Thanks for your very detailed answer. You make many valid points, but to summarize, I understand that you suggest I set up an app password and that may be what I'll have to do.
BUT, as far as I've read, there IS a connection between the 2fa and app passwords settings. The Google support site says:

On the "Signing in to Google" panel, choose App Passwords. If you don't see this option:
- 2-Step Verification is not set up for your account.
- 2-Step Verification is set up for security keys only.
- Your account is through work, school, or other organization.
- You've turned on Advanced Protection for your account.

So setting this up may force me to use 2-factor to access other things, such as Google Drive. Just to be clear, I do not keep any sensitive data on Drive, so I really don't care if it's secure, and adding 2-factor will be really inconvenient if it forces me to have my phone handy any time I want to access Drive on my desktop computer.

BTW - concerning your mention of being out of the country, etc., that's certainly not the problem in these crazy Covid-19 days :-(. And I do not use Tor or a VPN to access mail on Gmail or Claws.

On Sun, Apr 26, 2020 at 12:50 AM Ori Berger <linux...@orib.net> wrote:
>
> On 25/04/2020 22:22, shlomo solomon wrote:
>
> > Google/Gmail has decided to drive me crazy and I hope someone can help.
> >
> > 5 - to allow this, I have Gmail set up to allow POP access and my Google account set up to allow "Less secure app access" (Google-speak for anything not provided or controlled by Google).
>
> No, that's not what allowing "Less secure app access" means.
>
> It used to be, that you had one password to an account (say, your gmail account), and knowing that password would automatically give every permission to whoever provided it. But as more and more things need to interface these things today, it is now common to break the security such that:
>
> a) There is still indeed one main account password (potentially aided by a 2nd factor), however ...
>
> b) That account password is ONLY used with the main interface - in Google's case, the "accounts.google.com" domain; and that once you log in there
>
> c) You can delegate specific, limited access to different applications through that interface.
>
> Now, as long as you're within the Google system (e.g. YouTube, Calendar, Hangouts, etc.), this is all handled internally. But as soon as you exit that system, e.g. by using Thunderbird or Claws, you have some friction with the delegation step (c).
>
> One way supported by Google (and Facebook, and Apple, and others) is OAuth2 - that app makes a request to Google for specific permissions; you log in to accounts.google.com (after being redirected into it by that app), and Google asks you to approve the specific permissions requested by that app or website. If you do, that app/site gets a "token" (for all practical purposes, a username+password for that app/site uniquely generated for that approval process) that they can use, but that is limited to exactly those permissions that the app requested and that you approved. Thunderbird has a "Google" connector these days which does exactly that.
>
> For older applications which do not support OAuth2, you can just go in and generate an "App specific password" and specify those permissions yourself; that's what you need to do for Claws. What you get is a password that (assuming you asked for smtp/imap access) only works for smtp/imap, and cannot be used to e.g. log into the Gmail web applications and set up new forwards/filters. I do not know, but I suspect, that they expect this password to be strictly used by one app - e.g., I expect them to reject it if one day they see it being used from Claws and the next day by Outlook; this information is sometimes available directly in the protocol itself - e.g. Claws and Thunderbird put a "User-Agent" mime header when they send a message - and is sometimes inferred - e.g., if you have an X-MS-TNEF header, it's Outlook.
>
> The rationale behind this system is not to give Google more control (it's not like you previously could add forwarding setup through imap/pop3) - but rather to limit the probability that your main, all-powerful, password would leak from systems like Thunderbird or Claws or PEBKAC which Google cannot directly secure. (There is, of course, a very businessy reason here as well - sites like LinkedIn and Facebook used to ask you for your mail username/password, "so we could make it easier for you to see who of your contacts is in our system and send them invites", which is a bad idea for everyone involved except LinkedIn/Facebook - especially Google who competes with them; the speed bump and warning "they can READ YOUR MAIL" significantly decreased the viability of this spying method, to the point that LinkedIn and Facebook dropped it - opting instead to ask for those permissions on their mobile app.....)
>
> So, disabling "less secure app access" basically means "I will only use my main google password on the google web site, not in any other way", which is generally good for you.
>
> > BUT, in the past few weeks, Gmail has randomly refused to let Claws access my mail. Sometimes this lasts for a short time and sometimes for hours or even a day or more.
> >
> > The Claws log shows:
> >
> > * Account 'GMail': Connecting to POP3 server: pop.gmail.com:995...
> > [21:49:25] POP< +OK Gpop ready for requests from 89.237.110.180 s20mb165349719wra
> > [21:49:25] POP> USER shlomo.solo...@gmail.com
> > [21:49:25] POP< +OK send PASS
> > [21:49:25] POP> PASS ********
> > [21:49:25] POP< -ERR [AUTH] Web login required: https://support.google.com/mail/answer/78754
> > *** error occurred on authentication
> > *** Authentication failed.
>
> I have experienced this before several times, and 95% of the time it is when I am outside Israel, which likely triggers the Google hacking/fraud detection system, as I am using an IP that doesn't fit my standard usage profile. If you have changed your ISP recently, either your home or mobile, or occasionally use a VPN or Tor and have used your account in a non-standard (for you) context, that is a likely cause.
>
> Gmail accounts are highly sought by spammers as they have virtually no deliverability problems, and thus creating or stealing Google accounts is continuously attempted on a mass scale; Google spends a lot of effort fighting against this, and they have more false hacking positives than ideal, especially for people outside the Win+Chrome norm such as yourself.
>
> > The only thing I HAVE NOT tried (because I'm afraid it will make things worse rather than better) is to set up two-factor authentication and use an app password - I also have no idea how this works (or doesn't work) in Claws mail.
>
> Last I used it, the 2fa and app passwords were independent settings; you should be able to disable "less secure app access" and set up application specific passwords without setting up 2fa. Once it works, it's actually better - generate an app password for e.g. your phone, and one for your laptop, and if one of them is lost you can revoke only that one -- while at the same time, be sure that even if you didn't revoke it in time, and a bad actor was able to retrieve the password from your mail program before you realized the device was lost -- they still could not use that app password to change your main password and lock you out from your account, or other bad things - only read/send mail (which is bad enough, granted, but not nearly as bad).
>
> > And as I wrote above, after a while, the problem solves itself.
> >
> > And one more thing - I have additional Gmail accounts with the same setup and Gmail DOES allow Claws mail access, while denying access to my main account. So that's also weird.
>
> No specific knowledge, but my inference is that Google has a "probable use profile" for every account, which includes a list of devices, browser versions, geographical locations, ISPs, times of day, distribution of emails replied per day, distribution of emails originated per day, average number of new contacts/addresses per day, etc. -- that's useful both for targeted advertising and to figure out if the account has been hacked. For whatever reason, if my model is right then, from your description, this specific account seems to occasionally step outside of its "probable use profile" - either because of things *you* do (such as VPN, Tor, travel, etc.) or because it's on the model's boundary all the time but *Google* tweaks some parameters (as they do often) and sometimes you end up on the improbable side.
>
> Additionally, you wrote you're forwarding *out* of Google and into your own domain - from what I gather, this should be fine. However, if you also have a catchall (or otherwise many accounts) that forward *into* a google account, I suspect based on my previous research that this would push you toward the hacked/spammer/improbable category.
>
> And last but not least - do not assume that no one is trying to hack into your account. It's possible that Google's hacking detection was actually triggered by a hacking attempt you are not aware of, and that they ask you to do a web login because they have much better control and authentication on that front.
>
> _______________________________________________
> Linux-il mailing list
> Linux-il@cs.huji.ac.il
> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
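As an added example (not code from the thread, from Claws or from Google), here is a replay of the POP3 exchange from the quoted Claws log against a scripted stand-in for pop.gmail.com, showing how a mail client can tell Gmail's "Web login required" refusal apart from an ordinary bad password and surface the support URL. The server lines are constructed copies of the log; the user and password values are placeholders.

```python
import re
class WebLoginRequired(Exception):
    """Gmail rejected USER/PASS and demands an interactive web login."""
    def __init__(self, url):
        super().__init__(f"web login required: {url}")
        self.url = url

class AuthFailed(Exception):
    """Any other -ERR during the login exchange (e.g. wrong password)."""

class ScriptedServer:
    """Stand-in for pop.gmail.com:995 that replays constructed replies; no network."""
    def __init__(self, replies): self.replies = list(replies)
    def readline(self): return self.replies.pop(0)
    def sendline(self, line): pass  # the replay ignores what the client sends

WEB_LOGIN_RE = re.compile(r"^-ERR \[AUTH\] Web login required: (\S+)")

def pop3_login(conn, user, password):
    """Greeting -> USER -> PASS; returns the +OK line or raises WebLoginRequired/AuthFailed."""
    if not conn.readline().startswith("+OK"):
        raise AuthFailed("server not ready")
    conn.sendline(f"USER {user}")
    reply = conn.readline()
    if not reply.startswith("+OK"):
        raise AuthFailed(reply)
    conn.sendline(f"PASS {password}")
    reply = conn.readline()
    if reply.startswith("+OK"):
        return reply
    m = WEB_LOGIN_RE.match(reply)
    if m:
        raise WebLoginRequired(m.group(1))   # distinct from a bad password
    raise AuthFailed(reply)

# Server lines copied from the Claws log in the thread (constructed replay).
LOG_REPLIES = [
    "+OK Gpop ready for requests from 89.237.110.180 s20mb165349719wra",
    "+OK send PASS",
    "-ERR [AUTH] Web login required: https://support.google.com/mail/answer/78754",
]

def classify(replies, user="user@example.com", password="app-password"):
    """Return ('ok', line), ('web_login', url) or ('auth_failed', line)."""
    try:
        return ("ok", pop3_login(ScriptedServer(replies), user, password))
    except WebLoginRequired as e:
        return ("web_login", e.url)
    except AuthFailed as e:
        return ("auth_failed", str(e))
```

A client that reacts this way can point the user at the web login (or at switching to an app password) instead of retrying the same password and adding more failed logins to the account's profile.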