Copied on 19 Mar 2022 from [here](https://www.bytereef.org/howto/oauth2/getmail.html)

getmail-5.6 XOAUTH2 configuration for gmail

There are situations where one is required to use gmail through G-suite. Some companies lock down their G-suite and only permit XOAUTH2 authentication. Fortunately, getmail has a modular IMAP client, whose excellent design permits plugging in an external XOAUTH2 token generator with minimal effort.

getmail-5.6 ships with the getmail-gmail-xoauth-tokens script that handles access and refresh tokens.

The resulting setup is not more secure than a regular getmailrc with 0600 permissions.

Hoop jumping

Obtain a client_id and a client_secret. Go to https://developers.google.com/identity/protocols/OAuth2InstalledApp and follow the instructions. Now create the gmail.json file. Note that this file will be edited by getmail-gmail-xoauth-tokens in order to update the access and refresh tokens. 


cd ~/.getmail
touch gmail.json
chmod 0600 gmail.json

Edit the contents:

{"scope": "https://mail.google.com/",
 "user": "[email protected]",
 "client_id": "xzy.apps.googleusercontent.com",
 "client_secret": "foo",
 "token_uri": "https://accounts.google.com/o/oauth2/token",
 "auth_uri": "https://accounts.google.com/o/oauth2/auth",
 "redirect_uri": "urn:ietf:wg:oauth:2.0:oob",
 "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs"}

Install getmail 5.6


cd /tmp
wget http://pyropus.ca/software/getmail/old-versions/getmail-5.6.tar.gz
tar xvf getmail-5.6.tar.gz
cd getmail-5.6
python setup.py build
sudo python setup.py install

Update getmailrc


cd ~/.getmail

Edit getmailrc contents:

[retriever]
type = SimpleIMAPSSLRetriever
server = imap.gmail.com
username = [email protected]
use_xoauth2 = True
password_command = ("getmail-gmail-xoauth-tokens", "/home/user/.getmail/gmail.json")

Get the initial access and refresh tokens

This is only necessary once during setup or when a refresh token expires.


getmail-gmail-xoauth-tokens --init /home/user/.getmail/gmail.json

Go to the URL and follow the instructions.

It should now be possible to run getmail non-interactively without any further user input.

Updated: