Results 1 to 19 of 19

Thread: [RESOLVED] Gmail Authentication?

  1. #1

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,470

    Resolved [RESOLVED] Gmail Authentication?

    I have come to the conclusion that I have a complete lack of understanding in how Gmail provides authentication. I added TLS 1.3 to my email client program and was able to connect with the Gmail POP server on port 995. But when I went to check the mail, it rejected my request and I got a "security alert" on the backup account. After acknowledging the attempt, I was able to check for mail, but the only message I got was the same "security alert", but no real mail. When I went to acknowledge it, it said that it was already acknowledged. So I went into the account and enabled "less secure". After acknowledging the change, I was able to check for mail. But instead of the actual mail, I get a "critical security alert" that less secure had been turned on. Once again, a check revealed that it had already been acknowledged. But instead of the actual mail, all I kept getting was the same "critical security alert".

    I had a hacker problem that I had to deal with, so I didn't get back to the issue for a couple of days. This time, I get the real mail??????.

    I realize that Google wants us to use a Google App, and that browser based email can use a cookie to activate the Google account, but I really don't like the idea of having to login to Google every time I want to check the mail. Can anyone explain the code necessary to use this Gmail authentication system?

    J.A. Coutts

  2. #2
    PowerPoster wqweto's Avatar
    Join Date
    May 2011
    Location
    Sofia, Bulgaria
    Posts
    5,120

    Re: Gmail Authentication?

    Quote Originally Posted by couttsj View Post
    . . . the code necessary to use this Gmail authentication system?
    Which authentication system? I'm using App Passwords w/ my gmail's POP3/SMTP mailbox as my google account has 2-FA turned on -- no problems with this.

    Have no idea how are we supposed to use "Sign in with Google" outside of shelling a full-blown browser to retrieve OAuth2 access tokens or whatever.

    cheers,
    </wqw>

  3. #3

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,470

    Re: Gmail Authentication?

    Quote Originally Posted by wqweto View Post
    Which authentication system? I'm using App Passwords w/ my gmail's POP3/SMTP mailbox as my google account has 2-FA turned on -- no problems with this.

    Have no idea how are we supposed to use "Sign in with Google" outside of shelling a full-blown browser to retrieve OAuth2 access tokens or whatever.

    cheers,
    </wqw>
    App Passwords requires dual authentication, which I am not keen on doing. If my ESP enforces full authentication, I may be forced to go that route, but for now I do not want to mess with my wife's Gmail account more than I have already.

    On a different note, have you noticed that Gmail authentication via password is a lot slower than non-TLS authentication on a regular POP server?

    J.A. Coutts
    Last edited by couttsj; Nov 22nd, 2020 at 03:02 PM.

  4. #4
    PowerPoster wqweto's Avatar
    Join Date
    May 2011
    Location
    Sofia, Bulgaria
    Posts
    5,120

    Re: Gmail Authentication?

    > Gmail authentication via password

    You mean POP3 on port 995 with regular user/pass?

    I'm using App Passwords because plain user/pass auth on POP3 does not work for 2-FA accounts and have no direct measurements on it's speed as Outlook does not report elapsed time but keeps on lagging with *every* service anyway. . . :-))

    So no idea but regular POP3 servers users database must be miniscule compared to google accounts database. Could be a deliberate choice to deter/slow bruteforce attempts too.

    cheers,
    </wqw>

  5. #5

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,470

    Re: Gmail Authentication?

    Yah, that's what I meant.

    The ISP/ESP has not been very forthcoming with the detail, hence all my questions. The new email service will be via G-Suite rather than freebie, and I assume the actual servers will reside on the ESP network, hence the requirement for SNI. The connection will be to "pop.gmail.com", but the SNI will be "mail.google.com/a/telus.net". Where the authentication actually takes place is unknown, but it could quite conceivably be on the ESP network as well.

    I am not happy with this upcoming change, but at least I have done a lot of the prep work with TLS 1.3. I actually use a third party service for incoming email, which is then forwarded to my ESP. The third party provides SMTP service as well, but unfortunately they do not support TLS 1.3 yet. Too bad, because they are much easier to get information out of.

    The world needs a better email system with end-to-end encryption and sender authentication.

    J.A. Coutts

  6. #6
    Hyperactive Member
    Join Date
    Jun 2016
    Location
    España
    Posts
    506

    Re: Gmail Authentication?

    and through the google api.
    You only need to log in once to give permission to the application and then save the authentication token.
    and every time you enter you do a refresh of the token.

    Greetings
    sorry for using translator

  7. #7

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,470

    Re: Gmail Authentication?

    Quote Originally Posted by yokesee View Post
    and through the google api.
    You only need to log in once to give permission to the application and then save the authentication token.
    and every time you enter you do a refresh of the token.

    Greetings
    sorry for using translator
    So where do I find this Google API, and how do I access it?

