How to accept gmail emails without enabling "allow less secure apps". PHPMailer - php

I have a free hosting account at 000webhost. I have configured PHPMailer to send a message to me in the mail as soon as someone fills out the feedback form. Messages do not come if the gmail function allow less secure apps is disabled.
How to accept gmail emails without enabling allow less secure apps. This is my main mail, and I would not like to disable protection on it. It's not here for beauty, is it?) After searching the Internet, I could not find a similar solution. Seems disabling allow less secure apps suits many. So maybe there is a way to make my hosting account trusted?

Ignore the naysayers, this is entirely possible, and it doesn't involve IMAP.
To be clear, the "allow less secure apps" option only applies to sending email from your gmail account. It has nothing to do with you receiving messages from other people, or how they receive messages sent from you.
Gmail (and others) offers an SMTP authentication mechanism called XOAUTH2, which is, as you might expect, based on OAuth 2.0. If you use this mechanism, you do not need to enable "less secure apps". PHPMailer supports this mechanism, and provides [a code example showing you how to use it](https://github.com/PHPMailer/PHPMailer/blob/master/examples/gmail_xoauth.phps). However, that only shows how to use the auth credentials, not how to get them, which, being OAuth, is a confusing and unpleasant experience. Fortunately there is documentation (which should always be the first place you look before asking questions anyway) and an example script that helps you get the tokens you need. I'm not going to reproduce them here because it just makes more work for me as a maintainer.
The approach is broadly:
1. Define an OAuth app within your Google account.
2. Use the supplied script to perform an authentication procedure (requires that you have a functioning HTTP server).
3. Take the credentials from that process and drop them into the PHPMailer sending example.
4. Send email as usual.
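
What the XOAUTH2 mechanism puts on the wire in place of a password, as an added example that is not part of the original answer and is not PHPMailer's own code: it builds the `AUTH XOAUTH2` argument and decodes a failure challenge. The address, token and challenge are constructed placeholders; the access token is a bearer credential that is only base64-encoded, so the SMTP connection must be protected by TLS.

```php
<?php
// Added example: the SASL XOAUTH2 initial client response that an SMTP
// client sends to Gmail instead of a password.
// All values below are constructed placeholders, not real credentials.

/** Build the base64 argument for "AUTH XOAUTH2 <arg>". */
function xoauth2_initial_response(string $user, string $accessToken): string
{
    // Fields are separated by 0x01. Reject control characters so a crafted
    // value cannot inject an extra field or an extra SMTP line.
    foreach ([$user, $accessToken] as $v) {
        if ($v === '' || preg_match('/[\x00-\x1F\x7F]/', $v)) {
            throw new InvalidArgumentException('empty value or control character');
        }
    }
    return base64_encode("user={$user}\x01auth=Bearer {$accessToken}\x01\x01");
}

/** Decode the server's "334 <base64 JSON>" failure challenge, or null. */
function xoauth2_decode_challenge(string $line): ?array
{
    if (!preg_match('/^334 ([A-Za-z0-9+\/=]+)\s*$/', $line, $m)) {
        return null;
    }
    $json = base64_decode($m[1], true);
    $data = $json === false ? null : json_decode($json, true);
    return is_array($data) ? $data : null;
}

$arg = xoauth2_initial_response('someuser@example.com', 'ya29.CONSTRUCTED-TOKEN');
echo "C: AUTH XOAUTH2 {$arg}\n";

// Constructed failure challenge (expired or wrongly scoped token).
$challenge = '334 ' . base64_encode(
    '{"status":"401","schemes":"bearer","scope":"https://mail.google.com/"}'
);
echo "S: {$challenge}\n";

$err = xoauth2_decode_challenge($challenge);
if ($err !== null) {
    // The client then sends an empty line and the server replies with 535.
    echo "auth failed: status={$err['status']} required scope={$err['scope']}\n";
}
```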

Related

PHPMailer using gmail going forward

As of May 30, 2022, Google disabled less secure app access options. I understand that setting a Google Account to allow less secure app access was the key for PHPMailer to send emails via Gmail. I took over the maintenance of a few websites where this PHPMailer/Gmail functionality was used for the 'Contact us' pages.
https://support.google.com/accounts/answer/6010255?hl=en#zippy=%2Cuse-an-app-password
Now that this option is gone - what are the alternative solutions that do not require re-engineering the core functionality for the existing Contact Us pages?
Your first port of call should be to read the docs. You've not needed to use less secure apps for the last 5 years, but lots of people didn't realise that so now there's a frantic rush. In short, App Passwords are the easiest way to go as they don't require you to change your code at all, just update a password.
The quickest solution is to use an apps password. This will require that you have 2FA enabled on your Google account to create the apps password.
The second option is to use Xoauth2 to request authorization of the owner of the account. Then you can send an access token instead of the password.
There is a very good guide to how to set this up here Using Gmail with XOAUTH2
$mail->oauthUserEmail = "<your gmail address>@gmail.com";
$mail->oauthClientId = "237644427849-g8d0pnkd1jh3idcjdbopvkse2hvj0tdp.apps.googleusercontent.com";
$mail->oauthClientSecret = "mklHhrns6eF-qjwuiLpSB4DL";
$mail->oauthRefreshToken = "1/7Jt8_RHX86Pk09VTfQd4O_ZqKbmuV7HpMNz-rqJ4KdQMEudVrK5jSpoR30zcRFq6";
As long as this is a single user app you will not need to apply for verification.

Basic Node.js app on Heroku - free way to send emails?

I am making a basic web app on Heroku and want to be able to send basic emails. I am coming from PHP but trying to write this one in node.js. I am used to PHPMailer. I have a gmail account that I want to send a certain email from every time a certain page is accessed. Nodemailer and postmark all seem to have costs associated - is there a 100% free option that I could use to send from Gmail? Else I may just do this in PHP.
Thank you
Add a POST endpoint to your Node router to submit the data to be used to create a message and use a library with support for SMTP with TLS/SSL security like emailjs to send standard SMTP emails via accounts like Gmail (you will need to enable third party apps in the security settings for the Gmail account). There is likely more than one library option but I am recommending one that I've used for a few years myself:
emailjs Lib for Node
https://www.mailgun.com/ is a service similar to postmark. They provide a simple REST API to send email and their free plan allows you to send 10,000 emails per month. Depending on the volume you want to send, this can be a viable solution for you.

Sending sensitive data using Mandrill or MailGun

I'm developing a web app. One of the required features is sending emails, in this case using mandrill or mailgun, which works pretty fine.
My question is about sensitive data such as passwords, password reset links and other possible stuff... is it secure to do so through a third-party app? Are you used to doing so? Since I'm not a server admin and I don't want to set up a mail server for such things... is that a good and secure option? Or how do you handle that?
Best practice is to treat email as an insecure channel.
Passwords should never be sent via email, password reset links should be one-time use only, etc. Mandrill, Mailgun, and similar services make no promises on data security or compliance.
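
One way to make a reset link one-time use, as an added example that is not part of the original answer: only a hash of the token is stored, the token expires, and it is consumed on first redemption. The `ResetTokens` class, its in-memory store and the `app.example` URL are hypothetical stand-ins for your own table and routes.

```php
<?php
// Added example: single-use, expiring password reset tokens.
// The array store is an in-memory stand-in for a database table (assumption).

final class ResetTokens
{
    /** @var array<string, array{user:int, expires:int}> keyed by SHA-256 of the token */
    private array $store = [];

    public function __construct(private int $ttl = 900) {}

    /** Issue a token. Only its hash is kept; the raw value goes into the emailed link. */
    public function issue(int $userId, ?int $now = null): string
    {
        $now ??= time();
        // One outstanding token per user: a new request invalidates older links.
        $this->store = array_filter($this->store, fn($r) => $r['user'] !== $userId);
        $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
        $this->store[hash('sha256', $token)] = [
            'user' => $userId,
            'expires' => $now + $this->ttl,
        ];
        return $token;
    }

    /** Return the user id and invalidate the token; null if unknown, expired or used. */
    public function redeem(string $token, ?int $now = null): ?int
    {
        $now ??= time();
        // Looking up by hash means a leaked table does not yield usable links
        // and no secret is compared byte by byte.
        $key = hash('sha256', $token);
        if (!isset($this->store[$key])) {
            return null;
        }
        $row = $this->store[$key];
        unset($this->store[$key]); // consume before doing anything else
        return $row['expires'] >= $now ? $row['user'] : null;
    }
}

$tokens = new ResetTokens();
$token = $tokens->issue(42, 1000);
echo 'https://app.example/reset?token=' . $token . "\n"; // hypothetical link
var_dump($tokens->redeem($token, 1500)); // first use of the link
var_dump($tokens->redeem($token, 1500)); // same link replayed
var_dump($tokens->redeem($tokens->issue(42, 1000), 1901)); // used after the TTL
```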

Kerberos ticket cache with PHP

I am trying to get a full Kerberized domain environment configured, and one of the obstacles is webmail. I have scoured the Internet for information about how to do single sign on with Kerberos through webmail, but without definitive results. So now I am going to try and do it on my own.
The point is, while it is easy to authenticate against one service (the webmail frontend in this case) using mod_auth_kerb for Apache, forwarding a ticket to the IMAP/SMTP servers is proving more tricky. From the documentation about Kerberos that I have read it seems to be possible to accomplish this - The client would send a forwardable ticket to the webmail application, and then that server would use delegation to authenticate (as the user) to IMAP/SMTP. However, finding any actual information on existing implementations seems to be fruitless.
In attempting to make my own implementation, one of the first problems that I will face will be getting the ticket for use against the IMAP/SMTP servers. I can think of doing this one of two ways - either a forwardable ticket is stored at the point of authentication to the webmail, or whenever the user tries to send an email/refresh their mailboxes authentication occurs again, but this time no data is stored since it all occurs in one request (and mod_auth_kerb supports saving credentials for the duration of the request).
In going down the storing of credentials route, there are security concerns, scalability concerns and implementation concerns. However, authentication only happens once (whatever benefit that would give).
The reauthentication on refresh/send would be much more secure, since the credentials are only stored for the duration of the request due to mod_auth_kerb, and there should be fewer scalability issues since there will not be many credential caches floating around the place when many people are logged on. However, authentication would happen much more frequently, perhaps causing problems due to higher network load, or the chance that something bad would happen on the client between authenticating and attempting to send an email.
I am leaning towards the second method, simply because the security issues seem quite drastic, however I would like some more opinions - perhaps there is a better way of doing it?
EDIT: Another challenge which I will face is getting GSSAPI working with the PHP IMAP extension. From the material I have read it seems possible to do this one of two ways - either using Cyrus IMAP or using the built in GSSAPI mechanism in PHP IMAP. There is next to no documentation on how to do either method though, so help would be appreciated.

Sending forgot password emails

I am building a service that will have a 'forgot my password' feature. In addition to that, it will also email users when results are ready from my service.
I would like to ensure delivery of my emails so I was looking around to find a service that would let me send emails.
All that I've been able to find so far are services that require a user to opt-in to a list.
In other words, I've been unable to find any that will let me send customized messages to individual users.
I am currently using swiftmailer for php but would really like to find a service to do this... Anyone know of one?
Edit1: It's not that I don't like swiftmailer but more that I want to make sure I do not have my emails end up getting blocked by spam filters. Also, it would be easier to rely on a service that already has the stuff setup that Atwood talked about in that article.
A very low volume solution that I use, and by low volume, I mean under twenty pieces per day, is to set up a Gmail account and send your messages from that account. There are plenty of very simple programmatic solutions for this. Just Google for "php gmail send" and take your pick!
