Get the top HN stories in your inbox every day.
interroboink
leipert
Shouldn't be _too_ hard to convert your scripts.
I ran into the same problem and one workspace disallows App passwords. You can simply get the OAuth token with a little python script and then use it as the password: https://github.com/google/gmail-oauth2-tools/blob/master/pyt...
(see for example https://github.com/lefcha/imapfilter/issues/186)
booi
and then have to reauthenticate it every 2 weeks because the refresh token seemingly expires for no reason...
justinc8687
If you set your app to "production", the refresh token works properly. Ignore the verification steps. It'll yell at you, but it'll work.
nunez
The refresh token shouldn't expire.
ojosilva
I just hope that Gmail itself (as client) becomes something other than a Less Secure App. Right now I have to keep that LSA switch going so that my main Gmail account can SMTP send mail with credentials from my other many Gmail accounts. I've never understood why Gmail itself is a LSA in the eyes of other Gmail accounts.
chimeracoder
> I've never understood why Gmail itself is a LSA in the eyes of other Gmail accounts.
Because Google isn't special-casing itself (which is a good thing).
You can enable 2FA on the other accounts and then use app-specific passwords, which will allow you to disable the switch.
Arnt
I don't know why it is that, but I know why it was that at one time, quite long ago: One team had set terms for what avoids LSAness, another team hadn't updated some code to match the new terms.
_Algernon_
Problem seems that you cannot set app passwords yourself and they seem laughably insecure.
16 lowercase letters (in groups of 4 separated by space), no numbers, no special characters.
Keepass evaluates this as a weak password with 65 bits of entropy (if spaces are removed)
How is this an improvement?
LeoPanthera
16 letters is ~75 bits of entopy (if they are randomly selected), not 65. The usual recommendation is 80, but it's not as bad as you say. I don't know how Keepass is doing its math, but 65 is wrong.
rhplus
KeePass considers letter runs and common words to lower entropy. So “pass word pass word” fits the scheme above but demonstrates lower entropy.
The examples in their docs show that a run of characters “aaaa…” only has an estimate of 7 bits:
https://keepass.info/help/kb/pw_quality_est.html
Obviously the estimate is wrong when the password will always have a fixed length and a randomized character set. But KeePass doesn’t know that “pass word pass word” is following set rule. Perhaps parent commenter ran the calculation on an example with a run or common word within it.
You’re right it’s 75 bits for the format used by Google here.
vbezhenar
65 bits is incredible amount of entropy. Why do you think that's not enough? I'm using 10 characters passwords of lowercase letters almost everywhere and I think that's absolutely enough.
2 ^ 65 / 20 / 365 / 86400 = 58 494 241 735
I don't think Google would allow you to bruteforce account using 58 billions of attempts per second for 20 years.
johndough
Whether 65 bits is sufficient depends on your attack scenario. I agree that Google won't allow you to try that many passwords, but for other scenarios, 65 bits might not be enough.
For example, imagine that OP is reusing passwords across different websites as most people are doing. One server gets hacked and the SHA256 password hashes get leaked, which unfortunately is still common. Currently, the best bitcoin miners can hash in the order of 10^14 hashes per second, which amounts to just 2^65 / 10^14 / 86400 ≈ 4 days of hashing. To be fair, bitcoin miners usually are not suitable for password hashing, but I'd be surprised if the NSA does not have 1000s of similar devices somewhere. Is that a realistic scenario? Probably not. But it is certainly a technical possibility.
A lower case password with 10 characters is not sufficient at all. Anycone could bruteforce that in a day with just one modern GPU.
jeroenhd
They're more secure than "Welcome2024!", which is what you can expect most people to use. 16 letters is more than secure enough, you can't brute force that. They're guaranteed to be unique passwords that aren't used on other services, so credential stuffing is no longer a threat.
This is an inconsequential change to people who use password managers, but it'll help against credential stuffing attacks for the common user.
SpaghettiCthulu
That should be plenty seeing as Google would lock your account before an attacker were ever able to bruteforce an app password, right?
_Algernon_
Assuming the attacker doesn't have a leaked database of hashed passwords and therefore can't run the brute force on a local database. I want my account to be secure even if there is a leak which has been the standard for authentication for more than a decade.
jabart
It's not a password, it's an API Key. A GUID is 16 bytes represented as 36 characters with hypens but we consider those secure. Even Stripe's private keys are kinda short but their restricted keys are not.
