Google Mail

[Brian May]

I just received an email from Google saying that they will stop
supporting username/password authentication for protocols like IMAP in
June 15, 2020. Or maybe February 15, 2021, I am a bit unclear here.
Curiously, POP isn't mentioned, I assume it will be affected too.
Presumably this means Application Specific Passwords will stop working,
although that term isn't mentioned once in the email.

I believe SMTP should continue working.

Are there any alternatives to fetching mail with something like
fetchmail that support Google's OAuth?

Or maybe I should switch email providers to one that is actually
friendly to open source software (unfortunately not always on option,
e.g. for work email).

=== cut ===

G Suite logo

Beginning June 15, 2020, non-Google apps that use only a password to access  
Google accounts will no longer be supported.

Starting February 15, 2021, G Suite accounts will only allow access to apps  
using OAuth. Password-based access will no longer be supported.

Dear Administrator,

We're constantly working to improve the security of your organization's  
Google accounts. As part of this effort, and in consideration of the  
current threat landscape, we'll be turning off access to less secure apps  
(LSA) — non-Google apps that can access your Google account with only a  
username and password, without requiring any additional verification steps.  
Access through only a username and password makes your account more  
vulnerable to hijacking attempts. Moving forward, only apps that support a  
more modern and secure access method called OAuth will be able to access  
your G Suite account.

Access to LSAs will be turned off in two stages:

June 15, 2020 - Users who try to connect to an LSA for the first time will  
no longer be able to do so. This includes third-party apps that allow  
password-only access to Google calendars, contacts, and email via protocols  
such as CalDAV, CardDAV and IMAP. Users who have connected to LSAs prior to  
this date will be able to continue using them until usage of all LSAs is  
turned off.
February 15, 2021 - Access to LSAs will be turned off for all G Suite  
accounts.

What do I need to do?

To continue using a specific app with your G Suite accounts, users in your  
organization must switch to a more secure type of access called OAuth. This  
connection method allows apps to access accounts with a digital key instead  
of requiring a user to reveal their username and password. We recommend  
that you share the user instructions (included below) with individuals in  
your organization to help them make the necessary changes. Alternatively,  
if your organization is using custom tools, you can ask the developer of  
the tool to update it to use OAuth. Developer instructions are also  
included below.

MDM configuration

If your organization uses a mobile device management (MDM) provider to  
configure CalDAV, CardDAV, and Exchange ActiveSync (Google Sync) profiles,  
these services will be phased out according to the timeline below:

June 15, 2020 - MDM push of IMAP, CalDAV, CardDAV, and Exchange ActiveSync  
(Google Sync) will no longer work for new users.
February 15, 2021 - MDM push of IMAP, CalDAV, CardDAV, and Exchange  
ActiveSync (Google Sync) will no longer work for existing users. Admins  
will need to push a Google Account using their MDM provider, which will  
re-add their Google accounts to iOS devices using OAuth.

Other less secure apps

For any other LSA, ask the developer of the app you are using to start  
supporting OAuth.
If you use other apps on iOS or MacOS that access your G Suite account  
information through only a password, most access issues can be resolved by  
removing then re-adding your account. When you add it back, make sure to  
select Google as the account type to automatically use OAuth.

Scanners and other devices

No change is required for scanners or other devices using simple mail  
transfer protocol (SMTP) or LSAs to send emails. If you replace your  
device, look for one that sends email using OAuth.

User instructions

If you are using an app that accesses your Google account with only a  
username and password, take one of the following actions to switch to a  
more secure method and continue to access your email, calendar, or  
contacts. If you do not take one of the following actions, when LSA access  
is discontinued after February 15, 2021, you will begin receiving an error  
message that your username-password combination is incorrect.

Email

If you are using stand-alone Outlook 2016 or earlier, move to Office 365 (a  
web-based version of Outlook) or Outlook 2019, both of which support OAuth  
access. Alternatively you can use G Suite Sync for Microsoft Outlook.
If you are using Thunderbird or another email client, re-add your Google  
Account and configure it to use IMAP with OAuth.
If you are using the mail app on iOS or MacOS, or Outlook for Mac, and use  
only a password to login, you'll need to remove and re-add your account.  
When you add it back, select “sign in with Google” to automatically use  
OAuth.

Mac OS iOS

mail app view Mac OS

mail app view iOS

Calendar

If you use CalDAV to give an app or device access to your calendar, switch  
to a method that supports OAuth. We recommend the Google Calendar app  
[Web/iOS/Android] as the most secure app to use with your G Suite account.
If your G Suite account is linked to the calendar app in iOS or MacOS and  
uses only a password to login, you'll need to remove and re-add your  
account to your device. When you add it back, select “sign in with Google”  
to automatically use OAuth. Read more

Contacts

If your G Suite account is syncing contacts to iOS or MacOS via CardDAV and  
uses only a password to login, you'll need to remove your account. When you  
add it back, select “sign in with Google” to automatically use OAuth. Read  
More
If your G Suite account is syncing contacts to any other platform or app  
via CardDAV and uses only a password to login, switch to a method that  
supports OAuth.

Note: If the app you are using does not support OAuth, you will need to  
switch to an app that offers OAuth, or ask your admin to contact the  
supplier of your app and request that they add OAuth as a way of connecting  
your Google account.

Developer instructions

To maintain compatibility with G Suite accounts, update your app to use  
OAuth 2.0 as a connection method. To get started, follow our developer  
guide on using OAuth 2.0 to access Google APIs. You can also refer to our  
guide on OAuth 2.0 for mobile & desktop apps.

How can I get help?

If you have additional questions or need assistance, please contact G Suite  
support. When you call or submit your support case, reference issue number  
145694552.

Thanks for choosing G Suite.

—The G Suite Team

Was this information helpful?
YES NO

© 2019 Google LLC 1600 Amphitheatre Parkway, Mountain View, CA 94043

You have received this important update about your G Suite account because  
you designated this email address as a primary or secondary contact for  
mandatory service communications in your Google Admin console profile.

-- 
Brian May <brian at linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/