Merge branch 'main' into build

Author: simonrob

.github/workflows/build.yml

@@ -15,7 +15,7 @@ jobs:
       output: ${{ steps.latest_tag.outputs.tag }}
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - id: latest_tag
         run: |
             git fetch -a
@@ -31,15 +31,15 @@ jobs:
         os: [macos-latest, windows-latest]
 
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@v5
+      - uses: actions/setup-python@v6
         with:
           python-version: '3.x'
 
       # install requirements
       # - note: `imageio` is required here to convert our PNG icon to a format nuitka can handle (nuitka itself is a separate action)
       # - note: `certifi` is required here because pyinstaller no longer bundles certificates (pyinstaller #7229)
-      # - note: `boto3`, `requests`, `google-auth` and corresponding pyinstaller hidden imports / nuitka included 
+      # - note: `boto3`, `requests`, `google-auth` and corresponding pyinstaller hidden imports / nuitka included
       #         packages are so that advanced proxy features work in pre-built binaries
       # - note: `--hidden-import timeago.locales.en_short` is required for GUI mode until `timeago` #40 is fixed
       - run: |
@@ -77,7 +77,7 @@ jobs:
           filename: emailproxy-${{ needs.get_tag.outputs.output }}_pyinstaller-${{ runner.os }}.zip
 
       # append the pyinstaller zip to the latest release
-      - uses: xresloader/[email protected].0
+      - uses: xresloader/[email protected].1
         with:
           file: dist/*.zip
           update_latest_release: true
@@ -89,6 +89,7 @@ jobs:
             move emailproxy.py _.py
             echo '# nuitka-project-if: {OS} in ("Windows"):' >> _.txt
             echo '#    nuitka-project: --windows-icon-from-ico=icon.png' >> _.txt
+            echo '#    nuitka-project: --windows-console-mode=disable' >> _.txt
             echo '# nuitka-project-if: {OS} == "Darwin":' >> _.txt
             echo '#    nuitka-project: --macos-app-icon=icon.png' >> _.txt
             move _.txt emailproxy.py
@@ -108,7 +109,7 @@ jobs:
                           google
                           jwt
           nofollow-import-to: '*.tests'
-      
+
       # replace previous build files (-f vs. -fo behaviour differences mean we can't combine); add macOS quarantine tips
       - if: runner.os == 'macOS'
         run: |
@@ -130,7 +131,7 @@ jobs:
           filename: emailproxy-${{ needs.get_tag.outputs.output }}_nuitka-${{ runner.os }}.zip
 
       # append the nuitka zip to the latest release
-      - uses: xresloader/[email protected].0
+      - uses: xresloader/[email protected].1
         with:
           file: dist/*.zip
           update_latest_release: true

.github/workflows/pypi.yml

@@ -13,8 +13,8 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@v5
+      - uses: actions/setup-python@v6
         with:
           python-version: '3.x'
 
@@ -57,7 +57,7 @@ jobs:
             ./dist/*.whl
 
       # append the built packages to the latest release
-      - uses: xresloader/upload-to-github-release@v1
+      - uses: xresloader/upload-to-github-release@v1.6.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

README.md

@@ -4,13 +4,9 @@ Transparently add OAuth 2.0 support to IMAP/POP/SMTP client applications, script
 <div align="center">
   <br><strong>Email OAuth 2.0 Proxy is sponsored by</strong><br><br>
   <a href="https://auth-email.com/?ref=emailproxy">
-    <picture>
-      <source width="300" media="(prefers-color-scheme: dark)" srcset="https://auth-email.com/static/img/logo-full-dark.svg">
-      <source width="300" media="(prefers-color-scheme: light)" srcset="https://auth-email.com/static/img/logo-full-light.svg">
-      <img width="300" src="https://auth-email.com/static/img/logo-full.png" alt="Auth-Email.com logo">
-    </picture><br>
-    <b>Email OAuth made simple</b><br>
-    <sup>Use any app, client or device to access your OAuth mail accounts with ease.</sup>
+    <img width="300" fetchpriority="high" src="https://auth-email.com/static/img/logo-providers.svg" alt="Auth-Email.com logo and supported mail providers"><br>
+    <b>Auth-Email.com – email OAuth made easy</b><br>
+    <sup>Send and receive from <i>any</i> account with <i>every</i> email client, app or device.</sup>
   </a><br><br>
 </div>
 
