Syncing outlook.com / o365 account with OAuth2 Token fails (kind of)

i_like_beef

Hi all,
I’m trying to sync an outlook.com mail account to my mailcow account. Basically I have been doing it like suggested here: Fetch from Microsoft (@hotmail.com or @outlook.om).
The thing is: When it is run as a sync-job, then the execution fails because the authentication at the MS-Server fails. When I run the same command as the perl script does manually from inside the dovecot container, the authentication is fine and the sync would work.

This is the log copied from the Mailcow GUI:

get options: [1][39]
Docker context detected with the file /.dockerenv
No log by default in Docker context. Use --log to trigger logging to the logfile.
Changing current directory to /var/tmp/uid_65534
numopt:39
Here is imapsync 2.178 on host e756e7e4e0e2, a linux system with 0.9/7.8 free GiB of RAM
with Perl 5.40.3 and Mail::IMAPClient 3.43
Transfer started at Friday 16 January 2026-01-16 23:20:01 +0100 CET
PID is 405 my PPID is 389
No log file because of option --nolog
System load: 0.30 0.39 0.28 1/1044
Load is 0.30 0.39 0.28 1/1044 on 4 cores
Current directory is /var/tmp/uid_65534
Real user id is nobody (uid 65534)
Effective user id is nobody (euid 65534)
$RCSfile: imapsync,v $ $Revision: 2.178 $ $Date: 2022/01/12 21:28:37 $ 
Command line used, run by perl:
/usr/local/bin/imapsync --tmpdir /tmp --nofoldersizes --addheader --timeout1 600 --timeout2 600 --exclude '(?i)spam|(?i)junk' --maxage 30 --delete2duplicates --subscribeall --delete --automap --ssl1 --host1 outlook.office365.com --user1 REDACTED@outlook.com --passfile1 /tmp/imapsync.iAypcVx --port1 993 --host2 localhost --user2 REDACTED@REDACTED.de*8h3ktnxus9kopns3@mailcow.local --passfile2 /tmp/imapsync.pBBCwhk --dry --no-modulesversion --noreleasecheck --office1 --oauthaccesstoken1='/etc/dovecot/oauth2_imap/tokens/oauth2_tokens_thunderbird_office365_REDACTED_at_outlook.com.txt' --debug --debugimap --debugimap1
Temp directory is /tmp ( to change it use --tmpdir dirpath )
Option --office1 is like: --host1 outlook.office365.com --ssl1 --exclude "^Files$"
Option --office1 (cont) : unless overrided with --host1 otherhost --nossl1 --noexclude
Under docker context so installing only signals to exit
kill -INT 405 # special behavior: call to sub catch_exit
kill -QUIT 405 # special behavior: call to sub catch_exit
kill -TERM 405 # special behavior: call to sub catch_exit
No variable pid_filename
PID file is unset ( to set it, use --pidfile filepath ; to avoid it use --pidfile "" )
IMAPClient 3.43
Info: will resync flags for already transferred messages. Use --noresyncflags to not resync flags.
