uOS 1.35 – SMTP with Microsoft OAuth 2.0

Zyxel_Lynn

With uOS 1.35, Zyxel firewalls now support SMTP authentication using Microsoft OAuth 2.0. This update is critical because Microsoft has deprecated traditional username + password authentication for mail services in favor of token-based OAuth authentication with multi-factor support.

Why This Matters

• Traditional SMTP login relied on just a username and password.
• Microsoft accounts now require OAuth 2.0, which involves:
  • Multi-factor authentication (via Authenticator app, fingerprint, etc.)
  • Token-based sessions stored in the client
  • The ability to use a single token across multiple services (single sign-on).

This presented a challenge for firewalls, which cannot perform interactive MFA like a human user.

Zyxel’s Solution

The firewall uses a user-assisted initial authentication to obtain the token.

1. The administrator authenticates once in a browser (on behalf of the firewall).
2. Microsoft Azure returns an authentication code to the firewall via a Redirect URI.
3. The firewall stores the token and uses refresh tokens to keep it valid indefinitely.
4. From then on, the firewall can send SMTP notifications securely without requiring repeated MFA.

Configuration Requirements

To enable Microsoft OAuth 2.0 for SMTP, you will need:

• Tenant ID
• Client ID
• Client Secret

These values are obtained from Microsoft Azure.

Additionally, the firewall requires a Redirect URI that matches exactly the IP address or FQDN used to access the firewall GUI.

Step-by-Step Setup

1. Register an Application in Azure

• Log in to the Azure Portal.
• Go to App Registrations > New Registration.
• Name the app (e.g., SMTP with OAuth 2.0).
• Under Redirect URI, select Web and enter:

https://<firewall_IP_or_FQDN>/cgi-bin/ms_oauth2.cgi

(Use the same IP/FQDN you’ll use to access the firewall GUI — mismatches will cause errors.)

2. Collect Application IDs

• From the app Overview page, copy:
  • Tenant ID
  • Client ID
• Under Certificates & Secrets, create a new Client Secret.
  • Copy the value immediately (Azure hides it after refresh).

3. Grant API Permissions

• Go to API Permissions.
• Add Microsoft Graph → Delegated Permissions:
  • offline_access
  • SMTP.Send

4. Configure the Firewall

On the firewall GUI:

• Navigate to System > Notification > Mail Server.
• Select Microsoft OAuth 2.0 authentication.
• Enter:
  • Sender email (your Microsoft 365 account)
  • Tenant ID
  • Client ID
  • Client Secret
• Click Get New Token.

A Microsoft login window will appear. Complete the authentication once, and the firewall will store the token.

Common issue: If you registered 192.168.169.1 as your redirect URI but you accessed the firewall via 192.168.168.1, Azure will reject the authentication with a redirect URI mismatch.

Always ensure the Redirect URI in Azure matches the exact management IP/FQDN you use when authenticating.

Testing

• After obtaining a valid token, use Send Report Now under notifications.
• The firewall will send an email summary via Microsoft 365 authenticated SMTP.
• Event logs will confirm token validity and SMTP success.

Key Benefits

• Supports Microsoft’s modern authentication requirements.
• Works with two-factor accounts (token stored, no need for repeated MFA).
• Ensures firewalls can still send critical alert and summary emails through Office 365.

Key Takeaway

With uOS 1.35, Zyxel firewalls are fully compatible with Microsoft’s OAuth 2.0 SMTP authentication, ensuring reliable email alerts and reports even after legacy login deprecation.