[MlMt] MailMate passed the CASA tier 2 security assessment (hurrah?)

Benny Kjær Nielsen mailinglist at freron.com
Wed Apr 9 10:35:50 EDT 2025


On 9 Apr 2025, at 16:13, Steven M. Bellovin wrote:

> Depressing, but thanks. One pain point: those of us who work for large organizations that have outsourced email to Google. Trying to get the admins of a large organization to approve something non-standard is, umm, painful…

Understandable, and I don't really know how this works. Maybe all verified apps are allowed by default for Google Workspace and app-specific passwords are then completely disabled, that is, the only simple way to get MailMate working is to get it on the allowed list, but I don't know if this is how it actually works.

It might not help, but if you get into a discussion with them, then you can tell them that they were not doing their jobs properly if they relied on the Google verified state to ensure that an app is safe to use.

And if they really want to restrict which apps have access via IMAP/SMTP then they should not allow any desktop/mobile apps because that will implicitly allow them all to be used. They should only allow cloud-to-cloud services which are (ironically) often much harder to implement in a safe way (which is really why CASA exists).

Just to be clear: If the organization allows any app to be used (in particular, an open source app) then any other app can also be used (directly via settings for some apps and via a proxy for others). We'll cross that bridge if we really have to. I'm hoping admin settings and app-specific passwords will be sufficient.

-- 
Benny

