getgrav / grav-plugin-email

Grav Email Plugin
http://getgrav.org
MIT License

Google SMTP 2FA: google identify Grav as not secure #75

Closed jimblue closed 6 years ago

jimblue commented 6 years ago

Hi,

I'm following all the steps from the README for a 2FA-protected Gmail account without success. It always returns an error and Gmail sends me a security email:

the error header:

[screenshot]

the error content:

{
  "error": {
    "type": "Swift_TransportException",
    "message": "Expected response code 250 but got code \"535\", with message \"535-5.7.8 Username and Password not accepted. Learn more at\r\n535 5.7.8  https:\/\/support.google.com\/mail\/?p=BadCredentials c54sm14163416wra.84 - gsmtp\r\n\"\nLog data:\n++ Starting Swift_SmtpTransport\n<< 220 smtp.gmail.com ESMTP c54sm14163416wra.84 - gsmtp\r\n\n>> EHLO immersion-pictures.dev\r\n\n<< 250-smtp.gmail.com at your service, [82.251.158.9]\r\n250-SIZE 35882577\r\n250-8BITMIME\r\n250-STARTTLS\r\n250-ENHANCEDSTATUSCODES\r\n250-PIPELINING\r\n250-CHUNKING\r\n250 SMTPUTF8\r\n\n>> STARTTLS\r\n\n<< 220 2.0.0 Ready to start TLS\r\n\n>> EHLO immersion-pictures.dev\r\n\n<< 250-smtp.gmail.com at your service, [82.251.158.9]\r\n250-SIZE 35882577\r\n250-8BITMIME\r\n250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH\r\n250-ENHANCEDSTATUSCODES\r\n250-PIPELINING\r\n250-CHUNKING\r\n250 SMTPUTF8\r\n\n>> AUTH LOGIN\r\n\n<< 334 VXNlcm5hbWU6\r\n\n>> amltQGltbWVyc2lvbi1waWN0dXJlcy5jb20=\r\n\n<< 334 UGFzc3dvcmQ6\r\n\n>> Y3Bic29hb3J3dWt2ZnBlZQ==\r\n\n<< 534-5.7.14 <https:\/\/accounts.google.com\/signin\/continue?sarp=1&scc=1&plt=AKgnsbt2\r\n534-5.7.14 AbIHDC-sRD4_atsdRKjm_o_nmzyMVn9rLQmB62EYrLwD7YMUSUK7SrH8H2d_yB2mW3tIWZ\r\n534-5.7.14 wHZyMhIN7k8bfZfk-IqBP3HL_8GOaWANCVZR6o7vslD_Onr-h5K2WgdKml4Bsna8SPkzeY\r\n534-5.7.14 UFL_HFmiriG2UeH4zyy7O3DJFyGjS0ukWflgMbCK-MuDkQBB7yPffytGzq2N1cW7CoTpmx\r\n534-5.7.14 vn_5s70_gOQYScB9gWp9DWJAXGkq4> Please log in via your web browser and\r\n534-5.7.14 then try again.\r\n534-5.7.14  Learn more at\r\n534 5.7.14  https:\/\/support.google.com\/mail\/answer\/78754 c54sm14163416wra.84 - gsmtp\r\n\n!! 
Expected response code 235 but got code \"534\", with message \"534-5.7.14 <https:\/\/accounts.google.com\/signin\/continue?sarp=1&scc=1&plt=AKgnsbt2\r\n534-5.7.14 AbIHDC-sRD4_atsdRKjm_o_nmzyMVn9rLQmB62EYrLwD7YMUSUK7SrH8H2d_yB2mW3tIWZ\r\n534-5.7.14 wHZyMhIN7k8bfZfk-IqBP3HL_8GOaWANCVZR6o7vslD_Onr-h5K2WgdKml4Bsna8SPkzeY\r\n534-5.7.14 UFL_HFmiriG2UeH4zyy7O3DJFyGjS0ukWflgMbCK-MuDkQBB7yPffytGzq2N1cW7CoTpmx\r\n534-5.7.14 vn_5s70_gOQYScB9gWp9DWJAXGkq4> Please log in via your web browser and\r\n534-5.7.14 then try again.\r\n534-5.7.14  Learn more at\r\n534 5.7.14  https:\/\/support.google.com\/mail\/answer\/78754 c54sm14163416wra.84 - gsmtp\r\n\" (code: 534)\n>> RSET\r\n\n<< 250 2.1.5 Flushed c54sm14163416wra.84 - gsmtp\r\n\n>> AUTH PLAIN amltQGltbWVyc2lvbi1waWN0dXJlcy5jb20AamltQGltbWVyc2lvbi1waWN0dXJlcy5jb20AY3Bic29hb3J3dWt2ZnBlZQ==\r\n\n<< 534-5.7.14 <https:\/\/accounts.google.com\/signin\/continue?sarp=1&scc=1&plt=AKgnsbtb\r\n534-5.7.14 8P4LV7wcP7-hqF1BItOiDUUluYJ9qCOvNIJ3JESV8sYU6a2gBarFEhH0kN3PijdGbTlmqA\r\n534-5.7.14 JwZ-8AFW2GU4AZy_CvmDyTE11VYI3hvC5-LuqM4M2NEAF0Ez-r7FxKyIcqndttD5phIVML\r\n534-5.7.14 39_YVoiuztI7NSq4HkMRemPHzkGsD4RVHh95t8GG5HDleJ_3u8gy2iGdk2tcoq9KmmPOCW\r\n534-5.7.14 qTaVY-ppUe0WRwhCXqF_8veICbR3g> Please log in via your web browser and\r\n534-5.7.14 then try again.\r\n534-5.7.14  Learn more at\r\n534 5.7.14  https:\/\/support.google.com\/mail\/answer\/78754 c54sm14163416wra.84 - gsmtp\r\n\n!! 
Expected response code 235 but got code \"534\", with message \"534-5.7.14 <https:\/\/accounts.google.com\/signin\/continue?sarp=1&scc=1&plt=AKgnsbtb\r\n534-5.7.14 8P4LV7wcP7-hqF1BItOiDUUluYJ9qCOvNIJ3JESV8sYU6a2gBarFEhH0kN3PijdGbTlmqA\r\n534-5.7.14 JwZ-8AFW2GU4AZy_CvmDyTE11VYI3hvC5-LuqM4M2NEAF0Ez-r7FxKyIcqndttD5phIVML\r\n534-5.7.14 39_YVoiuztI7NSq4HkMRemPHzkGsD4RVHh95t8GG5HDleJ_3u8gy2iGdk2tcoq9KmmPOCW\r\n534-5.7.14 qTaVY-ppUe0WRwhCXqF_8veICbR3g> Please log in via your web browser and\r\n534-5.7.14 then try again.\r\n534-5.7.14  Learn more at\r\n534 5.7.14  https:\/\/support.google.com\/mail\/answer\/78754 c54sm14163416wra.84 - gsmtp\r\n\" (code: 534)\n>> RSET\r\n\n<< 250 2.1.5 Flushed c54sm14163416wra.84 - gsmtp\r\n\n>> AUTH XOAUTH2 dXNlcj1qaW1AaW1tZXJzaW9uLXBpY3R1cmVzLmNvbQFhdXRoPUJlYXJlciBjcGJzb2Fvcnd1a3ZmcGVlAQE=\r\n\n<< 334 eyJzdGF0dXMiOiI0MDAiLCJzY2hlbWVzIjoiQmVhcmVyIiwic2NvcGUiOiJodHRwczovL21haWwuZ29vZ2xlLmNvbS8ifQ==\r\n\n!! Expected response code 235 but got code \"334\", with message \"334 eyJzdGF0dXMiOiI0MDAiLCJzY2hlbWVzIjoiQmVhcmVyIiwic2NvcGUiOiJodHRwczovL21haWwuZ29vZ2xlLmNvbS8ifQ==\r\n\" (code: 334)\n>> RSET\r\n\n<< 535-5.7.8 Username and Password not accepted. Learn more at\r\n535 5.7.8  https:\/\/support.google.com\/mail\/?p=BadCredentials c54sm14163416wra.84 - gsmtp\r\n\n!! Expected response code 250 but got code \"535\", with message \"535-5.7.8 Username and Password not accepted. Learn more at\r\n535 5.7.8  https:\/\/support.google.com\/mail\/?p=BadCredentials c54sm14163416wra.84 - gsmtp\r\n\" (code: 535)",
    "file": "\/Users\/jim\/Sites\/immersion-pictures\/user\/plugins\/email\/vendor\/swiftmailer\/swiftmailer\/lib\/classes\/Swift\/Plugins\/LoggerPlugin.php",
    "line": 140
  }
}

The Gmail security email: sorry, it's in French, but it's basically saying: "we just blocked a connection attempt to your account from an app with security risk"

[screenshot]

To be sure my Grav configuration was working, I ran some tests with another Gmail account, but without 2FA and with the "less secure apps" option activated. This time it worked... Mails are properly sent!

Of course activating less secure apps is not an option for production for obvious reasons.

If Grav is not considered secure by Google, maybe the best way would be to add an OAuth solution for this plugin? (from what I've read on Google...)

I hope you have some kind of solution :)

Thank you
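
An SMTP debug transcript like the one in the post above includes the client's AUTH payloads, which are base64-encoded rather than encrypted, so such a log should be scrubbed before it goes into a public issue. The following is an added example, not part of the original thread or of the plugin's code: it redacts AUTH payloads from a transcript in that style and reports the final reply per mechanism. The sample log, account, password and function names are constructed for illustration.

```python
import base64
import re

def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

# Constructed transcript in the ">>" client / "<<" server style of the log above.
# The account name and password are made up for this example.
SAMPLE_LOG = "\n".join([
    "<< 250-AUTH LOGIN PLAIN XOAUTH2",
    ">> AUTH LOGIN",
    "<< 334 VXNlcm5hbWU6",
    ">> " + b64(b"user@example.test"),
    "<< 334 UGFzc3dvcmQ6",
    ">> " + b64(b"not-a-real-password"),
    "<< 534-5.7.14 Please log in via your web browser and",
    "534 5.7.14 then try again.",
    ">> RSET",
    "<< 250 2.1.5 Flushed",
    ">> AUTH PLAIN " + b64(b"\0user@example.test\0not-a-real-password"),
    "<< 535 5.7.8 Username and Password not accepted.",
])

# Last line of an SMTP reply: three-digit code, a space, optional enhanced code.
FINAL_REPLY = re.compile(r"^(?:<< )?(\d{3}) (\d\.\d+\.\d+)?")

def redact_smtp_log(text):
    """Return (redacted_text, [(mechanism, code, enhanced_code), ...])."""
    out, results = [], []
    mech, expect_reply = None, False
    for line in text.splitlines():
        auth = re.match(r"^>> AUTH (\S+)(?: \S+)?$", line)
        reply = FINAL_REPLY.match(line)
        if auth:
            mech = auth.group(1)
            if line != f">> AUTH {mech}":          # initial response present
                line = f">> AUTH {mech} [REDACTED]"
        elif line.startswith(">> ") and expect_reply and line[3:] not in ("RSET", "QUIT"):
            line = ">> [REDACTED]"                  # answer to a 334 challenge
        elif reply and mech and reply.group(1) != "334":
            results.append((mech, reply.group(1), reply.group(2)))
            mech = None                             # outcome recorded for this attempt
        # A 334 challenge means the next client line carries credential material.
        expect_reply = bool(reply) and reply.group(1) == "334"
        out.append(line)
    return "\n".join(out), results
```

Server lines, including the 334 challenges, are left untouched; only what the client sends in response to them, or inline after `AUTH <mechanism>`, is replaced.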

rhukster commented 6 years ago

What docs? Are you talking about the oauth plugin?

jimblue commented 6 years ago

Nope, the grav-plugin-email docs: https://github.com/getgrav/grav-plugin-email#google-email

About OAuth: I'm saying that because I have another app (Spark) that uses Gmail to send email and it seems to use OAuth:

As you can see, this app is in Gmail's list of apps that have access (Grav is not here). It's in French again, but basically it's a list of third-party apps having access to some part of my account, here Gmail.

[screenshot]

Google asked me only once if I authorised Spark to control email... Grav could probably do the same, no?

jimblue commented 6 years ago

[screenshot]

From Google: https://support.google.com/accounts/answer/185833?authuser=1&hl=en

rhukster commented 6 years ago

Ah ok, you definitely do have to use a single-app password, but that should still work as long as you are using TLS security. If that's still not working, then the issue is likely to do with Swiftmail itself, as all that authentication is handled via the Swiftmail plugin. The Grav email plugin simply passes the values along. I will try to test this scenario though, as I also have 2-factor auth set up on my account.

jimblue commented 6 years ago

Yep I'm using TLS. Here are the settings I use in grav-email-plugin to help:

Tell me if I can give you more information to help.

jimblue commented 6 years ago

PS: If you didn't read the return content message on my first post the following should help:

Expected response code 250 but got code \"535\" (At the end of the message)

rhukster commented 6 years ago

[screenshot]

Do you have your App password set in this section? Should not be with other Apps like Spark. Should be under the "Signing in to Google" section:

[screenshot]

rhukster commented 6 years ago

Just tested and it worked fine with this setup:

enabled: true
from: 'devs@getgrav.org'
to: 'username@gmail.com'
mailer:
  engine: smtp
  smtp:
    server: smtp.gmail.com
    port: 465
    encryption: ssl
    user: 'username@gmail.com'
    password: 'mycustomapppassword'

Also worked fine with port: 587 and encryption: tls

I think it's something with your app password, to be honest.

rhukster commented 6 years ago

BTW: https://stackoverflow.com/questions/42558903/expected-response-code-250-but-got-code-535-with-message-535-5-7-8-username

jimblue commented 6 years ago

Yes my configuration was good, it's exactly the same as yours.

But I found something... My SMTP login name is not a classical contact@gmail.com but contact@mycompany.com. It's because I'm using Gmail with a custom domain (through G Suite).

So I just tried with a classical Gmail address and an app password... ...guess what... it's working!

That means there is some kind of problem because the username is not .....@gmail.com

Do you have an idea why?

rhukster commented 6 years ago

Nope, I actually used my @trilbymedia.com google account when testing, so it's not that.

jimblue commented 6 years ago

I don't get it...

Just by changing user from ...@mycompany.com to ...@gmail.com and password to the corresponding app password it's working...

You use @trilbymedia.com with G Suite too? If that's the case, do you have any special configuration that could make the difference?

rhukster commented 6 years ago

Yes, you have to log in with the email in question and generate your password for that email. I don't have a regular Gmail one and a G Suite one, only G Suite, and that's how I log in and generate the app password.

jimblue commented 6 years ago

Damn it, that's exactly what I do too... 😞

jimblue commented 6 years ago

Thanks for your support, Andy. I'll probably contact Google, as I don't know what I can do on my side.

jimblue commented 6 years ago

For people running into the same issue while using G Suite, follow these steps:

rhukster commented 6 years ago

You know that was already documented in the README.md :)

[screenshot]

jimblue commented 6 years ago

Yes, I know, Andy, but this setting is not in the same place in G Suite.

robhuijben commented 2 years ago

@rhukster I suggest reopening this issue because Google Workspace (using Gmail) dropped the support for less secure password apps. It is recommended to use OAuth 2.0 to authenticate.