[Alpine-info] O365 XOAUTH2 via fetchmail

Eduardo Chappa alpine.chappa at yandex.com
Thu Apr 21 07:43:56 PDT 2022


On Thu, 21 Apr 2022, Carl Edquist wrote:


> If they give you trouble, perhaps you can get a "doctor's note" from the
> maintainer...


The main problem might be ignorance (not intentional) from the
administrator of the server. For them "Alpine" might sound like "Aunt
Mary's Magic Email Program", hence the fear of the unknown: I cannot trust
access to the server to something I have not heard of before.

Here are some arguments that can be used to advocate for allowing Alpine
access to a server.

1. Alpine respects your privacy: It uses your data only for the purposes
intended by the user. This means that it will not access your data
unless it needs to and only to accomplish the tasks that the user
needs. Alpine does not share any of the information it collects with
any other person or entity. The privacy policy is posted at

https://alpine.x10host.com/legal/privacy.html

2. Alpine uses XOAUTH2 to log in a user to their resources. Alpine does not
need to use username/password (which is considered "less" safe) to
access a server. If an administrator does not want a user to use
username/password it can be disabled from the server side to make sure
Alpine users never use their password.

3. Since Alpine supports XOAUTH2, it also supports two-factor
authentication. Alpine opens a link to complete the XOAUTH2
authorization stage, and while doing so it can complete two-factor
authentication.

4. Alpine does not attempt to access data that it is not allowed to. This
means that Alpine will not attempt to access contacts or calendar
information that it is not allowed to. The only access that is required
to run Alpine is to be able to fully manage email: read, delete, modify
and send email.

5. Alpine is already widely deployed across the world. Alpine is
distributed by all major Linux distributions: Ubuntu, Debian, Fedora,
openSUSE and many more. Its user basis comes mostly from North America
and Europe, and internet searches show that it is used in universities
across the world. Here are some links that show administrators at
places around the world helping users configure Alpine to access their
servers:

https://kb.mit.edu/confluence/pages/viewpage.action?pageId=164758928
https://engineering.purdue.edu/ECN/Support/KB/Docs/UsingAlpinewitho365
https://espace.cern.ch/mmmservices-help/AccessingYourMailbox/Alpine/Pages/default.aspx

There are many more.

6. The implementation of Alpine using XOAUTH2 has been available for
years. This means it has also been tried and tested by many users
around the world. If there had been any problems or security
concerns with its implementation those problems would already be
posted somewhere. The only problems that have been reported for Alpine
in the last few years can be seen for example at this page:

https://www.cvedetails.com/vulnerability-list/vendor_id-23410/product_id-86426/Alpine-Project-Alpine.html

The fact that this page exists shows that Alpine is widely used around
the world.

7. The developer of Alpine is active in forums, answers to personal
email, takes bug reports seriously and addresses them. If any
administrator wishes to contact me directly to address any concerns I
am happy to speak to them by any means (email, phone, zoom, etc.)

8. Alpine is in constant development and its code is publicly available
and can be found at

https://repo.or.cz/alpine.git

so anyone can review its code at any time.

9. Users have used Alpine for years and amassed a big amount of email
distributed over many folders over years. They have been able to access
that email and all information in it with Alpine and losing Alpine
access might have a devastating effect over the user. This is
particularly troublesome for users that do research in universities
across the world that need that access.

I hope this helps all of us to talk to administrators and help them see
that Alpine is a safe email program. Its interface makes managing email
efficient and convenient and that is preferred by many users instead of
other more common alternatives that do not match the usage habits of some
users of the email service but still makes them efficient workers in their
institution.

--
Eduardo


