I'm using web-based gmail as my primary email client. I want to use anoter SMTP server to send emails using secondary email address which is managed by GSuite.
GMail offers "Send emails from a different address or alias" feature[1].
Historically it has been possible to use smtp.gmail.com
with my GSuite credentials to enable
the feature and send emails via my secondary email without problems.
Unfortunately this solution is no longer working properly. It suffers from intermittent "535 5.7.8 Username and Password not accepted." issues. The Internet is full of complains[6][7] with messy answers and without proper solution.
Generally there are two ways how to use smtp.gmail.com
(speaking about the secondary email google account, GSuite in my case):
- your account does not have 2FA
- you use your real login+password
- and you must have enabled "Use less secure apps" under the account security
- your account does have 2FA enabled
- you must generate a new app-specific password
- and you use login+generated password[3][4]
This is causing quite some confusion among users. Anyways, I tested both methods and both are subject of this issue.
(this is my speculation)
Gmail web-interface uses some backend services to send emails. This is probably some google's cloud so it is not one but many machines in the cloud. When you add a new email via "Send emails from a different address or alias" gmail immediatelly performs a test of the connection and then has to store the credentials for later use.
Note that smtp.gmail.com
is another independent service running in the cloud,
not related to the "Send emails from a different address or alias" feature of gmail.
(smtp.gmail.com
may be used by any 3rd party app to send emails via google).
Recently (probaly around April 2020) Google likely deployed more security hardening of smtp.gmail.com
.
Imagine a more strict black list for abusing computers. So smtp.gmail.com
might refuse to communicate with a banned IP.
The likely root of the problem is that Google's own computers providing "Send emails from a different address or alias"
feature of gmail might get banned.
This would exaplain the random behaviour of the issue:
- assume Gmail web-interface uses 10 backend computers: C0, C1, C2, ..., C9 to implement the "Send emails from a different address or alias" feature
- assume none of them is currently banned by
smtp.gmail.com
- your web interface is assigned to work with C0.
- you are able to setup "Send emails from a different address or alias" with your GSuite login+password, no problem in validating your credentials
- later some bad actor using gmail web interface behaves in a way which triggers
smtp.gmai.com
ban, say it happened to be C0 machine - later when you try to send an email via gmail web interface, it uses C0, and you get "535 5.7.8 Username and Password not accepted." response back [5]
- then you go into gmail settings and try to re-enter your password, you will get back "Authentication failed. Please check your username/password and Less Secure Apps...". This leads to a great confusion because your username/password are 100% correct. And you have no idea what "Less Secure Apps" mean, because you already have 2FA enabled, so this option is nowhere to be found. You try to google for some explanation and there is no clear answer. Only partially correct historical pages describing various stages how it worked in the past or confusing pages not related to the issue.
- anyways, C0 ban is somehow time-limited. So it is possible that during next 24h or so, it starts working again. Or there is a chance your gmail client starts using a different backend computer, say C1 because of rotation.
- so the feature now started working again...
- ...until it stops again - because some other backend computer got banned and your gmail web client happened to be using it.
This also explains why some people on the forums claim they solved the issue by enabling 2FA, or doing some captcha woodoo with Less Security Apps setting, or by removing and re-adding the email account in "Send emails from a different address or alias" settings.
It was a pure luck or they managed to trigger reassigning of their backend computer, so they luckily got assigned a non-banned machine.
[1] https://support.google.com/mail/answer/22370?hl=en
[3] https://support.google.com/domains/answer/9437157?hl=en
[4]: note that the option to "Use less secure apps" is not available with 2FA enabled
[5]: note that technically there is no problem in the login/password, the problem is that C0 is banned and smtp.gmail.com refused to talk to it
[6] https://support.google.com/accounts/thread/4520575?hl=en
[7] https://support.google.com/mail/thread/40210887?hl=en
It worked for me!
I created the key in the menu account and instead of using my password I used the generated key to authorize my application!!
Thanks bro!! 👍
This is how I defined my application.yml in spring boot: