some of you might have seen bjoern's post regarding the current problematics with
below i'll inline a post on the Thunderbird-mailing list which is also
discussing Gmail/IMAP policy trajectories. Some folks claimed on that list that
Gmail would be actively discouraging mail apps from using imap and instead
use Gmail-special APIs. There are rumors but no announcements/links.
FYI, since beginning August DC saw a constant flow of people complaining
on twitter, DC contact addresses and other channels, about DC not working
with Gmail anymore. We had submitted a DC application (end july) to Google to be allowed
to continue to use OAUTH (it worked since Feb 2019) but despite multiple contact
attempts we have not heart a human reply, and got an initial "rejected" without
any reasons. Bjoern even tried to phone a german Google phone number but only
found a machine voice speaking some very generic 0800 numbers to try next.
Apart from taking a lot of time, this situations already damaged early adoption of
Delta Chat so it's more than unfortunate that Google's policy-makers apparently
Kafka's Castle as an inspiration for designing social interactions.
----- Forwarded message from Ben Bucksch <ben.bucksch(a)beonex.com> -----
Date: Fri, 30 Aug 2019 16:44:47 +0200
From: Ben Bucksch <ben.bucksch(a)beonex.com>
Subject: Re: [Maildev] Google stopping IMAP and SMTP access an moving to proprietary
Joshua Cranmer 🐧 wrote on 30.08.19 01:26:
On 8/29/2019 3:50 PM, Ben Bucksch wrote:
Concrete things that I'm missing in our case:
* Definition of the specific SASL scheme, so that I can connect IMAP
with OAUTH2. (As said, this must work 100% identical for all
... Every protocol that implements SASL is required to list the
supported mechanisms, and OAUTHBEARER is the correct SASL scheme.
Right. Just that Google, who we're talking about here, doesn't use it.
* CAPABILITY IMAP4rev1 UNSELECT LITERAL+ IDLE NAMESPACE QUOTA ID XLIST CHILDREN
Note the complete absense of any SASL mechanisms, not even AUTH=PLAIN or
the old AUTH=XOAUTH2. Which underlines my statement that Google doesn't
implement the standards properly, or the standards are lacking. In any
case, it's not discoverable for a generic client. You cannot support
Google without special hacks for Google. That's not a standard.
* OK [CAPABILITY IMAP4rev1 SASL-IR AUTH=PLAIN AUTH=XOAUTH2
AUTH=OAUTHBEARER ID MOVE NAMESPACE XYMHIGHESTMODSEQ UIDPLUS LITERAL+
CHILDREN X-MSG-EXT OBJECTID] IMAP4rev1 Hello
They do it properly.
* CAPABILITY IMAP4rev1 CHILDREN ENABLE ID IDLE LIST-EXTENDED LIST-STATUS
LITERAL- MOVE NAMESPACE QUOTA SASL-IR SORT SPECIAL-USE
THREAD=ORDEREDSUBJECT UIDPLUS UNSELECT WITHIN AUTH=LOGIN AUTH=PLAIN
They are the best, because they require OAuth2 and support all interesting
and latest extensions, like LIST-EXTENDED (instead of XLIST).
* Knowing how I get the JSON result, given that I'm in an
interactive browser session.
* Google says I should use the system web browser for their OAUTH2
login. I can launch a URL there, but wouldn't know how to follow
which URL we're at or get the JSON result from that, given that
there is no defined API that works cross-browser. Obviously, we'd
need an API for all of Windows, Mac, Linux, Android and iOS.
* The "scope" is currently completely up to the ISP to define, yet I
need to pass the right scope in. I'm dead already with this little
detail. This would need to be defined in a standard.
* Google, Microsoft and others want me to register my application
and authenticate the calls from my app. That poses 3 concrete
* ... It's practically impossible to get the secrets from all
ISPs in the world, because there are thousands. Note that all
app authors would need to get the secrets for all ISPs.
Imagine I just want to make an open-source "mail check" app.
That's practically impossible....
There are mechanisms to register the client ID dynamically, and
mechanisms for the authentication process to tell you where to find the
OAuth parameters to do the request (including endpoint locations).
However, these mechanisms are optional. We should have made
implementation in Thunderbird contingent on providers actually
supporting these flows as an incentive to get them to do the work.
If Google requires OAuth2 and doesn't support these mechanisms (could you
provide links, please?), that's not helping us, is it?
As long as I need to have special code or hardcoded values for Google,
they are not using standards. They support standards, if I can simply code
against IETF specs, without additional information for Google, and it
For almost all ISPs in the world, it works without special cases. Google
and Microsoft are the big exceptions. Apple works just fine out of the box
without any special code whatsoever.
Maildev mailing list
----- End forwarded message -----