I have a Gmail account that uses POP to download emails from a GWS (Google Workspace) inbox, effectively another Gmail account.

In order for this to work, I had to turn on LSA (Less Secure App) for that GWS account.

Now Google is ending LSA, requiring OAuth going forward.

I see no facility in Gmail to use OAuth for POP access.

Any ideas on how to deal with this or am I SOL? Has Google effectively crippled features between its own services?

PS. I prefer not to use mail forwarding from the GWS inbox to my Gmail inbox. This has SPF drawbacks causing some legit emails to get labeled as spam.

Edit: Leaving this here, it may help someone. I ended up using App Passwords successfully even before @pigrothe responded, the last paragraph being the relevant part. But I waited until after Sept 30 for the LSA sunset to make sure App Passwords still works and indeed it still works, even if discouraged by Google. This is the link for App Passwords.

rvh

1 Answer

I think the POP access can be handled the same way as someone who is using "Send mail as" for another Google address, where OAuth is also unavailable. I just helped a user with this (send mail as) today, because we force-turned off LSAs in our Google Workspace for Education domain and then (as expected) any in-use LSAs started to time out or claim "Authentication Failed. User name and password not accepted."

The solution for the above, which I believe should work for your POP case too, is to:

  1. Enable 2SV (2 Step Verification) in the Security section of your GWS account settings if not enabled already.
  2. With 2SV enabled, you can then create an "Application specific password" (ASP) (also in the Security section); name it "Gmail POP" or something.
  3. Then take the 16-character ASP that's generated and use that in the Password field for the POP configuration, instead of your actual account's password.

My understanding is that even though it's still straight-up username + password configured for the POP connection, it's more secure (or considered more secure by Google) because the password is just for that connection, is therefore of limited utility and access, and does not expose your actual password to your account.

I found this writeup helpful to explain all the steps used for the 'Send mail as' scenario, just adapt to your POP needs.

  1. Enable 2SV on your Google Workspace account: https://connect.ucsb.edu/training-support/connect-user-guides/google-workspace-email/enabling-googles-2-step-verification

  2. Set an app-specific password within your GWS account to enable the send-as from your Gmail account: https://connect.ucsb.edu/training-support/connect-user-guides/google-workspace-email/app-passwords-to-send-mail-as
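
One way to confirm that the generated ASP is accepted over POP before entering it in the Gmail POP configuration, as an added example that is not part of the original answer. The host `pop.gmail.com` on port 995, the stripping of display spaces from the ASP, and the helper names `normalize_asp` and `check_pop_login` are assumptions not stated on this page.

```python
import getpass
import poplib
import ssl

POP_HOST = "pop.gmail.com"  # assumption: Gmail's POP3 endpoint
POP_PORT = 995              # assumption: POP3 over implicit TLS


def normalize_asp(raw):
    """Drop the spaces an ASP is displayed with and check it is 16 characters."""
    asp = "".join(raw.split())
    # Assumption: an ASP is 16 alphanumeric characters once spaces are removed.
    if len(asp) != 16 or not asp.isalnum():
        raise ValueError("expected a 16-character app password")
    return asp


def check_pop_login(user, raw_asp, connect=None):
    """Try a POP3 login with the ASP. Returns (ok, detail); never echoes the secret."""
    asp = normalize_asp(raw_asp)
    if connect is None:
        ctx = ssl.create_default_context()  # verifies the server certificate
        connect = lambda: poplib.POP3_SSL(POP_HOST, POP_PORT, context=ctx, timeout=15)
    conn = connect()
    try:
        conn.user(user)
        conn.pass_(asp)
        count, size = conn.stat()
        return True, f"{count} messages, {size} bytes waiting"
    except poplib.error_proto as exc:
        # Server answered -ERR: wrong ASP, revoked ASP, or POP disabled on the mailbox.
        msg = exc.args[0] if exc.args else b""
        return False, msg.decode(errors="replace") if isinstance(msg, bytes) else str(msg)
    finally:
        try:
            conn.quit()
        except Exception:
            pass  # connection already gone; nothing left to clean up


if __name__ == "__main__":
    address = input("GWS address: ")
    ok, detail = check_pop_login(address, getpass.getpass("App password: "))
    print("login OK:" if ok else "login FAILED:", detail)
```

A failed result after revoking the ASP in the Security section confirms that the revocation took effect for POP.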