Support SASL with OAuth2 for outgoing mail #100

Open
benfrancis opened this issue Mar 4, 2024 · 0 comments
@benfrancis
Member

Later this year, Google will start the process of deprecating what they call "Less Secure Apps" which only use a username and password to access Google Accounts, which includes apps using protocols like IMAP and SMTP.

Currently GMail is used as an outgoing SMTP mail server for the webthings.io instance of the registration server, to send emails to confirm an email address or reclaim a subdomain.

From 15th June 2024, no new users will be able to enable less secure apps which will mean that people won't be able to configure new instances of the registration server to use Google as an SMTP server (not a huge problem, since other options are available and the webthings.io instance should keep working).

From 30th September 2024 access to Less Secure Apps will be turned off for all Google Workspace accounts, and protocols like IMAP and SMTP will stop working. This is a bigger problem because it means the webthings.io registration server will no longer be able to send new outgoing emails.

In order for the registration server to continue sending outgoing mail via Google's mail servers, we will need to implement OAuth2 support on the registration server, to authenticate with the [email protected] GMail account.

The Google Workspace documentation says this involves using SASL (Simple Authentication and Security Layer) authentication for SMTP. It's possible that the application may also have to be verified by Google in order to gain this API access, but there are exceptions which I think may cover us.

The registration server appears to use the lettre Rust library for outgoing mail. According to the documentation, the authentication module of this library "provides limited SASL authentication mechanisms", but I'm not sure what this means.


An alternative to implementing OAuth2 for the registration server would be to switch to an alternative paid email service which still supports less secure password-based SMTP authentication, but that will entail an additional ongoing cost because webthings.io currently piggybacks on top of Krellian's paid Google Workspace account. It would also mean we couldn't use other Google Workspace features for webthings.io like the [email protected] email alias in Google Groups. Using a lesser-known outgoing mail service may also result in more outgoing emails being filtered out as spam.
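For reference, the SASL mechanism Google uses for OAuth2 over SMTP is XOAUTH2, and the sketch below shows the initial client response it expects. It is an added example, not part of the original issue and not code from the registration server or lettre. The function names are hypothetical, the account and token are constructed placeholders, and base64 is hand-rolled only to keep the example dependency-free.

```rust
// Added example: XOAUTH2 SASL initial client response for SMTP AUTH.
// All names here are hypothetical; the credentials in main() are constructed placeholders.

const B64: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/// Standard padded base64 (RFC 4648), std-only.
fn base64_encode(input: &[u8]) -> String {
    let mut out = String::with_capacity((input.len() + 2) / 3 * 4);
    for chunk in input.chunks(3) {
        let b = [chunk[0], *chunk.get(1).unwrap_or(&0), *chunk.get(2).unwrap_or(&0)];
        let n = (b[0] as u32) << 16 | (b[1] as u32) << 8 | b[2] as u32;
        out.push(B64[(n >> 18) as usize & 63] as char);
        out.push(B64[(n >> 12) as usize & 63] as char);
        out.push(if chunk.len() > 1 { B64[(n >> 6) as usize & 63] as char } else { '=' });
        out.push(if chunk.len() > 2 { B64[n as usize & 63] as char } else { '=' });
    }
    out
}

/// Builds base64("user=<user>\x01auth=Bearer <token>\x01\x01").
/// Control characters are rejected so neither field can smuggle a \x01
/// separator or a CRLF into the SMTP command stream.
fn xoauth2_initial_response(user: &str, access_token: &str) -> Result<String, String> {
    for (name, value) in [("user", user), ("access_token", access_token)] {
        if value.is_empty() || value.chars().any(|c| c.is_control()) {
            return Err(format!("{} is empty or contains a control character", name));
        }
    }
    let raw = format!("user={}\x01auth=Bearer {}\x01\x01", user, access_token);
    Ok(base64_encode(raw.as_bytes()))
}

/// The command line a client sends after EHLO over a TLS-protected session.
fn smtp_auth_command(user: &str, access_token: &str) -> Result<String, String> {
    Ok(format!("AUTH XOAUTH2 {}\r\n", xoauth2_initial_response(user, access_token)?))
}

fn main() {
    // Constructed placeholder values, not real credentials.
    match smtp_auth_command("sender@example.com", "ya29.placeholder-token") {
        Ok(line) => print!("{}", line),
        Err(e) => eprintln!("refusing to build AUTH command: {}", e),
    }
}
```

The access token is short-lived, so a real sender also needs a refresh step before each SMTP session; that part is not shown here.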
