Sending an Email through SendGrid without Authentication

I have just signed up for SendGrid and have been able to successfully email but I was wondering if it is possible to send emails with no authentication? At the moment I have only been able to send using authentication.
Thank you in advance for your response!

Why do you want to send without authentication?
Imagine that from SendGrid's perspective, how are they going to know that it is you sending email (and hence bill you for it) and how are they going to prevent just anybody connecting and bulk sending whatever they want!
This is known as an Open SMTP Relay and is generally considered a very bad thing™ ;)
The good thing though, is that it is very difficult to find an application that doesn't support SMTP authentication. Whatever you are using will have a setting to configure auth, and once it's set up you can likely forget all about it being there.
However, if you can give an idea of your use case, we can probably help you figure out a better way of achieving your goal...


How to send Email using Node JS from multiple accounts?

I'm building a system, where its registered users are able to send emails automatically. I came across 2 solutions to achieve this:
1. By getting the username and password of Gmail accounts and sending mails using nodemailer.
2. By using Google OAuth, to let the users give access to my app to send mails on their behalf (without sharing their mail credentials).
The first method works as a piece of cake, but the second option sounds a bit more professional and safe. I figured out how to send mail using a single acc. to other people. But couldn't find a possible solution, to send emails from the user's mail. (As it requires refresh token to send them)
I came here looking for a possible solution that helps me solve this issue. Thanks in advance!
Go with Google OAuth, or if using the first one, use bcrypt salt or some type of hashing to secure the password.
I would suggest you go for the second option. There is a good and very important reason to do so. You need to have a good and secure DB to save this information, which could be an overhead for you.
Hashing the password and saving it to the DB won't help you, as you can never get the actual password from the hashed one and you can't send the hashed password to the Gmail account. So, you can't do that.
The second option is a better way in every term; you just need to have a refresh token and that won't be a big deal. You can get it; the nodemailer transport layer can help you to get it.
I am attaching this link where you can easily replicate the steps to get it done.

Deploying a web app that has only one user

How would I go about deploying a web app intended for only a single user (myself)? I feel like making a login that only accepts 1 user is the wrong method and also easy to hack? Would it be a good idea to make it only accessible from a certain IP? Please advise! Thank you. Backend will be using nodejs.
If I were you, I would program the back-end the proper way. This involves generalizing the entire implementation so that any hypothetical user with the correct password could use your login system. You could still authorize and authenticate the application so that when anybody else tries to log in, you automatically decline their request. If you are concerned about security, ensure that you are using SSL, basic encryption, hash passwords and, most importantly, do not use your own authorization library. It is far more secure if you use OAuth instead of using an IP, for example. Last, but definitely not least, make it as hard as you can for hackers to steal your data in the client side. This way, you also learn a lot of things that might come in handy in the near future.

Alternatives to slow SMTP services like Mailgun

I am using Mailgun for sending emails to customers for account verification and password reset. Unfortunately Mailgun seems to be a very bad option. Even during development, at times it takes 20 minutes to get the email. This is not acceptable for password reset as the token has a specific timeout. I need to find a solution that is reliable and the customer immediately gets their password reset token sent to them. I have little experience with this kind of thing and would appreciate any advice.
Not sure if it matters but we are using nodejs as a backend.
Thanks.
I use sendgrid all the time. They are pretty reliable.
I had issues with Mailgun as well. Have you tried sendmail? I don't know how well it might work for a production environment, but it works really well in our testing environment.
I can't imagine having to wait 20 minutes for a password reset email! As the end user, that would drive me crazy. I'm wondering if they are throttling your emails or something.
But anyway, if you're still looking for an alternative, here are some of the top SMTP services that you could try.
SocketLabs.com: disclaimer - I work for SocketLabs, so I'm a little biased with that opinion :)
Sendgrid
Sparkpost
AWS

Meteor Accounts autologin pattern?

I'm thinking about a sign-up-with-mobile number system whereby someone can register with a mobile number and get an SMS to verify that they exist... at which point I'd like to have them automatically logged in without a password... (the SMS is basically a password)
This is patterned on the Lyft app sign-up, which doesn't ask for a username/password/etc.
But for the life of me, I can't figure out how to do this.
I'm totally fine with a server only Meteor.method which responds with something "secure" but I don't know what that would be now.
The only thing I can think of would be to set the password on the User and then transmit it to the client and run a login (which seems insecure to me).
I have read through this great article
https://meteorhacks.com/extending-meteor-accounts.html
and it's a good option, but I don't know of a strategy for that which wouldn't bypass security too
(at some point the server has to communicate securely back to the client...)
Recommendations?
I made a package that might help you, Meteor accounts phone, which does login based on SMS mobile number verification: https://github.com/okland/accounts-phone/ Enjoy!

Should I provide lost credentials to users via a direct message on Twitter?

Is it better (more convenient or secure) to provide users with a lost username or password via direct message on Twitter rather than via email?
You don't supply lost passwords at all (mostly because you can't, because if you're doing it right you don't store passwords in plain text anyway).
You facilitate a reset-feature that allows the user to, with the help of for example a secret question or simply an activation link via email, change their password.
I really don't want sites throwing my username and password over Twitter.
No thank you!
It is as secure as sending it over email. If you generate a new password and then send it to the user via DM, only the user can read it. And yes, the user can access Twitter in an insecure way over an unencrypted connection. But you can't assure that somebody uses an encrypted connection to access his mail either.
In fact it could be more secure because you know that only Twitter admins can intercept the message and no admin reading the mails from his users.
Security aside, there's also the significant flaw that you can't send password reset information, password reminders, or anything else to your user via direct message if he's not following you on twitter. Unless your site is itself a twitter client, then the odds are pretty good that a substantial fraction of your potential users won't be particularly interested in following you and are likely to resent being told that they must follow you (or at least follow/change password/unfollow) if they want to use your site.
Update: I forgot to mention... If you want to tie your user authentication functionality to twitter, then why not just use Twitter OAuth instead of maintaining your own password store at all? It works quite well (barring the fail whale), is very quick and easy for the users, and doesn't place any requirements on who they follow or don't follow.
Start by reading this post: What is the best “forgot my password” method?
This will get you started in the right direction.
I want my password sent by UPS, FedEx, or USPS when I forget them.
Punish the user.
Bad user.
Enough people have pointed out that you shouldn't be storing passwords in plain text anyway, so I won't repeat that.
But if you're sending a one-time-use password-reset link as a Twitter DM, then you have to take into account that the user might receive that message on their mobile phone.
Then you'll have to make sure whatever that link points to is set up to display correctly on mobile phone web browsers.
Then you'll wish you just stuck with email.
Secure your passwords and don't send anything by email or Twitter. Look up MD5 and other algorithms to do this.
Wikipedia says:
In cryptography, MD5 (Message-Digest algorithm 5) is a widely used cryptographic hash function with a 128-bit hash value. As an Internet standard (RFC 1321), MD5 has been employed in a wide variety of security applications, and is also commonly used to check the integrity of files.
I hate it when I see a website storing my password without encryption... and if the website started sending me my password via twitter I'd break something.
Instead of sending passwords verbatim over any insecure channel, send a nonce instead. Such as: a one-time URL the user clicks, verifies personal info, then is forced to choose a new password.
This way, if the message is intercepted, no damage can be done without also hacking the personal questions.
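
The one-time reset URL described in the answer above, combined with the token timeout mentioned in the Mailgun question, can be sketched in Node.js as follows. This is an added example, not code from any of the posts; `resetStore`, `issueResetToken`, `redeemResetToken`, the 15-minute lifetime and the `app.example` URL are all assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Assumed lifetime for a reset token (hypothetical value).
const TOKEN_TTL_MS = 15 * 60 * 1000;

// Stands in for a database table: userId -> { hash, expiresAt }.
const resetStore = new Map();

const sha256 = (value) => crypto.createHash('sha256').update(value).digest();

// Issue a token. The raw token goes only into the emailed link; the
// server keeps just its hash, so a leaked table cannot be replayed.
function issueResetToken(userId, now = Date.now()) {
  const token = crypto.randomBytes(32).toString('hex');
  resetStore.set(userId, { hash: sha256(token), expiresAt: now + TOKEN_TTL_MS });
  return token;
}

// Build the one-time URL (hypothetical host and path).
function buildResetLink(userId, token) {
  const params = new URLSearchParams({ uid: userId, token });
  return `https://app.example/reset?${params}`;
}

// Redeem a token: accepted once, before expiry, for that user only.
function redeemResetToken(userId, token, now = Date.now()) {
  const record = resetStore.get(userId);
  if (!record || typeof token !== 'string') return false;
  if (now > record.expiresAt) {
    resetStore.delete(userId); // expired tokens are discarded
    return false;
  }
  // Both digests are 32 bytes, so the constant-time compare never throws.
  if (!crypto.timingSafeEqual(sha256(token), record.hash)) return false;
  resetStore.delete(userId); // single use: a replayed link fails
  return true;
}
```

After a successful `redeemResetToken`, the application would show the "choose a new password" form; the old password is never sent anywhere.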
