Bypass “Less Secure Apps” in GMail With SeaMonkey Mail Using IMAP.
Problem: Google doesn’t support STARTTLS or plain username and password over TLS anymore.
Google has declared war on mail clients. It will probably get worse in the near future, but for now, you can still log in with a proper email program, like SeaMonkey.
When Google makes these additional changes I’ll see if I can hack around them too and update everyone.
(Google really doesn’t like IMAP because they can’t shove ads that look like email messages in it like they do in the Web Mail version. These are basically a phishing attack that Google lets advertising companies pay for.)
"To help keep your account secure, from May 30, 2022, Google no longer supports the use of third-party apps or devices which ask you to sign in to your Google Account using only your username and password.
Important: This deadline does not apply to Google Workspace or Google Cloud Identity customers. The enforcement date for these customers will be announced on the Workspace blog at a later date.
If an app or site doesn’t meet our security standards, Google might block anyone who’s trying to sign in to your account from it. Less secure apps can make it easier for hackers to get in to your account, so blocking sign-ins from these apps helps keep your account safe."
Solution: Fake the User Agent for Google.com and GMail.
Even though SeaMonkey Mail doesn’t have any security problems that Thunderbird doesn’t have, Google allows Thunderbird and denies SeaMonkey. They both use the same code to implement mail support.
To get around this, lie to Google about your User Agent String.
In about:config, right-click, make a new String.
Paste in general.useragent.override.gmail.com and for the value, use Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:115.14) Gecko/20100101
Be careful there’s no whitespace. Then do the same thing, make the value
Paste in general.useragent.override.google.com and for the value, use Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:115.14) Gecko/20100101
Then select OAuth as the authentication type and set up your GMail account in SeaMonkey and sign-in again (you may need to click the “Get Messages” button), and instead of seeing the “less secure apps” warning, it’ll log in and fetch your mailbox.
Every 18 months or so you have to bump the fake User Agent. This should be easy because Thunderbird uses ESR branches of Firefox (currently 115) and the minor builds on this ESR branch normally go to .14.
They only check the minor revision to make sure it’s not lower than the minimum required Thunderbird. They don’t check the major version to see if it actually exists yet or not. So putting “current ESR plus .14” works even though there is no such version.
This is important because I have also found out that if you’re not “following minor versions” of Thunderbird, Google will log you out and your mailbox will disappear from SeaMonkey until you bump it. And you usually only get two minor releases behind before they do this!
So really the only thing to bump is the rv:xxx.xx part of the String, whereas the x’s indicate the major and minor build of Thunderbird you’re claiming to be.
If you look in the “apps with access to my account” you’ll see an entry for “Mozilla Thunderbird” with “Access to GMail”. This is SeaMonkey.
“Security“ that you lie your way past. I like it.
Very “I’ll make three Windows Registry entries and Windows 11’s installer has no Secure Boot, TPM, or minimum processor anymore.” (which is also a thing) of Google.