Mailing List Archive

Seamonkey automatic email download after switch to Oauth2
Howdy,

Early this morning Seamonkey could no longer fetch emails.  It wouldn't
accept the username and password.  I did some searching and it seems
that Google is disabling plain text username and password.  Honestly,
sounds like a good idea really.  During my searches, most recommended
OAuth2 so I switched to it.  I'd never heard of it before but dove in
head first.  Turns out, easy enough.  When I hit Get Msgs after changing
the settings, it asked for the password and it started downloading
emails.  My first thought, yeppie!! 

After a while, I noticed it wasn't downloading new emails
automatically.  I have it set to check for new messages every 10 minutes
or so.  I had to hit the Get Msgs button each time.  I'd prefer it to do
it automatically.  I tried restarting Seamonkey and even changing the
settings for doing it automatically, in case a config file needed
updating after the switch, still doesn't do it automatically.  I'm
attaching a screenshot of the settings. 

Does using OAuth2 disable automatically fetching messages or am I
missing some other setting?  It worked fine until I switched to OAuth2
so I don't know what else it could be.  Is there something better than
OAuth2 that gmail supports?  I just picked the first option I found. 

Thoughts??

Dale

:-)  :-) 
Re: Seamonkey automatic email download after switch to Oauth2 [ In reply to ]
On Friday, 3 June 2022 02:45:11 BST Dale wrote:
> Howdy,
>
> Early this morning Seamonkey could no longer fetch emails. It wouldn't
> accept the username and password. I did some searching and it seems
> that Google is disabling plain text username and password. Honestly,
> sounds like a good idea really. During my searches, most recommended
> OAuth2 so I switched to it.

Err ... perhaps not? The use of a browser to delegate sign on is not
necessarily a good idea, because it introduces layers of complication and with
it potential vulnerabilities. Random explainer here:

https://medium.com/securing/what-is-going-on-with-oauth-2-0-and-why-you-should-not-use-it-for-authentication-5f47597b2611

I recall some IMAP4 devs complaining about it, but Google pushed on
regardless. From the end of May if you want to login to Gmail you have no
option but to use OAuth2. I expect this will break some users login if they
have not disabled what Google calls "Less secure application access" and
shared with Google their mobile phone number and what other *private*
information Google wants to know, before it allows you to access your email
messages.


> After a while, I noticed it wasn't downloading new emails
> automatically. I have it set to check for new messages every 10 minutes
> or so. I had to hit the Get Msgs button each time. I'd prefer it to do
> it automatically. I tried restarting Seamonkey and even changing the
> settings for doing it automatically, in case a config file needed
> updating after the switch, still doesn't do it automatically. I'm
> attaching a screenshot of the settings.
>
> Does using OAuth2 disable automatically fetching messages or am I
> missing some other setting? It worked fine until I switched to OAuth2
> so I don't know what else it could be. Is there something better than
> OAuth2 that gmail supports? I just picked the first option I found.
>
> Thoughts??

The OAuth2 mechanism will refresh exchange of tokens between client and server
when they expire, but this should be seamless and transparent to the user. If
there is a breakdown in the connection for some time and a token expires, then
depending on the mail client it may pop up a window asking for your login
credentials to be resubmitted. It does this occasionally on Kmail, but I have
not noticed it on T'bird, which I believe is similar/same to the mail client
of Seamonkey.

Checking for emails every so often on a timer, is separate to authentication/
authorization. Whether you check for email manually, or after a timer
triggers it, OAuth2 will kick in on each occasion as the next step. There may
be some bug in Seamonkey. You could try a later version or try T'bird. If
that works with the same settings, but Seamonkey doesn't, then by a process of
elimination the issue would be with Seamonkey's implementation.

HTH.
Re: Seamonkey automatic email download after switch to Oauth2 [ In reply to ]
They only forced turning 2fa on.
Once you turn it on click the app password button
it generates a 16 character passphrase.
Then works exactly the same way it used to.

