[Alpine-info] FW: O365 XOAUTH2 via fetchmail

[Sewell, David R (drs2n)]

[Re-sending this to the list from my subscribed email address]

I finally got a reply from my university's manager of Microsoft Services to my request that Alpine be authorized as a client to connect with our Outlook services. This was the response:

Hi David,

Even if we were to authorize Alpine for use in our tenant its functionality wouldn’t work past August when Microsoft deprecates basic auth with SMTP auth.  I feel non outlook clients are not long for this world in the eyes of Microsoft.

Is he correct about this? I don't understand the technical details of the various authorization methods but based on what Eduardo says below, the deprecation of basic auth should not be a problem if Alpine is configured correctly? (Eduardo, should I just forward this admin your email below?)

David

--
David Sewell
Manager of Digital Initiatives and Rotunda Imprint
The University of Virginia Press
dsewell at virginia.edu   Tel: +1 434 924 9973

From: Alpine-info <alpine-info-bounces at mailman12.u.washington.edu> on behalf of Eduardo Chappa <alpine.chappa at yandex.com>
Date: Thursday, April 21, 2022 at 10:46 AM
To: Carl Edquist <gatetman at gmail.com>
Cc: "alpine-info at u.washington.edu" <alpine-info at u.washington.edu>
Subject: Re: [Alpine-info] O365 XOAUTH2 via fetchmail

On Thu, 21 Apr 2022, Carl Edquist wrote:

If they give you trouble, perhaps you can get a "doctor's note" from the
maintainer...

The main problem might be ignorance (not intentional) from the
administrator of the server. For them "Alpine" might sound like "Aunt
Mary's Magic Email Program", hence the fear of the unknown: I cannot trust
access to the server to something I have not heard of before.

Here are some arguments that can be used to advocate for allowing Alpine
access to a server.

1. Alpine respects your privacy: It uses your data only for the purposes
    intended by the user. This means that it will no access your data
    unless it needs to and only to accomplish the tasks that the user
    needs. Alpine does not share any of the information it collects with
    any other person or entity. The privacy policy is posted at

    https://alpine.x10host.com/legal/privacy.html

2. Alpine uses XOAUTH2 to login a user to their resources. Alpine does not
    need to use username/password (which is considered "less" safe) to
    access a server. If an administrator does not want a user to use
    username/password it can be disabled from the server side to make sure
    Alpine users never use their password.

3. Since Alpine supports XOAUTH2, it also supports two-factor
    authentication. Alpine opens a link to complete the XOAUTH2
    authorization stage, and while doing so it can complete two-factor
    authentication.

4. Alpine does not attempt to access data that it is not allowed to. This
    means that Alpine will not attempt to access contacts or calendar
    information that it is not allowed to. The only access that is required
    to run Alpine is to be able to fully manage email: read, delete, modify
    and send email.

5. Alpine is already widely deployed across the world. Alpine is
    distributed by all mayor linux distributions: Ubuntu, Debian, Fedora,
    Opensuse and many more. Its user basis comes mostly from North America
    and Europe, and internet searches show that it is used in universities
    across the world. Here are some links that show administrators at
    places around the world helping users configure Alpine to access their
    servers:

    https://kb.mit.edu/confluence/pages/viewpage.action?pageId=164758928
    https://engineering.purdue.edu/ECN/Support/KB/Docs/UsingAlpinewitho365
    https://espace.cern.ch/mmmservices-help/AccessingYourMailbox/Alpine/Pages/default.aspx

    There are many more.

6. The implementation of Alpine using XOAUTH2 has been available for
    years. This means it has also been tried and tested by many users
    around the world. If there had been any problems or security
    concerns with its implementation those problems would already by
    posted somewhere. The only problems that have been reported for Alpine
    in the last few years can be seen for example at this page:

    https://www.cvedetails.com/vulnerability-list/vendor_id-23410/product_id-86426/Alpine-Project-Alpine.html

    The fact that this page exists shows that Alpine is widely used around
    the world.

7. The developer of Alpine is active in forums, answers to personal
    email, takes bug reports seriously and addresses them. If any
    administrator wishes to contact me directly to address any concerns I
    am happy to speak to them by any means (email, phone, zoom, etc.)

8. Alpine is in constant development and its code is publicly available
    and can be found at

    https://repo.or.cz/alpine.git

    so anyone can review its code at any time.

9. Users have used Alpine for years and amassed a big amount of email
    distributed over many folders over years. They have been able to access
    that email and all information in it with Alpine and losing Alpine
    access might have a devastating effect over the user. This is
    particularly troublesome for users that do research in universities
    across the world that need that access.

I hope this helps all of us to talk to administrators and help them see
that Alpine is a safe email program. Its interface makes managing email
efficient and convenient and that is preferred by many users instead of
other more common alternatives that do not match the usage habits of some
users of the email service but still makes them efficient workers in their
institution.

--
Eduardo
_______________________________________________
Alpine-info mailing list
Alpine-info at u.washington.edu<mailto:Alpine-info at u.washington.edu>
http://mailman12.u.washington.edu/mailman/listinfo/alpine-info


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman12.u.washington.edu/pipermail/alpine-info/attachments/20220502/ec74612f/attachment.html>