Re: [MlMt] MailMate, Gmail, & OAUTH2 verification
iCloud similarly uses 3rd party app passwords in their (Apple ID) account structure. Keep in mind that in the case of multiple accounts, you (may) need specific passwords per account and per application. In my case, there are two apps which access iCloud server accounts - one for Mail (MM), the other for Contacts (Busy Contacts).

Respectfully,
Henry Seiden
- -
Techworks Pro Co.
E: infotechworksprocom
W: http://techworkspro.com

On 20 May 2022, at 14:27, Sam Birch wrote:

> They use app passwords for third party clients rather than OAuth.

___
mailmate mailing list
mailmate@lists.freron.com
https://lists.freron.com/listinfo/mailmate
Re: [MlMt] MailMate, Gmail, & OAUTH2 verification
Don’t wanna dig into this very much here but in those cases, I would personally give a warning to the user and if they didn’t take heed, then disable forwarding for them or the entire organization. I haven’t had to do this myself but I have seen it discussed…

- - -

On 20 May 2022, at 11:48, Sam Birch wrote:

> On 20 May 2022, at 14:37, Antonio Leding wrote:
>
> > “…how much of a hassle maintaining an email server is…”
> >
> > I would disagree here - I’ve been running my own Postfix + Dovecot server for over 9 years with very little maintenance or headache. I will concede a small bit of an initial learning curve but that exists with any tech so I chalk that up to education. Once I got it up and running, maintenance has been minimal as it pretty much just runs…
>
> I’m glad you’ve had an easy time of things. I administrate an Exim + SpamAssassin + ClamAV + Dovecot system with around sixty users.
>
> For me the biggest source of problems is when my users configure their accounts to forward messages to one of the big webmail providers. As I’m sure you know, this inevitably results in spam being forwarded, despite pretty aggressive filtering at SMTP time. Despite my best efforts, Google or Microsoft wake up some days and decide to blackball my mail server, and their policies are so opaque that it’s impossible to understand how to get back into their good graces.
>
> It’s shit like that that’s worth $5/month to me, and why I don’t use my own mail service any more.
>
> Cheers,
> -sam
Re: [MlMt] MailMate, Gmail, & OAUTH2 verification
On 20 May 2022, at 14:37, Antonio Leding wrote:

> “…how much of a hassle maintaining an email server is…”
>
> I would disagree here - I’ve been running my own Postfix + Dovecot server for
> over 9 years with very little maintenance or headache. I will concede a
> small bit of an initial learning curve but that exists with any tech so I
> chalk that up to education. Once I got it up and running, maintenance has
> been minimal as it pretty much just runs…

I’m glad you’ve had an easy time of things. I administrate an Exim + SpamAssassin + ClamAV + Dovecot system with around sixty users.

For me the biggest source of problems is when my users configure their accounts to forward messages to one of the big webmail providers. As I’m sure you know, this inevitably results in spam being forwarded, despite pretty aggressive filtering at SMTP time. Despite my best efforts, Google or Microsoft wake up some days and decide to blackball my mail server, and their policies are so opaque that it’s impossible to understand how to get back into their good graces.

It’s shit like that that’s worth $5/month to me, and why I don’t use my own mail service any more.

Cheers,
-sam
Re: [MlMt] MailMate, Gmail, & OAUTH2 verification
“…how much of a hassle maintaining an email server is…”

I would disagree here - I’ve been running my own Postfix + Dovecot server for over 9 years with very little maintenance or headache. I will concede a small bit of an initial learning curve but that exists with any tech so I chalk that up to education. Once I got it up and running, maintenance has been minimal as it pretty much just runs…

- - -

On 20 May 2022, at 11:27, Sam Birch wrote:

