GoogleCloudPlatform / jit-groups

JIT Groups is an open source application that lets you implement secure, self-service access management for Google Cloud using groups.
Apache License 2.0

How to send Emails via Gmail without allowing less secure apps? #339

Closed florianmutter closed 7 months ago

florianmutter commented 7 months ago

According to https://support.google.com/accounts/answer/6010255?hl=en less secure apps will not be allowed some time later this year. It seems to me that SMTP with app password does only work if less secure apps are allowed.

Is there any alternative to app passwords that we can use?

EDIT: Maybe jit-access needs to use the gmail api to send emails?

jpassing commented 7 months ago

Less secure apps and app passwords are unrelated: You can disable less secure apps and it should have no impact on app passwords. The upcoming deprecation of less secure apps therefore shouldn't affect JIT Access.

Maybe jit-access needs to use the gmail api to send emails?

That would certainly work, but not everybody uses Gmail for email delivery. So we'd have to maintain 2 mechanisms for email delivery, and I'm not sure if that's worth it.

florianmutter commented 7 months ago

We did create a new workspace account, enabled 2-FA and created an app password.

Setting "Allow users to manage their access to less secure apps" in Google Admin console allows us to send emails. Setting this to "Disable access to less secure apps (Recommended)" prevents us from sending emails. Documentation of this setting here: https://support.google.com/a/answer/6260879?hl=en

We did not change any setting for the user itself.

The error we get is:

User florian.mutter@example.com failed to request role 'roles/artifactregistry.writer' on '//cloudresourcemanager.googleapis.com/projects/puc-d-ce-jit-access-faf3' for 5 minutes: The notification could not be sent, caused by MailException: The mail could not be delivered, caused by AuthenticationFailedException:

534-5.7.9 Please log in with your web browser and then try again. For more 534-5.7.9 information, go to 534 5.7.9 https://support.google.com/mail/?p=WebLoginRequired g18-20020a170906199200b00a46b0d47710sm5321781ejd.161 - gsmtp

Any idea what we could do or whom we could ask about this?

florianmutter commented 7 months ago

With the help of our TAM we found this article https://workspaceupdates.googleblog.com/2023/09/winding-down-google-sync-and-less-secure-apps-support.html that states

If you have scanners or other devices using simple mail transfer protocol (SMTP) or LSAs to send emails, you’ll need to either: configure them to use OAuth, use an alternative method, or configure an App Password for use with the device.

So I agree that it should work but it doesn't 🤷‍♂️

florianmutter commented 7 months ago

I created an app password for my user and it works. It seems to be an issue with the jit-access user we created for this.

jpassing commented 7 months ago

I also did some internal research yesterday but couldn't find anything that would explain why disabling LSAs would have an impact on application-specific passwords. In fact, one of my test accounts uses the same configuration: LSA disabled, but JIT Access uses an ASP to send emails.

I created an app password for my user and it works. It seems to be an issue with the jit-access user we created for this.

In that case, maybe just delete and recreate the jit-access user? And if you haven't already, make sure it has a Workspace license. The error message doesn't indicate a license issue, but a Workspace license is required to send emails.

florianmutter commented 7 months ago

Thanks for the hint. The service account did not have a workspace license.
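An added diagnostic script, not part of jit-groups or of this thread, that exercises only the SMTP login step with an app password and maps Gmail's reply (such as the 534-5.7.9 text quoted above) to the causes discussed here; the host/port defaults and the hint wording are my assumptions.

```python
import re
import smtplib
from urllib.parse import parse_qs, urlparse

# Gmail auth replies carry an enhanced status code and a support URL whose
# "p" parameter names the failure class, e.g. ?p=WebLoginRequired.
_STATUS_RE = re.compile(r"\b(\d\.\d\.\d+)\b")
_URL_RE = re.compile(r"https://support\.google\.com/\S+")

# Hint wording is this example's own; the first entry is the case in the issue.
HINTS = {
    "WebLoginRequired": "Google refused the password login for this account. "
    "Confirm the sending user has a Workspace license (the root cause here) "
    "and review the org unit's less secure apps setting.",
    "BadCredentials": "Username/app password rejected. Confirm 2-Step "
    "Verification is on and the app password was copied without spaces.",
}


def classify_auth_error(code, reply):
    """Turn an SMTP auth failure (code + reply text/bytes) into a diagnosis."""
    text = reply.decode(errors="replace") if isinstance(reply, bytes) else reply
    status = _STATUS_RE.search(text)
    url = _URL_RE.search(text)
    reason = None
    if url:
        reason = parse_qs(urlparse(url.group(0)).query).get("p", [None])[0]
    return {
        "code": code,
        "enhanced_status": status.group(1) if status else None,
        "reason": reason,
        "hint": HINTS.get(reason, "Unrecognised reply; read the server text."),
    }


def probe_gmail_smtp(user, app_password, host="smtp.gmail.com", port=587):
    """Do STARTTLS + AUTH only (no message is sent) and report the outcome."""
    try:
        with smtplib.SMTP(host, port, timeout=15) as smtp:
            smtp.ehlo()
            smtp.starttls()
            smtp.ehlo()
            smtp.login(user, app_password)
        return {"ok": True}
    except smtplib.SMTPAuthenticationError as exc:
        return {"ok": False, **classify_auth_error(exc.smtp_code, exc.smtp_error)}

if __name__ == "__main__":
    import getpass, sys
    print(probe_gmail_smtp(sys.argv[1], getpass.getpass("App password: ")))
```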