[MlMt] MailMate, Gmail, & OAUTH2 verification

Benny Kjær Nielsen mailinglist at freron.com
Fri May 20 02:16:29 EDT 2022


On 19 May 2022, at 23:34, Antonio Leding wrote:

> A few days ago, I ran across a post discussing the upcoming Google mandate that all Gmail users must use OAUTH2.  My understanding is that this has been working in MM for quite a while so no issue there.

Yes, the mandate might be new but password-based access to Gmail accounts has not worked well for many years. I never found out the exact triggers, but users would often have to sign in to webmail to “unlock” an account for IMAP/SMTP access. I also think default Gmail settings changed to not allowing it by default (I might be wrong on that one).

MailMate has worked with Gmail/OAuth2 for almost seven years. I wrote about my concerns at the time and that's basically how I still feel about the subject: https://blog.freron.com/2015/is-oauth2-support-a-good-thing/

In that blog post I write: “If the provider stops supporting other authentication schemes (which is almost true for Google) then the provider has the power to decide which email clients are allowed to access Gmail.”

This is no longer an “if” statement, but in practice it doesn't change much since password-access did not work well anyways (in my experience).

> The part that got me wondering is this - this post stated that some apps may need to undergo an annual Google verification process and that this could cost the devs several hundred or thousands of dollars per year.

Initially, Google told me the same thing 7 years ago after I went through a long and tedious series of steps to “verify” MailMate. Fortunately, a desktop email application like MailMate does not match the conditions stated by Google for the security assessment requirement (see the end of this email).

> I have no idea if this applies to MailMate but since I had not seen anything about this specific topic, I thought I would raise it if only to have the feedback be “No concern - we’re all good to go.”

I don't have statistics, but I assume most MailMate users have OAuth2 enabled for Gmail (it's the default behavior).

In general, I cannot say “No concern” since that would contradict my blog post :)

> https://support.google.com/cloud/answer/9110914

The important part of what you linked to is this: “To help keep user data safe, every app that requests access to restricted scope Google user’s data and has the ability to access data from or through a third party server is required to go through a security assessment from Google empanelled security assessors.”

MailMate does not have the ability to “access data from or through a third party server”.

-- 
Benny

