Hello! I use msmtp with Gmail to send ping-monitor warnings from OpenWRT. So far I chose "allow less secure app access" on my Google account in order to do it.
However, after 5/30, Google will no longer allow "less secure app access". So I have to figure out what to do by then.
I guess I need to change
tls on
tls_starttls on
tls_certcheck off
in msmtprc to tls_certcheck on, and put a certificate file somewhere and do something with it.....
First question is, would I be able to use msmtp with Gmail if I do it?
And the second: if that's the case, could someone please tell me how to do it?
And, if tls_certcheck isn't going to help, is there any way that I can keep using Gmail for msmtp, or could someone recommend me another email account to use? Or should I drop msmtp and use something else? I do things like
echo "Subject: $NAME2 is online" | msmtp myaddress@gmail.com
Thank you for your replies!
@dizzy could you tell me what I should do with stunnel? I suppose get ssl file and put somewhere?
@lantis1008 I looked at App Password, but it seems you have to set it up for each device, and I don't see how I can set one up for my OpenWRT router..... did you manage that way?
Up to now, Gmail "preferred" OAuth login but allowed "less secure login".
It may be that the problem is OAuth is becoming mandatory.
You could try setting tls_starttls off
This is a very old and deprecated way of connecting with an smtp server.
It might be what Gmail does not like.
However:
When tls_starttls is on, it means tls is only used for login, all other communications are done unencrypted, so it should actually be off anyway. Possibly Gmail would be happier with this off.
msmtp is an email client, so uses the certificates of the server, so you do not have to do anything other than enable tls.
A typical msmtp.conf would look something like this:
host smtp.gmail.com
port 465
auth on
user my.emailaddress@gmail.com
password mypassword
auto_from off
from my.emailaddress@gmail.com
add_missing_from_header on
add_missing_date_header on
tls on
tls_starttls off
tls_certcheck off
syslog LOG_MAIL
Unfortunately I don't think you will be able to continue using a gmail account....
I generated a password for “mail”, then I said it was for “other” use.
Normally you would generate one for each use, but I recorded the generated password in my password manager and used it for Thunderbird and a few other uses. It should work fine for smtp in openwrt as well in theory.
Thanks a lot for your replies!
I tried tls_starttls off, then it won't send emails anymore: I get this:
msmtp: TLS handshake failed: An unexpected TLS packet was received.
msmtp: could not send mail (account default from /etc/msmtprc)
I tried various combinations, tls_certcheck doesn't seem to matter, the other two have to be on, and, "less secure app access" has to be allowed, unfortunately....
I think google account can be used for soooo many things, that the security is very important. I have an account with hetzner and I can create email addresses there, too. I will give it a try. Perhaps it's not that tight. But I would be interested to know if someone has used msmtp on openwrt successfully, with "less secure app access" turned off.
Now I tried with Hetzner, it didn't work, because Hetzner's smtp server name is different from the domain name of the email address. msmtp doesn't like it.
So I tried with app passwords. I set it up, and then wanted to try if it works with "allow less secure app" off, then realized that this option is no longer there! I think it's because, in order to make an app password, you have to turn two-step verification on. It does look like app password is intended as a more secure alternative to "less secure app access"-on. Even if an app password gets stolen, it can't be used for any apps with the ability of two-step verification, which makes it safer than just letting us use regular login info on a less-secure app without two-step verification.
I think it makes sense, and I think it's going to work beyond May.
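
Added example, not code from any post in this thread: a small POSIX shell audit for the msmtprc settings discussed above. It flags `tls_certcheck off`, a port that does not match the `tls_starttls` setting (implicit TLS on 465 versus STARTTLS on 25/587, a mismatch that produces a TLS handshake failure like the one quoted), and a literal `password` in a file that group or others can access. The function names, finding codes and sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag risky or mismatched msmtprc settings.

# Print the last value given for KEY in FILE ("key value" lines; # starts a comment).
cfg_get() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Print one finding code per line for FILE; print nothing when every check passes.
audit_msmtprc() {
    f=$1
    tls=$(cfg_get "$f" tls)
    starttls=$(cfg_get "$f" tls_starttls)
    certcheck=$(cfg_get "$f" tls_certcheck)
    port=$(cfg_get "$f" port)
    : "${starttls:=on}"    # msmtp uses STARTTLS unless told otherwise

    [ "$tls" = on ] || echo "TLS_OFF"
    if [ "$certcheck" = off ]; then echo "CERTCHECK_OFF"; fi

    # Port 465 expects TLS from the first byte (tls_starttls off);
    # ports 25 and 587 start in plain text and upgrade (tls_starttls on).
    case "$port:$starttls" in
        465:on|587:off|25:off) echo "PORT_STARTTLS_MISMATCH" ;;
    esac

    # A literal password stored in a file that group or others can access.
    if [ -n "$(cfg_get "$f" password)" ]; then
        mode=$(ls -ld "$f" | cut -c5-10)
        [ "$mode" = "------" ] || echo "PASSWORD_READABLE"
    fi
    return 0
}

# Constructed sample config (port 587 and the password are placeholders).
demo() {
    tmp=$(mktemp) && chmod 644 "$tmp"
    printf '%s\n' 'host smtp.gmail.com' 'port 587' 'tls on' \
        'tls_starttls off' 'tls_certcheck off' \
        'password APP-PASSWORD-PLACEHOLDER' > "$tmp"
    audit_msmtprc "$tmp"
    rm -f "$tmp"
}
demo
```

On the router, `audit_msmtprc /etc/msmtprc` checks the file named in the error output above.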