You may lose access to some of your third-party apps...

[PKTKS]

Does anyone knows with some degree of confidence ...

How it will be the situation of email agents like FETCHMAIL  when this change takes place ?

I use FETCHMAIL by default to centralize and filter my stuff for decades..
it will be a real tragic loss if they cut fetchmail without a solution 

Thanks
Paul

[SilverSolder]

"You may lose access to some of your third-party apps"   on what device / OS,  and why?

[PKTKS]

"You may lose access to some of your third-party apps"   on what device / OS,  and why?

ops sorry not to post that ...

but by now every google user received or will receive their broadcast email warning with these titles..

On May 30, you may lose access to apps that are using less secure sign-in technology

A simple google search with this title tells that several  email clients as Outlook 2006, thunderbirds as well... and others will not be able to access gmail..

I was wondering if mail transport agents will be penalized with this paranoid settings  as well

I use fetchmail to organize things for decades...
Paul

[SiliconWizard]

Yep, got the same.

From what I gathered, third-party apps *should* still be usable if they implement OAuth 2.0. Note the *should* - as what Google will actually enforce is not crystal clear at this point.

I don't know how difficult it is to add OAuth 2.0 and what exactly are the implications (meaning: what kind of applications just could never implement it?)

[PKTKS]

Yep, got the same.

From what I gathered, third-party apps *should* still be usable if they implement OAuth 2.0. Note the *should* - as what Google will actually enforce is not crystal clear at this point.

I don't know how difficult it is to add OAuth 2.0 and what exactly are the implications (meaning: what kind of applications just could never implement it?)

geez for automated email transport agents  which does not and never will use those captchas and ati-robots paranoias...  i guess... never... 

They exist for the purpose of automation .. so far the challenge response authentication was enough for POP and IMAP...

WTF  now ?

Paul

[SilverSolder]

Making life more difficult and/or more expensive, one step at a time, seems to be the story of information technology over the last 10 years...

[magic]

I have never done that but there is supposedly OAuth support in some mail clients like Thunderbird.

Depending on the level of support in the application, it seems you will either need to log in to Goolag's web interface, generate some magic keys manually and put them in the application's config, or the application may pop up a web browser window asking you to log in to Goolag and handle all the key exchange behind the scenes with a single click.

Not sure what stops the application from trying to phish you
Hopefully it's not a problem with a desktop mail client.

[pqass]

Don't everyone get yer panties in a bunch.   

I got the same email this morning.  Just log-on to your Google account, change your security setting to 2-Step and then create an App Password for "mail".   It will generate a random 16-alphanumeric password for you. Dump that in your .fetchmailrc in place of your old password.  Works for me.

https://support.google.com/accounts/answer/185833?hl=en

EDIT: You'll need to create another App Password (use: "Other (custom name)" then name it) for the SMTP (outbound) mail.

[janoc]

Don't everyone get yer panties in a bunch.   

I got the same email this morning.  Just log-on to your Google account, change your security setting to 2-Step and then create an App Password for "mail".   It will generate a random 16-alphanumeric password for you. Dump that in your .fetchmailrc in place of your old password.  Works for me.

https://support.google.com/accounts/answer/185833?hl=en

I was just going to write this but you were faster.

The e-mail concerns only applications that use your gmail login/password for accessing your e-mail.

For those all you have to do is to generate the app password if you didn't already. That is unique for each app - so even if one app gets compromised, your account doesn't. Also app passwords allow only e-mail access but not other things normal GMail login does - e.g. GDrive, Youtube, etc.

This works completely fine in desktop e-mail clients like Thunderbird or fetchmail since years.

Nobody is going to implement OAUTH 2.0 in automated tools like fetchmail - that requires logging in through the web site and going through the rather complex authentication flow to obtain a token that has to be given to the server on each access in lieu of login/password.

It is more secure because unlike passwords, the tokens are temporary, unique to each session, easily revocable and likely generated after the user has been authenticated with 2 factor authentication (you do have that set up right?) - but also very impractical to retrofit to older tooling that doesn't use the http protocol.