    J.A. Coutts

  8. #8
    Hyperactive Member
    Join Date
    Jun 2016
    Location
    España
    Posts
    506

    Re: Gmail Authentication?

    I don't have much time to explain everything.
    and I would show you my code, but it's disastrous and they would ban me hahaha
    but more or less this is how it explains in the guide with web requests api rest "MSXML2.ServerXMLHTTP".
    You have to create an application and some credentials to give the application permission to access your google account.
    https://developers.google.com/identi...er#top_of_page

    There are different methods to obtain access token and it is the one that I have tried.
    https://developers.google.com/identi...rotectauthcode
    you get the path and permission to access the account.
    When you accept it returns a code or error if you cancel the permissions.
    then you follow the instructions on the page to get the acess_token and refresh_token.
    and with the acess_token you have access to all the services that you have allowed in the previous step.
    you use it in every request with .SetRequestHeader "Authorization", acess_token_here
    https://developers.google.com/gmail/...rest?apix=true


    Surely someone can advise you better, I am for contributing ideas.
    Greetings
    sorry for using translator


    PD:wqweto sure can help you better with the apis this is where I found the idea a long time ago
    https://www.vbforums.com/showthread....ort&highlight=
    Last edited by yokesee; Nov 23rd, 2020 at 06:40 PM.

  9. #9
    PowerPoster
    Join Date
    Feb 2017
    Posts
    4,995

    Re: Gmail Authentication?

    I think you need Oauth 2.
    I posted a sample here but is is for Dropbox.

    Here to read about Oauth 2 with Google.

  10. #10

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,470

    Re: Gmail Authentication?

    Thanks for the information. That is a lot of screwing around for such a simple task. I have a number of other things to do, and I will take a further look at it later.

    J.A. Coutts

  11. #11

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,470

    Re: [RESOLVED] Gmail Authentication?

    Ran into another problem with SMTP on port 465. I can connect to "smtp.gmail.com" without a problem and receive the following response:
    220 smtp.gmail.com ESMTP w22sm183992pfu.33 - gsmtp
    but when I send "HELO me", I get a Fatal Alert 47 (illegal_parameter).

    Using "openssl s_client -connect smtp.gmail.com:465 -crlf", I get:
    220 smtp.gmail.com ESMTP 23sm514462pfx.210 - gsmtp
    HELO me
    250 smtp.gmail.com at your service
    which is normal.

    What am I doing wrong?

    J.A. Coutts

  12. #12
    PowerPoster wqweto's Avatar
    Join Date
    May 2011
    Location
    Sofia, Bulgaria
    Posts
    5,120

    Re: [RESOLVED] Gmail Authentication?

    Usualy alert illegal_parameter (47) is raised during the TLS handshake only.

    The fact that you are receiving app data means the handshake is successfully complete so the alert makes no sense being received so late.

    cheers,
    </wqw>

  13. #13

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,470

    Re: [RESOLVED] Gmail Authentication?

    I had to manually decrypt the Alert record because Gmail immediately closed the connection without sending a "QUIT" record. Which brings up another question. The record was sent as a type RT_APPLICATION_DATA (&H17) instead of RT_ALERT (&H15). Is this normal? If so, how do we identify an Alert record after the Server Hello?
    Code:
    InBuffer:
    17 03 03 00 13 
    59 50 F4 5D 5C 08 40 1F 54 17 41 AD D3 95 AE CF CC E5 DA 
    Decrypted:
    02 2F
    J.A. Coutts

  14. #14
    PowerPoster wqweto's Avatar
    Join Date
    May 2011
    Location
    Sofia, Bulgaria
    Posts
    5,120

    Re: [RESOLVED] Gmail Authentication?

    Quote Originally Posted by couttsj View Post
    The record was sent as a type RT_APPLICATION_DATA (&H17) instead of RT_ALERT (&H15). Is this normal?
    Yes, this is what TLS 1.3 does. When bulk secrets are succesfully negotiated everything past this point is shimmed through RT_APPLICATION_DATA with the last non-zero byte of the decrypted payload encoding the actual record type.

    This means that RT_ALERT can be sent unencrypted during handshake and encrypted inside RT_APPLICATION_DATA records past bulk secrets negotiation.

    cheers,
    </wqw>

  15. #15

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,470

    Re: [RESOLVED] Gmail Authentication?

    Quote Originally Posted by wqweto View Post
    Yes, this is what TLS 1.3 does. When bulk secrets are succesfully negotiated everything past this point is shimmed through RT_APPLICATION_DATA with the last non-zero byte of the decrypted payload encoding the actual record type.

    This means that RT_ALERT can be sent unencrypted during handshake and encrypted inside RT_APPLICATION_DATA records past bulk secrets negotiation.

    cheers,
    </wqw>
    Yah, I have already adjusted for it. Hopefully the next version of TLS will get rid of all these leftovers and workarounds and advertise itself properly. That will probably take quite a while as the world is very slow to adapt to changes in TLS, and with a new version being adopted, TLS 1.2 will probably become predicated.