sslcheck
Host2: probing ssl on port 993 ( use --nosslcheck to avoid this ssl probe ) 
DEBUG: .../IO/Socket/SSL.pm:3073: new ctx 140563424585840
DEBUG: .../IO/Socket/SSL.pm:709: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:711: socket connected
DEBUG: .../IO/Socket/SSL.pm:734: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:778: using SNI with hostname localhost
DEBUG: .../IO/Socket/SSL.pm:849: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:3800: * TLSv1.3 (OUT), TLS handshake, Client hello (1)
DEBUG: .../IO/Socket/SSL.pm:3800: * TLSv1.3 (IN), TLS handshake, Server hello (2)
DEBUG: .../IO/Socket/SSL.pm:3800: * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8)
DEBUG: .../IO/Socket/SSL.pm:3800: * TLSv1.3 (IN), TLS handshake, Certificate (11)
DEBUG: .../IO/Socket/SSL.pm:3800: * TLSv1.3 (IN), TLS handshake, CERT verify (15)
DEBUG: .../IO/Socket/SSL.pm:3800: * TLSv1.3 (IN), TLS handshake, Finished (20)
DEBUG: .../IO/Socket/SSL.pm:3800: * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1)
DEBUG: .../IO/Socket/SSL.pm:3800: * TLSv1.3 (OUT), TLS handshake, Finished (20)
DEBUG: .../IO/Socket/SSL.pm:852: done Net::SSLeay::connect -> 1
DEBUG: .../IO/Socket/SSL.pm:907: ssl handshake done
socket: IO::Socket::SSL=GLOB(0x7fd780bdf968)
DEBUG: .../IO/Socket/SSL.pm:3800: * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4)
DEBUG: .../IO/Socket/SSL.pm:3800: * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4)
banner: * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
DEBUG: .../IO/Socket/SSL.pm:3800: * TLSv1.3 (OUT), TLS alert, close notify (256)
DEBUG: .../IO/Socket/SSL.pm:3122: free ctx 140563424585840 open=140563424585840
DEBUG: .../IO/Socket/SSL.pm:3133: OK free ctx 140563424585840
Host2: sslcheck detected open ssl port 993 so turning ssl on (use --nossl2 --notls2 to turn off SSL and TLS wizardry)
SSL debug mode level is --debugssl 1 (can be set from 0 meaning no debug to 4 meaning max debug)
Host1: SSL default mode is like --sslargs1 "SSL_verify_mode=0", meaning for host1 SSL_VERIFY_NONE, ie, do not check the certificate server.
Host1: Use --sslargs1 SSL_verify_mode=1 to have SSL_VERIFY_PEER, ie, check the certificate server of host1
Host2: SSL default mode is like --sslargs2 "SSL_verify_mode=0", meaning for host2 SSL_VERIFY_NONE, ie, do not check the certificate server.
Host2: Use --sslargs2 SSL_verify_mode=1 to have SSL_VERIFY_PEER, ie, check the certificate server of host2
Info: turning on --expunge1 because --delete1 --noexpunge1 is very dangerous on the second run.
Info: if expunging after each message slows down too much the sync then use --noexpungeaftereach to speed up
Info: will act as --uidexpunge2
Info: turned ON syncinternaldates, will set the internal dates (arrival dates) on host2 same as host1.
Host1: will try to use LOGIN authentication on host1
Host2: will try to use LOGIN authentication on host2
Host1: imap connection timeout is 600 seconds
Host2: imap connection timeout is 600 seconds
Host1: imap connection keepalive is on on host1. Use --nokeepalive1 to disable it.
Host2: imap connection keepalive is on on host2. Use --nokeepalive2 to disable it.
Host1: IMAP server [outlook.office365.com] port [993] user [REDACTED@outlook.com]
Host2: IMAP server [localhost] port [993] user [REDACTED@REDACTED.de*8h3ktnxus9kopns3@mailcow.local]
Host1: connecting and login on host1 [outlook.office365.com] port [993] with user [REDACTED@outlook.com]
Connecting with IO::Socket::SSL PeerAddr outlook.office365.com PeerPort 993 Proto tcp Timeout 600 Debug 1 SSL_verifycn_scheme imap SSL_cipher_list DEFAULT:!DH SSL_verify_mode 0
Connected to outlook.office365.com
Read: 	* OK Microsoft Exchange IMAP4 service ready. (tcpproxy/15.20.9542.003 BACKENDAUTHENTICATE) [RgBSADQAUAAyADgAMQBDAEEAMAAzADUANgAuAEQARQBVAFAAMgA4ADEALgBQAFIATwBEAC4ATwBVAFQATABPAE8ASwAuAEMATwBNAA==]
Host1 IP address: 52.98.179.178
Host1 banner: * OK Microsoft Exchange IMAP4 service ready. (tcpproxy/15.20.9542.003 BACKENDAUTHENTICATE) [RgBSADQAUAAyADgAMQBDAEEAMAAzADUANgAuAEQARQBVAFAAMgA4ADEALgBQAFIATwBEAC4ATwBVAFQATABPAE8ASwAuAEMATwBNAA==]
Sending: 1 CAPABILITY
Sent 14 bytes
Read: 	* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS MOVE ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+