Dylan16807
> It's not a password, it's an API Key.
I don't see the difference.
> A GUID is 16 bytes represented as 36 characters with hypens but we consider those secure.
That's about twice as many bytes. That's an exponential difference in security.
xxpor
Part of it is that app passwords are locked once used - you can't move them to a new user agent is my understanding.
sfink
16 is a lot.
Uppercase + numbers + special characters will only give 1.3 more bits per character. 26 possibilities is 4.7 bits, so each additional lowercase letter adds enough entropy to make up for the alphabet size of 4.7/1.3=3.6 characters.
So roughly speaking, 16 lowercase letters has about the entropy of 12 characters with a larger alphabet. That seems ok to me; 12 characters is pretty decent. Certainly not laughable.
With an alphabet of 64 possible characters, you have 12lg(64)=72 bits for 12 random characters.
With an alphabet of 26 possible characters, you have 16lg(26)=75 bits for 16 random characters.
And the "random" part that allows the lg(possibilities) calculation is enabled by not allowing you to set the passwords yourself.
Of course, 75 bits only gives you about 100 billion users × apps before you start hitting birthdays—er, collisions—so hopefully they're not using the passwords as unique keys anywhere! (But why would they?)
e12e
> weak password with 65 bits of entropy
That's not weak?
flanked-evergl
https://github.com/smallstep/cli implements some OAuth flows from the CLI, it may be helpful for you.
boiler_up800
Wow thanks for clarifying. Heavy user of app passwords here.
firecall
Me too!
I have a few scripts and dev environments that use App Passwords to send email via Gmail SMTP!
systems
CPAN , the jewel , the original, the king , may raku find your success
blinkingled
I had been wanting to read a document on OAuth as I have several things in pipeline where OAuth would be involved and the link you posted is just timely and perfect - so thank you!
sir
If you can’t switch to OAuth, you can use my proxy to allow any IMAP (or POP/SMTP) client to be used with a “modern” email provider, regardless of whether the client supports OAuth 2.0 natively: https://github.com/simonrob/email-oauth2-proxy. No need for your client to know about OAuth at all.
rfoo
Submitted title is misleading. Turns out, it's not "all but OAuth", it's "all but OAuth and app password".
If you can't switch to OAuth, you can simply create an app password and continue using that as your IMAP password as usual.
fps_doug
This is surprisingly non-shitty by Google. I must admit that I didn't know that before. Can you limit such a passcode to just IMAP/SMTP, or can it be used to log in to other parts of Google?
bandrami
They provide full access to your entire google account, but you can create as many as you want and revoke them whenever you feel like it.
rfoo
This passcode is inherently limited to the service it bound to (IMAP or POP3), that's the whole point: don't expose your account password to something which only needs a finer-grained access.
Edit: that's incorrect, see replies.
nanna
Brilliant. So this is how you could keep a client like mu/mu4e functional for Gmail and outlook365.
yashasolutions
actually app password will keep working. Which is basically all you need for mu4e
emersion
Unfortunately this requires users to setup their own OAuth client, which is a pretty manual/cumbersome process.
sir
There's no good way around that unfortunately. The proxy could build in an OAuth client for the major providers, but it's unlikely that this would be trusted by default without significant effort being put into review processes.
As the readme explains, there's nothing to stop you using the existing OAuth client details from another source (such as the many already trusted open source email clients that exist).
emersion
Yes. I'd argue the problem is not on the project's side, it's on the Google side (they have ridiculously high requirements for registering OAuth clients for IMAP/SMTP use, especially for a small open-source project).
rollcat
Same if you're building any OAuth-enabled client from source.
(Remind me, what's stopping me from extracting the client secrets from the compiled binary, and re-using them elsewhere?)
yrro
The provider might notice that their key is being used in an unauthorized way and terminate your account, prosecute you for computer fraud and abuse, etc.
gaius_baltar
I think this is the only assured way to interop, as I expect Google may try to kill other competing apps (specially in mobile) that does not capture user data or generate data points for its ads.
I wonder if any intentional limitation here should not trigger some of the EU Digital Services Act provisions for interoperability ... in this list [1] I see Google Play, Maps, and Shopping but not GMail!
