Community Discussions and Support
Gmail, OAuth, and "Less secure" apps

I've been trying to understand the ramifications of Google's drive towards OAuth. I'm still a Eudora user, and I've been looking for alternatives, including Pegasus and Pandora.


No one could accuse Google of trying very hard to describe the upcoming May 30 changes consistently, or with clarity. In common with many, including David, I took their warnings to indicate that OAuth will become mandatory.


However a closer reading of at least some of their help pages does not support that conclusion. Look for example at https://support.google.com/accounts/answer/6010255


I think it's quite reasonable to conclude from the above that 1) turning on 2-Step Verification, and 2) creating app-specific passwords will be sufficient.


Naturally all will become clear in 2 weeks, and perhaps we'll all lose access then, but maybe there is some light at the end of this particular depressingly poorly documented tunnel?


I will say that I don't see why having Google accept an app-specific password instead of the one I used to use provides any security benefit whatsoever. But there again maybe I was atypical by already using a long randomized password.


edited May 18 '22 at 10:04 pm

I think most folks here agree with you wholeheartedly. Several have commented that their app password is less complex than what they previously had.


You are also correct that Google has not been very clear about their enforcement of OAuth2. Their email to users about losing access to third-party apps contained the following suggestions.


> To continue using your Google Account with this app or device:
> • App - Remove your Google Account from the app or device and sign in again using Sign in with Google
> • Device - Change your device's settings so you're using more secure sign-in technology


There is no reference to an app password, yet I have not been able to find any indication that Google is doing away with app passwords. I found the opposite, as you found. For now, an app password appears to be the answer to keeping Pegasus Mail working with GMail. How long Google will support app passwords is unknown. That is a concern.



I've seen the various recent messages about using an app password to enable Pegasus Mail's ongoing access to GMail after Google's insistence on using OAuth2 after the end of May, but it's not at all clear to me how to go about configuring an app password both on GMail and in Pegasus Mail.


Is there a kind person (or persons) out there who could provide a step-by-step idiots' guide to configuring GMail and Pegasus Mail to use an app password so that I, and potentially a significant number of other PM users, will be able to continue to use PM in conjunction with GMail after the end of May?


Regards to all in the community, and (hopefully!) thanks in advance for any help that can be provided!


--
Martin Davies



Take a look at [Brian's post here](https://community.pmail.com/index.php?u=/topic/11571/connecting-to-my-account-at-gmail-com/1#post-53490).

Michael
--
IERenderer's Homepage
PGP Key ID (RSA 2048): 0xC45D831B
S/MIME Fingerprint: 94C6B471 0C623088 A5B27701 742B8666 3B7E657C

https://support.google.com/accounts/answer/185833?hl=en
And then you simply use the app password instead of your Google password in PMail.


Here I found a good step-by-step instruction:
https://devanswers.co/create-application-specific-password-gmail/



Pegasus v4.81 Beta

edited May 18 '22 at 2:50 pm

I admit to not having dived into the topic.
But now I seem to understand that the problem appears ONLY if YOUR mail host is Google?
Could someone confirm if this is correct?


edited May 19 '22 at 2:36 pm

I have heard Google, Yahoo, and Microsoft. Google has been our emphasis because of their May 30 deadline and their "security assessment" requirements in order for an OAuth2 implementation to work in Pegasus Mail. For now, only folks with gmail accounts need to understand the implications of their May 30 deadline for stopping support of what they consider less secure apps.



> For now, only folks with gmail accounts need to understand the implications of their May 30 deadline for stopping support of what they consider less secure apps.



Unfortunately, this may not be correct. Users of non-Gmail accounts hosted by Google may be most impacted.


If you have an "@gmail.com" account, you will probably, at least for now, be able to continue to use it with Pegasus Mail by (1) enabling "two-step verification" in your Google account settings for that account, and then (2) requesting an "app password". Note that you don't actually have to go through the two-factor authentication every time Pegasus Mail connects to Google's servers, only once when you set up the app password to enter in Pegasus Mail and/or other e-mail clients. Google has been less than clear, has made no commitments, and can do whatever it wants, whenever it wants. But it appears that, at least for now, this will remain an option.

But many other organizations and companies outsource hosting of their email (using their own domains) to Google. So your "foo@bar.org" accounts might actually be hosted by Google. These accounts are subject to the same Google procedures. But for these accounts, whether 2-factor authentication is enabled (which Google has made a prerequisite for app passwords) is set by the domain administrator (for e.g. the "bar.org" account with Google), not the individual user. Individual users may have little ability to persuade their organization or company to change its domain-level Google settings just to enable them to use Pegasus Mail or other third-party e-mail clients with their organizational e-mail addresses.


You might be able to forward all e-mail from a Google-hosted account to another account, and then use Pegasus Mail or many other clients to access that other account. This option is among the suggestions in a long Hacker News discussion thread on this topic:
https://news.ycombinator.com/item?id=31420433


But this will fail if you need to send e-mail from that Google-hosted address. (You could send e-mail as though from that address without going through Google's SMTP servers, but it would fail SPF and DKIM, causing it to be rejected as presumptively spam with forged headers).


It's possible that Google doesn't intend its policy change to apply to standalone POP/SMTP/IMAP clients. Even if that wasn't Google's original plan, it might be possible to lobby Google to make such an exception.


Lobbying of Google will be most effective if it involves users and developers of other e-mail clients.


Mozilla has implemented OAuth2 in Thunderbird. Probably they can afford the audit fee:
https://support.mozilla.org/en-US/questions/1369790


Another widely-used third-party client is K-9, perhaps the most widely-used open-source POP/IMAP/SMTP client for Android. As with Pegasus Mail, the focus of K-9 development is on OAuth2 for Google:
https://forum.k9mail.app/t/the-plan-for-k-9-mail-6-200/4590



> With large email providers making it hard to impossible to use password authentication, the sole focus for the next stable version will be to turn K-9 Mail into what the providers like to call a "more secure app". The hope is that this focus on just one new feature will mean that the next stable version can be released rather soon.



I wonder if K-9 is paying for a Google-approved audit, or has run into the same cost problem as Pegasus Mail? It might be worthwhile for the Pegasus Mail team to contact the K-9 developers.


I hope these suggestions are of some use to the Pegasus Mail team and other users of Pmail and other e-mail clients.


edited May 19 '22 at 10:21 pm

Thanks for the thorough explanation.
What a mess, what hubris on Google's side. Sad.


OTOH, I'm glad my assumption holds, as my hoster is a German company with its own data center...

