RDK
Posts: 435
Joined: Wed Aug 13, 2014 10:19 am
Location: Wyoming and France

G-Mail and less secure sign-in technology

Thu Mar 31, 2022 4:22 pm

Folks....I recently got an e-mail from Google about one of my accounts which I use to send daily updates from each of my Pi's. As discussed somewhere in this reference (viewtopic.php?p=1616422&hilit=rdk#p1616422 ) I'm using a mail script in CRON to send the mails. It is all working fine.

However, after I got this "note" from Google
On May 30, you may lose access to apps that are using less secure sign-in technology
me@gmail.com
To help keep your account secure, Google will no longer support the use of third-party apps or devices which ask you to sign in to your Google Account using only your username and password. Instead, you’ll need to sign in using Sign in with Google or other more secure technologies, like OAuth 2.0.
What do you need to do?
An app or device which uses Simple Mail Transfer Protocol (SMTP) to send emails using your Google Account has less secure access to your Gmail. This might be an older device, like a printer or scanner. To continue using your Google Account with this app or device:

App - Remove your Google Account from the app or device and sign in again using Sign in with Google
Device - Change your device’s settings so you’re using more secure sign-in technology
I'm wondering if after May 30, all of my Pi's will go silent??

Anyway, what is the correct procedure to address the G-Mail warning issue? Changes in my e-mail script or the configuration file???
Thanks...RDK

pcmanbob
Posts: 13298
Joined: Fri May 31, 2013 9:28 pm
Location: Mansfield UK

Re: G-Mail and less secure sign-in technology

Thu Mar 31, 2022 7:32 pm

Yes, your pi will no longer be able to access your gmail account.

This is what you need to do.

Using a web browser, log in to the pi gmail account.

Add a mobile number and a recovery email address to the account if it does not already have one.

Then enable 2 factor authentication using the mobile number so you get a text every time you want to log in.

Once this is enabled you can get an app password that your pi can use in place of the account password to log on to the account just as it did before.

It's not too hard to do, but one point is to copy or write down the app password, because once you close the screen displaying it you can't see it ever again, but it does keep working.

If you want detailed instructions and pointers to the page locations in gmail I will endeavour to write some tomorrow.
We want information… information… information........................no information no help
The use of crystal balls & mind reading are not supported

RDK
Posts: 435
Joined: Wed Aug 13, 2014 10:19 am
Location: Wyoming and France

Re: G-Mail and less secure sign-in technology

Fri Apr 01, 2022 11:54 am

Many thanks. Yes, I would appreciate some more details before I start modifications. I have 8 Pi's to touch, some of which are remote..RDK

pcmanbob
Posts: 13298
Joined: Fri May 31, 2013 9:28 pm
Location: Mansfield UK

Re: G-Mail and less secure sign-in technology

Fri Apr 01, 2022 2:38 pm

I suggest you do this on a desktop / laptop PC.
I will apologise at the start for some bad screenshots; it's just because you can't screen cap some pages/popups,
and don't close any tabs until you are done, as you may need to get back to a page and it's simpler if you can use an already open page.

So first thing, log in to your pi email account on google from a browser.

Then click on the account icon on the top right of the page to get this

Image

Then click on manage your google account

At the home page

Image

You will need to add your date of birth if you have not already done this ( if you don't you may be prevented from continuing on a later page ) and then click on protect your account under you have security recommendations, assuming you have not added a recovery phone number

Image

You may need to click on 2 verification methods to expand the page.

So you can now update email / phone number as required.

Once you have done this you can click on the security tab on the left of the screen, which will get you here.

Image

From here you can activate 2-step verification to sign in to your account ( click on 2-step verification ); here you will set up sending a text to your mobile whenever you log in to your account as a second security step.

Once you have done this you need to go back to the security page. Your inbox should still be open in one of the tabs on your browser, so just click on the account icon top right and click on manage your google account and then security.

Image

Now you can see an option for app passwords; if you click on it you will be taken to this page to create your app password.

Image

Now you need to enter these details; it's important you get them right or the app password won't work ( don't ask me how I know )

First click on select app and from the drop down box select Mail.
Then click on select device and from the drop down box select other and enter pi in the field.

Now click on the generate button, which will present the code like this.

Image

DO NOT CLOSE THIS BOX until you have copied the code down, because once you close this box you can't ever see the code again.

Now to update your pi's ( the easy bit )

So if you are sending mail using python, then in your program you need to replace the password entry with the 16 digit app password like this.

Code:

import smtplib
from email.mime.text import MIMEText
from email.mime.multipart import MIMEMultipart
# MIMEBase and encoders are only needed if you attach files
from email.mime.base import MIMEBase
from email import encoders

email_user = "account@gmail.com"
email_password = "tgafghizmaeas"  # <<<<<<<< enter 16 digit code here to replace the password you were using
email_send = "address to send to"

subject = "Test email from pi"

# Build the message headers
msg = MIMEMultipart()
msg["From"] = email_user
msg["To"] = email_send
msg["Subject"] = subject

# Plain-text body
body = "Hi there, sending this email from Python!"
msg.attach(MIMEText(body,"plain"))

text = msg.as_string()
# Connect on the submission port, upgrade to TLS, then log in with the app password
server = smtplib.SMTP("smtp.gmail.com",587)
server.starttls()
server.login(email_user,email_password)


server.sendmail(email_user,email_send,text)
server.quit()

If you are using msmtp to send mail then you need to edit your msmtprc file in /etc and add the 16 digit code like this

Code:

defaults
auth           on
tls            on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile        /home/pi/msmtp.log
aliases        /etc/aliases
# Gmail specifics
account        gmail
host           smtp.gmail.com
port           587
from           a user@gmail.com
user           a user@gmail.com
# <<<<<<<< enter 16 digit code here to replace the password you were using
password       tgafghizmaeas
# Default
account default : gmail

Now your pi can continue to send email using google just as it did before, and you can use the same credentials on more than one pi at the same time and email will be sent from them all.


You can add more app passwords if you find the one you created does not work, like I did when I got the mail and pi entries incorrect, but I suggest you delete the old non working one first. You will find the option for this on the same page you used to create one; just click on the icon to the right of the listed app passwords.

Of course you will be asked for your account password, the one you normally use to sign in, many times during these processes, so make sure you have it to hand if you can't remember it.

Hope this helps you. I have not covered steps like updating recovery email and entering phone number or actually activating 2 step authentication because these steps will be guided by the web page anyway and there is lots of personal information on the pages. Just allow yourself an hour or so for each account you want to update and you should be fine, but if you have a specific problem I will try to help.

Trust me, it gets easier the more times you do it. I have done it for over 15 accounts now, and not just for use on the pi but on PC's using email programs that need this option as well.

Edited to correct typing errors
Last edited by pcmanbob on Sun Jun 19, 2022 9:16 am, edited 1 time in total.
We want information… information… information........................no information no help
The use of crystal balls & mind reading are not supported
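
A variation on the Python step in the post above, added here as an example and not part of pcmanbob's code: it keeps the app password in an owner-only file instead of in the script, verifies Gmail's TLS certificate, and reports a refused login instead of dying silently under cron. The file path, the function names, the RefusingSMTP stub and the "16 lowercase letters" format check are assumptions of this example.

```python
import os
import smtplib
import ssl
import stat
import string
import tempfile
from email.message import EmailMessage

SMTP_HOST, SMTP_PORT = "smtp.gmail.com", 587  # same server and port as the post


def load_app_password(path):
    """Return the app password stored in `path`, refusing files other users can access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} has mode {mode:o}; run chmod 600 on it")
    with open(path, encoding="ascii") as fh:
        # Drop the display spaces and any CR/LF left behind by a Windows editor.
        secret = "".join(fh.read().split())
    # Assumption of this example: an app password is exactly 16 lowercase letters.
    if len(secret) != 16 or any(c not in string.ascii_lowercase for c in secret):
        raise ValueError("expected a 16-letter app password")
    return secret


def send_report(user, app_password, to_addr, subject, body, smtp_factory=smtplib.SMTP):
    """Send one message over STARTTLS; return (ok, detail) so cron output shows why it failed."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = user, to_addr, subject
    msg.set_content(body)
    context = ssl.create_default_context()  # verifies the server certificate and host name
    try:
        with smtp_factory(SMTP_HOST, SMTP_PORT, timeout=30) as server:
            server.starttls(context=context)
            server.login(user, app_password)
            server.send_message(msg)
    except smtplib.SMTPAuthenticationError as exc:
        # The server refused the credentials, e.g. the old account password is still configured.
        detail = exc.smtp_error
        if isinstance(detail, bytes):
            detail = detail.decode(errors="replace")
        return False, f"auth refused: {exc.smtp_code} {detail}"
    except (smtplib.SMTPException, OSError) as exc:
        return False, f"send failed: {exc}"
    return True, "sent"


class RefusingSMTP:
    """Constructed stand-in for a server that rejects the login, so the demo runs offline."""

    def __init__(self, *args, **kwargs):
        pass

    def __enter__(self):
        return self

    def __exit__(self, *exc_info):
        return False

    def starttls(self, context=None):
        pass

    def login(self, user, password):
        raise smtplib.SMTPAuthenticationError(535, b"5.7.8 Username and Password not accepted")

    def send_message(self, msg):
        pass


if __name__ == "__main__":
    # Constructed sample: a password pasted with display spaces and a Windows line ending.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "gmail_app_password")
        with open(path, "w", newline="") as fh:
            fh.write("abcd efgh ijkl mnop\r\n")
        os.chmod(path, 0o600)
        secret = load_app_password(path)
    print(send_report("account@gmail.com", secret, "me@example.com", "Test email from pi",
                      "body", smtp_factory=RefusingSMTP))
```

On a real Pi, drop the smtp_factory argument so smtplib.SMTP is used, and point load_app_password at a file created with chmod 600.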

RDK
Posts: 435
Joined: Wed Aug 13, 2014 10:19 am
Location: Wyoming and France

Re: G-Mail and less secure sign-in technology

Tue Apr 26, 2022 7:33 am

@pcmanbob Thanks for this info. I have been busy with other things and just now about ready to address this issue. I have a couple questions before I start:
1. for the phone number, does it include the + before the country code?
2. will it send a text alert to my phone every time I log on to my Google account? GMail? Or every time one of my Pi's sends an e-mail?
3. will this change the way I get to my g-mail account on my PC, laptop or phone?
4. will it affect sending mail to g-mail from other non-Google accounts?

Thanks again for this "tutorial" for my Pi bakery....RDK

pcmanbob
Posts: 13298
Joined: Fri May 31, 2013 9:28 pm
Location: Mansfield UK

Re: G-Mail and less secure sign-in technology

Tue Apr 26, 2022 9:55 am

RDK wrote:
Tue Apr 26, 2022 7:33 am
@pcmanbob Thanks for this info. I have been busy with other things and just now about ready to address this issue. I have a couple questions before I start:
1. for the phone number, does it include the + before the country code?
2. will it send a text alert to my phone every time I log on to my Google account? GMail? Or every time one of my Pi's sends an e-mail?
3. will this change the way I get to my g-mail account on my PC, laptop or phone?
4. will it affect sending mail to g-mail from other non-Google accounts?

Thanks again for this "tutorial" for my Pi bakery....RDK
1. I think I just typed in my number 07981 XXXXXX the system then does what it wants with it in the way of formatting.

2. If you log in via a web browser then yes, it will send you a code via text after you have entered your ID and password; that's 2 factor authentication.
But your pi will use the app password, so no text and no code needed.

3. Yes, on your PC/laptop accessing the account will now require user ID, password and code, which is texted to you. On your phone it depends on how you access the account, but then I don't access my pi email accounts from my phone anyway. But it may affect other accounts you have if they use less secure apps.

4. No it does not affect receiving mail to the account or even sending mail from the account only how you access the account.
We want information… information… information........................no information no help
The use of crystal balls & mind reading are not supported

RDK
Posts: 435
Joined: Wed Aug 13, 2014 10:19 am
Location: Wyoming and France

Re: G-Mail and less secure sign-in technology

Tue Apr 26, 2022 1:11 pm

@pcmanbob ....Thanks again, setting up FTA and getting the app password worked about like you said it would.

I just added the new PW to one of my Pi, but then wondered what will now happen to those Pi's that I haven't updated. Will the automatic (CRON jobs) mailings fail? Will I get a failure message or alert?

I'm pretty sure I know all of the affected Pi's but what if I miss one?

Thanks...RDK

pcmanbob
Posts: 13298
Joined: Fri May 31, 2013 9:28 pm
Location: Mansfield UK

Re: G-Mail and less secure sign-in technology

Tue Apr 26, 2022 1:24 pm

I would expect your pi's to fail in the same way as if less secure apps had been turned off due to lack of mails being sent or you turning it off.

So I expect the mails will not send as access will be refused, so if you have error logging in your code then that will capture it.
I doubt you will get any warnings from google, but who knows; guess you will just have to wait for the date when they say they are turning off less secure apps and see what happens.

If you miss one you just won't get emails from it; it's down to you to check and see if you are missing expected emails.
We want information… information… information........................no information no help
The use of crystal balls & mind reading are not supported

RDK
Posts: 435
Joined: Wed Aug 13, 2014 10:19 am
Location: Wyoming and France

Re: G-Mail and less secure sign-in technology

Tue Apr 26, 2022 1:36 pm

OK, basically what I expected....RDK

RDK
Posts: 435
Joined: Wed Aug 13, 2014 10:19 am
Location: Wyoming and France

Re: G-Mail and less secure sign-in technology

Wed Apr 27, 2022 5:48 am

@pcmanbob ....Well, 4 of 6 Pi sent their "Call Home" messages last night. I've reviewed the ssmtp.conf on both failing Pi's relative to those that worked and can not see any differences or typos. All of them are running Stretch except one is Buster and that was one of the Pi's that failed. Here is what I see in the log from the Cronjob.
  • Stretch Pi: mail: cannot send message: Process exited with a non-zero status
  • Buster Pi: mail: cannot send message: Broken pipe
I see nothing in the syslog. Can you assist in debugging this?....RDK

pcmanbob
Posts: 13298
Joined: Fri May 31, 2013 9:28 pm
Location: Mansfield UK

Re: G-Mail and less secure sign-in technology

Wed Apr 27, 2022 9:43 am

I don't have stretch running on any of my pi's that do email , so not tested it with ssmtp, I have moved all mine to msmtp as they are buster or bullseye.

If I get time I will try setting up ssmtp on stretch and see what I can find.

Could the pi running buster be a different problem if it has a broken pipe? I would be inclined to SSH in to it and try sending a simple test email just to prove it's not some other problem.
I have not had a broken pipe problem on any of my pi's when sending email following the changeover to app password.

Assuming they are all using the same gmail account, did you use the same app password on them all?

This works for both msmtp and ssmtp as a simple test email from the command line.

Code:

echo "Hello world email body" | mail -s "Test Subject" recipientname@domain.com

EDIT.....

So set up ssmtp on stretch lite using one of my pi gmail accounts which is using the app password. ( was lucky I still had a working copy of stretch but it needed updating :lol: )
Ran one of my standard ssmtp bash scripts that sends the pi IP address to several of my email addresses and it worked just fine.

So you must have made an error when copying over the app password to the ssmtp.conf file. If you are doing this using windows to ssh in to your pi but editing your ssmtp.conf file in windows, I would suggest you use notepad++ and set it to save files in unix format.

Another option is that if you have another pi running ssmtp and it works, copy the ssmtp.conf file from it to the one that's not working and try that; same goes for buster and the msmtprc file.

Also on msmtp you can enable logging by adding this line

Code:

logfile        /home/pi/msmtp.log

to the msmtprc file and it will give you output like this.

Code:

Apr 27 11:35:46 host=smtp.gmail.com tls=on auth=on user=addresssendfrom@gmail.com from=pi@bullseye-test-1 recipients=sendtoaddress@gmail.com mailsize=170 smtpstatus=250 smtpmsg='250 2.0.0 OK  1651055746 i14-20020a1c540e000000b00393dc91e9c9sm1301587wmb.17 - gsmtp' exitcode=EX_OK

addresses redacted.

Which might help you figure out what's wrong.
We want information… information… information........................no information no help
The use of crystal balls & mind reading are not supported
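
An added example, not from the post and not part of msmtp: a small check over the msmtp logfile format shown above that lists failed sends and flags a Pi whose last successful send is too old, which covers the "what if I miss one?" case from the Pi's side. The failure record in the sample, the 26-hour threshold and the function names are constructed for this example.

```python
import re
from datetime import datetime, timedelta

# key=value pairs; values such as smtpmsg and errormsg are wrapped in single quotes
FIELD = re.compile(r"(\w+)=('[^']*'|\S*)")


def parse_line(line, now):
    """Turn one msmtp logfile line into a dict, or None if it is not a delivery record."""
    fields = {key: value.strip("'") for key, value in FIELD.findall(line[15:])}
    if "exitcode" not in fields:
        return None
    try:
        # The log has no year: assume the current one, or the previous one
        # if that would put the record in the future.
        when = datetime.strptime(f"{now.year} {line[:15]}", "%Y %b %d %H:%M:%S")
        if when > now:
            when = when.replace(year=now.year - 1)
    except ValueError:
        return None
    fields["time"] = when
    return fields


def review(lines, now, max_age=timedelta(hours=26)):
    """Report failed sends and whether the last successful send is older than max_age."""
    entries = [e for e in (parse_line(line, now) for line in lines) if e]
    failures = [e for e in entries if e["exitcode"] != "EX_OK"]
    last_ok = max((e["time"] for e in entries if e["exitcode"] == "EX_OK"), default=None)
    stale = last_ok is None or now - last_ok > max_age
    return {"failures": failures, "last_ok": last_ok, "stale": stale}


# First record is the success line from the post; the second is a constructed
# failure record for a login the server refused.
SAMPLE_LOG = [
    "Apr 27 11:35:46 host=smtp.gmail.com tls=on auth=on user=addresssendfrom@gmail.com "
    "from=pi@bullseye-test-1 recipients=sendtoaddress@gmail.com mailsize=170 smtpstatus=250 "
    "smtpmsg='250 2.0.0 OK  1651055746 i14-20020a1c540e000000b00393dc91e9c9sm1301587wmb.17 - gsmtp' "
    "exitcode=EX_OK",
    "Apr 28 00:00:03 host=smtp.gmail.com tls=on auth=on user=addresssendfrom@gmail.com "
    "from=pi@bullseye-test-1 recipients=sendtoaddress@gmail.com smtpstatus=535 "
    "smtpmsg='535-5.7.8 Username and Password not accepted.' "
    "errormsg='authentication failed (method PLAIN)' exitcode=EX_NOPERM",
]

if __name__ == "__main__":
    report = review(SAMPLE_LOG, now=datetime(2022, 4, 28, 8, 0, 0))
    for entry in report["failures"]:
        print(entry["time"], entry["smtpstatus"], entry.get("errormsg"), entry["exitcode"])
    print("last successful send:", report["last_ok"], "stale:", report["stale"])
```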

RDK
Posts: 435
Joined: Wed Aug 13, 2014 10:19 am
Location: Wyoming and France

Re: G-Mail and less secure sign-in technology

Wed Apr 27, 2022 12:05 pm

@pcmanbob....I didn't mention it before but all of these are either Pi2 or Pi3 (not 3B) units. I use this command in Crontab to collect files and send them:

Code:

/usr/pgms/sendtome.sh "PV3-Meteo" "/mnt/usbdrive/output/Meteo_error.log;/mnt/usbdrive/output/MeteoPrintLog.txt;/mnt/usbdrive/output/todaydata.txt"  > /mnt/usbdrive/output/CRON_output.txt 2>&1

This is the script which is called by the above Cronjob entry.

Code:

#!/bin/bash
TO="me@hotmail.com"
MESSAGEx="Midnight $(date '+%Y-%m-%d %H:%M:%S %Z') $HOSTNAME Pi report"
echo "$MESSAGEx"
# Parse the ";"-separated file list in $2 and display the entries
# (left unquoted below on purpose so it splits into words; paths must not contain spaces)
temp=$(echo "$2" | tr ";" "\n")
for file in $temp
do
    echo "> [$file]"
done
# Generate a file in real time
"[some SQL code to generate a file" > /mnt/usbdrive/output/todaydata.txt

# Build one -A <file> pair per attachment
declare -a attargs
for att in $temp; do
  attargs+=( "-A"  "$att" )
done
echo "$MESSAGEx" | /usr/bin/mail -s "$1" "$TO" "${attargs[@]}"

This script is basically the same on all of the Pi's, those that are working and those failing, and note all were working before I switched to the two-factor authentication. All of the Pi's are set up to use ssmtp. I now understand that ssmtp is outdated and that I should update to msmtp. If I do that will I have to change anything in the above script? And, I assume there is a configuration file?

Finally, you suggested that I "try sending a simple test email just to prove its not some other problem.". I'm not sure what you mean. Is there a way to send an email without it referencing the Gmail stuff in the ssmtp config?

Thanks....RDK

pcmanbob
Posts: 13298
Joined: Fri May 31, 2013 9:28 pm
Location: Mansfield UK

Re: G-Mail and less secure sign-in technology

Wed Apr 27, 2022 12:39 pm

So my stretch test was run on a pi2B, so it does not matter which pi it's on.

So if your pi is still running stretch and ssmtp there is no need to change it to msmtp; that was only needed if you switched to buster or bullseye because ssmtp would not work correctly on those later versions of the OS.

Finally, you suggested that I "try sending a simple test email just to prove its not some other problem.". I'm not sure what you mean

So what I am suggesting is that we need to prove it's something in the config file for ssmtp that's causing the problem and not something unrelated that just happens to have failed when you made the change to the file.

By running a simple mail send test from the command line using the line I posted we will test ssmtp and its config file. If the test fails with an error message then you know it's the ssmtp config that's the problem; you might also get more information from the error as you can see it directly on the screen.
If however the mail sends OK then you know it's something else that caused the problem.
This is especially true with the msmtp on buster failure that was a pipe error.

It's just a way to try and narrow down what's causing the problem, as we know that ssmtp should work just fine with the app password.

It's also a way to test mail sending while you are trying to sort the problem rather than having to wait for your mail to send each night.

You have to approach debugging errors in a logical way by testing each part of the system to prove where the problem lies; this is what we are trying to do here.

As a quick fix you could also try copying the config file for ssmtp from one of your working pi's ( assuming they all use the same email to send from ) on to the pi that won't send and see if that fixes it.

(*All references to ssmtp above also apply to msmtp as well )
We want information… information… information........................no information no help
The use of crystal balls & mind reading are not supported

RDK
Posts: 435
Joined: Wed Aug 13, 2014 10:19 am
Location: Wyoming and France

Re: G-Mail and less secure sign-in technology

Wed Apr 27, 2022 1:22 pm

@pcmanbob.....I'm very embarrassed!!!

When I checked my setup notes on the two failing Pi's, I discovered that they were not using ssmtp, but rather msmtp. When I update the /etc/msmtprc file with the new password, voila they both worked.

I apologize for wasting your time trying to help me debug. It has been a while since I built those units and my memory is not what it used to be....RDK

pcmanbob
Posts: 13298
Joined: Fri May 31, 2013 9:28 pm
Location: Mansfield UK

Re: G-Mail and less secure sign-in technology

Wed Apr 27, 2022 1:33 pm

:lol: :lol: :lol: :lol: :lol: :lol: :lol:

"To err is human, to forgive divine"

Glad you fixed your problem.
We want information… information… information........................no information no help
The use of crystal balls & mind reading are not supported

jbudd
Posts: 2078
Joined: Mon Dec 16, 2013 10:23 am

Re: G-Mail and less secure sign-in technology

Fri Apr 29, 2022 11:01 am

Edit - no longer relevant
Last edited by jbudd on Sat May 07, 2022 1:59 pm, edited 1 time in total.

KripyPicli
Posts: 1
Joined: Wed Oct 20, 2021 1:48 pm

Re: G-Mail and less secure sign-in technology

Fri May 06, 2022 10:07 pm

I had the same problem. I do not know who to blame, the area I was in, or the telephone network, but I was never able to get a confirmation message. Let's be serious; this is a 4-digit code, not an Interpol secret formula that provides such a high level of security. You can use the temporary phone number Germany for SMS confirmation. When you use virtual numbers, you can easily get a confirmation message, and you won't have to wait that long. Try different areas if it doesn't work, but it came out of the first release for me, so I wish you success.
Last edited by KripyPicli on Wed May 11, 2022 7:46 am, edited 1 time in total.

pcmanbob
Posts: 13298
Joined: Fri May 31, 2013 9:28 pm
Location: Mansfield UK

Re: G-Mail and less secure sign-in technology

Sat May 07, 2022 7:56 am

KripyPicli wrote:
Fri May 06, 2022 10:07 pm
I had the same problem. I do not know who to blame, the area I was in, or the telephone network, but I was never able to get a confirmation message.
Hi.

So which confirmation message could you not get ?

If you provide more detail about what you did I might be able to help.
We want information… information… information........................no information no help
The use of crystal balls & mind reading are not supported

jools72
Posts: 130
Joined: Sun Sep 29, 2019 12:40 pm

Re: G-Mail and less secure sign-in technology

Sat May 07, 2022 8:13 am

pcmanbob wrote:
Thu Mar 31, 2022 7:32 pm
Yes, your pi will no longer be able to access your gmail account.

This is what you need to do.

Using a web browser, log in to the pi gmail account.

Add a mobile number and a recovery email address to the account if it does not already have one.

Then enable 2 factor authentication using the mobile number so you get a text every time you want to log in.
How to do this without providing a phone number to google?

pcmanbob
Posts: 13298
Joined: Fri May 31, 2013 9:28 pm
Location: Mansfield UK

Re: G-Mail and less secure sign-in technology

Sat May 07, 2022 8:27 am

jools72 wrote:
Sat May 07, 2022 8:13 am

How to do this without providing a phone number to google?
Basically you can't, as the two factor authentication either sends an SMS message or calls you with the message.

There are options once you have set it up to use backup codes if your phone is lost or you can't get a service, but you need the phone to set it up in the first place.

Edit.

there are 2 other options it seems but I have no idea how you go about getting one, that's to use a USB security key.

ref . https://security.googleblog.com/2014/10 ... -with.html

or the Google Authenticator app

https://gadgets360.com/apps/features/go ... ty-1684339
I think you might still need a phone number to set this one up.
We want information… information… information........................no information no help
The use of crystal balls & mind reading are not supported

tinker2much
Posts: 481
Joined: Wed Jun 20, 2018 12:38 am

Re: G-Mail and less secure sign-in technology

Tue May 17, 2022 11:48 pm

pcmanbob wrote:
Fri Apr 01, 2022 2:38 pm
I suggest you do this on a desktop / laptop PC
I will apologise at the start for some bad screenshots; it's just because you can't screen cap some pages/popups,
and don't close any tabs until you are done, as you may need to get back to a page and it's simpler if you can use an already open page.
pcmanbob, don't worry about the screenshots - everything was very clear and I had no trouble following your instructions and I was able to get my app password. I had been putting this off and it was your post that got me to do it. Thank you.

From your other replies it seems like an app password can be used on multiple boxes - are there limits to this? I only have a couple of boxes using some home-brew python email-checking code, so I'm probably not going to hit a limit - I was just idly wondering (it seems like if it worked for 100 boxes, how secure is that?)

pcmanbob
Posts: 13298
Joined: Fri May 31, 2013 9:28 pm
Location: Mansfield UK

Re: G-Mail and less secure sign-in technology

Wed May 18, 2022 9:06 am

tinker2much wrote:
Tue May 17, 2022 11:48 pm
From your other replies it seems like an app password can be used on multiple boxes - are there limits to this? I only have a couple of boxes using some home-brew python email-checking code, so I'm probably not going to hit a limit - I was just idly wondering (it seems like if it worked for 100 boxes, how secure is that?)
I used the same app password on more than one pi and I have even used 2 different passwords on the same pi, I don't know what the limit is but if you ever run in to it just set up another app password for the same account and use that as well.

I don't actually consider the app password any more secure than the old less secure apps being switched on and a long random character password, which is what I used for all my pi accounts. I also only use the pi accounts on my pi's; that way if they are hacked I can just abandon them and switch to another, but I have never had this problem with long random character passwords.
We want information… information… information........................no information no help
The use of crystal balls & mind reading are not supported

ole_thor
Posts: 5
Joined: Thu Mar 12, 2020 2:43 pm

Re: G-Mail and less secure sign-in technology

Thu Jun 09, 2022 6:03 pm

pcmanbob,
thank you very much for this detailed description.
It resolved my problem as well

ole_thor

marc bcn
Posts: 7
Joined: Fri Sep 19, 2014 10:03 pm

Re: G-Mail and less secure sign-in technology

Sat Jun 18, 2022 4:47 pm

Hello , in your explanation you say that there are 13 characters the new password to put in Python or configuration, but they are 16, no?

Thanks , it works well. Excellent explanation. It resolved my problem as well, with 15 RPI to send mails every day on cron job.

pcmanbob
Posts: 13298
Joined: Fri May 31, 2013 9:28 pm
Location: Mansfield UK

Re: G-Mail and less secure sign-in technology

Sun Jun 19, 2022 9:14 am

marc bcn wrote:
Sat Jun 18, 2022 4:47 pm
Hello , in your explanation you say that there are 13 characters the new password to put in Python or configuration, but they are 16, no?

Thanks , it works well. Excellent explanation. It resolved my problem as well, with 15 RPI to send mails every day on cron job.
Well spotted, there are in fact 16 characters in the app password.

Will amend my explanation.
We want information… information… information........................no information no help
The use of crystal balls & mind reading are not supported
