12

GMail can used as a SMTP server. I've written the code that does it. But as we all know GMail may occasionally authenticate using captcha (image verification as they call it). The same thing may be the cause to reject SMTP authentication.

As I've seen google shows image verification when you try to log-in for the first time from some machine. All consecutive log-ins from the same machine (to the same account) use regular login. I'm a bit afraid this captcha may also come up again for some other reasons that I can't control.

So. Is it possible to still authenticate when special measures are needed? And how?

I should also mention that logging in from the machine via web browser also enables programmatic SMTP authentication.

Robert Koritnik
  • 103,639
  • 52
  • 277
  • 404
  • Perhaps I've misunderstood, but can you please tell me how to even detect the mail was not sent? In my case, I send "blindly" and pray for CAPTCHA mechanism not to kick in, without any idea whether it did or didn't. (And it happens - **ALOT**) Thanks ! – Boris Milner Feb 05 '14 at 16:21
  • 1
    This question is a bit old, but today I had to deal with something similar. I've wrote an answer to explain how I stept forward with this. Good luck! – laconbass May 05 '15 at 19:28

3 Answers3

13

Try:

http://www.google.com/accounts/DisplayUnlockCaptcha

Or for Google Apps for your domain:

https://www.google.com/a/yourdomain.com/UnlockCaptcha

I can bet it's an IP based solution, so if your app if deployed somewhere else, It doesn't help.

Ben Orozco
  • 4,361
  • 4
  • 33
  • 49
10

Google doesn't seem to be particularly clear about what prompts them to block a user's account until he has successfully entered a captcha phrase. However, it's likely that this is a mechanism which is triggered when Google sees what it considers to be unusual or suspicious activity associated with your account. As a result, I would expect it to be unlikely that they will supply an option to opt out of a mechanism which is protecting both them and you, although others are welcome to find evidence to the contrary.

Various discussions of when and how this happens throw up some suggestions which you might like to try to see if they help, such as choosing a stronger password or simply changing your password. Good luck!

Tim
  • 9,171
  • 33
  • 51
  • For searches, at least, they'll throw up a captcha if anyone from your IP is acting like a robot, and you probably can't control who shares the IP you're behind. So it might not depend on anything you do. – Karl Anderson Oct 22 '09 at 21:55
3

IMHO The right way to do this, without implementing the user consent workflow or "hacking your account's security settings", is obtaining a refresh token with the Google OAuth2.0 Playground for Offline Access. After that, you can authenticate using the OAuth 2.0 API.

I got it working after reading Nodemailer/Gmail - What exactly is a refresh token and how do I get one?

Community
  • 1
  • 1
laconbass
  • 17,080
  • 8
  • 46
  • 54
  • Where you able to use the refresh token directly onto the browser? – Antoine Dussarps Oct 16 '19 at 07:44
  • @AntoineDussarps I can't remember exactly, but what I can remember is sending the token to request an authentication token and after that using the authentication token within the api requests – laconbass Oct 20 '19 at 09:39