"Someone just used your password to try to sign in to your account from a non-Google app."


I always seem to have problems sending emails to Gmail (and less often an issue with Microsoft 365). I get my customers to switch on Allow 3rd Party Access and it seems to work for a while, then I get a bad credentials error returned or the user gets a “Someone just used your password to try to sign in to your account from a non-Google app.” email from Google.

I went down the MBS using Curl but had even less success than the SecureSMTPSocket.

Does anyone know a reliable way to send emails (with attachments) to the Gmail and Microsoft365 servers (some example projects would be perfect :slight_smile:)?

Thanks very much


did you create an app specific password for that?

Thanks Christian. No, and I’m not even sure what you mean?

See here for App Specific Passwords at Google: Sign in with app passwords - Google Account Help

Thanks Sascha. Oh I see, sorry, this shouldn’t be an issue as 2-step verification isn’t switched ON.

I believe there’s a Gmail account security setting that you can turn off at the account level. I’ve seen this before when trying to use older versions of Outlook with Gmail. I’m not sure if there’s some certificate or something from Google that is needed to be considered a “Google” app. Maybe it happens with modern versions of Outlook as well (I was working with an older version at the time).

So the easiest is to disable that function in the account.

Thanks Jon. Yes, there’s a “Less secure app access” security option which can be turned ON, but that seems to be set as well. What’s annoying (especially for my customers) is the inconsistency.

I know that what I’m about to say isn’t strictly on topic, but I think it’s relevant.

Google are really trying to discourage apps from using SMTP to send messages via Gmail. They really want you to be using OAuth for authentication (with a strictly limited set of scopes) and the Gmail API to actually send emails.

This might not be relevant if you’re not asking customers to hand over their Gmail SMTP details, but wording like “less secure app access” isn’t reassuring for customers. Moving to the Gmail API was a temporary pain for us, but the experience is a lot better for our customers now.

Thanks very much Tom. I think it’s probably the way to go alright - Telling my customers to switch ON Less secure Apps never sat right with me. Could I trouble you for a few pointers on how you approached this? (Anything at all: links, example projects, etc.) as I am not at all familiar with OAuth and Google’s APIs. Thanks again

@Chris O’Brien if you are willing to use a Plugin, take a look at http://www.chilkatsoft.com/refdoc/xojoOAuth2Ref.html (Examples: https://www.example-code.com/xojo/oauth2.asp).

Hi Sascha. Happy to use plugins, if they solve problems for me… I’ll contact you directly through your website to discuss further, if that’s ok?

MBS Xojo CURL Plugin can take the oAuth token if needed.
You put it in OptionXOAuth2Bearer property.
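
What a bearer token becomes on the wire when an SMTP client presents it to Gmail through the SASL XOAUTH2 mechanism, as an added example that is not part of the thread and is not MBS, Chilkat or Xojo code. It is written in Python; the sample address, token and challenge are constructed, and `send_with_token` is a hypothetical helper that assumes the access token was already obtained through an OAuth consent flow.

```python
import base64
import json
import smtplib
import ssl

# Constructed sample of the base64 JSON a server sends with a 334 reply
# when it rejects a token.
SAMPLE_CHALLENGE = base64.b64encode(
    b'{"status":"401","schemes":"bearer","scope":"https://mail.google.com/"}'
).decode("ascii")


def xoauth2_initial_response(user, access_token):
    """Return the base64 SASL XOAUTH2 initial response for AUTH XOAUTH2."""
    for value in (user, access_token):
        # \x01 separates the fields; CR/LF would end the SMTP command early.
        if any(ch in value for ch in "\x01\r\n"):
            raise ValueError("control character in user or token")
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def decode_error_challenge(challenge_b64):
    """Decode the error detail that accompanies a 334 reply."""
    return json.loads(base64.b64decode(challenge_b64))


def send_with_token(user, access_token, msg, host="smtp.gmail.com", port=587):
    """Hypothetical helper: send an EmailMessage with a token, no password."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        # Verify the server certificate before any credential is sent.
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()
        code, resp = smtp.docmd(
            "AUTH", "XOAUTH2 " + xoauth2_initial_response(user, access_token))
        if code == 334:  # rejected: the reply text carries the error JSON
            detail = decode_error_challenge(resp)
            smtp.docmd("")  # an empty line closes the failed exchange
            raise PermissionError(f"XOAUTH2 rejected: {detail}")
        if code != 235:
            raise smtplib.SMTPAuthenticationError(code, resp)
        smtp.send_message(msg)
```

The account password never reaches the application in this exchange, so a rejected or revoked token fails with a decodable reason instead of a bad credentials error.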

Thanks Christian - How does one go about obtaining an oAuth token - Is this something I need to request from Google?

Actually, sorry - Found it on the web Thanks

I am just a user :slight_smile:

@Matt Fausey is the Founder of Chilkat :slight_smile:

[quote=478674:@Sascha S]I am just a user :slight_smile:

@Matt Fausey is the Founder of Chilkat :)[/quote]
:smiley: Spotted that when I received the reply from Matt (I’d say he was scratching his head :-D) - Thanks again Sascha

Given the ubiquity of Gmail use in both companies and by individuals, this is something Xojo should support in the framework IMO.


Our email sending is actually done via PHP so I implemented this via the Google Client Library. That’s probably not helpful for your immediate needs, but please feel free to DM me if there’s anything I can help with.

Thanks Tom. You’re a gentleman

Any CurlMBS examples? Since I have that and used it successfully for a different application. I get lost in the GMAIL developer site with all kinds of info, that doesn’t seem relevant to my use case.

I currently have a Xojo console app implemented as a daemon on a Raspberry PI that monitors some equipment and sends an e-mail using the standard Xojo functions allowing sending of e-mail via SMTP with SSL. Works fine with most servers and also with GMAIL when this awful ‘Less secure’ option is set within the gmail account.
This app is deployed by users who will configure their own credentials and e-mail account. I offer a separate Xojo web app on the raspberry for configuration of the mailbox parameters. Which should be a one time action.

How do I get this implemented via the GMAIL api??? All the credentials you configure on the developer site seem to point to me as a service provider… service credentials and client credentials. And a validation process…

Some time ago I used another oAuth based service (albeit using Python) to get info from and I just accessed a login URL which returned a token to continue the session. This doesn’t seem that straightforward.