Re: [mailop] G-Suite removing LSA functionality
On 19.12.2019 at 13:02:00 Philip Paeps via mailop wrote:
> Hrm. So potentially, if Davmail jumps through Google's hoops, one could point fetchmail at Davmail...

Definitely Davmail in its current state can't do it, as it's targeted to talk to Exchange only. It would need an additional development to be able to talk to Gmail.

--
Regards,
Jaroslaw Rafa
r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] G-Suite removing LSA functionality
On 2019-12-18 18:57:09 (+0800), Ken O'Driscoll via mailop wrote:
> On Mon, 2019-12-16 at 17:45 -0800, Brandon Long via mailop wrote:
>> If you wanted something, you'd probably want a proxy, something that speaks enough IMAP to do LOGIN/AUTHENTICATE, then re-login to Gmail with OAUTHBEARER, and then just be a pass through. We do something similar for the reverse proxy for IMAP at Gmail, though again, not really code that can be shared... though maybe someday someone will write an Envoy module for that. You could probably write something like that in a couple hundred lines of code.
>
> For people looking for a proxy to sit in front of G Suite's OAuth, I'd recommend taking a look at Davmail[1]. Davmail has been letting "traditional" clients talk to Exchange for ages, providing them with good ol' IMAP, SMTP, CardDAV and CalDAV interfaces. It already supports OAuth for O365. Since the dev team have already done a lot of the heavy lifting, contributing to that project and extending it might not be the worst idea for people looking for a proxy.

Hrm. So potentially, if Davmail jumps through Google's hoops, one could point fetchmail at Davmail... Circuitous to be sure, but it's good to have options.

Thanks for the suggestion.

Philip

--
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
Re: [mailop] G-Suite removing LSA functionality
On Mon, 2019-12-16 at 17:45 -0800, Brandon Long via mailop wrote:
> If you wanted something, you'd probably want a proxy, something that speaks enough IMAP to do LOGIN/AUTHENTICATE, then re-login to Gmail with OAUTHBEARER, and then just be a pass through. We do something similar for the reverse proxy for IMAP at Gmail, though again, not really code that can be shared... though maybe someday someone will write an Envoy module for that. You could probably write something like that in a couple hundred lines of code.

For people looking for a proxy to sit in front of G Suite's OAuth, I'd recommend taking a look at Davmail[1]. Davmail has been letting "traditional" clients talk to Exchange for ages, providing them with good ol' IMAP, SMTP, CardDAV and CalDAV interfaces. It already supports OAuth for O365. Since the dev team have already done a lot of the heavy lifting, contributing to that project and extending it might not be the worst idea for people looking for a proxy.

Ken.

[1] http://davmail.sourceforge.net/index.html
Re: [mailop] G-Suite removing LSA functionality
On 18.12.2019 at 10:18:33 Ken O'Driscoll via mailop wrote:
> I've used Evolution (which talks GOA) for years with multiple G Suite accounts and it works like a treat. And that's in a work capacity, not as a home user/hobbyist so I'm unforgiving of problems.

Nice to hear that. Until now I was still using a very old Evolution version that knows nothing about OAuth (well, it can't even use TLS higher than 1.0 so I have to use stunnel as a proxy to connect to mail servers that have dropped TLS 1.0, like Google did). But it's nice to know that once I finally configure my new OS and move to new Evolution version, it will support that :)

--
Regards,
Jaroslaw Rafa
r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
Re: [mailop] G-Suite removing LSA functionality
On Mon, 2019-12-16 at 22:30 +0100, Jaroslaw Rafa via mailop wrote:
> Do any Windows/Linux/MacOS email clients currently support OAuth "out of the box"?
> If not, that's basically cutting nearly everybody using regular IMAP email clients off of G Suite...

For Linux, the Gnome Online Accounts supports OAuth for Google, and has done for quite a while. Which means that any client that can talk to that framework, gets email, contacts and calendar/tasks. It also provides access to Google Drive.

I've used Evolution (which talks GOA) for years with multiple G Suite accounts and it works like a treat. And that's in a work capacity, not as a home user/hobbyist so I'm unforgiving of problems.

KDE have their own authentication framework which Kontact (KMail etc.) talks to but I have no idea of how stable the Oauth stuff is.

Ken.
Re: [mailop] G-Suite removing LSA functionality
App Passwords weren't mentioned and so will still be usable, I guess, for folks who can't use OAuth.

https://support.google.com/accounts/answer/185833?hl=en

On Mon, Dec 16, 2019 at 01:20:04PM -0600, Al Iverson via mailop wrote:
> Google is announcing that in the future, G-Suite accounts will not support LSA (Less Secure Access) account connection functionality. This will put an end to accessing your Gmail account via POP3 or old school IMAP, unless your email client supports OAuth.
Re: [mailop] G-Suite removing LSA functionality
Yes, in order to use oauth for mail scopes, you need a token by registering with the Google API console. That token can be used by a limited number of users (who will go through a scary interstitial) unless your app passes the security approval process. It's currently limited to 100 users.

Mail apps are definitely allowed to exist, and may or may not require a vendor security audit. If they do require an audit, ugh, that's expensive and annoying. Often (but not always), audits are only required for services, installable code with no centralized service are usually exempt, but you still need to carefully file the request, often with a "video" of usage of the app. I can see how that might be complicated for things like fetchmail, automated tools without much to look at.

That said, every user can just get their own token for themselves, high barrier but not insurmountable.

Also, iirc, GSuite Admins can whitelist tokens for their own use outside of the approval flow, ie if a company develops an internal app to access their own users mailboxes, they don't need to go through the approval flow.

FAQ here: https://support.google.com/cloud/answer/9110914

Brandon

On Tue, Dec 17, 2019 at 1:56 AM Andris Reinman via mailop wrote:
> It is not that you could just somehow easily add OAuth support to things. To get valid client ids for the OAuth to work you have to go through excessive verification process first as IMAP scope is something that Gmail considers restricted.
>
> Regards,
> Andris
>
>> On 17. Dec 2019, at 11:40, Philip Paeps via mailop wrote:
>>
>> On 2019-12-17 03:20:04 (+0800), Al Iverson via mailop wrote:
>>> Google is announcing that in the future, G-Suite accounts will not support LSA (Less Secure Access) account connection functionality. This will put an end to accessing your Gmail account via POP3 or old school IMAP, unless your email client supports OAuth.
>>
>> So someone will have to implement OATH support in fetchmail or I will lose access to customer email addresses on G-Suite.
>>
>> (Sure, I could fetch the email using Mailmate but 1. I don't want Google to follow my laptop around the world - that's creepy - and 2. I have my mailserver fetch my mail so it's more easily backed up.)
>>
>>> 2. February 15, 2021 - Access to LSAs will be turned off for all G Suite accounts.
>>
>> Clear deadline at least.
>>
>>> This isn't a bad thing, of course.
>>
>> I'm not sure I share that particular view...
>>
>> Philip
>>
>> --
>> Philip Paeps
>> Senior Reality Engineer
>> Alternative Enterprises
Re: [mailop] G-Suite removing LSA functionality
On Tue, Dec 17, 2019, at 08:56, Brandon Long via mailop wrote:
> On Mon, Dec 16, 2019 at 1:30 PM Jaroslaw Rafa wrote:
>> On 16.12.2019 at 12:42:29 Brandon Long via mailop wrote:
>>> Here's the announcement post:
>>> https://gsuiteupdates.googleblog.com/2019/12/less-secure-apps-oauth-google-username-password-incorrect.html
>>>
>>> Note this is more than just unencrypted access, this is using password based login at all. Looks like it doesn't apply to SMTP, yet, probably because of the number of printers and other embedded devices that don't support oauth.
>>>
>>> As for tools, last year I added support for OAUTHBEARER to mutt but by shelling out to https://github.com/google/gmail-oauth2-tools/blob/master/python/oauth2.py for generating tokens. The sasl level code to send the tokens is pretty trivial, the annoying part is launching a browser and getting the token back from it.
>>
>> Do any Windows/Linux/MacOS email clients currently support OAuth "out of the box"?
>> If not, that's basically cutting nearly everybody using regular IMAP email clients off of G Suite...
>
> The blog post specifically calls out Outlook, Mail.app and Thunderbird as supporting OAuth, once you add iOS Mail and various common Android Mail apps, that probably covers 90+% of the third party mail clients used to access Gmail. I don't know if all of the Android Mail apps support OAuth these days, but there are tools built into Google Services on Android to handle oauth grants very easily (certainly the easiest of the platforms besides web apps).
>
> For terminal apps, doing something like I did with Mutt is probably the right choice and pretty straightforward.
> For gui apps, it's obviously more complicated if you need to embed a web browser, not to mention the inherent insecurity of logging into Google from an embedded web browser... but I guess you would have given that app your password anyways prior to oauth, so whatever.

This is one of the cases where JMAP authentication (as seen in https://datatracker.ietf.org/doc/draft-ietf-jmap-core/00/ and removed afterwards due to not wanting to mix the mail protocol with considerations of a new authentication mechanism) would have been quite nice.

Basically, you try to log in and get told "please load up this URL in your normal web browser and do stuff until the web browser tells you that the session is alive, then come back here and all will be good".

Or even "you have an authenticated connection now that can't see any accounts, go sign in however many accounts you like over the web with this magic link and they will get added to this connection". I'm quite interested in that actually, because JMAP already supports having multiple accounts inside a single authenticated connection - you could have each session start off "empty" and authenticate accounts into it!

Bron.

--
Bron Gondwana
br...@fastmail.fm
Re: [mailop] G-Suite removing LSA functionality
On 2019-12-17 18:08:03 (+0800), Andrew C Aitchison wrote:
> On Tue, 17 Dec 2019, Philip Paeps via mailop wrote:
>> On 2019-12-17 03:20:04 (+0800), Al Iverson via mailop wrote:
>>> Google is announcing that in the future, G-Suite accounts will not support LSA (Less Secure Access) account connection functionality. This will put an end to accessing your Gmail account via POP3 or old school IMAP, unless your email client supports OAuth.
>>
>> So someone will have to implement OATH support in fetchmail or I will lose access to customer email addresses on G-Suite.
>>
>> (Sure, I could fetch the email using Mailmate but 1. I don't want Google to follow my laptop around the world - that's creepy - and 2. I have my mailserver fetch my mail so it's more easily backed up.)
>
> Fetchmail is indeed a significant issue and https://sourceforge.net/p/fetchmail/mailman/message/34628292/ suggests that the fetchmail devels aren't going to turn it into a web browser.

They're not wrong...

> One other option is for gmail to forward your mail to your server. I've been doing this for a few months without any problems.

Thanks for the suggestion. I'll look into doing that. I've got two years to put off poking around at the web interface. :-)

Philip

--
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
Re: [mailop] G-Suite removing LSA functionality
On Tue, 17 Dec 2019, Philip Paeps via mailop wrote:
> On 2019-12-17 03:20:04 (+0800), Al Iverson via mailop wrote:
>> Google is announcing that in the future, G-Suite accounts will not support LSA (Less Secure Access) account connection functionality. This will put an end to accessing your Gmail account via POP3 or old school IMAP, unless your email client supports OAuth.
>
> So someone will have to implement OATH support in fetchmail or I will lose access to customer email addresses on G-Suite.
>
> (Sure, I could fetch the email using Mailmate but 1. I don't want Google to follow my laptop around the world - that's creepy - and 2. I have my mailserver fetch my mail so it's more easily backed up.)

Fetchmail is indeed a significant issue and https://sourceforge.net/p/fetchmail/mailman/message/34628292/ suggests that the fetchmail devels aren't going to turn it into a web browser.

One other option is for gmail to forward your mail to your server. I've been doing this for a few months without any problems.

--
Andrew C. Aitchison
Kendal, UK
and...@aitchison.me.uk
Re: [mailop] G-Suite removing LSA functionality
On 2019-12-17 17:53:48 (+0800), andris.rein...@gmail.com wrote:
>> On 17. Dec 2019, at 11:40, Philip Paeps wrote:
>>
>> On 2019-12-17 03:20:04 (+0800), Al Iverson via mailop wrote:
>>> Google is announcing that in the future, G-Suite accounts will not support LSA (Less Secure Access) account connection functionality. This will put an end to accessing your Gmail account via POP3 or old school IMAP, unless your email client supports OAuth.
>>
>> So someone will have to implement OATH support in fetchmail or I will lose access to customer email addresses on G-Suite.
>>
>> (Sure, I could fetch the email using Mailmate but 1. I don't want Google to follow my laptop around the world - that's creepy - and 2. I have my mailserver fetch my mail so it's more easily backed up.)
>>
>>> 2. February 15, 2021 - Access to LSAs will be turned off for all G Suite accounts.
>>
>> Clear deadline at least.
>>
>>> This isn't a bad thing, of course.
>>
>> I'm not sure I share that particular view...
>
> It is not that you could just somehow easily add OAuth support to things. To get valid client ids for the OAuth to work you have to go through excessive verification process first as IMAP scope is something that Gmail considers restricted.

That's convenient! So basically anyone using fetchmail is (or will be) SOL? Unless fetchmail can somehow pass the "excessive verification process"...

Philip

--
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
Re: [mailop] G-Suite removing LSA functionality
It is not that you could just somehow easily add OAuth support to things. To get valid client ids for the OAuth to work you have to go through excessive verification process first as IMAP scope is something that Gmail considers restricted.

Regards,
Andris

> On 17. Dec 2019, at 11:40, Philip Paeps via mailop wrote:
>
> On 2019-12-17 03:20:04 (+0800), Al Iverson via mailop wrote:
>> Google is announcing that in the future, G-Suite accounts will not support LSA (Less Secure Access) account connection functionality. This will put an end to accessing your Gmail account via POP3 or old school IMAP, unless your email client supports OAuth.
>
> So someone will have to implement OATH support in fetchmail or I will lose access to customer email addresses on G-Suite.
>
> (Sure, I could fetch the email using Mailmate but 1. I don't want Google to follow my laptop around the world - that's creepy - and 2. I have my mailserver fetch my mail so it's more easily backed up.)
>
>> 2. February 15, 2021 - Access to LSAs will be turned off for all G Suite accounts.
>
> Clear deadline at least.
>
>> This isn't a bad thing, of course.
>
> I'm not sure I share that particular view...
>
> Philip
>
> --
> Philip Paeps
> Senior Reality Engineer
> Alternative Enterprises
Re: [mailop] G-Suite removing LSA functionality
On 2019-12-17 03:20:04 (+0800), Al Iverson via mailop wrote:
> Google is announcing that in the future, G-Suite accounts will not support LSA (Less Secure Access) account connection functionality. This will put an end to accessing your Gmail account via POP3 or old school IMAP, unless your email client supports OAuth.

So someone will have to implement OATH support in fetchmail or I will lose access to customer email addresses on G-Suite.

(Sure, I could fetch the email using Mailmate but 1. I don't want Google to follow my laptop around the world - that's creepy - and 2. I have my mailserver fetch my mail so it's more easily backed up.)

> 2. February 15, 2021 - Access to LSAs will be turned off for all G Suite accounts.

Clear deadline at least.

> This isn't a bad thing, of course.

I'm not sure I share that particular view...

Philip

--
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
Re: [mailop] G-Suite removing LSA functionality
On 16.12.2019 at 17:45:03 Brandon Long wrote:
>> (and I think there is absolutely no doubt that for professional use *any* email client - even many years old Outlook Express ;) - works better than Gmail's web interface).
>
> Consider doubt expressed.

:))

Well, maybe my case is specific, but I could quote here many use cases that happen to me literally countless times, that I can do very quickly in Outlook and I either couldn't do at all or it will be much more complicated, required a lot of clicking and took more time in Gmail's web interface. But I don't think it's worth to waste list members' time on reading that :).

I would note only one crucial thing, without which it's impossible for me to use email: being able to instantly scroll through all messages in my inbox (no matter how many there are) and visually identify the message I'm looking for. Search feature won't help me, because I don't know *exactly* any search term I could use in a query, but I know for sure that I will instantly recognize the needed message once I see it, because I remember all the broad context (which includes pretty much everything outside of email itself :)) related to it.

> For one, Google already maintains internal systems for translating IMAP to the internal APIs, why would they attempt to duplicate that effort? Also, the challenge of mapping IMAP to Gmail's mailstore model is complicated, why have two different versions (or N versions given the long tail of software updates).
[...]
> If you wanted something, you'd probably want a proxy, something that speaks enough IMAP to do LOGIN/AUTHENTICATE, then re-login to Gmail with OAUTHBEARER, and then just be a pass through. We do something similar for the reverse proxy for IMAP at Gmail, though again, not really code that can be shared... though maybe someday someone will write an Envoy module for that. You could probably write something like that in a couple hundred lines of code.

I was talking specifically about the case when the domain admin has disabled IMAP completely (they claim IMAP on a mobile device is insecure in general - it is possible somehow to bypass any local authentication and access email by anyone who gets hold of the device that has IMAP configured. I can't verify these claims). In that case G Suite Sync remains the only way to access. That's why I thought about moving IMAP to internal APIs translation to client side (similarly to G Suite Sync). But I understand if you say that you have no resources to do that or consider that not worth doing.

--
Regards,
Jaroslaw Rafa
r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
Re: [mailop] G-Suite removing LSA functionality
Will app passwords still be allowed or do they fall into the same category as LSA?

https://support.google.com/accounts/answer/185833?hl=en#app-passwords

On Mon, Dec 16, 2019, at 6:45 PM, Brandon Long via mailop wrote:
> On Mon, Dec 16, 2019 at 2:43 PM Jaroslaw Rafa via mailop wrote:
>> On 16.12.2019 at 21:43:45 Jody Belka wrote:
>>> * Outlook 2016 and earlier with the G-Suite Sync for Microsoft Outlook tool (Windows-only) support it
>>
>> By the way, a company I work for uses G Suite Sync and turned off IMAP access completely for their domain. In that case Outlook with G Suite Sync is the only way to access G Suite email with any email client (and I think there is absolutely no doubt that for professional use *any* email client - even many years old Outlook Express ;) - works better than Gmail's web interface).
>
> Consider doubt expressed.
>
>> However, the limitation to Outlook in this case is quite an obstacle. I always thought it would be nice to have such a tool as G Suite Sync for other email clients as well. The best would be something that acts as a proxy running on localhost; you connect to it the old fashioned way via IMAP/SMTP, and it translates the requests to Gmail's API (G Suite Sync does something like this, but on the local side there is proprietary Microsoft's MAPI instead of IMAP/SMTP).
>>
>> Taking into account the coming changes we are talking about in this thread, can we expect Google to release such a tool? It would be a great help to all email clients users and would keep G Suite email universally accessible without giving up on security.
>
> No, I wouldn't expect that at all.
>
> For one, Google already maintains internal systems for translating IMAP to the internal APIs, why would they attempt to duplicate that effort? Also, the challenge of mapping IMAP to Gmail's mailstore model is complicated, why have two different versions (or N versions given the long tail of software updates).
>
> For two, Outlook is one of the most used email clients in the world, the rest of the clients which don't support (and aren't willing to add support for) OAuth are the long tail.
>
> For three, MAPI supports more than just email, it also supports calendar and contacts, so that's one stop shopping.
>
> If you wanted something, you'd probably want a proxy, something that speaks enough IMAP to do LOGIN/AUTHENTICATE, then re-login to Gmail with OAUTHBEARER, and then just be a pass through. We do something similar for the reverse proxy for IMAP at Gmail, though again, not really code that can be shared... though maybe someday someone will write an Envoy module for that. You could probably write something like that in a couple hundred lines of code.
>
> Brandon
Re: [mailop] G-Suite removing LSA functionality
On Mon, Dec 16, 2019 at 2:43 PM Jaroslaw Rafa via mailop wrote:
> On 16.12.2019 at 21:43:45 Jody Belka wrote:
>> * Outlook 2016 and earlier with the G-Suite Sync for Microsoft Outlook tool (Windows-only) support it
>
> By the way, a company I work for uses G Suite Sync and turned off IMAP access completely for their domain. In that case Outlook with G Suite Sync is the only way to access G Suite email with any email client (and I think there is absolutely no doubt that for professional use *any* email client - even many years old Outlook Express ;) - works better than Gmail's web interface).

Consider doubt expressed.

> However, the limitation to Outlook in this case is quite an obstacle. I always thought it would be nice to have such a tool as G Suite Sync for other email clients as well. The best would be something that acts as a proxy running on localhost; you connect to it the old fashioned way via IMAP/SMTP, and it translates the requests to Gmail's API (G Suite Sync does something like this, but on the local side there is proprietary Microsoft's MAPI instead of IMAP/SMTP).
>
> Taking into account the coming changes we are talking about in this thread, can we expect Google to release such a tool? It would be a great help to all email clients users and would keep G Suite email universally accessible without giving up on security.

No, I wouldn't expect that at all.

For one, Google already maintains internal systems for translating IMAP to the internal APIs, why would they attempt to duplicate that effort? Also, the challenge of mapping IMAP to Gmail's mailstore model is complicated, why have two different versions (or N versions given the long tail of software updates).

For two, Outlook is one of the most used email clients in the world, the rest of the clients which don't support (and aren't willing to add support for) OAuth are the long tail.

For three, MAPI supports more than just email, it also supports calendar and contacts, so that's one stop shopping.

If you wanted something, you'd probably want a proxy, something that speaks enough IMAP to do LOGIN/AUTHENTICATE, then re-login to Gmail with OAUTHBEARER, and then just be a pass through. We do something similar for the reverse proxy for IMAP at Gmail, though again, not really code that can be shared... though maybe someday someone will write an Envoy module for that. You could probably write something like that in a couple hundred lines of code.

Brandon
Re: [mailop] G-Suite removing LSA functionality
On 16 Dec 2019, at 13:30, Jaroslaw Rafa via mailop wrote:
> Do any Windows/Linux/MacOS email clients currently support OAuth "out of the box"?

I can report that MailMate on MacOS works perfectly with OAuth. And it's also much better for email geeks. Not free, but well worth the license.

Best regards

-lem
Re: [mailop] G-Suite removing LSA functionality
On 16.12.2019 at 13:20:04 Al Iverson via mailop wrote:
> Alternatively you can use G Suite Sync for Microsoft Outlook.

By the way, a company I work for uses G Suite Sync and turned off IMAP access completely for their domain. In that case Outlook with G Suite Sync is the only way to access G Suite email with any email client (and I think there is absolutely no doubt that for professional use *any* email client - even many years old Outlook Express ;) - works better than Gmail's web interface).

However, the limitation to Outlook in this case is quite an obstacle. I always thought it would be nice to have such a tool as G Suite Sync for other email clients as well. The best would be something that acts as a proxy running on localhost; you connect to it the old fashioned way via IMAP/SMTP, and it translates the requests to Gmail's API (G Suite Sync does something like this, but on the local side there is proprietary Microsoft's MAPI instead of IMAP/SMTP).

Taking into account the coming changes we are talking about in this thread, can we expect Google to release such a tool? It would be a great help to all email clients users and would keep G Suite email universally accessible without giving up on security.

--
Regards,
Jaroslaw Rafa
r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
Re: [mailop] G-Suite removing LSA functionality
On 16.12.2019 at 21:43:45 Jody Belka wrote:
> * Outlook 2016 and earlier with the G-Suite Sync for Microsoft Outlook tool (Windows-only) support it

By the way, a company I work for uses G Suite Sync and turned off IMAP access completely for their domain. In that case Outlook with G Suite Sync is the only way to access G Suite email with any email client (and I think there is absolutely no doubt that for professional use *any* email client - even many years old Outlook Express ;) - works better than Gmail's web interface).

However, the limitation to Outlook in this case is quite an obstacle. I always thought it would be nice to have such a tool as G Suite Sync for other email clients as well. The best would be something that acts as a proxy running on localhost; you connect to it the old fashioned way via IMAP/SMTP, and it translates the requests to Gmail's API (G Suite Sync does something like this, but on the local side there is proprietary Microsoft's MAPI instead of IMAP/SMTP).

Taking into account the coming changes we are talking about in this thread, can we expect Google to release such a tool? It would be a great help to all email clients users and would keep G Suite email universally accessible without giving up on security.

--
Regards,
Jaroslaw Rafa
r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
Re: [mailop] G-Suite removing LSA functionality
On Mon, Dec 16, 2019 at 1:30 PM Jaroslaw Rafa wrote:
> On 16.12.2019 at 12:42:29 Brandon Long via mailop wrote:
>> Here's the announcement post:
>> https://gsuiteupdates.googleblog.com/2019/12/less-secure-apps-oauth-google-username-password-incorrect.html
>>
>> Note this is more than just unencrypted access, this is using password based login at all. Looks like it doesn't apply to SMTP, yet, probably because of the number of printers and other embedded devices that don't support oauth.
>>
>> As for tools, last year I added support for OAUTHBEARER to mutt but by shelling out to https://github.com/google/gmail-oauth2-tools/blob/master/python/oauth2.py for generating tokens. The sasl level code to send the tokens is pretty trivial, the annoying part is launching a browser and getting the token back from it.
>
> Do any Windows/Linux/MacOS email clients currently support OAuth "out of the box"?
> If not, that's basically cutting nearly everybody using regular IMAP email clients off of G Suite...

The blog post specifically calls out Outlook, Mail.app and Thunderbird as supporting OAuth, once you add iOS Mail and various common Android Mail apps, that probably covers 90+% of the third party mail clients used to access Gmail. I don't know if all of the Android Mail apps support OAuth these days, but there are tools built into Google Services on Android to handle oauth grants very easily (certainly the easiest of the platforms besides web apps).

For terminal apps, doing something like I did with Mutt is probably the right choice and pretty straightforward. For gui apps, it's obviously more complicated if you need to embed a web browser, not to mention the inherent insecurity of logging into Google from an embedded web browser... but I guess you would have given that app your password anyways prior to oauth, so whatever.

Brandon
Re: [mailop] G-Suite removing LSA functionality
removing Syed, sorry, didn't mean to add him to an external thread about this, please don't flood him about this.

Brandon

On Mon, Dec 16, 2019 at 1:49 PM Brandon Long wrote:

> +Syed Albiz who was the last person to edit that on
> the request to update to py3
>
> Brandon
>
> On Mon, Dec 16, 2019 at 1:10 PM Stuart Henderson wrote:
>
>> On 2019/12/16 12:42, Brandon Long via mailop wrote:
>> > As for tools, last year I added support for OAUTHBEARER to mutt but by
>> > shelling out to
>> > https://github.com/google/gmail-oauth2-tools/blob/master/python/oauth2.py
>> > for generating tokens. The sasl level code to send the tokens is pretty
>> > trivial, the annoying part is launching a browser and getting the token
>> > back from it.
>>
>> This works fine, though it would be nice if one of the (so far) three PRs
>> adding Python 3 support to gmail-oauth2-tools could be merged :-)
Re: [mailop] G-Suite removing LSA functionality
+Syed Albiz who was the last person to edit that on the request to update to py3

Brandon

On Mon, Dec 16, 2019 at 1:10 PM Stuart Henderson wrote:

> On 2019/12/16 12:42, Brandon Long via mailop wrote:
> > As for tools, last year I added support for OAUTHBEARER to mutt but by
> > shelling out to
> > https://github.com/google/gmail-oauth2-tools/blob/master/python/oauth2.py
> > for generating tokens. The sasl level code to send the tokens is pretty
> > trivial, the annoying part is launching a browser and getting the token
> > back from it.
>
> This works fine, though it would be nice if one of the (so far) three PRs
> adding Python 3 support to gmail-oauth2-tools could be merged :-)
Re: [mailop] G-Suite removing LSA functionality
On 16.12.2019 at 12:42:29, Brandon Long via mailop wrote:

> Here's the announcement post:
> https://gsuiteupdates.googleblog.com/2019/12/less-secure-apps-oauth-google-username-password-incorrect.html
>
> Note this is more than just unencrypted access, this is using password
> based login at all. Looks like it doesn't apply to SMTP, yet, probably
> because of the number of printers and other embedded devices that don't
> support oauth.
>
> As for tools, last year I added support for OAUTHBEARER to mutt but by
> shelling out to
> https://github.com/google/gmail-oauth2-tools/blob/master/python/oauth2.py for
> generating tokens. The sasl level code to send the tokens is pretty
> trivial, the annoying part is launching a browser and getting the token
> back from it.

Do any Windows/Linux/MacOS email clients currently support OAuth "out of the box"?
If not, that's basically cutting nearly everybody using regular IMAP email clients off of G Suite...

--
Regards,
Jaroslaw Rafa
r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
Re: [mailop] G-Suite removing LSA functionality
On 2019/12/16 12:42, Brandon Long via mailop wrote:

> As for tools, last year I added support for OAUTHBEARER to mutt but by
> shelling out to
> https://github.com/google/gmail-oauth2-tools/blob/master/python/oauth2.py
> for generating tokens. The sasl level code to send the tokens is pretty
> trivial, the annoying part is launching a browser and getting the token
> back from it.

This works fine, though it would be nice if one of the (so far) three PRs adding Python 3 support to gmail-oauth2-tools could be merged :-)
Re: [mailop] G-Suite removing LSA functionality
Here's the announcement post:
https://gsuiteupdates.googleblog.com/2019/12/less-secure-apps-oauth-google-username-password-incorrect.html

Note this is more than just unencrypted access, this is using password based login at all. Looks like it doesn't apply to SMTP, yet, probably because of the number of printers and other embedded devices that don't support oauth.

As for tools, last year I added support for OAUTHBEARER to mutt but by shelling out to https://github.com/google/gmail-oauth2-tools/blob/master/python/oauth2.py for generating tokens. The sasl level code to send the tokens is pretty trivial, the annoying part is launching a browser and getting the token back from it.

I don't know if/when this will apply to consumer accounts.

Brandon

On Mon, Dec 16, 2019 at 11:53 AM Luis E. Muñoz via mailop wrote:

> On 16 Dec 2019, at 11:20, Al Iverson via mailop wrote:
>
> > Question for the group -- [⋯] Are there other folks out there that
> > will have to make code changes to comply with these changes?
>
> I will have to make code changes to more or less the same classes of
> tools you mentioned.
>
> Best regards
>
> -lem
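For reference, the SASL-level step mentioned in the message above, as an added example that is not code from mutt, gmail-oauth2-tools or any poster in this thread: it builds the OAUTHBEARER (RFC 7628) and XOAUTH2 initial responses for IMAP AUTHENTICATE and decodes a server failure challenge. The account name, token and error JSON are constructed sample values.

```python
import base64
import json
import re

KVSEP = "\x01"  # Ctrl-A separator used by both mechanisms
# Bearer token syntax (RFC 6750 b64token); rejects Ctrl-A and any other
# character that would let a token smuggle in extra key/value pairs.
B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")
OAUTHBEARER_ABORT = "AQ=="  # base64 of a lone Ctrl-A, sent after a failure challenge


def check_token(token):
    if not B64TOKEN.fullmatch(token):
        raise ValueError("not a valid bearer token")
    return token


def escape_saslname(name):
    """GS2 header escaping (RFC 5801): '=' first, then ','."""
    return name.replace("=", "=3D").replace(",", "=2C")


def oauthbearer_response(user, token, host, port):
    """RFC 7628 initial client response, base64-encoded for IMAP AUTHENTICATE."""
    fields = [f"n,a={escape_saslname(user)},", f"host={host}", f"port={port}",
              f"auth=Bearer {check_token(token)}"]
    return base64.b64encode((KVSEP.join(fields) + KVSEP * 2).encode()).decode("ascii")


def xoauth2_response(user, token):
    """Google's XOAUTH2 form: no GS2 header, no host/port fields."""
    if KVSEP in user:
        raise ValueError("user name must not contain Ctrl-A")
    raw = f"user={user}{KVSEP}auth=Bearer {check_token(token)}{KVSEP}{KVSEP}"
    return base64.b64encode(raw.encode()).decode("ascii")


def parse_failure(challenge_b64):
    """Decode the JSON error a server sends in a '+ ' continuation on failure."""
    return json.loads(base64.b64decode(challenge_b64))


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print("AUTHENTICATE OAUTHBEARER",
          oauthbearer_response("user@example.com", "ya29.constructed-token", "imap.gmail.com", 993))
    err = base64.b64encode(b'{"status":"invalid_token","scope":"https://mail.google.com/"}')
    print(parse_failure(err)["status"], "-> reply with", OAUTHBEARER_ABORT)
```

After an OAUTHBEARER failure challenge the client sends `OAUTHBEARER_ABORT` so the server can finish the exchange with a tagged NO; only then is it worth refreshing the token and retrying.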
Re: [mailop] G-Suite removing LSA functionality
On 16 Dec 2019, at 11:20, Al Iverson via mailop wrote:

> Question for the group -- [⋯] Are there other folks out there that will
> have to make code changes to comply with these changes?

I will have to make code changes to more or less the same classes of tools you mentioned.

Best regards

-lem
Re: [mailop] G-Suite removing LSA functionality
Thanks Al for posting this..

As a rule, everyone should be deprecating port 110/143 for authentication and using the SSL/TLS versions.. Hopefully, this will help convince all other ISPs to at least do that.

-- Michael --

And of course, a quick pitch on email clients should consider supporting CLIENTID to ensure all your customers have access to simple 2FA.

On 2019-12-16 11:20 a.m., Al Iverson via mailop wrote:

> Google is announcing that in the future, G-Suite accounts will not support LSA (Less Secure Access) account connection functionality. This will put an end to accessing your Gmail account via POP3 or old school IMAP, unless your email client supports OAuth.
>
> Google says:
>
> Access to LSAs will be turned off in two stages:
>
> 1. June 15, 2020 - Users who try to connect to an LSA for the first time will no longer be able to do so. This includes third-party apps that allow password-only access to Google calendars, contacts, and email via protocols such as CalDAV, CardDAV and IMAP. Users who have connected to LSAs prior to this date will be able to continue using them until usage of all LSAs is turned off.
> 2. February 15, 2021 - Access to LSAs will be turned off for all G Suite accounts.
>
> Email:
>
> - If you are using stand-alone Outlook 2016 or earlier, move to Office 365 (a web-based version of Outlook) or Outlook 2019, both of which support OAuth access. Alternatively you can use G Suite Sync for Microsoft Outlook.
> - If you are using Thunderbird or another email client, re-add your Google Account and configure it to use IMAP with OAuth.
> - If you are using the mail app on iOS or MacOS, or Outlook for Mac, and use only a password to login, you’ll need to remove and re-add your account. When you add it back, select “sign in with Google” to automatically use OAuth.
>
> Net: After this is implemented, G-Suite accounts will no longer have old school POP3 and IMAP support. This isn't a bad thing, of course. But it is a change.
>
> And I manage a bunch of deliverability test, spamtrap and seed address accounts that are going to be impacted by this-- my homegrown software used today does not yet have support for OAuth, so I need to decide what I'm going to do. Build an app module that supports OAuth? Move mailboxes to a different provider? Roll my own?
>
> Question for the group -- this clearly is being announced for G-Suite accounts. Does anyone know if Gmail.com user accounts are going to lose LSA access as well? Are there other folks out there that will have to make code changes to comply with these changes?
>
> TIA for your thoughts.
>
> Cheers,
> Al Iverson

--
"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.