Re: [gentoo-user] Seamonkey automatic email download after switch to Oauth2

2022-06-03 Thread Matt Connell (Gmail)
On Fri, 2022-06-03 at 12:57 +0100, Peter Humphrey wrote:
> Would a practical alternative be to have all gmail messages forwarded to 
> another account?

I did this for years before I decided to finally close that google
account.

Ironically I can't close this one (yet) because the gentoo mailing list
won't allow me to subscribe with an email address with a .tech TLD :(



Re: [gentoo-user] Seamonkey automatic email download after switch to Oauth2

2022-06-03 Thread Peter Humphrey
On Friday, 3 June 2022 09:53:22 BST Michael wrote:
> On Friday, 3 June 2022 02:45:11 BST Dale wrote:
> > Howdy,
> > 
> > Early this morning Seamonkey could no longer fetch emails.  It wouldn't
> > accept the username and password.  I did some searching and it seems
> > that Google is disabling plain text username and password.  Honestly,
> > sounds like a good idea really.  During my searches, most recommended
> > OAuth2 so I switched to it.
> 
> Err ... perhaps not?  The use of a browser to delegate sign on is not
> necessarily a good idea, because it introduces layers of complication and
> with it potential vulnerabilities.  Random explainer here:
> 
> https://medium.com/securing/what-is-going-on-with-oauth-2-0-and-why-you-should-not-use-it-for-authentication-5f47597b2611
> 
> I recall some IMAP4 devs complaining about it, but Google pushed on
> regardless.  From the end of May if you want to login to Gmail you have no
> option but to use OAuth2.  I expect this will break some users' login if they
> have not disabled what Google calls "Less secure application access" and
> shared with Google their mobile phone number and what other *private*
> information Google wants to know, before it allows you to access your email
> messages.

Would a practical alternative be to have all gmail messages forwarded to 
another account? I haven't looked into this, but I have a gmail account, which 
perhaps I could set up to forward (relay?) all incoming mail to my Zen 
account.

-- 
Regards,
Peter.






Re: [gentoo-user] Seamonkey automatic email download after switch to Oauth2

2022-06-03 Thread Michael
On Friday, 3 June 2022 12:15:53 BST spareproject776 wrote:

> How did you even enable the OAuth thing?  It only had security device or
> push to an authenticated device available.  Then it lied and forced enabling
> SMS as a 'recovery' option.

When I enabled OAuth2 it was early days and Google did not ask for 2FA as a 
prerequisite back then.  All you had to provide, for account recovery, was 
another email address.  So I set up a second Google email address for this 
purpose and cross referenced the two accounts.  Some months thereafter Google 
started asking for 2FA via SMS, before you could access the page to set up app 
access.  More recently they also started asking for DOB, "... for legal 
purposes".  Soon they will be asking for digital ID and a DNA test, or 
whatever.  :p

I noticed whenever I tried to login from a remote location Google would block 
the mail client and also block webmail login if I tried to use a browser.  
Evidently, geolocation/IP address was being used as a security check.  To 
acknowledge this was not an attempt by some remote and nefarious actor to 
compromise my account, I had to connect to Google by tunneling via a VPN 
connection to my home and from there to the Google webmail.  After that I was 
able to login remotely.

The question about privacy is a moot point.  Privacy is often conflated with 
identity and consequently with security.  All a mail service provider *needs* 
to know is if the person trying to login is the same person who set up/owns 
the account.  A single or multiple challenge-response mechanism over an 
encrypted network connection is enough to identify the owner of the account 
via the credentials exchanged between client and server.  No sharing of any 
other private and personally identifiable information needs to be part of it.



Re: [gentoo-user] Seamonkey automatic email download after switch to Oauth2

2022-06-03 Thread spareproject776
On Fri, Jun 03, 2022 at 10:54:06AM +0100, Michael wrote:
> On Friday, 3 June 2022 11:07:47 BST spareproject776 wrote:
> > They only forced turning 2FA on.
> 
> There used to be a period a few years ago now, when you could enable less 
> secure app access plus OAuth2 without giving your DOB, mobile phone 2FA, etc. 
>  
> They have since stopped this.  I had enabled OAuth2 on one PC, but was not 
> able to do the same on a second PC I tried to connect from.  I can't recall 
> the error now.
> 
> Thankfully, other email providers are available.  :-)

Is the privacy thing really that bad?  My plan is to send a load of e2e messages 
through a mix net just to wind them up.

More worried about someone picking my phone up, popping the SIM card out, 
then requesting account recovery from it and plugging it back in now :/ 
Sort of defeated the point in having TPM-backed devices.

How did you even enable the OAuth thing?  It only had security device or 
push to an authenticated device available.  Then it lied and forced enabling 
SMS as a 'recovery' option.

-- 



Re: [gentoo-user] Seamonkey automatic email download after switch to Oauth2

2022-06-03 Thread Michael
On Friday, 3 June 2022 11:07:47 BST spareproject776 wrote:
> They only forced turning 2FA on.

There used to be a period a few years ago now, when you could enable less 
secure app access plus OAuth2 without giving your DOB, mobile phone 2FA, etc.  
They have since stopped this.  I had enabled OAuth2 on one PC, but was not 
able to do the same on a second PC I tried to connect from.  I can't recall 
the error now.

Thankfully, other email providers are available.  :-)



Re: [gentoo-user] Seamonkey automatic email download after switch to Oauth2

2022-06-03 Thread spareproject776


They turned off the ability to use SMTP, POP3 or IMAP over cleartext
a while ago.  They only expose it over TLS-wrapped ports.  Your client
wouldn't even be able to get as far as sending it.

Also forces SASL, which is tl;dr for echo 'username password' | base64
before sending it.

Once you enable 2FA for the account, you can recreate an application
password.

Funnily enough, my old password was stronger than a 16-char string :/
All in all they just force reduced password length, whilst forcing
SMS verification, allowing account takeover from SIM swapping :'(

For the record, this is sent from mutt using an app password without OAuth.

-- 
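An added example, not from the thread, showing what the two SASL mechanisms discussed in this message actually put on the wire. RFC 4616 PLAIN is three NUL-separated fields (authorization id, username, password) base64-encoded; Google's XOAUTH2 is the username plus a Bearer access token in a Ctrl-A separated string, also base64-encoded. Both decode trivially, which is why the server only offers them on TLS-wrapped ports; the difference is that the token is short-lived and revocable while the password (or app password) is not. The account, password and token values below are constructed sample data.

```python
import base64


def sasl_plain_initial_response(username: str, password: str, authzid: str = "") -> str:
    """RFC 4616 PLAIN: authzid NUL authcid NUL passwd, then base64, sent as the
    initial response of 'AUTH PLAIN ...' (POP3/SMTP) or 'AUTHENTICATE PLAIN ...'
    (IMAP)."""
    for field in (authzid, username, password):
        if "\0" in field:
            raise ValueError("NUL is the field separator; it cannot appear in a field")
    raw = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def xoauth2_initial_response(username: str, access_token: str) -> str:
    """Google's XOAUTH2 mechanism: 'user=<addr>^Aauth=Bearer <token>^A^A',
    base64-encoded.  No password crosses the wire, only a short-lived token."""
    raw = f"user={username}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def recover_plain_credentials(initial_response: str) -> tuple:
    """What anybody who can read the bytes recovers from PLAIN: base64 is an
    encoding, not encryption, hence the TLS-only ports."""
    authzid, authcid, passwd = base64.b64decode(initial_response).decode("utf-8").split("\0")
    return authzid, authcid, passwd


def recover_xoauth2_token(initial_response: str) -> tuple:
    """The same for XOAUTH2: the bearer token is just as visible, but it expires
    and can be revoked without changing the account password."""
    decoded = base64.b64decode(initial_response).decode("utf-8")
    fields = dict(part.split("=", 1) for part in decoded.strip("\x01").split("\x01"))
    return fields["user"], fields["auth"].removeprefix("Bearer ")


def pop3_auth_command(mechanism: str, initial_response: str) -> str:
    """Command line a POP3 client sends once TLS is up (RFC 5034 AUTH with
    an initial response)."""
    return f"AUTH {mechanism} {initial_response}\r\n"


if __name__ == "__main__":
    # Constructed sample account, password and token (not real credentials).
    user, pw, token = "alice@example.com", "correct horse battery staple", "ya29.constructed-token"
    plain = sasl_plain_initial_response(user, pw)
    oauth = xoauth2_initial_response(user, token)
    print(pop3_auth_command("PLAIN", plain).strip())
    print("  decodes to:", recover_plain_credentials(plain))
    print(pop3_auth_command("XOAUTH2", oauth).strip())
    print("  decodes to:", recover_xoauth2_token(oauth))
```

The PLAIN vector with user "tim" and password "tanstaaftanstaaf" reproduces the example string from RFC 4616, which is a handy check that a client's encoder puts the NULs in the right places.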



Re: [gentoo-user] Seamonkey automatic email download after switch to Oauth2

2022-06-03 Thread Dale
Michael wrote:
> On Friday, 3 June 2022 02:45:11 BST Dale wrote:
>> Howdy,
>>
>> Early this morning Seamonkey could no longer fetch emails.  It wouldn't
>> accept the username and password.  I did some searching and it seems
>> that Google is disabling plain text username and password.  Honestly,
>> sounds like a good idea really.  During my searches, most recommended
>> OAuth2 so I switched to it.
> Err ... perhaps not?  The use of a browser to delegate sign on is not 
> necessarily a good idea, because it introduces layers of complication and 
> with it potential vulnerabilities.  Random explainer here:
>
> https://medium.com/securing/what-is-going-on-with-oauth-2-0-and-why-you-should-not-use-it-for-authentication-5f47597b2611
>
> I recall some IMAP4 devs complaining about it, but Google pushed on 
> regardless.  From the end of May if you want to login to Gmail you have no 
> option but to use OAuth2.  I expect this will break some users' login if they 
> have not disabled what Google calls "Less secure application access" and 
> shared with Google their mobile phone number and what other *private* 
> information Google wants to know, before it allows you to access your email 
> messages.

I read a portion of your link.  It lost me pretty quick.  I seem to
recall that the old way, the username and password were sent in plain
text.  In other words, anyone could grab it between me and google,
including my ISP plus who knows who else.  I'd think that about anything
would be more secure than plain text.  There may be better options but I
have to work with what Google supports.  If it supports something
better, I'd switch to that.  I'm open to better options.  I just want to
be able to fetch my emails in a reasonably secure way.  BTW, the
password I use for email is not used anywhere else.  I use Bitwarden
now, used LastPass before that. 


>
>> After a while, I noticed it wasn't downloading new emails
>> automatically.  I have it set to check for new messages every 10 minutes
>> or so.  I had to hit the Get Msgs button each time.  I'd prefer it to do
>> it automatically.  I tried restarting Seamonkey and even changing the
>> settings for doing it automatically, in case a config file needed
>> updating after the switch, still doesn't do it automatically.  I'm
>> attaching a screenshot of the settings. 
>>
>> Does using OAuth2 disable automatically fetching messages or am I
>> missing some other setting?  It worked fine until I switched to OAuth2
>> so I don't know what else it could be.  Is there something better than
>> OAuth2 that gmail supports?  I just picked the first option I found. 
>>
>> Thoughts??
> The OAuth2 mechanism will refresh exchange of tokens between client and 
> server when they expire, but this should be seamless and transparent to the 
> user.  If there is a breakdown in the connection for some time and a token 
> expires, then depending on the mail client it may pop up a window asking for 
> your login credentials to be resubmitted.  It does this occasionally on 
> Kmail, but I have not noticed it on T'bird, which I believe is similar/same 
> to the mail client of Seamonkey.
>
> Checking for emails every so often on a timer is separate to authentication/
> authorization.  Whether you check for email manually, or after a timer 
> triggers it, OAuth2 will kick in on each occasion as the next step.  There 
> may be some bug in Seamonkey.  You could try a later version or try T'bird.  
> If that works with the same settings, but Seamonkey doesn't, then by a 
> process of elimination the issue would be with Seamonkey's implementation.
>
> HTH.


I wouldn't think the two would have any effect on each other either but
the only change I made was how it sends username and password.  Heck, at
first, I didn't even restart Seamonkey.  When I hit the Get Msg button,
it asked for the password and started downloading several hours worth
of emails.  It hasn't asked for it again since I entered it the first
time so it should be able to trigger itself.  Your logic makes sense but
reality has thrown a wrench into the gearbox.  I thought about switching
back but the old way wasn't allowed anymore.  So, I can't revert and
test.  BTW, I'm using POP3 I think.  I actually store my emails locally.

I'm not sure where to go on this.  It may be a bug but even that would
be odd since sending username and password should be separate from
triggering a timer.  It just doesn't make sense. 

Thanks.

Dale

:-)  :-) 



Re: [gentoo-user] Seamonkey automatic email download after switch to Oauth2

2022-06-03 Thread spareproject776


They only forced turning 2FA on.
Once you turn it on, click the app password button;
it generates a 16-character passphrase.
Then it works exactly the same way it used to.

-- 



Re: [gentoo-user] Seamonkey automatic email download after switch to Oauth2

2022-06-03 Thread Michael
On Friday, 3 June 2022 02:45:11 BST Dale wrote:
> Howdy,
> 
> Early this morning Seamonkey could no longer fetch emails.  It wouldn't
> accept the username and password.  I did some searching and it seems
> that Google is disabling plain text username and password.  Honestly,
> sounds like a good idea really.  During my searches, most recommended
> OAuth2 so I switched to it.

Err ... perhaps not?  The use of a browser to delegate sign on is not 
necessarily a good idea, because it introduces layers of complication and with 
it potential vulnerabilities.  Random explainer here:

https://medium.com/securing/what-is-going-on-with-oauth-2-0-and-why-you-should-not-use-it-for-authentication-5f47597b2611

I recall some IMAP4 devs complaining about it, but Google pushed on 
regardless.  From the end of May if you want to login to Gmail you have no 
option but to use OAuth2.  I expect this will break some users' login if they 
have not disabled what Google calls "Less secure application access" and 
shared with Google their mobile phone number and what other *private* 
information Google wants to know, before it allows you to access your email 
messages.


> After a while, I noticed it wasn't downloading new emails
> automatically.  I have it set to check for new messages every 10 minutes
> or so.  I had to hit the Get Msgs button each time.  I'd prefer it to do
> it automatically.  I tried restarting Seamonkey and even changing the
> settings for doing it automatically, in case a config file needed
> updating after the switch, still doesn't do it automatically.  I'm
> attaching a screenshot of the settings. 
> 
> Does using OAuth2 disable automatically fetching messages or am I
> missing some other setting?  It worked fine until I switched to OAuth2
> so I don't know what else it could be.  Is there something better than
> OAuth2 that gmail supports?  I just picked the first option I found. 
> 
> Thoughts??

The OAuth2 mechanism will refresh exchange of tokens between client and server 
when they expire, but this should be seamless and transparent to the user.  If 
there is a breakdown in the connection for some time and a token expires, then 
depending on the mail client it may pop up a window asking for your login 
credentials to be resubmitted.  It does this occasionally on Kmail, but I have 
not noticed it on T'bird, which I believe is similar/same to the mail client 
of Seamonkey.

Checking for emails every so often on a timer is separate to authentication/
authorization.  Whether you check for email manually, or after a timer 
triggers it, OAuth2 will kick in on each occasion as the next step.  There may 
be some bug in Seamonkey.  You could try a later version or try T'bird.  If 
that works with the same settings, but Seamonkey doesn't, then by a process of 
elimination the issue would be with Seamonkey's implementation.

HTH.

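An added example (not the poster's code, and not Seamonkey's or Thunderbird's implementation) modelling the token lifecycle described in the message above. Every poll, whether the timer fires it or the user presses Get Msgs, first asks for a valid access token: the cached one is reused until shortly before it expires, then the refresh token is exchanged at the provider's token endpoint for a new one. When the refresh token itself is rejected (Google's token endpoint answers with an invalid_grant error once the grant has been revoked or expired) nothing can be done silently and the client has to run the interactive browser flow again, which is the login window the message mentions. The token endpoint here is a constructed stand-in that never touches the network; the 3600 second token lifetime and the 60 second refresh margin are assumptions.

```python
import itertools
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed margin: refresh this many seconds before the nominal expiry so a
# token does not run out in the middle of a POP3/IMAP session.
REFRESH_SKEW = 60.0


class ReauthorizationRequired(Exception):
    """The refresh token is missing or was rejected.  The client must run the
    interactive browser flow again; this is the point at which a mail client
    pops up a login window."""


@dataclass
class TokenCache:
    refresh_token: Optional[str]
    access_token: Optional[str] = None
    expires_at: float = 0.0     # absolute time, epoch seconds
    refresh_calls: int = 0      # counter so the behaviour can be observed


def ensure_access_token(cache: TokenCache,
                        refresh: Callable[[str], dict],
                        now: Optional[float] = None) -> str:
    """Return a usable access token, calling the token endpoint only when the
    cached token is absent or about to expire."""
    now = time.time() if now is None else now
    if cache.access_token and now < cache.expires_at - REFRESH_SKEW:
        return cache.access_token
    if not cache.refresh_token:
        raise ReauthorizationRequired("no refresh token cached")
    reply = refresh(cache.refresh_token)
    cache.refresh_calls += 1
    if "error" in reply:
        # invalid_grant: revoked, expired, or the account's credentials changed.
        # Drop both tokens so the next poll goes straight to re-authorisation
        # instead of hammering the endpoint with a dead refresh token.
        cache.access_token = None
        cache.refresh_token = None
        raise ReauthorizationRequired(reply.get("error_description", reply["error"]))
    cache.access_token = reply["access_token"]
    cache.expires_at = now + float(reply["expires_in"])
    return cache.access_token


def poll_once(cache: TokenCache,
              refresh: Callable[[str], dict],
              fetch: Callable[[str], int],
              now: Optional[float] = None) -> int:
    """One timer tick or one press of 'Get Msgs': authenticate, then fetch.
    The scheduler knows nothing about OAuth2; obtaining a token is simply the
    first step of every poll, manual or automatic."""
    token = ensure_access_token(cache, refresh, now)
    return fetch(token)


def fake_token_endpoint(valid_refresh_tokens: set) -> Callable[[str], dict]:
    """Constructed stand-in for the provider's token endpoint (no network).
    The reply shapes follow the OAuth2 token response and error formats."""
    counter = itertools.count(1)

    def refresh(refresh_token: str) -> dict:
        if refresh_token in valid_refresh_tokens:
            return {"access_token": f"at-{next(counter)}",
                    "expires_in": 3600, "token_type": "Bearer"}
        return {"error": "invalid_grant",
                "error_description": "Token has been expired or revoked."}

    return refresh


if __name__ == "__main__":
    cache = TokenCache(refresh_token="rt-constructed")
    endpoint = fake_token_endpoint({"rt-constructed"})
    fetch = lambda token: 3          # pretend three messages were downloaded
    t0 = 1_654_300_000.0             # constructed start time
    for offset in (0, 600, 3560):    # three timer ticks
        poll_once(cache, endpoint, fetch, t0 + offset)
        print(f"t+{offset:>5}s  refreshes so far: {cache.refresh_calls}")
    try:                             # the grant has since been revoked
        poll_once(cache, fake_token_endpoint(set()), fetch, t0 + 8000)
    except ReauthorizationRequired as exc:
        print("interactive login needed:", exc)
```

If a client behaves like this, a poll that stops working after the switch to OAuth2 is either failing inside ensure_access_token (in which case the client should be asking for a new login, and logging why the refresh was rejected) or it is a scheduler defect unrelated to authentication; the two are separable exactly because the timer and the token step are independent.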