[1] https://en.wikipedia.org/wiki/Digital_Services_Act#Very_larg...
polski-g
I ended up ripping the app ID out of Thunderbird and using that for my OAuth process to Gmail.
mschuster91
Thank you for writing that, really helped me out back when Microsoft pushed OAuth for Office 365.
codepoet80
Thank you for making this. I'd been puzzling through how to build something similar. Starred and downloaded, I'll definitely be using!
londons_explore
It's because IMAP, SMTP and POP allow substantial access to your google account and life, yet none have the ability to do 2 factor. Nor do they allow any kind of anti-robot verification.
That means it's super easy to do credential stuffing attacks, and at google-scale, that sort of attack is going to let an attacker ruin a lot of lives.
This is a good thing, and they should have done it years ago (they kinda did by defaulting IMAP/POP/SMTP access to off - that protects most users - this is just for the rest)
gtech1
It's trivial to add 2fa to smtp/pop/imap.
Take your preferred auth module in Dovecot and modify it to read the input password as: pwd+otp code. If the user is 2fa enabled, read last 6 digits and compare against totp.
If match, allow the IP through for x minutes or whatever other policy you want.
It works surprisingly well
1000thVisitor
Which email clients support sending the input password as: pwd+top code?
8organicbits
It's transparent to the client, so if the server adds support, every client gains 2FA support. The server needs to check if 2FA is enabled, and if so, try the last 6 characters of the user provided text as the OTP and the rest as the password.
It's a pretty commonly used, and works very well, but requires user education on how to fill in their combined password. A proper API with distinct fields for password and OTP is cleaner, but requires protocol support.
gtech1
all of them.
instead of sending your password as johndoe, you send johndoe123456 where 123456 is the code
jer0me
Apple does this for older devices signing into iCloud!
TacticalCoder
I take it if someone really still want to fetch all his emails the old way, he could configure GMail to forward every single email to another address (not a GMail one): one still allowing IMAP/POP. Not a panacea but it may be an acceptable workaround for some usecases.
londons_explore
You can still use app-specific passwords, so your 1992 mail client will still work... Although sending even an app-specific password in cleartext over the internet seems like a bad plan.
mcv
But why are those more secure than other passwords? How can they know that this 1992 app is the app it claims to be?
pmontra
I use Thunderbird which already had a release this year. It's been using encryption since forever.
Luckily I don't use GMail for my mail.
jojobas
It's because old school passwords allow reasonable security, yet don't allow planting a user-identifiable cookie on the client machine.
jonathanstrange
You shouldn't have been voted down. I've been using IMAP, SMTP, and Pop3 for the past 30 years without a single security incident. Meanwhile, I've had many accidental lockout problems and even had to abandon accounts because of 2-factor authentication and other paranoid security measures like arbitrary "device identification" algorithms. I swear to God the goal of this security theater is only to force customers into web-based logins so contents of emails and user behavior can be tracked in an Orwellian fashion.
Dylan16807
They said just identifiable though, and passwords are definitely user identifyable.
And most users only have a couple devices so tracking that once you already know the user is usually very easy even without a cookie.
minitech
App passwords are useless to Google as a tracking measure and are a much more secure option, especially across the entire user base.
gsich
>Nor do they allow any kind of anti-robot verification.
This is a feature.
undefined
kylehotchkiss
This is all about getting users off of the fantastic native mail apps and onto googles own. You can’t get realtime mail notifications without gmail.app or the soon to be deprecated Google sync. I hate it. I pay Google for workspace and I hate it. At least Mimestream still works on desktop but I bet they’re coming for that soon too.
josephg
They should get on it and adopt jmap already.
It’s a good, standard protocol with unreasonably low adoption because of the chicken and egg problem between mail providers and mail applications. If Gmail supported jmap it would encourage implementers everywhere to support it. And jmap supports notifications and all the rest.
paholg
I agree, but why would Google adopt it when they have their own proprietary protocol with similar functionality? Companies love anything that makes them more "sticky", whether it's good for the user or not.
bluish29
Does any service use it beside fastmail on a large scale?
gsich
IMAP does too.
jeroenhd
Oauth isn't that hard to implement. It requires a WebView as part of the setup process, but after that the mail app just needs to store a token as a password and it'll keep working.
Oauth for email is part of the various RFCs pertaining to email authentication and has been around for years.
