Note: this will cause the proxy to print your username and password to the console instead of the [[ Credentials removed from proxy log ]] message.

I need you to check that, firstly, the same values are printed for both IMAP and SMTP (to make sure you don't have, say, an old SMTP password cached in your client). Based on your log above, the relevant values in the debug log after this change should be something like:

• IMAP:

2023-09-14 11:06:35: IMAP ([::]:143; [::ffff:127.0.0.1]:51521->outlook.office365.com:993) --> b'83 authenticate PLAIN\r\n'
2023-09-14 11:06:35: IMAP ([::]:143; [::ffff:127.0.0.1]:51521->outlook.office365.com:993) <-- b'+ \r\n'
2023-09-14 11:06:35: IMAP ([::]:143; [::ffff:127.0.0.1]:51521->outlook.office365.com:993) --> b'AGVtYWlsQGV4YW1wbGUuY29tAHBhc3N3MHJk\r\n'

• SMTP:

2023-09-14 11:08:25: SMTP ([::]:25; [::ffff:127.0.0.1]:51596->smtp.office365.com:587) --> b'AUTH PLAIN AGVtYWlsQGV4YW1wbGUuY29tAHBhc3N3MHJk\r\n'

It is critical that the output after the connection details and IMAP/SMTP commands is character-for-character identical in both cases (the AGVtYWlsQGV4YW1wbGUuY29tAHBhc3N3MHJk in my example). If these values do not match, then either you have a different password set up in your client for IMAP vs. SMTP; or, there is another variant of the PLAIN authentication method that the proxy is not accounting for.

If the values are identical, and you can provide me with the actual values you see here (perhaps after changing your password in your client to something temporary) then all the better.

[DevStefan1]

You are right!! There are two different passwords!
The IMAP Password is the current one and the SMTP Password is the old one. Very mysterious.
But your proxy works fine and did the right thing. Nothing to do for you here anymore =)
If you have any quick tips regarding Microsoft Exchange Online SMTP and IMAP password management or similar advice, I'm certainly open to them. Otherwise, the issue is resolved from my end (and maybe it helps the original poster).
Thanks!

[simonrob]

Thanks for following up and confirming this – I'm glad this turned out to be on the client side rather than an issue with the proxy.

I'll merge the minor changes from this branch and add documentation about the fact that many clients (mostly for historical reasons) support different passwords for POP/IMAP and SMTP, and that it is important to be sure that these are identical.

In terms of tips for password management, it's worth reiterating that the password used by your client with the proxy does not need to be the same as your actual account password, so you can perhaps manage this using a different approach. Conversely, if you want to use the same password for both the proxy and your actual account, this is also okay. Whatever works best for you.