Re: Problem Spoofing From Field with Django Emails
Darn, thanks for saving me a lot of time and frustration Brett.

Best,
Ben

On May 10, 10:48 am, Brett Parker wrote:
> On 10 May 07:34, benp wrote:
> > Thanks Brett,
> >
> > I was starting to go a little nuts.
> >
> > >To a limited extent - also don't forget that the envelope sender and the
> > >from header are different.
> >
> > This seems to imply that I can still change the from header (what I
> > understand to be spoofing). I assume that companies like AddThis (a
> > social media sharing widget), just change the from header.
> >
> > How can I do that through Django?
>
> What you'd got would have worked - gmail rewrites the from *and* the
> envelope (because they're nice like that) on authenticated smtp - the
> only way you could do it is by going through a third party server that
> does not rewrite the from header, and have the mail submitted to google
> from there.
> --
> Brett Parker

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
Re: Problem Spoofing From Field with Django Emails
On 10 May 07:34, benp wrote:
> Thanks Brett,
>
> I was starting to go a little nuts.
>
> >To a limited extent - also don't forget that the envelope sender and the
> >from header are different.
>
> This seems to imply that I can still change the from header (what I
> understand to be spoofing). I assume that companies like AddThis (a
> social media sharing widget), just change the from header.
>
> How can I do that through Django?

What you'd got would have worked - gmail rewrites the from *and* the envelope (because they're nice like that) on authenticated smtp - the only way you could do it is by going through a third party server that does not rewrite the from header, and have the mail submitted to google from there.

--
Brett Parker
Re: Problem Spoofing From Field with Django Emails
Thanks Brett,

I was starting to go a little nuts.

>To a limited extent - also don't forget that the envelope sender and the
>from header are different.

This seems to imply that I can still change the from header (what I understand to be spoofing). I assume that companies like AddThis (a social media sharing widget), just change the from header.

How can I do that through Django?

Best,
Ben

On May 10, 10:22 am, Brett Parker wrote:
> On 10 May 07:15, benp wrote:
> > Hi,
> >
> > I'm new to mail servers. My issue is that I want to enable my
> > website's users to email each other directly via their personal (often
> > gmail) accounts. I have the default Email backend set up and my
> > settings file looks like this:
> >
> > EMAIL_HOST='smtp.gmail.com'
> >
> > EMAIL_HOST_USER='...@mycompany.com'
> >
> > EMAIL_HOST_PASSWORD='mypass'
> >
> > EMAIL_PORT=587
> >
> > When I try to send mail to a user with the send_mail() function, the
> > sender naturally defaults to b...@mycompany.com, even when I add a
> > "sender" argument to the function, such as b...@gmail.com. HOWEVER,
> > when I add another user from my google apps account (i.e.
> > h...@mycompany.com) to that sender argument, it does override the
> > default and send the mail from h...@mycompany.com.
>
> By default google's auth smtp service will rewrite the from header to
> the authenticated user. I do not believe that there's a way to stop it
> from doing so (you can add extra sender addresses to the authentication
> account, but each of those will then get a "please confirm that we're
> allowed to do this" mail.).
>
> > Now, an additional wrinkle is that when I add the option "auth_user"
> > and "auth_password" arguments to the send_mail function (ie.
> > b...@gmail.com + myotherpass), it also overrides the EMAIL_HOST_USER
> > default. What this is suggesting to me is that I need to pass my
> > gmail credentials to override the default. That's a problem for
> > sending mail between users because I obviously don't have their
> > passwords.
> >
> > I know that you can spoof FROM fields and clearly there are
> > webservices out there that send emails from any account to any
> > account, without credentials.
>
> To a limited extent - also don't forget that the envelope sender and the
> from header are different.
>
> > What am I missing here?
>
> Mostly that gmail *will not* allow you to send from an address that it
> does not know you've got permission to send from. If you use their auth
> smtp service it *will* rewrite the from header.
>
> Thanks,
> --
> Brett Parker
Re: Problem Spoofing From Field with Django Emails
On 10 May 07:15, benp wrote:
> Hi,
>
> I'm new to mail servers. My issue is that I want to enable my
> website's users to email each other directly via their personal (often
> gmail) accounts. I have the default Email backend set up and my
> settings file looks like this:
>
> EMAIL_HOST='smtp.gmail.com'
>
> EMAIL_HOST_USER='b...@mycompany.com'
>
> EMAIL_HOST_PASSWORD='mypass'
>
> EMAIL_PORT=587
>
> When I try to send mail to a user with the send_mail() function, the
> sender naturally defaults to b...@mycompany.com, even when I add a
> "sender" argument to the function, such as b...@gmail.com. HOWEVER,
> when I add another user from my google apps account (i.e.
> h...@mycompany.com) to that sender argument, it does override the
> default and send the mail from h...@mycompany.com.

By default google's auth smtp service will rewrite the from header to the authenticated user. I do not believe that there's a way to stop it from doing so (you can add extra sender addresses to the authentication account, but each of those will then get a "please confirm that we're allowed to do this" mail.).

> Now, an additional wrinkle is that when I add the option "auth_user"
> and "auth_password" arguments to the send_mail function (ie.
> b...@gmail.com + myotherpass), it also overrides the EMAIL_HOST_USER
> default. What this is suggesting to me is that I need to pass my
> gmail credentials to override the default. That's a problem for
> sending mail between users because I obviously don't have their
> passwords.
>
> I know that you can spoof FROM fields and clearly there are
> webservices out there that send emails from any account to any
> account, without credentials.

To a limited extent - also don't forget that the envelope sender and the from header are different.

> What am I missing here?

Mostly that gmail *will not* allow you to send from an address that it does not know you've got permission to send from. If you use their auth smtp service it *will* rewrite the from header.

Thanks,
--
Brett Parker
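
The distinction drawn in the thread between the envelope sender and the From header, as an added example that is not part of the original posts: a receiver-side check that parses a delivered message, reads the envelope sender from the Return-Path header (where the receiving server records it) and reports whether its domain lines up with the From header's domain. The sample messages, every address in them, the Reply-To usage and the function names are constructed for illustration, and the alignment test is a simplified same-domain-or-subdomain comparison.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; every address is a placeholder.
ALIGNED = """\
Return-Path: <notify@mycompany.example>
From: Site Notifications <notify@mycompany.example>
Reply-To: Ben <ben@mail.example>
To: friend@other.example
Subject: Ben sent you a message

Hello
"""

MISMATCHED = """\
Return-Path: <bounce@relay.example>
From: Ben <ben@mail.example>
To: friend@other.example
Subject: Hi

Hello
"""

def domain_of(value):
    """Return the lower-cased domain of an address header value, or ''."""
    _, addr = parseaddr(value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def sender_report(raw):
    """Compare the envelope sender (Return-Path) with the From header."""
    msg = message_from_string(raw)
    envelope = domain_of(msg.get("Return-Path"))
    header = domain_of(msg.get("From"))
    # Simplified alignment: identical domains, or one a subdomain of the other.
    aligned = bool(envelope and header) and (
        envelope == header
        or envelope.endswith("." + header)
        or header.endswith("." + envelope)
    )
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    return {"envelope_domain": envelope, "from_domain": header,
            "reply_to": reply_to, "aligned": aligned}

if __name__ == "__main__":
    for name, raw in (("aligned", ALIGNED), ("mismatched", MISMATCHED)):
        print(name, sender_report(raw))
```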