  	1 OK CAPABILITY completed.
Host1 capability before authentication: IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS MOVE ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+ AUTH
Sending: 2 AUTHENTICATE XOAUTH2
Sent 24 bytes
Read: 	+
Sending: [Redact: Count=2 Showcredentials=OFF]
Sent 198 bytes
Read: 	2 NO [Error="AuthFailed:LogonDenied-None-OAuthLog:AuthExc_Auth Failed. For details, use these fields to correlate with Core Auth telemetry. RequestId: 00000000-0000-0000-0000-000000000000, OperationId: 2d0f97e2-9d1c-48b9-b3c0-994641ef7812, cV:  User:REDACTED@outlook.com" AuthResultFromPopImapEnd=0 Proxy=WA1P291MB0208.POLP291.PROD.OUTLOOK.COM:1993:SSL MailboxBE=WA1P291MB0208.POLP291.PROD.OUTLOOK.COM Service=Imap4] AUTHENTICATE failed.
ERROR: 2 NO [Error="AuthFailed:LogonDenied-None-OAuthLog:AuthExc_Auth Failed. For details, use these fields to correlate with Core Auth telemetry. RequestId: 00000000-0000-0000-0000-000000000000, OperationId: 2d0f97e2-9d1c-48b9-b3c0-994641ef7812, cV:  User:REDACTED@outlook.com" AuthResultFromPopImapEnd=0 Proxy=WA1P291MB0208.POLP291.PROD.OUTLOOK.COM:1993:SSL MailboxBE=WA1P291MB0208.POLP291.PROD.OUTLOOK.COM Service=Imap4] AUTHENTICATE failed. at /usr/share/perl5/vendor_perl/Mail/IMAPClient.pm line 3319.
	Mail::IMAPClient::authenticate(Mail::IMAPClient=HASH(0x7fd780c75000), "XOAUTH2", CODE(0x7fd7808d7528)) called at /usr/share/perl5/vendor_perl/Mail/IMAPClient.pm line 579
	Mail::IMAPClient::login(Mail::IMAPClient=HASH(0x7fd780c75000)) called at /usr/local/bin/imapsync line 8344
	main::oauthaccesstoken(HASH(0x7fd780e81208), HASH(0x7fd783737728), Mail::IMAPClient=HASH(0x7fd780c75000), "outlook.office365.com", "REDACTED\@outlook.com") called at /usr/local/bin/imapsync line 8194
	main::authenticate_imap(Mail::IMAPClient=HASH(0x7fd780c75000), "outlook.office365.com", 993, "REDACTED\@outlook.com", "dummy", 1, undef, 1, ...) called at /usr/local/bin/imapsync line 8085
	main::login_imap("outlook.office365.com", 993, "REDACTED\@outlook.com", "dummy", 1, undef, 1, 100, ...) called at /usr/local/bin/imapsync line 2020
	main::single_sync(HASH(0x7fd780e81208), HASH(0x7fd783737728), HASH(0x7fd780c9e6e0)) called at /usr/local/bin/imapsync line 1350
Host1 failure: Error login on [outlook.office365.com] with user [REDACTED@outlook.com] auth [XOAUTH2 accesstoken]: 2 NO [Error="AuthFailed:LogonDenied-None-OAuthLog:AuthExc_Auth Failed. For details, use these fields to correlate with Core Auth telemetry. RequestId: 00000000-0000-0000-0000-000000000000, OperationId: 2d0f97e2-9d1c-48b9-b3c0-994641ef7812, cV:  User:REDACTED@outlook.com" AuthResultFromPopImapEnd=0 Proxy=WA1P291MB0208.POLP291.PROD.OUTLOOK.COM:1993:SSL MailboxBE=WA1P291MB0208.POLP291.PROD.OUTLOOK.COM Service=Imap4] AUTHENTICATE failed.
