[Alpine-info] O365 XOAUTH2 via fetchmail

Carlos E. R. robin.listas at telefonica.net
Wed Apr 20 03:12:26 PDT 2022


On Tuesday, 2022-04-19 at 16:50 -0600, Eduardo Chappa wrote:

> On Tue, 19 Apr 2022, Andrew C Aitchison wrote:
>
>>> Has anyone gotten something like this working with fetchmail + XOAUTH2
>>> for O365? A big thank you in advance if anyone has any links, or
>>> personal tips, etc on getting this working...
>>
>> This is somewhat off-topic.
>> https://lists.sourceforge.net/lists/listinfo/fetchmail-users
>> would be an appropriate place to ask.
>
> I thought initially the same but then I realized that Alpine users might look
> for answers to their questions about Alpine in an Alpine list instead of a
> fetchmail list. There are many programs that relate to the use of Alpine and
> this is one of them, so I reconsidered and thought it was appropriate too.
>
>> [...]
>> Matthias Andree, the fetchmail maintainer, is unhappy with the hoops
>> gmail make him jump through to "register" fetchmail
>> https://sourceforge.net/p/fetchmail/mailman/fetchmail-users/?viewmonth=202204&viewday=16
>> If he cannot get fetchmail to use XOAUTH2 *without* registering the "app"
>> he would appear to be considering whether dropping the feature is an
>> option.
>
> This portion is both related and unrelated to Alpine.
>
> There is nothing to register when you register really. Let me say it this
> way. Anyone can go to Google and register Alpine or fetchmail or mutt or
> firefox, etc. because they are open source applications and what you need is
> a client-id and client-secret to run your app. That is all.
>
> I went through the process of registering Alpine not because I like Google
> but because Alpine users need it. It does not matter how I feel about the
> abuses of Google, Alpine users care about reading their email and not my
> feelings about Google. I ended up giving Alpine users the chance to get
> their own client-id and client-secret because that is what a Google employee
> told me that we were going to come down to.
>
> The real problem with Google is not the registration. It is the verification
> (of the app). It costs $75000 to verify an app every year. That is the
> minimum. I do not make money to give it to Google. I do not make money out of
> selling anything Alpine related to give it to Google.
> Worse, no other company requires this. This is an abuse.


Indeed :-(


> On the Google side they told me that it was the lawyers who did this, as if
> it was a logical conclusion of some sort and it could not be therefore
> modified. It guarantees security, they said, which is something that Google
> sells (in its advertisements). By now it is too late to do anything. No one
> can go against the giant, and above all I am sorry people support Google by
> using their products. However, despite my despise for Google, I will not make
> Alpine users make my feelings be part of their experience, and I think the
> same should be said about other programs that people depend on, such as
> fetchmail.
>
> If there is one thing that I think XOAUTH2 is doing to programs like Alpine,
> fetchmail, etc., is that they are being replaced by other commercial apps
> completely. The requirement that a user authorizes an app to access their
> email also is trumped by the requirement that the administrator authorizes
> the app to access their server, and that is a big issue today as many
> administrators prefer not to allow apps with which they are unfamiliar for
> the sake of security and privacy.


I have not changed my use of Alpine one iota. I use fetchmail much less,
yes, but not because of gmail, it happened before the oauth nonsense.

I stopped using fetchmail because of actually using imap and having more
than one computer: I changed to leaving email on the upstream server
instead of in my machine. Once a month I move old email out of the
upstream imap server to my own machine, using Alpine instead of fetchmail
because I have to select what to download.


As an alternative, sometimes I "move" email from an upstream imap folder to
a local imap server in my machine, using imapsync:

imapsync --errorsmax 150 --addheader --no-modulesversion \
--host1 imap.telefonica.net --user1 USER --passfile1 ~/keys/.secret_tesa_L_imapsync \
--host2 telcontar.valinor --user2 cer --passfile2 .secret_imapsync --delete1 \
--folder temp_l --f1f2 temp_l=Tesa_L_tmp

(you may remember that I have problems with my ISP and one account:
connections break, and this breaks alpine in the middle of moving mail.
However, it does not break imapsync. I have no explanation for this)





> The real issue is that IMAP and SMTP are being deprecated by the fact that
> OAUTH2 over HTTPS is sold as a secure/modern authentication, while IMAP and
> SMTP are not. While it makes no sense to have this discussion in this forum,
> it is an argument being used today not to allow users to turn on IMAP and
> SMTP, and that is an issue for Alpine users.


There is a troll in Usenet that says something interesting (you know that
some trolls are not trolling full time and may say interesting things now
and then).

He says that the real thing about oauth2 is that it permits Google to
track us. Google gets to know which application you are using to read
email each time, and in which computer.

This is possibly true. Fits as well with having to use 2FA/2SV and
associating the account with a phone number.


Reminds me. This troll also says that it is possible that Google will
change something about those of us using application passwords instead of
oauth2, because Google is starting to see this as a method to bypass
oauth2. This comes from seeing an error message from gmail that says this,
but I can not locate it now for pasting here.


Another data point: gmail for groups does not force people to use oauth2
or 2FA/2SV. Example: ieee.org accounts. Apparently the decision is up to
the administrator of the group, not gmail itself.



> Let me say it differently. The world is changing with the excuse of security
> and privacy. With that excuse programs like Alpine are being left out. It is
> important that all of us communicate to other people that Alpine is a safe
> program to use, that respects your privacy and makes no effort to track you
> or steal information from anyone. I am working on modernizing Alpine, but the
> real issue is not if IMAP and SMTP will be killed, the real issue is if
> Alpine will be given access to IMAP and SMTP by administrators, and that is a
> bigger issue, because chances are that the administrator that you have to ask
> this question to will say no.


That's sad. Has not happened to me, fortunately.


>
> I hope the maintainer of fetchmail decides to include OAUTH2 support. We need
> programs like fetchmail, mutt, alpine, etc. to keep working in the future.
> Some Alpine users prefer fetchmail and I hope they will be able to continue
> using it for many years to come.


We'll tell him to read this post of yours :-)

--
Cheers,
Carlos E. R.
(from openSUSE 15.3 x86_64 at Telcontar)



