Proper Way to Programatically Send Mail Using Google Apps - email

I have a domain which uses Google Apps for Business to handle email. I already have it mostly set up--MX records point to the correct location and my domain is verified.
I'm now writing a python app (with Django) that will need to serve mail from my domain. What's the correct way to do this with Google? Should I create a Google Apps "user" for the organization as a whole, and then authenticate via SMTP as that user and send mail from there?
The Gmail API says that it
is the best choice for authorized access to a user's Gmail data.
and that
Automated or programmatic message sending
is a typical use case. However, I'm not trying to access a user's data or send mail on behalf of a user, but on behalf of my domain. What's the correct way to proceed?
Any help much appreciated!

You could use SMTP or the Gmail API based on your description. In both cases, you'll need some sort of service account to send mail from. With SMTP, as you mentioned, you'll be authorizing via the instructions you linked.
If you choose to use the Gmail API route, you'll be authorizing the API usage with the account. The Gmail API has many other use cases (e.g. to access user's data) but you're only using it to send emails on behalf of a service account you control.

Related

Sending email from GCE or AWS on behalf of users

How could I use Google Compute Engine (or a similar service, like AWS) to send email on behalf of users via their SMTP server?
I am interested in building an online email client which allows users to enter their SMTP and POP servers and send/receive email, like they would with their desktop clients. GCE blocks all SMTP ports to prevent abuse and recommends using a mail service like SendGrid instead. However, after researching dozens of these services, they all seem to only support transactional email using their own SMTP servers, or possibly a pre-cleared smtp server. I simply want to send email using the user's SMTP server (ex smtp.mail.yahoo.com), just like they would if they were using a desktop client.
I realize I could host my own servers but I am not interested in maintaining the infrastructure. I would like to host everything on a cloud service. Is there any way I can work around Google's restrictions with an existing service?
As I'm sure you are aware, you would have to have the user enter their SMTP server information and account credentials. You would then use that information to connect to their SMTP server.
By default AWS EC2 instances have SMTP traffic on port 25 rate limited. To remove this limitation, you would need to fill out and submit the following form:
https://aws-portal.amazon.com/gp/aws/html-forms-controller/contactus/ec2-email-limit-rdns-request
If you're looking to send mail as a Gmail, Hotmail, or Yahoo user, you'll probably want to call the service's API to have the server send mail on the user's behalf. There are several benefits of this:
You'll need to get authorization from users (usually via an OAuth flow)
in order to access their mail. This means that users shouldn't be
surprised that you're sending mail from their accounts, and they'll
have some control over your access.
The mail will be signed and come from the appropriate IP addresses to
comply with the various spam-control mechanisms set up by those
companies. Without this, it's likely that the mail you send will end
up in the bit-bucket of the recipient.
By using the API, the service should be able to keep a copy of the
sent mail in the user's outgoing mail folder. This will let the user
see and search for the original message sent if they want.
Unfortunately, this may also mean that each mail service you want to send from will need separate integration, and that you may not be able to send as the user's email address from smaller providers.
Note that the App Engine mail API allows you to send mail as the currently logged-in user (when logging in, users have a similar consent screen to the OAuth process mentioned above).

Is there any way to access Yahoo IMAP with Oauth2 for new applications?

I'm looking for a way to allow Yahoo application to read user's emails over IMAP. It works well for old applications (that were created before Yahoo Mail API has deprecated), but trying to access IMAP for new applications gives me an error
[AUTHENTICATIONFAILED] (#AUTH007) Bad scope.
Unfortunately, I have no idea how to add a correct scope for accessing IMAP for new applications. During creation of the app, I was not given a choice to add scope with name even looking like 'mail'.
Is Yahoo API just broken or there is some tricky way to work around?
Contact imap-service#yahoo-inc.com
With your Yahoo.com email address and
Brief description of your product.
How will your product use Yahoo user's email content?
How will your product help Yahoo mail users?
What market do you serve?
What is your product's userbase?