--
Re: Seamonkey automatic email download after switch to Oauth2 [ In reply to ]
Michael wrote:
> On Friday, 3 June 2022 02:45:11 BST Dale wrote:
>> Howdy,
>>
>> Early this morning Seamonkey could no longer fetch emails. It wouldn't
>> accept the username and password. I did some searching and it seems
>> that Google is disabling plain text username and password. Honestly,
>> sounds like a good idea really. During my searches, most recommended
>> OAuth2 so I switched to it.
> Err ... perhaps not? The use of a browser to delegate sign on is not
> necessarily a good idea, because it introduces layers of complication and with
> it potential vulnerabilities. Random explainer here:
>
> https://medium.com/securing/what-is-going-on-with-oauth-2-0-and-why-you-should-not-use-it-for-authentication-5f47597b2611
>
> I recall some IMAP4 devs complaining about it, but Google pushed on
> regardless. From the end of May if you want to login to Gmail you have no
> option but to use OAuth2. I expect this will break some users login if they
> have not disabled what Google calls "Less secure application access" and
> shared with Google their mobile phone number and what other *private*
> information Google wants to know, before it allows you to access your email
> messages.

I read a portion of your link.  It lost me pretty quick.  I seem to
recall that the old way, the username and password was sent in plain
text.  In other words, anyone could grab it between me and google,
including my ISP plus who knows who else.  I'd think that about anything
would be more secure than plain text.  There may be better options but I
have to work with what Google supports.  If it supports something
better, I'd switch to that.  I'm open to better options.  I just want to
be able to fetch my emails in a reasonably secure way.  BTW, the
password I use for email is not used anywhere else.  I use Bitwarden
now, used LastPass before that. 


>
>> After a while, I noticed it wasn't downloading new emails
>> automatically. I have it set to check for new messages every 10 minutes
>> or so. I had to hit the Get Msgs button each time. I'd prefer it to do
>> it automatically. I tried restarting Seamonkey and even changing the
>> settings for doing it automatically, in case a config file needed
>> updating after the switch, still doesn't do it automatically. I'm
>> attaching a screenshot of the settings.
>>
>> Does using OAuth2 disable automatically fetching messages or am I
>> missing some other setting? It worked fine until I switched to OAuth2
>> so I don't know what else it could be. Is there something better than
>> OAuth2 that gmail supports? I just picked the first option I found.
>>
>> Thoughts??
> The OAuth2 mechanism will refresh exchange of tokens between client and server
> when they expire, but this should be seamless and transparent to the user. If
> there is a breakdown in the connection for some time and a token expires, then
> depending on the mail client it may pop up a window asking for your login
> credentials to be resubmitted. It does this occasionally on Kmail, but I have
> not noticed it on T'bird, which I believe is similar/same to the mail client
> of Seamonkey.
>
> Checking for emails every so often on a timer, is separate to authentication/
> authorization. Whether you check for email manually, or after a timer
> triggers it, OAuth2 will kick in on each occasion as the next step. There may
> be some bug in Seamonkey. You could try a later version or try T'bird. If
> that works with the same settings, but Seamonkey doesn't, then by a process of
> elimination the issue would be with Seamonkey's implementation.
>
> HTH.


I wouldn't think the two would have any effect on each other either but
the only change I made was how it sends username and password.  Heck, at
first, I didn't even restart Seamonkey.  When I hit the Get Msg button,
it asked for the password and starting downloading several hours worth
of emails.  It hasn't asked for it again since I entered it the first
time so it should be able to trigger itself.  Your logic makes sense but
reality has thrown a wrench into the gearbox.  I thought about switching
back but the old way wasn't allowed anymore.  So, I can't revert and
test.  BTW, I'm using POP3 I think.  I actually store my emails locally.

I'm not sure where to go on this.  It may be a bug but even that would
be odd since sending username and password should be separate from
triggering a timer.  It just doesn't make sense. 

Thanks.

Dale

:-)  :-) 
Re: Seamonkey automatic email download after switch to Oauth2 [ In reply to ]
On Friday, 3 June 2022 11:07:47 BST spareproject776 wrote:
> They only forced turning 2fa on.

There used to be a period a few years ago now, when you could enable less
secure app access plus OAuth2 without giving your DOB, mobile phone 2FA, etc.
They have since stopped this. I had enabled OAuth2 on one PC, but was not
able to do the same on a second PC I tried to connect from. I can't recall
the error now.

