On 25/04/2020 22:22, shlomo solomon wrote:

Google/Gmail has decided to drive me crazy and I hope someone can help.

> 5 - to allow this, I have Gmail set up to allow POP access and my
> Google account set up to allow "Less secure app access" (Google-speak
> for anything not provided or controlled by Google).

No, that's not what allowing "Less secure app access" means.

It used to be that you had one password to an account (say, your Gmail account), and knowing that password would automatically give every permission to whoever provided it. But as more and more things need to interface with each other today, it is now common to break the security up such that:

a) There is still indeed one main account password (potentially aided by a 2nd factor), however ...

b) That account password is ONLY used with the main interface - in Google's case, the "accounts.google.com" domain; and that once you log in there

c) You can delegate specific, limited access to different applications through that interface.

Now, as long as you're within the Google system (e.g. YouTube, Calendar, Hangouts, etc.), this is all handled internally. But as soon as you exit that system, e.g. by using Thunderbird or Claws, you have some friction with the delegation step (c).

One way supported by Google (and Facebook, and Apple, and others) is OAuth2: that app makes a request to Google for specific permissions; you log in to accounts.google.com (after being redirected into it by that app), and Google asks you to approve the specific permissions requested by that app or website. If you do, that app/site gets a "token" (for all practical purposes, a username+password for that app/site uniquely generated for that approval process) that they can use, but that is limited to exactly those permissions that the app requested and that you approved. Thunderbird has a "Google" connector these days which does exactly that.

For older applications which do not support OAuth2, you can just go in and generate an "App specific password" and specify those permissions yourself; that's what you need to do for Claws. What you get is a password that (assuming you asked for smtp/imap access) only works for smtp/imap, and cannot be used to e.g. log into the Gmail web applications and set up new forwards/filters. I do not know, but I suspect, that they expect this password to be strictly used by one app - e.g., I expect them to reject it if one day they see it being used from Claws and the next day by Outlook (this information is sometimes available directly in the protocol itself - e.g. Claws and Thunderbird put a "User-Agent" MIME header when they send a message - and is sometimes inferred - e.g., if you have an X-MS-TNEF header, it's Outlook).

The rationale behind this system is not to give Google more control (it's not like you previously could add forwarding setup through imap/pop3) - but rather to limit the probability that your main, all-powerful password would leak from systems like Thunderbird or Claws or PEBKAC which Google cannot directly secure. (There is, of course, a very businessy reason here as well - sites like LinkedIn and Facebook used to ask you for your mail username/password, "so we could make it easier for you to see who of your contacts is in our system and send them invites", which is a bad idea for everyone involved except LinkedIn/Facebook - especially Google, who competes with them; the speed bump and warning "they can READ YOUR MAIL" significantly decreased the viability of this spying method, to the point that LinkedIn and Facebook dropped it - opting instead to ask for those permissions on their mobile app...)

So, disabling "less secure app access" basically means "I will only use my main google password on the google web site, not in any other way", which is generally good for you.

> BUT, in the past few weeks, Gmail has randomly refused to let Claws
> access my mail. Sometimes this lasts for a short time and sometimes
> for hours or even a day or more.

> The Claws log shows:
>
> * Account 'GMail': Connecting to POP3 server: pop.gmail.com:995...
> [21:49:25] POP< +OK Gpop ready for requests from 89.237.110.180
> s20mb165349719wra
> [21:49:25] POP> USER shlomo.solo...@gmail.com
> [21:49:25] POP< +OK send PASS
> [21:49:25] POP> PASS ********
> [21:49:25] POP< -ERR [AUTH] Web login required:
> https://support.google.com/mail/answer/78754
> *** error occurred on authentication
> *** Authentication failed.

I have experienced this before several times, and 95% of the time it is when I am outside Israel, which likely triggers the Google hacking/fraud detection system, as I am using an IP that doesn't fit my standard usage profile. If you have changed your ISP recently, either your home or mobile, or occasionally use a VPN or Tor and have used your account in non-standard (for you) context, that is a likely cause.

Gmail accounts are highly sought by spammers as they have virtually no deliverability problems, and thus creating or stealing Google accounts is continuously attempted on a mass scale; Google spends a lot of effort fighting against this, and they have more false hacking positives than ideal, especially for people outside the Win+Chrome norm such as yourself.

> The only thing I HAVE NOT tried (because I'm afraid it will make
> things worse rather than better) is to set up two-factor
> authentication and use an app password - I also have no idea how this
> works (or doesn't work) in Claws mail.

Last I used it, the 2fa and app passwords were independent settings; you should be able to disable "less secure app access" and set up application specific passwords without setting up 2fa. Once it works, it's actually better - generate an app password for e.g. your phone, and one for your laptop, and if one of them is lost you can revoke only that one -- while at the same time, be sure that even if you didn't revoke it in time, and a bad actor was able to retrieve the password from your mail program before you realized the device was lost -- they still could not use that app password to change your main password and lock you out of your account, or other bad things - only read/send mail (which is bad enough, granted, but not nearly as bad).

And as I wrote above, after a while, the problem solves itself.

> And one more thing - I have additional Gmail accounts with the same
> setup and Gmail DOES allow Claws mail access, while denying access to
> my main account. So that's also weird.

No specific knowledge, but my inference is that Google has a "probable use profile" for every account, which includes a list of devices, browser versions, geographical locations, ISPs, times of day, distribution of emails replied per day, distribution of emails originated per day, average number of new contacts/addresses per day, etc. -- that's useful both for targeted advertising and to figure out if the account has been hacked. For whatever reason, if my model is right, then from your description this specific account seems to occasionally step outside of its "probable use profile" - either because of things *you* do (such as VPN, Tor, travel, etc.) or because it's on the model's boundary all the time but *Google* tweaks some parameters (as they do often) and sometimes you end up on the improbable side.

Additionally, you wrote you're forwarding *out* of Google and into your own domain - from what I gather, this should be fine. However, if you also have a catchall (or otherwise many accounts) that forward *into* a google account, I suspect based on my previous research that this would push you toward the hacked/spammer/improbable category.

And last but not least - do not assume that no one is trying to hack into your account. It's possible that Google's hacking detection was actually triggered by a hacking attempt you are not aware of, and that they ask you to do a web login because they have much better control and authentication on that front.


_______________________________________________
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
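An added example (not code from the thread or from Claws) showing the two credential shapes the reply describes at the POP3 level: an app password sent with USER/PASS, and an OAuth2 access token wrapped as a SASL XOAUTH2 initial response. It also classifies the "-ERR [AUTH] Web login required" line from the quoted log so a client can tell an account-side block from a plain bad password. The sample error line is constructed from the log; `pop3_login` assumes a reachable pop.gmail.com and a valid app password or token.

```python
import base64
import poplib
import re
import ssl

# Constructed sample of the -ERR line in the quoted Claws log (re-joined
# onto one line; the log wrapped the URL).
SAMPLE_WEB_LOGIN_ERR = ("-ERR [AUTH] Web login required: "
                        "https://support.google.com/mail/answer/78754")
WEB_LOGIN_RE = re.compile(r"\[AUTH\] Web login required:\s*(https?://\S+)")


def xoauth2_initial_response(user, access_token):
    """SASL XOAUTH2 initial client response used with 'AUTH XOAUTH2':
    base64("user=" + user + ^A + "auth=Bearer " + token + ^A + ^A).
    This is how an OAuth2 'token' is presented instead of a password."""
    raw = "user=%s\x01auth=Bearer %s\x01\x01" % (user, access_token)
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def classify_pop_error(err):
    """Map a POP3 -ERR line (bytes or str) to (kind, url)."""
    text = err.decode("utf-8", "replace") if isinstance(err, bytes) else str(err)
    m = WEB_LOGIN_RE.search(text)
    if m:   # account-side block: a correct password will not help here
        return ("web_login_required", m.group(1))
    if "[AUTH]" in text:   # wrong or revoked app password / token
        return ("auth_failed", None)
    return ("other", None)


def pop3_login(user, secret, use_oauth=False, host="pop.gmail.com", port=995):
    """POP3-over-TLS login with an app password (USER/PASS) or, with
    use_oauth=True, an OAuth2 access token (AUTH XOAUTH2).
    Returns (True, (msg_count, mailbox_bytes)) or (False, (kind, url))."""
    conn = poplib.POP3_SSL(host, port, context=ssl.create_default_context())
    try:
        if use_oauth:
            # poplib has no public AUTH helper, so use its private _shortcmd.
            # A '+ ' continuation means the token was rejected: the server
            # waits for an empty line and then replies with the real -ERR.
            resp = conn._shortcmd("AUTH XOAUTH2 " + xoauth2_initial_response(user, secret))
            if resp.startswith(b"+ "):
                conn._shortcmd("")
        else:
            conn.user(user)
            conn.pass_(secret)
        return (True, conn.stat())
    except poplib.error_proto as exc:
        return (False, classify_pop_error(exc.args[0]))
    finally:
        try:
            conn.quit()
        except (poplib.error_proto, OSError):
            pass
```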