@@ -24,7 +20,7 @@ It can be used with any email provider that supports OAuth 2.0 authentication, i
 
 ### Example use-cases<a id="example-use-cases"></a>
 - You need to use an Office 365 email account, but don't get on with Outlook.
-The email client you like doesn't support OAuth 2.0, which became mandatory [in January 2023](https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-deprecation-in-exchange-online-september/ba-p/3609437) ([September 2024 for personal Hotmail/Outlook accounts](https://support.microsoft.com/en-us/office/modern-authentication-methods-now-needed-to-continue-syncing-outlook-email-in-non-microsoft-email-apps-c5d65390-9676-4763-b41f-d7986499a90d); [September 2025 for O365 SMTP](https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-online-to-retire-basic-auth-for-client-submission-smtp/ba-p/4114750)).
+The email client you like doesn't support OAuth 2.0, which became mandatory for IMAP/POP [in January 2023](https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-deprecation-in-exchange-online-september/ba-p/3609437) ([September 2024 for personal Hotmail/Outlook accounts](https://support.microsoft.com/en-us/office/modern-authentication-methods-now-needed-to-continue-syncing-outlook-email-in-non-microsoft-email-apps-c5d65390-9676-4763-b41f-d7986499a90d); [April 2026 for O365 SMTP](https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-online-to-retire-basic-auth-for-client-submission-smtp/ba-p/4114750)).
 - You used to use Gmail via IMAP/POP/SMTP with your raw account credentials (i.e., your real password), but cannot do this now that Google has disabled this method, and don't want to use an [App Password](https://support.google.com/accounts/answer/185833) (or cannot enable this option).
 - You have an account already set up in an email client, and you need to switch it to OAuth 2.0 authentication.
 You can edit the server details, but the client forces you to delete and re-add the account to enable OAuth 2.0, and you don't want to do this.
@@ -254,7 +250,7 @@ See the [documentation and examples](https://github.com/simonrob/email-oauth2-pr
 ## Potential improvements (pull requests welcome)<a id="potential-improvements-pull-requests-welcome"></a>
 - Full feature parity on different platforms (e.g., live menu updating; monitoring network status; clickable notifications)
 - Switch to asyncio? (with Python 3.12, [PEP 594](https://peps.python.org/pep-0594/) removed the asyncore package that the proxy is built upon – currently mitigated by the use of [pyasyncore](https://pypi.org/project/pyasyncore/))
-- Remote STARTTLS for IMAP/POP?
+- Local and/or remote STARTTLS for IMAP/POP?
 
 
 ## Related projects and alternatives<a id="related-projects-and-alternatives"></a>

emailproxy.config

@@ -139,7 +139,7 @@ documentation = Accounts are specified using your email address as the section h
 
 	- Office 365 shared mailboxes are supported: add an account entry here using the email address of the shared
 	mailbox as the account name. When asked to authenticate, log in as the user that access has been delegated to.
-	Note that Office 365 no-longer supports the `[email protected]/delegated.mailbox` username syntax.
+	Note that Office 365 no-longer supports the `[email protected]\delegated.mailbox` username syntax.
 
