Dave’s Musings

Thursday, 14 May 2020

GSuite and Families

History

Way back, in the dim dark ages of last decade, a company that had been around for a few years advertised a new way for families to connect together on the Internet.

They called it Google Apps.

If you follow the link above (courtesy the Wayback Machine), you'll see this image with a link to follow:

This is what I clicked on way back in early 2008, and after reading what it was offering:

I was sold. Especially when I was told that Thousands of families and groups have already powered up using these services. Why wouldn't you? Oh, and it was free. Totally. So, I signed up. Got a custom domain and away we went. The family started using it. They loved having our family name as an email address. Calendars could be shared so we all knew what everyone else was doing. And so on. We were set! Or, so we thought ...

Fast-forward a few years, Google Apps changed. Became more ... “business”-orientated. In 2011, the free version was retired for more than 10 users, and ‘upgraded’ to Google Apps for Business. Later on, in 2012, the free version of Google Apps was retired completely. In 2016, Google Apps became GSuite, and that name has remained since then.

All through this time, those of us with the Free Google Apps had retained our free status. “Grandfathered” was the term used, and basically it meant we were upgraded to GSuite with some limitations. But it worked.

The problems started when we tried to use our Google Apps accounts with products outside of the Apps family. Things like Google Reader (remember that?), YouTube and others required a Google Account which us poor unfortunates soon found out was not a Google Apps account. They were two completely different things. So we had the bizarre situation where some of Google’s products used our Google Apps account, while others used a (totally separate) Google Account (which just happened to have the same email address). Confused? Imagine living it.

So, in 2010, Google automatically transitioned all Google Apps accounts to (and I quote) “work more like a full Google Account”. This introduced a whole other situation, where when we signed in to a service using our email address, we now had to choose between our “new” almost-full account, or pick the existing full Google Account (which now did not have our email address, but instead a weird one like user%domain@gtempaccount.com, which then had to be transitioned to a new email address (not the Google Apps one).

Still with me? Just to recap, those of us who signed up for Google Apps for our families now have

GSuite Legacy Free Edition (which we can upgrade to a full business account—if we want)
Access to almost everything that requires a “full Google Account” (more on this below)
Subscriptions to other Google services that are no longer tied to our email address but to another account

So, what’s the issue?

The Issue

The issue is that our accounts are not “full” Google Accounts, they are now treated as if they were business accounts. Which has some really, really annoying side-effects:

I can’t sign up for the family package of Google Music. Or YouTube Music, as it will be soon. I can’t do this as Google says I have a business account, and this product is unavailable for Gsuite accounts.
I can’t create a Home for my Chromecast devices then share them with the family. My Gsuite account is a business account, and will not allow me to invite anyone else to the Home. As such, I’m the only one able to fully-control the Chromecasts.
In fact, anything on Google Families is out-of-bounds, as my domain is classified as “business”.

This, quite frankly, is appalling. We signed up for Google Apps specifically to keep our family together and connected using a custom domain, and Google’s advertising were key to making that decision. Now we are locked in to the Google infrastructure, we are now specifically denied access to the Family-friendly parts of Google!

There are workarounds out there (create a “real” Google Account for each family member that they use to sign in to services, but keep the Gsuite account for everything else) but that becomes unwieldy far too quickly. What needs to happen (and happen soon!) is for Google to allow GSuite accounts that are simply family groups (and have been Grandfathered thus far) to access their services like a full Google Account.

I’m picking the number of these legacy accounts is fairly small, compared to the paying customers that have subscribed to GSuite since it became a paid service. Surely these domains could just be flagged in some way, and allow us to access the rest of the Google services. I am just so glad I never “upgraded” to a full GSuite account, as I would then be paying for something that did not allow me to connect with my family in the way a free Google Account would!

On the other hand, I would be prepared to pay for having my custom domain in Gmail if all the accounts I was paying for were given the same rights as a standard Gmail account. Then I could have my family group, and our custom email addresses, and everything would just ... “work”.

Whatever, it needs addressed and fixed. Sooner rather than later. You can’t tell me that there is no way of doing this!

Thursday, 19 September 2019

PGP and Gmail

Now that I have Thunderbird as my main email client (see my previous post), I started thinking about PGP.

Now, why would I be doing this?

At work, we received this memo from the Ministry of Education:

Some schools have recently received phishing emails with requests to change employees’ bank accounts, pay invoices or purchase gift cards. The email will appear to come from a known sender’s email address, such as the principal of the school, but the reply address may be a public email such as gmail or yahoo. You may then receive an apparent email confirmation. Phishing emails lure victims into disclosing sensitive information, releasing money or installing malware. They appear to be from a legitimate source and often request the recipient to click on a link or provide additional information. These types of scam emails are often difficult to spot as they appear to be coming from someone you know.

Which got me thinking, how do my recipients know that the email that purports to come from me ... actually is from me?

Which, of course, got me on to PGP. Basically, I wanted to be able to send emails using a PGP signature so that recipients would know it's from me. Then, if any spam arrives looking like it's from me, my contacts would know it's not.

Using Thunderbird, this is very easy. I installed an add-on called Enigmail, which is absolutely brilliant. It allows you to create your keys, publish the public ones to key servers, and encrypt and/or digitally sign your emails.

Which is all well and good, but I also access my mail through the Gmail web interface, and the Gmail Android app. What I wanted was a seamless workflow, so that all email that I send or receive that is encrypted can be decrypted anywhere.

What I've settled on (after much testing!) is FlowCrypt.This comes as a web extension for both Chrome and Firefox, and as a stand-alone mail app for Android. This allows me to use TB as my main email app, but also gives me the freedom to be off the laptop and still able to access and send encrypted email. The setup was fairly straightforward, as I was able to export my keys from Enigmail and import them into FlowCrypt.

The last app I installed was OpenKeychain. This is a stand-alone encryption/decryption app which I can use without having to be writing an email. I can encode text or files and email them without any hassle. It also decrypts the PDP attachments in the Gmail app by simply clicking on them, which is nice.

The next step, of course, is to get my colleagues and other email contacts to start using PGP. That will be the real challenge ...

Friday, 23 August 2019

Thunderbird (yes, an Email Client in 2019)

Over the last couple of weeks I've been working on getting Thunderbird working with my Gmail. Why? Well, I realised that I had reached a point after using Google Apps (now GSuite) for over 10 years, I had totally moved to living in the cloud. Which, in terms of actually doing stuff, is fantastic. But what if ... what if Google servers died? What if the cable coming into New Zealand was chopped and we lost our international internet feed? What if I wanted offline backups of everything?

I've been using Insync on Linux for a number of years now to do exactly that, mirror my Google Drive onto my laptop and automatically converting the docs into something that a "real" app can read (it was OpenDocument, it's now MSOffice for reasons I'll go into in another post). And that works well. Whenever I backup my laptop, all my Google Drive gets backed up to.

But what about my emails?

Years ago (before July 2008) I was using Thunderbird as my email client. It was open source, worked well, and more importantly was cross-platform. So I've decided to use Thunderbird as my email client once more, mainly to have a backup of my Gmail "somewhere sensible".

On the way, I've come across a number of different ways of doing this, and I've taken what I thought was the best of a few different ideas, and put them together for a way that works well for me. Hopefully, this will help some people out there too.

What's wrong with the defaults?

There are a few things "wrong" with the default way both Gmail and Thunderbird are set up by default to work together. Here are the things that annoyed me:

Deleting emails in Thunderbird didn't delete them. I only found this out after trying to work out why my "All Mail" folder wasn't losing messages when I deleted them. In Thunderbird, using the defaults means deleting is the same as "remove all labels and archive".
Using All Mail caused duplicate messages in conversation view. After using Gmail's conversation view for years, I still want to. But having All Mail there just makes it unnecessarily convoluted when Thunderbird displays the conversation.
Sending or replying to mail made conversations broken. I'm so used to having the whole thread together, it was annoying to have to keep opening messaging in "Conversation View" to view my replies.

So, here goes what I did, and the rationale behind each step. This took a number of goes to get right, so hopefully I can save some people some time. My aim is to try and get Thunderbird to mirror the way Gmail works, so I can switch between the web interface and Thunderbird without changing my workflow. Here goes ...

