Old 29 Oct 2019, 09:36 AM   #6
emoore
Essential Contributor
 
Join Date: Apr 2002
Posts: 280
Quote:
Originally Posted by xyzzy
I have always thought that the POP/IMAP/SMTP protocol does not include any identification about which email client is being used. When I look at the exchange log in my Thunderbird I don't see anything that says "I am Thunderbird". Well at least I didn't notice anything.
There is an optional ID extension to the IMAP protocol. I looked in an IMAP log file I created using version 68.0 of Thunderbird and it contains:

ID ("name" "Thunderbird" "version" "68.0")

It sent that to the IMAP server to identify what the email client was. However, I don't think that command is needed for OAuth2 support.

IMAP also supports a CAPABILITY command which a client can send to the server to request what capabilities it supports. It returns various keywords. I believe AUTH=XOAUTH2 is used to identify that the IMAP server supports OAuth2. The email client has to send an AUTHENTICATE XOAUTH2 command that contains an OAuth2 token to the server to log in to the user's account, if the IMAP account is configured to use OAuth2 for authentication.

When you add an email account that uses OAuth2 you get a browser popup that requests you enter your username and password and confirm that you want Thunderbird to be able to access the mailbox. If it succeeds it returns a token, which is saved and used whenever Thunderbird logs you in to that email provider. I assume that if the server is not configured to support Thunderbird, the attempt will fail. If that's true that would prevent any random email client from using OAuth2 with an email provider; they have to get the email provider to register their email client first.

OAuth 2 providers typically issue the developers an identifier for their application and some secret/password. These are used to check if a call was really issued by your application. I'm unsure exactly when they're passed to the server but it's over a secure connection.

The POP3 and SMTP protocols use an AUTH, rather than an AUTHENTICATE command. But I suspect they work basically the same way.

https://developers.google.com/gmail/...auth2-protocol , https://developer.yahoo.com/oauth2/guide/?guccounter=1 and https://stackoverflow.com/questions/...onsumer-secret have more details.
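The ID, CAPABILITY and AUTHENTICATE XOAUTH2 steps discussed in the post above, as an added Python example that is not part of the original post or of Thunderbird's code. It assumes the XOAUTH2 response layout documented by Google (base64 of `user=<user>^Aauth=Bearer <token>^A^A`); the sample lines are constructed and the function names are hypothetical.

```python
import base64
import re

# Constructed sample lines (not from a real session).
CAPABILITY = "* CAPABILITY IMAP4rev1 ID SASL-IR AUTH=XOAUTH2 AUTH=PLAIN"
ID_LINE = 'a1 ID ("name" "Thunderbird" "version" "68.0")'


def auth_mechanisms(capability_line):
    """SASL mechanisms the server advertises as AUTH=<mech> keywords."""
    return {w[5:].upper() for w in capability_line.split()
            if w.upper().startswith("AUTH=")}


def parse_id(line):
    """Field/value pairs of an IMAP ID parameter list (quoted strings only)."""
    m = re.search(r'\bID \((.*)\)', line)
    if not m:
        return {}
    items = re.findall(r'"((?:[^"\\]|\\.)*)"', m.group(1))
    return dict(zip(items[0::2], items[1::2]))


def xoauth2_response(user, access_token):
    """Base64 SASL response: user=<user>^Aauth=Bearer <token>^A^A."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()


def client_lines(tag, user, access_token, capability_line):
    """Lines the client sends to log in, refusing if XOAUTH2 is not offered."""
    if "XOAUTH2" not in auth_mechanisms(capability_line):
        raise ValueError("server does not advertise AUTH=XOAUTH2")
    resp = xoauth2_response(user, access_token)
    if "SASL-IR" in capability_line.upper().split():
        return [f"{tag} AUTHENTICATE XOAUTH2 {resp}"]
    # Without SASL-IR the response goes on its own line after the "+" prompt.
    return [f"{tag} AUTHENTICATE XOAUTH2", resp]


def redact(line):
    """Mask the inline token-bearing argument before a protocol log is shared."""
    return re.sub(r"(AUTHENTICATE XOAUTH2 )\S+", r"\1<redacted>", line)


if __name__ == "__main__":
    print(parse_id(ID_LINE), auth_mechanisms(CAPABILITY))
    for line in client_lines("a2", "user@example.com", "TOKEN-PLACEHOLDER", CAPABILITY):
        print(redact(line))
```

The base64 argument decodes directly to the bearer token, so an IMAP protocol log that contains it should be redacted before it is posted or attached to a bug report.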