How to build an IMAP Email client with Elixir?

antfarm · April 6, 2025, 6:55pm

I want to build an IMAP Email client that can connect to Gmail. What library would you suggest?

I tried using Mailroom, but cannot even get it to connect to my account.

iex> {result, client} = Mailroom.IMAP.connect("imap.gmail.com", "me@example.com", "PASSWORD", ssl: true)
{:error, :unable_to_connect}

Any help is appreciated, thanks.

D4no0 · April 6, 2025, 7:00pm

Have you done that successfully with any other imap client?

If you are using gmail, using username/password for authentication is no longer possible:

Starting in January 2025, Google Workspace accounts will no longer support less secure apps, third-party apps or devices that ask you to sign in to your Google Account using only your username and password. For exact dates, visit Google Workspace Updates. To access apps, you must use OAuth. To prepare for this change, review the details in Transition from less secure apps to OAuth.

antfarm · April 7, 2025, 7:21am

Thanks, that must be the issue. I granted “Access to less secure apps” in the Security Settings, though.

Is there an Elixir lIMAP client ibrary that allows for OAuth authentication?

maennchen · April 7, 2025, 7:00pm

I don’t know if there’s a library that already does this, but it should be relatively simple to implement:

Setup an OAuth lib and obtain a token
Adapt the IMAP implementation to support the AUTHENTICATE command instead of the default LOGIN command.

Here’s an example imap implementation in PHP:

github.com/pluginsGLPI/oauthimap

inc/imap/imapoauthprotocol.class.php

5e5cead36


      
          $this->sendRequest(
              'AUTHENTICATE',
              [
                  'XOAUTH2',
                  base64_encode("user={$user}\001auth=Bearer {$token}\001\001"),
              ],
          );

maennchen · April 7, 2025, 7:04pm

(Also see the Google Docs about the AUTHENTICATE command: OAuth 2.0 Mechanism | Gmail | Google for Developers)

D4no0 · April 7, 2025, 7:13pm

The per-requisites that it has nowadays are so disgusting that it might be easier to have your own email server.

maennchen · April 7, 2025, 7:37pm

Doing OAuth2 for Authentication is not such a bad idea for security. Also the AUTH / AUTHENTICATE commands are on the way to a standard (RFC 9051 / RFC 4954).

I agree that this is more complicated than a basic credential login, but it seems reasonable and far from “digusting”.

D4no0 · April 7, 2025, 7:43pm

I am not against hardening of security, but when manual review comes into play, you know there is a bias involved.

Here is the line that worries me:

If your public application uses scopes that permit access to certain user data, it must complete a verification process. If you see unverified app on the screen when testing your application, you must submit a verification request to remove it. Find out more about unverified apps and get answers to frequently asked questions about app verification in the Help Center.

This is the same story as google play apps requires and it will most probably only get worse the next years.