My application is Ruby on Rails, but I expect any answers to this question will probably be framework agnostic.
My application sends emails via Gmail SMTP using Rails ActionMailers, à la:
    mail = MyActionMailerSubclass.setup_email
    options = { :address              => "smtp.gmail.com",
                :port                 => 587,
                :domain               => 'mydomain.com',
                :user_name            => '[email protected]',
                :password             => 's3cur3p@s$w0rd',
                :authentication       => 'plain',
                :enable_starttls_auto => true }
    mail.delivery_method :smtp, options
    mail.deliver
OK, that's great... there's my password for Gmail in plain text in the application code. Or I could store it in the database in plain text. Obviously both are unacceptable.
Salting and hashing, the usual technique, won't work here because I need to send the password along to Gmail.
So, what strategies are there for securing a password for a third-party service?
Ultimately that user name and password won't even belong to me; they will belong to the application end-user.
Gmail's SMTP server supports two authentication mechanisms: PLAIN and XOAUTH. The PLAIN mechanism requires that you know the user's plaintext password, and I'm glad you aren't prepared to store those.
Take a look at the OAuth protocol as used by Gmail. I haven't ever used it and I just found out that Gmail supports it for SMTP, so I can't help any further, but I'd say that's precisely what you want. OAuth is a way for a service (such as Gmail) to allow third-party services (such as yours) to perform a limited set of actions on behalf of users without logging in with their password.
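To make the answer's suggestion concrete, here is an added example (my own code, not from the question or the answer) of what the client side of token-based SMTP authentication to Gmail looks like. Gmail's current mechanism is SASL XOAUTH2, the successor of the XOAUTH the answer names; the client sends `AUTH XOAUTH2` followed by a base64 string built from the user's address and an OAuth access token, so no password is ever stored or transmitted by the application. The example assumes the access token was already obtained through the OAuth consent flow and is handed to the process via the environment variables `GMAIL_USER` and `GMAIL_ACCESS_TOKEN` (names chosen here, not standard); it does not open a network connection.

```ruby
# Added example: building the SASL XOAUTH2 exchange for Gmail SMTP with an
# OAuth access token instead of the user's password. Offline; nothing here
# connects to smtp.gmail.com.
require "base64"

# SASL XOAUTH2 initial client response:
#   "user=" <email> ^A "auth=Bearer " <token> ^A ^A      (^A is byte 0x01)
# and then base64-encoded as a single line.
def xoauth2_initial_response(user, access_token)
  raw = "user=#{user}\x01auth=Bearer #{access_token}\x01\x01"
  Base64.strict_encode64(raw)
end

# The one command line the client sends after STARTTLS, e.g.
#   AUTH XOAUTH2 dXNlcj1hbGljZUBleGFtcGxlLmNvbQFhdXRoPUJlYXJlci...
def xoauth2_auth_command(user, access_token)
  "AUTH XOAUTH2 #{xoauth2_initial_response(user, access_token)}"
end

# Credentials stay out of the code base and out of the database: only the
# short-lived access token is present at runtime, read from the environment.
# Variable names are assumptions for this example.
def smtp_oauth_credentials(env = ENV)
  {
    user:         env.fetch("GMAIL_USER"),
    access_token: env.fetch("GMAIL_ACCESS_TOKEN"),
  }
end

# For log lines: never write the token itself, keep only its last 4 characters.
def redact_token(token)
  return "****" if token.length <= 4
  "#{'*' * (token.length - 4)}#{token[-4..]}"
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample values, not real credentials.
  creds = { user: "alice@example.com", access_token: "ya29.example-token" }
  puts xoauth2_auth_command(creds[:user], creds[:access_token])
  puts "authenticating as #{creds[:user]} with token #{redact_token(creds[:access_token])}"
end
```

In practice the token expires after a short time, so the application stores the refresh token (encrypted, server-side) and exchanges it for a fresh access token before each delivery; the user's Gmail password never enters the system. If your Ruby `net-smtp` version ships an XOAUTH2 authenticator, the same string is what it produces when you pass the access token in place of a password with an `:xoauth2` authentication type; check the gem version you have before relying on that.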