Here are instructions for configuring a University of Helsinki Office 365 (O365) account for use in Cubbli Linux. These instructions aren't Cubbli-specific and can be applied to other Linux versions and even other operating systems.
Cubbli has multiple email clients installed by default. We provide Office 365 configuration for Thunderbird, Evolution and Alpine (text based). These instructions are known to work only on Cubbli 20 installations!
The University will switch to multi-factor authentication (MFA) with the OAuth2 protocol during 2021 for security reasons (our users keep giving their passwords to phishers). If an email or calendar configuration that has worked before suddenly stops working even though the user account and password are correct, your account has probably had mandatory MFA turned on. These instructions assume that MFA is being used.
Configuring Office365 to work with desktop applications and MFA can be complicated. Unless you really need a desktop email or calendar application, please consider just using the Outlook web application (OWA) at https://www.helsinki.fi/office365.
Teams is installed by default in Cubbli. Please see the Microsoft Teams page. Teams has a built-in Office365 Calendar available.
One option for O365 calendar access is to sync your Office 365 calendar to your Google calendar and then sync Google Calendar from your desktop calendar application. Google then will have access to your O365 calendar too.
General settings for any email client
Your email client needs to support OAuth2 authentication. You need to use your own AD account instead of firstname.lastname@example.org and your own email address instead of email@example.com. O365 does not allow you to use any email address other than your own.
- When using Linux you need to have at least a Cubbli 20 / Ubuntu 20.04 installation. Older distributions are unlikely to work.
- The authentication domain is ad.helsinki.fi and your account is of the form firstname.lastname@example.org, while the email domain is just email@example.com. You need to get both correctly entered.
- First, enable some MFA authentication methods for your user account. Here are our local wiki instructions (in Finnish). Here are your personal MFA settings at O365. If MFA is not yet on for your O365 account these instructions are likely to still work, but without the extra authentication step.
- Set incoming mail settings (IMAP):
  - User account: firstname.lastname@example.org
  - IMAP Mail server: outlook.office365.com
  - Connection security: SSL/TLS
  - Authentication method: OAuth2
- Set outgoing mail settings (SMTP):
  - User account: email@example.com
  - Your correct exact email address (O365 does not allow changing sender address): firstname.lastname@example.org
  - SMTP server: smtp.office365.com
  - Connection security: STARTTLS
  - Authentication method: OAuth2
- The mail client will forward you to the University of Helsinki Office 365 authentication server stshy.helsinki.fi for password authentication. If you get forwarded anywhere else, something went wrong and you should not give your password.
- At this point you do the second authentication with the MFA authentication option you selected.
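The check in the step about stshy.helsinki.fi, written out as an added example (not part of the original instructions): the host of the login URL is compared exactly, instead of looking for the name somewhere in the address. The /login path and the login.example hosts are constructed sample input.

```python
from urllib.parse import urlsplit

# Login host named on this page; every URL below is constructed sample input.
EXPECTED_LOGIN_HOST = "stshy.helsinki.fi"

SAMPLE_URLS = [
    "https://stshy.helsinki.fi/login",                 # expected host
    "https://STSHY.Helsinki.FI:443/login",             # same host, other spelling
    "http://stshy.helsinki.fi/login",                  # no TLS
    "https://stshy.helsinki.fi.login.example/login",   # expected name is only a prefix
    "https://stshy.helsinki.fi@login.example/login",   # expected name is only userinfo
    "https://login.example/?next=stshy.helsinki.fi",   # expected name is only in the query
    "https://stshy.helsinki.fi:99999/login",           # malformed port
]


def login_url_verdict(url: str, expected_host: str = EXPECTED_LOGIN_HOST) -> str:
    """Return "ok" if url is an https URL on exactly expected_host, else the reason."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname   # lower-cased, without userinfo and port
        port = parts.port       # raises ValueError for a malformed port
    except ValueError:
        return "malformed URL"
    if parts.scheme != "https":
        return "not https"
    if parts.username is not None or parts.password is not None:
        # Text before "@" is userinfo, not the host the browser connects to.
        return "userinfo before the host"
    if port not in (None, 443):
        return "unexpected port"
    # Exact comparison: a substring or prefix test would accept look-alike hosts.
    if host != expected_host:
        return f"host is {host!r}"
    return "ok"


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(f"{login_url_verdict(sample):32} {sample}")
```

Only the first two sample URLs pass; the others all contain the expected name but would send the password to a different host or over an unencrypted connection.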
If you have an application that supports IMAP and SMTP but does not support MFA, this MS documentation might help: https://support.microsoft.com/en-us/account-billing/using-app-passwords-with-apps-that-don-t-support-two-step-verification-5896ed9b-4263-e681-128a-a6f2979a7944
If you have an application that needs the tenant ID for ad.helsinki.fi, it is 98ae7559-10dc-4288-8e2e-4593e62fe3ee.
NOTE: these instructions have been created with the help of Gnome wiki: https://wiki.gnome.org/Apps/Evolution/EWS/OAuth2
You need evolution-ews plugin to be installed for this. It is installed by default in Cubbli.
Select Edit/Accounts and then Add / Mail account. Do not select the "Look up mail server details" button. It won't work.
Change "Server type" to "Exchange Web Services"
Useas Host URL.
On Authentication, click the box "Override Office365 OAuth2 settings" and use 20460e5d-ce91-49af-a3a5-70b6be7486d1 as Application ID.
At this point Evolution hung.
After restart the process continued.
Use Edit / Account settings button to edit your incoming and outgoing email settings.
Thunderbird IMAP and SMTP settings:
Thunderbird Multi Factor Authentication (MFA)
The windows will look slightly different depending on whether you are doing this in the University internal network or on the external Internet. You need to accept the MFA authentication on your phone.
Login to University first with password
Approve sign-in request with your phone
Give Thunderbird permissions to your email.
Alpine (or Pine)
Cubbli 20 has a version of (Al)Pine which works with University O365 email by default. T
- If you have an old version of ~/.pinerc, rename or delete it first ($ mv ~/.pinerc ~/.pinerc_old, for example).
- Create .pine-passfile ($ touch ~/.pine-passfile), to which your authentication token will be saved.
- Start Alpine and follow the instructions. It will ask you to create a password for the passfile and ask if you want to save the authentication information there. Say yes so you don't have to do the MFA every time you start Alpine. You just need to know the password that you gave earlier.
- Other than the above the procedure will go as pictured below.
When your INBOX is configured to access O365, the Alpine login process looks like this. MFA login is probably simpler when Alpine is treated as a device.