I have a couple of macs (sharing keychains via iCloud) and a few iOS devices (also sharing keychains via iCloud). For one reason or another on ONE of my Macs all the gmail accounts (5 of them - which all have 2fa) stopped working (server offline problem reported and the little broken connection icon appearing in Apple Mail). These are accounts and settings that haven't moved for years and have worked throughout mac upgrades/migrations etc etc. But something changed very recently and very badly.
Running Connection Doctor (and doing some tcpdump'ing to make sure that was all OK) and looking at the SMTP messages between the broken Mac and the Gmail servers, the problem was being flagged on a 501 error line: 5.5.2 Cannot Decode response
I re-checked all of the smtp settings (username @gmail.com, trying the different ports, and playing around using different authentication schemes), dug into keychain to see if there was anything odd going on there, and differences between the keychains on the two macs, ... all to no avail. In particular one odd thing was going on, re-entering the app specific password in the SMTP connections, and setting the account name to be @gmail.com looked fine to start with, then a few seconds later the SMTP server connection would go offline, and re-opening the SMTP settings panel showed a blank password again. Try as I might I could not get a password to 'stick' in that box and remain there.
In a fit of desperation, I just removed all the google accounts on the broken mac using system preferences->Internet accounts, watched them disappear on the second mac (so iCloud sync'd up), and then re-installed them on the broken mac from scratch by re-entering them into the internet accounts system prefs panel, and again watched them re-appear on the second mac. Still no joy. Same problem, they worked on one mac, but still not on the broken mac. The password in the SMTP connection settings was simply not being recorded correctly, or there was some odd clash going on between keychain and apple mail.
So again, I removed all the accounts using the system preferences internet accounts panel. But before reinstalling them I removed all of the gmail keychain entries using keychain access (in your utilities folder if you are following along at home) - note that removing the gmail accounts from the internet accounts panel does not clear out the keychain entries (which appears to be one of the confusing things here - you have to go and do that yourself). Then I re-installed the accounts through the internet accounts panel yet again (using 2fa from an authenticator app, and ticking the box saying don't ask for codes on this device again) and waited for them to sync to the second mac. Then on the second mac I went into internet accounts, visited each newly installed gmail account and authenticated again on the second mac using the same 2fa process as on the first.
And suddenly everything was well again. HOWEVER... a couple of odd things to note:
1) The usernames in the Apple Mail preferences -> accounts for those connections are NOT postfixed with @gmail.com in the SMTP settings
2) the password fields are blank
3) I left the 'manage these accounts for me' tick box TICKED (against my better judgement) in both the inbound and outbound settings for each account
4) in keychain there are now OAuth records and expiry dates for the Gmail accounts (they may have been there before but I don't remember seeing them)
5) I AT NO POINT have used any app specific passwords, just my main account passwords and the 2fa sequence (this is ONLY true on OS X, not on iOS - I've not had a problem on iOS and always used app specific passwords)
As a test, just to see if I was going insane, I went into the SMTP settings for one of the accounts via Apple Mail and manually set the password for the outbound connection to the app specific password for that account and set the @gmail.com on the end of the username. It broke. Offline. Straight away.
Also worthy of note is ONE of my accounts is a google apps account rather than simple gmail account. That one HAS to have the @mydomain.com and the app specific password in it in the Apple Mail SMTP connections tab - it doesn't send if you don't (but it will happily receive).
I *think* what is going on is that for GMAIL only (NOT GOOGLE APPS) something has changed to use 2fa properly, and that the OAuth record is being stored in keychain correctly. If you go in via Apple Mail and do what you always used to do (set up the app specific password and the full username, turn off manage my account, and generally mess about), then it breaks the OAuth link and you end up in a world of pain and with multiple keychain entries that get duplicated and generally ignored.
So, the fix for me (in simple terms) if you are seeing gmail accounts go offline in apple mail on OS X recently:
1) Remove all your Gmail accounts using system preferences->internet accounts
2) Open up keychain access (utilities folder) and clear out any gmail entries in there (be careful in there and delete the right things, select all, search for gmail, and check the top white area of keychain access to make sure you are deleting something that is for google mail - there are multiple entries for each gmail account - just zap them all)
3) Add back in your Gmail accounts using system preferences->internet accounts - if you are using 2fa then tick the little box saying don't ask for codes on this mac and enter your code (auth app or text) - and I also tweak the Details section if you have multiple accounts to give each a better name than 'Google' (you can also do this later in Apple Mail -> Preferences -> Accounts in the description field as well - I did but I'm not sure if that was if I was being impatient waiting for it to sync that bit of info)
4) wait for it to sync (go have a cup of coffee)
5) Open up mail and try out your accounts - if something (one of the accounts) isn't working then chances are you didn't zap a keychain entry for that account entirely (there are multiple keychain entries per account)
6) DO NOT be tempted to open up the SMTP settings and mess around with them in Apple Mail - that way leads to madness (despite it being the right place to go and play, it just seems to not be 'working' well with setting up gmail accounts via the system preferences route) - take a deep breath and live with the fact that Apple Mail can manage those accounts.
If you have a google apps account then you will need to go back into the Apple Mail preferences->accounts and set up @yourdomain.com and your app specific password in the outbound SMTP settings.
I am assuming that this is because something has 'improved' in the way OS X handles internet accounts 2fa for google, but apple mail hasn't caught up yet... if you are reading this in a few months time your mileage may vary!
Hope that helps
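A way to check steps 2 and 5 (that no Gmail keychain entry survived the clean-out) without eyeballing Keychain Access, as an added example that is not part of the original post. It parses the text that `security dump-keychain` prints and lists every entry mentioning Gmail or Google. It assumes the entries live in a file-based keychain that the tool can dump, and the sample dump and all names in it are constructed.

```python
import re

# Constructed sample in the layout printed by `security dump-keychain`
# (without -d, so no secrets). Every account and service name is made up.
SAMPLE_DUMP = '''\
keychain: "/Users/example/Library/Keychains/login.keychain-db"
class: "inet"
attributes:
    0x00000007 <blob>="imap.gmail.com"
    "acct"<blob>="alice@gmail.com"
    "srvr"<blob>="imap.gmail.com"
keychain: "/Users/example/Library/Keychains/login.keychain-db"
class: "inet"
attributes:
    "acct"<blob>="alice"
    "srvr"<blob>="smtp.gmail.com"
keychain: "/Users/example/Library/Keychains/login.keychain-db"
class: "genp"
attributes:
    "acct"<blob>="alice@gmail.com"
    "svce"<blob>="example.Google.oauth-token"
keychain: "/Users/example/Library/Keychains/login.keychain-db"
class: "inet"
attributes:
    "acct"<blob>="bob"
    "srvr"<blob>="mail.example.org"
'''

ATTR = re.compile(r'^\s+"?(\w+)"?\s*<\w+>=(?:"(.*)"|<NULL>)\s*$')

def parse_items(dump):
    """Split the dump into one dict of attributes per keychain item."""
    items = []
    for line in dump.splitlines():
        if line.startswith("keychain:"):      # each item begins with this line
            items.append({})
        elif items and line.startswith("class:"):
            items[-1]["class"] = line.split(":", 1)[1].strip().strip('"')
        elif items and (m := ATTR.match(line)):
            items[-1][m.group(1)] = m.group(2)
    return items

def gmail_leftovers(dump, needles=("gmail", "google")):
    """Return (class, server or service, account) for entries mentioning Gmail."""
    hits = []
    for item in parse_items(dump):
        text = " ".join(v for v in item.values() if v).lower()
        if any(n in text for n in needles):
            hits.append((item.get("class"), item.get("srvr") or item.get("svce"), item.get("acct")))
    return hits
```

On a real machine, save the output of `security dump-keychain` to a file and pass its contents to `gmail_leftovers`; an empty list after step 2 means nothing was left behind in that keychain.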