Thunderbird and various mobile apps support Gmail just fine using Oauth. I think the bigger problem is that many desktop apps seem to have stopped implementing changes to IMAP and SMTP about ten years ago.
If you have an email app that's no longer maintained, use app passwords (generated per-app passwords), like Google is indicating in the linked article. Those will still work. It's just the hardcoded username/password for the main account that's going away.
This will be a major pain for the Office 2016 users, as 30 september is still about nine months before their Outlook goes out of support, but for most users this will be quite a easy fix.
palata
> It requires a WebView as part of the setup process
Why does it require a WebView, btw? Is there a good technical reason for that, or is it just what they happened to do?
michaelt
They want the power to add arbitrary extra steps in the login flow.
For example, maybe they want to force the user to change a compromised password, or hand over their phone number, or complete a captcha, or accept a load of legalese.
You can do this without a webview in your application, but it usually means giving the user an URL to open in their own browser.
notatoad
Doesn't google explicitly forbid a WebView for oauth?
The point is to not have users entering their google credentials into third-party apps, and a WebView is still entering your credentials into a third-party app. The app has to open the google login page in a real browser, not a WebView.
nottorp
> Why does it require a WebView, btw?
So you can't read your mail from a platform that doesn't have a web browser installed...
Edit: to be more clear: so you can't read your mail from a platform that can't run or embed a modern web browser. For example... a command line only system without a GUI.
jeroenhd
I suppose it technically doesn't require a WebViee, but that's the easiest solution in most cases.
I'm not sure how you're going to implement Google's 2FA in a non-WebView solution, but if you can get the right UI and data flows to work, I'm sure you can do without.
RedShift1
What's the point of an app password?
undefined
jeroenhd
It's a password that allows access to email, but not to the "change my Google password" page, or to push app installation to the Play Store, or to invite other people into Google Meet links. These passwords are contained to very specific APIs surrounding email and Caldav and such.
That means you're not completely screwed when your Outlook password database gets stolen by malware.
As a user, it also allows you to revoke an application remotely without having to change your password and log in to every device again. One click of a button and new emails won't appear on a lost laptop or phone, even if they manage to bypass the screen lock. It's all about risk management.
patrakov
Your account password is too powerful, for example, it allows anyone who knows it and can provide the 2FA to change non-email settings, such as the preferred languages, the list of bank cards attached to the account, see the places visited, read and modify Google docs, or change the password. The app-specific password has a scope attached to it, and can thus be used only to do what the app needs to do, without any possibility to take your entire account over.
dikei
It's a long, random password, that you generate anew for each application that needs it: one compromised app can be revoke quickly without affecting other.
But more importantly, app password can only be used for email, not other Google's service, so even if it gets leaked, the impact is severely reduced.
rezonant
App specific passwords will continue to work, and will work fine if your native app does not support the usual OAuth flow.
eastern
"will continue" can't really be said about anything Google with any degree of confidence.
mcv
This is good to know, because I think I already use those everywhere (except on my latest machine; I should fix that).
Even so, I will also be using this as a reminder to move my stuff away from Google.
theodric
I appreciate that we all have different bugbears, but realtime mail notification isn't going to get me off Thunderbird. Email is asynchronous, and therefore finding out 10 minutes later about a message coming in shouldn't be a problem. If I'm expecting the message then I'll be mashing refresh until it arrives, anyway.
If you need me more urgently, text me. Don't call. I don't like calls.
Aerbil313
Same, native iOS Mail app in my case. I get Gmail notifications only when connected to power and Wi-Fi (can be set to a time interval too but I’d rather conserve my battery). When I expect a mail, I open the app and it auto refreshes until the mail comes.
kylehotchkiss
My use case is OTP. Either through email or via SMS/google voice. Real time really helps with those, especially if you use Safari's OTP prefill.
I'd really rather use 1password for OTP but so few non-tech services support that.
esskay
Fully agree. Also paying for my gmail account and hate every moment of it but nobody seems to be able to get remotely close to gmail for spam handling.
Hard_Space
After two years of using Fastmail as my primary account, in my effort to de-Google in 2022, spam recognition at Fastmail seems to me to be on a par with Gmail, if not better. I still use both.
dbrgn
I use Fastmail for 5+ years now. Initially I feared that the experience would be worse than Gmail (with regards to the Web UI, to spam filtering, etc). It is not. It really is much better!
