Msmtp with gmail: "Less secure app access" no longer allowed after May

Hello! I use msmtp with gmail to send ping-monitor warnings from OpenWRT. So far I chose "allow less secure app access" on my google account in order to do it.

However, after 5/30, google will no longer allow "less secure app access". So I have to figure out what to do by then.
I guess I need to change

tls on
tls_starttls on
tls_certcheck off

in msmtprc to
tls_certcheck on, and put a certificate file somewhere and do something with it.....
First question is, would I be able to use msmtp with gmail if I do it?
And the second: if that's the case, could someone please tell me how to do it?

And, if tls_certcheck isn't going to help, is there any way that I can keep using gmail for msmtp, or could someone recommend me another email account to use? Or should I drop msmtp and use something else? I do things like

echo "Subject: $NAME2 is online" | msmtp


sed -i -e '1iSubject: APs Marienhaus\' /tmp/alert2_send;
msmtp < /tmp/alert2_send

As long as I can do the same thing, I don't have to stay with msmtp.

I would appreciate your advice!

Tunnel using stunnel?

Just generate an App Password in Google and sign in with that.


Thank you for your replies!
@dizzy could you tell me what I should do with stunnel? I suppose get an ssl file and put it somewhere?
@lantis1008 I looked at App Password, but it seems you have to set it up for each device, and I don't see how I can set one up for my OpenWRT router..... did you manage that way?

Up to now, Gmail "preferred" OAuth login but allowed "less secure login".
It may be that the problem is OAuth is becoming mandatory.

You could try setting tls_starttls off
This is a very old and deprecated way of connecting with an smtp server.
It might be what Gmail does not like.

When tls_starttls is on, it means tls is only used for login, all other communications are done unencrypted, so it should actually be off anyway. Possibly Gmail would be happier with this off.

msmtp is an email client, so uses the certificates of the server, so you do not have to do anything other than enable tls.

A typical msmtp.conf would look something like this:

port 465
auth on
password mypassword
auto_from off
add_missing_from_header on
add_missing_date_header on
tls on
tls_starttls off
tls_certcheck off
syslog LOG_MAIL

Unfortunately I don't think you will be able to continue using a gmail account....

I generated a password for “mail”, then I said it was for “other” use.
Normally you would generate one for each use, but I recorded the generated password in my password manager and used it for ThunderBird and a few other uses. It should work fine for smtp in openwrt as well in theory.

Yes, I have done that in the past but unfortunately I think it is probably the "other" part that Google intend to stop.

Not what I’m interpreting from here, but I might be wrong.

3 options at the end, one of which is App Passwords

I could be wrong too. I stopped using msmtp with gmail a while ago for other reasons so not sure. It might be the starttls problem though.

Thanks a lot for your replies!
I tried tls_starttls off, then it won't send emails anymore: I get this:

msmtp: TLS handshake failed: An unexpected TLS packet was received.
msmtp: could not send mail (account default from /etc/msmtprc)

I tried various combinations, tls_certcheck doesn't seem to matter, the other two have to be on, and, "less secure app access" has to be allowed, unfortunately....

I think google account can be used for soooo many things, that the security is very important. I have an account with hetzner and I can create email addresses there, too. I will give it a try. Perhaps it's not that tight. But I would be interested to know if someone has used msmtp on openwrt successfully, with "less secure app access" turned off.

Now I tried with hetzner, it didn't work, because hetzner's smtp server name is different from the domain name of the email address. msmtp doesn't like it.

So I tried with app passwords. I set it up, and then wanted to try if it works with "allow less secure app" off, then realized that this option is no longer there! I think it's because, in order to make an app password, you have to turn two-step verification on. It does look like app password is intended as a more secure alternative to "less secure app access"-on. Even if the app password gets stolen, it can't be used for any apps with ability of two-step verification, which makes it safer than just letting us use regular login-info on less-secure app without two-step-v.
I think it makes sense, and I think it's going to work beyond May.

Thanks a lot for the info!!!
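
The thread settles on app passwords but leaves `tls_certcheck off` in place and goes back and forth on `tls_starttls`. The sketch below is an added example, not code from any poster: it lints an msmtprc for those settings (587 is the STARTTLS submission port, 465 is TLS from the first byte). It assumes a single-account file; the function name `check_msmtprc`, the sample config and the password placeholder are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a single-account msmtprc for the settings this thread
# argues about. Prints one finding per line; returns 1 if there are any.
check_msmtprc() {
    rc=$1
    findings=$(
        awk '
            /^[ \t]*(#|$)/ { next }      # skip comments and blank lines
            { opt[$1] = $2 }             # "keyword value"; last one wins
            END {
                # msmtp defaults when a keyword is absent: tls off, tls_starttls on
                starttls = ("tls_starttls" in opt) ? opt["tls_starttls"] : "on"
                if (opt["tls"] != "on")
                    print "tls is not on: login and mail are sent unencrypted"
                if (opt["tls_certcheck"] == "off")
                    print "tls_certcheck off: the server certificate is not verified"
                if (opt["port"] == "587" && starttls == "off")
                    print "port 587 expects STARTTLS: set tls_starttls on"
                if (opt["port"] == "465" && starttls == "on")
                    print "port 465 expects TLS from the first byte: set tls_starttls off"
            }' "$rc"
        # A stored password (app password or not) must stay private to its owner.
        if grep -q '^[[:space:]]*password[[:space:]]' "$rc" &&
           [ "$(ls -ld "$rc" | cut -c5-10)" != "------" ]; then
            echo "password in a file readable by group/others: chmod 600 it"
        fi
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample input, not a config from the thread.
demo=$(mktemp)
printf '%s\n' 'host smtp.gmail.com' 'port 587' 'tls on' 'tls_starttls off' \
    'tls_certcheck off' 'password app-password-placeholder' > "$demo"
chmod 644 "$demo"
check_msmtprc "$demo" || echo "findings above: fix before relying on this config"
rm -f "$demo"
```

Run against the "typical msmtp.conf" posted earlier (port 465, `tls_starttls off`), the only TLS finding is the disabled certificate check.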
