You need to set up an app specific password [1] and use that for IMAP.

[1] https://support.google.com/mail/answer/185833?hl=en

Or better yet use the IMAP / SMTP Oauth2 auth mechanism;

https://developers.google.com/gmail/imap/xoauth2-protocol

Guide to setting up OAuth2 in offlineimap:

https://hobo.house/2017/07/17/using-offlineimap-with-the-gma...

The problem with OAuth and Google is that Google requires from 3rd party vendors verification and it's very hard to obtain. Unsurprisingly, Google rejects requests for verification without any explanation and ignores any follow up communication.

I despise oauth2 reauthentication requests in a mail client. It's insanely annoying.

Do mutt and git-send-email have support for OAuth2?

Not sure, I know that newer versions of thunderbird and k9 do, but you may need remove the account and re-create it; I didn't test changing the settings myself, I just deleted the old accounts and re-created them as IMAP / oauth.

I don't know about git-send-mail, but mainline mutt has oauth2 support for imap4, pop3, and smtp.

I haven't used it but it looks like it pushes the oauth2 token refresh off to an external script.

They have turned it back on.

It does not work on some group accounts.

I’m out of the loop - where does Google commit to turning off IMAP? Is there any other standard that non-Google mail clients can follow?

Will Apple Mail lose Gmail compatibility or can they upgrade to something?

This is the original announcement I'm aware of:

https://gsuiteupdates.googleblog.com/2019/12/less-secure-app...

IIRC Apple Mail uses IMAP via Oauth.

So it's specifically IMAP without OAuth?

Yes- I used to maintain an open source imap library and looked into this when they first made the announcement. Microsoft is also planning on doing the same thing.

https://developer.microsoft.com/en-us/office/blogs/end-of-su...

Happening since morning, I got rid of Gapps on phone (for privacy concerns) and can't use K-9 Mail anymore, guess I'll have to resort to mobile browsers for email access.

Can't you create an "application password" for IMAP?

That requires two-factor auth, which requires giving them a phone number.

You can't set up TOTP without giving Google a phone number?

I'm not sure if Google allows using phone notifications first (another 2fa method) and then switching to TOTP, but TOTP isn't allowed as the first choice.

They support using phone numbers and then switching to TOTP and deleting the phone number.

So how does this avoid giving the number to Google?

It doesn't. I think they were just confirming this:

> I'm not sure if Google allows using phone notifications first (another 2fa method) and then switching to TOTP...

Can you use a Twilio number for $1/mo or some other burner service?

Twilio numbers, and most other VOIP numbers, cannot receive the short code text messages that Google uses for verification.

You're right, I forgot that it doesn't work the other way around (my Google Voice number definitely can receive shortcodes though).

Can you setup google voice?

Voice requires a phone number to link your GV number to

Only if you're in the US.

Also for me this page (https://myaccount.google.com/lesssecureapps) says - "Setting could not be read".

Unless it's for work, why not use a different service or host your own mail server? I'd say setting up a mail server with projects like Mail In A Box is easier than living without GApps.

Running your own mail server is a sure fire way of making sure that your email don't get through to anyone.

> Running your own mail server is a sure fire way of making sure that your email don't get through to anyone.

How is your experience so far with inboxing while using Mail In A Box?

At least for me it's for work

I can confirm. Same thing for, started 3 hours ago. It seems to work again for the moment though (after one hour, no change from my side).

The setting is also gone for me!

Plenty of comments and current status at downdetector[0]. Clicking on the different countries suggests it's a global thing.

Edit: the "Less secure apps" [1] setting was reporting "setting could not be read", it's just re-appeared here in the UK (11:40 UTC).

[0] https://downdetector.co.uk/status/gmail/

[1] https://myaccount.google.com/lesssecureapps

I have no problem with it so far. Thunderbird on Debian through VPN in Amsterdam. (edit: wording)

Plenty of others in NL appear to have been hit [0]. Seems to be resolved now anyway.

[0] https://allestoringen.nl/storing/gmail/

> However, with the pandemic they delayed this indefinitely.

I guess someone didn't get the memo. Or else yes, perhaps they got some automated thing scheduled in advance and failed to roll it back properly as announced.

> I guess someone didn't get the memo.

Probably 'cause they can't log into their IMAP account right now...

I just switched to g suite for business over the weekend and setup mail checking from my main account. I found enabling "Less secure apps" to get sending and receiving emails from my other accounts via POP3 to be very odd. Also had to create the app specific password. How is it a less secure app? It's a gmail account checking another gmail account. That really didn't make sense to me, but the tech support from g suite was happy to read the script to walk me through the setup. It was pretty frustrating to not be able to figure that out myself, it was not intuitive.

Also confirming an issue for the past few hours.

It's currently 2020-05-04 11:26 UTC and the issue is ongoing.

EDIT: does anyone know if google has an "uptime" page for their various services where they can provide status updates as they diagnose the issue? This is impacting our entire org on G-suite.

EDIT2: Found this, but it shows "Gmail" as "green" Yeah, it's still down :rolleyes: https://www.google.com/appsstatus#hl=en

EDIT3: As of 2020-05-04 11:45 UTC, it's back up for me.

On a related note, how can I run internal mailserver that stores mail locally on my network, accessible through IMAP or web interface, and uses accounts on a POP3/IMAP-capable public server like Gmail only to receive and send mail (no long-term storage)? Where should I look?

I'm comfortable with setting up a VM, but I don't know much about email.

I would use something like OfflineIMAP to sync from an external IMAP server to your own Dovecot instance, assuming you want the local copy to be kept in sync (e.g., read status should be copied to the local copy as it changes, etc).

Ah, misread. I was just looking into entirely self-hosting this last week.

https://github.com/awesome-selfhosted/awesome-selfhosted#ema... See especially homebox, Mail-in-a-box "complete solutions".