How to avoid access to a user's GMail inbox being counted as "hacking attempts"

We want to offer users of our (web-based) personal document management solution the possibility to import documents sent as attachments to their GMail addresses.
Our current solution of just allowing our users's to store their login credentials in our web app and then using this to access the user's GMail inbox via IMAP is not only suboptimal from a security standpoint (we'd rather not store the login credentials, if possible), it also sometimes (maybe when we're polling too often or for too many users's) leads to the login attempts of our app being blocked by GMail. We get the error message "[ALERT] Please log in via your web browser: http://support.google.com/mail/accounts/bin/answer.py?answer=78754" from the IMAP server and our user's report that they see that GMail has blocked some "possible hacking attempts" or similar.
So my main questions are these:
Would switching to OAuth for authentication (and still using IMAP to check our user's inbox, just authenticated with the OAuth tokens) help in this situation? I found documentation on how to do this, I just want to know if it would help in this situation.
Are there any guidelines/quotas/restrictions on how often we should / are allowed to poll a user's inbox (or how many connections we open to GMail in parallel etc.)? I couldn't find anything about this in the developer docs at Googles site.
Is there any other way besides IMAP to be able to import attachments from GMail messages into our app?
Answers to your questions
1.Benefit of using OAuth is that you are not storing user's credential directly.So you will redirect user to google login page,where google will authenticate user and provide you an access token and refresh token,you can then access user's emails using access token and google API.Refresh token is to regenerate that access token.
2.Since gmail supports IMAP4 protocol with Idle you can use it to accept real-time notifications from gmail server when new email comes(you dont need to poll gmail every time)

Single account for multiple OAuth providers (Facebook, Google, Windows Live)?

I have a web application that allows registration and authentication through Facebook, Google and Windows Live. Each OAuth request has the required scope to retrieve associated e-mail addresses from the authentication provider.
The current situation is that an account is created based on the provider and the provided identifier. This means that if a user has logged in with multiple providers the user will have multiple accounts on the web application.
I want to have the ideal situation of having a single acccount even when using multiple providers. I was thinking about using the e-mail addresses to see if an account exists for the user. If it exists, use the account based on the e-mail address.
How safe/reliable is this? Do all OAuth providers mentioned validate e-mail addresses? Better ways?
EDIT: Ran a tests and came up with this. Still looking for further advice :)
FaceBook: Cannot authenticate with unvalidated e-mail. Additional e-mail will not appear until validated.
Google: Provides `verified_email`. Additional e-mail will not appear until validated.
Windows Live: Cannot authenticate with unvalidated e-mail. Additional e-mail will not appear until validated.
Interesting question. You could try to use e-mail to check if user exists, but the problem is, user could be using different e-mail addresses for different providers.
My suggestion would be asking user (once he/she logs into your application using one of the methods) to attach other providers to to this account, so he/she can use them as well to log into your application.
It doesn't completely solve your problem (I'm not sure if solution exists), but user will have more control that way and you'll reduce the amount of accounts per user.

How to provide tenants in SaaS application with their #companyName.application.com specific email services?

In our SaaS application each company (tenant) is given their custom domain like companyName.ourapp.com
We would like to provide some email services like:
Ability to send and receive email notifications from info#companyName.ourapp.com and similar addresses
Ability to create new email accounts in clients' subdamains at runtime, programmatically, when needed. For example we would have separate emails created for each "opening" so that emails sent to this address would be parsed info would be extracted
Similar tasks
For now I just don't even know on where to look and how this could possibly work.
As far as I understand email it should be some kind of custom mail server (SMTP) serving all sub-domains and having API we can use to send emails, list and retrieve messages etc.
Please suggest how it may work and is there any components out there we can use to implement this.
There are three options for this.
Create an email server and programatically configure it to accept or deny the specific accounts. Then use cron to poll via pop3 or imap and download the messages for the account. You can then send them on for the customer or handle them in your web app.
Create a script that is fired by the email server as it receives each email. The script can then handle what to do with the email as it's received.
Use a third party to receive the email via HTTP Post at your app. Using CloudMailin for example would allow you to create a custom authorization filter that would call your app in realtime and determine if the given account exists and messages should be accepted for it.
I wrote a blog post for Rails about receiving incoming email, however the principals would apply to any programming language and framework.