Google stopping IMAP and SMTP access an moving to proprietary protocols?
On Thu Aug 29 2019 15:50:36 GMT-0400 (Eastern Standard Time), Ben
Bucksch ben.bucksch@beonex.com wrote:
I'd be in favor for a replacement of IMAP, but any new standard should
first be widely accepted by everybody before the old one is disabled.
Repeat after me... JMAP.
Add support for new JMAP protocol
bug 1322991 - https://bugzilla.mozilla.org/show_bug.cgi?id=1322991
Dovecot is close to supporting it, as is Cyrus, and Fastmail already is
and has been using it on their server for a long time.
On Thu Aug 29 2019 20:31:34 GMT-0400 (Eastern Standard Time), Matt
Harris unicorn.consulting@gmail.com wrote:
On 29-Aug-19 10:17 PM, Tanstaafl wrote:
On Wed Aug 28 2019 18:38:54 GMT-0400 (Eastern Standard Time), Ben
Bucksch ben.bucksch@beonex.com wrote:
You cannot use IMAP without a web browser (!) anymore.
? I do it all the time.
Oh, Thunderbird acts as a web browser when doing oAuth
authentication,
Of course, but that is only for the AUTH aspect, which has nothing to do
with IMAP except that it happens to be riding on top of it.
OAUTH2 is an auth framework, and can work with lots of different kinds
of application, it is not limited to being used for IMAP authentication.
Joshua Cranmer 🐧 wrote on 30.08.19 01:26:
On 8/29/2019 3:50 PM, Ben Bucksch wrote:
Concrete things that I'm missing in our case: - Definition of the specific SASL scheme, so that I can connect IMAP with OAUTH2. (As said, this must work 100% identical for all ISPs.)
... Every protocol that implements SASL is required to list the supported mechanisms, and OAUTHBEARER is the correct SASL scheme.
Right. Just that Google, who we're talking about here, doesn't use it.
1 CAPABILITY:
Google imap.google.com:
<pre class="prettyprint">```
<span class="pun">*</span><span class="pln"> CAPABILITY IMAP4rev1 UNSELECT LITERAL</span><span class="pun">+</span><span class="pln"> IDLE NAMESPACE QUOTA ID XLIST CHILDREN X</span><span class="pun">-</span><span class="pln">GM</span><span class="pun">-</span><span class="pln">EXT</span><span class="pun">-</span><span class="lit">1</span><span class="pln">
</span>
<https://developers.google.com/gmail/imap/imap-extensions>
<https://developers.google.com/gmail/imap/imap-smtp>
Note the complete absense of any SASL mechanisms, not even AUTH=PLAIN or the old AUTH=XOAUTH2. Which underlines my statement that Google doesn't implement the standards properly, or the standards are lacking. In any case, it's not discoverable for a generic client. You cannot support Google without special hacks for Google. That's not a standard.
Yahoo imap.mail.yahoo.com:
\* OK \[CAPABILITY IMAP4rev1 SASL-IR AUTH=PLAIN AUTH=XOAUTH2 AUTH=OAUTHBEARER ID MOVE NAMESPACE XYMHIGHESTMODSEQ UIDPLUS LITERAL+ CHILDREN X-MSG-EXT OBJECTID\] IMAP4rev1 Hello
They do it properly.
web.de imap.web.de:
\* CAPABILITY IMAP4rev1 CHILDREN ENABLE ID IDLE LIST-EXTENDED LIST-STATUS LITERAL- MOVE NAMESPACE QUOTA SASL-IR SORT SPECIAL-USE THREAD=ORDEREDSUBJECT UIDPLUS UNSELECT WITHIN AUTH=LOGIN AUTH=PLAIN
They are the best, because they require OAuth2 and support all interesting and latest extensions, like LIST-EXTENDED (instead of XLIST).
> > - Knowing how I get the JSON result, given that I'm in an interactive browser session.
> > - Google says I should use the system web browser for their OAUTH2 login. I can launch a URL there, but wouldn't know how to follow which URL we're at or get the JSON result from that, given that there is no defined API that works cross-browser. Obviously, we'd need an API for all of Windows, Mac, Linux, Android and iOS.
> > - The "scope" is currently completely up to the ISP to define, yet I need to pass the right scope in. I'm dead already with this little detail. This would need to be defined in a standard.
> > - Google, Microsoft and others want me to register my application and authenticate the calls from my app. That poses 3 concrete problems:
> > - ... It's practically impossible to get the secrets from all ISPs in the world, because there are thousands. Note that all app authors would need to get the secrets for all ISPs. Imagine I just want to make an open-source "mail check" app. That's practically impossible....
>
> There are mechanisms to register the client ID dynamically, and mechanisms for the authentication process to tell you where to find the OAuth parameters to do the request (including endpoint locations). However, these mechanisms are optional. We should have made implementation in Thunderbird contingent on providers actually supporting these flows as an incentive to get them to do the work.
If Google requires OAuth2 and doesn't support these mechanisms (could you provide links, please?), that's not helping us, is it?
As long as I need to have special code or hardcoded values for Google, they are not using standards. They support standards, if I can simply code against IETF specs, without additional information for Google, and it works.
For almost all ISPs in the world, it works without special cases. Google and Microsoft are the big exceptions. Apple works just fine out of the box without any special code whatsoever.
On Fri Aug 30 2019 10:44:47 GMT-0400 (Eastern Standard Time), Ben
Bucksch ben.bucksch@beonex.com wrote:
If Google requires OAuth2 and doesn't support these mechanisms (could
you provide links, please?), that's not helping us, is it?
