OAuth SMTP Support
Ares supports OAuth 2.0 Client Credentials authentication for outbound SMTP email delivery. This allows institutions to use modern authentication with Microsoft 365, Google Workspace, or any custom OAuth-compatible email provider, replacing or supplementing traditional username/password SMTP authentication.
Many organizations are disabling basic authentication for SMTP in favor of OAuth to comply with security requirements. This feature enables Ares to continue delivering email notifications through these providers. For background on the Microsoft 365 transition, see Impact of End of Support for Microsoft/Office 365 Basic Authentication on Ares.
Prerequisites
- Ares Server version 5.0.19.0 or later
- An OAuth application registration with your email provider (e.g., an Azure AD App Registration for Microsoft 365, or a Google Cloud project for Google Workspace)
- The following credentials from your provider:
  - Client ID
  - Client Secret
  - Tenant ID (Microsoft 365 only)
  - Token Endpoint URL
  - Scope
Configuring an OAuth SMTP Profile
OAuth SMTP profiles are managed through the Ares Customization Manager under System > Email > OAuthProfiles.
Creating a New Profile
- Open the Ares Customization Manager.
- Navigate to System > Email in the tree and select OAuthProfiles.
- Click the New Profile dropdown button in the ribbon toolbar.
- Select a provider template:
  - Microsoft 365 — Pre-populates the token endpoint template and scope for Office 365.
  - Google Workspace — Pre-populates the token endpoint and scope for Gmail/Google SMTP.
  - Custom — Starts with blank fields for any other OAuth-compatible provider.
- Fill in the required fields:
  - TokenEndpoint — The OAuth token URL. For Microsoft 365, the pre-populated template contains a {tenantId} placeholder — enter your Azure AD tenant ID in the TenantId field and it will be substituted at runtime.
  - Scope — The OAuth scope required by your provider (pre-populated for Microsoft 365 and Google Workspace).
  - TenantId — Your Azure AD tenant ID (Microsoft 365 only).
  - ClientId — The application/client ID from your OAuth app registration.
  - ClientSecret — The client secret from your OAuth app registration. This value is encrypted at rest in the database and is never displayed after saving.
- Click Save.
Editing an Existing Profile
- Select the profile row in the OAuthProfiles grid.
- Modify any fields as needed.
- To update the ClientSecret, click the Replace Secret button that appears in the Client Secret field. This clears the existing secret and allows you to enter a new one.
- Click Save.
The ClientSecret is encrypted in the database and cannot be retrieved or viewed after it is saved. If you need to change it, you must replace it with a new value.
How It Works
When the Ares System Manager processes outbound email, it checks whether an OAuth profile exists in the OAuthProfiles table. If a profile is configured, Ares uses the OAuth 2.0 Client Credentials flow to obtain an access token from the configured token endpoint and authenticates to the SMTP server using that token. If no OAuth profile is configured, Ares falls back to traditional basic (username/password) authentication using the EmailUsername and EmailPassword customization keys.
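The token request and SMTP authentication step described above, as an added example that is not Ares code: it substitutes the {tenantId} placeholder, rejects a token endpoint that is not HTTPS before the client secret would be sent to it, and builds the client-credentials request body and the SMTP bearer-token string. The function names, the Microsoft endpoint and scope strings, the sample IDs, and the use of the SASL XOAUTH2 mechanism are assumptions; the page does not show the values Ares pre-populates or name the SASL mechanism it uses.

```python
import base64
from urllib.parse import urlencode, urlsplit

REQUIRED = ("TokenEndpoint", "Scope", "ClientId", "ClientSecret")

def resolve_token_endpoint(template, tenant_id=""):
    """Substitute {tenantId}; reject endpoints that would expose the secret."""
    tenant_id = tenant_id.strip()
    if "{tenantId}" in template and not tenant_id:
        raise ValueError("template contains {tenantId} but TenantId is empty")
    url = template.replace("{tenantId}", tenant_id)
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("token endpoint must be an absolute https:// URL")
    return url

def build_token_request(profile):
    """Return (url, form body) for an RFC 6749 section 4.4 token request."""
    missing = [k for k in REQUIRED if not profile.get(k)]
    if missing:
        raise ValueError("profile is missing: " + ", ".join(missing))
    url = resolve_token_endpoint(profile["TokenEndpoint"], profile.get("TenantId", ""))
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": profile["ClientId"],
        "client_secret": profile["ClientSecret"],
        "scope": profile["Scope"],
    })
    return url, body  # POST body as application/x-www-form-urlencoded

def xoauth2_initial_response(mailbox, access_token):
    """Base64 SASL XOAUTH2 string sent with the SMTP AUTH XOAUTH2 command."""
    raw = "user={}\x01auth=Bearer {}\x01\x01".format(mailbox, access_token)
    return base64.b64encode(raw.encode()).decode()

# Constructed sample profile: field names follow the page, values are assumed.
SAMPLE_PROFILE = {
    "TokenEndpoint": "https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token",
    "Scope": "https://outlook.office365.com/.default",
    "TenantId": "00000000-0000-0000-0000-000000000000",
    "ClientId": "11111111-1111-1111-1111-111111111111",
    "ClientSecret": "constructed-secret-not-real",
}

if __name__ == "__main__":
    url, body = build_token_request(SAMPLE_PROFILE)
    print("POST", url)
    print(body.replace(SAMPLE_PROFILE["ClientSecret"], "<redacted>"))
    print("AUTH XOAUTH2", xoauth2_initial_response("ares@example.edu", "<token>"))
```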
Reply-To Address for Email Templates
A new Reply-To Address field has been added to email templates. This allows administrators to specify a reply-to address that differs from the "From" address on outgoing emails.
Configuring Reply-To
- Open the Ares Customization Manager.
- Navigate to the Email Templates section.
- Select the template you want to modify.
- Enter the desired address in the Reply-To Address field.
  - The Reply-To Address field supports template tags, just like other address fields.
- Click Save.
When a recipient replies to an email sent by Ares, their email client will direct the reply to the Reply-To address instead of the From address.
New Customization Key
| Key | Category | Description |
|---|---|---|
| DatabaseUniqueID | System > System | A unique identifier used internally for OAuth credential encryption. This key is auto-generated by the server installer and should not be modified. |
New Database Tables
| Table | Purpose |
|---|---|
| OAuthProfileDefaults | Stores predefined provider templates (Microsoft 365, Google Workspace, Custom) with default token endpoints and scopes. |
| OAuthProfiles | Stores the configured OAuth credentials (token endpoint, scope, tenant ID, client ID, and encrypted client secret). |
New Database Columns
| Table | Column | Description |
|---|---|---|
| EmailTemplates | ReplyToAddress | The reply-to email address for the template. |
| EmailCopies | ReplyTo | The reply-to email address stored on sent email copies. |