[gentoo-user] Seamonkey automatic email download after switch to Oauth2

[gentoo-user] Seamonkey automatic email download after switch to Oauth2

[Dale]

[-- Attachment #1: Type: text/plain, Size: 1314 bytes --]

Howdy,

Early this morning Seamonkey could no longer fetch emails.  It wouldn't
accept the username and password.  I did some searching and it seems
that Google is disabling plain text username and password.  Honestly,
sounds like a good idea really.  During my searches, most recommended
OAuth2 so I switched to it.  I'd never heard of it before but dove in
head first.  Turns out, easy enough.  When I hit Get Msgs after changing
the settings, it asked for the password and it started downloading
emails.  My first thought, yeppie!! 

After a while, I noticed it wasn't downloading new emails
automatically.  I have it set to check for new messages every 10 minutes
or so.  I had to hit the Get Msgs button each time.  I'd prefer it to do
it automatically.  I tried restarting Seamonkey and even changing the
settings for doing it automatically, in case a config file needed
updating after the switch, still doesn't do it automatically.  I'm
attaching a screenshot of the settings. 

Does using OAuth2 disable automatically fetching messages or am I
missing some other setting?  It worked fine until I switched to OAuth2
so I don't know what else it could be.  Is there something better than
OAuth2 that gmail supports?  I just picked the first option I found. 

Thoughts??

Dale

:-)  :-) 

[-- Attachment #2: 2022-06-02-19-21-43-0001-scale.JPG --]
[-- Type: image/jpeg, Size: 191808 bytes --]

Re: [gentoo-user] Seamonkey automatic email download after switch to Oauth2

[Michael]

[-- Attachment #1: Type: text/plain, Size: 2878 bytes --]

On Friday, 3 June 2022 02:45:11 BST Dale wrote:
> Howdy,
> 
> Early this morning Seamonkey could no longer fetch emails.  It wouldn't
> accept the username and password.  I did some searching and it seems
> that Google is disabling plain text username and password.  Honestly,
> sounds like a good idea really.  During my searches, most recommended
> OAuth2 so I switched to it.

Err ... perhaps not?  The use of a browser to delegate sign on is not 
necessarily a good idea, because it introduces layers of complication and with 
it potential vulnerabilities.  Random explainer here:

https://medium.com/securing/what-is-going-on-with-oauth-2-0-and-why-you-should-not-use-it-for-authentication-5f47597b2611

I recall some IMAP4 devs complaining about it, but Google pushed on 
regardless.  From the end of May if you want to login to Gmail you have no 
option but to use OAuth2.  I expect this will break some users login if they 
have not disabled what Google calls "Less secure application access" and 
shared with Google their mobile phone number and what other *private* 
information Google wants to know, before it allows you to access your email 
messages.


> After a while, I noticed it wasn't downloading new emails
> automatically.  I have it set to check for new messages every 10 minutes
> or so.  I had to hit the Get Msgs button each time.  I'd prefer it to do
> it automatically.  I tried restarting Seamonkey and even changing the
> settings for doing it automatically, in case a config file needed
> updating after the switch, still doesn't do it automatically.  I'm
> attaching a screenshot of the settings. 
> 
> Does using OAuth2 disable automatically fetching messages or am I
> missing some other setting?  It worked fine until I switched to OAuth2
> so I don't know what else it could be.  Is there something better than
> OAuth2 that gmail supports?  I just picked the first option I found. 
> 
> Thoughts??

The OAuth2 mechanism will refresh exchange of tokens between client and server 
when they expire, but this should be seamless and transparent to the user.  If 
there is a breakdown in the connection for some time and a token expires, then 
depending on the mail client it may pop up a window asking for your login 
credentials to be resubmitted.  It does this occasionally on Kmail, but I have 
not noticed it on T'bird, which I believe is similar/same to the mail client 
of Seamonkey.

Checking for emails every so often on a timer, is separate to authentication/
authorization.  Whether you check for email manually, or after a timer 
triggers it, OAuth2 will kick in on each occasion as the next step.  There may 
be some bug in Seamonkey.  You could try a later version or try T'bird.  If 
that works with the same settings, but Seamonkey doesn't, then by a process of 
elimination the issue would be with Seamonkey's implementation.

HTH.