> On 20 May 2022, at 2:16, Benny Kjær Nielsen wrote:
>
> > In that blog post I write: “If the provider stops supporting other authentication schemes (which is almost true for Google) then the provider has the power to decide which email clients are allowed to access Gmail.”
>
> I’d like to remind folks that there are several other top-tier email service providers that have less motivation for user lock-in. They generally charge a few dollars a month, which IMO is a bargain given how much of a hassle maintaining an email server is. And it’s nice to be the customer rather than the product being sold once in a while.
>
> My personal favorite is Fastmail. They use app passwords for third party clients rather than OAuth.
>
> Cheers,
> -sam
Re: [MlMt] MailMate, Gmail, & OAUTH2 verification
On 20 May 2022, at 2:16, Benny Kjær Nielsen wrote:

> In that blog post I write: “If the provider stops supporting other
> authentication schemes (which is almost true for Google) then the provider
> has the power to decide which email clients are allowed to access Gmail.”

I’d like to remind folks that there are several other top-tier email service providers that have less motivation for user lock-in. They generally charge a few dollars a month, which IMO is a bargain given how much of a hassle maintaining an email server is. And it’s nice to be the customer rather than the product being sold once in a while.

My personal favorite is Fastmail. They use app passwords for third party clients rather than OAuth.

Cheers,
-sam
Re: [MlMt] MailMate, Gmail, & OAUTH2 verification
Thanks Benny - great feedback…

- - -

On 19 May 2022, at 23:16, Benny Kjær Nielsen wrote:

> On 19 May 2022, at 23:34, Antonio Leding wrote:
>
> > A few days ago, I ran across a post discussing the upcoming Google mandate that all Gmail users must use OAUTH2. My understanding is that this has been working in MM for quite a while so no issue there.
>
> Yes, the mandate might be new but password-based access to Gmail accounts has not worked well for many years. I never found out the exact triggers, but users would often have to sign in to webmail to “unlock” an account for IMAP/SMTP access. I also think default Gmail settings changed to not allowing it by default (I might be wrong on that one).
>
> MailMate has worked with Gmail/OAuth2 for almost seven years. I wrote about my concerns at the time and that's basically how I still feel about the subject:
>
> https://blog.freron.com/2015/is-oauth2-support-a-good-thing/
>
> In that blog post I write: “If the provider stops supporting other authentication schemes (which is almost true for Google) then the provider has the power to decide which email clients are allowed to access Gmail.”
>
> This is no longer an “if” statement, but in practice it doesn't change much since password-access did not work well anyways (in my experience).
>
> > The part that got me wondering is this - this post stated that some apps may need to undergo an annual Google verification process and that this could cost the devs several hundred or thousands of dollars per year.
>
> Initially, Google told me the same thing 7 years ago after I went through a long and tedious series of steps to “verify” MailMate. Fortunately, a desktop email application like MailMate does not match the conditions stated by Google for the security assessment requirement (see the end of this email).
>
> > I have no idea if this applies to Mailmate but since I had not seen anything about this specific topic, I thought I would raise it if only to have the feedback be “No concern - we’re all good to go.”
>
> I don't have statistics, but I assume most MailMate users have OAuth2 enabled for Gmail (it's the default behavior). In general, I cannot say “No concern” since that would contradict my blog post :)
>
> > https://support.google.com/cloud/answer/9110914
>
> The important part of what you linked to is this:
>
> “To help keep user data safe, every app that requests access to restricted scope Google user’s data and has the ability to access data from or through a third party server is required to go through a security assessment from Google empanelled security assessors.”
>
> MailMate does not have the ability to “access data from or through a third party server”.
>
> --
> Benny
Re: [MlMt] MailMate, Gmail, & OAUTH2 verification
Hi Antonio,

That was likely an either/or scenario, fully played out by Google. I’ve been using OAUTH2 for several accounts on Google. Others - iCloud (Apple), Outlook (MS), Yahoo have new methods of verifying accounts with SSL. Both adapt fairly well to email clients like MailMate for me.

Yahoo! has one quirk I wish Benny would fix in MM. Don’t know if it’s related, but what happens is that Yahoo cannot verify the account if the laptop is moved to a new locale or IP address (not always a different router). It fails authorization/recognition by the server. Then requires me to take that account off line and re-register it (log it back in). Yahoo becomes happy again, until the next time.

