Gmail and Claws
Ori Berger
linux-il at orib.net
Sun Apr 26 00:49:53 IDT 2020
On 25/04/2020 22:22, shlomo solomon wrote:
> Google/Gmail has decided to drive me crazy and I hope someone can help.
>
> 5 - to allow this, I have Gmail set up to allow POP access and my
> Google account set up to allow "Less secure app access" (Google-speak
> for anything not provided or controlled by Google).
No, that's not what allowing "Less secure app access" means.
It used to be that you had one password to an account (say, your gmail
account), and knowing that password would automatically give every
permission to whoever provided it. But as more and more things need to
interface these things today, it is now common to break the security
such that:
a) There is still indeed one main account password (potentially aided by
a 2nd factor), however ...
b) That account password is ONLY used with the main interface - in
Google's case, the "accounts.google.com" domain; and that once you log
in there
c) You can delegate specific, limited access to different applications
through that interface.
Now, as long as you're within the Google system (e.g. YouTube, Calendar,
Hangouts, etc.), this is all handled internally. But as soon as you exit
that system, e.g. by using Thunderbird or Claws, you have some friction
with the delegation step (c).
One way supported by Google (and Facebook, and Apple, and others) is
OAuth2 - that app makes a request to Google for specific permissions;
you log in to accounts.google.com (after being redirected into it by
that app), and Google asks you to approve the specific permissions
requested by that app or website. If you do, that app/site gets a
"token" (for all practical purposes, a username+password for that
app/site uniquely generated for that approval process) that they can
use, but that is limited to exactly those permissions that the app
requested and that you approved. Thunderbird has a "Google" connector
these days which does exactly that.
For older applications which do not support OAuth2, you can just go in
and generate an "App specific password" and specify those permissions
yourself; that's what you need to do for Claws. What you get is a
password that (assuming you asked for smtp/imap access) only works for
smtp/imap, and cannot be used to e.g. log into the Gmail web
applications and set up new forwards/filters. I do not know, but I
suspect, that they expect this password to be strictly used by one app -
e.g., I expect them to reject it if one day they see it being used from
Claws and the next day by Outlook (this information is sometimes
available directly in the protocol itself - e.g. claws and thunderbird
put a "User-Agent" mime header when they send a message - and is
sometimes inferred - e.g., if you have an X-MS-TNEF header, it's Outlook).
The rationale behind this system is not to give Google more control
(it's not like you previously could add forwarding setup through
imap/pop3) - but rather to limit the probability that your main,
all-powerful, password would leak from systems like Thunderbird or Claws
or PEBKAC which Google cannot directly secure. (There is, of course, a
very businessy reason here as well - sites like LinkedIn and Facebook
used to ask you for your mail username/password, "so we could make it
easier for you to see who of your contacts is in our system and send
them invites", which is a bad idea for everyone involved except
LinkedIn/Facebook - especially Google who competes with them; the speed
bump and warning "they can READ YOUR MAIL" significantly decreased the
viability of this spying method, to the point that LinkedIn and Facebook
dropped it - opting instead to ask for those permissions on their mobile
app...)
So, disabling "less secure app access" basically means "I will only use
my main google password on the google web site, not in any other way",
which is generally good for you.
> BUT, in the past few weeks, Gmail has randomly refused to let Claws
> access my mail. Sometimes this lasts for a short time and sometimes
> for hours or even a day or more.
>
> The Claws log shows:
>
> * Account 'GMail': Connecting to POP3 server: pop.gmail.com:995...
> [21:49:25] POP< +OK Gpop ready for requests from 89.237.110.180
> s20mb165349719wra
> [21:49:25] POP> USER shlomo.solomon at gmail.com
> [21:49:25] POP< +OK send PASS
> [21:49:25] POP> PASS ********
> [21:49:25] POP< -ERR [AUTH] Web login required:
> https://support.google.com/mail/answer/78754
> *** error occurred on authentication
> *** Authentication failed.
I have experienced this before several times, and 95% of the time it is
when I am outside Israel, which likely triggers the Google hacking/fraud
detection system, as I am using an IP that doesn't fit my standard usage
profile. If you have changed your ISP recently, either your home or
mobile, or occasionally use a VPN or Tor and have used your account in
non-standard (for you) context, that is a likely cause.
Gmail accounts are highly sought by spammers as they have virtually no
deliverability problems, and thus creating or stealing Google accounts
is continuously attempted on a mass scale; Google spends a lot of effort
fighting against this, and they have more false hacking positives than
ideal, especially for people outside the Win+Chrome norm such as yourself.
> The only thing I HAVE NOT tried (because I'm afraid it will make
> things worse rather than better) is to set up two-factor
> authentication and use an app password - I also have no idea how this
> works (or doesn't work) in Claws mail.
Last I used it, the 2fa and app passwords were independent settings; you
should be able to disable "less secure app access" and set up
application specific passwords without setting up 2fa. Once it works,
it's actually better - generate an app password for e.g. your phone, and
one for your laptop, and if one of them is lost you can revoke only that
one -- while at the same time, be sure that even if you didn't revoke it
in time, and a bad actor was able to retrieve the password from your
mail program before you realized the device was lost -- they still could
not use that app password to change your main password and lock you out
from your account, or other bad things - only read/send mail (which is
bad enough, granted, but not nearly as bad).
> And as I wrote above, after a while, the problem solves itself.
>
> And one more thing - I have additional Gmail accounts with the same
> setup and Gmail DOES allow Claws mail access, while denying access to
> my main account. So that's also weird.
No specific knowledge, but my inference is that Google has a "probable
use profile" for every account, which includes a list of devices,
browser versions, geographical locations, ISPs, times of day,
distribution of emails replied per day, distribution of emails
originated per day, average number of new contacts/addresses per day,
etc -- that's useful both for targeted advertising and to figure out if
the account has been hacked. For whatever reason, if my model is right
then, from your description, this specific account seems to occasionally
step outside of its "probable use profile" - either because of things
*you* do (such as VPN, Tor, travel, etc) or because it's on the model's
boundary all the time but *Google* tweaks some parameters (as they do
often) and sometimes you end up on the improbable side.
Additionally, you wrote you're forwarding *out* of Google and into your
own domain - from what I gather, this should be fine. However, if you
also have a catchall (or otherwise many accounts) that forward *into* a
google account, I suspect based on my previous research that this would
push you toward the hacked/spammer/improbable category.
And last but not least - do not assume that no one is trying to hack
into your account. It's possible that Google's hacking detection was
actually triggered by a hacking attempt you are not aware of, and that
they ask you to do a web login because they have much better control and
authentication on that front.
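As an added example (not part of Ori's message and not Claws Mail code), here is a small Python parser that reads a Claws POP3 transcript of the kind quoted above, masks the password argument so the log can be shared, and classifies the outcome, separating Google's "[AUTH] Web login required" block (an interactive-login demand, where retrying the same credentials will not help) from an ordinary rejected password. The two sample transcripts, the address and the IP are constructed placeholders; the result field names and classification labels are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample logs in the Claws Mail POP3 transcript format quoted in
# the thread ("POP>" = client, "POP<" = server). Address and IP are placeholders.
SAMPLE_BLOCKED = """\
* Account 'GMail': Connecting to POP3 server: pop.gmail.com:995...
[21:49:25] POP< +OK Gpop ready for requests from 198.51.100.7 s20mb165349719wra
[21:49:25] POP> USER someone@example.com
[21:49:25] POP< +OK send PASS
[21:49:25] POP> PASS hunter2
[21:49:25] POP< -ERR [AUTH] Web login required: https://support.google.com/mail/answer/78754
*** error occurred on authentication
*** Authentication failed.
"""

# Constructed successful session (the server's success text is invented).
SAMPLE_OK = """\
* Account 'GMail': Connecting to POP3 server: pop.gmail.com:995...
[08:00:01] POP< +OK Gpop ready for requests from 198.51.100.7 a1b2c3
[08:00:01] POP> USER someone@example.com
[08:00:01] POP< +OK send PASS
[08:00:01] POP> PASS ********
[08:00:02] POP< +OK Welcome.
"""

SERVER_RE = re.compile(r"Connecting to POP3 server: (\S+?)\.\.\.")
CLIENT_RE = re.compile(r"^\[[\d:]+\] POP> (\S+)(?: (.*))?$")
# Status, optional bracketed response code (RFC 2449/3206 style, e.g. [AUTH]), free text.
SERVER_LINE_RE = re.compile(r"^\[[\d:]+\] POP< (\+OK|-ERR)(?: \[([A-Z/-]+)\])?(?: (.*))?$")
URL_RE = re.compile(r"https?://\S+")


@dataclass
class PopAuthResult:
    server: Optional[str] = None
    user: Optional[str] = None
    authenticated: Optional[bool] = None   # None: session never reached PASS
    error_code: Optional[str] = None       # bracketed response code, e.g. "AUTH"
    error_message: Optional[str] = None
    support_url: Optional[str] = None


def redact(line: str) -> str:
    """Mask the PASS argument so a transcript can be shared safely."""
    return re.sub(r"(POP> PASS) \S+", r"\1 ********", line)


def parse_session(text: str) -> PopAuthResult:
    """Extract server, user and the server's reply to PASS from a Claws log."""
    result = PopAuthResult()
    awaiting_pass_reply = False
    for raw in text.splitlines():
        line = redact(raw)
        m = SERVER_RE.search(line)
        if m:
            result.server = m.group(1)
            continue
        m = CLIENT_RE.match(line)
        if m:
            cmd, arg = m.group(1).upper(), m.group(2)
            if cmd == "USER":
                result.user = arg
            awaiting_pass_reply = cmd == "PASS"
            continue
        m = SERVER_LINE_RE.match(line)
        if m and awaiting_pass_reply:
            status, code, msg = m.groups()
            result.authenticated = status == "+OK"
            if status == "-ERR":
                result.error_code = code
                result.error_message = msg
                url = URL_RE.search(msg or "")
                result.support_url = url.group(0) if url else None
            awaiting_pass_reply = False
    return result


def classify(result: PopAuthResult) -> str:
    """Label the outcome so a retry loop or alert can act on the right cause."""
    if result.authenticated:
        return "ok"
    if result.authenticated is None:
        return "no_auth_attempt"
    msg = (result.error_message or "").lower()
    if result.error_code == "AUTH" and "web login required" in msg:
        # Interactive web login demanded: a risk-based block, not proof of a
        # wrong password, so retrying the same credentials will not help.
        return "web_login_required"
    if result.error_code == "AUTH":
        return "credentials_rejected"
    if result.error_code and result.error_code.startswith(("SYS", "IN-USE", "LOGIN-DELAY")):
        return "server_side"
    return "unknown"


if __name__ == "__main__":
    for name, log in (("blocked", SAMPLE_BLOCKED), ("ok", SAMPLE_OK)):
        r = parse_session(log)
        print(name, classify(r), r)
```

The parser only inspects the server line that directly answers PASS, so banner text and later commands cannot be mistaken for the authentication verdict; the redaction runs before anything is stored, which is the habit to keep when pasting client logs into a mailing list.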