Discussion:
Fetchmail, gmail and 2fa.
Marco Moock
2021-12-07 19:13:14 UTC
On Tue, 7 Dec 2021 12:26:44 -0600
Does this signal the end of my current mail service and force us to
use webmail? If not, how can I satisfy gmail's need for 2FA via
fetchmail? Is there an alternative to fetchmail that will provide
this authentication requirement?
As far as I know, you need to use OAuth2 with 2FA to make it work, but I can't
try it, I got rid of all my Google accounts.
root
2021-12-08 05:24:34 UTC
I'm currently using fetchmail to draw from various POP accounts and
distribute on my server using fetchmail, procmail, and dovecot. It has
worked flawlessly for several years going back to when imapd was the
serving daemon.
I received notification that Gmail will be going to 2FA (two factor
authentication) as of December 14.
Switching to 2FA at gmail results in a fetchmail authentication error.
Obviously the challenge/response required to log in is missing in
fetchmail, just the POP password is submitted.
Does this signal the end of my current mail service and force us to use
webmail? If not, how can I satisfy gmail's need for 2FA via fetchmail?
Is there an alternative to fetchmail that will provide this
authentication requirement?
Rinaldi
Very important to me too. If you find a workaround please post back.
Ralph Spitzner
2021-12-08 15:49:01 UTC
I'm currently using fetchmail to draw from various POP accounts and distribute on my server using fetchmail, procmail, and dovecot.  It has worked flawlessly for several years going back to when imapd was the serving daemon.
I received notification that Gmail will be going to 2FA (two factor authentication) as of December 14.
Switching to 2FA at gmail results in a fetchmail authentication error. Obviously the challenge/response required to log in is missing in fetchmail, just the POP password is submitted.
Does this signal the end of my current mail service and force us to use webmail?  If not, how can I satisfy gmail's need for 2FA via fetchmail? Is there an alternative to fetchmail that will provide this authentication requirement?
Rinaldi
all good just generate an "application-specific" password and use that instead of "your" password


-rasp
Chris Vine
2021-12-09 00:23:12 UTC
On Wed, 8 Dec 2021 16:49:01 +0100
Post by Ralph Spitzner
I'm currently using fetchmail to draw from various POP accounts and distribute on my server using fetchmail, procmail, and dovecot.  It has worked flawlessly for several years going back to when imapd was the serving daemon.
I received notification that Gmail will be going to 2FA (two factor authentication) as of December 14.
Switching to 2FA at gmail results in a fetchmail authentication error. Obviously the challenge/response required to log in is missing in fetchmail, just the POP password is submitted.
Does this signal the end of my current mail service and force us to use webmail?  If not, how can I satisfy gmail's need for 2FA via fetchmail? Is there an alternative to fetchmail that will provide this authentication requirement?
Rinaldi
all good just generate an "application-specific" password and use that instead of "your" password
Would you care to elaborate?
Rinaldi
2021-12-09 01:27:08 UTC
Post by Chris Vine
On Wed, 8 Dec 2021 16:49:01 +0100
Post by Ralph Spitzner
I'm currently using fetchmail to draw from various POP accounts and distribute on my server using fetchmail, procmail, and dovecot.  It has worked flawlessly for several years going back to when imapd was the serving daemon.
I received notification that Gmail will be going to 2FA (two factor authentication) as of December 14.
Switching to 2FA at gmail results in a fetchmail authentication error. Obviously the challenge/response required to log in is missing in fetchmail, just the POP password is submitted.
Does this signal the end of my current mail service and force us to use webmail?  If not, how can I satisfy gmail's need for 2FA via fetchmail? Is there an alternative to fetchmail that will provide this authentication requirement?
Rinaldi
all good just generate an "application-specific" password and use that instead of "your" password
Would you care to elaborate?
Got app specific passwords for fetchmail and t-bird. This stanza is
working for gmail in ~/.fetchmailrc.

poll pop.gmail.com with proto POP3 service 995
user '$USER' there with password '$2FAPWD' is '$USER' here ssl

Thanks for the tip.

Rinaldi
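
An added check, not part of the post above and not part of fetchmail: because the app password in `~/.fetchmailrc` authenticates without the second factor, this sketch verifies that the file is private and that every entry carrying a password also uses `ssl`, as the posted stanza does. The function name `audit_fetchmailrc` is hypothetical, and quoted values are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example, not from the thread: audit a fetchmailrc holding an app password.
# Assumption: quoted values contain no whitespace.

audit_fetchmailrc() {
    rcfile=$1
    findings=0

    # An app password works without the second factor, so the file must not
    # be accessible to group or others (columns 5-10 of the mode string).
    perms=$(ls -ld "$rcfile" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "PERMS: $rcfile is accessible to group/other (chmod 600 it)"
        findings=$((findings + 1))
    fi

    # Every poll/server/skip entry that sets a password must also carry the
    # ssl keyword (directly or via a defaults entry), as the posted stanza does.
    cleartext=$(awk '
        function report() { if (host != "" && haspw && !hasssl) print host }
        {
            sub(/^#.*/, ""); sub(/[ \t]#.*/, "")      # strip comments
            for (i = 1; i <= NF; i++) {
                t = $i
                if (t == "poll" || t == "server" || t == "skip") {
                    report(); host = $(i + 1); haspw = 0; hasssl = defssl; i++
                } else if (t == "defaults") {
                    report(); host = ""
                } else if (t == "password" || t == "pass") {
                    haspw = 1; i++                    # never inspect the secret
                } else if (t == "ssl") {
                    if (host == "") defssl = 1; else hasssl = 1
                }
            }
        }
        END { report() }
    ' "$rcfile")

    for h in $cleartext; do
        echo "CLEARTEXT: password for $h is sent without the ssl keyword"
        findings=$((findings + 1))
    done
    return "$findings"
}

# Run against a file given on the command line, e.g. ~/.fetchmailrc
if [ $# -gt 0 ]; then audit_fetchmailrc "$1"; fi
```

The return status is the number of findings, so 0 means the file passed both checks.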
Chris Vine
2021-12-09 11:56:45 UTC
On Wed, 8 Dec 2021 19:27:08 -0600
Post by Rinaldi
Post by Chris Vine
On Wed, 8 Dec 2021 16:49:01 +0100
Post by Ralph Spitzner
I'm currently using fetchmail to draw from various POP accounts and distribute on my server using fetchmail, procmail, and dovecot.  It has worked flawlessly for several years going back to when imapd was the serving daemon.
I received notification that Gmail will be going to 2FA (two factor authentication) as of December 14.
Switching to 2FA at gmail results in a fetchmail authentication error. Obviously the challenge/response required to log in is missing in fetchmail, just the POP password is submitted.
Does this signal the end of my current mail service and force us to use webmail?  If not, how can I satisfy gmail's need for 2FA via fetchmail? Is there an alternative to fetchmail that will provide this authentication requirement?
Rinaldi
all good just generate an "application-specific" password and use that instead of "your" password
Would you care to elaborate?
Got app specific passwords for fetchmail and t-bird. This stanza is
working for gmail in ~/.fetchmailrc.
poll pop.gmail.com with proto POP3 service 995
user '$USER' there with password '$2FAPWD' is '$USER' here ssl
Thanks. I use fetchmail for receiving from pop.gmail.com and for
sending I generally use postfix as a local server on localhost with
smtp.gmail.com as relay, or sometimes mailx and sylpheed directly
forwarding to smtp.gmail.com as relay. I also have two or three
different laptops which I use with my gmail account.

Do all these different applications require their own application
specific password? If so, given that each laptop would also seem to
require its own set of passwords, this all sounds somewhat tedious.

Chris
Ralph Spitzner
2021-12-09 13:14:54 UTC
Chris Vine wrote on 12/9/21 12:56 PM:
[...]
Post by Chris Vine
Do all these different applications require their own application
specific password? If so, given that each laptop would also seem to
require its own set of passwords, this all sounds somewhat tedious.
Chris
I recently switched from a laptop to a mini-pc and it's still working, so my guess is no ....
-rasp
Chris Vine
2021-12-09 15:16:14 UTC
On Thu, 9 Dec 2021 14:14:54 +0100
Post by Ralph Spitzner
[...]
Post by Chris Vine
Do all these different applications require their own application
specific password? If so, given that each laptop would also seem to
require its own set of passwords, this all sounds somewhat tedious.
Chris
I recently switched from a laptop to a mini-pc and it's still working, so my guess is no ....
Interesting. Possibly you could use the same "application specific
password" for all your gmail applications on all your computers. I had
assumed that google in some way hashed some characteristic of each
computer into the password, and maybe some characteristic of each
application, but apparently not.

If so, this makes using google's not very application specific passwords
more tractable. This would still address what appears to be google's
main concern, which is people re-using passwords on other (non-google)
sites.
Ralph Spitzner
2021-12-10 07:01:53 UTC
Post by Chris Vine
On Thu, 9 Dec 2021 14:14:54 +0100
[...]
ll your computers. I had
Post by Chris Vine
assumed that google in some way hashed some characteristic of each
computer into the password, and maybe some characteristic of each
application, but apparently not.
If so, this makes using google's not very application specific passwords
more tractable. This would still address what appears to be google's
main concern, which is people re-using passwords on other (non-google)
sites.
I guess it's pretty hard to 'footprint' something connecting to port 995...

you could, of course just copy that pw and use it somewhere else :-/

I think it's more or less that you have to authenticate with 2fa with google
to get such a password, which THEY generate, makes it pretty safe to say that
it's either you, or someone using your credentials and phone that's logging in ....

-rasp

Ralph Spitzner
2021-12-09 05:50:40 UTC
Post by Chris Vine
On Wed, 8 Dec 2021 16:49:01 +0100
Post by Ralph Spitzner
I'm currently using fetchmail to draw from various POP accounts and distribute on my server using fetchmail, procmail, and dovecot.  It has worked flawlessly for several years going back to when imapd was the serving daemon.
I received notification that Gmail will be going to 2FA (two factor authentication) as of December 14.
Switching to 2FA at gmail results in a fetchmail authentication error. Obviously the challenge/response required to log in is missing in fetchmail, just the POP password is submitted.
Does this signal the end of my current mail service and force us to use webmail?  If not, how can I satisfy gmail's need for 2FA via fetchmail? Is there an alternative to fetchmail that will provide this authentication requirement?
Rinaldi
all good just generate an "application-specific" password and use that instead of "your" password
Would you care to elaborate?
what happens if you google google ? :-)

gmail application specific password
first hit :

Sign in with App Passwords - Google Account Help
Mike Small
2021-12-09 01:00:59 UTC
Post by Marco Moock
On Tue, 7 Dec 2021 12:26:44 -0600
Does this signal the end of my current mail service and force us to
use webmail? If not, how can I satisfy gmail's need for 2FA via
fetchmail? Is there an alternative to fetchmail that will provide
this authentication requirement?
As far as I know, you need to use OAuth2 with 2FA to make it work, but I can't
try it, I got rid of all my Google accounts.
I'm not suggesting you ask them unless you're using nmh, but the nmh
people seem to know something about getting email out of gmail. Maybe
you can glean something useful from what they write about it. Or maybe
their inc command could be adapted to your use if fetchmail can't do it:

https://lists.nongnu.org/archive/html/nmh-workers/2020-09/msg00005.html
https://lists.nongnu.org/archive/html/nmh-workers/2020-07/msg00017.html
https://lists.nongnu.org/archive/html/nmh-workers/2019-12/msg00064.html
https://lists.nongnu.org/archive/html/nmh-workers/2019-06/msg00118.html
https://lists.nongnu.org/archive/html/nmh-workers/2019-06/msg00099.html

- Mike S.