Hi MailMate users,

if you use the latest test version of MailMate (r5150) with a Gmail or an Outlook account then you should read this email.

Google continues to push for the adoption of [OAuth2](http://oauth.net/2/) via the [XOAUTH2](https://developers.google.com/gmail/xoauth2_protocol) protocol. In my opinion, they do that using a lot of FUD as seen in [this support article](https://support.google.com/accounts/answer/6010255?hl=en), but that does not mean that XOAUTH2 is necessarily a bad idea. Especially not for something like Google for which a single password provides access to all kinds of services.

A bit simplified, it works like this: Using an embedded web browser in MailMate, the user is sent to a hardcoded Google address (using a secure connection). The user is then asked by Google to allow MailMate to access the emails of the Gmail account. If accepted then MailMate receives a special code. Using this code MailMate can then obtain a so-called access token. This access token can then be used when authenticating via IMAP or SMTP. In other words, the real password is never known to[^1] or used by MailMate itself. It is naturally also not stored by MailMate. An access token expires, but MailMate can obtain a new one when needed. The access token only provides access to emails and the user can revoke the access at any time on [this page](https://security.google.com/settings/security/permissions).
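The wire-level consequence of that flow is what matters for the "password is never used by MailMate" point: with XOAUTH2 the client sends the mail server a SASL initial response containing only the user name and the bearer access token. The following Python is an added illustration written for this post, not code from MailMate; it builds and parses that SASL string in the documented `user=...\x01auth=Bearer ...\x01\x01` layout, decodes the base64 JSON challenge a server returns on failure, and keeps a small token cache that refreshes shortly before expiry. The user name, token values and the `refresh` callback are constructed placeholders; in a real client `refresh` would be the call to the provider's token endpoint.

```python
import base64
import json
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


def build_xoauth2_response(user: str, access_token: str) -> str:
    """Base64 SASL initial client response for AUTHENTICATE XOAUTH2.

    Only the account name and the bearer token are sent; the account
    password never appears in this exchange.
    """
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def parse_xoauth2_response(encoded: str) -> Dict[str, str]:
    """Decode an XOAUTH2 initial response (as a server or a log analyst would)."""
    raw = base64.b64decode(encoded).decode("utf-8")
    if not raw.endswith("\x01\x01"):
        raise ValueError("malformed XOAUTH2 initial response")
    fields: Dict[str, str] = {}
    for part in raw[:-2].split("\x01"):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[key] = value
    auth = fields.get("auth", "")
    if not auth.startswith("Bearer "):
        raise ValueError("auth field must carry a Bearer token")
    fields["token"] = auth[len("Bearer "):]
    return fields


def parse_xoauth2_error(encoded: str) -> Dict[str, str]:
    """On failure the server sends a base64 JSON object (status, schemes, scope)."""
    return json.loads(base64.b64decode(encoded).decode("utf-8"))


# Constructed sample of a failure challenge, built here so the example runs offline.
SAMPLE_ERROR_CHALLENGE = base64.b64encode(
    json.dumps({"status": "401", "schemes": "bearer",
                "scope": "https://mail.google.com/"}).encode("utf-8")
).decode("ascii")


@dataclass
class AccessToken:
    value: str
    expires_at: float  # POSIX seconds


class TokenStore:
    """Caches an access token and refreshes it before it expires.

    `refresh` stands in for the provider token-endpoint call (hypothetical here);
    `skew_seconds` refreshes early so a token never expires mid-login.
    """

    def __init__(self, refresh: Callable[[], AccessToken],
                 clock: Callable[[], float] = time.time,
                 skew_seconds: int = 60) -> None:
        self._refresh = refresh
        self._clock = clock
        self._skew = skew_seconds
        self._token: Optional[AccessToken] = None
        self.refresh_count = 0

    def current(self) -> str:
        now = self._clock()
        if self._token is None or self._token.expires_at - self._skew <= now:
            self._token = self._refresh()
            self.refresh_count += 1
        return self._token.value

    def sasl_response(self, user: str) -> str:
        return build_xoauth2_response(user, self.current())


if __name__ == "__main__":
    # Constructed demo values; a real token comes from the OAuth2 code exchange.
    store = TokenStore(lambda: AccessToken("ya29.constructed-token", time.time() + 3600))
    sasl = store.sasl_response("alice@example.com")
    print("AUTHENTICATE XOAUTH2", sasl)
    print(parse_xoauth2_response(sasl))
    print(parse_xoauth2_error(SAMPLE_ERROR_CHALLENGE))
```

The parser is the useful half for a defender: run over the base64 argument of an `AUTHENTICATE XOAUTH2` line from an IMAP or SMTP transcript, it shows that what the client disclosed was a short-lived, revocable bearer token, not the account password.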

Now, MailMate has had experimental support for XOAUTH2, but I think I now have to make it the default behavior (at least for Gmail). This made me change a few things:

* Previously, MailMate used an external web browser, but this does not work well and requires the user to copy/paste a code. An embedded browser is now used instead.
* Using OAuth2 is now an option in the IMAP account settings. It is enabled by default, but it'll only be used when the corresponding IMAP server is actually supported by MailMate.
* MailMate also supports XOAUTH2 for Outlook email addresses.
* Tokens are stored in the keychain similar to how OS X stores them. Previously, a token was simply saved as if it was a password.

The last item means that users of the experimental support are going to be asked to authenticate MailMate again.

I'm looking for feedback on how well this works, both for Gmail and Outlook. I'm sure you'll tell me if it doesn't work at all.

One known issue: I've seen the initial authentication fail for Outlook, but it seems to be a temporary problem. At least I have not been able to figure out what triggers it.

Various other notes:

* The old hidden preference is now obsolete.
* XOAUTH2 requires me to register MailMate with the service provider (Google/Microsoft). If the provider stops supporting other authentication schemes (which is almost true for Google) then Google has the power to decide which email clients are allowed to work with Gmail. [I'm not sure](https://en.wikipedia.org/wiki/Embrace,_extend_and_extinguish) I'm quite comfortable with that. It reminds me of what happened to [third party Twitter clients](http://thenextweb.com/twitter/2012/08/17/twitter-4/).
* Maybe this is a good time to reiterate that [alternatives](http://blog.freron.com/2013/alternative-email-providers/) do exist.
* iCloud appears to have a similar authentication scheme, but it's undocumented and cannot be used by third party email clients.


[^1]: Since MailMate embeds the web browser itself then this is not strictly true. This is also why OAuth2 doesn't provide as much security for desktop applications as it does for web services.