 	- It is possible to create Office 365 / Outlook OAuth 2.0 clients that do not require a secret to be sent. If this
 	is the case for your setup, delete the `client_secret` line from your account's configuration entry (do not leave

emailproxy.py

@@ -6,7 +6,7 @@
 __author__ = 'Simon Robinson'
 __copyright__ = 'Copyright (c) 2025 Simon Robinson'
 __license__ = 'Apache 2.0'
-__package_version__ = '2025.6.25'  # for pyproject.toml usage only - needs to be ast.literal_eval() compatible
+__package_version__ = '2025.10.4'  # for pyproject.toml usage only - needs to be ast.literal_eval() compatible
 __version__ = '-'.join('%02d' % int(part) for part in __package_version__.split('.'))  # ISO 8601 (YYYY-MM-DD)
 
 import abc
@@ -2163,8 +2163,8 @@ def process_data(self, byte_data):
             updated_response = re.sub('( AUTH=%s)+' % capability, ' AUTH=PLAIN', str_response, flags=re.IGNORECASE)
             if not re.search(' AUTH=PLAIN', updated_response, re.IGNORECASE):
                 # cannot just replace e.g., one 'CAPABILITY ' match because IMAP4 must be first if present (RFC 1730)
-                updated_response = re.sub('(CAPABILITY)( IMAP%s)?' % capability, r'\1\2 AUTH=PLAIN', updated_response,
-                                          count=1, flags=re.IGNORECASE)
+                updated_response = re.sub('(CAPABILITY)((?: IMAP%s)*)' % capability, r'\1\2 AUTH=PLAIN',
+                                          updated_response, count=1, flags=re.IGNORECASE)
             updated_response = updated_response.replace(' AUTH=PLAIN', '', updated_response.count(' AUTH=PLAIN') - 1)
             if not re.search(' SASL-IR', updated_response, re.IGNORECASE):
                 updated_response = updated_response.replace(' AUTH=PLAIN', ' AUTH=PLAIN SASL-IR')
@@ -2313,11 +2313,6 @@ def process_data(self, byte_data):
             updated_response = re.sub(r'250([ -])AUTH(?: [A-Z\d_-]{1,20})+', r'250\1AUTH PLAIN LOGIN', str_data,
                                       flags=re.IGNORECASE)
             updated_response = re.sub(r'250([ -])STARTTLS(?:\r\n)?', r'', updated_response, flags=re.IGNORECASE)
-            if ehlo_end and self.ehlo.lower().startswith(b'ehlo'):
-                if 'AUTH PLAIN LOGIN' not in self.ehlo_response:
-                    self.ehlo_response += '250-AUTH PLAIN LOGIN\r\n'
-                if self.custom_configuration['local_starttls'] and not self.client_connection.ssl_connection:
-                    self.ehlo_response += '250-STARTTLS\r\n'  # we always remove STARTTLS; re-add if permitted
             self.ehlo_response += '%s\r\n' % updated_response if updated_response else ''
 
             if ehlo_end:
@@ -2327,10 +2322,19 @@ def process_data(self, byte_data):
                     self.starttls_state = self.STARTTLS.NEGOTIATING
 
                 elif self.starttls_state is self.STARTTLS.COMPLETE:
-                    # we replay the original EHLO response to the client after server STARTTLS completes
-                    split_response = self.ehlo_response.split('\r\n')
-                    split_response[-1] = split_response[-1].replace('250-', '250 ')  # fix last item if modified
-                    super().process_data('\r\n'.join(split_response).encode('utf-8'))
+                    # we modify and replay the original EHLO response to the client after server STARTTLS completes
+                    self.ehlo_response = self.ehlo_response.rstrip('\r\n')
+                    if self.ehlo.lower().startswith(b'ehlo'):
+                        if 'AUTH PLAIN LOGIN' not in self.ehlo_response:
+                            self.ehlo_response += '\r\n250-AUTH PLAIN LOGIN'
+                        if self.custom_configuration['local_starttls'] and not self.client_connection.ssl_connection:
+                            self.ehlo_response += '\r\n250-STARTTLS'  # we always remove STARTTLS; re-add if permitted
+
+                        # correct the last line where needed (250- vs 250 )
+                        self.ehlo_response = self.ehlo_response.replace('\r\n250 ', '\r\n250-')
+                        self.ehlo_response = '250 '.join(self.ehlo_response.rsplit('250-', 1))
+
+                    super().process_data(b'%s\r\n' % self.ehlo_response.encode('utf-8'))
                     self.ehlo = None  # only clear on completion - we need to use for any repeat calls
                 self.ehlo_response = ''