Error 535 - sending SMTP Email to SendGrid using Telnet - testing

I'm trying to send an SMTP Email to SendGrid using Telnet and getting "535 Authentication failed: The provided authorization grant is invalid, expired, or revoked" as a response when I enter my base64 encoded API Key.
I have authenticated my domain.
I have a Full Access SendGrid API Key (and converted it to base64).
I have created and verified a sender (but it has a mere ...@gmail.com address).
I am following the steps at https://docs.sendgrid.com/for-developers/sending-email/getting-started-smtp.
I have tried port 25 and port 587, but I can't get beyond step 4: Enter your Base64 converted API Key.
What could be causing this error?
Do I need to create a sender with a business email address?
Do I need a paid SendGrid plan?

Related

Gmail sending problems

So I tried smtplib to send Gmail automatically; however, it failed because of an error. After some checking, my username and password are correct. So I want to ask if there were any mistakes that can lead to this error.
Here is my code. The port is 465, and I don't want anyone to know my password and my username.
The error message "username and password not accepted" is the standard error message you get from the SMTP server when sending the user's actual Google password.
This method of authentication is not accepted by the SMTP server after May 30, 2022. This is partially due to the removal of Less secure apps & your Google Account, and mostly because client login is not considered to be secure.
Your options are to enable 2FA on your Google account and create an app password. Simply use it in place of the password in your code:
smtp.login(username, appsPassword)
Or use XOAUTH2 and authenticate the application.
Create a sendEmail() function, which will help to send emails to one or more recipients by calling the function.
import smtplib

def sendEmail(to, content):
    # Connect to Gmail's submission port and upgrade the connection to TLS
    server = smtplib.SMTP('smtp.gmail.com', 587)
    server.ehlo()
    server.starttls()
    server.login('youremail@gmail.com', 'your-password')
    # 'to' may be a single address or a list of addresses
    server.sendmail('youremail@gmail.com', to, content)
    server.close()

content = "Message to send"
to = "useremail@gmail.com"
sendEmail(to, content)
NOTE: Do not forget that smtplib requires the 'enable the less secure apps' feature in your Gmail account. Otherwise, the sendEmail function will not work properly.
Create App Password: App Passwords

outgoing mail server on odoo

I have created a record on the "ir.mail_server" model, which is the outgoing mail server model, configured as:
SMTP Server = smtp.gmail.com
SMTP port = 465
Connection Security = SSL/TLS
Username = my gmail id
Password = my gmail password
I tested the connection too, and it gives me the message "Connection Test Succeeded! Everything seems properly set up!"
Previously this was working perfectly,
but now when I send an invoice through mail in Odoo it is sent without error, but the recipient is not receiving the mail.
Any help will be appreciated.
Google made updates to the security measures related to app access, so you will not be able to use your password. You need to use App Passwords.
In your Google account: go to Manage your Google Account and select Security:
Turn on 2-Step Verification.
Once 2-Step Verification is turned on, the app passwords option will be enabled and it will be shown under 2-Step Verification.
Click on App passwords, create an App password and copy the 16-digit password which you got.
Use that 16-digit password instead of the password in the Odoo email configuration settings.
You can refer to Google help for more details about how to create app passwords.

How to generate tokens for mail verify or forgot password without FusionAuth sending mail?

Until yesterday I was using the default mechanism of sending mails like "verify mail" or "forgot password mail". These mails have special tokens included inside the mail. Both of these endpoints also return tokens in the response body.
I am now changing the way of sending mails in my application and I want to do it with a separate service. So to activate my users or change their password I need these tokens, but I don't want FusionAuth to send emails. When disabling "verify mails" or "forgot password", calling these endpoints results in a 403. Is there a way to get these tokens without starting the process of sending a mail by FusionAuth?
The workaround is to add a fake host to the mail config. But it isn't the best idea, since I then see an error in the logs when generating tokens.
You can use the /api/user/forgot-password API and set sendForgotPasswordEmail to false.
In the Forgot Password API it is the second example:
Start the forgot password workflow using an API key
This will create a token for you and will not send the email. You can then build the link yourself and send the email through an external service.

How does DKIM prevent impersonation?

I understand that DKIM can be used to prevent the spoofing of the "From:" header in an email. Email receivers can validate the DKIM-Signature to verify the "From:" header.
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; **d=example.com**;
    h=from:to:subject:content-type; **s=smtpapi**;
    bh=Qdu07jaeIipfZPkXZqzhD3HXzeo=; b=skdennE1MwDXUGfm/mox/OF8MJjaq
    jrE3ETrbeE4PdvokFigU5qTuf2LJ8M9MmxCm4ji6G+CG4u7eKeCdMgAFgEwZCVhp
    8UFYUwXkHFqgzKznGremWWHaXU9aIzUtWyFuOziZhqcP3Jn7/V8xyaCEIPP0dz6b
    aaaI87oazVBMp8=
From: CEO <ceo@example.com>
For instance, in this email header, the DKIM-Signature says to check "smtpapi._domainkey.example.com" for the public key used to sign the email headers.
But couldn't the attacker simply replace the entire DKIM-Signature content to point to another domain that they control, and re-generate the DKIM-Signature with a set of keys that they own? This would create a valid DKIM-Signature, but would allow email spoofing.
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; **d=attackerDomain.net**;
    h=from:to:subject:content-type; **s=attackerKey**;
    bh=Qdu07jaeIipfZPkXZqzhD3HXzeo=; b=skdennE1MwDXUGfm/mox/OF8MJjaq
    jrE3ETrbeE4PdvokFigU5qTuf2LJ8M9MmxCm4ji6G+CG4u7eKeCdMgAFgEwZCVhp
    8UFYUwXkHFqgzKznGremWWHaXU9aIzUtWyFuOziZhqcP3Jn7/V8xyaCEIPP0dz6b
    aaaI87oazVBMp8=
From: CEO <ceo@example.com>
Using DKIM, would an email receiver be able to determine that the first email is valid, while the second email is spoofed? How does the email receiver know which DKIM servers are authoritative for the "example.com" domain? (example.com vs attackerDomain.net)
If they created a new key pair and pointed it to their domain, then they would be authenticating on that domain and not the domain they are trying to spoof.
In order for them to spoof a legitimate domain, they would need to obtain your private key, and then sign outgoing mail on their mail server with that private key.
However, they will not pass SPF authentication, because the server they are sending from is not authorized.
When your legitimate mail server sends out mail, it signs the mail with a cryptographic signature using your private key. The receiving e-mail server does a lookup of the public key (remember, it's your public key that you publish yourself) and validates it.
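To make the answer above concrete, here is an added example (not from the question or either answer) that parses the two DKIM-Signature headers from the question, derives the DNS name a verifier would query for the public key, and then checks DMARC-style identifier alignment, i.e. whether the signing domain in d= matches the From: domain. DKIM on its own only proves who signed; it is DMARC that requires d= to align with From:, which is exactly what separates the example.com message from the attackerDomain.net one. The header strings are constructed from the question; the relaxed-alignment check is an approximation that does not consult a public suffix list.

```python
import re

# Constructed inputs modelled on the two headers in the question (signature values truncated)
LEGIT = """DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=example.com;
 h=from:to:subject:content-type; s=smtpapi;
 bh=Qdu07jaeIipfZPkXZqzhD3HXzeo=; b=skdennE1MwDXUGfm/mox/OF8MJjaq
From: CEO <ceo@example.com>
"""
SPOOF = """DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=attackerDomain.net;
 h=from:to:subject:content-type; s=attackerKey;
 bh=Qdu07jaeIipfZPkXZqzhD3HXzeo=; b=skdennE1MwDXUGfm/mox/OF8MJjaq
From: CEO <ceo@example.com>
"""

def unfold(headers):
    """Join RFC 5322 folded continuation lines (leading whitespace) back onto their header line."""
    return re.sub(r"\r?\n[ \t]+", " ", headers)

def dkim_tags(headers):
    """Return the tag=value pairs of the first DKIM-Signature header as a dict."""
    m = re.search(r"^DKIM-Signature:\s*(.*)$", unfold(headers), re.M)
    tags = {}
    if m:
        for part in m.group(1).split(";"):
            if "=" in part:
                k, v = part.split("=", 1)  # maxsplit=1 keeps the '=' padding in bh=/b= values
                tags[k.strip()] = v.strip()
    return tags

def selector_record(tags):
    """DNS TXT name the verifier queries for the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def from_domain(headers):
    """Domain part of the address in the From: header (lower-cased), or None."""
    m = re.search(r"^From:[^\n]*?@([A-Za-z0-9.-]+)", unfold(headers), re.M)
    return m.group(1).lower() if m else None

def aligned(headers, strict=False):
    """DMARC-style alignment: does the signing domain d= match the From: domain?
    strict requires an exact match; relaxed also accepts one being a subdomain of the other
    (an approximation of organizational-domain matching)."""
    d = dkim_tags(headers).get("d", "").lower()
    f = from_domain(headers)
    if not d or not f:
        return False
    if strict:
        return d == f
    return d == f or f.endswith("." + d) or d.endswith("." + f)
```

A verifier that fetched smtpapi._domainkey.example.com and checked the signature would accept the first message on alignment, while the second, although validly signed by attackerDomain.net, is rejected because d= and From: disagree.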
SHORT ANSWER:
DKIM makes impersonation DIFFICULT, not IMPOSSIBLE:
All a DKIM validated email proves is that it came from the domain whose key signed it. It might have come from a legitimate member of the organization, or it might be from a hacker who has gained access to their DKIM configured mail server either as an open-relay or through a compromised user's account that could put mail through the server.
But an email FAILING DKIM validation on the recipient's mail server DOES necessarily prove forgery and/or tampering in transit. A subtle but very important nuance.
So the only thing a DKIM-signed email can prove in absolute terms is in the case of a FAILED test: the email is either spoofed and/or has been modified in transit. An email PASSING DKIM validation only proves the mail was signed by the domain's key.
And in the case of an unauthorized user (somebody without a set of credentials issued by the organization to use their mail server) or an open relay, DKIM validation can actually serve to confer credibility on a bad actor, leading staff to let their guard down when considering its content.
LONGER Answer:
I received a DKIM signed email notifying me:
The password for your email account (victim@example.com) expires today 10/11/2022 12:01:50 p.m.
Keep and continue with the same password using the below portal.
I opened "View Source" and the link behind the button was revealed to be:
https://jccm.com.ve/wap/MailUpdateFresh/index.html#victim#example.com
I found such a claim incredulous, as I configured and administer my own mail server. I have no relationship with any companies in Venezuela in respect of the provision of my mail services.
This clearly was a phishing email.
How did the Phishing email pass DKIM Validation?
So I checked the headers and found the email had successfully passed DKIM validation:
Received-SPF: pass (ee-smarts.top: 106.75.143.14 is authorized to use
    'sales@ee-smarts.top' in 'mfrom' identity (mechanism 'a' matched))
    receiver=mail.example.com; identity=mailfrom; envelope-
    from="sales@ee-smarts.top"; helo=ee-smarts.top; client-ip=106.75.143.14
Authentication-Results: mail.example.com;
    dkim=pass (1024-bit key; unprotected) header.d=ee-smarts.top
    header.i=sales@ee-smarts.top header.a=rsa-sha1 header.s=default header.b=EO/D+N5H
Received: from ee-smarts.top (ee-smarts.top [106.75.143.14])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mail.example.com (Postfix) with ESMTPS id BD4245DAF4
    for <victim@example.com>; Tue, 11 Oct 2022 13:02:44 +0100 (BST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; d=ee-smarts.top;
Using the value of s=default in the header, I then checked the TXT record for the key:
host -t txt default._domainkey.ee-smarts.top
default._domainkey.ee-smarts.top descriptive text "v=DKIM1; k=rsa;
    p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCteqwk5m985UgrkYNFy0U6I6k+
    QYGTilepE1Mrit5+LXAMFVfdArvbK99AljxpbSOJEOYvkQmAqgtCBgD0tlSmGjiFCQ
    A7ylPzp9Owsq/OCPjpAMWA/eHwZua8FKFwPcPvRpww34z9lNr0+XJOb5+6B16tV+BK
    La5y8fUgpCLKGQIDAQAB"
As far as I could see, the sending mail server WAS configured for DKIM, and thus my own mail server rightly passed the validation.
So what happened?
Only two things were possible:
Either somebody was foolish enough to DKIM-sign phishing emails from their own domain, OR
the phishing email was passed through a DKIM-configured OPEN-RELAY mail server.
Further investigation revealed the latter was the case:
The following are attempts from publicly listed open relays on
ordb.org, spamhaus.org and spamcop.net. If you're here, don't contact us
to get off. We do not determine who is in the ORDB. (These are the
connect attempts we've denied for the previous day)
What was the trick?
The miscreants weren't trying to get me to respond to the message itself, but merely to trick me into clicking on a link in the email, which now had DKIM-conferred credibility, so as to trick me into compromising my email account credentials. Notice they didn't want me to CHANGE my credentials: the phishers' default was "KEEP SAME PASSWORD".
Conclusion
In this case, DKIM served to confer a high level of credibility on phishers attempting to gain my email credentials. So DKIM works, but only if the DKIM-configured mail server is not an open relay. Thus, DKIM cannot 100% guarantee that impersonation is not possible in the case of an open relay. This is a serious Achilles' heel of DKIM from my own observations.

Bugzilla Gmail SMTP failed to authenticate

I have a Bugzilla 4.4.2 installation. I want to use the Gmail SMTP service to send email from my application. I have applied these blogs:
http://www.dawood.in/bugzilla-alerts-using-gmail/
http://prasadlinuxblog.wordpress.com/2014/02/26/975/
I applied the patches mentioned there and configured the MTA parameters in the Bugzilla admin section with my Gmail user name and password. Note that I am not using two-step verification in my Google account. So after all this, the application fails with an Authentication Error. It says the following message:
There was an error sending mail from 'myemailaddress#gmail.com' to 'receiver#gmail.com': Could't set FROM: 530 5.5.1 Authentication Required. Learn more at at lib/Email/Send/SMTP/TLS.pm line 49
Can't really figure out what's going wrong here. I found one similar question, https://stackoverflow.com/a/8533805/3692283, but I am already following the solution mentioned there.
Check whether the email entered as the SMTP user is still valid. If the password is no longer valid, then it cannot be used as the SMTP user name.
The SMTP password is the email account's password.