←back to thread

How IMAP works under the hood

(blog.lohr.dev)
230 points michidk | 4 comments | 29 Mar 25 09:05 UTC | HN request time: 0.211s | source
Show context
superkuh ◴[31 Mar 25 13:36 UTC] No.43534900[source]
Of course these days the mega-corp walled garden email providers don't really follow standards like IMAP. IMAP will not work with, say, Google's gmail or Microsoft office365, or AT&T ISP email, etc, etc. They have each implemented their own proprietery out-of-band authentication system that only works over HTTPS using the OAuth2.0 toolkit to build it. Any email client that does not explicitly design for each particular OAuth2.0 implementation (each megacorp's is slightly different) will not be able to connect over IMAP (unless they login via HTTPS using a web browser and set up "app passwords" for google, or similar for others).
replies(4): >>43535154 #>>43535551 #>>43536258 #>>43544796 #
jeffbee ◴[31 Mar 25 14:35 UTC] No.43535551[source]
Struggling to think of a way in which "IMAP will not work with gmail". Please explain.
replies(1): >>43537792 #
1. Aloisius ◴[31 Mar 25 17:56 UTC] No.43537792[source]
It can, but it does require doing a lot of Google-specific things (set up a google cloud account, create a consent screen, get a security review, justify your usage of the IMAP API instead of the web APIs to them, find the right scopes, etc) or instruct users to go through multiple screens in their google settings to create an app password.

Google really doesn't want you to use IMAP. They're trying to push everyone to their neutered web apis instead.

replies(1): >>43537971 #
2. jeffbee ◴[31 Mar 25 18:14 UTC] No.43537971[source]
You seem to be taking the perspective of an application developer or something like that? Certainly for users all they need to do is roll in with their favorite IMAP client and use it. All of what you said applies not at all to users.
replies(2): >>43538359 #>>43547068 #
3. Aloisius ◴[31 Mar 25 18:49 UTC] No.43538359[source]
> roll in with their favorite IMAP client and use it

That's just it. Lots of client developers, especially open source ones, balked.

So to use something like mutt with gmail requires a user go into their google settings, set up 2fa then create an app-specific password. And if a user is on a Google Workspace account with "insecure" passwords turned off, they either have to do all the gcloud/consent/etc. stuff themselves or steal a client secret from another client.

Oauth client secrets aren't really compatible with open source and oauth flows don't work well in terminals. Google's onerous process didn't help and on top of that, using oauth means getting hit by Google's quotas.

Who knows how long Google will support app-specific passwords? Or perhaps they'll start forcing 2fa via their own gmail app every login.

4. superkuh ◴[01 Apr 25 14:18 UTC] No.43547068[source]
It does. Gmail disabled imap login for everyone. You explicitly have to find and set up a special "app password" to enable just IMAP now. Many major corporate email clients (like thunderbird) have implemented these corporation-mail-company specific work arounds though so the user doesn't notice them.