Re: Problem Spoofing From Field with Django Emails

2011-05-10 Thread benp
Darn, thanks for saving me a lot of time and frustration Brett.

Best,
Ben

On May 10, 10:48 am, Brett Parker wrote:
> On 10 May 07:34, benp wrote:
>
> > Thanks Brett,
>
> > I was starting to go a little nuts.
>
> > >To a limited extent - also don't forget that the envelope sender and the
> > >from header are different.
>
> > This seems to imply that I can still change the from header (what I
> > understand to be spoofing). I assume that companies like AddThis (a
> > social media sharing widget), just change the from header.
>
> > How can I do that through Django?
>
> What you'd got would have worked - gmail rewrites the from *and* the
> envelope (because they're nice like that) on authenticated smtp - the
> only way you could do it is by going through a third party server that
> does not rewrite the from header, and have the mail submitted to google
> from there.
> --
> Brett Parker

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en.



Re: Problem Spoofing From Field with Django Emails

2011-05-10 Thread Brett Parker
On 10 May 07:34, benp wrote:
> Thanks Brett,
> 
> I was starting to go a little nuts.
> 
> >To a limited extent - also don't forget that the envelope sender and the
> >from header are different.
> 
> This seems to imply that I can still change the from header (what I
> understand to be spoofing). I assume that companies like AddThis (a
> social media sharing widget), just change the from header.
> 
> How can I do that through Django?

What you'd got would have worked - gmail rewrites the from *and* the
envelope (because they're nice like that) on authenticated smtp - the
only way you could do it is by going through a third party server that
does not rewrite the from header, and have the mail submitted to google
from there.
-- 
Brett Parker




Re: Problem Spoofing From Field with Django Emails

2011-05-10 Thread benp
Thanks Brett,

I was starting to go a little nuts.

>To a limited extent - also don't forget that the envelope sender and the
>from header are different.

This seems to imply that I can still change the from header (what I
understand to be spoofing). I assume that companies like AddThis (a
social media sharing widget), just change the from header.

How can I do that through Django?

Best,
Ben

On May 10, 10:22 am, Brett Parker wrote:
> On 10 May 07:15, benp wrote:
>
> > Hi,
>
> > I'm new to mail servers.  My issue is that I want to enable my
> > website's users to email each other directly via their personal (often
> > gmail) accounts.  I have the default Email backend set up and my
> > settings file looks like this:
>
> > EMAIL_HOST='smtp.gmail.com'
>
> > EMAIL_HOST_USER='...@mycompany.com'
>
> > EMAIL_HOST_PASSWORD='mypass'
>
> > EMAIL_PORT=587
>
> > When I try to send mail to a user with the send_mail() function, the
> > sender naturally defaults to b...@mycompany.com, even when I add a
> > "sender" argument to the function, such as b...@gmail.com.  HOWEVER,
> > when I add another user from my google apps account (i.e.
> > h...@mycompany.com) to that sender argument, it does override the
> > default and send the mail from h...@mycompany.com.
>
> By default google's auth smtp service will rewrite the from header to
> the authenticated user. I do not believe that there's a way to stop it
> from doing so (you can add extra sender addresses to the authentication
> account, but each of those will then get a "please confirm that we're
> allowed to do this" mail.).
>
> > Now, an additional wrinkle is that when I add the option "auth_user"
> > and "auth_password" arguments to the send_mail function (ie.
> > b...@gmail.com + myotherpass), it also overrides the EMAIL_HOST_USER
> > default.  What this is suggesting to me is that I need to pass my
> > gmail credentials to override the default.  That's a problem for
> > sending mail between users because I obviously don't have their
> > passwords.
>
> > I know that you can spoof FROM fields and clearly there are
> > webservices out there that send emails from any account to any
> > account, without credentials.
>
> To a limited extent - also don't forget that the envelope sender and the
> from header are different.
>
> > What am I missing here?
>
> Mostly that gmail *will not* allow you to send from an address that it
> does not know you've got permission to send from. If you use their auth
> smtp service it *will* rewrite the from header.
>
> Thanks,
> --
> Brett Parker




Re: Problem Spoofing From Field with Django Emails

2011-05-10 Thread Brett Parker
On 10 May 07:15, benp wrote:
> Hi,
> 
> I'm new to mail servers.  My issue is that I want to enable my
> website's users to email each other directly via their personal (often
> gmail) accounts.  I have the default Email backend set up and my
> settings file looks like this:
> 
> EMAIL_HOST='smtp.gmail.com'
> 
> EMAIL_HOST_USER='b...@mycompany.com'
> 
> EMAIL_HOST_PASSWORD='mypass'
> 
> EMAIL_PORT=587
> 
> 
> When I try to send mail to a user with the send_mail() function, the
> sender naturally defaults to b...@mycompany.com, even when I add a
> "sender" argument to the function, such as b...@gmail.com.  HOWEVER,
> when I add another user from my google apps account (i.e.
> h...@mycompany.com) to that sender argument, it does override the
> default and send the mail from h...@mycompany.com.

By default google's auth smtp service will rewrite the from header to
the authenticated user. I do not believe that there's a way to stop it
from doing so (you can add extra sender addresses to the authentication
account, but each of those will then get a "please confirm that we're
allowed to do this" mail.).

> Now, an additional wrinkle is that when I add the option "auth_user"
> and "auth_password" arguments to the send_mail function (ie.
> b...@gmail.com + myotherpass), it also overrides the EMAIL_HOST_USER
> default.  What this is suggesting to me is that I need to pass my
> gmail credentials to override the default.  That's a problem for
> sending mail between users because I obviously don't have their
> passwords.
> 
> I know that you can spoof FROM fields and clearly there are
> webservices out there that send emails from any account to any
> account, without credentials.

To a limited extent - also don't forget that the envelope sender and the
from header are different.

> What am I missing here?

Mostly that gmail *will not* allow you to send from an address that it
does not know you've got permission to send from. If you use their auth
smtp service it *will* rewrite the from header.

Thanks,
-- 
Brett Parker
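
Added example, not part of the original thread or of Django: the envelope sender and the From header mentioned above are separate values, and a receiving side can compare them. The sketch below reads the Return-Path header (where a receiving server records the SMTP envelope sender) and the From header of two constructed messages and reports whether their domains match. The `.example` domains, the function names and the exact-match rule are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not taken from the thread). Return-Path is the
# header a receiving server adds to record the envelope sender (MAIL FROM).
ALIGNED = """\
Return-Path: <bounces@mycompany.example>
From: Site Notifications <noreply@mycompany.example>
To: bob@mail.example
Subject: You have a new message

Hello Bob
"""

MISMATCHED = """\
Return-Path: <bounces@relay.example>
From: Alice <alice@mail.example>
To: bob@mail.example
Subject: Hi

Hello Bob
"""


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def check_sender(raw):
    """Compare the envelope sender domain with the From header domain."""
    msg = message_from_string(raw)
    envelope = domain_of(msg.get("Return-Path"))
    header = domain_of(msg.get("From"))
    return {
        "envelope_domain": envelope,
        "from_domain": header,
        # Assumption: exact domain equality; an empty envelope never aligns.
        "aligned": bool(envelope) and envelope == header,
    }


if __name__ == "__main__":
    for name, raw in (("aligned", ALIGNED), ("mismatched", MISMATCHED)):
        print(name, check_sender(raw))
```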