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-user] Seamonkey automatic email download after switch to Oauth2

[Dale]

Michael wrote:
> On Friday, 3 June 2022 02:45:11 BST Dale wrote:
>> Howdy,
>>
>> Early this morning Seamonkey could no longer fetch emails.  It wouldn't
>> accept the username and password.  I did some searching and it seems
>> that Google is disabling plain text username and password.  Honestly,
>> sounds like a good idea really.  During my searches, most recommended
>> OAuth2 so I switched to it.
> Err ... perhaps not?  The use of a browser to delegate sign on is not 
> necessarily a good idea, because it introduces layers of complication and with 
> it potential vulnerabilities.  Random explainer here:
>
> https://medium.com/securing/what-is-going-on-with-oauth-2-0-and-why-you-should-not-use-it-for-authentication-5f47597b2611
>
> I recall some IMAP4 devs complaining about it, but Google pushed on 
> regardless.  From the end of May if you want to login to Gmail you have no 
> option but to use OAuth2.  I expect this will break some users login if they 
> have not disabled what Google calls "Less secure application access" and 
> shared with Google their mobile phone number and what other *private* 
> information Google wants to know, before it allows you to access your email 
> messages.

I read a portion of your link.  It lost me pretty quick.  I seem to
recall that the old way, the username and password was sent in plain
text.  In other words, anyone could grab it between me and google,
including my ISP plus who knows who else.  I'd think that about anything
would be more secure than plain text.  There may be better options but I
have to work with what Google supports.  If it supports something
better, I'd switch to that.  I'm open to better options.  I just want to
be able to fetch my emails in a reasonably secure way.  BTW, the
password I use for email is not used anywhere else.  I use Bitwarden
now, used LastPass before that. 


>
>> After a while, I noticed it wasn't downloading new emails
>> automatically.  I have it set to check for new messages every 10 minutes
>> or so.  I had to hit the Get Msgs button each time.  I'd prefer it to do
>> it automatically.  I tried restarting Seamonkey and even changing the
>> settings for doing it automatically, in case a config file needed
>> updating after the switch, still doesn't do it automatically.  I'm
>> attaching a screenshot of the settings. 
>>
>> Does using OAuth2 disable automatically fetching messages or am I
>> missing some other setting?  It worked fine until I switched to OAuth2
>> so I don't know what else it could be.  Is there something better than
>> OAuth2 that gmail supports?  I just picked the first option I found. 
>>
>> Thoughts??
> The OAuth2 mechanism will refresh exchange of tokens between client and server 
> when they expire, but this should be seamless and transparent to the user.  If 
> there is a breakdown in the connection for some time and a token expires, then 
> depending on the mail client it may pop up a window asking for your login 
> credentials to be resubmitted.  It does this occasionally on Kmail, but I have 
> not noticed it on T'bird, which I believe is similar/same to the mail client 
> of Seamonkey.
>
> Checking for emails every so often on a timer, is separate to authentication/
> authorization.  Whether you check for email manually, or after a timer 
> triggers it, OAuth2 will kick in on each occasion as the next step.  There may 
> be some bug in Seamonkey.  You could try a later version or try T'bird.  If 
> that works with the same settings, but Seamonkey doesn't, then by a process of 
> elimination the issue would be with Seamonkey's implementation.
>
> HTH.


I wouldn't think the two would have any effect on each other either but
the only change I made was how it sends username and password.  Heck, at
first, I didn't even restart Seamonkey.  When I hit the Get Msg button,
it asked for the password and starting downloading several hours worth
of emails.  It hasn't asked for it again since I entered it the first
time so it should be able to trigger itself.  Your logic makes sense but
reality has thrown a wrench into the gearbox.  I thought about switching
back but the old way wasn't allowed anymore.  So, I can't revert and
test.  BTW, I'm using POP3 I think.  I actually store my emails locally.

I'm not sure where to go on this.  It may be a bug but even that would
be odd since sending username and password should be separate from
triggering a timer.  It just doesn't make sense. 

Thanks.

Dale

:-)  :-) 

Re: [gentoo-user] Seamonkey automatic email download after switch to Oauth2

[spareproject776]

They turned off the ability to use smtp pop3 or imap over cleartext
a while ago. They only expose it over tls wrapped ports. Your client
wouldn't even be able to get as far as sending it.

Also forces SASL which is tldr for echo 'username password'|base64
before sending it.

Once you enable 2fa for the account, you can recreate an application
password.

Funnily enough my old password was stronger than a 16 char string : /
all in all they just force reduced password length. Whilst forcing
sms verification allowing account take over from sim swapping :'(

For the record this is sent from mutt using app password without oauth.

-- 

Re: [gentoo-user] Seamonkey automatic email download after switch to Oauth2

[spareproject776]

They only forced turning 2fa on.
Once you turn it on click the app password button
it generates a 16 character passphrase.
Then works exactly the same way it used to.

