Integrating with Gmail using OAuth
JEMH Cloud allows users to connect with Gmail using OAuth. The generated authentication token is used to secure the SMTP and IMAP connections from JEMHC to your Gmail mailbox.
Whitelisting JEMH Cloud
Personal Google email accounts are not supported.
G Suite domain administrators must whitelist the JEMHC application for it to be usable for OAuth with your Gmail domain. If whitelisting and/or app access is not granted to the account through which OAuth is occurring, the authorization will likely fail due to ‘development’ limits being reached.
Controlling G Suite data for apps
https://support.google.com/a/answer/7281227?hl=en
Note that Domain Admins can limit what Applications individual users can use, i.e., for JEMHC usage only the mailbox user accounts need to have access to JEMHC.
Get your G Suite domain administrator to follow along:
Navigate to App Access Control:
Click Add app, and search for JEMHC, select it and hit Add:
Add a filter, type JEMHC to see JEMHC listed:
Want to limit IMAP connectivity to a specific mail client app?
Sign in to the Google Admin console.
Go to Menu > Apps > Google Workspace > Gmail > End User Access and edit.
Ensure “Enable IMAP access for all users” is set. To limit the mail clients that can use IMAP in your domain, get the app ID (shown above) and reference it in “Restrict which mail clients users can use (OAuth mail clients only)”:
You can find the list of allowed apps again through Menu > Security > Access and data control > API controls > Manage App Access.
Creating Message Source by Signing in with Google
Go to JEMHCloud > Messaging > Message Sources > Click Sign in with Google.
This will take you to the Google confirmation screen.
Select the account you wish to authenticate and allow JEMHC access to your support email account.
Once accepted, close the tab and go back to JEMH Cloud.
You will then see a new message source which is connected to the Gmail account.
Create Message Source IMAP to Gmail using OAuth
Go to JEMH Cloud > Messaging > Message Sources > Click the Create button.
In the Create Message Source screen enter a Name and select the Type IMAP GMAIL OAuth
Click on the Authorize link. This will take you to the Google confirmation screen.
Select the account you want to authorize and allow JEMHC the access to your support email account.
Once accepted, close the tab and go back to JEMH Cloud.
The Message Source should appear authorized. The Username should be automatically filled. If not, enter the same email address as the selected account.
Submit the configuration. Once the configuration is tested, the connection will be created.
Create Message Outbound SMTP to Gmail using OAuth
Go to JEMH Cloud → Messaging → Message Outbounds → Click the Create button.
In the Create Message Source screen enter a Name and select the Type SMTP GMAIL OAuth
Click on the Authorize link. This will take you to the Google confirmation screen.
Select the email account that you want JEMHC to be able to access.
Once accepted, close the tab and go back to JEMH Cloud.
The Message Outbound should appear authorised. The Username should be automatically filled. If not, enter the same email address as the selected account.
Submit the configuration. Once the configuration is tested, the connection will be created.
Enabling IMAP for only specific OAuth mail clients (i.e. not all users)
Google admins can enable or disable IMAP. If it is disabled for security, admins can selectively enable it just for specific mail clients authorized with OAuth. The mail client ID required is the JEMHC ‘app ID’ that was created when registering JEMHC with your domain.
https://knowledge.workspace.google.com/admin/sync/turn-pop-and-imap-on-or-off-for-users
Video showing how to find mail client IDs.
Troubleshooting
Why re-authorization is required
See Refresh token expiry for more reasons:
The user has revoked your app's access.
The refresh token has not been used for six months.
The user changed passwords and the refresh token contains Gmail scopes.
The user account has exceeded a maximum number of granted (live) refresh tokens.
If an admin set any of the services requested in your app's scopes to Restricted (the error is admin_policy_enforced).
For Google Cloud Platform APIs - the session length set by the admin could have been exceeded.
Denied authorization
During OAuth ‘authorization’ it's possible to get denied (below). Typically this means that the account used is not a G Suite account (apps that have not gone through Verification for public use are disabled for ‘free’ accounts). To resolve this, create an ‘incognito’ browser session, log in only to Jira, then follow the authorization flow.
Outbound mail being added as inbound mail
It appears that when a filter is configured to stop mail from going to spam, it also adds Sent mail to the Inbox, which causes that email to be seen as inbound mail. To solve this, either remove the filter or modify it so that it does not match the address used for Outbound emails.
Note: This only applies if you are using the same Gmail mail server for Inbound and Outbound Mail processing.
For more info see: https://thepluginpeople.atlassian.net/wiki/spaces/KB/pages/3930390542
Access disabled for domain
If your domain administrator has disabled IMAP access for the domain then you may see an error message similar to this:
Can't read messages from message source. AuthenticationFailedException: [ALERT] IMAP access is disabled for this mail client for your domain. Please contact your domain administrator for questions about this feature.
Your domain administrator will need to modify “End User Access” - see further up this page for more information. Specifically, enable IMAP access in order for the connection to the mailbox to succeed. Once access is enabled, it should take around a minute for the change to take effect.
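The failures described under "Why re-authorization is required" and "Access disabled for domain" need action from different people, so a log triage like the following can route them. This is an added example, not JEMHC code: the log layout and the `source=` field are hypothetical, the sample lines are constructed, and `invalid_grant` is the standard OAuth 2.0 (RFC 6749) error code rather than something quoted on this page.

```python
import json
import re

# Constructed sample lines; the "source=" log layout is hypothetical, not JEMHC's.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z source=support AuthenticationFailedException: [ALERT] "
    "IMAP access is disabled for this mail client for your domain.",
    '2024-05-01T10:05:00Z source=support refresh failed: {"error": "invalid_grant"}',
    '2024-05-01T10:06:00Z source=sales refresh failed: {"error": "admin_policy_enforced"}',
    "2024-05-01T10:07:00Z source=sales connection timed out",
]

# OAuth error code -> (who must act, what to do).
OAUTH_ERRORS = {
    # Error named on this page: a requested service is set to Restricted.
    "admin_policy_enforced": ("domain-admin", "review Restricted services in API controls"),
    # RFC 6749 code for a refresh token that is revoked, expired or otherwise invalid.
    "invalid_grant": ("mailbox-user", "re-authorize the connection in JEMHC"),
}


def classify(line):
    """Return (owner, action) for one log line."""
    match = re.search(r"\{.*\}", line)  # OAuth errors arrive as a JSON object
    if match:
        try:
            code = str(json.loads(match.group(0)).get("error"))
        except json.JSONDecodeError:
            code = None  # braces that are not JSON: fall through to text checks
        if code in OAUTH_ERRORS:
            return OAUTH_ERRORS[code]
    if "IMAP access is disabled" in line:
        return ("domain-admin", "enable IMAP in End User Access")
    return ("unknown", "inspect manually")


def triage(lines):
    """Group the affected connection names by the party who has to act."""
    todo = {}
    for line in lines:
        owner, action = classify(line)
        name = re.search(r"source=(\S+)", line)
        todo.setdefault(owner, set()).add((name.group(1) if name else "?", action))
    return todo


if __name__ == "__main__":
    for owner, items in sorted(triage(SAMPLE_LOG).items()):
        print(owner, sorted(items))
```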