Refine SMTP HELO/EHLO handling; update readme

simonrob · simonrob · commit 9a27a5684ddc · 2025-10-04T21:20:12.000+01:00
diff --git a/README.md b/README.md
@@ -4,13 +4,9 @@ Transparently add OAuth 2.0 support to IMAP/POP/SMTP client applications, script
 <div align="center">
   <br><strong>Email OAuth 2.0 Proxy is sponsored by</strong><br><br>
   <a href="https://auth-email.com/?ref=emailproxy">
-    <picture>
-      <source width="300" media="(prefers-color-scheme: dark)" srcset="https://auth-email.com/static/img/logo-full-dark.svg">
-      <source width="300" media="(prefers-color-scheme: light)" srcset="https://auth-email.com/static/img/logo-full-light.svg">
-      <img width="300" src="https://auth-email.com/static/img/logo-full.png" alt="Auth-Email.com logo">
-    </picture><br>
-    <b>Email OAuth made simple</b><br>
-    <sup>Use any app, client or device to access your OAuth mail accounts with ease.</sup>
+    <img width="300" fetchpriority="high" src="https://auth-email.com/static/img/logo-providers.svg" alt="Auth-Email.com logo and supported mail providers"><br>
+    <b>Auth-Email.com – email OAuth made easy</b><br>
+    <sup>Send and receive from <i>any</i> account with <i>every</i> email client, app or device.</sup>
   </a><br><br>
 </div>
 
@@ -24,7 +20,7 @@ It can be used with any email provider that supports OAuth 2.0 authentication, i
 
 ### Example use-cases<a id="example-use-cases"></a>
 - You need to use an Office 365 email account, but don't get on with Outlook.
-The email client you like doesn't support OAuth 2.0, which became mandatory [in January 2023](https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-deprecation-in-exchange-online-september/ba-p/3609437) ([September 2024 for personal Hotmail/Outlook accounts](https://support.microsoft.com/en-us/office/modern-authentication-methods-now-needed-to-continue-syncing-outlook-email-in-non-microsoft-email-apps-c5d65390-9676-4763-b41f-d7986499a90d); [September 2025 for O365 SMTP](https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-online-to-retire-basic-auth-for-client-submission-smtp/ba-p/4114750)).
+The email client you like doesn't support OAuth 2.0, which became mandatory for IMAP/POP [in January 2023](https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-deprecation-in-exchange-online-september/ba-p/3609437) ([September 2024 for personal Hotmail/Outlook accounts](https://support.microsoft.com/en-us/office/modern-authentication-methods-now-needed-to-continue-syncing-outlook-email-in-non-microsoft-email-apps-c5d65390-9676-4763-b41f-d7986499a90d); [April 2026 for O365 SMTP](https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-online-to-retire-basic-auth-for-client-submission-smtp/ba-p/4114750)).
 - You used to use Gmail via IMAP/POP/SMTP with your raw account credentials (i.e., your real password), but cannot do this now that Google has disabled this method, and don't want to use an [App Password](https://support.google.com/accounts/answer/185833) (or cannot enable this option).
 - You have an account already set up in an email client, and you need to switch it to OAuth 2.0 authentication.
 You can edit the server details, but the client forces you to delete and re-add the account to enable OAuth 2.0, and you don't want to do this.
@@ -254,7 +250,7 @@ See the [documentation and examples](https://github.com/simonrob/email-oauth2-pr
 ## Potential improvements (pull requests welcome)<a id="potential-improvements-pull-requests-welcome"></a>
 - Full feature parity on different platforms (e.g., live menu updating; monitoring network status; clickable notifications)
 - Switch to asyncio? (with Python 3.12, [PEP 594](https://peps.python.org/pep-0594/) removed the asyncore package that the proxy is built upon – currently mitigated by the use of [pyasyncore](https://pypi.org/project/pyasyncore/))
-- Remote STARTTLS for IMAP/POP?
+- Local and/or remote STARTTLS for IMAP/POP?
 
 
 ## Related projects and alternatives<a id="related-projects-and-alternatives"></a>
diff --git a/emailproxy.py b/emailproxy.py
@@ -6,7 +6,7 @@
 __author__ = 'Simon Robinson'
 __copyright__ = 'Copyright (c) 2025 Simon Robinson'
 __license__ = 'Apache 2.0'
-__package_version__ = '2025.10.2'  # for pyproject.toml usage only - needs to be ast.literal_eval() compatible
+__package_version__ = '2025.10.4'  # for pyproject.toml usage only - needs to be ast.literal_eval() compatible
 __version__ = '-'.join('%02d' % int(part) for part in __package_version__.split('.'))  # ISO 8601 (YYYY-MM-DD)
 
 import abc
@@ -2314,11 +2314,6 @@ def process_data(self, byte_data):
                                       flags=re.IGNORECASE)
             updated_response = re.sub(r'250([ -])STARTTLS(?:\r\n)?', r'', updated_response, flags=re.IGNORECASE)
             self.ehlo_response += '%s\r\n' % updated_response if updated_response else ''
-            if ehlo_end and self.ehlo.lower().startswith(b'ehlo'):
-                if 'AUTH PLAIN LOGIN' not in self.ehlo_response:
-                    self.ehlo_response += '250-AUTH PLAIN LOGIN\r\n'
-                if self.custom_configuration['local_starttls'] and not self.client_connection.ssl_connection:
-                    self.ehlo_response += '250-STARTTLS\r\n'  # we always remove STARTTLS; re-add if permitted
 
             if ehlo_end:
                 self.client_connection.connection_state = SMTPOAuth2ClientConnection.STATE.PENDING
@@ -2327,10 +2322,19 @@ def process_data(self, byte_data):
                     self.starttls_state = self.STARTTLS.NEGOTIATING
 
                 elif self.starttls_state is self.STARTTLS.COMPLETE:
-                    # we replay the original EHLO response to the client after server STARTTLS completes
-                    split_response = self.ehlo_response.split('\r\n')
-                    split_response[-1] = split_response[-1].replace('250-', '250 ')  # fix last item if modified
-                    super().process_data('\r\n'.join(split_response).encode('utf-8'))
+                    # we modify and replay the original EHLO response to the client after server STARTTLS completes
+                    self.ehlo_response = self.ehlo_response.rstrip('\r\n')
+                    if self.ehlo.lower().startswith(b'ehlo'):
+                        if 'AUTH PLAIN LOGIN' not in self.ehlo_response:
+                            self.ehlo_response += '\r\n250-AUTH PLAIN LOGIN'
+                        if self.custom_configuration['local_starttls'] and not self.client_connection.ssl_connection:
+                            self.ehlo_response += '\r\n250-STARTTLS'  # we always remove STARTTLS; re-add if permitted
+
+                        # correct the last line where needed (250- vs 250 )
+                        self.ehlo_response = self.ehlo_response.replace('\r\n250 ', '\r\n250-')
+                        self.ehlo_response = '250 '.join(self.ehlo_response.rsplit('250-', 1))
+
+                    super().process_data(b'%s\r\n' % self.ehlo_response.encode('utf-8'))
                     self.ehlo = None  # only clear on completion - we need to use for any repeat calls
                 self.ehlo_response = ''
 
