[conspire] (forw) Re: [Golugtech] Fw: [Alpine-info] O365 XOAUTH2 via fetchmail

Rick Moen rick at linuxmafia.com
Wed Apr 20 19:26:37 PDT 2022


----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----

Date: Wed, 20 Apr 2022 19:24:32 -0700
From: Rick Moen <rick at linuxmafia.com>
To: golugtech at diypython.us
Subject: Re: [Golugtech] Fw: [Alpine-info] O365 XOAUTH2 via fetchmail
Organization: If you lived here, you'd be $HOME already.

Quoting Steve Litt (slitt at troubleshooters.com):

> Hey, wait a minute. I was envisioning not being able to receive email
> from gmail users, or to send email to gmail users. But, if I read your
> post correctly, all I need to do is go with an email vendor who doesn't
> require OAUTH2. I just hope there are more email vendors not requiring
> OAUTH2 than there are not requiring DMARC and DCOM and DWHATEVER.

Basically.  Kind of.

OAuth 2.0 is not (AFAIK) actually implemented anywhere else (other than
GMail) as an authentication protocol for IMAP/SMTP.  It was actually
_designed_ by the IETF OAuth Working Group as an authentication layer
for HTTP/HTTPS, and ordinarily used in _that_ context.  And, as such,
there's nothing at all wrong with it, except that (IMO) it's a bit of a
ponderous, complicated (open-spec) standard.  
https://oauth.net/2/
https://www.rfc-editor.org/rfc/rfc6749

The Wellington, NZ-based World Science Fiction Convention ("Worldcon") 
of 2020, which was suddenly obliged by the world breaking to convert
from an in-person convention to one entirely online (and I was the
staffer who designed and created the Jitsi Meet portion of the
infrastructure) used for single sign-on among its many Web applications
an implementation of OAuth 2.0 furnished by a company called GLUU.
Every Web app, scant available volunteer convention staff time & effort
permitting, was shimmed to authenticate against GLUU's OAuth 2.0 
authentication services.

Author Eduardo Chappa (author of that post to alpine-info, and, I
gather, main developer of Alpine) clarified what has happened at GMail,
pretty clearly, so you should perhaps review what he said.  He said that
Google, Inc. _adapted_ OAuth 2.0's security token spec, and bundled it
into IMAP (and SMTP?) using an open spec of their design called XOAUTH2.
XOAUTH2 is an adapted-to-mail application of OAuth 2.0 featuring
Google-designed protocol glue.  It's (probably?) unique to GMail.

However, Chappa is far-sighted, and _anticipates_ Google and potentially
others passive-aggressively using "secure/modern authentication" going
forward to phase out IMAP and SMTP entirely as a commercially provided
service to ISP customers.  Chappa sees how HTTPS keeps being pushed as
the solution to all problems by various big vendors, and thinks such
vendors will push customers to migrate to Web-based doohickies instead
of "legacy" commodity protocols like IMAP.  Of course, the vendors
themselves would in that scenario continue to use modern variants of
SMTP for smarthost-to-smarthost communication, as has always been the
case.

That wouldn't affect _me_, because I run my own SMTP smarthost that is a
peer with all the rest around the world, and am not using a "mail
vendor".  E.g., if I ever decided to use Alpine instead of mutt, 
it would just (as does my mutt setup) "receive" inbound mail by directly
reading /var/mail/*, and would send outbound mail by handing it off to
the local MTA smarthost.

What Chappa's saying is that you guys who depend on _vendors_ to sell
you "mail services" accessible using IMAP/SMTP may have a longer-term
problem if the various mail providers decide they'd rather coax you into
using Web stuff instead, and cease to offer services to users at the
IMAP/SMTP ports.

In a way, I long ago did something similar to the (non-paying) users on
my server:  Back in the 1990s, when I determined that POP3's security
exposure was no longer tolerable, I switched off UW's in.pop3d _and didn't_ 
substitute any IMAP4 daemon.  Instead, I told users "No more mail
delivery agent (MDA) here, sorry.  Either learn to love my nice
command-line mailers via ssh (mutt, Pine, elm, mailx, etc.) or feel free
to simulate an MDA by rsync'ing your /var/mail/$USERNAME file over ssh
transport."  One of the users threw a fit and left, even though I handed
her an rsync setup for her MS-Windows Eudora thing.  The rest stayed.

On the point 2 paragraphs back, Chappa said:

  I am working on modernizing Alpine, but the real issue is not if 
  IMAP and SMTP will be killed, the real issue is if Alpine will be 
  given access to IMAP and SMTP by administrators, and that is a 
  bigger issue, because chances are that the administrator that you 
  have to ask this question to will say no. 

And he may be absolutely correct.  As the Cluetrain Manifesto put it, 
"Markets are conversations."  Sometimes, the seller is saying "no".


_Separately_, Chappa and the fetchmail maintainer balked at the
expensive annual security audit Google is now requiring of any "app"
that wishes to use XOAUTH2 to talk to GMail.

-- 
GolugTech mailing list
GolugTech at diypython.us
http://diypython.us/mailman/listinfo/golugtech_diypython.us

----- End forwarded message -----
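The XOAUTH2 mechanism the forwarded mail describes (OAuth 2.0 bearer tokens carried inside IMAP/SMTP authentication) is small enough to show end to end. The block below is an added example, not code from the alpine-info or golugtech threads, Alpine, fetchmail or Google; it follows Google's published XOAUTH2 layout, base64("user=" USER "\x01auth=Bearer " TOKEN "\x01\x01"), which the mail names but does not spell out. It builds the initial client response, parses and validates it the way a server or a log reviewer would, and renders it for logging with the token removed. The user name and token are constructed placeholders; the function names are this example's own. The defender's point it illustrates: the blob is a bearer credential, so an unencrypted capture of the AUTHENTICATE line, or a client debug log that echoes it, is as good as the password for the token's lifetime, which is why the logging helper redacts it.

```python
"""XOAUTH2 SASL initial client response: build it, parse it, redact it.

Added example, not code from the alpine-info/golugtech threads, Alpine or
fetchmail.  The wire layout follows Google's published XOAUTH2 format:
    base64("user=" USER "\x01auth=Bearer " TOKEN "\x01\x01")
All user names and tokens below are constructed placeholders.
"""
import base64

SEP = "\x01"  # field separator (Control-A) required by the XOAUTH2 layout


def build_xoauth2_response(user: str, access_token: str) -> str:
    """Return the base64 blob a client sends as the XOAUTH2 initial response."""
    if SEP in user or SEP in access_token:
        raise ValueError("0x01 is the field separator; it cannot appear in a field")
    raw = f"user={user}{SEP}auth=Bearer {access_token}{SEP}{SEP}"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def imap_authenticate_line(tag: str, b64: str) -> str:
    """The IMAP command line carrying the response (initial-response form)."""
    return f"{tag} AUTHENTICATE XOAUTH2 {b64}"


def parse_xoauth2_response(b64: str) -> dict:
    """Decode and validate a response, as a server or log reviewer would.

    Returns {"user": ..., "token": ...}; raises ValueError when malformed.
    """
    try:
        raw = base64.b64decode(b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError(f"not valid base64/UTF-8: {exc}") from exc
    if not raw.endswith(SEP + SEP):
        raise ValueError("missing terminating \\x01\\x01")
    fields = {}
    for item in raw[:-2].split(SEP):
        key, eq, value = item.partition("=")
        if not eq or key in fields:
            raise ValueError(f"bad or duplicate field: {item!r}")
        fields[key] = value
    if set(fields) != {"user", "auth"}:
        raise ValueError(f"expected exactly user and auth, got {sorted(fields)}")
    scheme, _, token = fields["auth"].partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("auth field must be 'Bearer <token>'")
    return {"user": fields["user"], "token": token}


def is_well_formed(b64: str) -> bool:
    """True when the blob parses as a complete XOAUTH2 initial response."""
    try:
        parse_xoauth2_response(b64)
        return True
    except ValueError:
        return False


def redact_for_log(b64: str) -> str:
    """Render a response for a log or ticket without leaking the bearer token."""
    try:
        parsed = parse_xoauth2_response(b64)
    except ValueError as exc:
        return f"<malformed XOAUTH2 response: {exc}>"
    return f"user={parsed['user']} auth=Bearer <redacted, {len(parsed['token'])} chars>"


if __name__ == "__main__":
    # Constructed placeholder identity and token; not real credentials.
    blob = build_xoauth2_response("alice@example.com", "ya29.CONSTRUCTED-PLACEHOLDER-TOKEN")
    print(imap_authenticate_line("a1", blob))
    print(redact_for_log(blob))
```

The same blob, without the leading `AUTHENTICATE XOAUTH2`, is what an SMTP client sends after `AUTH XOAUTH2`; the only part a mail client has to obtain elsewhere is the access token itself, which is exactly the OAuth 2.0 HTTP flow, and the per-app vetting that goes with it, that the thread is complaining about.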