With brief exploration you might also be comfortable with just running the MTA for sending and forwarding, and MDA for "delivery", i.e. reading.

I haven't used it in a few years, but https://www.iredmail.org/ was fairly hassle-free if you're familiar with linux server administration.

I personally like dockerized Mailcow: https://github.com/mailcow/mailcow-dockerized

They removed access for 'insecure apps'. Go to your Google account > Settings > activate 2 factor authentication and get an individual password for each app.

Source: Had to do this to all my superb python bots that we using mails for error reporting.

Lots of people are reporting this outage on this Google Support Thread:

* https://support.google.com/mail/thread/44318228?hl=en

I'm having a different (but likely related) problem, which is that my SMTP stopped working today.

I have a legacy Google Apps account on a custom domain, and have had two-factor auth configured for years. Today my SMTP credentials stopped working, so I went in and made a new app-specific password, and that is also not working as my SMTP password. I also can't enable the "less secure apps" option because 2fa is enabled. I don't see any path to fix this.

It also happened to me and nothing has helped to solve it for hours.

At the very end, I thought of changing my password and IT WORKED! Try "update" your password.

It's really time to move away from Gmail & co.

Any suggestion for a comparable email service?

fastmail or with (many) own domains: mailbox.org, runbox.com ...

I second fastmail, it's a really great service. I've been a happy customer for a year now, using my own domain and a sieve script for automated triaging of my emails. Their web interface is really, really good, and they're working hard to modernize the email protocols, with their work on JMAP and so on.

How’s the Australian spy law [1] thing?

[1] https://www.ctrl.blog/entry/goodbye-fastmail.html

Does that really change much in reality?

If you expect your emails to be inaccessible to anyone except you and the recipient you'll have to encrypt them anyway. If you are worried about the data-mining for ad purposes on other providers switching to a paid provider like Fastmail is still a good option and while everyone is subject to ad-tech data mining not everyone is subject to a targeted collection by a government actor most of the time.

My threat model is: governments can read my email but that will incur a cost, a timelapse and a judge -- not just a point and click mega-spy interface.

I want to bash Trump's latest haircut without fear of incoming, frivolous litigation.

I do, however, expect consequences if I do something really stupid.

I'm in France, and use email mostly to keep up with newsletters, personal comms, and non-important professional comms. If your threat model includes the Australian Government as a threat, then yes, using another provider would make sense. Then again, if you have government agencies in your threat model, you might want to move to E2E communications anyways.

This is terrible, I'm [genuinly] surprised that other people recommend fastmail.

I don't think the blog post is accurate, see [1]. From the three providers mentioned above (fastmail/mailbox/runbox) which I have experience with, fastmail has by far the best ui, speed and feel (atm).

As with gmail the fastmail provider does read your email content to provide e.g. search (and in case of gmail who knows what more?). Both will hand out information with a lawful warrant. -- And as long as the government is reasonably sane [2] that's perfectly fine with me.

[1] https://fastmail.blog/2018/12/21/advocating-for-privacy-aabi... [2] otherwise I'd try ProtonMail (but it has a price in useability)

Government interception is not part of my threat model for email. Emails may relayed through intermediate servers I can't control and may or may not be encrypted in transit or storage along the way. If I want private communication I'm not going to use email (or probably the internet).

However a service not randomly shutting down or dropping support for open protocols _is_ part of my requirements for an email host.

I'm also very satisfied with Fastmail. Cost is the same as Google's paid tier but they do email really well.

+1 for Runbox. Reliable service and better price than Fastmail for my circumstances, at least.

Fastmail. Definitely.

They exceed all my expectations, and I‘m picky.

Why not Fastmail with many own domains? The $5/month ($50/year, $130/3-year) plan allows 100 domains.

Some years ago this was not possible in fastmail (or I didn't find it;) In addition: if you want to separate the domains, then mailbox/runbox have a low-cost plan (around €15/y, iirc) which doesn't exist in fastmail.

i second to fastmail

Depends on what you want. Personally, I use Gandi Webmail [1] which provides SOGo groupware [2].

NOTE: it is not as AJAXy as Gmail.

[1] https://news.gandi.net/en/2017/01/introducing-sogo-new-webma...

[2] https://sogo.nu/

Seconded. The vast number of aliases you can create is fantastic - I'm using unique addresses for every site I register on. Given the features and storage space, Gandi webmail seems to be very good value for money.

Comparable email service? Not sure on what terms to compare. But take a look at the below privacy focused (or privacy respecting) services before you look at Fastmail (which can be quite expensive if you need multiple mailboxes):

Posteo.de (no custom domain support), runbox.com, mailbox.org, mailfence.com, migadu.com, mxroute.com (if you don't mind hosting in the U.S.), ProtonMail (needs a bridge software to use IMAP) and Tutanota (no IMAP support)

If you'd like to support the next generation JMap (which Fastmail develops), then getting a paid subscription on Fastmail could help.

I've been hosting my mail with Zoho for a couple years and I've not had any issues with them.

Use your own domain, and you can try as many email services as you like to see which one is best.

Set up your own. iredmail and mail-in-a-box do most of the grunt work for you.

Personally I use Soverin.net. Hosted in the EU and with IMAP support.

Reading through the comments, sounds like it's a blip.

But yeesh - would've been just my luck! I'm in the process of putting together my de-Google plan lately.

For a few hours this morning, Gmail also had difficulty retrieving mail from other Gmail accounts via POP3.

Yep, the same. I solved that by changing password to the same for "blocked" account.

LoL Google.... I thought that I was a victim of your random account deletion for a bit

Wow, for me it started happening Monday, May 4, 5:50 EDT.

LSA is back in settings, it should work fine now.

does anyone know if POP is still working?