I just received an email from MS stating that I will no longer be able to retrieve my email after 09/16/24 due their discontinuance of "Basic Authentication". I have also read that there is little chance (due to complexity) of Pegasus Mail for Windows ever incorporating "Modern Authentication" for Microsoft. I have also read the author's take on it and respect his opinion.

BUT... now I'm in trouble. I have used Pegasus Mail for around 20 years. I utilize it for my filing tray, keeping records of both personal and financial exchanges. It is my "GoTo" when a question regarding the past arises. I DON'T want to abandon PM but I don't see how I can stay with it.

I notice that PM v4.81 with OAUTH2 for Google was never moved from Beta. I don't care for GMail and their "labels" anyway... I like "folders".

First, my heartfelt thanks to David for providing such a fantastic email client for so many years.

Second, I am in need of options at this point. I have PM folders containing 20 years of info that I'd like to keep. I ALSO wish to continue to RETRIEVE my mail and store it locally as opposed to keeping it on a cloud. Internet providers have all but abandoned email services... at least in my location.

All thought would be appreciated.
Thanks in advance.
Craig

We don't know whether Microsoft will continue accepting an app password for authentication like Google has. If they don't, I'm afraid Pegasus Mail will no longer be able to connect to an Microsoft email service. This happened with Google. They announced the end of Basic Authentication but left us in the dark about the functionality of their app password. It wasn't until Basic Authentication was disabled that we determined that an app password still worked. I believe that we are in the same boat with Microsoft. Even if an app password functionality continues to work, another unknown will be how long it will be supported.

I have a couple of outlook.com email accounts but am not heavily invested in either so this Microsoft announcement is just a bump for me. You on the other hand must have a plan in the event that Microsoft stops honoring app password authentication. The only email client that comes to mind as an alternative to Pegasus Mail is Mozilla Thunderbird. I don't know enough about it to offer any advice.

Pegasus Mail will continue to provide access to email data stored locally.

I got the same email from MS. I have used Pegasus for around 30 years and don't want to give it up for the same reasons as Craig Tee has given. Unfortunately I am heavily invested in Outlook as it has been my primary email account since my ISP stopped providing email. I have already turned on 2FA in Outlook and created an app password that works. Hopefully MS may continue to support this though earlier posts in this forum suggest that MS may ban this too.

One rather cumbersome solution would be to automatically redirect all mail from Outlook to Gmail and download it from there, as long as Pegasus can still access Gmail.

I hope that a suitable working solution can be found.

David

Have an outlook.com account, but in entire time I've had it, it had only 30 messages in inbox and all were basically junk/ads. Deleted them all..

Don't have it linked to phone or anything. go to outlook.live.com and it logs in??
Checked saved passwords and there i nothing with outlook at all?? Then checked cookies, and there is also nothing for outlook. So not sure where they are storing the info, but it must be somewhere in the firefox. I'm using Linux, so it must be somewhere in the Firefox directories. Sure hackers, could make a copy of the directory, setup an outlook account, and then compare the directories, and find the exact location.

Remember many years ago, had a student locked his basic program, and hadn't make a copy of the code. According to IBM's Manual - Once a program is locked, it can never be unlocked.
Took about 15 minutes to crack it.
Made a simple program and saved it, and copied library object to a regular disk file.
Then locked it, and copied it to a different file name. Compared the two files, and only differene was 1 bit. Copied students locked program to file, changed the one bit, and then copied it back to library, and it was unlocked.

Wonder how much this stuff really adds to security. Even with encryption, a lot of setups don't protect against man-in-the middle or forged dns records in router. Was a DEFCON once, and it was interesting.

The Gmail solution is built-in to the 4.81 public beta so no worries there, at least not until Google stops supporting OAUTH2.

David, I feel your pain... we are in similar circumstances.

Brian, thanks for your thoughts on this, mine have been running along the same lines... unfortunately.

I suppose, at 73 years old, I refuse to start over and try to import all my data into a new client. Also, I have an emotional attachment to Pegasus Mail after all these years. Weird? LOL!

