Re: Mutt on ssl gmail allow unsecure apps == off = webalert
* Ben Fitzgerald benfi...@gmail.com [2015-06-26 17:16:20]:
On Fri, Jun 26, 2015 at 10:28:45PM +0200, Andrzej Popielewicz wrote:
* Mick michaelkintz...@gmail.com [2015-06-25 17:07:37]:

I have just tested. It works. In order to begin the game You have to switch on two-stage verification, being in Your Gmail account. After verification using code sent to You via SMS You are able to set application passwords. I have set three passwords, for Thunderbird, for my old Galaxy phone and for mutt of course. Setting the password for Galaxy Tab was not needed, during login verification code was sent via SMS, it means original gmail password is preserved. And all three passwords work. This operation has to be done only once. In the case of mutt You simply modify imap_pass. So now we can say mutt is secure in the sense of google two-stage verification. I like it.

Hi Andrzej

yes just followed your instructions and I'm happily writing this from mutt. As you say you just need to update imap_pass, setting smtp_pass (at least for me) was not required. What a great response from this mailing list.

Ben.

Well, I did not test sending yesterday yet. I did it today. The result is that one has to use application password also for smtp folder too. In fact I do not use imap_pass. Because I have many imap accounts I have to use folder hooks, and I set password using the syntax user:pass@host. If You use single variable for imap and smtp pass You have to modify only in one place. In any case sending works. On the other hand one could ask why not add to mutt the capability of sending verification code, obtained via SMS. I think it is the question rather to implementers of sasl library.

Andrzej
Re: Mutt on ssl gmail allow unsecure apps == off = webalert
On Fri, Jun 26, 2015 at 10:28:45PM +0200, Andrzej Popielewicz wrote:
* Mick michaelkintz...@gmail.com [2015-06-25 17:07:37]:

I have just tested. It works. In order to begin the game You have to switch on two-stage verification, being in Your Gmail account. After verification using code sent to You via SMS You are able to set application passwords. I have set three passwords, for Thunderbird, for my old Galaxy phone and for mutt of course. Setting the password for Galaxy Tab was not needed, during login verification code was sent via SMS, it means original gmail password is preserved. And all three passwords work. This operation has to be done only once. In the case of mutt You simply modify imap_pass. So now we can say mutt is secure in the sense of google two-stage verification. I like it.

Hi Andrzej

yes just followed your instructions and I'm happily writing this from mutt. As you say you just need to update imap_pass, setting smtp_pass (at least for me) was not required. What a great response from this mailing list.

Ben.
Re: Mutt on ssl gmail allow unsecure apps == off = webalert
* Mick michaelkintz...@gmail.com [2015-06-25 17:07:37]:
On Thursday 25 Jun 2015 16:13:35 Grant Edwards wrote:
On 2015-06-25, Ben Fitzgerald benfi...@gmail.com wrote:

I recently updated my google preferences and limited set allow unsecure apps to off. Later I tried to login to gmail with mutt and found it no longer worked as imap attempted AUTHENTICATE PLAIN over port 993 (SSL). I'm a little confused about why google consider this unsafe.

Ah, I think you've misunderstood what Google means by secure. Consider the usage "the prisoner is secure, sir!" It means closed, shut, locked, under control. As in closed, shut, and locked _by_Google_, and 100% under control _of_Google_. Mutt has not been secured by Google, therefore it is not secure. 1/2 ;) I still use Google for e-mail, because it sucks less than all the other options I've tried...

Yes, I think Grant is right, but there may be more to it ... After some googling, but please correct me if I got it wrong, I came to the conclusion that Google considers a single step authentication insecure. Since mail clients typically use a username + passwd they will be deemed as less secure. If you use a 2 step authentication you will need to create an application specific password as described here:

https://support.google.com/mail/answer/1173270?hl=en

then use this in mutt accordingly:

  set imap_pass = GOOGLE_APPLICATION_PASSWORD
  set smtp_pass = GOOGLE_APPLICATION_PASSWORD

I suspect that this approach will no longer cause a problem if Access for less secure apps is turned off. If however it still blocks login by mutt, then Google will expect that the mail client complies with XOAUTH2:

https://developers.google.com/gmail/oauth_overview

So the question probably is: Does mutt comply with XOAUTH2 and will it send OAuth 2.0 Access Tokens to the server?

A paragraph in the above link states:

As long as these libraries support the Simple Authentication and Security Layer (SASL), they should be compatible with the SASL XOAUTH2 mechanism supported by Gmail.

I suspect that secure mobile client apps use the Google API directly with OAuth 2.0 Access Tokens when they authenticate with Gmail/Calendar/etc. but I haven't looked into it any more than this.

--
Regards,
Mick

I have just tested. It works. In order to begin the game You have to switch on two-stage verification, being in Your Gmail account. After verification using code sent to You via SMS You are able to set application passwords. I have set three passwords, for Thunderbird, for my old Galaxy phone and for mutt of course. Setting the password for Galaxy Tab was not needed, during login verification code was sent via SMS, it means original gmail password is preserved. And all three passwords work. This operation has to be done only once. In the case of mutt You simply modify imap_pass. So now we can say mutt is secure in the sense of google two-stage verification. I like it.

Andrzej
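[Added example, not part of any message in this thread.] The two SASL mechanisms discussed above, AUTHENTICATE PLAIN (RFC 4616) and Gmail's XOAUTH2, differ in what the client's initial response carries; this sketch builds and decodes both to show that each is only base64 framing, so the TLS session on port 993 is what protects the secret in transit. The address, password and token are constructed sample values.

```python
import base64

def sasl_plain(user: str, password: str, authzid: str = "") -> str:
    """RFC 4616 PLAIN: authzid NUL authcid NUL passwd, base64-encoded for IMAP."""
    for field in (authzid, user, password):
        if "\x00" in field:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    raw = f"{authzid}\x00{user}\x00{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def sasl_xoauth2(user: str, access_token: str) -> str:
    """XOAUTH2: 'user=' addr ^A 'auth=Bearer ' token ^A ^A, base64-encoded."""
    if "\x01" in user or "\x01" in access_token:
        raise ValueError("Ctrl-A is the field separator and cannot appear in a value")
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def decode_initial_response(mechanism: str, b64: str) -> dict:
    """Recover what a server (or anyone who sees the cleartext) gets from the blob."""
    raw = base64.b64decode(b64, validate=True).decode("utf-8")
    if mechanism == "PLAIN":
        parts = raw.split("\x00")
        if len(parts) != 3:
            raise ValueError("PLAIN needs exactly three NUL-separated fields")
        return {"user": parts[1], "secret": parts[2], "kind": "password"}
    if mechanism == "XOAUTH2":
        if not raw.endswith("\x01\x01"):
            raise ValueError("XOAUTH2 response must end with two Ctrl-A bytes")
        fields = dict(kv.split("=", 1) for kv in raw[:-2].split("\x01"))
        scheme, _, token = fields["auth"].partition(" ")
        if scheme != "Bearer":
            raise ValueError("unexpected auth scheme")
        return {"user": fields["user"], "secret": token, "kind": "oauth2-access-token"}
    raise ValueError(f"unsupported mechanism: {mechanism}")

# Constructed sample values, not real credentials.
USER = "someuser@example.com"
APP_PASSWORD = "abcdabcdabcdabcd"        # stands in for an application password
ACCESS_TOKEN = "constructed-access-token"  # stands in for an OAuth 2.0 access token

if __name__ == "__main__":
    for mech, blob in (("PLAIN", sasl_plain(USER, APP_PASSWORD)),
                       ("XOAUTH2", sasl_xoauth2(USER, ACCESS_TOKEN))):
        print(f"AUTHENTICATE {mech} {blob}")
        print("  decodes to:", decode_initial_response(mech, blob))
```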
Re: Mutt on ssl gmail allow unsecure apps == off = webalert
On Wed, Jun 24, 2015 at 10:48:37PM -0400, Ben Fitzgerald wrote:

I'm a little confused about why google consider this unsafe. I'd like to understand this better so if anyone has pointers to reading up do please post, however my primary reason for posting is to ask if it's possible to use mutt to comply with gmail security *without* having to turn on allow insecure apps.

Not just mutt, they consider any third party email application insecure. I have no idea why.

--
Suvayu

Open source is the future. It sets us free.
Mutt on ssl gmail allow unsecure apps == off = webalert
Hi

I recently updated my google preferences and limited set allow unsecure apps to off. Later I tried to login to gmail with mutt and found it no longer worked as imap attempted AUTHENTICATE PLAIN over port 993 (SSL).

I'm a little confused about why google consider this unsafe. I'd like to understand this better so if anyone has pointers to reading up do please post, however my primary reason for posting is to ask if it's possible to use mutt to comply with gmail security *without* having to turn on allow insecure apps.

Perhaps someone will post telling me google are wrong and it's fine to turn this off. I'm open to hearing this also provided I understand why.

Regards,
Ben F
Re: [Dovecot] Trying to explain mutt+dovecot(ssl) to myself :(
On Mon, Apr 23, 2007 at 09:37:38PM +0800, Wilkinson, Alex wrote:

Hi all,

I have recently migrated my mail from courier-imap to dovecot. In doing so, I finally configured mutt to connect to imaps (SSL). In the end I got it all working. I then sat back and thought: I kinda don't understand the SSL/TLS part even though it works. And I hate setting stuff up and not truly understanding the mechanics of it. So I started to write about it and am stuck. Can those that _understand_ mutt+ssl have a read of what I wrote to myself and give me your $00.02 worth (corrections etc).

Trying to explain mutt+ssl and getting it all wrong
---
* mutt (with openssl support built in) initiates with a SSL-Client-Hello to SSL on port 993 i.e. mutt's capabilities (algorithms, SSL version etc).
* dovecot:993 compares mutt's CipherSuites with its own. Of the CipherSuites mutt and dovecot have in common, dovecot:993 chooses the _most_ secure algorithm.
* Dovecot:993 will then tell mutt what it has decided to use and assigns a Unique session ID. From now on all communication is via this ID.
* Now that the CipherSuite is set between mutt and dovecot, dovecot sends its SSL certificate to mutt [/usr/local/share/dovecot/certs/dovecot.pem]. mutt then uses dovecot's corresponding public key [/usr/local/share/dovecot/private/dovecot.pem] to verify that the certificate is authentic.
* once mutt has verified that the certificate is authentic ... and here I got unstuck.

I'm doing a similar migration, and am interested in this thread. Presumably it's not just Mutt which would need to operate in this fashion, it's everything which uses openSSL as the basis of its secure communication.

What I *think* *should* happen thereafter is:

* The Client generates a 'one-time' key based on a random number and the negotiated encryption algorithm
* The key is encrypted using the server's public key, and transmitted to the server (it's too costly to do bulk encryption using public-key methods)
* The server decrypts this encrypted 'one-time' key (which only the server can do)
* All further traffic between client and server is encrypted using this 'one-time' key. (There can be periodic new 'one-time' keys generated as an extra means of helping to prevent man-in-the-middle attacks)

That's how I understand things to work in openSSL, but I too find the whole business difficult to grasp.

Cheers,
Terry

Cheers
-aW

IMPORTANT: This email remains the property of the Australian Defence Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914. If you have received this email in error, you are requested to contact the sender and delete the email.
Re: mutt and ssl
Hi!

...and then [EMAIL PROTECTED] said...
% Why build with ssl?

Well, I assume you're not looking for an answer like "so it's available", so...

SSL stands for something like Secure Socket Layer, and it's a method of encryption for your network traffic between you and a server. It's what web browsers use to make an https: connection, and what people who don't like to send passwords in the clear use to make the equivalent of a telnet connection.

For more info on this sort of thing, check out www.openssh.org and follow a few links.

:-D
--
David T-G * It's easier to fight for one's principles
(play) [EMAIL PROTECTED] * than to live up to them. -- fortune cookie
(work) [EMAIL PROTECTED]
http://www.bigfoot.com/~davidtg/ Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
The "new millennium" starts at the beginning of 2001. There was no year 0.
Note: If bigfoot.com gives you fits, try sector13.org in its place. *sigh*
Re: mutt and ssl
Why build with ssl?

On Sun, May 28, 2000 at 10:14:03PM -0400, David T-G muttered:
| Norbert --
|
| ...and then Norbert Tretkowski said...
| % On Sun, May 28, 2000 at 04:03:36PM +0200, Stephan Seitz wrote:
| %
| % On Son, Mai 28, 2000 at 01:26:36 +0200, Norbert Tretkowski wrote
| % ../keymap.h:112: keymap_defs.h: No such file or directory
| %
| % Gnagnagna ;-)
| %
| % Wus? ;)
|
| I have a feeling that other folks might spell that "nyah nyah nyah".
| Imagine thumbs in his ears, too, as his hands wave around.
|
|
| %
| % That has nothing to do with IMAP and SSL.
| %
| % That problem does not exist when I compile mutt without SSL.
|
| Could it be because you did a make clean preparing for SSL, or because
| you didn't do one preparing your original mutt build? I forgot to look
| at your version, but this bug came up a while back.
|
|
| %
| % The file "keymap_defs.h" is missing. You can build it with "make
| % keymap_defs.h" after the configure-run.
| %
| % Anyway, now it works. Thanks!
|
| Glad to hear that :-)
|
|
| :-D
| --
| David T-G * It's easier to fight for one's principles
| (play) [EMAIL PROTECTED] * than to live up to them. -- fortune cookie
| (work) [EMAIL PROTECTED]
| http://www.bigfoot.com/~davidtg/ Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
| The "new millennium" starts at the beginning of 2001. There was no year 0.
| Note: If bigfoot.com gives you fits, try sector13.org in its place. *sigh*
|

--
/helfman
"At any given moment, you may find the ticket to the circus that has always been in your possession."
Fingerprint: 2F76 2856 776A 3E07 9F3E 452A 17D9 9B28 D75E 0A36
GnuPG http://www.gnupg.org Get Private! 1024D/D75E0A36
mutt and ssl
Hello,

I tried to compile Mutt 1.3.1i with --with-ssl and --enable-imap. But the following happened:

gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../intl -I/usr/include/ncurses -I/usr/local/ssl/include -I../intl -Wall -pedantic -g -O2 -c util.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../intl -I/usr/include/ncurses -I/usr/local/ssl/include -I../intl -Wall -pedantic -g -O2 -c imap_ssl.c
In file included from ../mutt_menu.h:23,
                 from imap_ssl.c:35:
../keymap.h:112: keymap_defs.h: No such file or directory
make[2]: *** [imap_ssl.o] Error 1
make[2]: Leaving directory `/usr/src/mutt-1.3.1/imap'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/src/mutt-1.3.1'
make: *** [all-recursive-am] Error 2

I am using OpenSSL 0.9.4, but I don't have that file on my hard disk. Any hints?

Regards/Gruesse, Norbert
--
Norbert Tretkowski, http://nexus.nobse.de
pub 1024D/0F7A8D01 1999-11-24 Norbert Tretkowski [EMAIL PROTECTED]
Fingerprint = 4A6B 2543 679D 43B0 2B63 5439 AFF4 670B 0F7A 8D01
Re: mutt and ssl
Hi!

On Son, Mai 28, 2000 at 01:26:36 +0200, Norbert Tretkowski wrote
../keymap.h:112: keymap_defs.h: No such file or directory

Gnagnagna ;-)

That has nothing to do with IMAP and SSL.

The file "keymap_defs.h" is missing. You can build it with "make keymap_defs.h" after the configure-run.

Shade and sweet water!

Stephan
--
| Stephan Seitz E-Mail: [EMAIL PROTECTED] |
| WWW: http://fsing.fs.uni-sb.de/~stse/ |
| PGP Public Keys: http://fsing.fs.uni-sb.de/~stse/pgp.html |
Re: mutt and ssl
On Sun, May 28, 2000 at 04:03:36PM +0200, Stephan Seitz wrote:

Hi!

On Son, Mai 28, 2000 at 01:26:36 +0200, Norbert Tretkowski wrote
../keymap.h:112: keymap_defs.h: No such file or directory

Gnagnagna ;-)

Wus? ;)

That has nothing to do with IMAP and SSL.

That problem does not exist when I compile mutt without SSL.

The file "keymap_defs.h" is missing. You can build it with "make keymap_defs.h" after the configure-run.

Anyway, now it works. Thanks!

Regards/Gruesse, Norbert
--
Norbert Tretkowski, http://nexus.nobse.de
pub 1024D/0F7A8D01 1999-11-24 Norbert Tretkowski [EMAIL PROTECTED]
Fingerprint = 4A6B 2543 679D 43B0 2B63 5439 AFF4 670B 0F7A 8D01
Re: mutt and ssl
Norbert --

...and then Norbert Tretkowski said...
% On Sun, May 28, 2000 at 04:03:36PM +0200, Stephan Seitz wrote:
%
% On Son, Mai 28, 2000 at 01:26:36 +0200, Norbert Tretkowski wrote
% ../keymap.h:112: keymap_defs.h: No such file or directory
%
% Gnagnagna ;-)
%
% Wus? ;)

I have a feeling that other folks might spell that "nyah nyah nyah". Imagine thumbs in his ears, too, as his hands wave around.

%
% That has nothing to do with IMAP and SSL.
%
% That problem does not exist when I compile mutt without SSL.

Could it be because you did a make clean preparing for SSL, or because you didn't do one preparing your original mutt build? I forgot to look at your version, but this bug came up a while back.

%
% The file "keymap_defs.h" is missing. You can build it with "make
% keymap_defs.h" after the configure-run.
%
% Anyway, now it works. Thanks!

Glad to hear that :-)

:-D
--
David T-G * It's easier to fight for one's principles
(play) [EMAIL PROTECTED] * than to live up to them. -- fortune cookie
(work) [EMAIL PROTECTED]
http://www.bigfoot.com/~davidtg/ Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
The "new millennium" starts at the beginning of 2001. There was no year 0.
Note: If bigfoot.com gives you fits, try sector13.org in its place. *sigh*