Reasonably secure email sending functionality

Question

0.00/5 (No votes)

See more:

We are developing a desktop app and want to add email sending functionality from within. The problem we now have is that the old smtp libraries are no longer entirely adequate since providers like gmail now call them 'applications that do not meet modern security standards'. They still allow you to enable less secure apps to access your email account, but the user is no doubt going to be put off by this and we want to avoid that. On the other hand, the OAUTH 2 protocol that seems to prevail requires consumer key and security to be provided by the email provider and we cannot surely collect these from every provider that our users may subscribe with.

My question is: What is the standard approach these days to email sending from within desktop applications? Can we just use good old TLS and live with the potential consequences? Surely there are loads of applications that do not implement oauth - every fax machine, photocopier or printer can send emails, it seems quite doubtful to me that they use OAUTH.

What I have tried:

I have tried to look around to see what others are doing and found this, but it's not quite definitive.

https://bugzilla.mozilla.org/show_bug.cgi?id=849540

Posted 21-Apr-16 1:09am

Shant Nercessian

Updated 21-Apr-16 1:22am

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

F-ES Sitecore · Answer 1 · 2016-04-21T01:22:00

Solution 1

The problem you are having is simply a common misconception. Sending email and receiving email are not connected in any way, shape or form. Email clients (both desktop and web) give the impression that they are connected but they're not.

If you are dealing with sending email than you don't have to send through the "in box" provider's smtp servers, or their general services, you can send any email from any address through a properly configured smtp server. If your site is hosted then the web host more than likely has such an smtp server for you to use.

Things you shouldn't spend time doing | The ASP.NET Forums[^]

Posted 21-Apr-16 1:22am

F-ES Sitecore

Comments

Shant Nercessian 21-Apr-16 7:44am

Hello again,

Many thanks for this! I appreciate it.

If I may:
1. Does that mean that I should not bother with OAUTH at all (noting that gmail is not the only email provider that uses OAUTH - at least as far as I know)? If so, how does this affect the security of my desktop app since the app will still need to send login details/password to the smtp server so as to send the mail?

2. Another twist is that, the app we're developing will give freedom to the user of the app to determine which email account she/he uses to send emails. So he/she will decide what smtp server to use (e.g. gmail or not).

Thanks once more!

F-ES Sitecore 21-Apr-16 7:58am

Sending mail has no security...it is a non-secure protocol which is why there is such a problem with spam. Some SMTP servers ask you to login to that SMTP server to prove you are a valid user of it, but once you have a connection to the SMTP server you can send email "from" any account "to" any account. You don't need to know the user's credentials, sending email has *no* credentials, you only need to login to read mail not to send it.

As for point 2...again...there is no such thing as sending "from" an account, that is smoke and mirrors that email clients like Outlook and Gmail make it look like is happening, but it isn't. You don't allow users to choose smtp servers and you don't care, as long as you are using an SMTP server that allows relaying you can send any email through it. Forget gmail, it simply doesn't come into the equation.

If you want the email to appear in the "sent" items then that will indeed require access to the user's IMAP account (POP3 doesn't support "sent items") which leads you into so many problems it's simply not worth doing, as you can never guarantee to get the code working for everyone. My mail might only support POP3, I might have moved or renamed by Sent Item folder, I might have configured my client to not copy emails to sent items and if you do so I might be very annoyed.

Basically, if you want to create items in people's "Sent" folder then forget what you're trying to do, it's not going to work. If you just want to send emails on behalf of other people all you need is an SMTP server that alloys relaying and nothing else.

Shant Nercessian 22-Apr-16 3:57am

If what you say is reflected among user attitudes, then would this be a good option in your opinion? We set up a basic smtp server within the software that is started every time the user wants to send mail. Then the mail is delivered to this server and the server sends it directly to the recipient, without relaying it to any other smtp server and it does not require a password itself, residing on the localhost. Can you see any flaws with this plan? Will it work?

Thanks once again for all your help!

F-ES Sitecore 22-Apr-16 4:30am

I don't think you're going to be able to start an smtp server on each client machine. Ideally you'd have one configured somewhere that your apps can all connect to (or one you pay to use, there are various bulk-mailing systems that are pre-whitelisted so you shouldn't have issues), but if that's not possible you may have to resort to asking users to configure individual smtp settings but that is going to be troublesome for reasons you already know.