Standard email clients with SSL aren't secure enough for Gmail anymore?

[Ichinisan]

I just tried to add a Gmail account to Outlook 2007. All the settings are correct.

incoming (imap)
imap.gmail.com

outgoing (smtp)
smtp.gmail.com - outgoing

username/account name
full email address

SMTP authentication enabled

IMAP SSL encryption enabled (port 993)
SMTP SSL encryption enabled (port 465)

I've done this dozens of times in the past. It has always worked. This time, Outlook hung for over 1 minute after I clicked "Finish" when adding the account, then a pop-up error message appeared directing me to: https://support.google.com/mail/answer/78754

---------------------------
Microsoft Office Outlook
---------------------------
Your IMAP server wants to alert you to the following: Please log in via your web browser: https://support.google.com/mail/accounts/answer/78754 (Failure)
---------------------------
OK
---------------------------

Then I got this email message from Google:

Sign-in attempt prevented

Hi Evans,
Someone just tried to sign in to your Google Account -----@gmail.com from an app that doesn't meet modern security standards.

Details:
Wednesday, August 5, 2015 10:35 AM (Eastern Daylight Time)
Newnan, GA, USA*

We strongly recommend that you use a secure app, like Gmail, to access your account. All apps made by Google meet these security standards. Using a less secure app, on the other hand, could leave your account vulnerable. Learn more.

Google stopped this sign-in attempt, but you should review your recently used devices:

[REVIEW YOUR DEVICES NOW]

Best,
The Google Accounts team

I wanted to show screeshots of my configuration to prove that it's all correct, but Outlook hard-locked when I accidentally clicked the "Folders" tab under More Settings.

I was bombarded with a flurry of those error messages after killing Outlook and re-launching it. I had to spend a few minutes dismissing them so I could go remove the account settings and stop the flood.

 

[Ichinisan]

Got this when I tried to add to Windows Live Mail 2012:

WEBALERT https://accounts.google.com/ContinueSignIn?sarp=1&scc=1&plt=AKgnsbvwwjFkMOqW3z2T31CAl1GoquKOPhjGowUHm1OCnbFYTIu69okJJHHU7P66_2LLffhg1KJi7wdJyWXSEEMIE6QynmVgOcYuBKYiZsbml5dNlh3ty50Wc0d2JzY4pEWqegBbhoEa1Z5c95iFfuMZElCNCx1FIRMLbuzH_07oDu62Li7bQQkf634aauqBVAt9MjYaJn5r9trTWf8BL8XdoS1zHk3uDYVPvTm6ktNra7CW_Kr3KdE] Web login required.

Configuration:
   Account: Gmail (-----)
   Server: imap.gmail.com
   User name: -----@gmail.com
   Protocol: IMAP
   Port: 993
   Secure(SSL): 1
   Code: 800cccd1

https://accounts.google.com/Continu...r9trTWf8BL8XdoS1zHk3uDYVPvTm6ktNra7CW_Kr3KdE]

So I guess Windows Live Mail 2012 doesn't support the security requirements of Gmail?

 

[Ichinisan]

I tried it with my other Gmail account (has 2-factor authentication enabled) and it allowed me to add to WL Mail 2012 with no problems. Of course, I had to use an application-specific password.

I'll try enabling 2-factor authentication on the other Gmail account to see if that allows me to set it up with Outlook 2007 / Windows Live Mail...

 

[matricks]

My dad lost access to his e-mail recently, it's the same issue. Google is enforcing application-specific passwords for what they call "less secure applications" (POP/IMAP and anything else that can't support Google two-factor authentication). Even if you don't use two-factor authentication on your account, you have to explicitly agree to let less secure applications log in to your account. The Google support link has links to these buttons.

 

[Puffnstuff]

Have you tried letting outlook configure itself to your account automatically? I use office 2010 and I let outlook configure itself automatically to the account and I just provide the required information.

 

[Ichinisan]

Have you tried letting outlook configure itself to your account automatically? I use office 2010 and I let outlook configure itself automatically to the account and I just provide the required information.

I never do that out of habit, because it would always guess the wrong settings for some Google-hosted domains I deal with.

Tried it just now and it fails to detect settings (Outlook 2007).

 

[BarkingGhostar]

Test the IMAP account with another client (Thunderbird) and see what happens to rule out it is a Microshit Outlook issue.

 

[Puffnstuff]

I used to be a stickler for manually entering my account info but I've had good success with allowing Outlook to automatically acquire the server settings.

 

[Ketchup]

Strange. I access my Gmail through Outlook 2013 and Thunderbird and haven't had issues with either. Haven't touch the configuration since I set them up (at least) a couple years ago.

 

[Ichinisan]

Tried in Thunderbird 31.6.0 with another account (does not have 2-step auth).

Auto detection seemed to get the correct settings, but still failed.

Thunderbird is only on this computer for testing purposes. I can't tell when it was last updated. When I opened the About dialog to check the version (31.6.0), it started downloading the 38.1.0 update.

I installed the 38.1.0 update. Deleted the user profile. Created a new user profile with a slightly different name. Tried configuring it again.

It auto-detected IMAP settings just before I clicked Done. Then it showed a Google web authentication:

I know OSX and iOS devices started doing this after an update 2-3 months ago.

Perhaps Google only restricts this for accounts that haven't had regular / periodic POP/IMAP/SMTP access for a while.

Yeah, I could change the option to allow insecure methods, but I don't want to open up anything other than SSL IMAP/POP/SMTP. I definitely don't want to open up insecure HTTP or old APIs with that same setting.

I guess the only real option is to enable 2-factor authentication for all Gmail / Google accounts. I already do that for my own, but it could be a problem for an account that I share with others.

 

[Chiefcrowe]

Yeah, it sounds like you will have to enable 2-factor and then use more than one app password if you have to share the acct.

 

[Iron Woode]

glad I don't have this problem with postbox express.