Expected lifetime of IMAP access for email?

[oddhack]

Gmail and now Microsoft have moved over to supporting only OAuth 2.0 authentication for their mail servers, which cannot reasonably be done in my workflow (using fetchmail to get mail onto my local workstation, where I want it). For the time being I'm forwarding mail to those addresses to Sonic, but I'm worried about the lifetime of traditional "basic authentication" e.g. IMAP with user/pass to Sonic's mail server. I don't find the arguments for OAuth 2.0 convincing from a security standpoint and the complexity is immense, thus I'm hoping that you will not be removing "basic" IMAP support as well. Can you speak to this point?

[daniel15]

I can't speak for Sonic of course, but I think eventually every provider will want to switch to OAuth2 for authentication. You mentioned security - it's more secure as it allows for two-factor authentication and uses more narrowly-scoped access tokens that need to be periodically refreshed by the client, rather than an authentication token that last indefinitely and can be stolen and reused anywhere (a regular password). A lot of organisations are completely banning usage of basic authentication for email because of these reasons.

Ideally everything would migrate to JMAP (RFC 8621) as it's a lighter, more modern, stateless API, but for now we'll have to deal with IMAP and XOAUTH2.

[kgc]

We're unlikely to remove basic authentication on IMAP or SMTP at any time in the foreseeable future and I too find *some* of the arguments around OAuth 2 for email clients dubious. However, I have intended on adding application specific password support with the potential ability for a user to mange preferences like requiring one be used for a given protocol. We may be somewhat late to the part there but should be able to do it based on some other changes we're working. Coincidentally, that may also allow us to support OAuth 2.

[placebo]

Ideally everything would migrate to JMAP (RFC 8621) as it's a lighter, more modern, stateless API, but for now we'll have to deal with IMAP and XOAUTH2.

Does Sonic have any plans to support JMAP in the near future?

[kgc]

No, to quote the lead developer of Dovecot when asked about JMAP support: "Lots of work, and nobody really seems to want it that much, so we're not actively working on it."