[Alpine-info] O365 XOAUTH2 via fetchmail

dan d. dandunfee at gmail.com
Wed Apr 20 08:43:12 PDT 2022





Eduardo, thank you for the effort you make to ensure alpine works well for all, especially as a screen reader user. Your discussion is well
above my understanding of email transfer openness and security. My concern is what happens to alpine users come May when gmail restricts
access? What must users such as myself do to prepare for it?

On Tue, 19 Apr 2022, Eduardo Chappa wrote:

> On Tue, 19 Apr 2022, Andrew C Aitchison wrote:
>
> >> Has anyone gotten something like this working with fetchmail + XOAUTH2
> >> for O365? A big thank you in advance if anyone has any links, or
> >> personal tips, etc on getting this working...
> >
> > This is somewhat off-topic.
> > https://lists.sourceforge.net/lists/listinfo/fetchmail-users
> > would be an appropriate place to ask.
>
> I thought initially the same but then I realized that Alpine users might
> look for answers to their questions about Alpine in an Alpine list instead
> of a fetchmail list. There are many programs that relate to the use of
> Alpine and this is one of them, so I reconsidered and thought it was
> appropriate too.
>
> > [...]
> > Matthias Andree, the fetchmail maintainer, is unhappy with the hoops
> > gmail make him jump through to "register" fetchmail
> > https://sourceforge.net/p/fetchmail/mailman/fetchmail-users/?viewmonth=202204&viewday=16
> > If he cannot get fetchmail to use XOAUTH2 *without* registering the "app"
> > he would appear to be considering whether dropping the feature is an
> > option.
>
> This portion is both related and unrelated to Alpine.
>
> There is nothing to register when you register really. Let me say it this
> way. Anyone can go to Google and register Alpine or fetchmail or mutt or
> firefox, etc. because they are open source applications and what you need
> is a client-id and client-secret to run your app. That is all.
>
> I went through the process of registering Alpine not because I like Google
> but because Alpine users need it. It does not matter how I feel about the
> abuses of Google, Alpine users care about reading their email and not my
> feelings about Google. I ended up giving Alpine users the chance to get
> their own client-id and client-secret because that is what a Google
> employee told me that we were going to come down to.
>
> The real problem with Google is not the registration. It is the
> verification (of the app). It costs $75000 to verify an app every year.
> That is the minimum. I do not make money to give it to Google. I do not
> make money out of selling anything Alpine related to give it to Google.
> Worse, no other company requires this. This is an abuse.
>
> On the Google side they told me that it was the lawyers who did this, as
> if it was a logical conclusion of some sort and it could not be therefore
> modified. It guarantees security, they said, which is something that
> Google sells (in its advertisements). By now it is too late to do
> anything. No one can go against the giant, and above all I am sorry people
> support Google by using their products. However, despite my despise for
> Google, I will not make Alpine users make my feelings be part of their
> experience, and I think the same should be said about other programs that
> people depend on, such as fetchmail.
>
> If there is one thing that I think XOAUTH2 is doing to programs like
> Alpine, fetchmail, etc., is that they are being replaced by other
> commercial apps completely. The requirement that a user authorizes an app
> to access their email also is trumped by the requirement that the
> administrator authorizes the app to access their server, and that is a big
> issue today as many administrators prefer not to allow apps with which
> they are unfamiliar for the sake of security and privacy.
>
> The real issue is that IMAP and SMTP are being deprecated by the fact that
> OAUTH2 over HTTPS is sold as a secure/modern authentication, while IMAP
> and SMTP are not. While it makes no sense to have this discussion in this
> forum, it is an argument being used today not to allow users to turn on
> IMAP and SMTP, and that is an issue for Alpine users.
>
> Let me say it differently. The world is changing with the excuse of
> security and privacy. With that excuse programs like Alpine are being left
> out. It is important that all of us communicate to other people that
> Alpine is a safe program to use, that respects your privacy and makes no
> effort to track you or steal information from anyone. I am working on
> modernizing Alpine, but the real issue is not if IMAP and SMTP will be
> killed, the real issue is if Alpine will be given access to IMAP and SMTP
> by administrators, and that is a bigger issue, because chances are that
> the administrator that you have to ask this question to will say no.
>
> I hope the maintainer of fetchmail decides to include OAUTH2 support. We
> need programs like fetchmail, mutt, alpine, etc. to keep working in the
> future. Some Alpine users prefer fetchmail and I hope they will be able to
> continue using it for many years to come.
>


--
ent-
XR


