To submit a mail message for delivery, virtually all public mail
servers require clients to authenticate and will only accept messages
from authorized users. In some cases, they may also require the sender
email address match the account being used to authenticate the
session. It is also typical for most public mail servers to reject
authentication attempts over a standard (non-secure) connection. You
should always use a secure connection whenever possible.
All authentication methods require the mail server to support the
standard service extensions for authentication as specified in the RFC
4954. The server must support the ESMTP protocol extensions and the
AUTH command. A user name and password are required for
authentication. If you wish to authenticate without a user password,
you must use one of the OAuth 2.0 authentication methods.
If the nAuthType parameter is omitted, it will default to
using SMTP_AUTH_LOGIN and this is accepted by most mail servers. It is
common for mail servers to allow the SMTP_AUTH_PLAIN method as well,
however it is recommended you explicitly check whether the server
supports the desired authentication method by calling the
GetExtendedOptions method. If you attempt to use an
authentication type which is not supported by the server, this
method will fail and the last error code will be set to
ST_ERROR_INVALID_AUTHENTICATION_TYPE.
You should only use an OAuth 2.0 authentication method if
you understand the process of how to request the access token. Obtaining
an access token requires registering your application with the mail
service provider (e.g.: Microsoft or Google), getting a unique
client ID associated with your application and then requesting the
access token using the appropriate scope for the service. Obtaining
the initial token will typically involve interactive confirmation
on the part of the user, requiring they grant permission to your
application to access their mail account.
The SMTP_AUTH_XOAUTH2 and SMTP_AUTH_BEARER authentication methods are
similar, but they are not interchangeable. Both use an OAuth 2.0 bearer
token to authenticate the client session, but they differ in how the
token is presented to the server. It is currently preferable to use the
XOAUTH2 method because it is more widely available and some service
providers do not yet support the OAUTHBEARER method.
Your application should not store an OAuth 2.0 bearer token for later
use. They have a relatively short lifespan, typically about an hour, and
are designed to be used with that session. You should specify offline
access as part of the OAuth 2.0 scope if necessary and store the refresh
token provided by the service. The refresh token has a much longer
validity period and can be used to obtain a new bearer token when needed.
DWORD dwOptions = 0;
BOOL bExtended = pClient->GetExtendedOptions(&dwOptions);
if (bUseBearerToken)
{
if (bExtended && (dwOptions & SMTP_EXTOPT_XOAUTH2))
{
INT nResult = pClient->Authenticate(lpszUserName, lpszBearerToken, SMTP_AUTH_XOAUTH2);
if (nResult == SMTP_ERROR)
{
return;
}
}
else
{
return;
}
}
else
{
if (bExtended && (dwOptions & SMTP_EXTOPT_AUTHLOGIN))
{
INT nResult = pClient->Authenticate(lpszUserName, lpszPassword);
if (nResult == SMTP_ERROR)
{
return;
}
}
else
{
return;
}
}