Thankfully, other email providers are available. :-)
Re: Seamonkey automatic email download after switch to Oauth2 [ In reply to ]
They turned off the ability to use smtp pop3 or imap over cleartext
a while ago. They only expose it over tls wrapped ports. Your client
wouldn't even be able to get as far as sending it.

Also forces SASL which is tldr for echo 'username password'|base64
before sending it.

Once you enable 2fa for the account, you can recreate an application
password.

Funnily enough my old password was stronger than a 16 char string : /
all in all they just force reduced password length. Whilst forcing
sms verification allowing account take over from sim swapping :'(

For the record this is sent from mutt using app password without oauth.

--
Re: Seamonkey automatic email download after switch to Oauth2 [ In reply to ]
On Friday, 3 June 2022 12:15:53 BST spareproject776 wrote:

> How did you even enable the oauth thing ? only had security device or
> push to an authenticated device available. Then lied and forced enabling
> sms as a 'recovery' option.

When I enabled OAuth2 it was early days and Google did not ask for 2FA as a
prerequisite back then. All you had to provide, for account recovery, was
another email address. So I set up a second Google email address for this
purpose and cross referenced the two accounts. Some months thereafter Google
started asking for 2FA via SMS, before you could access the page to set up app
access. More recently they also started asking for DOB, "... for legal
purposes". Soon they will be asking for digital ID and a DNA test, or
whatever. :p

I noticed whenever I tried to login from a remote location Google would block
the mail client and also block webmail login if I tried to use a browser.
Evidently, geolocation/IP address was being used as a security check. To
acknowledge this was not an attempt by some remote and nefarious actor to
compromise my account, I had to connect to Google by tunneling via a VPN
connection to my home and from there to the Google webmail. After that I was
able to login remotely.

The question about privacy is a moot point. Privacy is often conflated with
identity and consequently with security. All a mail service provider *need*
to know is if the person trying to login is the same person who set up/owns
the account. A single or multiple challenge-response mechanism over an
encrypted network connection is enough to identify the owner of the account
via the credentials exchanged between client and server. No sharing of any
other private and personally identifiable information needs to be part of it.
Re: Seamonkey automatic email download after switch to Oauth2 [ In reply to ]
On Fri, Jun 03, 2022 at 10:54:06AM +0100, Michael wrote:
> On Friday, 3 June 2022 11:07:47 BST spareproject776 wrote:
> > They only forced turning 2fa on.
>
> There used to be a period a few years ago now, when you could enable less
> secure app access plus OAuth2 without giving your DOB, mobile phone 2FA, etc.
> They have since stopped this. I had enabled OAuth2 on one PC, but was not
> able to do the same on a second PC I tried to connect from. I can't recall
> the error now.
>
> Thankfully, other email providers are available. :-)

Is the privacy thing really that bad ? My plans to send a load of e2e messages
through a mix net just to wind them up.

More worried about someone picking my phone up popping the sim card out.
Then requesting account recovery from it and plugging it back in now : /
sort of defeated the point in having tpm backed devices.

How did you even enable the oauth thing ? only had security device or
push to an authenticated device available. Then lied and forced enabling
sms as a 'recovery' option.

--
Re: Seamonkey automatic email download after switch to Oauth2 [ In reply to ]
On Friday, 3 June 2022 09:53:22 BST Michael wrote:
> On Friday, 3 June 2022 02:45:11 BST Dale wrote:
> > Howdy,
> >
> > Early this morning Seamonkey could no longer fetch emails. It wouldn't
> > accept the username and password. I did some searching and it seems
> > that Google is disabling plain text username and password. Honestly,
> > sounds like a good idea really. During my searches, most recommended
> > OAuth2 so I switched to it.
>
> Err ... perhaps not? The use of a browser to delegate sign on is not
> necessarily a good idea, because it introduces layers of complication and
> with it potential vulnerabilities. Random explainer here:
>
> https://medium.com/securing/what-is-going-on-with-oauth-2-0-and-why-you-shou
> ld-not-use-it-for-authentication-5f47597b2611
>
> I recall some IMAP4 devs complaining about it, but Google pushed on
> regardless. From the end of May if you want to login to Gmail you have no
> option but to use OAuth2. I expect this will break some users login if they
> have not disabled what Google calls "Less secure application access" and
> shared with Google their mobile phone number and what other *private*
> information Google wants to know, before it allows you to access your email
> messages.

