
gmail oauth2 authorization


root

Jun 2, 2022, 4:41:36 PM
I have been trying to authorize fetchmail via popserver.

The instructions provided by google for oauth2 authorization simply do not
work. My best guess is that they did work once - while password authorization
was possible - but now you have to get into your gmail account to authorize
your gmail account.

It has taken me 7.5 hours to confirm this.

For those interested you should read:

http://mmogilvi.users.sourceforge.net/software/oauthbearer.html

Chris Vine

Jun 2, 2022, 5:15:06 PM
Go to your google settings, choose 2 factor authentication and then get
an app password. Enter that app password in your fetchmailrc file.

Rinaldi

Jun 2, 2022, 5:39:23 PM
I can confirm this works. Seemed rather silly when I was doing it.

.fetchmailrc stanza:

poll pop.gmail.com with proto POP3 service 995
user '$USER' there with password '$PASSWD' is 'me' here ssl

rinaldi
--
Critic, n.:
A person who boasts himself hard to please because nobody tries
to please him. -- Ambrose Bierce, "The Devil's Dictionary"

root

Jun 2, 2022, 5:51:51 PM
Chris Vine <chris@cvine--nospam--.freeserve.co.uk> wrote:
> On Thu, 2 Jun 2022 20:41:34 -0000 (UTC)
> root <NoE...@home.org> wrote:
>> I have been trying to authorize fetchmail via popserver.
>
> Go to your google settings, choose 2 factor authentication and then get
> an app password. Enter that app password in your fetchmailrc file.

Could you please be more specific: I have chosen 2 factor authorization,
I have enabled it on my android phone. What I don't follow is
"get an app password".

BTW, during the process of enabling the android phone, it
says you can skip this on reliable devices (such as your computer)
but that is not true.

Thanks.

root

Jun 2, 2022, 6:05:11 PM
Rinaldi <r...@nunya.inv> wrote:
>
> I can confirm this works. Seemed rather silly when I was doing it.
>
> .fetchmailrc stanza:
>
> poll pop.gmail.com with proto POP3 service 995
> user '$USER' there with password '$PASSWD' is 'me' here ssl
>
> rinaldi

Thanks rinaldi, that's what I had before the oauth2 was enabled.
It no longer works for me.

root

Jun 2, 2022, 6:24:31 PM
Rinaldi <r...@nunya.inv> wrote:
> On 6/2/22 16:16, Chris Vine wrote:
>
> poll pop.gmail.com with proto POP3 service 995
> user '$USER' there with password '$PASSWD' is 'me' here ssl
>
> rinaldi

Rinaldi please note:
the oauth2 was supposed to start a few days ago. My name is
early in the alphabet and I was hit this morning. It may be
that your account, while now active, may be shut down soon.

To be on the safe side, try to enable oauth2 now while
you still have working account.

Bit Twister

Jun 2, 2022, 6:49:39 PM
Went through the google auth procedure to get app password.
logged into my google email account, brought to settings, show all
and set google mail to use imap. Configured it to do whatever the
client says to do with mail message.

installed dovecot on my system so I can use imap in claws-mail and
thunderbird apps. I did have to change my old google email login password
to new google app password.

Works for me. I did change from pop to imap.
# cat ~just_me/.fetchmailrc
#***************************************
# /accounts/just_me/.fetchmailrc
#***************************************

#********************
#* get any ISP email
#********************
poll "imap.gmail.com" with proto IMAP port 993
    user "just_...@gmail.com" there with password "16_digit_google_app_pw_here"
    is just_me here
    options
        ssl       # connect over SSL/TLS
        fetchall  # retrieve old and new ("seen" and "unseen") messages
        stripcr   # Strip carriage returns from ends of lines
        nokeep    # delete new messages after retrieval


#****************************
#* get any credit card email
#****************************

poll "imap.gmail.com" with proto IMAP port 993
    user "just_...@gmail.com" there with password "16_digit_google_app_pw_here"
    is just_me here
    options
        ssl       # connect over SSL/TLS
        fetchall  # retrieve old and new ("seen" and "unseen") messages
        stripcr   # Strip carriage returns from ends of lines
        nokeep    # delete new messages after retrieval


#*********** end accounts/hotmail/.fetchmailrc *******************

Did all the above for my
# grep mail /etc/passwd | wc -l
7
email accounts each of which runs fetchmail cron job hourly.

I also have a root cron which checks all linux mailboxes and
uses xmessage to tell me who needs to read any new mail.

With this setup there is no reason to log into gmail's email website.


Chris Vine

Jun 2, 2022, 7:19:47 PM
On Thu, 2 Jun 2022 21:51:48 -0000 (UTC)
root <NoE...@home.org> wrote:
> Chris Vine <chris@cvine--nospam--.freeserve.co.uk> wrote:
> > On Thu, 2 Jun 2022 20:41:34 -0000 (UTC)
> > root <NoE...@home.org> wrote:
> >> I have been trying to authorize fetchmail via popserver.
> >
> > Go to your google settings, choose 2 factor authentication and then get
> > an app password. Enter that app password in your fetchmailrc file.
>
> Could you please be more specific: I have chosen 2 factor authorization,
> I have enabled it on my android phone. What I don't follow is
> "get an app password".
>
> BTW, during the process of enabling the android phone, it
> says you can skip this on reliable devices (such as your computer)
> but that is not true.

Start up your browser on your slackware computer and go to google, click
on "Manage your google account", click on "Security", make sure you
have selected 2 factor authentication and look for the "App passwords"
entry, choose a name (which can be anything and is just something to
identify it for you) and generate a password. I use the same app
password for fetchmail, postmail and mailx.

I can't say what you have done wrong and your last paragraph makes
no sense. Just relax. It looks as if you are working yourself up.

Chris Vine

Jun 2, 2022, 7:21:19 PM
On Fri, 3 Jun 2022 00:21:03 +0100
Chris Vine <chris@cvine--nospam--.freeserve.co.uk> wrote:

> On Thu, 2 Jun 2022 21:51:48 -0000 (UTC)
> root <NoE...@home.org> wrote:
> > Chris Vine <chris@cvine--nospam--.freeserve.co.uk> wrote:
> > > On Thu, 2 Jun 2022 20:41:34 -0000 (UTC)
> > > root <NoE...@home.org> wrote:
> > >> I have been trying to authorize fetchmail via popserver.
> > >
> > > Go to your google settings, choose 2 factor authentication and then get
> > > an app password. Enter that app password in your fetchmailrc file.
> >
> > Could you please be more specific: I have chosen 2 factor authorization,
> > I have enabled it on my android phone. What I don't follow is
> > "get an app password".
> >
> > BTW, during the process of enabling the android phone, it
> > says you can skip this on reliable devices (such as your computer)
> > but that is not true.
>
> Start up your browser on your slackware computer and go to google, click
> on "Manage your google account", click on "Security", make sure you
> have selected 2 factor authentication and look for the "App passwords"
> entry, choose a name (which can be anything and is just something to
> identify it for you) and generate a password. I use the same app
> password for fetchmail, postmail and mailx.
^^^^^^^^
postfix

Chris Vine

Jun 2, 2022, 7:38:21 PM
Nonsense. Instead of encouraging others to go down your dead end
which you say you have spent 7.5 hours on, accept that what people have
told you is right and get yourself an app password. You will not get
fetchmail to work any more with gmail without it. If you want true 2
factor authentication then you need to use a client like evolution or
thunderbird, which support it.

root

Jun 2, 2022, 8:29:09 PM
FIXED fetchmail. Many thanks for that help, but mailx still does
not work.

When I got the Generated app password (set of four 4 character strings)
there was an email entry: secur...@gmail.com with a dotted out
password. Did that have meaning?

Mailx is not fetchmail, does it require its own app password?

What makes me ask is that the password entry in .mailrc
set mta=smtps://MYNAME:MYOLDP...@smtp.gmail.com:465

where the server and password is set for mailx doesn't work
with either old or new entries.

root

Jun 2, 2022, 8:43:11 PM
I was not saying that anything I did was right. I am saying that
yesterday Rinaldi's pop entry worked for me. Today it did not.
If you follow Google's instructions, you get to a point where
you can't access your account.

I only urged Rinaldi to get the oauth2 work done now.

I say here that your instructions for oauth2 DO WORK for
fetchmail.

Maybe you can show me your line in .mailrc which includes
the new 16 character password?

Bit Twister

Jun 2, 2022, 9:09:40 PM
On Fri, 3 Jun 2022 00:29:07 -0000 (UTC), root wrote:
> Chris Vine <chris@cvine--nospam--.freeserve.co.uk> wrote:
>>
>> Start up your browser on your slackware computer and go to google, click
>> on "Manage your google account", click on "Security", make sure you
>> have selected 2 factor authentication and look for the "App passwords"
>> entry, choose a name (which can be anything and is just something to
>> identify it for you) and generate a password. I use the same app
>> password for fetchmail, postmail and mailx.
>>
>> I can't say what you have done wrong and your last paragraph makes
>> no sense. Just relax. It looks as if you are working yourself up.
>
>
>
> FIXED fetchmail. Many thanks for that help, but mailx still does
> not work.

As I misunderstand it I thought mailx just reads your local system mail
box file and has nothing to do with outside the system mail.

Currently fetchmail sucks down any email and automagically sends to
my local username account mail and will be in /var/mail/local_user_login_here
.
easy enough to test for local mail for me by doing a
mail -s "local testshot" $LOGNAME < /dev/null
/var/mail/will have the testshot message and mail

I run Mageia Release 8 and mailx is linked to mail
$ ls -l /usr/bin/mailx
lrwxrwxrwx 1 root root 14 Feb 13 2020 /usr/bin/mailx -> ../../bin/mail


> When I got the Generated app password (set of four 4 character strings)
> there was an email entry: secur...@gmail.com with a dotted out
> password. Did that have meaning?
>
> Mailx is not fetchmail, does it require its own app password?
>
> What makes me ask is that the password entry in .mailrc
> set mta=smtps://MYNAME:MYOLDP...@smtp.gmail.com:465

Cannot help there I have no ~/.mailrc
going to guess the set mta command would be used to get user mail from
another system.

Again. fetchmail pulls down your email from gmail.com and should be in
your local mailbox. No need for the .mailrc to also use gmail.com

And Yes. any "insecure" app will have to provide your gmail id and 16 digit
application gmail password to access its mail server.

root

Jun 2, 2022, 9:26:56 PM
Bit Twister <BitTw...@mouse-potato.com> wrote:
> On Fri, 3 Jun 2022 00:29:07 -0000 (UTC), root wrote:
>>
>> FIXED fetchmail. Many thanks for that help, but mailx still does
>> not work.
>
> As I misunderstand it I thought mailx just reads your local system mail
> box file and has nothing to do with outside the system mail.

For me .mailrc configures my outgoing mail.
fetchmail works for incoming mail.

>
> Currently fetchmail sucks down any email and automagically sends to
> my local username account mail and will be in /var/mail/local_user_login_here

Yes, that is what happens for me.

> .
> easy enough to test for local mail for me by doing a
> mail -s "local testshot" $LOGNAME < /dev/null
> /var/mail/will have the testshot message and mail
>
> I run Mageia Release 8 and mailx is linked to mail
> $ ls -l /usr/bin/mailx
> lrwxrwxrwx 1 root root 14 Feb 13 2020 /usr/bin/mailx -> ../../bin/mail
>
>
>
> Cannot help there I have no ~/.mailrc
> going to guess the set mta command would be used to get user mail from
> another system.
>
> And Yes. any "insecure" app will have to provide your gmail id and 16 digit
> application gmail password to access its mail server.

Chris Vine said the one password worked for fetchmail,postfix,and mailx.
I need a peek at the correct line in his .mailrc.

Thanks for responding BT.

root

Jun 2, 2022, 9:37:12 PM
OK, all is well. Whereas the password with four strings
of four characters each separated by spaces works for
fetchmail, the spaces must be eliminated in .mailrc.

Just another google POS.

Bit Twister

Jun 2, 2022, 9:50:17 PM
On Fri, 3 Jun 2022 01:26:54 -0000 (UTC), root wrote:
> Bit Twister <BitTw...@mouse-potato.com> wrote:
>> On Fri, 3 Jun 2022 00:29:07 -0000 (UTC), root wrote:
>>>
>>> FIXED fetchmail. Many thanks for that help, but mailx still does
>>> not work.
>>
>> As I misunderstand it I thought mailx just reads your local system mail
>> box file and has nothing to do with outside the system mail.
>
> For me .mailrc configures my outgoing mail.
> fetchmail works for incoming mail.

HA ha. that would not work for me. I run a 3 node lan and batch jobs
send problems to me. gmail would not know my node's email address.

I use postfix as my MTA and if it cannot resolve the target address it
just forwards it to gmail.com from my node. For the other nodes I have
postfix configured to forward non-local email to my node.



> Chris Vine said the one password worked for fetchmail,postfix,and mailx.
> I need a peek at the correct line in his .mailrc.

Going to guess Chris configured postfix to be able to do the secret smtp
handshake with gmail's smtp server.




Bit Twister

Jun 2, 2022, 9:56:05 PM
Weird, when google gave me the app pw, I just pasted it into files
needing it. None of which have spaces.

Yours might have worked if password was enclosed with/in quotes.

root

Jun 2, 2022, 10:19:33 PM
Bit Twister <BitTw...@mouse-potato.com> wrote:
>
> Weird, when google gave me the app pw, I just pasted it into files
> needing it. None of which have spaces.
>
> Yours might have worked if password was enclosed with/in quotes.
>
Nope, I tried that. My wife found out that when she cut and
pasted the spaces disappeared. I just typed them as they
were shown.

root

Jun 2, 2022, 10:21:07 PM
Bit Twister <BitTw...@mouse-potato.com> wrote:
> Going to guess Chris configured postfix to be able to do the secret smtp
> handshake with gmail's smtp server.
>
Chris can clarify that. I know nothing about postfix, never used it.

Thanks for responding.

Bit Twister

Jun 2, 2022, 11:17:59 PM
It comes installed configured to run locally. There you configure it by
hand to do whatever features you want enabled. For instance I have 7
user email accounts. If they send to anyone from the command line
I have configured postfix to change the from/reply address to their
gmail address then forward it to gmail.com.

For anyone curious there is https://www.postfix.org/documentation.html

Chris Vine

Jun 3, 2022, 5:43:57 AM
For postfix it is very much like mailx: the generated google password
becomes the sasl/tls password, and it doesn't actually use 2 factor
authentication. Because my postfix setup has a default relay which is
not smtp.gmail.com and only uses smtp.gmail.com for email coming from a
gmail address, I also use postfix's sender dependent authentication.
That won't be necessary if you always use gmail - just use the google
password as your sasl/tls password and set relayhost to
[smtp.gmail.com]:587

So my main.cf has amongst other things the following in it:

relayhost = my.default.relay:587
smtp_sasl_auth_enable = yes
smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
smtp_tls_security_level = encrypt
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous

The sender_relay file has in it the relay for gmail mail, which takes
precedence over the default relay for mail with a m...@gmail.com from
address:

m...@gmail.com [smtp.gmail.com]:587

The sasl_passwd file has in it the username and password for the
default relay and the gmail relay. In the case of gmail this is the 16
letter google generated one.

m...@gmail.com m...@gmail.com:password
my.default.relay:587 username:password
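
Every working setup in this thread keeps the app password in a plaintext file (.fetchmailrc, .mailrc, /etc/postfix/sasl_passwd), and root found that the spaced four-by-four form fails inside the .mailrc mta URL. The shell functions below are an added example, not code from any poster; they check both conditions, and the 16-letter password form, the sample password and the temporary file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: hygiene checks for the plaintext app-password files named in
# this thread. The sample password and the demo file below are constructed.

# Print the app password with all whitespace removed; fail unless the result
# is exactly 16 letters (assumed form: four groups of four letters).
normalize_app_password() {
    pw=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$pw" in
        *[!A-Za-z]*) return 1 ;;
    esac
    [ "${#pw}" -eq 16 ] || return 1
    printf '%s\n' "$pw"
}

# Succeed only if the file grants no permission bits to group or other.
is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Succeed if an smtp/smtps URL in the file has whitespace inside its
# user:password part, i.e. the password was typed in the spaced display form.
has_spaced_app_password() {
    grep -Eq 'smtps?://[^@[:space:]]*:[^@]*[[:space:]][^@]*@' "$1"
}

# Audit each file given; print one finding per line, return 1 if any found.
audit_secret_files() {
    rc=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        if ! is_private "$f"; then
            echo "$f: accessible to group/other; run: chmod 600 $f"
            rc=1
        fi
        if has_spaced_app_password "$f"; then
            echo "$f: password in mta URL still contains spaces"
            rc=1
        fi
    done
    return $rc
}

# Demo on a constructed .mailrc (sample password, not a real credential).
demo_dir=$(mktemp -d)
printf 'set mta=smtps://MYNAME:abcd efgh ijkl mnop@smtp.gmail.com:465\n' \
    > "$demo_dir/mailrc"
chmod 644 "$demo_dir/mailrc"
audit_secret_files "$demo_dir/mailrc" || true
normalize_app_password "abcd efgh ijkl mnop"
rm -rf "$demo_dir"
```

For Postfix, pass both /etc/postfix/sasl_passwd and the sasl_passwd.db file that postmap generates from it, since each holds the password.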

andrew

Jun 4, 2022, 1:23:55 AM
On 2022-06-02, Chris Vine <chris@cvine--nospam--.freeserve.co.uk> wrote:

> Start up your browser on your slackware computer and go to google, click
> on "Manage your google account", click on "Security", make sure you
> have selected 2 factor authentication and look for the "App passwords"
> entry, choose a name (which can be anything and is just something to
> identify it for you) and generate a password. I use the same app
> password for fetchmail, postmail and mailx.

You can add getmail and msmtp to that list, all works well here...

Andrew
--
You think that's air you're breathing now?

Jim Diamond

Jun 6, 2022, 7:00:47 PM
On 2022-06-03 at 06:45 ADT, Chris Vine <chris@cvine--nospam--.freeserve.co.uk> wrote:

<snip>

> So my main.cf has amongst other things the following in it:
>
> relayhost = my.default.relay:587
> smtp_sasl_auth_enable = yes
> smtp_sender_dependent_authentication = yes
> sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
> smtp_tls_security_level = encrypt
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_sasl_security_options = noanonymous
> smtp_sasl_tls_security_options = noanonymous

<snip>

Chris,

thanks for the details. I could not get outgoing email to gmail
without adding
smtp_sasl_mechanism_filter = login
to main.cf.

Just out of curiosity, do you already have that in your main.cf?

Thanks.
Jim

Chris Vine

Jun 6, 2022, 7:53:15 PM
I have 'smtp_sasl_mechanism_filter = plain' in mine. I don't know
what the difference between 'plain' and 'login' SASL authentication is,
but from your results 'smtp_sasl_mechanism_filter = plain, login' may be
better.

Jim Diamond

Jun 7, 2022, 6:32:03 PM
On 2022-06-06 at 20:54 ADT, Chris Vine <chris@cvine--nospam--.freeserve.co.uk> wrote:
> On Mon, 6 Jun 2022 20:00:43 -0300
> Jim Diamond <JimDi...@ns.sympatico.ca> wrote:
>> On 2022-06-03 at 06:45 ADT, Chris Vine <chris@cAvine--nospam--.freeserve.co.uk> wrote:

<snip>

>> Chris,
>>
>> thanks for the details. I could not get outgoing email to gmail
>> without adding
>> smtp_sasl_mechanism_filter = login
>> to main.cf.
>>
>> Just out of curiosity, do you already have that in your main.cf?
>
> I have 'smtp_sasl_mechanism_filter = plain' in mine. I don't know
> what the difference between 'plain' and 'login' SASL authentication is,
> but from your results 'smtp_sasl_mechanism_filter = plain, login' may be
> better.

Thanks again. I see that just "plain" works for me as well. I guess
the default is something gmail finds unpalatable.

Jim
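
On the 'plain' versus 'login' question raised above, this added example (not code from any poster) shows what each SASL mechanism sends: the same user name and password, base64-encoded, in one blob for PLAIN or two strings for LOGIN. Because base64 is reversible, neither protects the app password by itself, which is why the smtp_tls_security_level = encrypt line in the posted main.cf matters; the user name and password here are constructed samples.

```shell
#!/bin/sh
# Added example: what the PLAIN and LOGIN SASL mechanisms put on the wire.
# The user name and password below are constructed sample values.

# PLAIN (RFC 4616): one base64 blob holding authzid NUL authcid NUL password.
# The authzid is left empty, as is usual for a mail client.
sasl_plain_response() {
    printf '\000%s\000%s' "$1" "$2" | base64 | tr -d '\n'
}

# LOGIN: the same secret, sent as two base64 strings in answer to the
# server's separate user name and password prompts.
sasl_login_responses() {
    printf '%s' "$1" | base64 | tr -d '\n'; echo
    printf '%s' "$2" | base64 | tr -d '\n'; echo
}

# Anyone who can read a PLAIN blob recovers the credentials: base64 is an
# encoding, not encryption. NUL separators are shown as ':' for display.
decode_plain_response() {
    printf '%s' "$1" | base64 -d | tr '\000' ':'
}

blob=$(sasl_plain_response "sample.user@gmail.com" "abcdefghijklmnop")
echo "AUTH PLAIN $blob"
echo "decoded: $(decode_plain_response "$blob")"
echo "AUTH LOGIN responses:"
sasl_login_responses "sample.user@gmail.com" "abcdefghijklmnop"
```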

Poprocks

Jun 14, 2022, 11:07:19 AM
Just wanted to say thanks for this -- here I was, thinking I'd have to
spend hours researching how to get mutt to cooperate with gmail after
the big recent changes. With app passwords it's very easy.