Host1: failed login on [outlook.office365.com] with user [REDACTED@outlook.com] auth [XOAUTH2 accesstoken]
Host2: connecting and login on host2 [localhost] port [993] with user [REDACTED@REDACTED.de*8h3ktnxus9kopns3@mailcow.local]
Connecting with IO::Socket::SSL PeerAddr localhost PeerPort 993 Proto tcp Timeout 600 Debug 1 SSL_verify_mode 0 SSL_cipher_list DEFAULT:!DH SSL_verifycn_scheme imap
Connected to localhost
Read: 	* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
Host2 IP address: ::1
Host2 banner: * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
Sending: 1 CAPABILITY
Sent 14 bytes
Read: 	* CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN
Read: 	1 OK Pre-login capabilities listed, post-login capabilities have more.
Host2 capability before authentication: IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN AUTH
Host2: localhost says it has CAPABILITY for AUTHENTICATE LOGIN
Sending: 2 LOGIN "REDACTED@REDACTED.de*8h3ktnxus9kopns3@mailcow.local" [Redact: Count=2 Showcredentials=OFF]
Sent 92 bytes
Read: 	* CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY PREVIEW=FUZZY PREVIEW STATUS=SIZE SAVEDATE LITERAL+ NOTIFY METADATA SPECIAL-USE COMPRESS=DEFLATE QUOTA ACL RIGHTS=texk
  	2 OK Logged in
Host2: success login on [localhost] with user [REDACTED@REDACTED.de*8h3ktnxus9kopns3@mailcow.local] auth [LOGIN] or [LOGIN]
Host2 Buffer I/O: 4096
++++ Listing 1 errors encountered during the sync ( avoid this listing with --noerrorsdump ).
Err 1/1: Host1 failure: Error login on [outlook.office365.com] with user [REDACTED@outlook.com] auth [XOAUTH2 accesstoken]: 2 NO [Error="AuthFailed:LogonDenied-None-OAuthLog:AuthExc_Auth Failed. For details, use these fields to correlate with Core Auth telemetry. RequestId: 00000000-0000-0000-0000-000000000000, OperationId: 2d0f97e2-9d1c-48b9-b3c0-994641ef7812, cV:  User:REDACTED@outlook.com" AuthResultFromPopImapEnd=0 Proxy=WA1P291MB0208.POLP291.PROD.OUTLOOK.COM:1993:SSL MailboxBE=WA1P291MB0208.POLP291.PROD.OUTLOOK.COM Service=Imap4] AUTHENTICATE failed.
The most frequent error is ERR_AUTHENTICATION_FAILURE_USER1. Check the credentials for REDACTED@outlook.com.
Exiting with return value 161 (EXIT_AUTHENTICATION_FAILURE_USER1) 1/50 nb_errors/max_errors PID 405
Disconnecting from host2 localhost user2 REDACTED@REDACTED.de*8h3ktnxus9kopns3@mailcow.local
Sending: 3 LOGOUT
Sent 10 bytes
Read: 	* BYE Logging out
  	3 OK Logout completed (0.001 + 0.000 secs).
No log file because of option --nolog
```!<

❌ Login is not successful…

However, if I do the following (basically running the command that was given in the log above):

mailserver:~ # docker exec -it mailcowdockerized-dovecot-mailcow-1 /bin/bash
e756e7e4e0e2:/# touch /tmp/imapsync.iAypcVx
e756e7e4e0e2:/# /tmp/imapsync.pBBCwhk
e756e7e4e0e2:/# echo 'mypasswd' > /tmp/imapsync.pBBCwhk
e756e7e4e0e2:/# /usr/local/bin/imapsync --tmpdir /tmp --nofoldersizes --addheader --timeout1 600 --timeout2 600 --exclude '(?i)spam|(?i)junk' --maxage 30 --delete2duplicates --subscribeall --delete --automap --ssl1 --host1 outlook.office365.com --user1 REDACTED@outlook.com --passfile1 /tmp/imapsync.iAypcVx --port1 993 --host2 localhost --user2 REDACTED@REDACTED.de --passfile2 /tmp/imapsync.pBBCwhk --dry --no-modulesversion --noreleasecheck --office1 --oauthaccesstoken1='/etc/dovecot/oauth2_imap/tokens/oauth2_tokens_thunderbird_office365_REDACTED_at_outlook.com.txt' --debug --debugimap --debugimap1

✅ Then the result is a perfectly running sync with successful authentication and authorisation also on the MS side…

I absolutely can’t get my head around that. What am I missing here?
