Keycloak SMTP configuration with Google Workspaces - smtp

I'm setting up the SMTP server on my Keycloak instance.
I tried with my Gmail account, just to see if it works. I generated application credentials following Google documentation. It worked nicely.
Now, I want to use the SMTP relay mode on my Google Workspace account, which has a specific domain. Google recommends. It works on other apps I have, but I could not make it work with Keycloak. There is no place to put the Domain so I don't even know if it's possible.
I searched the internet. This guy encountered my issue, but I think he solved it by doing it with application credentials as I did in the beginning.
The thing is, I'd prefer not to use application credentials because that would link my app to a Google User. I could create a dedicated one, but it would be a monthly cost. The SMTP relay solution seemed the perfect way, until I could not make it work.
Is there something I miss? Maybe another way to use Google's SMTP server?
Thank you for reading
Antoine

Related

How to fix less secure app access problem in Gmail?

Google is getting rid of less secure app access feature. I'm using smtp email service for my website's contact page. But after 30 May, 2022 this service will not work probably.
Is there any other way to give third party less secure app access to my Gmail account?
Can an app password solve this problem? I have doubts that setting app password will not give access either as Google said this may not work for less secure app.
So is there any way to fix this so that the SMTP email service works as it should?
TLDR:
I had a similar problem, I set up an App Password, and my email-sending piece of code is working fine again.
This video shows how to set up App Password.
Google's formal instructions for setting up an App Password.
Caveats:
Initially, Gmail had automatically turned off my less secure apps setting because I hadn't used that test account in several months. I turned it on, but since I saw the message that it'd be disabled by 2022.05.30, I went ahead and set the app password. This means my current setup has both less secure apps AND app password enabled in my Gmail account, though I'm only using the app password for authentication.
My program usually ran from within WSL2 on top of Windows 11. Even after setting up the app password, my code was returning a gaierror: [Errno -3] Temporary failure in name resolution error when running from within WSL2. I then tried running it straight from Windows 11 and it worked just fine. I now need to fix the networking issue causing this, but it doesn't seem to be directly caused by using app password.
I hope this helps.
Note: 2-factor authentication needed to be enabled before proceeding.
The less secure apps (https://myaccount.google.com/u/0/lesssecureapps) option is deprecated.
We can use the app passwords functionality provided by Google using the following link.
https://myaccount.google.com/u/0/apppasswords
Use the 16-digit code provided by Google instead of the password, and that should serve as the authentication token.
It can be done via 2-factor authentication and an app password.

duck (CyberDuck CLI) with google drive

I'm trying to get the Cyberduck CLI (duck.sh) to work interfacing with a google drive (not "Google Cloud Storage") and I'm having problems getting the oAuth authorization to work. I found this thread but it's out of date - as the newer versions of Cyberduck do absolutely work with Google Drive. Using the regular cyberduck GUI I can browse and operate on my G-drive instance, but I can't quite quack the code (sorry!) for how to make this work using the CLI.
[lwobker:~]$ duck -l googledrive://<user>#gmail.com/
Authenticating as <user>…
OAuth2 Authentication. Paste the authentication code from your web browser.
Authentication Code: <pasted pass here>
Save password (y/n): n
Disconnecting www.googleapis.com…
Login failed. Malformed auth code. Please contact your web hosting service provider for assistance.
I've tried a number of different URLs, including:
#gmail.com
me#gmail.com#www.googleapis.com
and a couple of others.
I also can't seem to figure out where the GUI version of Cyberduck stores its authorized credentials... if I could re-use those that would be fine, doing a one-time setup at the beginning doesn't break my use case.
I'm somewhat familiar with the Google Developers API, and I've created one for use with this project, but I can't seem to figure out how the Google "Client ID" and other credentials map to the Cyberduck tool.
Make sure you paste the auth code obtained from the Google login page opened exactly as is without any line breaks. More information is available in the wiki.

Google Compute Engine (GCE) email delivery solution HOW TO?

I have a project uploaded on Google Cloud and on that project whenever someone registers he gets an email saying "welcome".
When this project was hosted on a web server (not a Google Cloud server) it was working fine and emails would go out on registration.
But since the project has been moved to Google Cloud the email services have stopped. All the other functionalities are working fine.
Is there something I am missing out, or does Google want us to get an email domain from Google?
Coding language - CakePHP
Database - MySQL
I have already unblocked ports 25, 587 and 465, but that also did not resolve the issue.
Please advise and help.
I think you may have to use SendGrid to use other email than gmail.
As described in this document:
https://developers.google.com/compute/docs/sending-mail
There are examples listed there as well.
I deployed a relay outside of GCE and configured it to listen on TCP/588 (non standard SMTP port) and then configured all of my GCE instances to relay to that host over TCP/588. That's been working great for months now.

Joomla PHP Mail vs. SMTP

I've been asked to change all of our current Joomla sites from using PHP Mail to SMTP.
The background: we were recently compromised through a vulnerable component on one of our sites. We have a dedicated server, running CPanel. The hack involved a file being uploaded to one account, which had a file manager (with access to /home, ie. all other accounts). From there, another file was uploaded that began sending emails - not enough to catch with ease, but eventually enough to get our main server IP blacklisted. Because the main IP was blacklisted, many of our other sites (for which we also host email) were also blacklisted.
My argument (your comments/ideas on this are much appreciated!)
Changing to SMTP will not solve this instance
It would solve the issue of any vulnerable components where an email can be sent via a request spoof (ie. option=com_users?task=email&..., or something similar to that)
Because the hacker has access to the files in the account, they also have access to the configuration.php file, which holds the SMTP password in plain text. Access to this means they would also have access to the SMTP server.
The SMTP that we would be using is localhost, which doesn't solve the issue of our IP being blacklisted.
My first idea was to provision/setup SMTP on a separate IP (or server), but that can still be blacklisted if a site gets hacked.
The second idea was to provision each site a unique IP, so no one site can get the rest blacklisted.
So I'm a bit lost. Before we tackle the task of setting the mailing function to SMTP, testing each site (there's roughly 70, with varying components to test) I'd like to have a better idea of what's the best route, if any.
It seems that either setting in Joomla is insecure in the event of a compromised site, no?
Find where your server is blacklisted, and apply to be removed. Note: if any of the sites require payment to be de-listed, ignore them. [eg: SORBS] Nobody cares about extortionists, trust me. I was admin for several busy mail servers for the last few years.
If you're completely switching from PHP-based mail() on all sites, then disable the mail agent on the server. mail() simply submits to the MTA running on the server [usually Sendmail or Postfix] and if your server is compromised again they will still be able to spam out.
Yes, your SMTP credentials will be stored in a config file somewhere, but most instances the intruder won't even bother to look for them. They simply drop in a basic PHP script that calls mail() and that's it.
If mail service is at all important to you, you should always monitor:
The reputation of your outbound server.
The abuse mail for your domain. It will either be coming to abuse@yourdomain.com, or the abuse@ contact for whoever owns the IP address block.
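Added example, not part of the answer above: one way to automate the "find where your server is blacklisted" and "monitor the reputation of your outbound server" steps is a scheduled DNSBL lookup for the server's sending IP. The zone names and the 192.0.2.10 address are placeholders, and the `resolve` parameter is an assumption added so the check can be exercised without network access.

```python
import ipaddress
import socket

# Hypothetical zone names, for illustration only; use the lists that matter to you.
ZONES = ("dnsbl.example", "bl.example.net")
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")   # RFC 5782 answer range
NOT_FOUND = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}


def dnsbl_name(ip, zone):
    """Build the query name: reversed octets (IPv4) or nibbles (IPv6) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def check(ip, zones=ZONES, resolve=socket.gethostbyname):
    """Return {zone: status} for one outbound IP."""
    results = {}
    for zone in zones:
        try:
            answer = ipaddress.ip_address(resolve(dnsbl_name(ip, zone)))
        except socket.gaierror as exc:
            # Only "no such name" means clean; a resolver failure must not
            # be reported as a clean result.
            results[zone] = "clean" if exc.errno in NOT_FOUND else f"error:{exc.errno}"
            continue
        if answer in LISTED_NET:
            results[zone] = f"listed:{answer}"
        else:
            # e.g. a resolver that rewrites NXDOMAIN to a landing page
            results[zone] = f"unexpected:{answer}"
    return results


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address standing in for your mail server's IP.
    for zone, status in check("192.0.2.10").items():
        print(zone, status)
```

Run it from cron against each sending IP and alert on any status other than `clean`; an `error` or `unexpected` result means the lookup itself cannot be trusted, not that the IP is unlisted.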

Plesk, SMTP and sending e-mail from same domain

I have a server with Plesk installed.
On that I've created a domain, my-domain.com, and added an e-mail account noreply@my-domain.com with access to SMTP for sending e-mails.
With PHPMailer or Swift Mailer I am able to send via the SMTP account noreply@my-domain.com whenever the from address is outside the my-domain.com, for example info@my-second-domain.com.
Whenever I'm using an e-mail address that ends in @my-domain.com it fails.
I've tried to look in the /usr/local/psa/var/log/maillog file, but it only stores the mails that don't fail.
Can someone help me figure out where the problem is?
You can try this:
Delete the related domain in the qmail file /var/qmail/control/virtualdomains
Then reload/restart qmail. Now it should work.
More technical background at http://forum.parallels.com/pda/index.php/t-93222.html
Benjamin's answer didn't work on my installation (Plesk 11.5), but I found another solution:
just turn off the mail service itself. It might not be the solution for everyone but it was for me (my domain's MX records pointing to another server, with some scripts sending emails here and there).
You can turn off the mail service fairly easily using Plesk GUI.
Then uncheck
However, this won't turn it off for subdomains and secondary domains you might have. No problem, just log in with ssh and run this command:
/usr/local/psa/bin/domain -u mydomain.example.com -mail_service false
And if one day you decide you want to turn it back on just replace false by true.