[MlMt] MailMate, Gmail, & OAUTH2 verification

Antonio Leding tech at leding.net
Fri May 20 11:00:51 EDT 2022


Thanks Benny - great feedback…

- - -

On 19 May 2022, at 23:16, Benny Kjær Nielsen wrote:

> On 19 May 2022, at 23:34, Antonio Leding wrote:
>
>> A few days ago, I ran across a post discussing the upcoming Google 
>> mandate that all Gmail users must use OAUTH2.  My understanding is 
>> that this has been working in MM for quite a while so no issue there.
>
> Yes, the mandate might be new but password-based access to Gmail 
> accounts has not worked well for many years. I never found out the 
> exact triggers, but users would often have to sign in to webmail to 
> “unlock” an account for IMAP/SMTP access. I also think default 
> Gmail settings changed to not allowing it by default (I might be wrong 
> on that one).
>
> MailMate has worked with Gmail/OAuth2 for almost seven years. I wrote 
> about my concerns at the time and that's basically how I still feel 
> about the subject: 
> https://blog.freron.com/2015/is-oauth2-support-a-good-thing/
>
> In that blog post I write: “If the provider stops supporting other 
> authentication schemes (which is almost true for Google) then the 
> provider has the power to decide which email clients are allowed to 
> access Gmail.”
>
> This is no longer an “if” statement, but in practice it doesn't 
> change much since password-access did not work well anyways (in my 
> experience).
>
>> The part that got me wondering is this - this post stated that some 
>> apps may need to undergo an annual Google verification process and 
>> that this could cost the devs several hundred or thousands of dollars 
>> per year.
>
> Initially, Google told me the same thing 7 years ago after I went 
> through a long and tedious series of steps to “verify” MailMate. 
> Fortunately, a desktop email application like MailMate does not match 
> the conditions stated by Google for the security assessment 
> requirement (see the end of this email).
>
>> I have no idea if this applies to MailMate but since I had not seen 
>> anything about this specific topic, I thought I would raise it if 
>> only to have the feedback be “No concern - we’re all good to 
>> go.”
>
> I don't have statistics, but I assume most MailMate users have OAuth2 
> enabled for Gmail (it's the default behavior).
>
> In general, I cannot say “No concern” since that would contradict 
> my blog post :)
>
>> https://support.google.com/cloud/answer/9110914
>
> The important part of what you linked to is this: “To help keep user 
> data safe, every app that requests access to restricted scope Google 
> user’s data and has the ability to access data from or through a 
> third party server is required to go through a security assessment 
> from Google empanelled security assessors.”
>
> MailMate does not have the ability to “access data from or through a 
> third party server”.
>
> -- 
> Benny