[Alpine-info] Gmail IMAP with username+password (was: Instructions to configure XOAUTH2 in Gmail have changed)

Eduardo Chappa alpine.chappa at yandex.com
Thu Jun 9 14:30:04 PDT 2022


On Thu, 9 Jun 2022, Robert Wolf wrote:


>> with the upcoming change in gmail whereas username/passwords
>> combination will stop working many users are attempting to configure
>> Alpine with XOAUTH2.
>
> This change affected me yesterday - I have found that offlineimap cannot
> sync the emails from gmail to my dovecot server (I don't know why, but
> my dovecot IMAP is faster than Gmail IMAP in alpine, therefore I sync
> extern IMAPs to my IMAP).


That's interesting. I have found directions to use xoauth with offline
email

https://hobo.house/2017/07/17/using-offlineimap-with-the-gmail-imap-api/

I suppose these will be useful for anything.


> A few months ago, when this change has been announced, I have found in
> the google account the possibility to generate special application
> password. So I have tested it on one low-prio account. I had to activate
> 2-step verification and then I could generate special password for Mail.
> With this password and my email I was able to login to IMAP using simple
> username+password authentication.


This is interesting. While the use of XOAUTH2 over app generated passwords
might be a matter of personal preference, I wonder why Google allows these
still. Do you have to generate a password for different machines or can
you use the same password for two different machines? (say a user needs
access from office computer and from home computer). If the answer is that
the same password generated in one machine can be used to access in
another machine, then I do not see much of a gain in security. Refresh
tokens cannot be moved from one machine to another. Typically any attempt
to move a refresh token from one machine to another will make the refresh
token lose its effectiveness (this is a problem that people find when they
attempt to authorize Alpine in one machine and do the authorization
process in another). What this potentially means is that if someone
decodes a password file that contains an app generated password they will
gain access to that account, but not if they decode such password file
containing a refresh token.

Thanks for the information. It is very useful.

--
Eduardo


