* Mick <michaelkintz...@gmail.com> [2015-06-25 17:07:37]:

> On Thursday 25 Jun 2015 16:13:35 Grant Edwards wrote:
> > On 2015-06-25, Ben Fitzgerald <benfi...@gmail.com> wrote:
> > > I recently updated my google preferences and limited set "allow
> > > unsecure apps" to "off".
> > > 
> > > Later I tried to login to gmail with mutt and found it no longer
> > > worked as imap attempted AUTHENTICATE PLAIN over port 993 (SSL).
> > > 
> > > I'm a little confused about why google consider this unsafe.
> > 
> > Ah, I think you've misunderstood what Google means by "secure".
> > 
> > Consider the usage "the prisoner is secure, sir!"
> > 
> > It means "closed, shut, locked, under control".  As in closed, shut,
> > and locked _by_Google_, and 100% under control _of_Google_.
> > 
> > Mutt has not been "secured" by Google, therefore it is not secure.
> > 
> > 1/2 ;)
> > 
> > I still use Google for e-mail, because it sucks less than all the
> > other options I've tried...
> 
> Yes, I think Grant is right, but there may be more to it ...
> 
> After some googling, but please correct me if I got it wrong, I came to the
> conclusion that Google considers a single step authentication insecure.
> Since mail clients typically use a username + passwd they will be deemed as
> "less secure".
> 
> If you use a 2 step authentication you will need to create an "application 
> specific password" as described here:
> 
>  https://support.google.com/mail/answer/1173270?hl=en
> 
> then use this in mutt accordingly:
> 
> set imap_pass = "GOOGLE_APPLICATION_PASSWORD"
> set smtp_pass = "GOOGLE_APPLICATION_PASSWORD"
> 
> 
> I suspect that this approach will no longer cause a problem if "Access for 
> less secure apps" is turned off.
> 
> If however it still blocks login by mutt, then Google will expect that the 
> mail client complies with XOAUTH2:
> 
>  https://developers.google.com/gmail/oauth_overview
> 
> So the question probably is:
> 
> Does mutt comply with XOAUTH2 and will it send OAuth 2.0 Access Tokens to the 
> server?
> 
> A paragraph in the above link states: 
> 
> "As long as these libraries support the Simple Authentication and Security 
> Layer (SASL), they should be compatible with the SASL XOAUTH2 mechanism 
> supported by Gmail."
> 
> I suspect that "secure" mobile client apps use the Google API directly with 
> OAuth 2.0 Access Tokens when they authenticate with Gmail/Calendar/etc. but I 
> haven't looked into it any more than this.
> 
> -- 
> Regards,
> Mick

I have just tested. It works.
In order to begin the game you have to switch on two-stage verification,
being in your Gmail account. After verification using a code sent to you via SMS
you are able to set application passwords. I have set three passwords,
for Thunderbird, for my old Galaxy phone and for mutt of course.
Setting the password for Galaxy Tab was not needed; during login a verification
code was sent via SMS, which means the original Gmail password is preserved.
And all three passwords work. This operation has to be done only once.
In the case of mutt you simply modify imap_pass.
So now we can say mutt is secure in the sense of Google two-stage verification.
I like it.

Andrzej
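
Added example, not part of the thread and not mutt's code: the two SASL initial responses discussed above, AUTHENTICATE PLAIN (RFC 4616) and Gmail's XOAUTH2, built and decoded side by side. Both are only base64-encoded, so TLS on port 993 is what protects them in transit; they differ in which secret the client has to hold. The account name, application password and token are constructed sample values.

```python
import base64

def plain_initial_response(user, password, authzid=""):
    """SASL PLAIN: authzid NUL authcid NUL passwd, base64-encoded for IMAP."""
    raw = f"{authzid}\0{user}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def xoauth2_initial_response(user, access_token):
    """SASL XOAUTH2: user=<u> ^A auth=Bearer <token> ^A ^A, base64-encoded."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def describe(mechanism, b64):
    """Decode a client response and report which kind of secret it carries."""
    raw = base64.b64decode(b64, validate=True).decode("utf-8")
    if mechanism == "PLAIN":
        parts = raw.split("\0")
        if len(parts) != 3:
            raise ValueError("malformed PLAIN response")
        return {"user": parts[1], "secret_kind": "password", "secret": parts[2]}
    if mechanism == "XOAUTH2":
        # Fields are separated by Ctrl-A (0x01); the token itself may contain '='.
        fields = dict(f.split("=", 1) for f in raw.split("\x01") if "=" in f)
        scheme, _, token = fields.get("auth", "").partition(" ")
        if scheme != "Bearer" or not token or "user" not in fields:
            raise ValueError("malformed XOAUTH2 response")
        return {"user": fields["user"], "secret_kind": "oauth2_access_token",
                "secret": token}
    raise ValueError(f"unsupported mechanism: {mechanism}")

if __name__ == "__main__":
    user = "someone@example.com"            # constructed sample account
    app_password = "abcd efgh ijkl mnop"    # constructed application password
    token = "ya29.CONSTRUCTED-TOKEN"        # constructed access token
    for mech, resp in (("PLAIN", plain_initial_response(user, app_password)),
                       ("XOAUTH2", xoauth2_initial_response(user, token))):
        info = describe(mech, resp)
        print(f"AUTHENTICATE {mech} {resp}")
        print(f"  carries {info['secret_kind']} for {info['user']}")
```

With PLAIN the decoded secret is the password itself (here an application password, valid until revoked); with XOAUTH2 it is an access token that expires and has to be refreshed by the client.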
