SASL XOAuth2 for IMAP | POP Authentication in Zoho Mail

IMAP (Internet Message Access Protocol) and POP (Post Office Protocol) help fetch emails from an email server and store and display them through an email client.

In this guide, you will learn how to use the SASL XOAuth2 mechanism to authenticate the IMAP/POP connection from your application to send or fetch emails using Zoho Mail.

OAuth 2.0 is the standard authentication framework that enables third-party applications to gain secure access to application resources, without having to authenticate every time. It provides a secure channel for third-party application developers to create and implement features and functions in their customised applications enabling end users to access server resources through predefined API calls. Learn more about OAuth 2.0.

Register your application

To use the SASL XOAuth2 mechanism to send out emails from your application using Zoho Mail, you need to register your application as a Self-Client in the Zoho Mail API Console, with the scope ZOHOMAIL.PROTOCOL.<Protocol Name>, to generate the Authorization code.

The scope for each protocol will be as follows:

  1. IMAP - ZOHOMAIL.PROTOCOL.IMAP
  2. POP - ZOHOMAIL.PROTOCOL.POP

Generate access token

Once you register your application as a self client in Zoho API console and generate the Authorization code, use the code to generate the Access and Refresh tokens to authenticate the connection requests.

SASL XOAuth2 mechanism

The SASL XOAuth2 mechanism uses base64 encoding to encode the access token along with the username to make the connection request to the server. To encode the values, the username and access token should be provided in the following format:

base64("user=" + username + "^Aauth=Bearer " + accesstoken + "^A^A")

The ^A given above represents Control+A, that is, the single byte 0x01, not the two characters "^" and "A".

For example, the initial response for the user name testuser@zylker.com and the access token 1000.dummyAccessTokenForIMAP.74352743ff0ac7e0d88b0bea0d10e5e5 will be as given below:

base64("user=testuser@zylker.com^Aauth=Bearer 1000.dummyAccessTokenForIMAP.74352743ff0ac7e0d88b0bea0d10e5e5^A^A")

After the base64 encoding, the format will be as given below (line break inserted for clarity):

dXNlcj10ZXN0VXNlckB6eWxrZXJiaXouY29tAWF1dGg9QmVhcmVyIDEwMDAuZHVtbXlBY2Nlc3NUb2tlbkZ
vclNNVFAuNzQzNTI3NDNmZjBhYzdlMGQ4OGIwYmVhMGQxMGU1ZTUBAQ
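The encoding described above, as an added example (not Zoho's code): `build_xoauth2` produces the initial response with real 0x01 separators, and `check_xoauth2` decodes a response and reports common structural mistakes without ever returning the token. Both function names are hypothetical; the sample values are the dummy user and token used in this guide.

```python
import base64
import binascii

PREFIX = b"auth=Bearer "

def build_xoauth2(username: str, access_token: str) -> str:
    """Return the base64 initial response; byte 0x01 is the Control+A separator."""
    if any(c in username + access_token for c in "\x01\r\n"):
        raise ValueError("control characters are not allowed in the fields")
    raw = f"user={username}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")

def check_xoauth2(encoded: str) -> dict:
    """Decode a response and report structural problems; never echo the token."""
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError):
        return {"ok": False, "reason": "invalid base64 (truncated or unpadded?)"}
    if b"\x01" not in raw and b"^A" in raw:
        return {"ok": False, "reason": "literal '^A' text instead of byte 0x01"}
    if not raw.endswith(b"\x01\x01"):
        return {"ok": False, "reason": "missing terminating 0x01 0x01"}
    fields = raw[:-2].split(b"\x01")
    if (len(fields) != 2 or not fields[0].startswith(b"user=")
            or not fields[1].startswith(PREFIX)):
        return {"ok": False, "reason": "expected user=... and auth=Bearer ..."}
    # Report only the token length so the result is safe to log.
    return {"ok": True,
            "user": fields[0][5:].decode("utf-8", "replace"),
            "token_len": len(fields[1]) - len(PREFIX)}

if __name__ == "__main__":
    blob = build_xoauth2(
        "testuser@zylker.com",
        "1000.dummyAccessTokenForIMAP.74352743ff0ac7e0d88b0bea0d10e5e5")
    print(check_xoauth2(blob))
    # Constructed mistake: the separator typed as the two characters '^' and 'A'.
    wrong = base64.b64encode(b"user=a@b.c^Aauth=Bearer tok^A^A").decode("ascii")
    print(check_xoauth2(wrong))
```

Treat the encoded string as a credential: base64 is reversible, so it should be kept out of logs and traces just like the access token itself.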

IMAP Protocol Exchange

The IMAP Protocol Exchange method using the SASL XOAUTH2 mechanism is explained below:

Auth Command

The exchange begins with the client sending the AUTHENTICATE command with the XOAUTH2 parameter, as given below:

tag AUTHENTICATE XOAUTH2 <base64 string in XOAUTH2 format>

Authentication: Success

The sample client-server exchange message resulting in authentication success will be as given below (line-breaks are inserted for clarity):

S: * OK abc.zoho.com IMAP4 Server (Zoho Mail IMAP4rev1 Server version 1.0)
C: tag authenticate xoauth2
S: +
C: dXNlcj1hcnVua3VtYXJwQHpvaG9jb3JwLmNvbV5BYXV0aD1CZWFyZXIgMTAwMC42Y2RiMmZmODUyY2IwZDc5ZGI0ZDQwNGQzZjMxNTEyNy5jNDg3NGZiNDQ5YTExYjg3OGM2MzQyMjNmMGY5YjIyYl5BXkE=
S: * CAPABILITY IMAP4rev1 UNSELECT CHILDREN XLIST NAMESPACE IDLE MOVE ID AUTH=PLAIN SASL-IR UIDPLUS ESEARCH LIST-EXTENDED LIST-STATUS WITHIN LITERAL- APPENDLIMIT=41943040 MULTISEARCH ACL ENABLE CONDSTORE AUTH=XOAUTH2
S: tag OK Success

Authentication: Failure

The sample client-server exchange message resulting in authentication failure will be as given below (line-breaks are inserted for clarity):

S: * OK abc.zoho.com IMAP4 Server (Zoho Mail IMAP4rev1 Server version 1.0)
C: th authenticate xoauth2
S: +
C: dXNlcj1hcnVua3VtYXJwQHpvaG9jb3JwLmNvbV5BYXV0aD1CZWFyZXIgMTAwMC4wMjMwY2IzOGUwZTliMmVhNmZmMWJlYzdmZmE3NmY5My5mMGJhYmUxZmIyOTVlZWUyZjlm
S: th NO [AUTHENTICATIONFAILED] Invalid credentials(Failure)
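
One way to drive the IMAP exchange shown above from a client, as an added example rather than Zoho's code: `imap_xoauth2` is a hypothetical function that works over any pair of line-based streams, skips untagged responses, and cancels with `*` (RFC 3501) if the server sends a further continuation. The scripted server lines and the blob are constructed for the example.

```python
import base64
import io

# Constructed values: a dummy identity and scripted servers modeled on the samples.
BLOB = base64.b64encode(
    b"user=testuser@zylker.com\x01auth=Bearer 1000.dummyToken\x01\x01").decode()
SERVER_OK = (b"* OK abc.zoho.com IMAP4 Server\r\n+\r\n"
             b"* CAPABILITY IMAP4rev1 AUTH=XOAUTH2\r\ntag OK Success\r\n")
SERVER_FAIL = (b"* OK abc.zoho.com IMAP4 Server\r\n+\r\n"
               b"tag NO [AUTHENTICATIONFAILED] Invalid credentials(Failure)\r\n")

def imap_xoauth2(rfile, wfile, blob, tag="tag"):
    """Run AUTHENTICATE XOAUTH2 over line-based streams; return (ok, status)."""
    if not rfile.readline().startswith(b"* OK"):
        return False, "unexpected greeting"
    wfile.write(f"{tag} AUTHENTICATE XOAUTH2\r\n".encode("ascii"))
    sent = False
    while True:
        line = rfile.readline()
        if not line:
            return False, "connection closed before tagged response"
        text = line.decode("ascii", "replace").rstrip("\r\n")
        if text.startswith("+"):
            # First continuation: send the blob. Any later one: cancel with "*".
            wfile.write((b"*" if sent else blob.encode("ascii")) + b"\r\n")
            sent = True
        elif text.startswith(tag + " "):
            status = text[len(tag) + 1:]
            # The status text is safe to log; the blob carries the token and is not.
            return status.split(" ", 1)[0].upper() == "OK", status
        # Untagged lines such as "* CAPABILITY ..." are skipped.

def run(server_bytes):
    """Replay a scripted server; return the result and the lines the client sent."""
    out = io.BytesIO()
    ok, status = imap_xoauth2(io.BytesIO(server_bytes), out, BLOB)
    return ok, status, out.getvalue().split(b"\r\n")[:-1]

if __name__ == "__main__":
    print(run(SERVER_OK)[:2])
    print(run(SERVER_FAIL)[:2])
```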

POP Protocol Exchange

The POP Protocol Exchange method using the SASL XOAUTH2 mechanism is explained below:

Auth Command

The exchange begins with the client sending the AUTH command with the XOAUTH2 parameter, as given below:

AUTH XOAUTH2 <base64 string in XOAUTH2 format>

Authentication: Success

The sample client-server exchange message resulting in authentication success will be as given below (line-breaks are inserted for clarity):

S: +OK POP3 zohomail.com.in v1.0 server ready <25921.1754981836641@zohomail.com.in>
C: auth xoauth2
S: + Ready for additional text
C: dXNlcj1hcnVua3VtYXJwQHpvaG9jb3JwLmNvbV5BYXV0aD1CZWFyZXIgMTAwMC5kYjBmOTUzOGVkM2FjNTg1NWZmYzc1OWViY2UzYTMwZS43ZGQ3OWVlMzU3ZTQwMTdkMWY1NTY1YThmODY0Y2IwYl5BXkE=
S: +OK

Authentication: Failure

The sample client-server exchange message resulting in authentication failure will be as given below (line-breaks are inserted for clarity):

S: +OK POP3 zohomail.com.in v1.0 server ready <28783.1754ab2262209@zohomail.com.in>
C: auth xoauth2
S: + Ready for additional text
C: dXNlcj1hcnVua3VtYXJwQHpvaG9jb3JwLmNvbV5BYXV0aD1CZWFyZXIgMTAwMC5kYjBmOTUzOGVkM2FjNTg1NWZmYzc1OWViY2UzYTMwZS43ZGQ3OWVlMzU3ZTQwMTdkMWY1NTY1YThmODY0Y2Iw
S: -ERR Authentication failed
