What security can we implement in PHPmailer to make it a more secure app for Gmail? https://support.google.com/accounts/answer/6010255
I am using PHPmailer to send emails via Gmail. PS: I don't want to enable "access for less secure apps" here: https://www.google.com/settings/security/lesssecureapps, I want to make the app more secure.
Gmail has started imposing a new authentication mechanism that substitutes SMTP athentication for OAuth2-based authorisation. The docs on their changes can be found here.
This doens't really improve security much because ultimately you still need to submit your username and password over SSL at some point (the very mechanism that google deems insecure) to authenticate to get an OAuth token, which is exactly as secure as existing SMTP auth systems.
As yet, PHPMailer does not support this new mechanism - PRs welcome! You will need an OAuth2 class, such as this one, and perhaps make use of this code example.
In the mean time, you do have to "enable access for less secure apps", and you should set SMTPSecure = 'tls' and Port = 587 and use normal auth to connect using PHPMailer.
Update
PHPMailer supports Gmail's XOAUTH2 authentication as of version 5.2.11. See this guide. It's being expanded in version 6.0 to support other services too.
Related
I am building a mass-emailing component for my Flask app.
I've used flask_mail, and able to send it, using 'smtp.google.com' as a server:
app.config['MAIL_SERVER']='smtp.gmail.com'
To enable it, I had to disable two-way authentication in my gmail and turn on access for "less secure apps".
Given the lowered security level, how secure is this setup?
Are there more secure alternatives?
I wouldn't personally use my "everyday" GMail account for an application of any kind, especially not in production. If you're going to stick with using GMail for this project I'd make another application, specific account. Obviously, removing 2FA from your account makes it more vulnerable should someone discover you password, but "Allowing less secure apps" isn't inherently scary, in my opinion, as you've created your application you know it isn't doing anything malicious.
Furthermore, I would find it more appropriate and professional, to use a service like AWS Simple Email Service, with a custom domain, if you're planning on sending "mass emails." It may even be against Google's TOS to use GMail in this way, make sure to find out before proceeding.
That's my two cents on the issue.
I have exposed some rest services in spring, using spring mvc, I have secured the webapp using spring security, that uses bcrypt on the server to encode the password and store it in the datbase.
The user will send the password in the url in plain text under https, And i have written a custom basic_auth_filter to check the uername and passowrd - basically authenticate. I also have set up a firewall that only allows one ip to connect.
Im no security expert, is there anything else i need to, should i encode the username/password in the url.. even though it will be coming via https?
regards
ps. this was a requirement to use username on the url?
Passwords, and all other non-ephemeral credentials, should never be sent in the URL, if for no other reason then because the browsers and other HTTP tools and servers will remember this in history, various logs etc, HTTPS or not, making it trivial to steal by anyone with local access, or even by someone just looking over your shoulder. This is why Spring by default rejects authentication via GET requests.
For this reason, you should move the sensitive parameters to the body of the request (thus requiring a POST).
If your login flow is based on username/passwords, I recommend you use UsernamePasswordAuthenticationFilter as it already encapsulates the logic and best practices for this type of flow.
In general your scheme is secure.
Consider pinning the server, that is validating the server certificate, to ensure the connection is to your server.
The password should not be used other than to authenticate using (in your case) bcrypt.
Re question update: "HTTPS encrypts the query string, only the actual server address portion is un-encrypted. But, the full URL including query string will probably be logged by the server so that has security implication. It is best to send confidential information in a POST.
I am trying to secure an https post service through a username/password authentication (Basic authentication). But so far I am not able to figure out how I can secure my service on the server side and force the username/password combination for the clients. I get that using httpclienthandler/httpclient/networkcredentials you can access the server, but how to force it on the server side and send appropriate unauthorized access errors etc.
Any directions or links using C#?
It seem there is the AuthenticationFilter, what I was looking for..
Here is a good amount of detail here;
I'm trying to connect and retrieve a list of message headers from Gmail via IMAP.
I'm getting a response from Google with "Web Login Required" and then a URL to continue the sign-in via the web interface. Log: http://hastebin.com/odufaducew.vhdl
Why does this happen? How to handle this case? I'm using the MailCore2 lib for iOS if that helps at all.
You can enable access for less secure apps in this page Google - Less secure apps
Choose enable and try again!
As legoscia points out, this happens when the login is done using a password and considered risky. The best option seems to be to avoid storing and using user's passwords for Gmail and instead switch to Oauth2. Is this app a mail user interface or are you using IMAP as an API? (Perhaps, https://developers.google.com/gmail/api/ would be more appropriate?)
I'm trying to learn more about Integrated Windows Authentication but everything I read introduces me to three new acronyms, many of which incorporate other acronyms, and I don't feel I know anything about the mechanics.
I understand that if an HTTP client doesn't support Integrated Windows Authentication there is a chain of fallbacks that can identify the client and might involve prompting for a username and password. Is there ever a case where it will fallback to HTTP Basic Authentication or any other plain text username / password communication?
I'm trying to determine if I need to provide SSL to protect user credentials and I'm hoping that all authentication is secured in some way.
There is no plain-text credential for the SSPs available to IWA in a default installation (NTLM and Kerberos). In principle you could deploy some other SSP and make it available to IWA via NegoEx, and that SSP might implement password checking in the clear, but that's pretty unlikely.
Of course there is nothing stopping a web application from returning a response requesting HTTP Basic Authentication or Forms Authentication, independently of IWA, so you would have to check no applications were doing that.
I'm trying to determine if I need to provide SSL to protect user credentials and I'm hoping that all authentication is secured in some way.
If you're only interested in complying with a corporate policy against cleartext passwords, then IWA should be enough.
If you have a real threat model and it includes a snooper on the network, then you have much more to worry about - such an attacker can just as easily do active man-in-the-middle attacks and make the web application appear to do something like create a bogus NTLM login box that leaks passwords. That's why you might want SSL.