-- 

Re: [gentoo-user] Seamonkey automatic email download after switch to Oauth2

[Michael]

[-- Attachment #1: Type: text/plain, Size: 472 bytes --]

On Friday, 3 June 2022 11:07:47 BST spareproject776 wrote:
> They only forced turning 2fa on.

There used to be a period a few years ago now, when you could enable less 
secure app access plus OAuth2 without giving your DOB, mobile phone 2FA, etc.  
They have since stopped this.  I had enabled OAuth2 on one PC, but was not 
able to do the same on a second PC I tried to connect from.  I can't recall 
the error now.

Thankfully, other email providers are available.  :-)

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-user] Seamonkey automatic email download after switch to Oauth2

[spareproject776]

On Fri, Jun 03, 2022 at 10:54:06AM +0100, Michael wrote:
> On Friday, 3 June 2022 11:07:47 BST spareproject776 wrote:
> > They only forced turning 2fa on.
> 
> There used to be a period a few years ago now, when you could enable less 
> secure app access plus OAuth2 without giving your DOB, mobile phone 2FA, etc.  
> They have since stopped this.  I had enabled OAuth2 on one PC, but was not 
> able to do the same on a second PC I tried to connect from.  I can't recall 
> the error now.
> 
> Thankfully, other email providers are available.  :-)

Is the privacy thing really that bad ? My plans to send a load of e2e messages 
through a mix net just to wind them up.

More worried about someone picking my phone up popping the sim card out. 
Then requesting account recovery from it and plugging it back in now : / 
sort of defeated the point in having tpm backed devices.

How did you even enable the oauth thing ? only had security device or 
push to an authenticated device available. Then lied and forced enabling 
sms as a 'recovery' option.

-- 

Re: [gentoo-user] Seamonkey automatic email download after switch to Oauth2

[Michael]

[-- Attachment #1: Type: text/plain, Size: 1806 bytes --]

On Friday, 3 June 2022 12:15:53 BST spareproject776 wrote:

> How did you even enable the oauth thing ? only had security device or
> push to an authenticated device available. Then lied and forced enabling
> sms as a 'recovery' option.

When I enabled OAuth2 it was early days and Google did not ask for 2FA as a 
prerequisite back then.  All you had to provide, for account recovery, was 
another email address.  So I set up a second Google email address for this 
purpose and cross referenced the two accounts.  Some months thereafter Google 
started asking for 2FA via SMS, before you could access the page to set up app 
access.  More recently they also started asking for DOB, "... for legal 
purposes".  Soon they will be asking for digital ID and a DNA test, or 
whatever.  :p

I noticed whenever I tried to login from a remote location Google would block 
the mail client and also block webmail login if I tried to use a browser.  
Evidently, geolocation/IP address was being used as a security check.  To 
acknowledge this was not an attempt by some remote and nefarious actor to 
compromise my account, I had to connect to Google by tunneling via a VPN 
connection to my home and from there to the Google webmail.  After that I was 
able to login remotely.

The question about privacy is a moot point.  Privacy is often conflated with 
identity and consequently with security.  All a mail service provider *need* 
to know is if the person trying to login is the same person who set up/owns 
the account.  A single or multiple challenge-response mechanism over an 
encrypted network connection is enough to identify the owner of the account 
via the credentials exchanged between client and server.  No sharing of any 
other private and personally identifiable information needs to be part of it.

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-user] Seamonkey automatic email download after switch to Oauth2

[Peter Humphrey]

On Friday, 3 June 2022 09:53:22 BST Michael wrote:
> On Friday, 3 June 2022 02:45:11 BST Dale wrote:
> > Howdy,
> > 
> > Early this morning Seamonkey could no longer fetch emails.  It wouldn't
> > accept the username and password.  I did some searching and it seems
> > that Google is disabling plain text username and password.  Honestly,
> > sounds like a good idea really.  During my searches, most recommended
> > OAuth2 so I switched to it.
> 
> Err ... perhaps not?  The use of a browser to delegate sign on is not
> necessarily a good idea, because it introduces layers of complication and
> with it potential vulnerabilities.  Random explainer here:
> 
> https://medium.com/securing/what-is-going-on-with-oauth-2-0-and-why-you-shou
> ld-not-use-it-for-authentication-5f47597b2611
> 
> I recall some IMAP4 devs complaining about it, but Google pushed on
> regardless.  From the end of May if you want to login to Gmail you have no
> option but to use OAuth2.  I expect this will break some users login if they
> have not disabled what Google calls "Less secure application access" and
> shared with Google their mobile phone number and what other *private*
> information Google wants to know, before it allows you to access your email
> messages.

