[conspire] Third-party (IMAP4, SMTP, OAUTH2) code access to GMail

Rick Moen rick at linuxmafia.com
Wed Apr 20 15:51:11 PDT 2022


For years, I've been hearing that Google's been putting more and
more technical obstacles in the way of using your own mail client
as your interface for a GMail account.  I honestly don't care much;
GMail can live or die and I really don't care how its users are
mistreated and why.

Old-school mail-client access is IMAP4 (downwards) and SMTP (upwards),
with any of a variety of authentication mechanisms.  The progressive
_technical_ difficulty for (specifically) GMail turns out to be Google's 
implementation of the IETF "OAuth 2.0" (crypto token) authentication
suite, popular for trendy implementations of "single sign on".  Google's 
extra-sauce implementation of OAuth 2.0 is called XOAUTH2 -- covered
here, and basically their way of wrapping OAuth 2.0 tokens into IMAP:
https://developers.google.com/gmail/imap/xoauth2-protocol

But what's news to me, in the following posting to the "alpine-info"
mailing list for the Alpine mail client (the modern rewrite of the Pine
mailer) is -- hullo! -- it is claimed Google, Inc. is also requiring a
(claimed but not _quite_ accurate --  investigated below) US $75,000 fee
to Google to "verify" any app (such as fetchmail) that wants to do this.

Below is archived at
http://mailman12.u.washington.edu/pipermail/alpine-info/2022-April/001162.html

Why an OAuth 2.0 implementation?  GMail is a _huge_ target for scammers 
of various sorts, e.g., for phishing and other online crime, so Google's
insistence on strong authentication is just common sense.

I tracked down the "$75,000/year" thing to
https://support.google.com/cloud/answer/9110914#zippy=%2Csteps-to-prepare-for-verification%2Csteps-to-submit-your-app%2Csecurity-assessment
:

  Every app that requests access to restricted scope Google user’s data
  and has the ability to access data from or through a third party server
  is required to go through a security assessment from Google empanelled
  security assessors. This assessment helps keep Google users’ data safe
  by verifying that all apps that access Google user data demonstrate
  capability in handling data securely and deleting user data upon user
  request. In order to maintain access to restricted scopes, the app will
  need to undergo this security assessment on an annual basis, this
  process is called the security reassessment, also known as annual
  recertification. The cost of the assessment typically varies between
  $10,000 -$75,000 (or more) depending on the size and complexity of the
  application; smaller applications may see costs at a lower threshold of
  $4,500. This fee may be required whether or not your app passes the
  assessment and will be payable by the developer. We expect that fees
  will include a remediation assessment if needed.

Following a link from there to "How long is the security assessment
valid for?":

  Apps accessing restricted scopes are required to reverify their app
  for compliance and complete a security assessment every 12 months from
  your Google LOA approval date to keep access to any verified restricted
  scopes. If your app is adding a new restricted scope, your app might
  need to be reassessed to cover the additional scope if it was not
  included in a prior security assessment.

  The Google review team will reach out to you via email once it’s time
  for your app to recertify. Keeping your Project Owner and Project Editor
  information up-to-date in your Cloud Console will ensure the right
  members of your team are notified of this annual enforcement.

{shrug}  Bottom line:  Them Googley people basically don't really _want_
you to use third-party mail apps for GMail, and are passive-aggressive
in saying so.

Easiest solution:  Don't outsource your key personal computing to the
second-nosiest corporation in the world.  Problem solved.  Somehow, the
planet will continue to rotate, and the alleged threat to open source 
turns out to not exist.

Proprietary hosted software company being asshats.  Shocked, shocked!
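As an added illustration of the XOAUTH2 wrapping mentioned above (this is example code written for this page, not code from the post, from Alpine, fetchmail, or Google), the following builds and inspects the SASL XOAUTH2 initial client response in the layout documented on the xoauth2-protocol page linked above: base64("user=" USER "^Aauth=Bearer " TOKEN "^A^A"). It also decodes the base64 JSON error that the server returns on a failed attempt, and shows what an administrator can safely log about such an attempt. The user name, token and tag values are constructed samples.

```python
import base64
import json
import re

# Added example, not code from the post, from Alpine, fetchmail, or Google.
# Layout from the xoauth2-protocol page: base64("user=" USER "^Aauth=Bearer " TOKEN "^A^A")
# All user names and tokens used here are constructed samples.

CTRL_A = "\x01"


def build_xoauth2_response(user: str, access_token: str) -> str:
    """Return the base64 client response for one user and one bearer token."""
    if CTRL_A in user or CTRL_A in access_token:
        raise ValueError("user and token must not contain the ^A separator")
    raw = f"user={user}{CTRL_A}auth=Bearer {access_token}{CTRL_A}{CTRL_A}"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def parse_xoauth2_response(encoded: str) -> dict:
    """Decode a client response, accepting only the exact documented shape."""
    raw = base64.b64decode(encoded, validate=True).decode("utf-8")
    m = re.fullmatch(r"user=([^\x01]+)\x01auth=Bearer ([^\x01]+)\x01\x01", raw)
    if m is None:
        raise ValueError("not a well-formed XOAUTH2 client response")
    return {"user": m.group(1), "token": m.group(2)}


def imap_authenticate_line(tag: str, user: str, access_token: str) -> str:
    """The IMAP command the client sends, initial response on the same line."""
    return f"{tag} AUTHENTICATE XOAUTH2 {build_xoauth2_response(user, access_token)}"


def describe_for_log(encoded: str) -> str:
    """What an administrator can safely log: the user and the token length,
    never the bearer token itself (it remains a usable credential until expiry)."""
    parsed = parse_xoauth2_response(encoded)
    return f"xoauth2 user={parsed['user']} token_len={len(parsed['token'])}"


def encode_server_error(status: str, scope: str) -> str:
    """Server-side failure in the documented shape: a continuation line '+ '
    followed by base64 JSON; the client then answers with an empty line."""
    body = json.dumps({"status": status, "schemes": "bearer mac", "scope": scope})
    return "+ " + base64.b64encode(body.encode("utf-8")).decode("ascii")


def decode_server_error(continuation: str) -> dict:
    """Decode the JSON carried in a failure continuation line."""
    if not continuation.startswith("+ "):
        raise ValueError("not an IMAP continuation response")
    return json.loads(base64.b64decode(continuation[2:]).decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample values; a real token comes from Google's OAuth 2.0 flow.
    user, token = "someone@example.com", "ya29.EXAMPLE-TOKEN-NOT-REAL"
    print(imap_authenticate_line("A01", user, token))
    print(describe_for_log(build_xoauth2_response(user, token)))
    err = encode_server_error("401", "https://mail.google.com/")
    print(err)
    print(decode_server_error(err))
```

The point of the strict parser and the `describe_for_log` helper is that the blob on the AUTHENTICATE line is not an opaque password: anyone who captures or logs it holds a bearer token that the server will accept until it expires, so mail servers and proxies should record the user and the outcome, not the token.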



Date: Tue, 19 Apr 2022 16:50:33 -0600 (MDT)
From: Eduardo Chappa <alpine.chappa at yandex.com>
To: Andrew C Aitchison <andrew at aitchison.me.uk>, Carl Edquist <gatetman at gmail.com>
Cc: alpine-info at u.washington.edu
Subject: Re: [Alpine-info] O365 XOAUTH2 via fetchmail

On Tue, 19 Apr 2022, Andrew C Aitchison wrote:

>> Has anyone gotten something like this working with fetchmail +
>> XOAUTH2 for O365?  A big thank you in advance if anyone has any
>> links, or personal tips, etc on getting this working...  
>
> This is somewhat off-topic.
> https://lists.sourceforge.net/lists/listinfo/fetchmail-users
> would be an appropriate place to ask.  

I thought initially the same but then I realized that Alpine users
might look for answers to their questions about Alpine in an Alpine
list instead of a fetchmail list. There are many programs that relate
to the use of Alpine and this is one of them, so I reconsidered and
thought it was appropriate too.

> [...]
> Matthias Andree, the fetchmail maintainer, is unhappy with the hoops
> gmail make him jump through to "register" fetchmail
> https://sourceforge.net/p/fetchmail/mailman/fetchmail-users/?viewmonth=202204&viewday=16
> If he cannot get fetchmail to use XOAUTH2 *without* registering the
> "app" he would appear to be considering whether dropping the feature
> is an option.  

This portion is both related and unrelated to Alpine.

There is nothing to register when you register really. Let me say it
this way. Anyone can go to Google and register Alpine or fetchmail or
mutt or firefox, etc. because they are open source applications and
what you need is a client-id and client-secret to run your app. That is
all.

I went through the process of registering Alpine not because I like
Google but because Alpine users need it. It does not matter how I feel
about the abuses of Google, Alpine users care about reading their email
and not my feelings about Google. I ended up giving Alpine users the
chance to get their own client-id and client-secret because that is
what a Google employee told me that we were going to come down to.

The real problem with Google is not the registration. It is the 
verification (of the app). It costs $75000 to verify an app every year. 
That is the minimum. I do not make money to give it to Google. I do not 
make money out of selling anything Alpine related to give it to Google.
Worse, no other company requires this. This is an abuse.

On the Google side they told me that it was the lawyers who did this,
as if it was a logical conclusion of some sort and it could not be
therefore modified. It guarantees security, they said, which is
something that Google sells (in its advertisements). By now it is too
late to do anything. No one can go against the giant, and above all I
am sorry people support Google by using their products. However,
despite my despise for Google, I will not make Alpine users make my
feelings be part of their experience, and I think the same should be
said about other programs that people depend on, such as fetchmail.

If there is one thing that I think XOAUTH2 is doing to programs like 
Alpine, fetchmail, etc., is that they are being replaced by other 
commercial apps completely. The requirement that a user authorizes an
app to access their email also is trumped by the requirement that the 
administrator authorizes the app to access their server, and that is a
big issue today as many administrators prefer not to allow apps with
which they are unfamiliar for the sake of security and privacy.

The real issue is that IMAP and SMTP are being deprecated by the fact
that OAUTH2 over HTTPS is sold as a secure/modern authentication, while
IMAP and SMTP are not. While it makes no sense to have this discussion
in this forum, it is an argument being used today not to allow users
to turn on IMAP and SMTP, and that is an issue for Alpine users.

Let me say it differently. The world is changing with the excuse of 
security and privacy. With that excuse programs like Alpine are being
left out. It is important that all of us communicate to other people
that Alpine is a safe program to use, that respects your privacy and
makes no effort to track you or steal information from anyone. I am
working on modernizing Alpine, but the real issue is not if IMAP and
SMTP will be killed, the real issue is if Alpine will be given access
to IMAP and SMTP by administrators, and that is a bigger issue, because
chances are that the administrator that you have to ask this question
to will say no.

I hope the maintainer of fetchmail decides to include OAUTH2 support.
We need programs like fetchmail, mutt, alpine, etc. to keep working in
the future. Some Alpine users prefer fetchmail and I hope they will be
able to continue using it for many years to come.

-- 
Eduardo
_______________________________________________
Alpine-info mailing list
Alpine-info at u.washington.edu
http://mailman12.u.washington.edu/mailman/listinfo/alpine-info

-- 
GolugTech mailing list
GolugTech at diypython.us
http://diypython.us/mailman/listinfo/golugtech_diypython.us

----- End forwarded message -----


