Comments on: Fetchmail and Google’s OAuth 2.0 enforcement

By: Dave

Dave — Sun, 16 Mar 2025 01:36:57 +0000

Other than the requirement to use the Google ‘random’ generated App Password which is only 16 characters and lower-case alpha it has worked great for years in my fetchmail SSL enabled configs.

So despite all the FUD, I consider it as secure as Google.

But you’d think they would want more security and use mixed case alpha-numerics and extended punctuation symbols… Go figure.

By: bill

bill — Tue, 23 Apr 2024 21:03:09 +0000

use “app passwords”. See https://support.google.com/accounts/answer/185833?hl=en for details. Not as secure but works w/o changes to fetchmail.

By: Tired

Tired — Fri, 19 Apr 2024 08:22:48 +0000

„This is a fight against spammers, scammers and account hijackers, so paranoia is the name of the game.”

It should be completely optional; it could be even switched on by default — but keeping the option to switch it off by „advanced user”.

The password itself is (was?) the protection „against spammers, scammers and account hijackers”. Just keep your password „strong enough” (and don’t show it to anyone) and you’re protected. No need for Google’s „very sophisticated” tools.

By: Lucio C

Lucio C — Mon, 22 Jan 2024 13:16:12 +0000

I was recently forced to use 2FA with Gsuite, and as expected it broke my fetchmail/procmail arrangement with local storage. Easiest immediate solution (prepared in advance) was to forward all Gsuite to another provider, and fetch from there. However Gsuite does not honour deletion of fetched or forwarded mail (it saves in Bin), so I still need access from my favourite client (Alpine) to cleanup Bin. An app password is the simplest way to do it (and it could work with Alpine *and* fetchmail).

By: Phil

Phil — Mon, 24 Jul 2023 03:31:21 +0000

Thoughtful article. “Worse problems on this planet” indeed. Having been around since web 1.0, and worked with many different access control systems (Netegrity Siteminder, anyone?), I actually think Google could have done worse than settle on OAuth2. I also hope that fetchmail can continue to be the useful tool it has been for so long.

By: myl

myl — Fri, 17 Feb 2023 16:53:56 +0000

Must say I agree with Fetchmail opinion on this. Governments build laws to enforce users rights towards internet services providers, but they should probably take care of other ways to technically set a microscope in their asshole like such over-engineered authentification stuff.

Just can’t figure-out the added benefit compared to a good password + still allowing mail clients without Oauth2 support to use long/complex application passwords generated by google just indirectly means that highly severing password setup rules could just have been done, with much less user hassle.

As you said, google may someday stop application passwords (+ you can setup just one & use it for several clients, I did so and nothing looks really verified there). But if they do this, they’ll screw almost all home automation software, IP cameras, home written stuff working since years, etc… There’s IMO a benefit/risk balance here to avoid loosing users!

Issue is I tried several alternative free mail providers between the warning message and the planned end for good old login+passwd auth: All caused issues (reliability, various usage quotas…) after a few days to a few weeks. So I gave my phone nb to google to allow 2 factor setup & being able to setup app passwd. Really tried to avoid this, but in the end that’s what I did.

We all know providing free services that are (almost) always connected was a way for google to identify who & when is using a networked device and not only the device: You can get rid of your locally stored data (cookies etc), but you can’t erase user behavior data google stores under your account (so carefully verified)!

Let’s hope politics will soon put another stop in their gallop.

By: Jason

Jason — Tue, 12 Jul 2022 01:29:56 +0000

The spammers, scammers, and hackers are usually humans too. I am curious how you expect to stop them without effecting the rest of us. I have done extensive firewall work and I have run into too many false-positives and false-negatives. The gray area can be difficult to judge if you donot have the experience.

By: Ghengis M.

Ghengis M. — Thu, 07 Jul 2022 19:24:51 +0000

Thanks Eli, I came looking for a resource on fixing my GMail issues with fetchmail, and as well as that, had an easier solution, I’m just gonna setup some forwards, Google is no longer worth the aggravation.

By: Michael Uplawski

Michael Uplawski — Tue, 14 Jun 2022 08:22:45 +0000

It is oftentimes a good idea to wait a few weeks after the uproar and *then* read some concise summary of facts and conclusions.

Thank you Eli, I bookmark this page.

Although I am myself not affected by OAuth2, I do use fetchmail. Your text is very clear as well as a good starting point, should I need to dig deeper into some specific aspects. “There are worse problems on this planet”, but I have underestimated the scope of the problem …

Cheers from France.

Michael