4

Is there any way I can read mail with emacs that comes from a gmail account protected with compulsory 2-factor auth? Application-specific passwords are disabled for GMail by my employer. So I can't use the usual workaround of setting an application-specific password.

Google says that Apple Mail and iOS are able to do this, but doesn't explain how. And I know that Apple Mail works because one of my colleagues uses it.

Ideally I want to use IMAP, so that I can read emails from my phone too.

BTW, this is not Google's 2 factor auth but a third-party SSO provider.

Robin Green

3 Answers

6

Google Mail uses a proprietary—it doesn't appear to be standardised nor used anywhere else—SASL extension named XOAUTH2 to support OAuth 2.0 tokens for SMTP/IMAP authentication. See IMAP and SMTP for more information about these extensions. These OAuth tokens are supplied by the Google Identity Platform API which—among other things—provides the familiar Google Login screen you see everywhere Google is used for authentication.

All of this is proprietary, albeit publicly accessible. As such, I doubt that any Emacs mail client has support for SASL XOAUTH2, let alone for Google Identity sign-in.

I am afraid that without application-specific passwords you'll not be able to use an Emacs mail client for Google Mail out of the box.

You'll have to sit down, work through the API documentation, and write a significant non-trivial amount of code to hook this authentication API into Gnus or whatever other mail client and MTA you use.

  • Well, while you've been doubting, gnus has been Oauth2 compatible like from day 2 of the specs publication (that's years from now) and basically all the current, maintained Emacs modules that use Gmail services (and that makes for quite a lot) are, too. A few random links: http://blog.jenkster.com/2013/10/an-oauth2-in-emacs-example.html https://stackoverflow.com/questions/26705979/ses-oauth-workflow-in-emacs https://julien.danjou.info/blog/2011/google-contacts-for-emacs https://github.com/kensanata/ggg – yPhil Aug 28 '17 at 04:14
  • @yPhil I'm happy to delete this answer if you can add one that shows how to use OAuth2 with GNUS and GMail. I can't find this in the links you shared. –  Aug 28 '17 at 08:24
  • You can also generate an "app password" in your Google account dashboard, and use it as your IMAP and SMTP password, thus "overriding" the 2 steps: see [my own mail client](https://bitbucket.org/yassinphilip/mail-bug) for a practical implementation. – yPhil Aug 29 '17 at 11:12
  • @yPhil Please be aware that the question asked for a way without app passwords: “Application-specific passwords are disabled for GMail by my employer. So I can't use the usual workaround of setting an application-specific password.” –  Aug 29 '17 at 15:03
  • @lunaryom I overlooked that, you're right. – yPhil Aug 31 '17 at 21:12
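
The XOAUTH2 mechanism named in the answer above has a small wire format. The following is an added example (not part of the original answer, and not code from Gnus or any Emacs package) that builds the initial client response and decodes the server's error challenge as described in Google's XOAUTH2 documentation. The function names and sample values are made up for illustration, and obtaining the OAuth 2.0 access token is assumed to happen elsewhere.

```python
import base64
import json

# XOAUTH2 separates its fields with Ctrl-A (0x01).
SEP = "\x01"


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """Return the base64 argument for 'AUTHENTICATE XOAUTH2 <arg>'."""
    for field in (user, access_token):
        # Reject control characters so a value cannot add an extra SASL
        # field or break out of the IMAP/SMTP command line.
        if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in field):
            raise ValueError("control character in XOAUTH2 field")
    raw = f"user={user}{SEP}auth=Bearer {access_token}{SEP}{SEP}"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def decode_error_challenge(challenge_b64: str) -> dict:
    """Decode the base64 JSON sent after '+ ' when the token is rejected.

    The client answers that challenge with an empty line and then
    receives the tagged NO response.
    """
    return json.loads(base64.b64decode(challenge_b64, validate=True))


def redact(response_b64: str) -> str:
    """Log-safe rendering: the response is a bearer credential."""
    raw = base64.b64decode(response_b64).decode("utf-8")
    return raw.split(SEP, 1)[0] + " auth=Bearer <redacted>"


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    resp = xoauth2_initial_response("me@example.com", "CONSTRUCTED-TOKEN")
    print("C: A1 AUTHENTICATE XOAUTH2", resp)
    print("log:", redact(resp))
    # Constructed example of a server error challenge.
    err = base64.b64encode(
        b'{"status":"401","schemes":"bearer","scope":"https://mail.google.com/"}'
    ).decode("ascii")
    print("S: +", err)
    print("decoded:", decode_error_challenge(err))
```

The base64 string is equivalent to a password for as long as the token is valid, so it should not appear in debug logs or IMAP traces.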
1

For those who find this question because of:

Warning: Opening nnimap server on gmail...failed: NO (ALERT) Application-specific password required: https://support.google.com/accounts/answer/185833 (Failure); Server nnimap+gmail previously determined to be down; not retrying

and don't try to go the XOAUTH2 path (as the OP wanted), following the instructions in the error helps to avoid it.

So, following https://myaccount.google.com/apppasswords, I generated an "Other" type password for Emacs IMAP/SMTP and updated my ~/.authinfo:

machine imap.gmail.com login me@gmail.com password ROBO
machine smtp.gmail.com login me@gmail.com password ROBO

You can force Gnus to reload configs with r (or M-x gnus-group-read-init-file).

gavenkoa
0

It should be possible to use offlineimap master to download the mails, and then any emacs mail client that works with offlineimap, to view them. However, this will not allow sending emails using the correct SMTP server, so it is at best a partial solution.

Robin Green