E-mail with text-based clients, using IMAP and SMTP with Nexus 365

Some people find web-based or other graphical mail clients cumbersome or unwieldy, and there are circumstances under which using a graphical interface is inconvenient or simply not possible. Here are our recommendations for text-based mail clients on desktop systems in Physics.

MFA

The university is starting a policy of requiring MFA for logins. This means that, once it is enabled, app passwords must be created and used for text-based mail clients. Generating them is completely reliant on central IT; please follow the instructions here and generate one before configuration:

https://help.it.ox.ac.uk/create-an-app-password-for-nexus365

This app password should be used in place of your SSO password.

Replacement strategy

The configuration instructions use metavariable names, which you should replace with values pertaining to you:

  • replace abcd1234 by your University-wide SSO username (usually of the form phys1234);
  • replace my_physics_login by whatever you use to log into Physics's desktops and servers;
  • replace my_email_identity by your registered e-mail identity (e.g. "J.Random.Physicist@physics.ox.ac.uk");
  • replace My Real Name by however you wish people to address you-as-you formally.

Please note:

  • Where @OX.AC.UK is specified, using capital letters is important.
  • Some lines may end up with two at signs. This is intentional: the first is part of your Nexus365 login name, which happens to have an embedded at sign. This is agreed to be confusing.

Please see also:

Fundamentals

  • Ext username: abcd1234@OX.AC.UK # (amend abcd1234 as above)
  • Incoming:
    • Site: outlook.office365.com
    • Protocol: IMAP4 (port 993)
    • Encryption: STARTTLS
  • Outgoing:
    • within University network:
      • Site: smtp.ox.ac.uk
      • Protocol: SMTPS, port 587
      • Encryption: TLS, or STARTTLS
    • off-site:
      • Site: outlook.office365.com
      • Protocol: SMTPS, port 587
      • Encryption: STARTTLS

Pine, and Alpine

Configuration

This is done by editing the file .pinerc in your home directory, or equivalently (for some settings, but not all) by entering Setup inside pine. Please take a copy of this file before you update it as insurance, and as documentation of what used to work (including settings not discussed here).

IMAP settings: access your inbox

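This will permit you to read incoming e-mails, and to move them between folders. You will be prompted for a password when you invoke alpine; this should be an app password generated via the Nexus system. Note that the /novalidate-cert flag in the line below tells alpine not to verify the server's certificate.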

inbox-path={outlook.office365.com:993/ssl/novalidate-cert/user=abcd1234@OX.AC.UK}Inbox

This password is (intentionally) hard to remember and difficult to type, so we will also enable password storage by typing

touch ~/.pine-passfile; chmod 600 ~/.pine-passfile

When you start up alpine this will cause it to prompt for the password and then whether or not you want to store it. The storage uses encryption with a master password (that you can set) so there is little risk to this method. This will also store your SMTP password once you've typed it in the first time.

Mail folders

To see mail folders other than Inbox from Nexus365 in alpine add the following line:

folder-collections=Nexus365folders {outlook.office365.com:993/ssl/novalidate-cert/user=abcd1234@OX.AC.UK}[]

If this does not work, please see the folder-collection line in:

Stanford's Alpine configuration suggestions

.... and be creative; then let us know what you did, and whether or not it worked, so we can amend this section.

Copies to self

To file copies to yourself in the Sent Items folder, add:

default-fcc={outlook.office365.com:993/ssl/novalidate-cert/user=abcd1234@OX.AC.UK}Sent Items

SMTP (outgoing mail), on-site:

For desktop systems or servers on-site, please use:

smtp-server=smtp.ox.ac.uk:587/tls/novalidate-cert/user=abcd1234@OX.AC.UK

.... replacing abcd1234 with your own SSO.

This is known to demand you enter your password for each e-mail sent. Ways of working round this are under investigation.

SMTP (outgoing mail), off-site:

For laptops, and other systems off-site, please use:

smtp-server=smtp.office365.com:587/tls/novalidate-cert/user=abcd1234@OX.AC.UK

.... replacing abcd1234 with your own SSO. Please let us know whether you have problems with this, other than with being nagged for passwords.

Further reading:

Please see also (and compare and contrast):

Stanford's Alpine configuration suggestions
Florida State Uni's suggestions

.... and be prepared to make local substitutions.

Mutt, and neomutt

This has been shamelessly stolen from mutt-office365 on Github, with hints from Stanford's mutt configuration suggestions, and some local modifications.

Build and configuration

The copy of mutt to be used should have TLS (née SSL) and PGP support. For example, the version we distribute to Apple desktop systems with MacPorts is built using:

port install neomutt +gdbm +imap +gnutls +gpgme +mutt

.... where +mutt adds a symbolic link, so it can be invoked as "mutt" under the Principle of Least Surprise.

When mutt starts up, it looks for the file .muttrc or .mutt/muttrc in your home directory. The directives below go there. (Please note that the order of definitions in one's .muttrc is significant.)

IMAP settings: access your inbox

This will permit you to read incoming e-mails, and to move them between folders. You can add the app password into the settings file. There are ways to encrypt this (https://unix.stackexchange.com/questions/20570/mutt-how-to-safely-store-...) but they are beyond the scope of this guide.

# use your own SSO; capital letters matter here
set imap_user="abcd1234@OX.AC.UK"
set imap_pass = "app password"
set folder="imaps://outlook.office365.com:993/"

set imap_check_subscribed="yes"
set imap_list_subscribed="no" # See below
set timeout=15
set mail_check=90
set imap_keepalive=180
set imap_idle
unset mark_old
set ssl_use_sslv3=yes

Please note: mutt-office365 includes set imap_list_subscribed="yes", which results in one's Directory browser display being empty, and disables the perniciously-useful tab completion mechanism for folder names. Disabling imap_list_subscribed is an experimental variation (implicit in Stanford's suggestions), which we have found re-enables Directory listing and tab completion. We reserve the right to revert this suggestion in the light of experience.

Mail folders

This lets you access the mail folders you specify in the Mailboxes browser. The macro definition is a single line which has had to be backslash-folded twice to fit in this margin; the list of mailboxes shown is merely an extremely truncated example (my full list stretches halfway to the horizon).

set spoolfile=+INBOX
mailboxes +INBOX +code-coffee +oxcert +backups # .... snipissimo
# NB: These two lines must come after the IMAP settings block.

# Add keystroke aliases to enter and leave Browser mode.
#
macro index,pager y \
"<change-folder>?<toggle-mailboxes><toggle-mailboxes>" \
"show incoming mailboxes list"
#
bind browser y exit

# Ensure any FCC reply is saved in the current folder.
folder-hook . 'set record=^'

Please note: the symbol + in the first two lines means "with respect to my mail directory"; the IMAP settings block changes said mail directory from the default ~/Mail/ to your office365 mailbox; and the order of configuration lines is significant. Upshot: said two lines need to come after the IMAP settings block.

Copies to self

Please see the last line in the previous subsection, which causes copies to appear in the current mail directory, alongside the message being replied to.

SMTP (outgoing mail)

set smtp_url=smtp://abcd1234@OX.AC.UK@outlook.office365.com:587
set ssl_force_tls=yes
set smtp_pass=apppassword
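
As an added example (not part of the original page, nor of Alpine or mutt), the script below audits a .pinerc or .muttrc for three settings used in the configurations above that weaken the protection of the app password: /novalidate-cert (the server certificate is not checked), ssl_use_sslv3=yes, and a clear-text imap_pass or smtp_pass. It also checks that the file is not accessible to other users. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Sample files are constructed.

# audit_mailrc FILE: print "FILE:LINE: finding" for each risky setting.
audit_mailrc() {
    awk '
        /^[ \t]*#/ { next }    # ignore comment lines
        /\/novalidate-cert/ {
            print FILENAME ":" FNR ": novalidate-cert: server certificate not verified"
        }
        /^[ \t]*set[ \t]+ssl_use_sslv3[ \t]*=[ \t]*"?yes/ {
            print FILENAME ":" FNR ": ssl_use_sslv3=yes: obsolete SSLv3 permitted"
        }
        /^[ \t]*set[ \t]+(imap|smtp)_pass[ \t]*=/ {
            print FILENAME ":" FNR ": app password stored in clear text"
        }
    ' "$1"
}

# private_mode FILE: true only if group and other have no access (e.g. 600).
private_mode() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# audit_all FILE...: run both checks on each file that exists.
audit_all() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        audit_mailrc "$f"
        private_mode "$f" || echo "$f: accessible by group or other; chmod 600"
    done
}

# Constructed demo input, modelled on the settings on this page.
demo=$(mktemp -d)
cat > "$demo/pinerc" <<'EOF'
inbox-path={outlook.office365.com:993/ssl/novalidate-cert/user=abcd1234@OX.AC.UK}Inbox
smtp-server=smtp.ox.ac.uk:587/tls/novalidate-cert/user=abcd1234@OX.AC.UK
EOF
cat > "$demo/muttrc" <<'EOF'
set imap_pass = "app password"
set ssl_use_sslv3=yes
set ssl_force_tls=yes
# set smtp_pass=apppassword
EOF
chmod 600 "$demo/pinerc"; chmod 644 "$demo/muttrc"
audit_all "$demo/pinerc" "$demo/muttrc"
rm -rf "$demo"
```

To audit real files, call audit_all ~/.pinerc ~/.muttrc ~/.mutt/muttrc; files that do not exist are skipped.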
