Is Django 1.7 mailing API "insecure"?

Tags:

django

By seeing this answer I learned that Google blocks certain apps from connecting, due to a "lack of application of modern security standards" in those apps, and that I can make Google allow my account to connect from such apps, but I must do that explicitly.

This was due to an issue in Django mailing:

from django.conf import settings
from django.core.mail import send_mail
from django.template.loader import render_to_string

# FORM_DESTINATIONS is a project-specific setting: a list of {'address': ...} dicts
send_mail(
    u"Message",
    render_to_string('template.txt', {'data': data}),
    settings.EMAIL_HOST_USER,
    [dest['address'] for dest in settings.FORM_DESTINATIONS],
    html_message=render_to_string('template.html', {'data': data}),
)

And my EMAIL_ settings involve a @gmail.com account (neither SSL/465 nor TLS/587 worked).

Does this mean Django 1.7 has an insecure mailing mechanism? What does "secure" mean in this context and what mailing standards is Django not applying?

Edit: Even though I provided context for this question (a pointed answer and related links/docs), perhaps some readers may not find where Google talks about "secure"/"insecure" applications. By entering here using your Google account credentials there is an option telling about "less secure apps" which leads to this page, which has a "More Info" link pointing here (this link does not need authentication).

Luis Masuelli asked Oct 31 '22 16:10


1 Answer

Sending email via SMTP with Django requires you to store your password in plain text on your server. Apparently, Google considers storing the password in plain text a security risk and wants you to use either OAuth 2.0 or two factor authentication with application specific passwords. See http://googleonlinesecurity.blogspot.de/2014/04/new-security-measures-will-affect-older.html

It is up to you to decide whether you consider storing the email password in plain text on a server a security risk. Keep in mind that you usually store your database password in plain text too, so when an attacker is able to read your application settings, it is pretty much game over anyway.

I would suggest enabling two factor authentication and using an application specific password, especially if you use that Google account for more than just sending mail from your server.

Daniel Hepper answered Nov 15 '22 09:11
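As an added example (not code from the question or the answer, and not Django's own code), the following Python audits a Django EMAIL_* configuration for the two things discussed on this page: the mail password sitting as a string literal in settings.py, and a TLS/SSL-versus-port combination that makes "neither 465 nor 587 worked" a likely outcome. The EMAIL_* setting names and the mutual-exclusion rule for EMAIL_USE_TLS/EMAIL_USE_SSL are Django's real ones; the functions, the regex and the sample settings text are assumptions constructed for this example.

```python
import re

# Django's real SMTP backend setting names are used below; the helper
# functions and sample data are constructed for this example only.

# Constructed sample of a settings.py that hardcodes a (fake) Gmail password
# and pairs STARTTLS with the implicit-SSL port.
HARDCODED_SETTINGS_SOURCE = '''
EMAIL_HOST = 'smtp.gmail.com'
EMAIL_PORT = 465
EMAIL_USE_TLS = True
EMAIL_HOST_USER = 'someone@gmail.com'
EMAIL_HOST_PASSWORD = 'example-password'   # literal committed to the repo
'''

# Matches an assignment of a string literal to EMAIL_HOST_PASSWORD.
PASSWORD_LITERAL = re.compile(r"""^\s*EMAIL_HOST_PASSWORD\s*=\s*['"]""", re.MULTILINE)


def settings_from_source(source):
    """Execute a settings.py text (as Django would import it) and keep the
    EMAIL_* names; used here only on the constructed sample above."""
    namespace = {}
    exec(source, namespace)
    return {k: v for k, v in namespace.items() if k.startswith("EMAIL_")}


def load_email_settings(environ):
    """Build the EMAIL_* dict from a mapping such as os.environ, so the
    password lives outside the code base. Defaults mirror Django's own
    (localhost:25, no TLS/SSL, empty credentials)."""
    return {
        "EMAIL_HOST": environ.get("EMAIL_HOST", "localhost"),
        "EMAIL_PORT": int(environ.get("EMAIL_PORT", "25")),
        "EMAIL_USE_TLS": environ.get("EMAIL_USE_TLS", "0") == "1",
        "EMAIL_USE_SSL": environ.get("EMAIL_USE_SSL", "0") == "1",
        "EMAIL_HOST_USER": environ.get("EMAIL_HOST_USER", ""),
        "EMAIL_HOST_PASSWORD": environ.get("EMAIL_HOST_PASSWORD", ""),
    }


def audit_email_settings(settings, settings_source=""):
    """Return a list of findings for a Django EMAIL_* configuration.
    settings_source, if given, is the text of settings.py and is scanned
    for a password written as a string literal."""
    findings = []
    tls = bool(settings.get("EMAIL_USE_TLS"))
    ssl = bool(settings.get("EMAIL_USE_SSL"))
    port = settings.get("EMAIL_PORT")
    has_creds = bool(settings.get("EMAIL_HOST_USER"))

    if tls and ssl:
        findings.append("EMAIL_USE_TLS and EMAIL_USE_SSL are mutually exclusive; "
                        "Django's SMTP backend raises ValueError")
    if has_creds and not (tls or ssl):
        findings.append("credentials set but neither STARTTLS nor SSL enabled: "
                        "the password would be sent in clear text")
    if ssl and port == 587:
        findings.append("EMAIL_USE_SSL on port 587: 587 is the STARTTLS port, "
                        "use EMAIL_USE_TLS or switch to 465")
    if tls and port == 465:
        findings.append("EMAIL_USE_TLS on port 465: 465 is the implicit-SSL port, "
                        "use EMAIL_USE_SSL or switch to 587")
    if PASSWORD_LITERAL.search(settings_source):
        findings.append("EMAIL_HOST_PASSWORD is a string literal in settings.py; "
                        "load it from the environment or a secrets store")
    return findings


if __name__ == "__main__":
    # Before: the constructed settings.py with the literal password.
    hardcoded = settings_from_source(HARDCODED_SETTINGS_SOURCE)
    for finding in audit_email_settings(hardcoded, HARDCODED_SETTINGS_SOURCE):
        print("finding:", finding)

    # After: constructed environment standing in for os.environ, with an
    # application-specific password supplied at deploy time.
    deploy_env = {
        "EMAIL_HOST": "smtp.gmail.com",
        "EMAIL_PORT": "587",
        "EMAIL_USE_TLS": "1",
        "EMAIL_HOST_USER": "someone@gmail.com",
        "EMAIL_HOST_PASSWORD": "constructed-app-password",
    }
    print("findings after fix:", audit_email_settings(load_email_settings(deploy_env)))
```

Loading the password from the environment does not change the answer's core point: whatever the process can read to authenticate to SMTP, an attacker who can read the process's configuration can read too. What an application-specific password adds is that it can be revoked on its own without changing the account password, and what the environment-based loader adds is that the secret never lands in version control.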