GMail: Fetchmail is a "less secure app"

I have been receiving emails from Google about a sign-in attempt prevented. These messages are sent to the recovery address for my GMail account. I run my own IMAP server which uses fetchmail to download any email sent to various third-party email accounts that I use. GMail isn't that important to me so I haven't bothered to rectify this issue until now, when curiosity got the better of me.

TL;DR - set up Google 2-step verification and generate an application-specific password for Fetchmail.

Here's a sample of the email received:

A quick bit of research reveals that Google would like email clients to implement OAuth2.0 based authentication instead of password-based logins and that they are forcing this on people through some new security measures.

we recommend you upgrade all of your applications to OAuth 2.0. If you choose not to do so, your users will be required to take extra steps in order to keep accessing your applications.

OAuth2 would require clients to launch a browser to display an HTML form provided by Google and then use the token that it returns.

The issue isn't whether or not clients implement the latest version of SSL/TLS etc, it's more that Google are trying to actively discourage clients that use password-based logins to Gmail using POP, IMAP or SMTP. Fetchmail already uses SSL when connecting to the GMail IMAP server.

The Fetchmail FAQ discusses this problem.

Google has started pushing towards more complex authentication schemes based on OAuth 2.0 that require clients and users to jump through quite a few hoops, and use web browsers for signing in. If this hinders access to your account through fetchmail, you may need to turn on access for less secure apps. It is disputable whether an application that does not include web browsing capabilities or heavy-weight libraries is "less secure" as Google claims.

The OAuth 2.0 specification, RFC 6749, states:

This specification is designed for use with HTTP (RFC2616). The use of OAuth over any protocol other than HTTP is out of scope.

A Fetchmail maintainer stated on the Fetchmail mailing list that Fetchmail does not support HTTP or OAuth2.

I don't like the idea of adding such complex matters to fetchmail that make it a web browser, that takes it way out of scope I'm afraid.

There are two solutions to the problem and the simplest is to allow so-called less-secure apps to be used by disabling this security measure.

A perhaps more appropriate solution is to go with the flow. Google offers 2-step verification with OAuth2 authorisation, and application-specific passwords allow applications that don't support 2-step verification to be used. An application-specific password is a 16-character passcode that grants access to a Google account, bypassing the 2-step verification process. It can be used indefinitely until revoked. However, such passwords aren't really application-specific either; they have this name because they are supposed to be generated per application, although nothing enforces this use pattern.

I set up 2-step verification for my Google account. After giving my mobile phone number, I received a code by SMS text message that I entered to complete the setup process.

With 2-step verification turned on, you can add app-specific passwords:

Click the manage application-specific password button

You either select app or select device; they both cause a new app password to be generated (the layout of this page is misleading).

no, that isn't a real password!

The generated password is a 16-character string (ignore the spaces) and can be entered into Fetchmail to successfully connect to GMail.
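As an added example (not from the original post), a small POSIX shell helper that strips the display spaces from the 16-character app password, checks its shape, and writes a minimal `~/.fetchmailrc` that polls Gmail over IMAP with TLS. The account name and the output path are assumed placeholders; the check that the password is 16 lowercase letters is an assumption about how Google formats these passwords.

```shell
#!/bin/sh
# Added example, not code from the original post or from the fetchmail project.

# Strip the display spaces ("xxxx xxxx xxxx xxxx") and check that what remains
# is exactly 16 lowercase letters (assumption about Google's app-password format).
normalize_app_password() {
    pw=$(printf '%s' "$1" | tr -d ' ')
    case "$pw" in
        *[!a-z]*) return 1 ;;   # anything outside a-z is not an app password
    esac
    [ "${#pw}" -eq 16 ] || return 1
    printf '%s' "$pw"
}

# Write the fetchmail configuration (default ~/.fetchmailrc) with mode 0600:
# fetchmail refuses to read a run-control file that other users can read,
# and the file holds a credential that bypasses 2-step verification.
write_fetchmailrc() {
    user=$1; apppw=$2; out=${3:-$HOME/.fetchmailrc}
    umask 077
    cat > "$out" <<EOF
# Poll Gmail over IMAP with TLS and certificate checking; log in with the
# app-specific password, not the account password, so 2-step stays enabled.
poll imap.gmail.com proto IMAP
    user "$user" pass "$apppw"
    ssl sslcertck
    keep
EOF
    chmod 600 "$out"
}

# Usage (placeholder account; the password shown is a constructed sample):
# pw=$(normalize_app_password 'abcd efgh ijkl mnop') || { echo 'bad password'; exit 1; }
# write_fetchmailrc 'someone@gmail.com' "$pw"
```

Revoking the app password in the Google account settings is all that is needed if the file is ever exposed; the account password itself is never stored.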

A final thought: it would have been useful if the message from Google said what their view of a secure app, like Gmail, actually is (one that uses OAuth2.0 authentication) and that, after enabling 2-step verification, an application-specific password can be generated for use by a so-called less-secure app that does not support OAuth2.