The HUGE problem with OAuth is there is no common way to specify authentication links, so authentication must be manually configured for every mail service with OAuth support. We use IMAP/SMTP+Oauth to collect mail from Gmail/Yahoo/Hotmail/Outlook/Yandex and we prefer for everyone to use OAuth to collect mail from Mail.Ru to prevent cleartext passwords storage.
Because anyway everyone is using Google's proprietary XOAUTH, it could be nice for Google to add some extension for authentication service detection to indicate URI user should be sent to authenticate. It can help to make OAuth more universal without the need to have manual settings for every mail server and to solve the problem with cleartext password storage for everyone, including Google itself. P.S. There RFC 7628/RFC 7591/draft-ietf-oauth-discovery but it doesn't solve the problem either, because there is still no clear instructions on how to discover OAuth links for SMTP/IMAP servers and there are no BCPs due to lack of implementations. Creating BCPs with XOAUTH can help to improve/extend this set of standards in future. 11.11.2017 0:52, Brandon Long via mailop пишет: > > > > On Fri, Nov 10, 2017 at 8:11 AM Rob Nagler <mailop-bp...@q33.us > <mailto:mailop-bp...@q33.us>> wrote: > > > Does Gmail ask for the POP3 password every time, or do they > store it ? > > > They store it. Just like they do with SMTP passwords. > > > On the one hand, I totally sympathize with that position, though the > difference between having it on some device that can be lost/hacked vs > a cloud service... I guess cloud services can be hacked in bulk, but > chances are your users are already just re-using their email password, > and so that ship has sailed. > > I haven't kept up with oauth recently, have they solved the discovery > problem? If so, I can file a bug to have our pop fetcher switch to > support oauth, but that would come with a bunch of work on your end to > support that (I don't think anything supports that out of the box yet). > > There's also Gmailify instead of pop fetch. It uses IMAP and oauth, > but it has a small whitelist of services it works with, partially due > to oauth, partially due to IMAP being a more complicated protocol, and > mostly just being overly cautious. > > Brandon > > > _______________________________________________ > mailop mailing list > mailop@mailop.org > https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop -- Vladimir Dubrovin @Mail.Ru
_______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
