On Thursday 25 Jun 2015 16:13:35 Grant Edwards wrote:
> On 2015-06-25, Ben Fitzgerald <benfi...@gmail.com> wrote:
> > I recently updated my google preferences and limited set "allow
> > unsecure apps" to "off".
> >
> > Later I tried to login to gmail with mutt and found it no longer
> > worked as imap attempted AUTHENTICATE PLAIN over port 993 (SSL).
> >
> > I'm a little confused about why google consider this unsafe.
>
> Ah, I think you've misunderstood what Google means by "secure".
>
> Consider the usage "the prisoner is secure, sir!"
>
> It means "closed, shut, locked, under control". As in closed, shut,
> and locked _by_Google_, and 100% under control _of_Google_.
>
> Mutt has not been "secured" by Google, therefore it is not secure.
>
> 1/2 ;)
>
> I still use Google for e-mail, because it sucks less than all the
> other options I've tried...
Yes, I think Grant is right, but there may be more to it ...

After some googling, but please correct me if I got it wrong, I came to the conclusion that Google considers a single-step authentication insecure. Since mail clients typically use a username + passwd they will be deemed as "less secure".

If you use a 2-step authentication you will need to create an "application specific password" as described here:

https://support.google.com/mail/answer/1173270?hl=en

then use this in mutt accordingly:

set imap_pass = "GOOGLE_APPLICATION_PASSWORD"
set smtp_pass = "GOOGLE_APPLICATION_PASSWORD"

I suspect that this approach will no longer cause a problem if "Access for less secure apps" is turned off.

If however it still blocks login by mutt, then Google will expect that the mail client complies with XOAUTH2:

https://developers.google.com/gmail/oauth_overview

So the question probably is: Does mutt comply with XOAUTH2 and will it send OAuth 2.0 Access Tokens to the server?

A paragraph in the above link states:

"As long as these libraries support the Simple Authentication and Security Layer (SASL), they should be compatible with the SASL XOAUTH2 mechanism supported by Gmail."

I suspect that "secure" mobile client apps use the Google API directly with OAuth 2.0 Access Tokens when they authenticate with Gmail/Calendar/etc. but I haven't looked into it any more than this.

-- 
Regards,
Mick
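As an added illustration of the SASL XOAUTH2 mechanism Mick's reply points at (example code, not from this thread and not mutt's own implementation): the initial client response an IMAP client sends over the TLS session on port 993 is a base64 blob wrapping the user and a bearer token, and a validator can check that shape. The user name, token and function names below are constructed placeholders.

```python
import base64

# Constructed sample credentials; not real Google values.
SAMPLE_USER = "someuser@example.com"
SAMPLE_TOKEN = "ya29.constructed-sample-access-token"


def build_xoauth2_response(user: str, access_token: str) -> str:
    """Return the base64 initial client response for SASL XOAUTH2.

    Wire form before base64: "user=" user ^A "auth=Bearer " token ^A ^A,
    where ^A is the 0x01 control byte.
    """
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def parse_xoauth2_response(b64: str) -> dict:
    """Decode an XOAUTH2 initial response and enforce its structure.

    Raises ValueError on anything that is not exactly the expected
    shape, so a validator rejects malformed or truncated responses.
    """
    raw = base64.b64decode(b64, validate=True).decode("utf-8")
    if not raw.endswith("\x01\x01"):
        raise ValueError("missing terminating ^A^A")
    fields = raw[:-2].split("\x01")
    if len(fields) != 2:
        raise ValueError("expected exactly two ^A-separated fields")
    user_kv, auth_kv = fields
    if not user_kv.startswith("user=") or not auth_kv.startswith("auth=Bearer "):
        raise ValueError("unexpected field names")
    return {"user": user_kv[len("user="):],
            "token": auth_kv[len("auth=Bearer "):]}


def is_valid_xoauth2_response(b64: str) -> bool:
    """Boolean wrapper around parse_xoauth2_response for quick checks."""
    try:
        parse_xoauth2_response(b64)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def imap_authenticate_line(tag: str, user: str, access_token: str) -> str:
    """The single IMAP command (with SASL initial response) the client sends."""
    return f"{tag} AUTHENTICATE XOAUTH2 {build_xoauth2_response(user, access_token)}"
```

The bearer token in that line is a credential in its own right, so it belongs in the TLS session only, never in mutt's debug log or a pasted config.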