Configure Gmail

IMAP

I started by turning on the IMAP setting in Gmail. This allows me to use Thunderbird in the same was as the Android app, and anything I do on the web is mirrored in TB. A couple of things while we're here:

I left the Auto-expunge option on. As detailed later, I configure TB to delete messages when I delete them (!), so this makes no difference.
Once IMAP is on, head to Settings > Labels, and untick "All Mail" and "Sent". I left everything else on. (All Mail ends up copying all the emails twice, once for the labeled messages in folders and once for All Mail. Annoying.)
Make a couple of new labels: "Archive" and "My Sent Mail" (you'll see why soon). Make sure the IMAP option is ticked for all the labels you want to see in TB.

Labelling Messages

Now that's all done, we can get on with the "real" work.

If you're like me, you have thousands of messages just ... "there". No labels, just there waiting to be searched for. To get all these messages into TB, we need to give them all labels. Happily, there is a quick search that will allow us to do this fairly easily.

However, first we need to turn off conversation mode in Gmail (in the settings). We want to label individual unlabeled emails with a label so TB can find them.

Once you've done that, enter the following search into Gmail:

-has:userlabels -in:inbox -from:me -in:chats

This will find all email that you have received that does not already have a label. Now click on the "select all" checkbox, then click on "select all conversations that match this search", then label all of these with "Archive".

We now have to do the same with the Sent mail. The search this time is

in:sent -has:userlabels -in:inbox

Same as before, select all the messages, then apply the label "My Sent Mail".

Phew! That's all done now, time to hit TB ...

Configure Thunderbird

The first thing we need to do is to add the Gmail IMAP account to TB. The wizard worked well for me, even though I have a GSuite custom domain email. It obviously queries the MX records and found the Gmail servers, so let me set it up as a Gmail IMAP account.

Once that's done, there are quite a few changes to make from the defaults.

Subscriptions

I found the first thing to do is to check that the TB account is "subscribed" to folder changes. Right-click on the account in the folder pane, and follow your nose from there.

Account Settings

Right, here is where my trial-and-error went. I'll do each option in the settings window separately...

Other than adding my standard signature here, I didn't change any of these settings.

What I did change on the server settings was to move the message to the Bin (Trash) when it was deleted. This is immediate, and ensures that mail is always deleted when I delete it.

I did try with the Auto-expunge options and have this set to "just mark it as deleted", but I always either had email simply archived, or left set as "deleted" and never ... deleted. This way works. (Also, since the Bin is being synced, I can also go there and un-delete email.)

Here is where my main changes were made.

The default is to have TB do nothing with sent mail. This is because Gmail will always give any mail you send the "Sent" status, so it appears in the Sent label. If you have that syncing, it will come back to TB, right?

Well ... sort of. The problems I was having were related to the fact I wanted the whole conversation together in TB. If I selected the "place replies in folder" option, I would sometimes have just one copy of my sent email in a conversation ... but sometimes, two. Which was annoying, to my mild OCD.

Also ... if I moved a message out of Sent into (say) the Inbox, it "lost" the Sent status in Gmail. Moving it back into Sent did not give it back it's sent status, so it was lost from the sent view in Gmail. Annoying.

My solution was to ignore Gmail's Sent folder completely. I basically give every Sent emal a label ("My Sent Mail"), which means TB knows where the copy is to go, and it still ends up as a labeled message in Gmail's Sent view. Same with replies that are moved into the same folder as the message. It works well for me.

Since I am not syncing "All Mail", Archived messages have to "go" somewhere else, hence the "Archived" label I created in Gmail.

I just left Draft and Templates as their default settings.

Last (but by no means least), make sure the mail is actually being copied to your computer!

Allow to Sync

I'd do this, then let TB spend some time sucking the mail across. In my own experience, trying to do too much while TB is syncing the mail makes it run slooow.

My workflow is as follows now:

I can read, reply to and send new emails in TB. Emails that are read in TB are marked read in Gmail. Deleted emails end up in the Bin in Gmail, replies and new emails appear in Sent on Gmail as well as under the appropriate labels.
Working from the web, I just have to ensure that any new emails I send have a label on them before I send (otherwise they never get imported into TB).

And now all my email is backed up onto my computer! I must confess, I'm enjoying using an email client again for emails, it means I'm focused on replying to emails and not surfing at the same time!