Why does gmail block my postfix relay?
The term "modern security standards" is a little vague here. No one except Google can explain what "modern security standards" exactly means.
However, after searching the internet for this term, here is some explanation of this incident.
- apsillers' answer on Security.SE
In my understanding, "less secure apps" refers to applications that send your credentials directly to Gmail. Lots of things can go wrong when you give your credentials to a third party to pass on to the authentication authority: the third party might keep the credentials in storage without telling you, they might use your credentials for purposes outside the stated scope of the application, they might send your credentials over a network without encryption, etc.
"Less secure" isn't meant to say that apps that use your credentials are necessarily full of security holes or run by criminals. Rather, it is the category of behavior -- giving your credentials to a third party -- that is fundamentally less secure than using an authorization mechanism like OAuth. With authorization, you never allow the third party to see your credentials, so an entire category of problems is instantly eliminated.
Google wants email clients to implement OAuth 2.0-based authentication, and has stated they intend to cause disruption (hassles) for users that authenticate (log in) using a username/password with the POP, IMAP, or SMTP protocol. OAuth 2.0 requires the email client to launch a browser to display an HTML form provided by Google (which can do anything they want), and then use a token that it returns.
This is not an issue of whether or not Thunderbird is implementing the latest version of SSL/TLS etc.; they're basically saying they are trying to actively discourage people from using any email client that logs in to Gmail using POP, IMAP or SMTP anymore. This appears to be another example of embrace, extend, and extinguish.
I haven't noticed anybody else that has run into this problem (where it wasn't due to a password problem or logging in from a new device) yet. The help page states: "Go to Allow less secure apps and choose "Allow" to let less secure apps access your Google account." I assume they're referring to a tab in the Gmail webmail settings. I suggest you try that. Please let me know if that works around the problem.
And in this case, you give your credentials to a third party called Postfix. Because Postfix doesn't (and maybe won't) support OAuth, Gmail warns you.
The possible solution(s) come from this page by Martin Brinkmann:
- Enable two-factor authentication for the account. Then generate a one-time password for Postfix.
- Change the "allow less secure apps" setting to enabled. This allows such apps to connect to the account again.
- Switch to a different service or program.
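As an added example that is not part of the answer or the question above, and not Postfix's own code: a POSIX shell script for the first option, an app password in a Postfix relay. It writes the sasl_passwd map with root-only permissions, renders the relay settings, and lints a main.cf for what the question's fragment lacks. smtp_use_tls (seen in the question) is the pre-Postfix-2.3 setting and only makes TLS opportunistic; smtp_tls_security_level = encrypt makes it mandatory, and noplaintext stops Postfix from offering PLAIN/LOGIN on a session where STARTTLS failed. The account address, the app password value and the CA bundle path /etc/ssl/certs/ca-certificates.crt are placeholders assumed here, not values from the page. The app-password route is the one that still works for consumer accounts, since Google retired the "less secure apps" toggle in 2022.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above and not part of
# Postfix itself. Sets up a Postfix relay through smtp.gmail.com:587 using an
# app password and lints main.cf for the settings that keep that password off
# the wire in clear.
# Assumptions (placeholders, not from the page): the account address, the app
# password value, and the CA bundle path /etc/ssl/certs/ca-certificates.crt
# (Debian/Ubuntu default; adjust for your distribution).

# Write the credential map. It holds a plaintext password, so it is created
# root-only (umask 077 in a subshell so the caller's umask is untouched), and
# postmap builds the hash: database Postfix actually reads.
write_sasl_passwd() (
  dir=$1 account=$2 app_pass=$3
  umask 077
  printf '[smtp.gmail.com]:587 %s:%s\n' "$account" "$app_pass" > "$dir/sasl_passwd"
  if command -v postmap >/dev/null 2>&1; then
    postmap "hash:$dir/sasl_passwd"   # writes sasl_passwd.db next to it
  fi
)

# The relay settings. smtp_tls_security_level = encrypt makes TLS mandatory
# (smtp_use_tls only made it opportunistic). noplaintext refuses PLAIN/LOGIN on
# an unencrypted session; the separate TLS-session option set re-allows them
# once the session is encrypted, which is what Gmail requires.
render_relay_config() {
  cat <<'EOF'
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
EOF
}

# Lint a main.cf (or a fragment of it). Prints each problem and returns 1 if
# any was found; returns 0 when the relay is configured with mandatory TLS.
check_relay_config() {
  cfg=$1 rc=0
  # last value of a parameter; Postfix honours the last definition in main.cf
  setting() { sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$cfg" | tail -n 1; }
  for key in relayhost smtp_sasl_auth_enable smtp_sasl_password_maps smtp_tls_CAfile; do
    [ -n "$(setting "$key")" ] || { echo "missing: $key"; rc=1; }
  done
  case "$(setting smtp_tls_security_level)" in
    encrypt|fingerprint|verify|secure) ;;
    *) echo "TLS not mandatory: set smtp_tls_security_level = encrypt"; rc=1 ;;
  esac
  case "$(setting smtp_sasl_security_options)" in
    *noplaintext*) ;;
    *) echo "smtp_sasl_security_options should include noplaintext"; rc=1 ;;
  esac
  return "$rc"
}

# Usage on the relay host (as root); appended settings win over earlier ones:
#   write_sasl_passwd /etc/postfix you@example.com abcdabcdabcdabcd
#   render_relay_config >> /etc/postfix/main.cf
#   check_relay_config /etc/postfix/main.cf && postfix reload
```

Running check_relay_config against the fragment in the question reports the missing smtp_tls_security_level and the missing noplaintext; against the rendered settings it passes. A remaining caveat the script cannot check: an app password is a static credential like any other, so the sasl_passwd file and its .db copy deserve the same handling as a private key.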
websterridge
Updated on September 18, 2022

Comments
- websterridge, almost 2 years ago:
Here is a partial Postfix config:

```
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_use_tls = yes
```

The file sasl_password was recently updated and the db is rebuilt. I am getting warning emails that say, in part:

We recently blocked a sign-in attempt to your Google Account
If this was you: You can switch to an app made by Google such as Gmail to access your account (recommended) or change your settings at https://www.google.com/settings/security/lesssecureapps so that your account is no longer protected by modern security standards.

I have been looking for info on how to configure Postfix for these 'modern security standards'. I am not finding what I need.
Can somebody point me to the correct resource?
- fukawi2, over 9 years ago: It should be directed to the hosting provider (GMail).
- Jenny D, over 9 years ago: The pointer is included in the warning email.
- websterridge, over 9 years ago: Please read my question. How is a question about how to configure Postfix, which is a part of the server infrastructure, not about server, networking, or related infrastructure administration? It was only through the below answer that I learned about Google's move towards OAuth requirements.
- Alex Blyzniuchenko, about 6 years ago: This is a great question, why is it marked as off topic? Perfectly good question, many folks have encountered this issue.
- websterridge, over 9 years ago: Interesting. So for now I 'allow less secure apps' and go research OAuth for Postfix. Thanks - I was not finding citations like yours.
- Lars Nordin, almost 8 years ago: For the beginnings of Postfix and sasl-oauth2, see: plus.google.com/+RobertNorris/posts/WH65ekaZ5Xu
- Lars Nordin, almost 8 years ago: and this: github.com/robn/sasl2-oauth/issues/1