This post will be irrelevant for Google Workspace after 2022-10-04 because OAuth out-of-band (OBB) flow will be deprecated.
See my newer post
which describes loopback IP flow for mbsync and msmtp.
Google will remove Less Secure app Access (LSA) from Gmail of G Suite.
And I want to continue to use Gmail from NetBSD laptop with mbsync (isync) and msmtp.
However I cannot find any successful report about mbsync with XOAuth2.
I do not understand OAuth2 and its derivatives at all.
This post is for reporting how to use mbsync and msmtp for Gmail without LSA,
not for understanding OAuth2.
Prerequiestics
I am a NetBSD desktop user.
I will use pkgsrc as a package management system.
The pkgsrc is portable for almost all POSIX system.
You can bootstrap pkgsrc on non-NetBSD POSIX-like operating system that you are using.
I should install the following pkgsrc packages.
pkgsrc/mail/isync (isync-1.3.1nb2 or later)
pkgsrc/security/cyrus-sasl-xoauth2
pkgsrc/mail/msmtp
Be sure to use isync-1.3.1nb2 or later.
isync-1.3.1nb1 has short buffer (80 bytes) for an output of PassCmd.
Generate client ID and client secret on Google CLoud Platform console
Goole Cloud Platform console is very complicated.
I will not show how to generate clinet ID and client secret step by step.
I should follow Google Cloud Platform console -> API&Services -> Credentials -> OAuth 2.0 Client IDs.
Get my Access Token and Refresh Token with Google's oauth2.py
With my client ID and client secret, I can get my (temporal) Access Token and Refresh Token with Google's
oauth2.py commandline tool.
I can get oauth2.py tool from
https://raw.githubusercontent.com/google/gmail-oauth2-tools/master/python/oauth2.py.
This oauth2.py is for Python 2.7 not for Python 3.
Be sure to execute the tool with python2.7 command from pkgsrc/lang/python27.
And I must have modern web browser like pkgsrc/www/firefox to access Google's webpage.
An outline of my steps is as follows.
- Execute oauth2.py with my client ID and client secret.
- I can get a URI of Google's webpage and open the webpage with my Firefox.
- I can get a code and input the code to oauth2.py.
- I can get the access token and refresh token.
I will use the refresh token to renew the access token.
Do not discard my refresh token.
I will execute oauth2.py as follows.
$ python2.7 /opt/share/oauth2.py \
--user=MY_GSUITE_EMAIL_ADDRESS \
--client_id=MY_CLIENT_ID.apps.googleusercontent.com \
--client_secret=MY_CLIENT_SECRET \
--generate_oauth2_token
Create a script to generate a access token from the refresh token
My access token will expire in 3600 seconds.
I will regenerate my access token every e-mail send/fetch.
Google's oauth2.py has no special mode to output refresh access token only.
I will create the following script as /opt/bin/get_teteraorg_token.sh.
#! /bin/sh
/usr/pkg/bin/python2.7 /opt/share/oauth2.py \
--user=MY_GSUITE_EMAIL_ADDRESS \
--client_id=MY_CLIENT_ID.apps.googleusercontent.com \
--client_secret=MY_CLIENT_SECRET \
--generate_oauth2_token \
--refresh_token=MY_REFRESH_TOKEN | \
awk -F" " '{if(NR==1)print $3}'
Do not ferget to execute chmod 700 /opt/bin/get_teteraorg_token.sh
.
My ~/.mbsyncrc
My .mbsyncrc is very simple. PassCmd and AuthMechs are special.
IMAPAccount gmail
Host imap.gmail.com
User MY_GSUITE_EMAIL_ADDRESS
#AuthMechs LOGIN
AuthMechs XOAUTH2
PassCmd "/opt/bin/get_teteraorg_token.sh"
SSLType IMAPS
CertificateFile /etc/openssl/certs/ca-certificates.crt
IMAPStore gmail-remote
Account gmail
MaildirStore gmail-local
Path ~/.maildir/teteraorg-gmail/
Inbox ~/.maildir/teteraorg-gmail/inbox
Channel gmail-inbox
Master :gmail-remote:
Slave :gmail-local:
Channel gmail-trash
Master :gmail-remote:"[Gmail]/Trash"
Slave :gmail-local:trash
Channel gmail-sent
Master :gmail-remote:"[Gmail]/Sent Mail"
Slave :gmail-local:sent
Channel gmail-archive
Master :gmail-remote:
Slave :gmail-local:
Patterns "Arch*"
Group teteraorg
Channel gmail-inbox
Channel gmail-sent
Channel gmail-trash
Channel gmail-archive
My ~/.msmtprc
For msmtp, no special patch is reaquired.
msmtp has no XOAuth2 support (it seems that XOauth2 support is removed already).
Use auth oauthbearer
instead.
defaults
account teteraorg
tls on
tls_certcheck off
tls_starttls off
host smtp.gmail.com
port 465
protocol smtp
auth oauthbearer
from MY_GSUITE_EMAIL_ADDRESS
user MY_GSUITE_EMAIL_ADDRESS
passwordeval "/opt/bin/get_teteraorg_token.sh"
account default: teteraorg