I don't care for GMail due to their usage of "labels" as opposed to "folders". It is too easy to confuse GMail for some reason(?) and then have to go searching for that "lost" piece of mail.

I think my saving grace in all of this is my use of the Sneakemail.com service. All my mail comes addressed to them and then is forwarded to whatever account I choose. It's not a free service but WELL worth the few dollars a month for a ZERO SPAM inbox. (IMHO!)

Since there appears to be no way around MS's decision, I will find a new email provider that doesn't require 0AUTH2 and send MS Outlook packing.

I would appreciate suggestions from any who use another email service provider that DOESN'T require 0AUTH2 or charge an arm and a leg for personal accounts, has a simple web interface, some megabytes of cloud storage (don't need gigs), and the ability for cloud folder storage. Something like GMail but with folders instead of labels.

Thanks again for your thoughts on this.
They were read and appreciated.
Craig

From Microsoft:
(They state they will no longer support the email/password login combination)
Email:
"The safety and security of your information is top priority for Microsoft. To help keep your account secure, Microsoft will no longer support the use of third-party email and calendar apps which ask you to sign in with only your Microsoft Account username and password. To keep you safe you will need to use a mail or calendar app which supports Microsoft’s modern authentication methods. If you do not act, your third-party email apps will no longer be able to access your Outlook.com, Hotmail or Live.com email address on September 16th."

https://support.microsoft.com/en-us/office/modern-authentication-methods-now-needed-to-continue-syncing-outlook-email-in-non-microsoft-email-apps-c5d65390-9676-4763-b41f-d7986499a90d

This phrase gives me hope that credentialing with an app password will continue to be supported. I have not been able to confirm that though.

Not weird at all. I suspect there are a bunch of us who feel that way. I sure do. Pegasus Mail made me look good by allowing me to provide email service for the small business I was employed at as a fledgeling network admin (among other duties). Thirty years later they did everything they could to try to keep me from retiring. I will never feel like I have repayed my debt of gratitude to David Harris for the role his Pegasus Mail and Mercury products played in my success.

This is most likely the next thing to come for email applications as well: https://www.microsoft.com/en-us/security/blog/2024/05/02/microsoft-introduces-passkeys-for-consumer-accounts/

I got my "Action Needed – You may lose access to some of your third-party mail and calendar apps" email from Microsoft this morning. It doesn't seem possible to know which of my email apps it applies to (I use several, with Pegasus Mail the one with 20+ years of stored emails and the others for more or less mobile extras).

I have just now set up two-step verification and created three app passwords for the first three email clients. That, as noted, is not "only my Microsoft account name and password" because it's no longer using the main password, but instead, the appropriate app passwords.

I used Windows 10's Settings command -> Your info -> Manage my Microsoft account to find myself logging in to account.live.com to adjust security options. Not something I do very often, and needed a small amount of thinking as to how to change settings. It's not a feature of my Outlook configuration, which is where I looked first.

All of them is a safe assumption.

Thanks for posting this. It should be a "must do" for anyone still using their Microsoft account name and password as the credentials for POP3, IMAP, and/or SMTP access to a Microsoft email service.

Thanks MHI and Brian. I suppose I have a learning curve ahead as I move from the login/password set into new territory. MHI, I appreciate your primer on that front and will be referring back to it.

I updated to v4.81 from v4.73 to set up Gmail for a fallback. 1st (auto) attempt failed... POP3 worked but SMTP failed authentication. Second attempt wiped out my Outlook settings.... grrrrr... maybe third time will be the charm.

I do hope MHI's solution continues to work. I like using Outlook to weed through mail and keep messages that I wish to access from other machines. I retrieve the rest for filing in WPM. Old habits and all.

Thanks again and you'll probably see me back in here as I try to work through these "new" changes.
Craig

If you use multiple identities, be sure to run the Gmail setup while in the identity that accesses the Gmail account.

