ON SECURITY By Susan Bradley When we go online, we begin with a basic tool that started us all on the technology journey years and years ago — an emai
[See the full post at: Email for the modern world]
Susan Bradley Patch Lady/Prudent patcher
Susan, you recommend OAuth for email. In Thunderbird (Popmail), if I use
Account Settings > Server Settings > Security Settings > Authentication Method and select OAuth2 from the Authentication Method dropdown,
then I can send email but not receive it. So how does one implement OAuth2 for Tbird, or is it only for Gmail accounts?
Thunderbird (Popmail) … I can send email but not receive it.
GMail has a setup in their Web Mail settings which allows you to create a one-time entry for a permanently saved App Password. You must use this App Password setup for POP-3 clients, and many IMAP clients (like Thunderbird) also require it.
Setting up an App Password requires turning on two-factor authentication with Gmail. Gmail requires 2FA of all its users now, so this does not introduce an additional hoop to jump through.
Once set up, the App Password is negotiated by your email client transparently — you never have to enter it or any other password again.
Other providers may also have this requirement. (My Yahoo Mail account does need an App Password for POP-3 access, but this does not require setting up 2FA to access Web Mail through Yahoo. But you should enable 2FA for all online accounts.)
-- rc primak
So if one used Tbird Popmail for email, then one cannot use OAuth2?
Being able to use OAuth2 isn’t solely a function of whether the e-mail program you’re using includes support for it (FYI, Tbird “does” support it), the e-mail provider you’re using must also support it.
If your e-mail service provider doesn’t support it (and not all of them do) then you won’t be able to use it for that particular account in your e-mail program!
I.e. I have three different POP3 e-mail accounts set up in Tbird on my PC from three different e-mail service providers but only one of them (gmail) supports OAuth2… actually, it now requires it. The other two still use legacy authentication (SSL/TLS + password) with no option to enable any form of 2FA.
Alejr: Thanks for the clarification. Spectrum is my internet and email provider.
In my up to date Tbird, I can go to Settings/Account Settings/Server Settings/Authentication method/ and choose “OAuth2”. However, when I did that and sent myself an email, I never received it.
When I go to Settings/Account Settings/Outgoing Server/ which shows only “RoadRunner mail”, which I select and then Edit/Authentication Method/ , there is no choice for “OAuth2”. So what’s going on?
Firstly,
E-mail programs “communicate” with the mail server you choose when you create an account and the server will respond indicating exactly which authentication methods it supports.
So, if the OAuth2 option is missing, that means that mail server responded indicating it doesn’t support OAuth2 and, as you’ve discovered, it won’t work for that account.
i.e. you can’t “force” a mail server to use OAuth2 if it’s not configured to support it!
Secondly,
If your provider does support OAuth2, you must enable it on their end of the connection first to get the “special code” needed to make it work on your end. Without that code, which you’ll be prompted to enter the first time you send/receive messages after setting the account to use OAuth2, your e-mail won’t work!
I checked, and as far as I can determine, Spectrum only supports OAuth2 for business users not home users; which would explain why it’s not an option for your outgoing mail server and doesn’t work for your incoming mail server.
Alejr:
Thanks for the very useful analysis of the Oauth situation at Spectrum (and likely at other email providers):
“as far as I can tell, Spectrum only supports OAuth2 for business users not home users; which would explain why it’s not an option for your outgoing mail server and doesn’t work for your incoming mail.”
One has to pay up for a business account if one wants the bells and whistles.
2 Things … my EPIM Mail app — Hotmail acct Server setting (Incoming) shows IMAP (OAuth), SO, the issue isn’t (as Susan stated but it doesn’t always sink in with amateurs) just POP or IMAP, it’s the “Basic” approach — & absence of OAuth.
For wife’s – at bellsouth.net — acct EPIM shows Only IMAP4 – BUT – she has a 15-Digit Secure Key for Logins I got from an AT&T page after login. It appears that the Secure Key equates to OAuth type protection making IMAP4 OK –
W10 Pro 22H2 / Hm-Stdnt Ofce '16 C2R / HP Envy Desk-Ethernet - SSD-HDD/ i5(8th Gen) 12GB / GP=2 + FtrU=Semi-Annual + Feature Defer = 1 + QU=0
Yes, it’s the older Basic login vs. the better 2FA, OAuth or App Password (Secure Key) login methods.
she has a 15-Digit Secure Key for Logins
That is what is known as an App Password. It operates on a per-application basis and serves as a digital fingerprint or 2nd login factor. It’s not as secure as OAuth, but for older programs it may be the only viable alternative.