[magic]

Just log-on to your Google account, change your security setting to 2-Step and then create an App Password for "mail".

Just turn on another pile of idiocy and you will be happy
Plus they say "app passwords" are not recommended, so guess what's next to go the way of the dodo.

Nobody is going to implement OAUTH 2.0 in automated tools like fetchmail - that requires logging in through the web site and going through the rather complex authentication flow to obtain a token that has to be given to the server on each access in lieu of login/password.

Wrong.
http://mmogilvi.users.sourceforge.net/software/oauthbearer.html

[pqass]

Just turn on another pile of idiocy and you will be happy
Plus they say "app passwords" are not recommended, so guess what's next to go the way of the dodo.

Of course they would say that!  They won't be happy until only Google/Facebook/Apple are allowed to authenticate you. By taking it out of their hands entirely, it guarantees users can only use hard passwords.  Nevertheless, said can is down the road a few more years.

[magic]

More info on how to implement OAuth in native clients and recommended "best practices".
Quite an entertaining read, particularly section 8.12

https://datatracker.ietf.org/doc/html/rfc8252

[Rick Law]

I too am planning action to deal with this "You may lose access to some of your third-party apps..."

Now that I am retired, email is the only "app" I need from google.  Currently, gmail is hosting my domain's email.  I pickup email using SSL POP and send using SMTP via older outlook with mere logon password security.    My domain has about a dozen email ID/logons.

I am thinking best to do is to move my MX and use another service to host my domain's email.  Anyone has a suggestion on a low cost mail host with SSL POP and SMTP capability?  Ability to manage the domain's email accounts is necessary.  Mere single digit gb storage (for the entire domain) is plenty just to store mail until pickup by outlook.

Thanks for any suggestion.

[PKTKS]

I too am planning action to deal with this "You may lose access to some of your third-party apps..."

Now that I am retired, email is the only "app" I need from google.  Currently, gmail is hosting my domain's email.  I pickup email using SSL POP and send using SMTP via older outlook with mere logon password security.    My domain has about a dozen email ID/logons.

I am thinking best to do is to move my MX and use another service to host my domain's email.  Anyone has a suggestion on a low cost mail host with SSL POP and SMTP capability?  Ability to manage the domain's email accounts is necessary.  Mere single digit gb storage (for the entire domain) is plenty just to store mail until pickup by outlook.

Thanks for any suggestion.

Me too and that having any alternative would be great..

Problem is ... these couple of mega corps are acting and grouping more like a guild

And a kind of guild I have never seen.. close to the financial guilds or even more specialized.

We just can not run from them .. having our social financial private and even health data into their total surveilled eyes... 

The folks for sure even have their guild own representatives law makers w/ their agendas..
Which ultimately are privatizing the Internet as we know it...

Alternatives are urgently required..

Paul

[SilverSolder]

It's not that hard to find an email provider, or even run an email server yourself if you like?

[tggzzz]

The last time I tried using the new mechanism, it worked in the simple case but failed dismally in my use case.

Key points:

• seamonkey/thunderbird
• IMAP, with local copy and copy left on server
• extensive use of gmail labels, which appear as folders in seamonkey/thunderbird

I could login to the inbox as expected, but each time I changed to a different folder (i.e. label), I had to login again. Aargh!

Has anyone else experienced that?
What's the workaround?

[PKTKS]

It's not that hard to find an email provider, or even run an email server yourself if you like?

I already rumn my own mail servers internally  but the problem is the totality of accounts i have are already set with my gmail account

So..  instead of going against the flow.. my internal servers just relay the accounts to  qmail...

We just can not run that easy from such guild privatizing the base internet services

Paul

[MuseChaser]

Protonmail.com

/thread

[PKTKS]

Protonmail.com

/thread

That was a nice addition... 

Paul

[SiliconWizard]

I have never done that but there is supposedly OAuth support in some mail clients like Thunderbird.

Depending on the level of support in the application, it seems you will either need to log in to Goolag's web interface, generate some magic keys manually and put them in the application's config, or the application may pop up a web browser window asking you to log in to Goolag and handle all the key exchange behind the scenes with a single click.

