• Re: [gentoo-user] Seamonkey automatic email download after switch to Oa

    From spareproject776@21:1/5 to All on Fri Jun 3 11:10:01 2022
    They only forced turning 2fa on.
    Once you turn it on click the app password button
    it generates a 16 character passphrase.
    Then works exactly the same way it used to.

    --

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Michael@21:1/5 to All on Fri Jun 3 09:53:22 2022
    On Friday, 3 June 2022 02:45:11 BST Dale wrote:
    > Howdy,
    >
    > Early this morning Seamonkey could no longer fetch emails. It wouldn't accept the username and password. I did some searching and it seems that Google is disabling plain text username and password. Honestly, sounds like a good idea really. During my searches, most recommended OAuth2 so I switched to it.

    Err ... perhaps not? The use of a browser to delegate sign on is not necessarily a good idea, because it introduces layers of complication and with it potential vulnerabilities. Random explainer here:

    https://medium.com/securing/what-is-going-on-with-oauth-2-0-and-why-you-should-not-use-it-for-authentication-5f47597b2611

    I recall some IMAP4 devs complaining about it, but Google pushed on regardless. From the end of May if you want to login to Gmail you have no option but to use OAuth2. I expect this will break some users login if they have not disabled what Google calls "Less secure application access" and shared with Google their mobile phone number and what other *private* information Google wants to know, before it allows you to access your email messages.

    > After a while, I noticed it wasn't downloading new emails automatically. I have it set to check for new messages every 10 minutes or so. I had to hit the Get Msgs button each time. I'd prefer it to do it automatically. I tried restarting Seamonkey and even changing the settings for doing it automatically, in case a config file needed updating after the switch, still doesn't do it automatically. I'm attaching a screenshot of the settings.
    >
    > Does using OAuth2 disable automatically fetching messages or am I missing some other setting? It worked fine until I switched to OAuth2 so I don't know what else it could be. Is there something better than OAuth2 that gmail supports? I just picked the first option I found.
    >
    > Thoughts??

    The OAuth2 mechanism will refresh exchange of tokens between client and server when they expire, but this should be seamless and transparent to the user. If there is a breakdown in the connection for some time and a token expires, then depending on the mail client it may pop up a window asking for your login credentials to be resubmitted. It does this occasionally on Kmail, but I have not noticed it on T'bird, which I believe is similar/same to the mail client of Seamonkey.

    Checking for emails every so often on a timer, is separate to authentication/authorization. Whether you check for email manually, or after a timer triggers it, OAuth2 will kick in on each occasion as the next step. There may be some bug in Seamonkey. You could try a later version or try T'bird. If that works with the same settings, but Seamonkey doesn't, then by a process of elimination the issue would be with Seamonkey's implementation.

    HTH.
  • From Dale@21:1/5 to Michael on Fri Jun 3 11:40:01 2022
    Michael wrote:
    > On Friday, 3 June 2022 02:45:11 BST Dale wrote:
    >> Howdy,
    >>
    >> Early this morning Seamonkey could no longer fetch emails. It wouldn't accept the username and password. I did some searching and it seems that Google is disabling plain text username and password. Honestly, sounds like a good idea really. During my searches, most recommended OAuth2 so I switched to it.
    >
    > Err ... perhaps not? The use of a browser to delegate sign on is not necessarily a good idea, because it introduces layers of complication and with it potential vulnerabilities. Random explainer here:
    >
    > https://medium.com/securing/what-is-going-on-with-oauth-2-0-and-why-you-should-not-use-it-for-authentication-5f47597b2611
    >
    > I recall some IMAP4 devs complaining about it, but Google pushed on regardless. From the end of May if you want to login to Gmail you have no option but to use OAuth2. I expect this will break some users login if they have not disabled what Google calls "Less secure application access" and shared with Google their mobile phone number and what other *private* information Google wants to know, before it allows you to access your email messages.

    I read a portion of your link. It lost me pretty quick. I seem to recall that the old way, the username and password was sent in plain text. In other words, anyone could grab it between me and google, including my ISP plus who knows who else. I'd think that about anything would be more secure than plain text. There may be better options but I have to work with what Google supports. If it supports something better, I'd switch to that. I'm open to better options. I just want to be able to fetch my emails in a reasonably secure way. BTW, the password I use for email is not used anywhere else. I use Bitwarden now, used LastPass before that.

    >> After a while, I noticed it wasn't downloading new emails automatically. I have it set to check for new messages every 10 minutes or so. I had to hit the Get Msgs button each time. I'd prefer it to do it automatically. I tried restarting Seamonkey and even changing the settings for doing it automatically, in case a config file needed updating after the switch, still doesn't do it automatically. I'm attaching a screenshot of the settings.
    >>
    >> Does using OAuth2 disable automatically fetching messages or am I missing some other setting? It worked fine until I switched to OAuth2 so I don't know what else it could be. Is there something better than OAuth2 that gmail supports? I just picked the first option I found.
    >>
    >> Thoughts??
    >
    > The OAuth2 mechanism will refresh exchange of tokens between client and server when they expire, but this should be seamless and transparent to the user. If there is a breakdown in the connection for some time and a token expires, then depending on the mail client it may pop up a window asking for your login credentials to be resubmitted. It does this occasionally on Kmail, but I have not noticed it on T'bird, which I believe is similar/same to the mail client of Seamonkey.
    >
    > Checking for emails every so often on a timer, is separate to authentication/authorization. Whether you check for email manually, or after a timer triggers it, OAuth2 will kick in on each occasion as the next step. There may be some bug in Seamonkey. You could try a later version or try T'bird. If that works with the same settings, but Seamonkey doesn't, then by a process of elimination the issue would be with Seamonkey's implementation.
    >
    > HTH.

    I wouldn't think the two would have any effect on each other either but the only change I made was how it sends username and password. Heck, at first, I didn't even restart Seamonkey. When I hit the Get Msg button, it asked for the password and started downloading several hours worth of emails. It hasn't asked for it again since I entered it the first time so it should be able to trigger itself. Your logic makes sense but reality has thrown a wrench into the gearbox. I thought about switching back but the old way wasn't allowed anymore. So, I can't revert and test. BTW, I'm using POP3 I think. I actually store my emails locally.

    I'm not sure where to go on this. It may be a bug but even that would be odd since sending username and password should be separate from triggering a timer. It just doesn't make sense.

    Thanks.

    Dale

    :-)  :-) 

  • From spareproject776@21:1/5 to All on Fri Jun 3 11:50:01 2022
    They turned off the ability to use smtp pop3 or imap over cleartext
    a while ago. They only expose it over tls wrapped ports. Your client
    wouldn't even be able to get as far as sending it.

    Also forces SASL which is tldr for echo 'username password'|base64
    before sending it.

    Once you enable 2fa for the account, you can recreate an application
    password.

    Funnily enough my old password was stronger than a 16 char string : /
    all in all they just force reduced password length. Whilst forcing
    sms verification allowing account take over from sim swapping :'(

    For the record this is sent from mutt using app password without oauth.

    --

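The SASL encodings this thread is arguing about, as an added example that is not part of any poster's message: it builds the SASL PLAIN initial response (RFC 4616) sent by an app-password login and the XOAUTH2 response used for Gmail OAuth2, decodes both to show that base64 alone gives no confidentiality (the TLS-wrapped port does), and redacts such blobs from a protocol trace before it is shared. The account name, app password, token and trace lines are constructed sample values, and the function names are hypothetical.

```python
import base64
import re


def sasl_plain(user: str, password: str, authzid: str = "") -> str:
    """RFC 4616 PLAIN: base64(authzid NUL authcid NUL passwd)."""
    raw = f"{authzid}\0{user}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def sasl_xoauth2(user: str, access_token: str) -> str:
    """XOAUTH2: base64("user=" user ^A "auth=Bearer " token ^A ^A)."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_initial_response(blob: str) -> dict:
    """Recover what a SASL blob carries. No key is needed, only base64."""
    raw = base64.b64decode(blob, validate=True).decode("utf-8")
    if raw.startswith("user=") and "\x01auth=" in raw:
        fields = dict(p.split("=", 1) for p in raw.split("\x01") if p)
        return {"mech": "XOAUTH2", "user": fields["user"],
                "secret": fields["auth"].split(" ", 1)[1]}
    _authzid, user, password = raw.split("\0")
    return {"mech": "PLAIN", "user": user, "secret": password}


# Blob argument of IMAP "AUTHENTICATE <mech> <blob>" and of
# SMTP/POP3 "AUTH <mech> <blob>" client lines.
_AUTH_LINE = re.compile(
    r"(?i)\b(AUTH(?:ENTICATE)?\s+(?:PLAIN|XOAUTH2)\s+)([A-Za-z0-9+/=]+)")


def redact_trace(trace: str) -> str:
    """Replace credential blobs so a debug trace can be posted safely."""
    return _AUTH_LINE.sub(lambda m: m.group(1) + "<redacted>", trace)


# Constructed sample values (not real credentials).
SAMPLE_USER = "user@example.com"
SAMPLE_APP_PASSWORD = "abcdefghijklmnop"      # 16 characters, as in the thread
SAMPLE_TOKEN = "constructed-access-token"

# Constructed client lines as they would appear inside the TLS session.
SAMPLE_TRACE = "\n".join([
    "C: AUTH PLAIN " + sasl_plain(SAMPLE_USER, SAMPLE_APP_PASSWORD),
    "C: A1 AUTHENTICATE XOAUTH2 " + sasl_xoauth2(SAMPLE_USER, SAMPLE_TOKEN),
])

if __name__ == "__main__":
    for line in SAMPLE_TRACE.splitlines():
        print(decode_initial_response(line.rsplit(" ", 1)[1]))
    print(redact_trace(SAMPLE_TRACE))
```

Either blob is as good as the credential it wraps: a leaked PLAIN blob exposes the app password until it is revoked, while a leaked XOAUTH2 blob exposes a bearer token that expires on its own.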
  • From Michael@21:1/5 to All on Fri Jun 3 10:54:06 2022
    On Friday, 3 June 2022 11:07:47 BST spareproject776 wrote:
    > They only forced turning 2fa on.

    There used to be a period a few years ago now, when you could enable less secure app access plus OAuth2 without giving your DOB, mobile phone 2FA, etc. They have since stopped this. I had enabled OAuth2 on one PC, but was not able to do the same on a second PC I tried to connect from. I can't recall the error now.

    Thankfully, other email providers are available. :-)
  • From Michael@21:1/5 to All on Fri Jun 3 11:50:42 2022
    On Friday, 3 June 2022 12:15:53 BST spareproject776 wrote:

    > How did you even enable the oauth thing ? only had security device or push to an authenticated device available. Then lied and forced enabling sms as a 'recovery' option.

    When I enabled OAuth2 it was early days and Google did not ask for 2FA as a prerequisite back then. All you had to provide, for account recovery, was another email address. So I set up a second Google email address for this purpose and cross referenced the two accounts. Some months thereafter Google started asking for 2FA via SMS, before you could access the page to set up app access. More recently they also started asking for DOB, "... for legal purposes". Soon they will be asking for digital ID and a DNA test, or whatever. :p

    I noticed whenever I tried to login from a remote location Google would block the mail client and also block webmail login if I tried to use a browser. Evidently, geolocation/IP address was being used as a security check. To acknowledge this was not an attempt by some remote and nefarious actor to compromise my account, I had to connect to Google by tunneling via a VPN connection to my home and from there to the Google webmail. After that I was able to login remotely.

    The question about privacy is a moot point. Privacy is often conflated with identity and consequently with security. All a mail service provider *needs* to know is if the person trying to login is the same person who set up/owns the account. A single or multiple challenge-response mechanism over an encrypted network connection is enough to identify the owner of the account via the credentials exchanged between client and server. No sharing of any other private and personally identifiable information needs to be part of it.

  • From spareproject776@21:1/5 to Michael on Fri Jun 3 12:20:01 2022
    On Fri, Jun 03, 2022 at 10:54:06AM +0100, Michael wrote:
    > On Friday, 3 June 2022 11:07:47 BST spareproject776 wrote:
    >> They only forced turning 2fa on.
    >
    > There used to be a period a few years ago now, when you could enable less secure app access plus OAuth2 without giving your DOB, mobile phone 2FA, etc. They have since stopped this. I had enabled OAuth2 on one PC, but was not able to do the same on a second PC I tried to connect from. I can't recall the error now.
    >
    > Thankfully, other email providers are available. :-)

    Is the privacy thing really that bad ? My plans to send a load of e2e messages through a mix net just to wind them up.

    More worried about someone picking my phone up popping the sim card out.
    Then requesting account recovery from it and plugging it back in now : /
    sort of defeated the point in having tpm backed devices.

    How did you even enable the oauth thing ? only had security device or
    push to an authenticated device available. Then lied and forced enabling
    sms as a 'recovery' option.

    --

  • From Peter Humphrey@21:1/5 to All on Fri Jun 3 14:00:01 2022
    On Friday, 3 June 2022 09:53:22 BST Michael wrote:
    > On Friday, 3 June 2022 02:45:11 BST Dale wrote:
    >> Howdy,
    >>
    >> Early this morning Seamonkey could no longer fetch emails. It wouldn't accept the username and password. I did some searching and it seems that Google is disabling plain text username and password. Honestly, sounds like a good idea really. During my searches, most recommended OAuth2 so I switched to it.
    >
    > Err ... perhaps not? The use of a browser to delegate sign on is not necessarily a good idea, because it introduces layers of complication and with it potential vulnerabilities. Random explainer here:
    >
    > https://medium.com/securing/what-is-going-on-with-oauth-2-0-and-why-you-should-not-use-it-for-authentication-5f47597b2611
    >
    > I recall some IMAP4 devs complaining about it, but Google pushed on regardless. From the end of May if you want to login to Gmail you have no option but to use OAuth2. I expect this will break some users login if they have not disabled what Google calls "Less secure application access" and shared with Google their mobile phone number and what other *private* information Google wants to know, before it allows you to access your email messages.

    Would a practical alternative be to have all gmail messages forwarded to another account? I haven't looked into this, but I have a gmail account, which perhaps I could set up to forward (relay?) all incoming mail to my Zen account.

    --
    Regards,
    Peter.

  • From Matt Connell (Gmail)@21:1/5 to Peter Humphrey on Fri Jun 3 17:00:02 2022
    On Fri, 2022-06-03 at 12:57 +0100, Peter Humphrey wrote:
    > Would a practical alternative be to have all gmail messages forwarded to another account?

    I did this for years before I decided to finally close that google
    account.

    Ironically I can't close this one (yet) because the gentoo mailing list
    won't allow me to subscribe with an email address with a .tech TLD :(

  • From Dale@21:1/5 to Dale on Sat Jul 23 21:00:01 2022
    Dale wrote:
    > Howdy,
    >
    > Early this morning Seamonkey could no longer fetch emails. It wouldn't accept the username and password. I did some searching and it seems that Google is disabling plain text username and password. Honestly, sounds like a good idea really. During my searches, most recommended OAuth2 so I switched to it. I'd never heard of it before but dove in head first. Turns out, easy enough. When I hit Get Msgs after changing the settings, it asked for the password and it started downloading emails. My first thought, yeppie!!
    >
    > After a while, I noticed it wasn't downloading new emails automatically. I have it set to check for new messages every 10 minutes or so. I had to hit the Get Msgs button each time. I'd prefer it to do it automatically. I tried restarting Seamonkey and even changing the settings for doing it automatically, in case a config file needed updating after the switch, still doesn't do it automatically. I'm attaching a screenshot of the settings.
    >
    > Does using OAuth2 disable automatically fetching messages or am I missing some other setting? It worked fine until I switched to OAuth2 so I don't know what else it could be. Is there something better than OAuth2 that gmail supports? I just picked the first option I found.
    >
    > Thoughts??
    >
    > Dale
    >
    > :-)  :-)

    I was hoping an update to Seamonkey would fix this issue. It was just a bug and would be fixed. Well, I updated the other day and it still doesn't fetch email until I tell it to. I've tested this numerous times. It just plain doesn't fetch on its own anymore.

    Anyone have ideas on how to fix this. If anyone needs more info, just let me know. I'll either attach the text or a picture if it is a menu type thing that can't be copied.

    Thanks.

    Dale

    :-)  :-) 

  • From Wol@21:1/5 to Dale on Sat Jul 23 21:30:01 2022
    On 23/07/2022 19:58, Dale wrote:
    > Anyone have ideas on how to fix this. If anyone needs more info, just let me know. I'll either attach the text or a picture if it is a menu type thing that can't be copied.

    Could something have messed up your settings? TB won't collect mail
    unless you tell it to poll every 5 mins or so (it's configured by
    default to do so).

    But if it's accidentally been configured to only check when asked ...

    Cheers,
    Wol