-- rc primak
I’m fairly certain shared mailboxes use no Exchange Online licenses. The exception is, if you’re using Microsoft Defender for Office 365 to protect the shared mailbox, it uses a Defender license.
Another helpful site for learning and implementing DMARC is Global Cyber Alliance. They have both a learning portal, plus the tools to help setup and check your DMARC implementation.
Casey
… which is Exchange:
https://www.pathcom.com/my-exchange
https://docs.pathcom.com/mediawiki/index.php/MyExchange_Main_Page
Windows 11 Pro version 22H2 build 22621.2359 + Microsoft 365 + Edge
Pathcom assure me that they only use their exchange server for corporate clients – and a unix platformed server for residential clients – of which I am one.
So back to my original query / comment
I don’t use exchange, I do use Outlook 365. I don’t see alternatives to POP and IMAP. Are there any?
I also note that Wikipedia includes some pretty disparaging remarks about OAuth 2.0
and perhaps – why should I care?
It’s how that password is stored and protected. With IMAP and POP it’s less secure than when it’s wrapped with a newer security protocol.
It’s entirely possible that your ISP only offers IMAP and POP.
Susan Bradley Patch Lady/Prudent patcher
I think this is a really good article and I’ve run across instances of everything that Susan cautions about (many of them in my own family).
I wonder if you can comment on email services like Google’s. Is the only caution that one needs to keep one’s account active (i.e. every 2 years)? I somehow think that relying on a company like Google (and not picking only on Google – equally MS and the like) for “free” email service is inherently somewhat ‘risky’. Nothing is ‘free’ – everything is a business decision – and who knows what the future holds. Of course even paid services might well go out of business too…
I somehow think that relying on Webmail services for the future isn’t great. That’s why I continue to use a venerable POP client (Eudora) and have every email I want downloaded to my own machine – where I alone am responsible for keeping that intact….
Richard
Susan, you said in the article “Some domain choices involve underscores or dashes, which can also make it difficult to communicate the name.” It can be worse than that. Since I set up my personal website more than a decade ago with a dash in the domain name and use a few addresses in that domain for my main email, I’ve run into a handful of commercial sites that refuse to recognize those addresses as syntactically valid. The problem is obviously in their validation algorithms, but there’s no hope of getting them to change.
Thanks Susan.
A small comment about Aliases and a secure email provider.
I signed up with a paid version of Proton mail, which purports to be extremely secure and allows one to send encrypted messages user to user, without any intervening ISP being able to read them.
They also provide 5 aliases that one can use for the same email account, both to send from and reply to. I thought what a great idea! Brilliant! I’ll use one alias for friends, one for business, one for non-computer-literate friends who are likely to be hacked/compromised (based on past experience), one for retailers that I buy from online, etc.
In practice though, it proves impossible to manage that many. Even though it is easy to select the relevant address to use, one soon forgets which address one has used previously for which person, and ends up in a complete muddle confusing people by using different addresses. I now only use two email addresses/aliases.
———————————–
Now all we need to do is find a modern equivalent of Eudora, which is still the best email program I ever used.
RobB
“Some people consider email addresses temporary, changing them often as they switch ISPs or other services. But others, perhaps a vast majority, consider them a matter of identity.”
Ha! Then I am a person with many multiple identities. I have a couple of email addresses hung off of a personal domain, 10 or so GMail addresses and 250 or so spamex.com “temporary” email addresses.
Google/Microsoft love people who use only one email address. That makes it much easier to track what they are doing across the web and profile them for advertising.
2 items related to email:
Then with phones. You have my phone number and could use any phone to get to me.
With the web, you have my email address and you could use any mail client you want to get to that email address.
But now, it seems we’re going backwards? This is my twitter name? What’s your discord name? Facebook messenger address? I don’t use slack, he uses X or Y, it’s so fragmented. You could send me a message through 1 of dozens of different apps / sites and I won’t see it because I don’t use this or that app anymore. Or you don’t know my account on this or that app / site. So less collaboration. And at least some of these apps / services will email me to tell me I have a message on their service. Huh? Why not stick with email / a least common denominator.
Am I wrong? Am I missing something? Sure, sites / forums for specific things, but they typically email that someone replied on the forum. Or you can send a private message in the forum / another place to have to check if you got any messages. Moving away from standards seems like the wrong way.
Seems we’re going to more time wasted checking this or that app to see if I got a message or to figure out what app should I use to reach that person.
Copyright ©2004-2023 by AskWoody Tech LLC. All Rights Reserved.