Postfix OAuth for Office 365 / Microsoft 365
Expert Postfix configuration for OAuth2 authentication to Microsoft 365 (formerly Office 365) / Exchange Online. Enable secure email relaying for servers, applications, devices, and scripts in a post-basic-auth world — using sasl-xoauth2 or similar tools for compliant, token-based access.
Our Postfix OAuth Consulting for Microsoft 365
Zwiegnet provides specialized Postfix expertise to implement modern OAuth2 authentication (XOAUTH2 / SASL OAuth) for relaying email through Microsoft 365 / Exchange Online SMTP (smtp.office365.com:587). With Microsoft's phase-out of basic authentication, we help Linux servers, applications, printers, and legacy systems continue sending reliably and securely — without passwords in configs or insecure workarounds.
Our Postfix OAuth services include:
- Microsoft Entra App Registration & Permissions – Register apps in Entra ID (Azure AD), grant SMTP.Send delegated permissions, configure redirect URIs (e.g., for device code flow), and handle tenant/client ID/secret setup.
- sasl-xoauth2 Installation & Configuration – Build/install the SASL XOAUTH2 plugin (from tarickb/sasl-xoauth2 or compatible forks), set up token storage, and integrate with Postfix for client-side OAuth support.
- Postfix Relay Setup for Microsoft 365 – Configure relayhost=[smtp.office365.com]:587, enable smtp_sasl_auth_enable, mechanism filtering (xoauth2), TLS enforcement, and password_maps pointing to token files.
- Token Acquisition & Refresh – Use device code flow or authorization code flow to obtain/refresh access tokens securely; automate with scripts, systemd timers, or tools like sasl-xoauth2-tool for unattended operation.
- Relay for Legacy/Non-OAuth Clients – Set up Postfix as an intermediate authenticated relay for devices/apps (printers, scanners, monitoring tools) that only support basic auth or no auth — forward securely via OAuth to Microsoft 365.
- Security Hardening & Compliance – Firewall rules, fail2ban integration, certificate validation, conditional access policy compatibility, minimal scopes, and token file permissions/SELinux contexts.
- Troubleshooting & Deliverability – Diagnose token refresh failures, SPF/DKIM/DMARC alignment, rate limiting, authentication logs (/var/log/maillog), and issues with shared mailboxes or multi-tenant setups.
- Migration from Basic Auth – Transition existing Postfix relays from login/password to OAuth2 before deadlines; test with low-traffic senders and monitor for disruptions.
- Integration & Automation – Combine with Ansible for deployment, WHMCS/Virtualmin hooks, or custom scripts; support for multiple accounts/domains and fallback relays.
Ideal for businesses, hosting providers, sysadmins, and organizations with on-prem Linux servers or devices needing to send via Microsoft 365 securely — especially post-basic-auth deprecation. We ensure full compliance with modern authentication requirements while maintaining deliverability and uptime.
Located between Madison and Milwaukee, Wisconsin since 2009 — direct access to experienced Postfix specialists with real-world OAuth2 deployments on AlmaLinux, Ubuntu, Debian, and other enterprise Linux distributions.