I have one Google mail account that I access through Thunderbird using OAuth 2.0. It works fine. Problem is, there is indeed a pop up window, but not everytime you connect. Apparently just the first time you connect with a particular application on a particular device. I had to do this only once that I can remember, when I set up the account.

I don't know the details of OAuth enough to understand how that really works. But that could certainly be annoying/or even unworkable with some fully automated tools.

Of course, the wisest move would probably just to get rid of anything Google.

[tggzzz]

I have one Google mail account that I access through Thunderbird using OAuth 2.0. It works fine. Problem is, there is indeed a pop up window, but not everytime you connect. Apparently just the first time you connect with a particular application on a particular device. I had to do this only once that I can remember, when I set up the account.

Could you do me a favour and try that with gmail labels, which appear as folders in the thunderbird/seamonkey email client.

I've had problems with that, as per https://www.eevblog.com/forum/networking/you-may-lose-access-to-some-of-your-third-party-apps/msg4049557/#msg4049557

Thanks in advance

[magic]

I don't know the details of OAuth enough to understand how that really works. But that could certainly be annoying/or even unworkable with some fully automated tools.

1. The application sends you to Google login page with some magic URL parameters.
2. You log in, Google generates a magic code ("refresh token") which it prints on the screen for you to type into the application or uses some MalwareScript to transfer it from the browser to the application over http://127.0.0.1/ or similar means.
3. The application sends some HTTP requests with the refresh token to obtain an access token valid for a short time each time it needs to do something.
4. Google may revoke the refresh token and any derived access tokens when you change your account password, revoke Thunderbird access or if it simply feels like doing so.

It's not even a bad scheme, but the implementation is kinda stupid because it's designed solely with idiots in mind and built on all those webshit technologies. In particular, nothing stops the application from showing you something that looks like a browser but is not a browser, taking your password and using it to handle conversion into refresh tokens fully automatically. Or using that password for some other purposes. There may be captcha on Google login page to prevent the former at least. It would also be nice to have a simple UI for manually generating such tokens for applications that don't fully support all that HTTP/OAuth nonsense.

If something goes wrong and you get a new login request each time you view a different directory, have fun debugging it
Maybe Thunderbird forgets its tokens or screws something, maybe GMail is buggy and revokes the token.
Try customer support

[Rick Law]

It's not that hard to find an email provider, or even run an email server yourself if you like?

I already rumn my own mail servers internally  but the problem is the totality of accounts i have are already set with my gmail account

So..  instead of going against the flow.. my internal servers just relay the accounts to  qmail...

We just can not run that easy from such guild privatizing the base internet services

Paul

I used to run my own email server.  I was about to switch back to my own server during the virus crisis, but then it occur to me: if I kick the bucket, there would be no one to support the system and within weeks, my family's email (and home server) would be running into difficulties. 

Virus or no virus, I have long since reached retirement age.  Not waking up is a distinct possibility and the probability is only increasing as the clock ticks.  So, I begun re-organizing my home systems to minimize dependence on my being here.  Don't get me wrong, I don't have a dark outlook in life.  I am happy to be around - but I am just being realistic.

[PKTKS]

I used to run my own email server.  I was about to switch back to my own server during the virus crisis, but then it occur to me: if I kick the bucket, there would be no one to support the system and within weeks, my family's email (and home server) would be running into difficulties. 

Virus or no virus, I have long since reached retirement age.  Not waking up is a distinct possibility and the probability is only increasing as the clock ticks.  So, I begun re-organizing my home systems to minimize dependence on my being here.  Don't get me wrong, I don't have a dark outlook in life.  I am happy to be around - but I am just being realistic.

Nothing odd about that..

I run the internal servers several decades straight..
And having them relaying all external accounts is like having the grunt part delegated..

kinda hope for the best prepare for the odds..

Even if their greed change things ahead I have the whole thing locally and switch  the delegated part...

Worked fine so far..

but these latest paranoid settings are not good..

Paul

[Ed.Kloonk]

Protonmail.com

/thread

That was a nice addition... 

Paul

Dangerous. Single point of failure.

Be careful.