Hi MailMate users,
if you use the latest test version of MailMate (r5150) with a Gmail or
an Outlook account then you should read this email.
Google continues to push for the adoption of
[OAuth2](http://oauth.net/2/) via the
protocol. In my opinion, they do that using a lot of FUD as seen in
that does not mean that XOAUTH2 is necessarily a bad idea. Especially
not for something like Google for which a single password provides
access to all kinds of services.
A bit simplified, it works like this: Using an embedded web browser in
MailMate, the user is sent to a hardcoded Google address (using a secure
connection). The user is then asked by Google to allow MailMate to
access the emails of the Gmail account. If accepted then MailMate
receives a special code. Using this code MailMate can then obtain a
so-called access token. This access token can then be used when
authenticating via IMAP or SMTP. In other words, the real password is
never known to[^1] or used by MailMate itself. It is naturally also not
stored by MailMate. An access token expires, but MailMate can obtain a
new one when needed. The access token only provides access to emails and
the user can revoke the access at any time on [this
Now, MailMate has had experimental support for XOAUTH2, but I think I
now have to make it the default behavior (at least for Gmail). This made
me change a few things:
* Previously, MailMate used an external web browser, but this does not
work well and requires the user to copy/paste a code. An embedded
browser is now used instead.
* Using OAuth2 is now an option in the IMAP account settings. It is
enabled by default, but it'll only be used when the corresponding IMAP
server is actually supported by MailMate.
* MailMate also supports XOAUTH2 for Outlook email addresses.
* Tokens are stored in the keychain similar to how OS X stores them.
Previously, a token was simply saved as if it was a password.
The last item means that users of the experimental support are going to
be asked to authenticate MailMate again.
I'm looking for feedback on how well this works, both for Gmail and
Outlook. I'm sure you'll tell me if it doesn't work at all.
One known issue: I've seen the initial authentication fail for Outlook,
but it seems to be a temporary problem. At least I have not been able to
figure out what triggers it.
Various other notes:
* The old hidden preference is now obsolete.
* XOAUTH2 requires me to register MailMate with the service provider
(Google/Microsoft). If the provider stops supporting other
authentication schemes (which is almost true for Google) then Google has
the power to decide which email clients are allowed to work with Gmail.
quite comfortable with that. It reminds me of what happened to [third
* Maybe this is a good time to reiterate that
* iCloud appears to have a similar authentication scheme, but it's
undocumented and cannot be used by third party email clients.
[^1]: Since MailMate embeds the web browser itself then this is not
strictly true. This is also why OAuth2 doesn't provide as much security
for desktop applications as it does for web services.
mailmate mailing list