Artica can relay your outbound e-mail through Microsoft 365, Google Workspace / Gmail, or any OAuth 2.0-capable SMTP provider
Authenticating with OAuth 2.0 / XOAUTH2 bearer tokens instead of a static password.Microsoft and Google have deprecated password-based SMTP authentication ("basic auth"). This feature lets your Artica SMTP service keep sending through those providers, with tokens that are minted and refreshed automatically — no cron scripts, no manual token pasting, no service interruption when a token expires.
This feature is available Artica v4.50 Service Pack 7 or Artica v4.50 Service Pack 6 Hotfix 20260704-16.
The feature is managed from the web console: SMTP Router > Outgoing rules > OAuth.

smtp.office365.com using a licensed mailbox, without storing a mailbox password anywhere.smtp.gmail.com with a Gmail API OAuth client, including for domains where "less secure apps" access is disabled (which is now always the case).@old-domain senders through one provider account and @new-domain through another, from a single relay.client_credentials grant supports Microsoft's high-volume mode (requires tenant-side enablement by a Global Admin).Before creating an account, you need OAuth credentials from your provider:
SMTP.Send permission, a client secret, a refresh token for the sending mailbox, and SMTP AUTH enabled on that mailbox.The setup assistant lists these prerequisites for the selected provider, in order, with links to the provider portals.
You do not need to leave the console to know what to prepare.
On the OAuth relay page, click OAuth setup assistant in the header. The wizard walks you through five steps.
Step 1 — Provider and grant type
Choose your mail provider and how the account authenticates:

Step 2 — Provider prerequisites
The assistant shows the ordered provider-side preparation steps, the operational caveats that commonly break setups later, and links to the provider portal and documentation.
For Microsoft 365:

For Google Workspace / Gmail (note the 7-day expiry warning for OAuth apps left in Testing status):

Step 3 — Credentials
Paste the credentials obtained from the provider.
The token endpoint and scope are pre-filled for Microsoft 365 and Gmail
You only adjust them for a generic provider.
Every field carries a plain-language explanation of what it is and where it comes from.

When editing an existing account, secret fields are shown empty — leave them blank to keep the stored value.
Step 4 — Routing
Name the account, set the upstream SMTP server (pre-suggested per provider), the SASL username (the sending mailbox), and the match rules deciding which mail uses this account:
sender_exact:user@example.com — a specific envelope sendersender_domain:example.com — any sender in a domainrecipient_exact: / recipient_domain: — recipient-based routing
If an account has no match rule and is not the default, the assistant warns you that it will never receive any mail.
Step 5 — Review and validate
The summary shows every routing value. Secrets are shown only as provided
Their values are never displayed.
Clicking Validate and save performs a live token mint against the provider.
If the provider rejects the credentials, the account is not saved and you get a plain-language explanation of what went wrong (credentials rejected, endpoint unreachable, invalid values…)
never a cryptic error code.

The Accounts tab lists all configured accounts with their server, username, provider, STARTTLS status, match rules and token state. Each row offers:

The Dry run button lets you ask, without sending anything:
"Which account would this sender/recipient pair use?"
ideal for verifying match rules before going live.

Artica applies a strict defer-over-bounce policy:
Network problem, provider 4xx/5xx, timeoutToken expiredProvider rejects the credentialsConfiguration errorreason=bad_config, reason=auth_rejected, …).Every delivery attempt writes exactly one structured key=value record to the mail log (/var/log/mail.log, tag postfix-oauth)
Sender, recipient, account, status, duration and a classified reason. Raw provider responses and secrets are never logged.