As long as I need to have special code or hardcoded values for Google,
they are not using standards. They support standards, if I can simply
code against IETF specs, without additional information for Google, and
it works.
For almost all ISPs in the world, it works without special cases. Google
and Microsoft are the big exceptions. Apple works just fine out of the
box without any special code whatsoever.
Sadly, Google (and a few others) are big enough they can whatever they
want (to a point I guess) and get away with it, forcing us to just have
to deal with it.
On 30.08.19 16:44, Ben Bucksch wrote:
Joshua Cranmer 🐧 wrote on 30.08.19 01:26:
On 8/29/2019 3:50 PM, Ben Bucksch wrote:
Concrete things that I'm missing in our case:
- Definition of the specific SASL scheme, so that I can connect
IMAP with OAUTH2. (As said, this must work 100% identical for all
ISPs.)
... Every protocol that implements SASL is required to list the
supported mechanisms, and OAUTHBEARER is the correct SASL scheme.
Right. Just that Google, who we're talking about here, doesn't use it.
1 CAPABILITY:
Google imap.google.com:
|*CAPABILITY IMAP4rev1 UNSELECT LITERAL+IDLE NAMESPACE QUOTA ID XLIST
CHILDREN X-GM-EXT-1|
Can't confirm this, the documentation seems outdated:
Run
|openssl s_client -connect imap.gmail.com:imaps -crlf|
then type "? CAPABILITY" <enter>
and you'll see:
|* OK Gimap ready for requests from A.B.C.D. blablabla|
|? CAPABILITY|
|* CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST|
| CHILDREN X-GM-EXT-1 XYZZY SASL-IR|
| AUTH=XOAUTH2 AUTH=PLAIN AUTH=PLAIN-CLIENTTOKEN|
| AUTH=OAUTHBEARER AUTH=XOAUTH|
Close with Ctrl+d or Ctrl+c
The same for SMTP:
|openssl s_client -starttls smtp -connect imap.gmail.com:submission|
then type "EHLO <your FQDN host name>" <enter>
and you'll see:
|250 SMTPUTF8|
|EHLO <your FQDN>|
|250-smtp.gmail.com at your service, [A.B.C.D]|
|250-SIZE 35882577|
|250-8BITMIME|
|250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH|
|250-ENHANCEDSTATUSCODES|
|250-PIPELINING|
|250-CHUNKING|
|250 SMTPUTF8|
Close with Ctrl+d or Ctrl+c
So, both IMAPS and SMTP/submission advertise OAUTHBEARER.
Claudio
On 8/30/2019 10:44 AM, Ben Bucksch wrote:
Joshua Cranmer 🐧 wrote on 30.08.19 01:26:
On 8/29/2019 3:50 PM, Ben Bucksch wrote:
Concrete things that I'm missing in our case:
- Definition of the specific SASL scheme, so that I can connect
IMAP with OAUTH2. (As said, this must work 100% identical for
all ISPs.)
... Every protocol that implements SASL is required to list the
supported mechanisms, and OAUTHBEARER is the correct SASL scheme.
Right. Just that Google, who we're talking about here, doesn't use it.
1 CAPABILITY:
Google imap.google.com:
|*CAPABILITY IMAP4rev1 UNSELECT LITERAL+IDLE NAMESPACE QUOTA ID XLIST
CHILDREN X-GM-EXT-1|
|You're citing the capability list from the website. Using telnet -z ssl
imap.gmail.com 993:|
|* OK Gimap ready for requests from <redacted>
1 CAPABILITY
- CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN
X-GM-EXT-1 XYZZY SASL-IR AUTH=XOAUTH2 AUTH=PLAIN AUTH=PLAIN-CLIENTTOKEN
AUTH=OAUTHBEARER AUTH=XOAUTH
1 OK Thats all she wrote!|
|Look, I know you're not stupid, so why didn't you attempt to actually
get the capability list from an IMAP session like you did for the other
servers you described? As a Thunderbird developer, you should be well
aware that any online documentation may not actually match the current
capabilities. :-) Running an AUTHENTICATE OAUTHBEARER manually shows
that the resulting struct on an error only has the scope and status
fields in the JSON struct, not the openid-configuration field.
|
- Knowing how I get the JSON result, given that I'm in an
interactive browser session. - Google says I should use the system web browser for their OAUTH2
login. I can launch a URL there, but wouldn't know how to follow
which URL we're at or get the JSON result from that, given that
there is no defined API that works cross-browser. Obviously,
we'd need an API for all of Windows, Mac, Linux, Android and iOS. - The "scope" is currently completely up to the ISP to define, yet
I need to pass the right scope in. I'm dead already with this
little detail. This would need to be defined in a standard. - Google, Microsoft and others want me to register my application
and authenticate the calls from my app. That poses 3 concrete
problems:
o ... It's practically impossible to get the secrets from all
ISPs in the world, because there are thousands. Note that
all app authors would need to get the secrets for all ISPs.
Imagine I just want to make an open-source "mail check" app.
That's practically impossible....
There are mechanisms to register the client ID dynamically, and
mechanisms for the authentication process to tell you where to find
the OAuth parameters to do the request (including endpoint
locations). However, these mechanisms are optional. We should have
made implementation in Thunderbird contingent on providers actually
supporting these flows as an incentive to get them to do the work.
If Google requires OAuth2 and doesn't support these mechanisms (could
you provide links, please?), that's not helping us, is it?
The links can be found in the references of RFC 7628, the specification
for OAuth SASL. Dynamic client regitration is RFC 7591, while the OpenID
discovery protocol is located at
http://openid.net/specs/openid-connect-discovery-1_0.html.
--
Joshua Cranmer
Thunderbird and DXR developer
Source code archæologist