Would a practical alternative be to have all gmail messages forwarded to 
another account? I haven't looked into this, but I have a gmail account, which 
perhaps I could set up to forward (relay?) all incoming mail to my Zen 
account.

-- 
Regards,
Peter.

Re: [gentoo-user] Seamonkey automatic email download after switch to Oauth2

[Matt Connell (Gmail)]

On Fri, 2022-06-03 at 12:57 +0100, Peter Humphrey wrote:
> Would a practical alternative be to have all gmail messages forwarded to 
> another account?

I did this for years before I decided to finally close that google
account.

Ironically I can't close this one (yet) because the gentoo mailing list
won't allow me to subscribe with an email address with a .tech TLD :(

Re: [gentoo-user] Seamonkey automatic email download after switch to Oauth2

[Dale]

Dale wrote:
> Howdy,
>
> Early this morning Seamonkey could no longer fetch emails.  It wouldn't
> accept the username and password.  I did some searching and it seems
> that Google is disabling plain text username and password.  Honestly,
> sounds like a good idea really.  During my searches, most recommended
> OAuth2 so I switched to it.  I'd never heard of it before but dove in
> head first.  Turns out, easy enough.  When I hit Get Msgs after changing
> the settings, it asked for the password and it started downloading
> emails.  My first thought, yeppie!! 
>
> After a while, I noticed it wasn't downloading new emails
> automatically.  I have it set to check for new messages every 10 minutes
> or so.  I had to hit the Get Msgs button each time.  I'd prefer it to do
> it automatically.  I tried restarting Seamonkey and even changing the
> settings for doing it automatically, in case a config file needed
> updating after the switch, still doesn't do it automatically.  I'm
> attaching a screenshot of the settings. 
>
> Does using OAuth2 disable automatically fetching messages or am I
> missing some other setting?  It worked fine until I switched to OAuth2
> so I don't know what else it could be.  Is there something better than
> OAuth2 that gmail supports?  I just picked the first option I found. 
>
> Thoughts??
>
> Dale
>
> :-)  :-) 


I was hoping a update to Seamonkey would fix this issue.  It was just a
bug and would be fixed.  Well, I updated the other day and it still
doesn't fetch email until I tell it to.  I've tested this numerous
times.  It just plain doesn't fetch on its own anymore. 

Anyone have ideas on how to fix this.  If anyone needs more info, just
let me know.  I'll either attach the text or a picture if it is a menu
type thing that can't be copied. 

Thanks.

Dale

:-)  :-) 

Re: [gentoo-user] Seamonkey automatic email download after switch to Oauth2

[Wol]

On 23/07/2022 19:58, Dale wrote:
> Anyone have ideas on how to fix this.  If anyone needs more info, just
> let me know.  I'll either attach the text or a picture if it is a menu
> type thing that can't be copied.

Could something have messed up your settings? TB won't collect mail 
unless you tell it to poll every 5 mins or so (it's configured by 
default to do so).

But if it's accidentally been configured to only check when asked ...

Cheers,
Wol

Re: [gentoo-user] Seamonkey automatic email download after switch to Oauth2

[Dale]

[-- Attachment #1: Type: text/plain, Size: 1360 bytes --]

Wol wrote:
> On 23/07/2022 19:58, Dale wrote:
>> Anyone have ideas on how to fix this.  If anyone needs more info, just
>> let me know.  I'll either attach the text or a picture if it is a menu
>> type thing that can't be copied.
>
> Could something have messed up your settings? TB won't collect mail
> unless you tell it to poll every 5 mins or so (it's configured by
> default to do so).
>
> But if it's accidentally been configured to only check when asked ...
>
> Cheers,
> Wol
>
>


I attached a screenshot of the screen with original message but I'm
attaching it to this one too.  It's set to check at start up, and it
does check then as expected, and is set to check for new messages every
10 minutes and automatically download them.  I've had it set that way
for years and it worked fine until I had to switch to the Oauth2
thingy.  Since I had to switch to that, it no longer triggers the 10
minute check itself.  It's getting annoying having to click and then
wait for it to download them before knowing if I even have anything. 

I'd think this would be two separate things and shouldn't affect each
other but it is strange that it started right when I switched with no
other change to Seamonkey.  Same version even.  I guess it is possible
that something got messed up during the switch but no clue what it could
be. 

Dale

:-)  :-) 

[-- Attachment #2: 2022-06-02-19-21-43-0001-scale.JPG --]
[-- Type: image/jpeg, Size: 191808 bytes --]