[Alpine-info] O365 XOAUTH2 via fetchmail

Eduardo Chappa alpine.chappa at yandex.com
Tue Apr 19 15:50:33 PDT 2022


On Tue, 19 Apr 2022, Andrew C Aitchison wrote:


>> Has anyone gotten something like this working with fetchmail + XOAUTH2
>> for O365? A big thank you in advance if anyone has any links, or
>> personal tips, etc on getting this working...
>
> This is somewhat off-topic.
> https://lists.sourceforge.net/lists/listinfo/fetchmail-users
> would be an appropriate place to ask.


I thought initially the same but then I realized that Alpine users might
look for answers to their questions about Alpine in an Alpine list instead
of a fetchmail list. There are many programs that relate to the use of
Alpine and this is one of them, so I reconsidered and thought it was
appropriate too.


> [...]
> Matthias Andree, the fetchmail maintainer, is unhappy with the hoops
> gmail make him jump through to "register" fetchmail
> https://sourceforge.net/p/fetchmail/mailman/fetchmail-users/?viewmonth=202204&viewday=16
> If he cannot get fetchmail to use XOAUTH2 *without* registering the "app"
> he would appear to be considering whether dropping the feature is an
> option.


This portion is both related and unrelated to Alpine.

There is nothing to register when you register really. Let me say it this
way. Anyone can go to Google and register Alpine or fetchmail or mutt or
firefox, etc. because they are open source applications and what you need
is a client-id and client-secret to run your app. That is all.

I went through the process of registering Alpine not because I like Google
but because Alpine users need it. It does not matter how I feel about the
abuses of Google, Alpine users care about reading their email and not my
feelings about Google. I ended up giving Alpine users the chance to get
their own client-id and client-secret because that is what a Google
employee told me that we were going to come down to.

The real problem with Google is not the registration. It is the
verification (of the app). It costs $75000 to verify an app every year.
That is the minimum. I do not make money to give it to Google. I do not
make money out of selling anything Alpine related to give it to Google.
Worse, no other company requires this. This is an abuse.

On the Google side they told me that it was the lawyers who did this, as
if it was a logical conclusion of some sort and it could not be therefore
modified. It guarantees security, they said, which is something that
Google sells (in its advertisements). By now it is too late to do
anything. No one can go against the giant, and above all I am sorry people
support Google by using their products. However, despite my despise for
Google, I will not make Alpine users make my feelings be part of their
experience, and I think the same should be said about other programs that
people depend on, such as fetchmail.

If there is one thing that I think XOAUTH2 is doing to programs like
Alpine, fetchmail, etc., is that they are being replaced by other
commercial apps completely. The requirement that a user authorizes an app
to access their email also is trumped by the requirement that the
administrator authorizes the app to access their server, and that is a big
issue today as many administrators prefer not to allow apps with which
they are unfamiliar for the sake of security and privacy.

The real issue is that IMAP and SMTP are being deprecated by the fact that
OAUTH2 over HTTPS is sold as a secure/modern authentication, while IMAP
and SMTP are not. While it makes no sense to have this discussion in this
forum, it is an argument being used today not to allow users to turn on
IMAP and SMTP, and that is an issue for Alpine users.

Let me say it differently. The world is changing with the excuse of
security and privacy. With that excuse programs like Alpine are being left
out. It is important that all of us communicate to other people that
Alpine is a safe program to use, that respects your privacy and makes no
effort to track you or steal information from anyone. I am working on
modernizing Alpine, but the real issue is not if IMAP and SMTP will be
killed, the real issue is if Alpine will be given access to IMAP and SMTP
by administrators, and that is a bigger issue, because chances are that
the administrator that you have to ask this question to will say no.

I hope the maintainer of fetchmail decides to include OAUTH2 support. We
need programs like fetchmail, mutt, alpine, etc. to keep working in the
future. Some Alpine users prefer fetchmail and I hope they will be able to
continue using it for many years to come.

--
Eduardo


