
Oauth2, GMail, and Thunderbird



 
 
  #1  
Old November 29th 18, 01:25 PM posted to alt.comp.os.windows-10
Pat
external usenet poster
 
Posts: 55
Default Oauth2, GMail, and Thunderbird

In another thread, someone mentioned that enabling OAuth2 in
Thunderbird made Google happy (ie, fewer security warnings received).

I use Thunderbird to access my GMail account via IMAP. I
occasionally get a warning from GMail that my account is more
vulnerable to attacks because I have a less secure access method
enabled. I ignore those warnings because I thought that was necessary
in order to receive mail via IMAP. But, the OAuth2 comment in the
other thread made me question that. I checked my settings and found I
am using OAuth2 in Thunderbird. However, I am still getting the
warnings from Google that I am less secure than I need to be. They
give me a single "Fix this" button but no technical explanation of
what that will do. If I press that button, will IMAP still work?
(Note that I also access my gmail account from an iOS phone so that
needs to continue working, too. Finally, I use Thunderbird to access
accounts on a number of different servers and accounts, so I have no
desire to switch to GMail's web interface or their iOS app. I like
having all my email come to one place - Thunderbird on my PC and
Apple's Mail app on the phone.) Any advice is appreciated.

Pat
  #2  
Old November 29th 18, 01:59 PM posted to alt.comp.os.windows-10
Mayayana
external usenet poster
 
Posts: 6,438
Default Oauth2, GMail, and Thunderbird

"Pat" wrote

| I use Thunderbird to access my GMail account via IMAP. I
| occasionally get a warning from GMail that my account is more
| vulnerable to attacks because I have a less secure access method
| enabled.

I don't use gmail, but are you aware of Google's
obsession with 2 factor validation? They like to
send a text message to your phone rather than just
trusting your password!
I found that out when my very elderly father
couldn't get his email. He complained that Google
wanted his phone number, but that hadn't helped.
(He'd entered his landline number, and I'm guessing
Google didn't explain it clearly. As with the messages
you're seeing, they don't seem to think their customers
do or should care about the details.)
I don't remember the solution but I seem to remember
that it was possible to tell Google to simply shut up and
get the mail.


  #3  
Old November 29th 18, 02:00 PM posted to alt.comp.os.windows-10
Andy Burns[_6_]
external usenet poster
 
Posts: 1,318
Default Oauth2, GMail, and Thunderbird

Pat wrote:

> I use Thunderbird to access my GMail account via IMAP. I
> occasionally get a warning from GMail that my account is more
> vulnerable to attacks because I have a less secure access method
> enabled.

If you're sure all devices are using https/oauth instead of imap/pop,
then you can disable the "less secure" option

https://support.google.com/a/answer/6260879
  #4  
Old November 29th 18, 02:04 PM posted to alt.comp.os.windows-10
Keith Nuttle
external usenet poster
 
Posts: 1,844
Default Oauth2, GMail, and Thunderbird

On 11/29/2018 8:25 AM, Pat wrote:
> Finally, I use Thunderbird to access
> accounts on a number of different servers and accounts, so I have no
> desire to switch to GMail's web interface or their iOS app.

I use ATT Yahoo, and normally get my email from multiple accounts with
Thunderbird. However I use the ATT Yahoo filters to eliminate most of
the spam.

I mention this as I use the web email interface and Thunderbird
interchangeably with no problems.


I assume the Yahoo web email interface and the ATT Yahoo email
interface are the same. However I am not sure if email going to the ATT
email server, inbound.att.net, is handled the same as the one at Yahoo.

--
2018: The year we learn to play the great game of Euchre

  #5  
Old November 29th 18, 04:38 PM posted to alt.comp.os.windows-10
T
external usenet poster
 
Posts: 4,600
Default Oauth2, GMail, and Thunderbird

On 11/29/18 5:25 AM, Pat wrote:
> In another thread, someone mentioned that enabling OAuth2 in
> Thunderbird made Google happy (ie, fewer security warnings received).
>
> I use Thunderbird to access my GMail account via IMAP. I
> occasionally get a warning from GMail that my account is more
> vulnerable to attacks because I have a less secure access method
> enabled. I ignore those warnings because I thought that was necessary
> in order to receive mail via IMAP. But, the OAuth2 comment in the
> other thread made me question that. I checked my settings and found I
> am using OAuth2 in Thunderbird. However, I am still getting the
> warnings from Google that I am less secure than I need to be. They
> give me a single "Fix this" button but no technical explanation of
> what that will do. If I press that button, will IMAP still work?
> (Note that I also access my gmail account from an iOS phone so that
> needs to continue working, too. Finally, I use Thunderbird to access
> accounts on a number of different servers and accounts, so I have no
> desire to switch to GMail's web interface or their iOS app. I like
> having all my email come to one place - Thunderbird on my PC and
> Apple's Mail app on the phone.) Any advice is appreciated.
>
> Pat


Hi Pat,

I support Thunderbird. I see this all the time. I just ignore them.
Some customers don't seem to get bothered by this and some do, so
I can't put my finger on it.

Yahoo eMail is a pain in the a*** over this too. Use OAuth2
or get harassed endlessly.

Several of my customers eMail backup reports through gMail and
need to turn on less secure apps as these backup programs usually
do not support OAuth2. (You are lucky if they support SSL/TLS.)

Also, Google makes a lot of money off of scanning your eMail and
popping up ads. Thunderbird blocks all this, so I am suspicious
that Google is messing with Thunderbird at times, but I
can't prove it.

To administer less secure apps:
https://www.google.com/settings/security/lesssecureapps

You will eventually need to unlock captcha too:
https://www.google.com/accounts/DisplayUnlockCaptcha

-T

  #6  
Old November 29th 18, 05:00 PM posted to alt.comp.os.windows-10
Frank Slootweg
external usenet poster
 
Posts: 1,226
Default Oauth2, GMail, and Thunderbird

Mayayana wrote:
> "Pat" wrote
>
> | I use Thunderbird to access my GMail account via IMAP. I
> | occasionally get a warning from GMail that my account is more
> | vulnerable to attacks because I have a less secure access method
> | enabled.
>
> I don't use gmail, but are you aware of Google's
> obsession with 2 factor validation? They like to
> send a text message to your phone rather than just
> trusting your password!


Yeah, 2FA via SMS is ever so handy!

For example when you're in another country, use a local SIM to avoid
ridiculous roaming charges and Google locked you out from (POP/IMAP)
Gmail, because you're on a different IP and that can't be right, can
it!? So you want to log into your Google Account to undo Google's
paranoia, but Google send its 2FA SMS to your 'home' SIM, which is not
in your phone, so you don't get the SMS. Catch-22!

Why are all my four other MSPs (Mail SPs) so stupid that they can't
come up with such a brilliant If-it-ain't-broken-we'll-break-it scheme!?

One of said MSPs is even my recovery email address for my Google
Account, so Google's lock-up messages *do* still come through! What's
the fun in *that*!?

> I found that out when my very elderly father
> couldn't get his email. He complained that Google
> wanted his phone number, but that hadn't helped.
> (He'd entered his landline number, and I'm guessing
> Google didn't explain it clearly. As with the messages
> you're seeing, they don't seem to think their customers
> do or should care about the details.)


Minor nit/addition: Using a landline number is fine (FSVSVO 'fine').
Google will do a voice call to that number.

> I don't remember the solution but I seem to remember
> that it was possible to tell Google to simply shut up and
> get the mail.

  #7  
Old November 29th 18, 05:16 PM posted to alt.comp.os.windows-10
Ralph Fox
external usenet poster
 
Posts: 474
Default Oauth2, GMail, and Thunderbird

On Thu, 29 Nov 2018 08:25:30 -0500, Pat wrote:

> In another thread, someone mentioned that enabling OAuth2 in
> Thunderbird made Google happy (ie, fewer security warnings received).

Not exactly.

1. Google want you to turn off "allow less secure apps"
in your Google account settings. That is how you get
the fewer security warnings.

2. The OAuth2 setting allows you to keep using Thunderbird
with Gmail when "allow less secure apps" is turned off.

> I use Thunderbird to access my GMail account via IMAP. I
> occasionally get a warning from GMail that my account is more
> vulnerable to attacks because I have a less secure access method
> enabled. I ignore those warnings because I thought that was necessary
> in order to receive mail via IMAP. But, the OAuth2 comment in the
> other thread made me question that. I checked my settings and found I
> am using OAuth2 in Thunderbird. However, I am still getting the
> warnings from Google that I am less secure than I need to be.

This probably means that "allow less secure apps" is turned on.

> They
> give me a single "Fix this" button but no technical explanation of
> what that will do.

My guess is that the button you are seeing is a button to turn off
"allow less secure apps" in your Google account settings.

> If I press that button, will IMAP still work?

So long as you are using OAuth2 with Gmail, and not "normal password".

> (Note that I also access my gmail account from an iOS phone so that
> needs to continue working, too.

If the iOS Mail app uses OAuth2 then it will keep working.
I haven't tried to find out.

> Finally, I use Thunderbird to access
> accounts on a number of different servers and accounts, so I have no
> desire to switch to GMail's web interface or their iOS app.

The "allow less secure apps" setting will not affect your other mail
accounts, not unless those other mail accounts are actually managed by
Gmail. I mention this because a few ISPs have outsourced their email
service to Gmail.

> I like
> having all my email come to one place - Thunderbird on my PC and
> Apple's Mail app on the phone.) Any advice is appreciated.
>
> Pat



--
Kind regards
Ralph
  #8  
Old November 29th 18, 07:43 PM posted to alt.comp.os.windows-10
VanguardLH[_2_]
external usenet poster
 
Posts: 10,881
Default Oauth2, GMail, and Thunderbird

Pat wrote:

> In another thread, someone mentioned that enabling OAuth2 in
> Thunderbird made Google happy (ie, fewer security warnings received).

You didn't bother to identify the other thread by its Subject or
Message-ID. You sure the other thread didn't note the server-side
option to disable the OAUTH2 requirement (enable "less secure apps")?

> I use Thunderbird to access my GMail account via IMAP. I
> occasionally get a warning from GMail that my account is more
> vulnerable to attacks because I have a less secure access method
> enabled. I ignore those warnings because I thought that was necessary
> in order to receive mail via IMAP. But, the OAuth2 comment in the
> other thread made me question that. I checked my settings and found I
> am using OAuth2 in Thunderbird. However, I am still getting the
> warnings from Google that I am less secure than I need to be. They
> give me a single "Fix this" button but no technical explanation of
> what that will do. If I press that button, will IMAP still work?

I suspect the problem is your account defined within Thunderbird doesn't
have an OAUTH2 (how they track you by your client with its key). You
may have to delete the Gmail account in Thunderbird and create a new
one. At the time you create the new one, have it use OAUTH2. Then the
Gmail server will give Thunderbird an OAUTH2 key.

> Note that I also access my gmail account from an iOS phone so that
> needs to continue working, too.

Don't know if it is the same for the iOS app, but the Gmail app on
Android doesn't use standard e-mail protocols. It isn't using IMAP. It
is using commands in Google's Gmail API. That is Google's protocol.

https://developers.google.com/gmail/api/

When using Google's Gmail app on your iOS device, have you EVER gotten a
prompt there about that app being insecure?

> Finally, I use Thunderbird to access accounts on a number of different
> servers and accounts, so I have no desire to switch to GMail's web
> interface or their iOS app. I like having all my email come to one
> place - Thunderbird on my PC and Apple's Mail app on the phone.


Each client on each host will need to get its own OAUTH2 key.

IMAP synchronizes each client to whatever is on the server. In effect,
the server is the backup to which all the IMAP clients will sync. That
way, you could uninstall your IMAP client and install it again, install
a new OS and then install an IMAP client, install an IMAP client on a
different host, and each will see the same content when they all connect
to the same IMAP account.

The Android (and probably the iOS) GMail apps don't use IMAP or any
standard e-mail protocol. They sync to the account using Google's Gmail
API.

Both IMAP and Gmail API sync to what is on the server, so all those
clients will see the same content.

If "Apple Mail app" means something other than Google's Gmail app, my
guess is the Apple app uses standard e-mail protocols, like IMAP, to
your Gmail account; however, any programmer can implement the Gmail API,
so it's possible the Apple app uses that API when connecting to Gmail.
This is a Windows 10 newsgroup. If you want to find out how the Apple
Mail app connects to Gmail, ask in an Apple newsgroup. I happen to use
an Android smartphone, so I know how Google's Gmail app works with their
Gmail service (but there is a newsgroup for Android users, too).
  #9  
Old November 29th 18, 10:14 PM posted to alt.comp.os.windows-10
Carlos E.R.[_3_]
external usenet poster
 
Posts: 1,356
Default Oauth2, GMail, and Thunderbird

On 29/11/2018 14.25, Pat wrote:
> In another thread, someone mentioned that enabling OAuth2 in
> Thunderbird made Google happy (ie, fewer security warnings received).
>
> I use Thunderbird to access my GMail account via IMAP. I
> occasionally get a warning from GMail that my account is more
> vulnerable to attacks because I have a less secure access method
> enabled. I ignore those warnings because I thought that was necessary
> in order to receive mail via IMAP. But, the OAuth2 comment in the
> other thread made me question that. I checked my settings and found I
> am using OAuth2 in Thunderbird. However, I am still getting the
> warnings from Google that I am less secure than I need to be. They
> give me a single "Fix this" button but no technical explanation of
> what that will do. If I press that button, will IMAP still work?
> (Note that I also access my gmail account from an iOS phone so that
> needs to continue working, too. Finally, I use Thunderbird to access
> accounts on a number of different servers and accounts, so I have no
> desire to switch to GMail's web interface or their iOS app. I like
> having all my email come to one place - Thunderbird on my PC and
> Apple's Mail app on the phone.) Any advice is appreciated.

What google wants is you disable "less secure" connections at their web
page. At the server side, not at your client side.

If you only use "approved" applications on all your devices, then you
can do it. Else ignore the message.

--
Cheers, Carlos.
  #10  
Old November 30th 18, 01:36 AM posted to alt.comp.os.windows-10
Mayayana
external usenet poster
 
Posts: 6,438
Default Oauth2, GMail, and Thunderbird

"Frank Slootweg" wrote

| Why are all my four other MSPs (Mail SPs) so stupid that they can't
| come up with such a brilliant If-it-ain't-broken-we'll-break-it scheme!?
|
It sounds like you're having no end of fun. Color
me jealous.

| I found that out when my very elderly father
| couldn't get his email. He complained that Google
| wanted his phone number, but that hadn't helped.
| (He'd entered his landline number, and I'm guessing
| Google didn't explain it clearly. As with the messages
| you're seeing, they don't seem to think their customers
| do or should care about the details.)
|
| Minor nit/addition: Using a landline number is fine (FSVSVO 'fine').
| Google will do a voice call to that number.
|

I'm impressed the Googlites know about landlines.
Maybe they did call my father after all, while he was
at the senior center, trying and failing to get his gmail
from the only machine and IP he ever uses.

But I can rest easier knowing there are no snoops at
the senior center who managed to eavesdrop on
his chats with his WW2 buddies by using his password.
I thought that Ethel with the leopard print walker
and the blue hair looked suspicious.


  #11  
Old November 30th 18, 12:24 PM posted to alt.comp.os.windows-10
Pat
external usenet poster
 
Posts: 55
Default Oauth2, GMail, and Thunderbird

On Thu, 29 Nov 2018 14:00:22 +0000, Andy Burns
wrote:

> Pat wrote:
>
>> I use Thunderbird to access my GMail account via IMAP. I
>> occasionally get a warning from GMail that my account is more
>> vulnerable to attacks because I have a less secure access method
>> enabled.
>
> If you're sure all devices are using https/oauth instead of imap/pop,
> then you can disable the "less secure" option
>
> https://support.google.com/a/answer/6260879

Interesting. I found a lot of info at that link, but I'm more
confused than before.
1. I didn't know I had a google admin account. I'll have to look
into that.
2. Regarding your "if you are sure..." sentence above, I
thought I was using IMAP but the OAuth2 checkbox is checked. Is that
https/oauth or imap/pop?

Thanks,
Pat
  #12  
Old November 30th 18, 12:28 PM posted to alt.comp.os.windows-10
Pat
external usenet poster
 
Posts: 55
Default Oauth2, GMail, and Thunderbird

On Fri, 30 Nov 2018 06:16:14 +1300, Ralph Fox
wrote:

> On Thu, 29 Nov 2018 08:25:30 -0500, Pat wrote:
>
>> In another thread, someone mentioned that enabling OAuth2 in
>> Thunderbird made Google happy (ie, fewer security warnings received).
>
> Not exactly.
>
> 1. Google want you to turn off "allow less secure apps"
> in your Google account settings. That is how you get
> the fewer security warnings.

I understand and agree. But, your following point is what I was
unsure about.

> 2. The OAuth2 setting allows you to keep using Thunderbird
> with Gmail when "allow less secure apps" is turned off.

That is my real question. Of all the responses, you are the only one
to word it that way. I guess I'll give it a try and see what happens.

>> I use Thunderbird to access my GMail account via IMAP. I
>> occasionally get a warning from GMail that my account is more
>> vulnerable to attacks because I have a less secure access method
>> enabled. I ignore those warnings because I thought that was necessary
>> in order to receive mail via IMAP. But, the OAuth2 comment in the
>> other thread made me question that. I checked my settings and found I
>> am using OAuth2 in Thunderbird. However, I am still getting the
>> warnings from Google that I am less secure than I need to be.
>
> This probably means that "allow less secure apps" is turned on.
>
>> They
>> give me a single "Fix this" button but no technical explanation of
>> what that will do.
>
> My guess is that the button you are seeing is a button to turn off
> "allow less secure apps" in your Google account settings.
>
>> If I press that button, will IMAP still work?
>
> So long as you are using OAuth2 with Gmail, and not "normal password".
>
>> (Note that I also access my gmail account from an iOS phone so that
>> needs to continue working, too.
>
> If the iOS Mail app uses OAuth2 then it will keep working.
> I haven't tried to find out.
>
>> Finally, I use Thunderbird to access
>> accounts on a number of different servers and accounts, so I have no
>> desire to switch to GMail's web interface or their iOS app.
>
> The "allow less secure apps" setting will not affect your other mail
> accounts, not unless those other mail accounts are actually managed by
> Gmail. I mention this because a few ISPs have outsourced their email
> service to Gmail.
>
>> I like
>> having all my email come to one place - Thunderbird on my PC and
>> Apple's Mail app on the phone.) Any advice is appreciated.
>>
>> Pat

  #13  
Old November 30th 18, 12:32 PM posted to alt.comp.os.windows-10
Pat
external usenet poster
 
Posts: 55
Default Oauth2, GMail, and Thunderbird

On Thu, 29 Nov 2018 23:14:49 +0100, "Carlos E.R."
wrote:

> On 29/11/2018 14.25, Pat wrote:
>> In another thread, someone mentioned that enabling OAuth2 in
>> Thunderbird made Google happy (ie, fewer security warnings received).
>>
>> I use Thunderbird to access my GMail account via IMAP. I
>> occasionally get a warning from GMail that my account is more
>> vulnerable to attacks because I have a less secure access method
>> enabled. I ignore those warnings because I thought that was necessary
>> in order to receive mail via IMAP. But, the OAuth2 comment in the
>> other thread made me question that. I checked my settings and found I
>> am using OAuth2 in Thunderbird. However, I am still getting the
>> warnings from Google that I am less secure than I need to be. They
>> give me a single "Fix this" button but no technical explanation of
>> what that will do. If I press that button, will IMAP still work?
>> (Note that I also access my gmail account from an iOS phone so that
>> needs to continue working, too. Finally, I use Thunderbird to access
>> accounts on a number of different servers and accounts, so I have no
>> desire to switch to GMail's web interface or their iOS app. I like
>> having all my email come to one place - Thunderbird on my PC and
>> Apple's Mail app on the phone.) Any advice is appreciated.
>
> What google wants is you disable "less secure" connections at their web
> page. At the server side, not at your client side.

I understand.

> If you only use "approved" applications on all your devices, then you
> can do it. Else ignore the message.

But, are the latest iOS mail app (not the gmail specific iOS app) and
the latest Thunderbird windows build "approved applications"? I guess
I need to try it and find out.

Thanks to everyone who responded.
Pat
  #14  
Old November 30th 18, 12:53 PM posted to alt.comp.os.windows-10
Andy Burns[_6_]
external usenet poster
 
Posts: 1,318
Default Oauth2, GMail, and Thunderbird

Pat wrote:

> 1. I didn't know I had a google admin account. I'll have to look
> into that.


Actually that link was one for those using gsuite (e.g. businesses) the
link for individuals is

https://support.google.com/accounts/answer/6010255

> 2. Regarding your "if you are sure..." sentence above, I
> thought I was using IMAP but the OAuth2 checkbox is checked. Is that
> https/oauth or imap/pop?


Sounds like you're using IMAP with Oauth2, what I was trying to avoid
was the situation where you used POP or IMAP with "insecure"
authentication on some other device, then disabled the insecure access
and broke that other device's email.

If you only use gmail in a browser (over https) or in a mail client with
IMAP and Oauth2 then you're safe to disable the insecure option.
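
The distinction drawn in this thread between IMAP with OAuth2 and IMAP with a "normal password" is visible in the login command each client sends. As an added example (not part of the original thread), this Python sketch builds the SASL PLAIN and XOAUTH2 initial responses and lists which clients depend on "allow less secure apps"; the client names, address, password and token are constructed.

```python
import base64
import shlex


def sasl_plain(user: str, password: str) -> str:
    """RFC 4616 PLAIN initial response: authzid NUL authcid NUL password."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def sasl_xoauth2(user: str, access_token: str) -> str:
    """Gmail XOAUTH2 initial response: user=<addr>^Aauth=Bearer <token>^A^A."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()


def classify(command: str) -> dict:
    """Identify how one client IMAP login command authenticates.

    needs_less_secure follows the thread: a "normal password" login depends
    on "allow less secure apps" being on; an OAuth2 login does not.
    """
    parts = shlex.split(command)  # tag, verb, then the arguments
    if len(parts) < 4:
        raise ValueError(f"not a login command: {command!r}")
    verb = parts[1].upper()
    if verb == "LOGIN":
        # The account password travels as a plain argument (inside TLS).
        return {"method": "LOGIN", "user": parts[2],
                "sends": "account password", "needs_less_secure": True}
    if verb == "AUTHENTICATE":
        mech = parts[2].upper()
        blob = base64.b64decode(parts[3]).decode()
        if mech == "PLAIN":
            # Same password as LOGIN, only base64-wrapped.
            _authzid, user, _password = blob.split("\0")
            return {"method": "PLAIN", "user": user,
                    "sends": "account password", "needs_less_secure": True}
        if mech == "XOAUTH2":
            fields = dict(f.split("=", 1) for f in blob.split("\x01") if f)
            if not fields.get("auth", "").startswith("Bearer "):
                raise ValueError("XOAUTH2 response without a bearer token")
            # Only a per-client access token is sent; the password is not.
            return {"method": "XOAUTH2", "user": fields["user"],
                    "sends": "OAuth2 bearer token", "needs_less_secure": False}
    raise ValueError(f"unrecognised login command: {command!r}")


def clients_that_break(clients: dict) -> list:
    """Names of clients that stop working once the setting is turned off."""
    return sorted(name for name, cmd in clients.items()
                  if classify(cmd)["needs_less_secure"])


# Constructed sample: one login command per device on the same account.
CLIENTS = {
    "PC mail client (XOAUTH2)": "a1 AUTHENTICATE XOAUTH2 "
    + sasl_xoauth2("pat@example.com", "constructed-access-token"),
    "second device (PLAIN)": "a1 AUTHENTICATE PLAIN "
    + sasl_plain("pat@example.com", "constructed-password"),
    "legacy client (LOGIN)": 'a1 LOGIN pat@example.com "constructed password"',
}

if __name__ == "__main__":
    for name, cmd in CLIENTS.items():
        info = classify(cmd)
        print(f"{name}: {info['method']} sends {info['sends']}")
    print("Would break:", clients_that_break(CLIENTS))
```
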

  #15  
Old November 30th 18, 07:21 PM posted to alt.comp.os.windows-10
mechanic
external usenet poster
 
Posts: 1,064
Default Oauth2, GMail, and Thunderbird

On Fri, 30 Nov 2018 12:53:28 +0000, Andy Burns wrote:

> Pat wrote:
>
>> 1. I didn't know I had a google admin account. I'll have to
>> look into that.
>
> Actually that link was one for those using gsuite (e.g. businesses) the
> link for individuals is
>
> https://support.google.com/accounts/answer/6010255
>
>> 2. Regarding your "if you are sure..." sentence above, I
>> thought I was using IMAP but the OAuth2 checkbox is checked. Is
>> that https/oauth or imap/pop?
>
> Sounds like you're using IMAP with Oauth2, what I was trying to
> avoid was the situation where you used POP or IMAP with
> "insecure" authentication on some other device, then disabled the
> insecure access and broke that other device's email.
>
> If you only use gmail in a browser (over https) or in a mail
> client with IMAP and Oauth2 then you're safe to disable the
> insecure option.


What's insecure about using TCL/SSL for transmission and the usual
account name/password to access IMAP? This OAuth2 stuff seems
targeted at HTML APIs.
 




All times are GMT +1.