Freak_NL
I really have no qualms about Fastmail spam handling either. It's fine; don't let that stop anyone from switching away from Google.
kiwijamo
Agreed, Fastmail is pretty good at spam filtering. My Gmail account is pretty much full of spam nowdays which seems to suggest Gmail's spam filtering isn't that great.
RockRobotRock
I love it. I can sync my Gmail to it seamlessly as I slowly transition all my accounts to my new email address.
esskay
Interesting, might have to give it another shot!
tallanvor
Strangely O365 handles most spam pretty well. I don't know why they can't do the same for outlook/hotmail/live accounts.
bboygravity
Hotmail is truly mind-blowing to me.
In my case ALL spam goes to inbox (a LOT) and ALL uselfull real emails go to the junk folder (very few).
I truly wonder how they do it. I can't get my head around it.
dotnet00
I've been gradually shifting over to protonmail over the past years and haven't seen any spam at all.
cbg0
Yes, it's pretty obvious this is what's going on. The solution to these "less secure apps" was to simply generate stronger passwords for them instead of making the user jump through hoops by using oauth2 proxies, especially for older hardware/software.
rezonant
Which is actually supported already with App specific Passwords...
nolist_policy
No this is about getting users off fucking Outlook 2007 or worse.
SirMaster
Yeah, I am sad. I still use the Microsoft Exchange option to access my Gmail account on my iPhone in Mail.app so that I get push notifications.
Perseids
> An app password is a 16-digit passcode that gives a less secure app or device permission to access your Google Account. App passwords can only be used with accounts that have 2-Step Verification turned on. [1]
Isn't it funny, how the "less secure app or device" is completely on par with OAuth-capable apps regarding security just by using a server-side mechanism Google could have promoted since… forever? Almost as if it technically isn't a feature of the app at all.
(Yeah, I get it, "apps where the secure workflow is less convenient" doesn't have the same ring to it, so the simplification is justifiable for easy communication – you will say. The greater problem is that it is kind of Google's thing to always interpret security concerns in such a way that it furthers Googles agenda and this puzzle piece is no exception.)
happyopossum
> just by using a server-side mechanism Google could have promoted since… forever?
Google has been pushing 2FA and App Specific Passwords for many many years. They’re just now making it mandatory for apps that can’t update to support oauth
joshuamorton
> Isn't it funny, how the "less secure app or device" is completely on par with OAuth-capable apps regarding security just by using a server-side mechanism Google could have promoted since… forever?
They aren't on part though, Oauth is vastly less phishable and has vastly more control over specific permissions. App passwords are functionally all-or-nothing, whereas with OAuth you can configure whether something can read, modify, change settings, etc.
greatgib
To be noted, the most annoying thing with Oauth2 and Google on Android is that you can't login with an email client or calendar with your Google account without your full phone to be associated with this Google account. Also giving policy right on your device by this Google account. That is totally insane in my opinion.
And you can't easily bypass that as oauth2 usage in WebView inside apps are easily restricted by Google on Android.
ysleepy
Can't alternative clients like k9 implement OAuth on their own? I believe I set up Thunderbird on my desktop with OAuth and it works (With office365).
Sadly the number of email clients I would trust is limited, many send off your credentials to some remote server.
EDIT: k9 already supports oauth for imap.
greatgib
On a computer your are ok but not on an Android device.
To perform the oauth2 login, the app is forced to send the user to a specific Google webpage. There are only 2 ways to do that, load it inside a WebView within the app or send to an external url to be opened by the phone browser.
In both cases, Android (/Google) will capture that and use the "add account to Android" provider.
Now, let's suppose that you want to use your own custom WebView to avoid that, then the oauth2 page on Google server will perform a check against that and will refuse to load. Officially "for security reason for the user".
:-(
dmw_ng
The trouble with OAuth is to get a production client ID you must pass a third party security audit.. this is in excess of $20k and AIUI must be repeated periodically. Using a developer client ID is already heavily limited, and I have no doubt now that this ladder has been pulled up, developer IDs will see further restrictions in future.
IMAP/POP passwords have long defaulted to disabled in Gmail, Gmail survived 20 years without need for these new restrictions, I can't imagine attack techniques have improved and Google's internal technical staff have regressed so substantially that they are now essential. This change seems more motivated by creating frictions for escaping the Google vortex than anything to do with security.
rrdharan
> I can't imagine attack techniques have improved and Google's internal technical staff have regressed so substantially
I can definitely imagine, and I in fact believe, both of those things to be true.