Benny, care to comment about this one and how you want me to report it as a bug? I’ve been seeing it in all 1.14 releases tried on this server only, including Test Builds for a while now. Currently on 1.14 r5895, MacOS 12.1.3 (Monterey).

Respectfully,
Henry Seiden
- -
Techworks Pro Co.
E: infotechworksprocom
W: http://techworkspro.com

On 19 May 2022, at 17:34, Antonio Leding wrote:

> Hello MM community,
>
> A few days ago, I ran across a post discussing the upcoming Google mandate that all Gmail users must use OAUTH2. My understanding is that this has been working in MM for quite a while so no issue there.
>
> The part that got me wondering is this - this post stated that some apps may need to undergo an annual Google verification process and that this could cost the devs several hundred or thousands of dollars per year.
>
> I have no idea if this applies to Mailmate but since I had not seen anything about this specific topic, I thought I would raise it if only to have the feedback be “No concern - we’re all good to go.”
>
> If I have overlooked a previous discussion on this topic, please accept my mea culpa.
>
> Thanks in advance for reading…
>
> https://support.google.com/cloud/answer/9110914
Re: [MlMt] MailMate, Gmail, & OAUTH2 verification
On 19 May 2022, at 23:34, Antonio Leding wrote:

> A few days ago, I ran across a post discussing the upcoming Google mandate
> that all Gmail users must use OAUTH2. My understanding is that this has been
> working in MM for quite a while so no issue there.

Yes, the mandate might be new but password-based access to Gmail accounts has not worked well for many years. I never found out the exact triggers, but users would often have to sign in to webmail to “unlock” an account for IMAP/SMTP access. I also think default Gmail settings changed to not allowing it by default (I might be wrong on that one).

MailMate has worked with Gmail/OAuth2 for almost seven years. I wrote about my concerns at the time and that's basically how I still feel about the subject:

https://blog.freron.com/2015/is-oauth2-support-a-good-thing/

In that blog post I write: “If the provider stops supporting other authentication schemes (which is almost true for Google) then the provider has the power to decide which email clients are allowed to access Gmail.”

This is no longer an “if” statement, but in practice it doesn't change much since password-access did not work well anyways (in my experience).

> The part that got me wondering is this - this post stated that some apps may
> need to undergo an annual Google verification process and that this could
> cost the devs several hundred or thousands of dollars per year.

Initially, Google told me the same thing 7 years ago after I went through a long and tedious series of steps to “verify” MailMate. Fortunately, a desktop email application like MailMate does not match the conditions stated by Google for the security assessment requirement (see the end of this email).

> I have no idea if this applies to Mailmate but since I had not seen anything
> about this specific topic, I thought I would raise it if only to have the
> feedback be “No concern - we’re all good to go.”

I don't have statistics, but I assume most MailMate users have OAuth2 enabled for Gmail (it's the default behavior). In general, I cannot say “No concern” since that would contradict my blog post :)

> https://support.google.com/cloud/answer/9110914

The important part of what you linked to is this:

“To help keep user data safe, every app that requests access to restricted scope Google user’s data and has the ability to access data from or through a third party server is required to go through a security assessment from Google empanelled security assessors.”

MailMate does not have the ability to “access data from or through a third party server”.

--
Benny
[MlMt] MailMate, Gmail, & OAUTH2 verification
Hello MM community,

A few days ago, I ran across a post discussing the upcoming Google mandate that all Gmail users must use OAUTH2. My understanding is that this has been working in MM for quite a while so no issue there.

The part that got me wondering is this - this post stated that some apps may need to undergo an annual Google verification process and that this could cost the devs several hundred or thousands of dollars per year.

I have no idea if this applies to Mailmate but since I had not seen anything about this specific topic, I thought I would raise it if only to have the feedback be “No concern - we’re all good to go.”

If I have overlooked a previous discussion on this topic, please accept my mea culpa.

Thanks in advance for reading…

https://support.google.com/cloud/answer/9110914