Mail Server Authentication Errors

When attempting to use SocketTools components or libraries to connect with a mail server using either SMTP, POP3 or IMAP, the connection fails or an error is returned indicating the user's credentials are invalid. The user name and password are valid and a connection can be established using a mail client such as Outlook.

Sending Email

Most modern mail servers will not permit the use of any authentication method when the connection is not secure. This is a security measure intended to prevent clients from sending user credentials in an unencrypted format. Those servers will also typically reject connections from clients which attempt to use an older, less secure version of TLS or cryptographically weak cipher suites.

Mail servers which accept email messages for any recipient without authentication are known as "open relay" servers. This is considered an improper configuration, and messages from open relays are typically rejected by other servers as an anti-spam measure. A properly configured mail server will only accept messages without authentication from mail transfer agents (MTAs) if the message recipient is valid for that domain.

To submit a message for delivery to your mail server, check the following:

  1. Verify the correct domain name is being used for the service
  2. Always establish a secure connection using TLS 1.2
  3. Most SMTP servers will expect you to use port 587 instead of port 25
  4. Service providers (ISPs) may block outbound traffic on port 25

Some mail services will use different domains for sending and retrieving email. For example, Gmail uses the domain smtp.gmail.com for sending mail and requires authentication. Check with the service provider to make sure you're using the correct domain name when connecting to the service.

When you are providing user credentials, always make sure the connection is secure, either by setting the appropriate option or by setting the Secure property to True. By default, SocketTools will only use TLS 1.2 and will use explicit TLS (STARTTLS) if either port 25 or port 587 is specified.

If you are connecting using a non-standard port number, such as 2525, make sure you specify the appropriate type of TLS connection, implicit or explicit. An implicit TLS connection means the secure session is negotiated immediately when the connection is established, while explicit TLS (STARTTLS) means the connection is first made in plaintext and the secure session is negotiated afterwards, but before the user's credentials are sent.

Some residential Internet service providers may intentionally block all outbound traffic on port 25 to prevent systems which may have been compromised by malware from being used to send unsolicited emails. Although less common, some providers may choose to force customers to send all outbound emails through their mail servers. If the connection to the mail server is timing out, and you are sure you have the correct domain name and port number, check with your service provider to ensure they're not restricting access to the port.

Retrieving Email

The same general information listed above also applies to both POP3 and IMAP when attempting to download email messages. Mail servers will expect you to use a secure connection and will not accept a user's credentials over an unencrypted channel. Most servers today will also require you to use TLS 1.2 and will reject attempts to use older versions of the protocol.

If your application is using POP3 to download emails, most mail servers will expect either an explicit TLS connection on port 110 or an implicit TLS connection on port 995. If you are using IMAP, most servers will expect either an explicit TLS connection on port 143 or an implicit TLS connection on port 993. Some services will listen on both ports, in which case the client can choose whether to use implicit or explicit TLS; SocketTools supports both methods.
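The following is an added example, written in Python rather than with SocketTools, that applies the port and TLS guidance from the sending and retrieving sections above: it maps the well-known SMTP, POP3 and IMAP ports to implicit or explicit TLS, refuses to guess for a non-standard port such as 2525, requires TLS 1.2 or later with certificate verification, and only sends credentials after the secure session exists. The host, user and password are assumptions to be supplied by the caller; SMTP port 465 as implicit TLS is not stated on this page and is taken from RFC 8314.

```python
import smtplib
import ssl

# Default TLS negotiation style for each well-known port, following the
# article's guidance (465 as implicit-TLS SMTP is added from RFC 8314).
TLS_MODE_BY_PORT = {
    "smtp": {25: "explicit", 587: "explicit", 465: "implicit"},
    "pop3": {110: "explicit", 995: "implicit"},
    "imap": {143: "explicit", 993: "implicit"},
}


def tls_mode(protocol, port, override=None):
    """Return 'implicit' or 'explicit' for a service and port.

    Non-standard ports (e.g. 2525) carry no convention, so the caller must
    state the mode; refusing to guess avoids sending credentials in the clear.
    """
    if override is not None:
        if override not in ("implicit", "explicit"):
            raise ValueError("override must be 'implicit' or 'explicit'")
        return override
    try:
        return TLS_MODE_BY_PORT[protocol.lower()][port]
    except KeyError:
        raise ValueError(f"no TLS convention for {protocol} port {port}; "
                         "specify implicit or explicit") from None


def make_tls_context():
    """TLS 1.2 or later only, with certificate and hostname verification."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def smtp_submit(host, port, user, password, msg, mode=None):
    """Submit an email.message.Message, authenticating only over TLS."""
    ctx = make_tls_context()
    negotiated = tls_mode("smtp", port, mode)
    if negotiated == "implicit":
        client = smtplib.SMTP_SSL(host, port, context=ctx)
    else:
        client = smtplib.SMTP(host, port)  # plaintext until STARTTLS below
    with client:
        if negotiated == "explicit":
            client.starttls(context=ctx)  # upgrade before any AUTH command
        client.login(user, password)
        # Returns a dict of refused recipients; empty means accepted for delivery.
        return client.send_message(msg)
```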

OAuth 2.0 Authorization

It is increasingly common for mail services to require clients to use OAuth 2.0 for authorization. Unlike the traditional method of using a username and password, services which use OAuth 2.0 require a bearer token (also called an access token). These tokens are issued by the service provider and enable your application to access the resource without requiring the user to provide you with their password.

Microsoft announced they will be requiring OAuth 2.0 to access commercial Microsoft 365 mail accounts and Google requires the use of OAuth 2.0 to access G Suite accounts. Access to consumer Gmail accounts requires the use of OAuth unless the user enables “Less Secure Apps” in their security settings.

See Also

OAuth 2.0 Frequently Asked Questions
Testing Secure Connections with OpenSSL
Unable to Establish Security Context
Windows and Supported TLS Versions