Ferret7446
Those things being separate is annoying to the average person who doesn't know the distinction between Google and Android (and Chrome for that matter).
andris9
The wording is kind of ambiguous, but it seems that App-Specific Passwords will continue working
> If you have scanners or other devices using simple mail transfer protocol (SMTP) or LSAs to send emails, you’ll need to either: configure them to use OAuth, use an alternative method, or configure an App Password for use with the device.
> All Other Applications. If the app you are using does not support OAuth, you will need to switch to an app that offers OAuth or create an app password to access these apps.
yau8edq12i
The excerpt you quote doesn't sound ambiguous at all. App passwords will clearly still be supported.
khorne
The titles of both the HN post as well as the original blog post are ambiguous however.
notpushkin
Yeah. The HN submission title is incorrect though.
mugs
It wasn't 100% clear to me either. The wording clearly says SMTP will support app passwords, but no clear indication if IMAP will still support them.
But I asked Google Workspace Support specifically about this yesterday, and they said:
> The application passwords will support IMAP, POP, and all SMTP configurations. Rest assured that OAuth serves as an alternative, offering a straightforward configuration process for any third-party application.
The second sentence was just them continually pushing adopting OAuth. I'd love to, but the cost of the (recurring) security review is not feasible for our small SaaS app, so we'll be sticking with app passwords (thankfully).
jsnell
This is just about Workspace accounts, the change already happened to normal Gmail accounts years ago.
SirMaster
Not entirely true.
I still access my personal Gmail account via the Microsoft Exchange option in my iPhone's Mail.app and I get push notifications this way rather than being stuck with Fetch.
The reason it still works is that connections made to Google Sync for personal accounts prior to the discontinuation date like 10 years ago are still honored and "grandfathered" if you will.
So to get it to work I just need to modify the Exchange GUID in my iPhone to what the GUID was on my phone back when I logged into Google Sync before they discontinued new logins.
Fortunately changing this GUID is possible by taking an iPhone backup, modifying a plist file in the backup, and restoring that backup to the phone.
So right now, on my iPhone 14 Pro, I am still using Mail.app with push notifications to my personal Gmail account.
undefined
d99kris
I understand their announcement says app passwords will stay (for now). But should Google eventually also deprecate app passwords, it would really restrict the use of third-party clients with GMail, given the self-paid security assessment OAuth clients must undergo. It would be a sad development given that email is one of the last popular "open messaging protocols" in use, where one can choose what client to use.
magicalhippo
Been dealing with Microsofts OAuth transition at work, and it's been a bit of a PITA.
Part of the problem is that it's just so opaque. You send the token and the server replies "nope", with no further explanation.
I spent literal days trying to figure out why Client Credentials-flow didn't work until I found an answer buried on their help forum saying oh yeah, client credentials flow isn't supported yet. It is now for IMAP/POP, but still not for SMTP IIRC (though OAuth is not requiredfor SMTP yet).
Next it was figuring out the right scopes, which at the time was not very well documented. Again not very helpful error messages by the servers.
Google's mail servers any better?
xtajv
> Part of the problem is that it's just so opaque. You send the token and the server replies "nope", with no further explanation.
Catch-all HTTP 401s and 403s are there to thwart https://en.wikipedia.org/wiki/Oracle_attack - unfortunately, servers cannot afford to be "helpful" when it comes to unauthenticated clients.
mmbop
They should have a debug mode that is user-activated for stuff like this.
I also have burned too many hours trying to get various OAuth flows working.
magicalhippo
Yeah some development servers that didn't actually send the mail anywhere but did give usable error messages for example would be amazing.
To avoid it being used as an attack vector they could be tied to special app registrations that had to be registered with the mail development system in advance.
datadrivenangel
Microsoft is amazingly good at those opaque error messages. Such a mess of UX
purpleidea
I haven't been able to get `offlineimap` working with gmail in at least the last six months. If anyone has been successful, please let me know. The blog posts I've found all have out of date information. If I'm locked into their cloud, I'd at least like to have a backup of my data--
and no, I don't want the takeout service, the Maildir format and features of offlineimap are what work great!
terinjokes
I use mbsync/isync instead of offlineimap, but I've had no issues using mailctl to handle the OAuth2 tokens and refresh.
