I am using Mailgun for sending emails to customers for account verification and password reset. Unfortunately Mailgun seems to be a very bad option. Even during development, at times it takes 20 minutes to get the email. This is not acceptable for password reset as the token has a specific timeout. I need to find a solution that is reliable and the customer immediately gets their password reset token sent to them. I have little experience with this kind of thing and would appreciate any advice.
Not sure if it matters but we are using nodejs as a backend.
Thanks.
I use sendgrid all the time. They are pretty reliable.
I had issues with Mailgun as well. Have you tried sendmail? I don't know how well it might work for a production environment, but it works really well in our testing environment.
I can't imagine having to wait 20 minutes for a password reset email! As the end-user, that would drive me crazy. I'm wondering if they are throttling your emails or something.
But anyway, if you're still looking for an alternative, here are some of the top SMTP services that you could try.
SocketLabs.com: disclaimer - I work for SocketLabs, so I'm a little biased with that opinion :)
Sendgrid
Sparkpost
AWS
I'm building a system, where its registered users are able to send emails automatically. I came across 2 solutions to achieve this,
By getting the username and password of GMAIL accounts and sending mails using nodemailer.
By using Google OAuth, to let the users give my app access to send mails on their behalf (without sharing their mail credentials).
The first method is a piece of cake, but the second option sounds a bit more professional and safe. I figured out how to send mail from a single account to other people, but I couldn't find a solution to send emails from the user's mail (as it requires a refresh token to send them).
I came here looking for a possible solution that helps me solve this issue. Thanks in advance!
Go with Google OAuth, or if using the first one, use bcrypt salt or some type of hashing to secure the password.
I would suggest you go for the second option. There is a good and very important reason to do so. You need to have a good and secure DB to save this information, which could be an overhead for you.
Hashing the password and saving it to the DB won't help you. As you can never get the actual password from the hashed one and you can't send the hashed password to the gmail account. So, you can't do that.
The second option is better in every respect; you just need to have a refresh token, and that won't be a big deal. The nodemailer transport layer can help you get it.
I am attaching this link where you can easily replicate the steps to get it done.
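The answer above says to keep a refresh token per user rather than their Gmail password, and that nodemailer's transport can turn it into something usable. The following is an added example (not code from the thread or from nodemailer) showing what that looks like server-side: the stored record holds only the refresh token, the token is exchanged for a short-lived access token at Google's token endpoint, and the access token is wrapped in the SASL XOAUTH2 initial response that Gmail's SMTP AUTH actually consumes. The `userRecord`, the placeholder token value, and the function names are assumptions; the nodemailer option shape (`auth.type: 'OAuth2'` with `clientId`, `clientSecret`, `refreshToken`) is nodemailer's documented OAuth2 configuration.

```javascript
// Added example: per-user Google OAuth refresh token instead of a Gmail password.
// Constructed sample record; the token value is a placeholder, not a real token.
const userRecord = {
  email: 'alice@example.com',
  refreshToken: 'REFRESH_TOKEN_FROM_CONSENT_FLOW', // placeholder (assumption)
};

// Exchange the stored refresh token for a short-lived access token at Google's
// token endpoint. This runs on the server; the refresh token never reaches the browser.
async function refreshAccessToken(record, clientId, clientSecret) {
  const body = new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    refresh_token: record.refreshToken,
    grant_type: 'refresh_token',
  });
  const res = await fetch('https://oauth2.googleapis.com/token', {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body,
  });
  if (!res.ok) throw new Error(`token refresh failed: HTTP ${res.status}`);
  const json = await res.json(); // { access_token, expires_in, token_type, ... }
  return { accessToken: json.access_token, expiresAt: Date.now() + json.expires_in * 1000 };
}

// SASL XOAUTH2 initial client response used by Gmail SMTP AUTH:
//   base64("user=" + email + "\x01auth=Bearer " + accessToken + "\x01\x01")
function buildXoauth2Response(email, accessToken) {
  const raw = `user=${email}\x01auth=Bearer ${accessToken}\x01\x01`;
  return Buffer.from(raw, 'utf8').toString('base64');
}

// Inverse of the above; useful in tests and when reading mail-server logs.
function parseXoauth2Response(b64) {
  const raw = Buffer.from(b64, 'base64').toString('utf8');
  const m = /^user=([^\x01]+)\x01auth=Bearer ([^\x01]+)\x01\x01$/.exec(raw);
  if (!m) throw new Error('malformed XOAUTH2 response');
  return { email: m[1], accessToken: m[2] };
}

// nodemailer transport options for its OAuth2 auth type, built from the stored
// record. nodemailer performs the same refresh exchange internally when given
// clientId/clientSecret/refreshToken, so no access token needs to be persisted.
function buildNodemailerOptions(record, clientId, clientSecret) {
  return {
    service: 'gmail',
    auth: {
      type: 'OAuth2',
      user: record.email,
      clientId,
      clientSecret,
      refreshToken: record.refreshToken,
    },
  };
}
```

Usage: pass `buildNodemailerOptions(userRecord, clientId, clientSecret)` to `nodemailer.createTransport(...)`; `refreshAccessToken` and `buildXoauth2Response` are there for clients that speak SMTP AUTH directly or for inspecting what nodemailer sends.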
I have installed GLPI 0.90.1 on CentOS 7.
After more and more problems, everything was going right, but I tried to configure an IMAP mailbox on it in order to create tickets from mail.
The first time I collected my mail (for test), it works well. The ticket is created.
But the second time I tried (maybe 20 minutes later),
I get an error:
"connexion bloked" (translated, because I'm French).
I thought it came from Gmail, but the configs were good, and I didn't change anything.
On GLPI, I do not understand my error messages in the .log.
So I come here to find answers.
If you need more information, tell me.
Maybe you must enable "Allow less secure apps" to access the account in your Gmail account settings.
Related: What are the dangers of allowing “less secure apps” to access my Google account?
"less secure apps" refers to applications that send your credentials directly to Gmail
I have just signed up for SendGrid and have been able to successfully email but I was wondering if it is possible to send emails with no authentication? At the moment I have only been able to send using authentication.
Thank you in advance for your response!
Why do you want to send without authentication?
Imagine it from SendGrid's perspective: how are they going to know that it is you sending email (and hence bill you for it), and how are they going to prevent just anybody from connecting and bulk sending whatever they want!
This is known as an Open SMTP Relay and is generally considered a very bad thing™ ;)
The good thing though, is that it is very difficult to find an application that doesn't support SMTP authentication. Whatever you are using will have a setting to configure auth, and once it's set up you can likely forget all about it being there.
However, if you can give an idea of your use case, we can probably help you figure out a better way of achieving your goal...
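To make the open-relay point above concrete, here is an added example (not from the thread and not SendGrid's code) that models the relay decision an SMTP server makes. It processes one client session's command lines and returns the server's replies: recipients in the server's own domain are accepted regardless, but a recipient anywhere else is accepted only after a successful `AUTH PLAIN`. The domain list, the user table and the reply texts are constructed for the example; the SASL PLAIN encoding (`\0user\0password`, base64) is the standard one.

```javascript
// Added example: the relay policy that separates an open relay from a closed one.
const LOCAL_DOMAINS = new Set(['example.com']);                        // mail we deliver ourselves (constructed)
const VALID_USERS = new Map([['alice@example.com', 'correct horse']]); // constructed credential table

// Decode SASL PLAIN: base64("\0" + username + "\0" + password); returns null if malformed.
function decodeAuthPlain(b64) {
  const parts = Buffer.from(b64, 'base64').toString('utf8').split('\0');
  if (parts.length !== 3) return null;
  return { user: parts[1], password: parts[2] };
}

// Relay policy: local recipients are always accepted; anything else only for an
// authenticated session. Returning true unconditionally here is what "open relay" means.
function relayAllowed(session, rcpt) {
  const domain = rcpt.slice(rcpt.lastIndexOf('@') + 1).toLowerCase();
  if (LOCAL_DOMAINS.has(domain)) return true;
  return session.authenticated;
}

// Run one client session (array of command lines) and return the server's replies,
// starting with the greeting banner.
function runSession(commands) {
  const session = { authenticated: false, from: null };
  const replies = ['220 mail.example.com ESMTP'];
  for (const line of commands) {
    const [verb, ...rest] = line.split(' ');
    const arg = rest.join(' ');
    switch (verb.toUpperCase()) {
      case 'EHLO':
        replies.push('250-mail.example.com', '250 AUTH PLAIN');
        break;
      case 'AUTH': {
        const [mech, b64] = arg.split(' ');
        const creds = mech === 'PLAIN' && b64 ? decodeAuthPlain(b64) : null;
        if (creds && VALID_USERS.get(creds.user) === creds.password) {
          session.authenticated = true;
          replies.push('235 2.7.0 Authentication successful');
        } else {
          replies.push('535 5.7.8 Authentication credentials invalid');
        }
        break;
      }
      case 'MAIL':
        session.from = arg.replace(/^FROM:/i, '');
        replies.push('250 2.1.0 Ok');
        break;
      case 'RCPT': {
        const rcpt = arg.replace(/^TO:/i, '').replace(/[<>]/g, '');
        replies.push(relayAllowed(session, rcpt) ? '250 2.1.5 Ok' : '554 5.7.1 Relay access denied');
        break;
      }
      case 'QUIT':
        replies.push('221 2.0.0 Bye');
        break;
      default:
        replies.push('502 5.5.2 Command not implemented');
    }
  }
  return replies;
}

// Build the AUTH PLAIN command line a client would send.
function authPlainLine(user, password) {
  return 'AUTH PLAIN ' + Buffer.from(`\0${user}\0${password}`, 'utf8').toString('base64');
}
```

Run `runSession` once without the `AUTH` line and once with it: the same `RCPT TO:<bob@other.example>` is refused with `554 5.7.1 Relay access denied` in the first session and accepted in the second, which is exactly the distinction the answer is describing. On a real server this policy lives in the MTA configuration (for example Postfix's `smtpd_relay_restrictions`), not in application code.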
A little background: I am going to be constructing a webserver, likely the most up-to-date version of Apache when I get around to it. It is going to be updated with sensory information from a makeshift security system I have.
As a counterpart, I am designing an app to go along with it, that will automatically contact the webserver and pull the sensory information about once every 1.5 minutes.
I want to have an authentication method so that the average Bob can't see this information, mostly due to the fact that there will be some command and control as part of the server as well.
The question: I feel like a simple username and password is the wrong way to go about this since it isn't dynamic, and theoretically seeing the same credentials sent that frequently could be dangerous, so is there any other authentication method that could mitigate this?
The question pt. 2: Obviously I want an encrypted channel; will HTTPS stumble over itself if it tries to renegotiate every minute and a half?
I haven't begun this project yet much less chosen any language to write it in, meaning I am super open minded to suggestions, any help is greatly appreciated.
The question: I feel like a simple username and password is the wrong way to go about this since it isn't dynamic and theoretically seeing the same credentials sent that frequent could be dangerous, so is there any other authentication method that could mitigate this?
You could use Google Sign-In to allow log on via a Google account.
Or you could implement two-factor authentication with, say, Google Authenticator or via SMS to prove that the user logging in has more than one factor of authentication. These factors could be:
Something you know (e.g. password)
Something you have (e.g. phone that provides a One Time Password)
Edit: Having re-read your question - yes you are fine to authenticate with username and password (over HTTPS), however you should then store a session identifier client-side and simply send this in future rather than the username/password each time. This is more secure as it can be stored safely client-side, and if exposed the identifier can be easily revoked.
The question pt. 2: Obviously I want an encrypted channel, will https stumble over itself if it tries to renegotiate every minute and a half?
Nope, this is what it is designed for. Browsers will keep open an HTTPS connection for a length of time. Additionally, they will use session resumption rather than executing a full HTTPS handshake in the case that a new connection needs to be established. Session resumption is much quicker than establishing a completely new session. See this article on the CloudFlare blog for more info.
I'm thinking about a sign-up-with-mobile number system whereby someone can register with a mobile number and get a SMS to verify that they exist... at which point I'd like to have them automatically logged in without a password... (the SMS is basically a password)
This is patterned on the Lyft app sign-up, which doesn't ask for a username/password/etc.
But for the life of me, I can't figure out how to do this.
I'm totally fine with a server only Meteor.method which responds with something "secure" but I don't know what that would be now.
The only thing I can think of would be to set the password on the User and then transmit it to the client and run a login (which seems insecure to me).
I have read through this great article
https://meteorhacks.com/extending-meteor-accounts.html
and it's a good option, but I don't know of a strategy for that which wouldn't bypass security too
(at some point the server has to communicate securely back to the client...)
Recommendations?
I made a package that might help you, Meteor accounts phone, which does login based on SMS mobile number verification: https://github.com/okland/accounts-phone/ Enjoy!