[POCO (class Poco::Net::SMTPException - 0): SMTP Exception: The mail service does not support XOAUTH2 authentication

[Vin745]

I am trying to send an email using OAUTH2.0 Authentication type, using Poco 1.11.0 version, but I am getting the below expectation.

Your email system reported an error sending mail. details: [POCO (class Poco::Net::SMTPException - 0): SMTP Exception: The mail service does not support XOAUTH2 authentication: 250-MA1PEPF00007263.mail.protection.outlook.com Hello [XXX.XXX.XXX.XXX]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8]

Please review the code snippet below and let me know your thoughts.

#include
#include
#include <Poco/JSON/Parser.h>
#include "Poco/Net/MailMessage.h"
#include "Poco/Net/MailRecipient.h"
#include "Poco/Net/SMTPClientSession.h"
#include "Poco/Net/StringPartSource.h"
#include "Poco/Net/NetException.h"
#include "Poco/Net/SecureSMTPClientSession.h"
#include "Poco/Net/SslManager.h"
#include "Poco/Net/HTTPRequest.h"
#include "Poco/Net/HTTPSClientSession.h"
#include "Poco/Net/HTTPResponse.h"
#include <Poco/Net/AcceptCertificateHandler.h>
#include <Poco/Net/Context.h>

int main(int argc, char** argv)
{
string AuthToken = //Getting from other function.
string smtpHost = "Servername";
Poco::UInt16 port = 25;
try {
// Initialize SSL Context for STARTTLS
// POCO SSL initialization.
std::shared_ptr sessionPtr;

	Poco::SharedPtr<InvalidCertHandler> invalidCertHandler(new InvalidCertHandler());
	Context::Ptr contextPtr = new Context(
		Context::TLS_CLIENT_USE,
		"",
		Context::VerificationMode::VERIFY_STRICT,
		Context::OPT_PERFORM_REVOCATION_CHECK | Context::OPT_TRUST_ROOTS_WIN_CERT_STORE | Context::OPT_USE_STRONG_CRYPTO);

	contextPtr->disableProtocols(Context::PROTO_SSLV2 | Context::PROTO_SSLV3 | Context::PROTO_TLSV1 | Context::PROTO_TLSV1_1 | Context::PROTO_TLSV1_3);

	SSLManager::instance().initializeClient(nullptr, invalidCertHandler, contextPtr);

	std::shared_ptr<SecureSMTPClientSession> secureSessionPtr(new SecureSMTPClientSession(smtpHost, port));
	secureSessionPtr->login(Poco::Net::SMTPClientSession::AUTH_XOAUTH2, sender_email, AuthToken);
	secureSessionPtr->startTLS();
	sessionPtr = secureSessionPtr;
}
catch (const Poco::Exception& e)
{
	const Poco::Net::SMTPException* pSmtpExc = dynamic_cast<const Poco::Net::SMTPException*>(&e);
	if (pSmtpExc)
	{
		int errorClass = e.code() / 100;
		if (errorClass == 5)
		{
			//shouldRetry = false;
		}
	}

	string pocoMsg = e.message();
	if (pocoMsg.empty() && !pSmtpExc && e.code() != 0)
	{
		pocoMsg = e.code();
	}

	string msg = "[POCO ({0} - {1}): {2}]";
	replaceAll(msg, "{0}", e.className());
	replaceAll(msg, "{1}", to_string(e.code()));
	replaceAll(msg,"{2}", e.name() + string(": ") + pocoMsg);
	//AfxMessageBox(msg.c_str());

}

}

[matejk]

Does it work with the latest version of Poco?

[Vin745]

Did you mean the 1.14.0 version? I haven't tried it, but I can give it a try.

Poco 1.11.0 doesn't support OAuth 2.0, let me know if you have any idea.

[matejk]

Analysis

This is not a POCO bug - it's a code sequence error.

The Problem

Your code calls login() with AUTH_XOAUTH2 before calling startTLS():

secureSessionPtr->login(Poco::Net::SMTPClientSession::AUTH_XOAUTH2, sender_email, AuthToken);  // ❌ Auth FIRST
secureSessionPtr->startTLS();  // TLS second

Why This Fails

1. SMTP servers don't advertise AUTH methods before STARTTLS - this is standard security practice
2. Look at your server's EHLO response - it lists STARTTLS but no AUTH mechanisms:

   250-STARTTLS
   250-8BITMIME
   250 SMTPUTF8
   

3. POCO correctly checks if XOAUTH2 is advertised, finds it's not, and throws the exception

Correct Order

From POCO's NetSSL_OpenSSL/samples/Mail/src/Mail.cpp:

SecureSMTPClientSession session(mailhost);
session.login();                                    // 1. Initial EHLO (no auth)
session.startTLS(pContext);                         // 2. Upgrade to TLS
session.login(SMTPClientSession::AUTH_XOAUTH2,      // 3. Auth AFTER TLS
              username, password);
session.sendMessage(message);

Corrected Code

Poco::Net::initializeSSL();

SharedPtr<InvalidCertificateHandler> pCert = new AcceptCertificateHandler(false);
Context::Ptr pContext = new Context(
    Context::TLS_CLIENT_USE, "", 
    Context::VERIFY_RELAXED,    // Use VERIFY_RELAXED for Outlook
    9, true);
SSLManager::instance().initializeClient(nullptr, pCert, pContext);

SecureSMTPClientSession session(smtpHost, port);
session.login();                                    // Initial EHLO
session.startTLS(pContext);                         // Upgrade to TLS
session.login(SMTPClientSession::AUTH_XOAUTH2,      // Authenticate
              sender_email, AuthToken);
session.sendMessage(message);
session.close();

Poco::Net::uninitializeSSL();

Additional Notes

1. Port 25 is typically for relay/MTA traffic. For authenticated submission, port 587 is standard. Consider switching.
2. For Outlook OAuth2, the "password" parameter should be the OAuth2 access token (not the refresh token)
3. POCO 1.11.0 should support AUTH_XOAUTH2 - the issue is purely the call sequence

Please try the corrected flow and let us know if it works. This is a usage question rather than a bug, so I'd recommend converting this to a Q&A discussion.