Thunderbird:Exchange: Difference between revisions
m (Simplified supported list, added limitations, added topicbox) |
m (add bug queries and reorganize sections, add technical details about tenants and hosts) |
||
| Line 5: | Line 5: | ||
Calendar and address book will follow at a later date. Also in the future is Exchange via Graph API, so please do not file bug reports for these items at this time. | Calendar and address book will follow at a later date. Also in the future is Exchange via Graph API, so please do not file bug reports for these items at this time. | ||
== Setup == | == User Setup == | ||
When creating a new account using classic account creation, choose the "Exchange Web Services" option. Or if using the new Account Hub, when providing an exchange email address, "Exchange" should be automatically detected. If exchange is not detected, choose the first "Exchange" option. For additional basic information about setup see the [https://support.mozilla.org/en-US/kb/thunderbird-and-exchange Exchange knowledge base article | When creating a new account in Thunderbird using classic account creation, choose the "Exchange Web Services" option. Or if using the new Account Hub, when providing an exchange email address, "Exchange" should be automatically detected. If exchange is not detected, choose the first "Exchange" option. For additional basic information about setup see the [https://support.mozilla.org/en-US/kb/thunderbird-and-exchange Exchange knowledge base article]. | ||
== Supported email features == | == Supported email features == | ||
The following features | The following features are available in release (not ESR) Thunderbird 145.0: | ||
* Creating an account using account autoconfig | * Creating an account using account autoconfig | ||
** Note: manual configuration is not supported | ** Note: manual configuration is not yet supported | ||
* Attachment detaching and deletion | * Attachment detaching and deletion | ||
* Attachment saving and displaying | * Attachment saving and displaying | ||
| Line 42: | Line 27: | ||
* Sending messages | * Sending messages | ||
** Quoting a message when replying to, or forwarding it | ** Quoting a message when replying to, or forwarding it | ||
= Limitations and In Progress = | = Limitations and In Progress = | ||
Items yet to be implemented are "Phase 5" on the near term road map, expected to by available/resolved by | Items yet to be implemented are "Phase 5" on the near term road map, expected to by available/resolved by 1Q2026. The full list of phase 5 is [https://bugzilla.mozilla.org/showdependencytree.cgi?id=1995377&hide_resolved=1 this bug list]. The [https://support.mozilla.org/en-US/kb/thunderbird-and-exchange Exchange KB article] has a summarized list. This list is subject to change. | ||
Calendar and address book via EWS are currently in development and will follow at a later date. Also in the future is Exchange via Graph API, so please do not file bug reports for these items at this time. | |||
= How to stay informed = | |||
To stay informed about progress you might watch: | |||
* Bug reports: | |||
** The [https://bugzilla.mozilla.org/show_bug.cgi?id=1847846 Exchange meta bug 1847846] tracks most related bug reports. If you create a bugzilla account, you can click "Follow" at the top of the bug report, and you will receive an email of changes to the bug, plus notification of all dependent bugs which get closed (for example "fixed). | |||
** Potentially more dynamic, up to the minute, list of "bugs" is https://mzl.la/43C0xyF which excludes items targeted for phase 5 and internal tests | |||
* The blogs posted with the exchange tag https://blog.thunderbird.net/tag/exchange/, or subscribe to the RSS feed https://blog.thunderbird.net/feed/. | |||
* The topicbox groups mentioned below. | |||
= How to report and discuss issues = | |||
We welcome your testing and feedback, and reporting of unexpected behavior or errors. | |||
'''Only email''' for exchange is available at this time. To report a problem when using version 145 or newer, please [https://bugzilla.mozilla.org/enter_bug.cgi?product=MailNews%20Core&component=Networking:%20Exchange file a bug report]. | |||
Please use topicbox to discuss or ask questions about Exchange, either the [https://thunderbird.topicbox.com/groups/beta beta group] or the [https://thunderbird.topicbox.com/groups/enterprise enterprise group]. | |||
= The future - Graph API = | |||
Microsoft EWS is a legacy SOAP-based API for accessing Exchange data, while Microsoft Graph API is a modern, RESTful API for accessing a wide range of Microsoft 365 services, including Exchange data. | |||
The EWS API is being retired by Microsoft in favor of Graph API. However, there is still a whole year before this API gets retired, '''and''' this only impacts domains hosted on Microsoft's Office365 cloud. '''On-premise instances of EWS are not subject to this retirement deadline.''' | |||
Today Thunderbird supports EWS, and will be supporting Graph API in the future. | |||
= Microsoft hosted vs. Self hosted Exchange servers = | |||
“Microsoft hosted” refers to a scenario where an organization uses the cloud-based exchange server provided by Microsoft, using URLs which resolve to the Microsoft cloud infrastructure on Outlook.com, Office365.com or hotmail.com (no custom domains are used). These configurations require users to authenticate using Oauth2 via login.microsoftonline.com. | |||
“Self hosted” refers to a scenario where an organization (like a school or a company) provides their users with an exchange mail server that is hosted sometimes on their servers, with their domain. The exchange server could also use a custom domain with Microsoft’s Office365 server - that's the case for our test account (which domain is o365.thunderbird.net despite being hosted on Office365). | |||
If the organization allows basic password authentication for their self-hosted instance, their users will be able to use Thunderbird’s new EWS support. | |||
If the organization enforces OAuth2 authentication and has basic authentication disabled, additional steps are required. This is not yet supported, largely due to limitations in the Oauth2 authentication mechanism within Thunderbird. | |||
'''Why?''' | |||
When an email client like Thunderbird wants to use a domain to perform an OAuth handshake, two things typically need to happen first: | |||
# The mail server has to be configured by an administrator to explicitly allow Thunderbird, and credentials need to be generated that can be used by Thunderbird to connect to that system. | |||
# Thunderbird has to be made aware of the credentials. | |||
An example of this can be seen in the handshake details between login.microsoftonline.com in the OAuth2Providers.sys.mjs file of the Thunderbird codebase. Note that the OAuth2Providers.sys.mjs file is currently the only place within Thunderbird where domains are enabled for Oauth2 authentication. | |||
== Microsoft hosted scenario - most common == | |||
In the Thunderbird API, office365.com, outlook.com, and hotmail.com all map to login.microsoftonline.com. So if a user’s organization uses one of these three, we have the required handshake credentials (for login.microsoftonline.com) already in Thunderbird and so they will be able to register and use their exchange email in Thunderbird. | |||
== Microsoft hosted with tenant-specific instance - less common. == | |||
TLDR - This is not yet supported. | |||
Some organizations and institutions have their own partitioned instances of Microsoft’s cloud-based infrastructure, allowing them to customize security and settings for their enterprise. In this case, their users will authenticate at a slightly different URL which is not yet supported, due to similar OAuth2 limitations. | |||
We are looking to change our Oauth2 mechanism to allow this in the near future - this year. | |||
== Self hosted scenario - less common == | |||
TLDR - self hosted (aka on-premise) is not yet supported. | |||
You can tell from this OAuth2Providers.sys.mjs file that there are no domains correlating to self hosted mail servers, meaning Thunderbird won’t know anything about an exchange web server hosted within non-cloud infrastructure so won’t be able to complete an OAuth handshake with this server. | |||
To ease this painful situation of a self hosted server being usable in Thunderbird, Geoff improved our code so that now Thunderbird can consume these handshake details via an add-on. So now it’s possible for a mail server administrator to create a customized (to their server) add-on that provides the OAuth handshake details of their server which their users can install, or that can be rolled out to users via enterprise policy. However, since this is a limited scenario (self hosted is a pain that many organizations choose not to do), we’ve struggled to get external testers (we do not have this setup in our exchange test account). | |||
There’s an additional problem with this approach if a user tries to use it with a domain that resolves to login.microsoftonline.com; let’s say the user has a second/personal exchange email that they want to also add in Thunderbird. This is problematic because the API code will reject an exact domain match, causing the user to be unable to add their second exchange email account in Thunderbird. | |||
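Review bot: The added "Self hosted" definition under "Microsoft hosted vs. Self hosted Exchange servers" also covers a custom domain served from Office365, while the later "Self hosted scenario" heading equates self hosted with on-premise. A reader whose custom domain sits on Office365 cannot tell which section applies, so consider making that its own case or stating which OAuth2 path it takes. Smaller points in the same hunk: the new sentence "Calendar and address book via EWS are currently in development and will follow at a later date" nearly repeats the unchanged sentence at the top of the page; "expected to by available" should read "expected to be available"; (for example "fixed) is missing its closing quote; "there is still a whole year before this API gets retired" will go stale and reads better as a date; and "Oauth2" and "OAuth2" are both used.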
Revision as of 22:47, 24 October 2025
Our Exchange implementation is via the EWS API (Exchange Web Services), currently limited to email. First enabled in version 141, version 145 is almost feature complete for email, with some items still in progress listed below.
Calendar and address book will follow at a later date. Also in the future is Exchange via Graph API, so please do not file bug reports for these items at this time.
User Setup
When creating a new account in Thunderbird using classic account creation, choose the "Exchange Web Services" option. Or, if using the new Account Hub, "Exchange" should be automatically detected when you provide an Exchange email address. If Exchange is not detected, choose the first "Exchange" option. For additional basic information about setup see the Exchange knowledge base article (https://support.mozilla.org/en-US/kb/thunderbird-and-exchange).
Supported email features
The following features are available in release (not ESR) Thunderbird 145.0:
- Creating an account using account autoconfig
  - Note: manual configuration is not yet supported
- Attachment detaching and deletion
- Attachment saving and displaying
- Displaying the list of folders for an account
- Displaying the list of messages in a selected folder
- Displaying the content of messages
- Folder creation, deletion, rename, copying, moving, repair, compaction
- Folder moving and copying
- Message deleting
- Message filters
  - Note: some filters, such as those requiring the full message body, aren't supported yet.
- Sending messages
  - Quoting a message when replying to, or forwarding it
Limitations and In Progress
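Items yet to be implemented are "Phase 5" on the near term road map, expected to be available/resolved by 1Q2026. The full list of phase 5 items is this bug list (https://bugzilla.mozilla.org/showdependencytree.cgi?id=1995377&hide_resolved=1). The Exchange KB article (https://support.mozilla.org/en-US/kb/thunderbird-and-exchange) has a summarized list. This list is subject to change.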
Calendar and address book via EWS are currently in development and will follow at a later date. Also in the future is Exchange via Graph API, so please do not file bug reports for these items at this time.
How to stay informed
To stay informed about progress you might watch:
- Bug reports:
  - The Exchange meta bug 1847846 (https://bugzilla.mozilla.org/show_bug.cgi?id=1847846) tracks most related bug reports. If you create a bugzilla account, you can click "Follow" at the top of the bug report, and you will receive an email of changes to the bug, plus notification of all dependent bugs which get closed (for example "fixed").
  - A potentially more dynamic, up-to-the-minute list of "bugs" is https://mzl.la/43C0xyF, which excludes items targeted for phase 5 and internal tests.
- The blog posts with the exchange tag at https://blog.thunderbird.net/tag/exchange/, or subscribe to the RSS feed https://blog.thunderbird.net/feed/.
- The topicbox groups mentioned below.
How to report and discuss issues
We welcome your testing and feedback, and reporting of unexpected behavior or errors.
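Only email for Exchange is available at this time. To report a problem when using version 145 or newer, please file a bug report (https://bugzilla.mozilla.org/enter_bug.cgi?product=MailNews%20Core&component=Networking:%20Exchange).
Please use topicbox to discuss or ask questions about Exchange, either the beta group (https://thunderbird.topicbox.com/groups/beta) or the enterprise group (https://thunderbird.topicbox.com/groups/enterprise).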
The future - Graph API
Microsoft EWS is a legacy SOAP-based API for accessing Exchange data, while Microsoft Graph API is a modern, RESTful API for accessing a wide range of Microsoft 365 services, including Exchange data.
The EWS API is being retired by Microsoft in favor of Graph API. However, there is still a whole year before this API gets retired, and this only impacts domains hosted on Microsoft's Office365 cloud. On-premise instances of EWS are not subject to this retirement deadline.
Today Thunderbird supports EWS, and will be supporting Graph API in the future.
Microsoft hosted vs. Self hosted Exchange servers
“Microsoft hosted” refers to a scenario where an organization uses the cloud-based Exchange server provided by Microsoft, using URLs which resolve to the Microsoft cloud infrastructure on Outlook.com, Office365.com or hotmail.com (no custom domains are used). These configurations require users to authenticate using OAuth2 via login.microsoftonline.com.
“Self hosted” refers to a scenario where an organization (like a school or a company) provides their users with an Exchange mail server that is hosted, sometimes on their own servers, with their domain. The Exchange server could also use a custom domain with Microsoft’s Office365 server - that's the case for our test account (whose domain is o365.thunderbird.net despite being hosted on Office365).
If the organization allows basic password authentication for their self-hosted instance, their users will be able to use Thunderbird’s new EWS support.
If the organization enforces OAuth2 authentication and has basic authentication disabled, additional steps are required. This is not yet supported, largely due to limitations in the OAuth2 authentication mechanism within Thunderbird.
Why?
When an email client like Thunderbird wants to use a domain to perform an OAuth handshake, two things typically need to happen first:
- The mail server has to be configured by an administrator to explicitly allow Thunderbird, and credentials need to be generated that can be used by Thunderbird to connect to that system.
- Thunderbird has to be made aware of the credentials.
An example of this can be seen in the handshake details for login.microsoftonline.com in the OAuth2Providers.sys.mjs file of the Thunderbird codebase. Note that the OAuth2Providers.sys.mjs file is currently the only place within Thunderbird where domains are enabled for OAuth2 authentication.
Microsoft hosted scenario - most common
In the Thunderbird API, office365.com, outlook.com, and hotmail.com all map to login.microsoftonline.com. So if a user’s organization uses one of these three, we already have the required handshake credentials (for login.microsoftonline.com) in Thunderbird, and they will be able to register and use their Exchange email in Thunderbird.
Microsoft hosted with tenant-specific instance - less common
TLDR - This is not yet supported.
Some organizations and institutions have their own partitioned instances of Microsoft’s cloud-based infrastructure, allowing them to customize security and settings for their enterprise. In this case, their users will authenticate at a slightly different URL which is not yet supported, due to similar OAuth2 limitations.
We are looking to change our OAuth2 mechanism to allow this in the near future - this year.
Self hosted scenario - less common
TLDR - self hosted (aka on-premise) is not yet supported.
You can tell from this OAuth2Providers.sys.mjs file that there are no domains correlating to self hosted mail servers, meaning Thunderbird won’t know anything about an Exchange web server hosted within non-cloud infrastructure, so it won’t be able to complete an OAuth handshake with this server.
To ease the painful situation of making a self hosted server usable in Thunderbird, Geoff improved our code so that Thunderbird can now consume these handshake details via an add-on. It is now possible for a mail server administrator to create an add-on, customized to their server, that provides the OAuth handshake details of that server. Their users can install it, or it can be rolled out to users via enterprise policy. However, since this is a limited scenario (self hosted is a pain that many organizations choose not to take on), we’ve struggled to get external testers (we do not have this setup in our Exchange test account).
There’s an additional problem with this approach if a user tries to use it with a domain that resolves to login.microsoftonline.com; let’s say the user has a second/personal Exchange email that they also want to add in Thunderbird. This is problematic because the API code will reject an exact domain match, causing the user to be unable to add their second Exchange email account in Thunderbird.
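The hostname-to-issuer lookup from the "Microsoft hosted scenario" and the add-on registration with its exact-match rejection from the "Self hosted scenario", as a simplified model added here for illustration. It is not Thunderbird's OAuth2Providers.sys.mjs code: createRegistry, lookupIssuer and registerAddonProvider are hypothetical names, parent-domain matching is an assumption, and mail.example.edu and sso.example.edu are constructed placeholders.

```javascript
// Simplified model of a hostname -> OAuth2 issuer registry (illustrative only;
// the names and the matching rule are assumptions, not Thunderbird's code).
const BUILT_IN = [
  ["office365.com", "login.microsoftonline.com"],
  ["outlook.com", "login.microsoftonline.com"],
  ["hotmail.com", "login.microsoftonline.com"],
];

function createRegistry() {
  const builtIn = new Map(BUILT_IN);
  const fromAddons = new Map(); // hostname -> issuer supplied by an add-on

  // Try the full hostname, then each parent domain; null means no handshake
  // details are known, so an OAuth2 login cannot even start.
  function lookupIssuer(hostname) {
    const labels = hostname.toLowerCase().split(".");
    for (let i = 0; i < labels.length - 1; i++) {
      const candidate = labels.slice(i).join(".");
      const issuer = builtIn.get(candidate) ?? fromAddons.get(candidate);
      if (issuer) return issuer;
    }
    return null;
  }

  // An add-on supplies handshake details for its own server. Registration is
  // refused when a hostname is already known (the exact-match rejection).
  function registerAddonProvider(issuer, hostnames) {
    const wanted = hostnames.map(h => h.toLowerCase());
    const clash = wanted.find(h => builtIn.has(h) || fromAddons.has(h));
    if (clash) {
      return { ok: false, reason: `hostname already registered: ${clash}` };
    }
    for (const h of wanted) fromAddons.set(h, issuer);
    return { ok: true };
  }

  return { lookupIssuer, registerAddonProvider };
}

// Constructed walk-through of the three scenarios on a fresh registry.
function demo() {
  const reg = createRegistry();
  return {
    microsoftHosted: reg.lookupIssuer("outlook.office365.com"),
    selfHostedBefore: reg.lookupIssuer("mail.example.edu"),
    addonSelfHosted: reg.registerAddonProvider("sso.example.edu", ["mail.example.edu"]),
    selfHostedAfter: reg.lookupIssuer("mail.example.edu"),
    addonClash: reg.registerAddonProvider("sso.example.edu", ["outlook.com"]),
  };
}
console.log(demo());
```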