[Alpine-info] O365 XOAUTH2 via fetchmail

[Sewell, David R (drs2n)]

I hadn't been paying close enough attention to the list to realize that I could now get Alpine to work with my university's Exchange server. So I followed the instructions, got the token for Microsoft, successfully authenticated—and hit a window saying "Administrator approval required" with a form for me to submit a justification for allowing Alpine to access my account. So I guess someone somewhere in my university's IT division might or might be getting a request and might or might not do anything about it. Just when the technical hurdle is solved, a social/political hurdle crops up.

I'll file a help desk ticket in a few days if I don't hear anything and maybe let the list know how it goes—in particular, if the request is denied and what the reasoning might be in that case.

David S.

--
David Sewell
Manager of Digital Initiatives and the Rotunda Imprint
The University of Virginia Press
Email: dsewell at virginia.edu   Tel: +1 434 924 9973

From: Alpine-info <alpine-info-bounces at mailman12.u.washington.edu> on behalf of Eduardo Chappa <alpine.chappa at yandex.com>
Date: Wednesday, April 20, 2022 at 9:06 PM
To: Andrew C Aitchison <andrew at aitchison.me.uk>, "alpine-info at u.washington.edu" <alpine-info at u.washington.edu>
Subject: Re: [Alpine-info] O365 XOAUTH2 via fetchmail

On Wed, 20 Apr 2022, Andrew C Aitchison wrote:

OAUTH2 support has been has been in the contrib section of fetchmail 7
for at least 4 years. On Saturday (16 April 2022) Matthias Andree, the
fetchmail maintainer, wrote
https://sourceforge.net/p/fetchmail/mailman/fetchmail-users/?viewmonth=202204&viewday=16

    So if the abomination of hundreds of pages of a "standard" just for
    authentication by itself does NOT suffice to implement OAuth2, then
    we should probably leave it out and remove the experimental bits that
    are in fetchmail's code before a release, even from contrib, and
    replace them with a document README.OAuth2 that starts with "why does
    fetchmail not implement OAuth2".

    Or else somebody show me to a mail service that is not just some SOHO
    site and that *does* implement OAuth2 without requiring jumping
    through arbitrary hoops and showing dressage tricks or play sit up
    and beg or something, then we can implement it and document "why you
    cannot use OAuth2 with Google" instead.

so I fear that the reluctance to support OAUTH2 has not gone away :-(

This worries me because fetchmail, mutt, alpine, etc. are all in the same
boat. Our survival partly depends on the existence of our competitors,
because having a mutt user access a server tells administrators to take
care of a need that later might come from an Alpine user, and so having a
bunch of programs that need access to user data, that respect privacy and
security helps all of us.

In addition, we (mutt, fetchmail, alpine, etc.) all have to move to
modernize our clients, and this is one of the ways in which we have to do
it. There are other steps that need to be taken to modernize Alpine that
need to be done, which will come later. I accept that IMAP and SMTP access
will be gone from some of my accounts but I still need access to that data
through Alpine, so lots of work still remains to be done for that to
happen and what I hope is that other clients (mutt, fetchmail, etc.) will
do the same. Alpine has a robust library to access remote mailboxes and
lacks support for some modern access methods. I am working on bringing
those to Alpine too, and I hope people will realize that we might have to
leave IMAP and SMTP behind some day too, and that that's okay, because we
will still have everything we had in the past without these protocols.

We are not there yet. We still live in the world of IMAP and SMTP, but it
is starting to go away with companies like Google and Microsoft pushing
their products and methods and restricting access to their services to
competitors like Alpine for reasons of privacy and security concerns. We
have to be ready and we will be ready. We will get there, and I hope that
other developers like those of Mutt and Fetchmail realize about this now
so we can all continue coexisting when the world (or Google and Microsoft)
have turned the page on IMAP and SMTP and they do not support these
protocols anymore.

--
Eduardo
_______________________________________________
Alpine-info mailing list
Alpine-info at u.washington.edu<mailto:Alpine-info at u.washington.edu>
http://mailman12.u.washington.edu/mailman/listinfo/alpine-info

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman12.u.washington.edu/pipermail/alpine-info/attachments/20220421/57771b75/attachment.html>