The way the Gmail setup works is that it first creates an OAUTH2 profile that is specific to the identity that created it. The creation of the profile occurs in conjunction with validating your Google account. After that, the POP3, SMTP, and IMAP host configurations are created as requested. They are tied to the OAUTH2 profile which is only visible and accessible to its creator ID. Start a new discussion if you need help with it.

This was posted on the Pegasus Mail support istserv mailing list PM-WIN:

Posted by Han van den Bogaerde on 2 Jul 2024 at 23:32

App passwords will no longer be supported by MS mail systems.

It's most likely (almost certain) that Pegasus Mail for Windows will no longer work with the
Microsoft mailing systems like Hotmail, Live, Outlook, Exchange, Office 365 and probably
more.

Gmail will be supported as it is now in the 4.81 /4.9 versions.

Hello Brian,

I learned that the hard way after I trashed my Outlook identity. grrrr.....

The third time WAS charm, I got an authentication error, learned how to set up app specific passwords on Google, and changed a security setting and now I get gmail.

This is really a shame. I DO like the Outlook interface for quickly separating the wheat from the chaff prior to retrieval.

OK... I got all the tools in place... now to try to salvage the best parts possible.

Thanks again for all your help Brian.
I wish Pegasus Mail could access MS Outlook but would NEVER ask David to consider adding it after watching his fiasco with Gmail.... sigh....
Craig

The app password is not the same as OAUTH2. I believe it is a safe assumption that Google's support for the app password will not be long lived. Getting OAUTH2 authentication working is the best long term solution for Gmail. The Gmail OAUTH2 process in Pegasus Mail gives you the option of replacing the existing host configuration files or keeping them and creating new ones. Keeping them allows you to confirm OAUTH2 is working before deleting the host configurations you no longer need.

FWIW, I never experienced a failed OAUTH2 POP3 or SMTP host configuration. I got bitten by the identity specific nature of the OAUTH2 profile though. It leaves behind a useless OAUTH2 profile file, and any host configuration files that were created will not work. Unfortunately, David Harris can not prevent the issue because there is no way to determine whether the ID triggering the Gmail configuration is one configured to access a Google email account. In retrospect, the button labeled "GMail" maybe should have been labled "Google" considering the unknown number of domain names using Google email services.

Sorry Brian, should have been more clear. "The third time' WAS my third attempt at setting up OAUTH2 for Gmail. I received a message stating it was already done and did I want to refresh it. so I said yes. After that Google DID require an app password and a security tweak.

Anyway, Gmail OAUTH2 is now enabled. I wish it also worked for MS.

Interesting! I wonder why the app password was required. OAUTH2 authentication wouldn't use it.

I have not heard of the app password requirement, perhaps because folks who have done it already had an app password.

FYI, Google seems to randomly invalidate authentication credentials. When it happens to an OAUTH2 authentication, the revalidate function in Pegasus Mail fixes it.

I still use the app password setup for Gmail. Do recall a while ago, I changed my gmail password, and it required me to redo the app password, since a change in the primary password makes any app passwords invalid. But once I did process the new app password worked fine.

My knowledge of POP3&SMTP is weak at best and non-existent with IMAP. I suffer the learning curve, set things up, and then coast for the next 10-15 years until the powers that be start screwing with a perfectly good system and break it for me. LOL!

When I set the Pegasus client up with a new (or changed) server, I put in the values the server instructions dictate, and then start dealing with the PM errors I get when attempting to access POP3 and later SMTP. After a few attempts (maybe coupled with some additional reading) I can usually get things up and running... all without a good, thorough, working knowledge on how it all functions. sigh....

Anyway... I usually have to attempt to decipher PM's error messages and try to figure out which setting page I should screw with to try to make things work. After installing the OAUTH2 (TOTALLY SEAMLESS by the way! Thanks David!) I attempted to access POP3. The error message made it plain (for a change!) that I needed to install a specific app password. I did and the error message did not repeat. Yay!

SMTP required making a change to the security page. The security names offered by the servers NEVER exactly match what I see on the PM security page. LOL!

Really appreciate the heads up here, Brian! AND, thanks again to David for all his efforts toward making the OAUTH2 painless for PM users.
Craig