| 1 |
Michael wrote: |
| 2 |
> On Friday, 3 June 2022 02:45:11 BST Dale wrote: |
| 3 |
>> Howdy, |
| 4 |
>> |
| 5 |
>> Early this morning Seamonkey could no longer fetch emails. It wouldn't |
| 6 |
>> accept the username and password. I did some searching and it seems |
| 7 |
>> that Google is disabling plain text username and password. Honestly, |
| 8 |
>> sounds like a good idea really. During my searches, most recommended |
| 9 |
>> OAuth2 so I switched to it. |
| 10 |
> Err ... perhaps not? The use of a browser to delegate sign on is not |
| 11 |
> necessarily a good idea, because it introduces layers of complication and with |
| 12 |
> it potential vulnerabilities. Random explainer here: |
| 13 |
> |
| 14 |
> https://medium.com/securing/what-is-going-on-with-oauth-2-0-and-why-you-should-not-use-it-for-authentication-5f47597b2611 |
| 15 |
> |
| 16 |
> I recall some IMAP4 devs complaining about it, but Google pushed on |
| 17 |
> regardless. From the end of May if you want to login to Gmail you have no |
| 18 |
> option but to use OAuth2. I expect this will break some users login if they |
| 19 |
> have not disabled what Google calls "Less secure application access" and |
| 20 |
> shared with Google their mobile phone number and what other *private* |
| 21 |
> information Google wants to know, before it allows you to access your email |
| 22 |
> messages. |
| 23 |
|
| 24 |
I read a portion of your link. It lost me pretty quick. I seem to |
| 25 |
recall that the old way, the username and password was sent in plain |
| 26 |
text. In other words, anyone could grab it between me and google, |
| 27 |
including my ISP plus who knows who else. I'd think that about anything |
| 28 |
would be more secure than plain text. There may be better options but I |
| 29 |
have to work with what Google supports. If it supports something |
| 30 |
better, I'd switch to that. I'm open to better options. I just want to |
| 31 |
be able to fetch my emails in a reasonably secure way. BTW, the |
| 32 |
password I use for email is not used anywhere else. I use Bitwarden |
| 33 |
now, used LastPass before that. |
| 34 |
|
| 35 |
|
| 36 |
> |
| 37 |
>> After a while, I noticed it wasn't downloading new emails |
| 38 |
>> automatically. I have it set to check for new messages every 10 minutes |
| 39 |
>> or so. I had to hit the Get Msgs button each time. I'd prefer it to do |
| 40 |
>> it automatically. I tried restarting Seamonkey and even changing the |
| 41 |
>> settings for doing it automatically, in case a config file needed |
| 42 |
>> updating after the switch, still doesn't do it automatically. I'm |
| 43 |
>> attaching a screenshot of the settings. |
| 44 |
>> |
| 45 |
>> Does using OAuth2 disable automatically fetching messages or am I |
| 46 |
>> missing some other setting? It worked fine until I switched to OAuth2 |
| 47 |
>> so I don't know what else it could be. Is there something better than |
| 48 |
>> OAuth2 that gmail supports? I just picked the first option I found. |
| 49 |
>> |
| 50 |
>> Thoughts?? |
| 51 |
> The OAuth2 mechanism will refresh exchange of tokens between client and server |
| 52 |
> when they expire, but this should be seamless and transparent to the user. If |
| 53 |
> there is a breakdown in the connection for some time and a token expires, then |
| 54 |
> depending on the mail client it may pop up a window asking for your login |
| 55 |
> credentials to be resubmitted. It does this occasionally on Kmail, but I have |
| 56 |
> not noticed it on T'bird, which I believe is similar/same to the mail client |
| 57 |
> of Seamonkey. |
| 58 |
> |
| 59 |
> Checking for emails every so often on a timer, is separate to authentication/ |
| 60 |
> authorization. Whether you check for email manually, or after a timer |
| 61 |
> triggers it, OAuth2 will kick in on each occasion as the next step. There may |
| 62 |
> be some bug in Seamonkey. You could try a later version or try T'bird. If |
| 63 |
> that works with the same settings, but Seamonkey doesn't, then by a process of |
| 64 |
> elimination the issue would be with Seamonkey's implementation. |
| 65 |
> |
| 66 |
> HTH. |
| 67 |
|
| 68 |
|
| 69 |
I wouldn't think the two would have any effect on each other either but |
| 70 |
the only change I made was how it sends username and password. Heck, at |
| 71 |
first, I didn't even restart Seamonkey. When I hit the Get Msg button, |
| 72 |
it asked for the password and starting downloading several hours worth |
| 73 |
of emails. It hasn't asked for it again since I entered it the first |
| 74 |
time so it should be able to trigger itself. Your logic makes sense but |
| 75 |
reality has thrown a wrench into the gearbox. I thought about switching |
| 76 |
back but the old way wasn't allowed anymore. So, I can't revert and |
| 77 |
test. BTW, I'm using POP3 I think. I actually store my emails locally. |
| 78 |
|
| 79 |
I'm not sure where to go on this. It may be a bug but even that would |
| 80 |
be odd since sending username and password should be separate from |
| 81 |
triggering a timer. It just doesn't make sense. |
| 82 |
|
| 83 |
Thanks. |
| 84 |
|
| 85 |
Dale |
| 86 |
|
| 87 |
:-) :-) |
Archives