There are situations where one is required to use Gmail through G Suite. Some companies lock down their G Suite and only permit XOAUTH2 authentication. Fortunately, getmail has a modular IMAP client, whose excellent design permits plugging in an external XOAUTH2 token generator with minimal effort.
getmail-5.6 ships with the getmail-gmail-xoauth-tokens script that handles access and refresh tokens.
The resulting setup is no more secure than a regular getmailrc with 0600 permissions.
Obtain a client_id and a client_secret. Go to https://developers.google.com/identity/protocols/OAuth2InstalledApp and follow the instructions. Now create the gmail.json file. Note that this file will be edited by getmail-gmail-xoauth-tokens in order to update the access and refresh tokens.
cd ~/.getmail
touch gmail.json
chmod 0600 gmail.json
Edit the contents:
{"scope": "https://mail.google.com/",
"user": "your_account@gmail.com",
"client_id": "xzy.apps.googleusercontent.com",
"client_secret": "foo",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"redirect_uri": "urn:ietf:wg:oauth:2.0:oob",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs"}
cd /tmp
wget http://pyropus.ca/software/getmail/old-versions/getmail-5.6.tar.gz
tar xvf getmail-5.6.tar.gz
cd getmail-5.6
python setup.py build
sudo python setup.py install
cd ~/.getmail
Edit getmailrc contents:
[retriever]
type = SimpleIMAPSSLRetriever
server = imap.gmail.com
username = your_account@gmail.com
use_xoauth2 = True
password_command = ("getmail-gmail-xoauth-tokens", "/home/user/.getmail/gmail.json")
This is only necessary once during setup or when a refresh token expires.
getmail-gmail-xoauth-tokens --init /home/user/.getmail/gmail.json
Go to the URL and follow the instructions.
It should now be possible to run getmail non-interactively without any further user input.
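A check to run before scheduling getmail, added here as an example and not part of the original page or of getmail: it audits the permissions and contents of the gmail.json created above, since that file holds the client secret and the tokens. The function name audit_token_file and the choice to treat the listed keys as required are assumptions of this example.

```python
import json
import os
import stat
import sys

# Keys taken from the gmail.json shown on this page; treating them as
# required is an assumption of this example, not documented getmail behaviour.
REQUIRED_KEYS = ("scope", "user", "client_id", "client_secret",
                 "token_uri", "auth_uri", "redirect_uri")
HTTPS_KEYS = ("token_uri", "auth_uri")


def audit_token_file(path):
    """Return a list of findings for a getmail XOAUTH2 token file."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append("mode %04o grants group/other access, expected 0600" % mode)
    if st.st_uid != os.getuid():
        findings.append("owned by uid %d, not the current user" % st.st_uid)
    # The token script rewrites this file, so a directory that others can
    # write to would let them replace it.
    parent = os.path.dirname(os.path.abspath(path))
    dir_mode = stat.S_IMODE(os.stat(parent).st_mode)
    if dir_mode & 0o022:
        findings.append("parent directory mode %04o is group/other writable" % dir_mode)
    try:
        with open(path) as fh:
            conf = json.load(fh)
    except ValueError as exc:
        return findings + ["invalid JSON: %s" % exc]
    if not isinstance(conf, dict):
        return findings + ["top-level JSON value is not an object"]
    for key in REQUIRED_KEYS:
        if not conf.get(key):
            findings.append("missing or empty key: %s" % key)
    for key in HTTPS_KEYS:
        if conf.get(key) and not str(conf[key]).startswith("https://"):
            findings.append("%s is not an https:// URL" % key)
    return findings


if __name__ == "__main__":
    problems = audit_token_file(sys.argv[1])
    for problem in problems:
        print("FINDING: " + problem)
    sys.exit(1 if problems else 0)
```

Run it with the path to gmail.json as the only argument; a non-zero exit status means at least one finding was printed.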