    J.A. Coutts

  16. #16

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,470

    Re: [RESOLVED] Gmail Authentication?

    Got past that problem. It was my error, as I neglected to change the Record Type from RT_HANDSHAKE (&H16) to RT_APPLICATION_DATA (&H17).

    Now on to the next problem. Gmail does not want to accept AUTH PLAIN. It returns "451 4.5.0 SMTP protocol violation, see RFC 2821 u1sm158344pjn.40 - gsmtp" (RFC 2821 does not even address AUTH PLAIN). I know the AUTH PLAIN is correct because OpenSSL returns correctly using the exact same BASE64 string.
    Code:
    220 smtp.gmail.com ESMTP z19sm2416279pfa.122 - gsmtp
    HELO me
    250 smtp.gmail.com at your service
    AUTH PLAIN ABd49jE0ZTU0QGdtYWlsLmNvbQBvq45tamVrMzEp (obfuscated)
    235 2.7.0 Accepted
    J.A. Coutts

  17. #17

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,470

    Re: [RESOLVED] Gmail Authentication?

    Through a lengthy process of trial and error, I was able to establish that even though RFC 4954 clearly provides for it, Gmail does not accept the AUTH PLAIN plus BASE64 of User Address & Password on a single line. I had to use:
    Code:
    220 smtp.gmail.com ESMTP o9sm348865pjl.11 - gsmtp
    --> HELO me
    250 smtp.gmail.com at your service
    --> AUTH PLAIN
    334 
    --> ABd49jE0ZTU0QGdtYWlsLmNvbQBvq45tamVrMzEp (obfuscated)
    235 2.7.0 Accepted
    This is getting to be a real pain in the butt, but I have no choice, as I have received official notice from my ISP of the move to the Gmail platform.

    J.A. Coutts

  18. #18
    PowerPoster wqweto's Avatar
    Join Date
    May 2011
    Location
    Sofia, Bulgaria
    Posts
    5,120

    Re: [RESOLVED] Gmail Authentication?

    Quote Originally Posted by couttsj View Post
    Yah, I have already adjusted for it. Hopefully the next version of TLS will get rid of all these leftovers and workarounds and advertise itself properly.
    Actually there is an added bonus with this scheme. Every application data record can be padded with random number of zeroes if the peer has to mitigate some vulnerability/incompatibility or just wishes so on a whim.

    This was originally intended for some TLS 1.2 middle-boxes that went bonkers if certain records were less that 512 bytes but has a nice side effect that the sender can hide the length of the payload at any time by randomly padding the record with zeroes.

    The trouble with designing wide-spread protocols like TLS is that it has to be future proof. For instance if a vulnerability is found in whatever part of it there must be a way to avoid the disaster within existing protocol specification.

    Imagine if AES gets shattered -- this is the reason why TLS 1.3 has Chacha20 in the back pocket. The same for GCM mode -- they have CCM just in case, never putting all their eggs in one basket.

    cheers,
    </wqw>

  19. #19

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,470

    Re: [RESOLVED] Gmail Authentication?

    Finally!!!
    Code:
    220 smtp.gmail.com ESMTP 196sm5448167pfz.11 - gsmtp
    --> HELO me
    250 smtp.gmail.com at your service
    --> AUTH PLAIN
    334 
    --> ABd49jE0ZTU0QGdtYWlsLmNvbQBvq45tamVrMzEp (obfuscated)
    235 2.7.0 Accepted
    --> MAIL FROM: <xxxxxxx@gmail.com>
    250 2.1.0 OK 196sm5448167pfz.11 - gsmtp
    --> RCPT TO: <xxxxxxx@pobox.com>
    250 2.1.5 OK 196sm5448167pfz.11 - gsmtp
    --> DATA
    354  Go ahead 196sm5448167pfz.11 - gsmtp
    --> To: <xxxxxxx@pobox.com>
    From: John Coutts<xxxxxxx@gmail.com>
    Subject: Test
    X-Mailer: JACMail Version 4.0.0
    Date: Fri, 04 Dec 2020 08:44:13 -0800 (PDT)
    Message-ID: <44169.3640509259@key.domain.com>
    MIME-Version: 1.0
    --> 
    --> 
    250 2.0.0 OK  1607100253 196sm5448167pfz.11 - gsmtp
    --> QUIT
    221 2.0.0 closing connection 196sm5448167pfz.11 - gsmtp
    There are potentially other problems with attachments etc, but at least I was able to send a simple text message. One interesting side note is that using SMTP directly with Gmail transmits the source IP address in the header. Using a browser does not. Without the source IP, it is difficult to determine if the message is bogus or not.

    J.A. Coutts

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  



Click Here to Expand Forum to Full Width