Using Flask-Mail for production - python

I have been putting together a website using vanilla JavaScript, HTML, Python (Flask) and SQLAlchemy.
I'm using two Linode servers: one for the website, one for the database.
I contacted Linode and they unblocked the email ports, and I configured Gmail to allow less-secure apps.
As of right now I am using Flask-Mail and it uses my Gmail username and password to log in, and everything on the website is functioning exactly how I want it to.
I only use email for 3 things:
registration confirmation
recover account password
I would like to send emails to users who sign up with site updates, once per month at the most.
However, I've seen many people say Gmail is not good for production. My main concern is that some people have said Gmail will limit your outgoing correspondence to 100 people.
I really don't anticipate a high volume. If it exceeds 100 people I would be surprised tbh, but I want to be able to handle at least a couple thousand at the most.
I'd prefer not to get bogged down with changing all of the code and dealing with setting up a separate email server and all of that. If there's a solution as simple as "hey, use this website and user login instead of your Gmail account" that would be great.
If that's not acceptable, I understand. I'm just looking for the easiest solution that doesn't necessarily have to be amazingly scalable at the moment.
Thanks in advance!

SendGrid is a great option. Their free tier allows you to send 100 emails per day and can scale up if you do find your application is gaining momentum. Below are the settings you'd use to configure your Flask app (and Flask-Mail) to be able to use the service. This is derived from a tutorial that SendGrid itself provides here for configuring a Flask app with Flask-Mail.
MAIL_DEFAULT_SENDER="theemailyouwanttoshow@site.com"
MAIL_USERNAME="apikey"
MAIL_PASSWORD="SG.abcdjekfkdmd"
MAIL_SERVER="smtp.sendgrid.net"
MAIL_PORT=587
MAIL_USE_TLS=1
MAIL_USE_SSL=0
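The settings above put a SendGrid API key straight into the Flask config. The following is an added example, not the answer's own code nor SendGrid's tutorial: it loads the same settings from the environment so the key never lands in app.py or git, checks them at start-up, and spells out the SMTP exchange Flask-Mail performs (STARTTLS on 587, login as the literal user "apikey"). The environment variable names SENDGRID_API_KEY and MAIL_DEFAULT_SENDER, the DryRunSMTP stand-in and all addresses are assumptions for illustration.

```python
"""Added example: SendGrid SMTP settings from the environment instead of
hard-coded in the Flask config, plus the SMTP exchange Flask-Mail performs,
with an injectable transport so it can be exercised without a network."""
import os
import smtplib
import ssl
from email.message import EmailMessage

SENDGRID_HOST = "smtp.sendgrid.net"
SENDGRID_PORT = 587  # submission port, upgraded with STARTTLS


def mail_config(env=None):
    """Build the Flask-Mail config dict.  SendGrid's SMTP login is the literal
    user name "apikey" with the API key as the password, so the key is the only
    secret; fail at start-up rather than at first send if it is missing."""
    env = os.environ if env is None else env
    api_key = env.get("SENDGRID_API_KEY", "")
    sender = env.get("MAIL_DEFAULT_SENDER", "")
    if not api_key.startswith("SG."):  # SendGrid keys carry this prefix
        raise RuntimeError("SENDGRID_API_KEY is missing or not a SendGrid key")
    if "@" not in sender:
        raise RuntimeError("MAIL_DEFAULT_SENDER must be a full address")
    return {
        "MAIL_SERVER": SENDGRID_HOST,
        "MAIL_PORT": SENDGRID_PORT,
        "MAIL_USE_TLS": True,   # STARTTLS on 587 ...
        "MAIL_USE_SSL": False,  # ... never together with implicit TLS (465)
        "MAIL_USERNAME": "apikey",
        "MAIL_PASSWORD": api_key,
        "MAIL_DEFAULT_SENDER": sender,
    }


def build_message(cfg, to, subject, body):
    """Plain-text message from the configured default sender."""
    msg = EmailMessage()
    msg["From"] = cfg["MAIL_DEFAULT_SENDER"]
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_via_smtp(cfg, msg, smtp_factory=smtplib.SMTP):
    """What Flask-Mail does under the hood: connect, upgrade to TLS with
    certificate verification, log in, send.  smtp_factory is injectable so the
    transport can be replaced by DryRunSMTP below."""
    ctx = ssl.create_default_context()  # verifies the server certificate
    with smtp_factory(cfg["MAIL_SERVER"], cfg["MAIL_PORT"], timeout=15) as smtp:
        smtp.ehlo()
        if cfg["MAIL_USE_TLS"]:
            smtp.starttls(context=ctx)
            smtp.ehlo()
        smtp.login(cfg["MAIL_USERNAME"], cfg["MAIL_PASSWORD"])
        return smtp.send_message(msg)  # {} means every recipient was accepted


class DryRunSMTP:
    """Constructed stand-in for smtplib.SMTP: records the exchange, sends nothing."""
    log = []

    def __init__(self, host, port, timeout=None):
        self.log.append(("connect", host, port))

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def ehlo(self):
        pass

    def starttls(self, context=None):
        self.log.append(("starttls", context is not None))

    def login(self, user, password):
        self.log.append(("login", user, password))

    def send_message(self, msg):
        self.log.append(("send", str(msg["To"])))
        return {}
```

In the Flask app this becomes `app.config.update(mail_config())` before `Mail(app)`. If a key has ever been committed, rotate it in the SendGrid dashboard; scrubbing it from git history is not enough once the repository has been cloned.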

Gathering bug reports?

Premise: I am a beginner in search of an easy way to send bug reports from users overseas.
I've made a script for some friends who are living on the other side of the sea (US - Europe)... I would like to gather automatic bug reports whenever they happen. So my first idea was to send myself an email with the smtplib module. It works fine when testing at home, but as soon as the sender "sends", my email provider (Gmail) blocks the connection because, of course, it's from an "unknown device". I've already enabled "Allow less secure apps" as someone suggested, but to no avail.
What I am searching for is a simple way of dealing with this.
Yes, I could make the script ignore the error if the email is not being sent, and then go into my Google account and enable those devices so at least it will work from the second run...
But it doesn't seem like what a programmer would do in this case. I am learning, so a solution within the language is what I am after.
A different provider that has no restriction is also a good start, but I tried Yahoo, Live and Yandex and I couldn't make them work. Are there any?
So my question is: how do others do it? What is the best solution for someone like me?
I've read about Sentry or other error/bug tracking, but it's obviously way too much for what I need.
You should certainly not incorporate e.g. Gmail credentials in code that is remotely executed on devices you do not control; if I understand correctly, the Gmail "less secure device" issue happens because every "user" is running this code and using your credentials. This holds true for any other provider.
Now, this won't exactly be simple, but one way to go about it would be to create a server-side API endpoint that accepts HTTP(S) or any other protocol requests and then authenticates in a slightly more secure way on the server side with Gmail.
The concept for emails is:
Bug > Python Script > API call > Email
This could be implemented using Python on the API side (e.g. Flask) or using an AWS Lambda function with Amazon API Gateway, but again that is something to get through and understand by itself, which will take a good chunk of time.
You need to touch a lot of concepts, like auth tokens, to make this really secure.
Could you elaborate a little on where the code needs to run and whether you are willing to try AWS or any other cloud provider, or would have access to an internet-connected server? That makes it easier to provide you with a full example of the solution in a hackish way, while I highlight the problems you could face on the security side.
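The "Bug > Python Script > API call > Email" design above, with the auth-token part filled in, as an added example that is not part of the answer: each friend's script holds only a per-device token and HMAC-signs the report; the server checks the signature in constant time, rejects stale or tampered reports, and only then calls a deliver() function that holds the mail credentials, which therefore never leave the server. It is plain WSGI so it runs on the standard library alone (serve it behind HTTPS with any WSGI server). The header names, the token values and the deliver() callback are assumptions for illustration.

```python
"""Added example: HMAC-authenticated bug-report relay so the mail password
stays server-side.  Standard library only; tokens and header names are
illustrative."""
import hashlib
import hmac
import io
import json
import time
import urllib.request

MAX_SKEW = 300  # seconds a signed report stays valid; bounds replay


def sign_report(token, report, now=None):
    """Client side: serialise the report with a timestamp and MAC the bytes."""
    ts = int(time.time() if now is None else now)
    body = json.dumps({"ts": ts, "report": report}, sort_keys=True).encode()
    mac = hmac.new(token, body, hashlib.sha256).hexdigest()
    return body, mac


def verify_report(token, body, mac, now=None):
    """Server side: constant-time MAC check before parsing anything, then a
    freshness check.  Returns the report, or None if the request is rejected."""
    expected = hmac.new(token, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    try:
        data = json.loads(body)
        ts, report = int(data["ts"]), data["report"]
    except (ValueError, KeyError, TypeError):
        return None
    if abs(int(time.time() if now is None else now) - ts) > MAX_SKEW:
        return None
    return report


def post_report(url, device_id, token, report):
    """Client helper for the friends' script: POST the signed report.  The URL
    must be https:// so the report travels encrypted.  Not exercised offline."""
    body, mac = sign_report(token, report)
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": "application/json",
        "X-Device-Id": device_id,
        "X-Report-MAC": mac,
    })
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def make_app(tokens, deliver, max_body=64 * 1024):
    """tokens: device id -> shared token.  deliver(device_id, report) is where
    the server-side mail call goes; its credentials never reach the clients."""
    def app(environ, start_response):
        def reply(status, text):
            start_response(status, [("Content-Type", "text/plain")])
            return [text.encode()]
        if environ.get("REQUEST_METHOD") != "POST" or environ.get("PATH_INFO") != "/bug":
            return reply("404 Not Found", "not found\n")
        device_id = environ.get("HTTP_X_DEVICE_ID", "")
        token = tokens.get(device_id)
        length = int(environ.get("CONTENT_LENGTH") or 0)
        body = environ["wsgi.input"].read(min(length, max_body))  # cap report size
        report = None
        if token is not None:
            report = verify_report(token, body, environ.get("HTTP_X_REPORT_MAC", ""))
        if report is None:
            return reply("401 Unauthorized", "rejected\n")
        deliver(device_id, report)
        return reply("202 Accepted", "queued\n")
    return app


def make_environ(body, mac, device_id, path="/bug"):
    """Constructed WSGI environ for exercising the app offline."""
    return {"REQUEST_METHOD": "POST", "PATH_INFO": path,
            "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body),
            "HTTP_X_DEVICE_ID": device_id, "HTTP_X_REPORT_MAC": mac}
```

A compromised friend's machine can then only flood you with reports from its own device id, which you revoke by deleting that one token; it cannot send mail as you. Rate-limiting per device id inside deliver() is the remaining piece for a public endpoint.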
I understand that this is not the way to go, but for my needs and my level of experience it works for me!
Yandex allows you to send email from different IPs, so Yandex is the way to go. What I was doing wrong in the first place was using the wrong port (587 instead of 465).

Is it possible to send an email via Google App Engine from an alias?

Is it possible to send an email using Google App Engine (GAE) from a Google Apps user account alias?
Since we are using a "custom" domain with our app (e.g., "www.example.com"), Google requires us to use a Google Apps paid account to enable web site HTTPS, which is a hidden cost when considering the cost of hosting.
We don't want to have to pay for extra accounts for things like "support@example.com", so we've just set that up as an alias of the paid account. And I don't want to have to be checking multiple accounts. But now we can't figure out how to send email from "support@example.com".
This article explains email sending options, but when I try to use the domain account approach, it basically ends up canonicalizing the support email alias and tells me that my account is already authorized. Anyway, I can't seem to figure out how to get any of the approaches to work for my situation. Is it even possible to do this?
I have been trying to find a solution for this as well, but unfortunately there does not seem to be any way to send email from a domain alias registered to Google Apps using GAE. Or any other domain for that matter.
There is an open ticket with low priority opened here: https://code.google.com/p/googleappengine/issues/detail?id=2766
So I don't have high hopes, as the ticket has been open for 5 years.

Safest way in python to encrypt a password?

I know the best practice is to hash user passwords, and I do that for all my other web apps, but this case is a bit different.
I'm building an app that sends email notifications to a company's employees.
The emails will be sent from the company's SMTP servers, so they'll need to give the app email/password credentials for an email account they allocate for this purpose.
Security is important to me, and I'd rather not store passwords that we can decrypt, but there seems to be no other way to do this.
If it makes any difference, this is a multi-tenant web app.
What's the best way in python to encrypt these passwords since hashing them will do us no good in trying to authenticate with the mail server?
Thanks!
Note: The mailserver is not on the same network as the web app
I've faced this issue before as well. I think that ultimately, if you are stuck having to produce a plain-text password inside your app, then all of the artifacts to produce the password must be accessible by the app.
I don't think there is some encryption magic to do here. Rely on file-system permissions to prevent anyone from accessing the data in the first place. Notice that your SSH private key isn't encrypted in your home dir. It is just in your home dir and you count on the fact that Linux won't let just anyone read it.
So, make a user for this app and put the passwords in a directory that only that user can access.
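The file-permission approach in the answer above, carried through in code as an added example (not the answer's own code): the tenant's SMTP password is written to a file that is 0600 from its first byte and moved into place atomically, and the reader checks the inode it actually opened (owner, regular file, no group/world bits, no symlink) before trusting the contents, so a permission that drifts after a bad deploy fails closed instead of silently leaking. Unix only; the directory layout and tenant id format are assumptions.

```python
"""Added example: per-tenant SMTP secret kept in a 0600 file owned by the
app user, with the permission check done on the opened file descriptor.
Unix only (file modes, os.geteuid); layout and names are illustrative."""
import os
import stat
import tempfile

SECRET_MODE = 0o600  # owner read/write, nothing for group or world


def write_secret(path, secret):
    """mkstemp creates the temp file as 0600, so the secret is never readable
    by anyone else even for an instant; os.replace makes the swap atomic."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".tmp-")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(secret)
        os.chmod(tmp, SECRET_MODE)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def read_secret(path):
    """Open without following symlinks and check the inode we actually opened
    (not the path, which could be swapped underneath us)."""
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    with os.fdopen(fd, "r") as f:  # fdopen owns fd now and closes it on any exit
        st = os.fstat(f.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != os.geteuid():
            raise PermissionError(f"{path}: not owned by the app user")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path}: group/world accessible, refusing to read")
        return f.read().rstrip("\n")


def tenant_secret_path(base_dir, tenant_id):
    """One file per tenant under a directory that is itself 0700 for the app
    user.  The tenant id comes from the database, so keep it out of path games."""
    if not tenant_id.isalnum():
        raise ValueError("tenant id must be alphanumeric")
    return os.path.join(base_dir, f"smtp-{tenant_id}.secret")
```

Run the app as a dedicated user, make base_dir mode 0700 owned by that user, and keep the web server's static file root well away from it. This does not protect against someone who already runs code as the app user; nothing on the same host can, which is the answer's point.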
I would strongly recommend using BCrypt. There are lots of advantages to the algorithm, and most implementations handle all of these questions for you.
As described in this answer:
Bcrypt has the best kind of repute that can be achieved for a cryptographic algorithm: it has been around for quite some time, used quite widely, "attracted attention", and yet remains unbroken to date.
I've written up a detailed article about how to implement BCrypt in python as well as other frameworks here: http://davismj.me/blog/bcrypt

GAE Python2.7 client authentication by certificate

I'm writing an application on GAE that is exposing a RESTlike API to a fixed number of remote servers which may be using any OS/software. At the moment I'm pondering how to identify and authenticate these remote servers painlessly.
I'm trying to avoid having to program too much of this myself for obvious security concerns.
If I were on Apache or nginx I'd use SSL client certificates and let the clients choose whatever they want to contact the API: curl, a web app, whatever.
I understand that, at this time, GAE doesn't support checking client certificates this way.
Is there any other way to do this in GAE with Py2.7?
If this is not possible or a very big hassle, can anyone point me to another good way to identify and authenticate remote servers in a situation like this?
I can only post two links of what I checked:
https://groups.google.com/forum/?fromgroups=#!topic/google-appengine-python/c5PHMrAMAcI
https://sites.google.com/site/oauthgoog/authenticate-google-app-engine-app
plus much more over the last few days. I found some questions which are similar to mine, but none with a satisfying answer, to me at least.
I'd suggest looking into Google Cloud Endpoints, which is currently in the trusted tester phase. I discuss it in more detail in this answer, but the main things you'll get are:
An easy way to define your API
Automatic support for OAuth 2
We're primarily targeting developers building APIs in their application backends, but other "same party" (e.g. you're the API developer and consumer) uses should work equally well.

Process dynamic email addresses using python

I need to do the following and I was wondering if anyone has done something similar, and if so what they did.
I need to write a program that will handle incoming emails for different clients, process them, and then, depending on the email address, do something (add to database, reply, etc.).
The thing that makes this a little more challenging is that the email addresses aren't static, they are dynamic. For example, the emails would be something like this: dynamic-email1@dynamic-subdomain1.domain.com. The emails are grouped by client using a dynamic subdomain; in this example it would be 'dynamic-subdomain1'. A client would have their own subdomain that is assigned to them. Each client can create their own email addresses under their subdomain and assign an event to each address. These email addresses and subdomains can change all of the time, new ones added, old ones removed, etc.
So for example, if an email comes in for the address 'dynamic-email1@dynamic-subdomain1.domain.com' then I would need to look up in the database to find out which client is assigned the 'dynamic-subdomain1' subdomain and then look to see which event maps to the email address 'dynamic-email1' and then execute that event. I have the event processing already, I'm just not sure how to map the email addresses to the event.
Since the email addresses are dynamic, it would be a real pain to handle this with file-based configuration files; it would be nice to look up in a database instead. I did some research and I found some projects that do something similar but not exactly. The closest that I found is Zed Shaw's Lamson project: http://lamsonproject.org
More background:
I'm using python, django, linux, mysql, memcached currently.
Questions:
Has anyone used Lamson to do what I'm looking to do? How did you like it?
Are there any other projects that do something similar, maybe in a different language besides Python?
How would I set up my DNS MX record to handle something like this?
Thanks for your help.
Update:
I did some more research on the Google App Engine suggestion and it might work, but I would need to change too many things and it would add too many moving parts. I would also need a catch-all email forwarder; does anyone know of any good cheap ones? I'd prefer to deploy on a system that handles all email. It looks like people have used Postfix listening on port 25 and forwarding requests to Lamson. This seems reasonable, so I'm going to try it out and see how it goes. I'll update with my results.
Update 2:
I did some more research and I found a couple of websites that do something like this for me, so I'm going to look at them next.
http://mailgun.net
http://www.emailyak.com
I've done some work on a couple of projects using dynamic email addresses, but never with dynamic subdomains at the same time. My thoughts on your questions:
I've never used Lamson, so I can't comment on that.
I usually use App Engine's API to receive and handle incoming messages, and it works quite well. You could easily turn each received message into a basic POST request on your own server with e.g. To, From, Subject, and Message fields and handle those with standard Django.
One downside with GAE email is having to use *@yourappname.appspotmail.com, but you could get around that by setting up a catch-all email forwarder for *@yourdomain.com to direct everything to secretaddress@yourappname.appspotmail.com. That would let you receive the messages on the custom domain and handle them with GAE.
The other issue/benefit with GAE is using Google's servers instead of your own (at least for the email bit).
For the subdomain issue, you could try setting up wildcard DNS for the MX records, which (in theory) would direct all mail sent to any subdomain to the same server(s). This would enable you to receive email on all subdomains (for better or worse: look out for spam!).
For Lamson, have you tried something as simple as:
from lamson.routing import route

@route("(address)@(subdomain).(host)", address=".+", subdomain=r"[^\.]+")
def START(message, address=None, subdomain=None, host=None):
    ...
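The route pattern above only splits the address; the lookup the question asks about (subdomain to client, then local part to event) still has to be written. The following is an added example, not code from the answer or from Lamson: it parses the envelope recipient with the same address/subdomain/host split, normalises case and an optional +tag, and resolves it through two lookup tables that stand in for the MySQL rows. DOMAIN, the table contents and the helper names are constructed for illustration; the point that matters for security is that anything not under a known subdomain, or not under domain.com at all, resolves to nothing rather than to a default handler.

```python
"""Added example: resolve an incoming envelope recipient such as
local@subdomain.domain.com to (client, event) via database-style lookups.
Tables and DOMAIN are constructed stand-ins."""
import re

DOMAIN = "domain.com"

# Stand-ins for the two tables in the question: subdomain -> client, and
# (client, local part) -> event name to execute.
CLIENTS = {"dynamic-subdomain1": "acme", "dynamic-subdomain2": "globex"}
EVENTS = {
    ("acme", "dynamic-email1"): "create_ticket",
    ("acme", "bounce"): "mark_bounced",
    ("globex", "dynamic-email1"): "import_order",
}

# Same split as the Lamson route, but anchored to our own domain so that
# user@acme.domain.com.evil.net or a second-level subdomain never matches.
ADDR_RE = re.compile(
    r"^(?P<local>[^@\s]+)@(?P<sub>[a-z0-9-]+)\." + re.escape(DOMAIN) + r"$",
    re.IGNORECASE,
)


def parse_recipient(addr):
    """Return (local_part, subdomain), both lower-cased, or None.

    Feed this the envelope recipient (RCPT TO / Delivered-To), not the To:
    header, so BCC'd and forwarded mail still resolve.  A '+tag' suffix on
    the local part is dropped so clients can use it for their own tracking."""
    m = ADDR_RE.match(addr.strip().strip("<>"))
    if not m:
        return None
    local = m.group("local").lower().split("+", 1)[0]
    return local, m.group("sub").lower()


def resolve_event(addr, clients=CLIENTS, events=EVENTS):
    """Map a recipient address to (client, event) or None.  Unknown subdomains
    and unregistered local parts both fall through to None so the caller can
    bounce or drop rather than run a default action."""
    parsed = parse_recipient(addr)
    if parsed is None:
        return None
    local, sub = parsed
    client = clients.get(sub)
    if client is None:
        return None
    event = events.get((client, local))
    if event is None:
        return None
    return client, event
```

With wildcard MX as the answer suggests, every subdomain's mail arrives at this one host, so the two lookups are the only thing standing between an attacker-chosen recipient and your event code; keep them exact-match and case-insensitive, and never derive a handler name from the address string itself.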