Gmail SMTP authentication

JonB

@artwaw said in Gmail SMTP authentication:

follow the help page https://support.google.com/accounts/answer/185833?hl=en-GB

Under "Signing in to Google," select App Passwords. You may need to sign in. If you don’t have this option, it might be because:

2-Step Verification is not set up for your account.

For my own Gmail I do not see any "App Passwords". That may be because I personally do not have 2-step active, and don't wish to do so/try it out....

At the bottom, choose Select app and choose the app you using and then Select device and choose the device you’re using and then Generate.

If I (the end user) got this far, I don't know how "our app" would appear as one to be selected. Sounds more like a list of apps registered with Google?

Let's say this does all work. Now that means 2-step verification with mobile is enabled. An end user does something in our desktop app which causes it to want to send SMTP email. That might mean Google wants to send a code to mobile and have user enter it? Would that authentication appear on the desktop OK when run from a non-web desktop Python Qt program?

artwaw

@JonB said in Gmail SMTP authentication:

, I don't know how "our app" would appear as one to be selected

it does not matter. Select "custom", provide recognisable name:

After providing the name you'll see something like this:

The yellow is the password (no spaces). Make a copy as this disappears forever as you hit "done". Then just use the users full email and that password to login to smtp.

This circumvents 2FA, so nothing will be sent anywhere in that regard. As this hampers the security aspect of the account take special care not to share those credentials.

JonB

@artwaw
Thanks, this looks great!

I note it says "from Apps on devices that don't support 2-step". As I said earlier, I never get to see what you show

For my own Gmail I do not see any "App Passwords". That may be because I personally do not have 2-step active, and don't wish to do so/try it out....

so still not sure how I'm supposed to get to the screenshot you show, unfortunately....

artwaw

@JonB I am afraid that rolling 2FA is unavoidable for this.
(A side note outside of the topic is that 2FA should be mandatory wherever possible for obvious security reasons, but that's just my sysadmin persona speaking).

JonB

@artwaw said in Gmail SMTP authentication:

@JonB I am afraid that rolling 2FA is unavoidable for this.

OK, but the text says "for devices which do not support 2FA"! That's pretty confusing! Does it mean "You will need to use 2FA enabled on your account in order to set this up for your app, but then an end user will not need 2FA to use this way of connecting to Gmail SMTP once you have set it up"?

artwaw

@JonB said in Gmail SMTP authentication:

You will need to use 2FA enabled on your account in order to set this up for your app, but then an end user will not need 2FA to use this way of connecting to Gmail SMTP once you have set it up"?

That is my understanding of the situation, yes. (Please bear in mind that I did not work outside 2FA Google environment for quite some years now)

artwaw

@JonB
Take a look at the original message you've got from google:

"On May 30, you may lose access to apps that are using less secure sign-in technology. To help keep your account secure, Google will no longer support the use of third-party apps or devices which ask you to sign in to your Google Account using only your username and password. Instead, you’ll need to sign in using Sign in with Google or other more secure technologies, like OAuth 2.0."

That implies that logging in with google functionality will cease to work without 2FA challenge enabled. But in order to keep the functionality you have now, you need to enable 2FA and generate the "less secure app" credentials. That's the scope of the changes you face, if I read the situation correctly.

JonB

@artwaw
All good, thank you very much for your time. I will have to try this out --- or rather, get others to try it out.

I cannot be sure but am marking this topic as solved.

mchinand

I'm not sure how it works in the background for initiating this request for access, but for my Synology NAS I recently set up email notifications. In the process of configuring it, it went to a Google page asking to authorize access to send emails on my behalf. Going to the Security page of my Google account and viewing the 'Third-Party Apps with Account Access', I now have Synology listed; perhaps your app will have to obtain the same authorization.

JonB

@mchinand
Yeah, that (the need to "register" anything about the app with Google) is precsiely what I am hoping to avoid, which I believe/hope @artwaw's suggestions will allow me to do. The app is not released, not for sale, not for general consumption, so we don't need such hassles!

mchinand

I'm not entirely sure just ensuring 2FA is enabled will work. In Google's message, they mention using either Sign In With Google or OAuth2. 'Sign In With Google' is one of their APIs, I don't think they are using it in the generic sense, sign-in with Google. https://developers.google.com/identity/gsi/web

artwaw

@mchinand But this is SAML/OAuth authentication. It is a different mechanism than the one we try to workout here.