Gmail and Claws

shlomo solomon shlomo.solomon at gmail.com
Sun Apr 26 02:00:44 IDT 2020


Thanks for your very detailed answer. You make many valid points, but
to summarize, I understand that you suggest I set up an app password
and that may be what I'll have to do.

BUT, as far as I've read, there IS a connection between the 2fa and
app passwords settings. The Google support site says:

On the "Signing in to Google" panel, choose App Passwords. If you
don’t see this option:
- 2-Step Verification is not set up for your account.
- 2-Step Verification is set up for security keys only.
- Your account is through work, school, or other organization.
- You’ve turned on Advanced Protection for your account.

So setting this up may force me to use 2-factor to access other
things, such as Google Drive.

Just to be clear, I do not keep any sensitive data on Drive, so I
really don't care if it's secure and adding 2 factor will be really
inconvenient if it forces me to have my phone handy any time I want to
access Drive on my desktop computer.

BTW - concerning your mention of being out of the country, etc, that's
certainly not the problem in these crazy Covid-19 days :-(.
And I do not use tor or a VPN to access mail on Gmail or Claws.






On Sun, Apr 26, 2020 at 12:50 AM Ori Berger <linux-il at orib.net> wrote:
>
> On 25/04/2020 22:22, shlomo solomon wrote:
>
> > Google/Gmail has decided to drive me crazy and I hope someone can help.
> >
> > 5 - to allow this, I have Gmail set up to allow POP access and my
> > Google account set up to allow "Less secure app access" (Google-speak
> > for anything not provided or controlled by Google).
>
> No, that's not what allowing "Less secure app access" means.
>
> It used to be, that you had one password to an account (say, your gmail
> account), and knowing that password would automatically give every
> permission to whoever provided it. But as more and more things need to
> interface these things today, it is now common to break the security
> such that:
>
> a) There is still indeed one main account password (potentially aided by
> a 2nd factor), however ...
>
> b) That account password is ONLY used with the main interface - in
> Google's case, the "accounts.google.com" domain; and that once you log
> in there
>
> c) You can delegate specific, limited access to different applications
> through that interface.
>
> Now, as long as you're within the Google system (e.g. YouTube, Calendar,
> Hangouts, etc.), this is all handled internally. But as soon as you exit
> that system, e.g. by using Thunderbird or Claws, you have some friction
> with the delegation step (c).
>
> One way supported by Google (and Facebook, and Apple, and others) is
> OAuth2 - that app makes a request to Google for specific permissions;
> You log in to accounts.google.com (after being redirected into it by
> that app), and Google asks you to approve the specific permissions
> requested by that app or website. If you do, that app/site gets a
> "token" (for all practical purposes, a username+password for that
> app/site uniquely generated for that approval process) that they can
> use, but that is limited to exactly those permissions that the app
> requested and that you approved. Thunderbird has a "Google" connector
> these days which does exactly that.
>
> For older applications which do not support OAuth2, you can just go in
> and generate an "App specific password" and specify those permissions
> yourself; That's what you need to do for Claws. What you get is a
> password that (assuming you asked for smtp/imap access) only works for
> smtp/imap, and cannot be used to e.g. log into the Gmail web
> applications and set up new forwards/filters. I do not know, but I
> suspect, that they expect this password to be strictly used by one app -
> e.g., I expect them to reject it if one day they see it being used from
> Claws and the next day by Outlook; this information is sometimes
> available directly in the protocol itself - e.g. claws and thunderbird
> put a "User-Agent" mime header when they send a message - and is
> sometimes inferred - e.g., if you have an X-MS-TNEF header, it's Outlook.
>
> The rationale behind this system is not to give Google more control
> (it's not like you previously could add forwarding setup through
> imap/pop3) - but rather to limit the probability that your main,
> all-powerful, password would leak from systems like Thunderbird or Claws
> or PEBKAC which Google cannot directly secure. (There is, of course, a
> very businessy reason here as well - sites like LinkedIn and Facebook
> used to ask you for your mail username/password, "so we could make it
> easier for you to see who of your contacts is in our system and send
> them invites", which is a bad idea for everyone involved except
> LinkedIn/Facebook - especially Google who competes with them; The speed
> bump and warning "they can READ YOUR MAIL" significantly decreased the
> viability of this spying method, to the point that LinkedIn and Facebook
> dropped it - opting instead to ask for those permissions on their mobile
> app.....)
>
> So, disabling "less secure app access" basically means "I will only use
> my main google password on the google web site, not in any other way",
> which is generally good for you.
>
> > BUT, in the past few weeks, Gmail has randomly refused to let Claws
> > access my mail. Sometimes this lasts for a short time and sometimes
> > for hours or even a day or more.
> >
> > The Claws log shows:
> >
> > * Account 'GMail': Connecting to POP3 server: pop.gmail.com:995...
> > [21:49:25] POP< +OK Gpop ready for requests from 89.237.110.180
> > s20mb165349719wra
> > [21:49:25] POP> USER shlomo.solomon at gmail.com
> > [21:49:25] POP< +OK send PASS
> > [21:49:25] POP> PASS ********
> > [21:49:25] POP< -ERR [AUTH] Web login required:
> > https://support.google.com/mail/answer/78754
> > *** error occurred on authentication
> > *** Authentication failed.
>
> I have experienced this before several times, and 95% of the time it is
> when I am outside Israel, which likely triggers the Google hacking/fraud
> detection system, as I am using an IP that doesn't fit my standard usage
> profile. If you have changed your ISP recently, either your home or
> mobile, or occasionally use a VPN or Tor and have used your account in
> non-standard (for you) context, that is a likely cause.
>
> Gmail accounts are highly sought by spammers as they have virtually no
> deliverability problems, and thus creating or stealing Google accounts
> is continuously attempted on a mass scale; Google spends a lot of effort
> fighting against this, and they have more false hacking positives than
> ideal, especially for people outside the Win+Chrome norm such as yourself.
>
> > The only thing I HAVE NOT tried (because I'm afraid it will make
> > things worse rather than better) is to set up two-factor
> > authentication and use an app password - I also have no idea how this
> > works (or doesn't work) in Claws mail.
>
> Last I used it, the 2fa and app passwords were independent settings; You
> should be able to disable "less secure app access" and set up
> application specific passwords without setting up 2fa. Once it works,
> it's actually better - generate an app password for e.g. your phone, and
> one for your laptop, and if one of them is lost you can revoke only that
> one -- while at the same time, be sure that even if you didn't revoke it
> in time, and a bad actor was able to retrieve the password from your
> mail program before you realized the device was lost -- they still could
> not use that app password to change your main password and lock you out
> from your account, or other bad things - only read/send mail (which is
> bad enough, granted, but not nearly as bad).
>
> > And as I wrote above, after a while, the problem solves itself.
> >
> > And one more thing - I have additional Gmail accounts with the same
> > setup and Gmail DOES allow Claws mail access, while denying access to
> > my main account. So that's also weird.
>
> No specific knowledge, but my inference is that Google has a "probable
> use profile" for every account, which includes a list of devices,
> browser versions, geographical locations, isps, times of day,
> distribution of emails replied per day, distribution of emails
> originated per day, average number of new contacts/addresses per day,
> etc -- that's useful both for targeted advertising and to figure out if
> the account has been hacked. For whatever reason, if my model is right
> then, from your description, this specific account seems to occasionally
> step outside of its "probable use profile" - either because of things
> *you* do (such as VPN, Tor, travel, etc) or because it's on the model's
> boundary all the time but *Google* tweaks some parameters (as they do
> often) and sometimes you end up on the improbable side.
>
> Additionally, you wrote you're forwarding *out* of Google and into your
> own domain - from what I gather, this should be fine. However, if you
> also have a catchall (or otherwise many accounts) that forward *into* a
> google account, I suspect based on my previous research that this would
> push you toward the hacked/spammer/improbable category.
>
> And last but not least - do not assume that no one is trying to hack
> into your account. It's possible that Google's hacking detection was
> actually triggered by a hacking attempt you are not aware of, and that
> they ask you to do a web login because they have much better control and
> authentication on that front.
>
>
> _______________________________________________
> Linux-il mailing list
> Linux-il at cs.huji.ac.il
> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
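
Added example (not part of either message, and not code from Claws or Google): a small Python parser for the POP3 session log quoted above. It rejoins the lines the mail wrapped and reads the bracketed response code in the -ERR reply, which is what separates a credential/policy rejection from a server fault. The sample log is constructed, with a placeholder address and server id; the code meanings follow RFC 2449 and RFC 3206.

```python
import re

# Constructed sample modelled on the quoted Claws log (placeholder address/id).
SAMPLE_LOG = """\
* Account 'GMail': Connecting to POP3 server: pop.gmail.com:995...
[21:49:25] POP< +OK Gpop ready for requests from 192.0.2.10
example-server-id
[21:49:25] POP> USER user@example.com
[21:49:25] POP< +OK send PASS
[21:49:25] POP> PASS ********
[21:49:25] POP< -ERR [AUTH] Web login required:
https://support.google.com/mail/answer/78754
*** error occurred on authentication
"""

# Extended response codes: RFC 2449 (LOGIN-DELAY, IN-USE), RFC 3206 (AUTH, SYS/*).
MEANING = {
    "AUTH": "problem with the user's credentials or login policy, not a server fault",
    "SYS/TEMP": "temporary server fault; retry later",
    "SYS/PERM": "permanent server fault; needs manual action",
    "LOGIN-DELAY": "logging in too often; wait before retrying",
    "IN-USE": "mailbox locked by another session",
}
LINE = re.compile(r"^\[(\d\d:\d\d:\d\d)\] POP([<>]) (.*)$")
ERR = re.compile(r"^-ERR(?: \[([A-Z/-]+)\])?\s*(.*)$")

def parse_session(log):
    """Return (direction, text) pairs, rejoining lines the log wrapped."""
    events = []
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            events.append([m.group(2), m.group(3)])
        elif events and raw and not raw.startswith("*"):
            events[-1][1] += " " + raw.strip()  # continuation of previous line
    return [tuple(e) for e in events]

def diagnose(log):
    """List (command, code, meaning, server text) for every -ERR reply."""
    findings, last_cmd = [], None
    for direction, text in parse_session(log):
        if direction == ">":
            last_cmd = (text.split() or ["?"])[0].upper()
            continue
        m = ERR.match(text)
        if m:
            code = m.group(1) or "NONE"
            meaning = MEANING.get(code, "no extended response code")
            findings.append((last_cmd, code, meaning, m.group(2)))
    return findings
```

Calling diagnose(SAMPLE_LOG) reports one failure, on the PASS command, with code AUTH and the support URL carried in the server text.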