Would a practical alternative be to have all gmail messages forwarded to
another account? I haven't looked into this, but I have a gmail account, which
perhaps I could set up to forward (relay?) all incoming mail to my Zen
account.

--
Regards,
Peter.
Re: Seamonkey automatic email download after switch to Oauth2 [ In reply to ]
On Fri, 2022-06-03 at 12:57 +0100, Peter Humphrey wrote:
> Would a practical alternative be to have all gmail messages forwarded to
> another account?

I did this for years before I decided to finally close that google
account.

Ironically I can't close this one (yet) because the gentoo mailing list
won't allow me to subscribe with an email address with a .tech TLD :(
Re: Seamonkey automatic email download after switch to Oauth2 [ In reply to ]
Dale wrote:
> Howdy,
>
> Early this morning Seamonkey could no longer fetch emails.  It wouldn't
> accept the username and password.  I did some searching and it seems
> that Google is disabling plain text username and password.  Honestly,
> sounds like a good idea really.  During my searches, most recommended
> OAuth2 so I switched to it.  I'd never heard of it before but dove in
> head first.  Turns out, easy enough.  When I hit Get Msgs after changing
> the settings, it asked for the password and it started downloading
> emails.  My first thought, yeppie!! 
>
> After a while, I noticed it wasn't downloading new emails
> automatically.  I have it set to check for new messages every 10 minutes
> or so.  I had to hit the Get Msgs button each time.  I'd prefer it to do
> it automatically.  I tried restarting Seamonkey and even changing the
> settings for doing it automatically, in case a config file needed
> updating after the switch, still doesn't do it automatically.  I'm
> attaching a screenshot of the settings. 
>
> Does using OAuth2 disable automatically fetching messages or am I
> missing some other setting?  It worked fine until I switched to OAuth2
> so I don't know what else it could be.  Is there something better than
> OAuth2 that gmail supports?  I just picked the first option I found. 
>
> Thoughts??
>
> Dale
>
> :-)  :-) 


I was hoping a update to Seamonkey would fix this issue.  It was just a
bug and would be fixed.  Well, I updated the other day and it still
doesn't fetch email until I tell it to.  I've tested this numerous
times.  It just plain doesn't fetch on its own anymore. 

Anyone have ideas on how to fix this.  If anyone needs more info, just
let me know.  I'll either attach the text or a picture if it is a menu
type thing that can't be copied. 

Thanks.

Dale

:-)  :-) 
Re: Seamonkey automatic email download after switch to Oauth2 [ In reply to ]
On 23/07/2022 19:58, Dale wrote:
> Anyone have ideas on how to fix this.  If anyone needs more info, just
> let me know.  I'll either attach the text or a picture if it is a menu
> type thing that can't be copied.

Could something have messed up your settings? TB won't collect mail
unless you tell it to poll every 5 mins or so (it's configured by
default to do so).

But if it's accidentally been configured to only check when asked ...

Cheers,
Wol
Re: Seamonkey automatic email download after switch to Oauth2 [ In reply to ]
Wol wrote:
> On 23/07/2022 19:58, Dale wrote:
>> Anyone have ideas on how to fix this.  If anyone needs more info, just
>> let me know.  I'll either attach the text or a picture if it is a menu
>> type thing that can't be copied.
>
> Could something have messed up your settings? TB won't collect mail
> unless you tell it to poll every 5 mins or so (it's configured by
> default to do so).
>
> But if it's accidentally been configured to only check when asked ...
>
> Cheers,
> Wol
>
>


I attached a screenshot of the screen with original message but I'm
attaching it to this one too.  It's set to check at start up, and it
does check then as expected, and is set to check for new messages every
10 minutes and automatically download them.  I've had it set that way
for years and it worked fine until I had to switch to the Oauth2
thingy.  Since I had to switch to that, it no longer triggers the 10
minute check itself.  It's getting annoying having to click and then
wait for it to download them before knowing if I even have anything. 

I'd think this would be two separate things and shouldn't affect each
other but it is strange that it started right when I switched with no
other change to Seamonkey.  Same version even.  I guess it is possible
that something got messed up during the switch but no clue what it could
be. 

Dale

:-)  :-)