python - How to send an email through gmail without enabling 'insecure access'?

Question

Google are pushing us to improve the security of script access to their gmail smtp servers. I have no problem with that. In fact I'm happy to help.

But they're not making it easy. It's all well and good to suggest we Upgrade to a more secure app that uses the most up to date security measures, but that doesn't help me work out how to upgrade bits of code that look like this:

server = smtplib.SMTP("smtp.gmail.com", 587)
server.ehlo()
server.starttls()
server.login(GMAIL_USER, GMAIL_PASSWORD)
server.sendmail(FROM, TO, MESSAGE)
server.close()

Sure, I'll go and turn on "Access for less secure apps", but if anyone has worked out what to replace this code with, I'll be grateful.

Answer 1

This was painful, but I seem to have something going now...

Python3 is not supported (yet)

I don't think it will be too hard to attain, as I was stumbling through converting packages without hitting anything massive: just the usual 2to3 stuff. Yet after a couple of hours I got tired of swimming upstream. At time of writing, I couldn't find a published package for public consumption for Python 3. The python 2 experience was straight-forward (in comparison).

Navigating the Google website is half the battle

No doubt, over time, this will change. Ultimately you need to download a client_secret.json file. You can only (probably) do this setting up stuff via a web browser:

1. You need a google account - either google apps or gmail. So, if you haven't got one, go get one.
2. Get yourself to the developers console
3. Create a new project, and wait 4 or 400 seconds for that to complete.
4. Navigate to API's and Auth -> Credentials
5. Under OAuth select Create New Client ID
6. Choose Installed Application as the application type and Other
7. You should now have a button Download JSON. Do that. It's your client_secret.json—the passwords so to speak

But wait that's not all!

You have to give your application a "Product Name" to avoid some odd errors. (see how much I suffered to give you this ;-)

1. Navigate to API's & auth -> Consent Screen
2. Choose your email
3. Enter a PRODUCT NAME. It doesn't matter what it is. "Foobar" will do fine.
4. Save

Newsflash! Whoa. Now there's even more!

1. Navigate to API's & auth -> APIs -> Gmail API
2. Click the button Enable API

Yay. Now we can update the emailing script.

Python 2

You need to run the script interactively the first time. It will open a web browser on your machine and you'll grant permissions (hit a button). This exercise will save a file to your computer gmail.storage which contains a reusable token.

[I had no luck transferring the token to a machine which has no graphical browser functionality—returns an HTTPError. I tried to get through it via the lynx graphical browser. That also failed because google have set the final "accept" button to "disabled"!? I'll raise another question to jump this hurdle (more grumbling)]

First you need some libraries:

pip install --upgrade google-api-python-client
pip install --upgrade python-gflags

• you need to change the to and from addresses
• make sure you have the client_token.json file whereever the Storage instructions expect it
• the directory needs to be writable so it can save the gmail.storage file

Finally some code:

import base64
import httplib2

from email.mime.text import MIMEText

from apiclient.discovery import build
from oauth2client.client import flow_from_clientsecrets
from oauth2client.file import Storage
from oauth2client.tools import run


# Path to the client_secret.json file downloaded from the Developer Console
CLIENT_SECRET_FILE = 'client_secret.json'

# Check https://developers.google.com/gmail/api/auth/scopes for all available scopes
OAUTH_SCOPE = 'https://www.googleapis.com/auth/gmail.compose'

# Location of the credentials storage file
STORAGE = Storage('gmail.storage')

# Start the OAuth flow to retrieve credentials
flow = flow_from_clientsecrets(CLIENT_SECRET_FILE, scope=OAUTH_SCOPE)
http = httplib2.Http()

# Try to retrieve credentials from storage or run the flow to generate them
credentials = STORAGE.get()
if credentials is None or credentials.invalid:
  credentials = run(flow, STORAGE, http=http)

# Authorize the httplib2.Http object with our credentials
http = credentials.authorize(http)

# Build the Gmail service from discovery
gmail_service = build('gmail', 'v1', http=http)

# create a message to send
message = MIMEText("Message goes here.")
message['to'] = "yourvictim@goes.here"
message['from'] = "you@go.here"
message['subject'] = "your subject goes here"
body = {'raw': base64.b64encode(message.as_string())}

# send it
try:
  message = (gmail_service.users().messages().send(userId="me", body=body).execute())
  print('Message Id: %s' % message['id'])
  print(message)
except Exception as error:
  print('An error occurred: %s' % error)

Hopefully that gets us all started. Not as simple as the old way, but does look a lot less complicated now I can see it in the flesh.