jaugustine wrote:
> I logged into my email account at Yahoo's web site, selected
> "Account Information", Turned on, "Allow apps that use less secure
> sign in...".
>
> That "worked".
>
> Note: Since this email source (Yahoo) is less important than my
> "main" email source, "less secure" doesn't bother me.

Any e-mail client that does not support OAUTH2 is considered insecure by
Google (and other e-mail providers that were lemmings and followed
Google). This is because Google got involved in OAUTH1 but ruined it in
OAUTH2 (by making it easier but less secure than version 1 and also
incompatible with version 1).
https://en.wikipedia.org/wiki/OAuth#OAuth_2.0

OAUTH2 is not a protocol. It is a framework, which is why anyone
implementing it may come up with their own proprietary protocol. OAUTH2
became not a security protocol for your connection to their server but
instead a means of identifying (aka fingerprinting) who is connecting to
their server (i.e., authentication via identity versus authentication via
credentials). It's not about securing you. It's about securing them.

One of the primary authors involved in OAUTH1 left the OAUTH2 project
because he was disgusted at how Google mangled the spec for their own
purposes. Here's a video of the main OAUTH editor, Eran Hammer, until
Google got in the way. He apologizes in a video for the fuckup that
became OAUTH2 and why it sucks:
https://vimeo.com/52882780
(gee, I wonder why this video isn't at Google's Youtube)

Other e-mail providers embraced OAUTH1 or decided to naively follow
Google and went to OAUTH2. That means you cannot use a local e-mail
client unless it supports OAUTH2. If your client does not support
OAUTH2, and as with G[oogle]Mail, you need to go into Yahoo's
server-side settings in your account to disable the wrongly described
option "allow insecure client". You need to configure your account to
allow an "insecure" client to connect using their insecure OAUTH2 protocol.