Does the example on the ArchWiki[0] work for you?
[0]: https://wiki.archlinux.org/title/OfflineIMAP#OAuth2_access_t...
fifteen1506
App passwords worked for me like 3 or 4 months ago.
jonathanstrange
I will do everything in my power to pressure my university to migrate their email accounts to another service.
This is anti-competitive behavior designed to make it as hard as possible to use email client software. For example, check the procedures needed to set up oauth2 in my preferred client claws-mail.[1] That's insane.
alisonsandy
> This is anti-competitive behavior designed to make it as hard as possible to use email client software
Use App password. They are not blocking any 3rd party clients. Are you advocating using real password in every random client that may or may not transmit it in full text elsewhere?
I do assume you know security essentials.
jonathanstrange
I will do that if our university decides to switch on 2-factor authentication (which would be total chaos), but my trust in Google's ability to make this effortless and easy in third-party email clients is zero. See my other post why.
Regarding security: Google had physical fiber optics connections to the NSA and claimed they didn't know about them. It's not a very credible claim but if if was true, then it would be proof that Google has no competence in security at all.
alisonsandy
Any decent 3rd party client does this already. Take for example, thunderbird or k9-mail - major open source ones. Even Mail (from Apple, macOS) does this. What else you need? Sure if you use mutt or ALPINE read the related forums for help.
while anyone can criticise any large company one should do it for the correct reasons.
forwardemail
Happy to help onboard your university!
We currently serve UMD, Tufts, Swarthmore, and more.
ericjmorey
I read through your website and I don't understand what your service is. You sorta seem like an email host but seem to very intentionally and carefully not advertise as an email host.
forwardemail
[dead]
forwardemail
[dead]
alwayslikethis
It's shameful how far we've gone down this path. My university is using Microsoft Exchange and they refuse to allow IMAP access even with Oauth2, only allowing you to use proprietary protocols. So far I've only seen Evolution and Thunderbird working (with a paid plugin for the latter). I think it's a means to exert control on your email usage. For example, most sane clients do not show images by default, which prevents various types of tracking pixels from working, whereas Outlook doesn't do this afaik.
warkdarrior
Here's updated info on Outlook:
"Microsoft Outlook is configured by default to block automatic picture downloads from the Internet. You can, however, unblock pictures that you think are safe to download."
From https://support.microsoft.com/en-us/office/block-or-unblock-...
speleding
Perhaps the headline is a bit hard to parse, but OAuth will NOT be required for email, IMAP and POP will continue to work with App Passwords
jonathanstrange
From Google's own official documentation:
"Tip: App passwords aren’t recommended and are unnecessary in most cases."
"Tip: Don’t create an app password unless the app or device you want to connect to your account doesn’t have 'Sign in with Google.'"
"To help protect your account, we revoke your app passwords when you change your Google Account password."
"Tip: If the app offers 'Sign in with Google,' we recommend you use that feature to connect the app to your Google Account."
"If you use a non-Google app and can't sign in, the app's sign-in process might not be secure. Try to update to the latest version of the app and use 'Sign in with Google,' if it’s an option."
Yeah, no problem at all. I'm sure it's going to work flawlessly and effortlessly.
anthk
My SO uses GMail and anything but Thunderbird it's a hellish nightmare to setup. On the HN comments about "but my secUrity"... who cares. Get a good and long password and use TLS everywhere. This is enshittification and pure EEE tactics against public standards and free sofware email clients and yet these careless users applaud it.
rwmj
For now. They've been threatening to remove App passwords for a long time.
dotancohen
Thank you, where have they mentioned a possible removal of App passwords?
Jenda_
Why is there AFAIK no tutorial on how to steal the "app token" (sorry, I don't know the proper term) from Thunderbird or other mail clients?
Get the top HN stories in your inbox every day.
My heart skipped a beat when I read this — I have various scripts and things that interact with Gmail.
But it's okay. App passwords will still work, it seems. This is just removal of "Less Secure Apps" support, using the account's plain account user/password.
I shudder to think how much automation would die if Google truly killed off everything but OAuth.
I don't like the complexity OAuth. I enjoyed this Perl module documentation[1] that breaks down how the dang thing works, clearly written by someone as exasperated as me (:
[1] https://metacpan.org/dist/LWP-Authen-OAuth2/view/lib/LWP/Aut...