Can anybody point me in the right direction?

Best regards!

ETNyx

My guess is that you have permission problem. As log show sync via UI is run as:

Real user id is nobody (uid 65534)
Effective user id is nobody (euid 65534)

And your test using docker exec is run as root. And when sync via UI does not see your token oauth2_tokens_thunderbird_office365_REDACTED_at_outlook it posting empty token to M$ auth server resulting in auth fail,..

To test my theory make your token widely readable and test it again. Just for testing, usually you do not want keep secrets widely readable.

i_like_beef

ETNyx Thanks for your reply!
I was testing that already, just to be sure, I did it again. Unfortunately without success 🙁

Changed the permissions to 644 and switched user to nobody on container. I am then able to read the token file:

e756e7e4e0e2:/# su -s /bin/sh nobody
ls -lah /etc/dovecot/oauth2_imap/tokens/
total 4.0K
drwxrwxr-x 1 root root  134 Jan 19 14:30 .
drwxr-xr-x 1 root root  656 Jan 16 17:44 ..
-rw-r--r-- 1 root root 2.1K Jan 19 14:30 oauth2_tokens_thunderbird_office365_REDACTED_at_outlook.com.txt
cat /etc/dovecot/oauth2_imap/tokens/oauth2_tokens_thunderbird_office365_REDACTED_at_outlook.com.txt
HEREWASTHEFIRSTTOKEN
HEREWASTHESECONDTOKEN
# The first   line is the access  token
# The second  line is the refresh token
# Account is REDACTED@outlook.com
# File generated on Mon Jan 19 14:30:03 2026 by ./oauth2_imap REDACTED@outlook.com

I’m really going nuts here… I absolutely can’t understand why it is working when I copy / paste the commandline that is run by perl from the logs to the shell (just adjusting the local mailcow mailbox credentials)…
I’m running out of ideas how to debug that 😢

ETNyx

Quick question, in UI you are using “Custom parameters” to fill those --oauthaccesstoken1?

Try something like --oauthaccesstoken1="$(cat /etc/dovecot/oauth2_imap/tokens/oauth2_tokens_thunderbird_office365_REDACTED_at_outlook.com.txt | head -1)"

Idea is that you may be sending exactly what you wrote there not content of this file,…

i_like_beef

ETNyx
Exactly, I’m using the “Custom Parameters” field.

I got the idea, but unfortunately the UI doesn’t let me save this:

But again, if I run this from the commandline inside the docker (as user “nobody”) with --oauthaccesstoken1="$(cat /etc/dovecot/oauth2_imap/tokens/oauth2_tokens_thunderbird_office365_REDACTED_at_outlook.com.txt | head -1)" imapsync runs perfectly fine!
Could this be a bug in the perl wrapper script?

i_like_beef

Okay, I think you have pointed me in the right direction and now it works.

Solution:
You have to ONLY have the access token in the file that you are referring to with the parameter “–oauthaccesstoken1”.
I now have a slightly extended version of the cron-script updating the access token every 60 mins, so that it writes the new access token to a separate file, which I then refer to for imapsync.
Added line:

echo "$(cat /etc/dovecot/oauth2_imap/tokens/oauth2_tokens_thunderbird_office365_REDACTED_at_outlook.com.txt | head -1)" > /etc/dovecot/oauth2_imap/tokens/oauth2_access_token_thunderbird_office365_REDACTED_at_outlook.com.txt

Thanks again for your input!