Is it a good practise to validate email addresses using SMTP validation? - smtp

Let's imagine that I have a site with some features that require email validation (eg. user registration). Of course I will validate emails using regex but once upon a time I saw SMTP validation in someone else's code. What good and bad sides has SMTP validation?
I can assume the following pros and cons:
Pros:
We can check out some email addresses for existence (not all SMTP servers allows this feature).
Cons:
Our site can be blocked.
Maybe we can use this to make webserver going down. Webserver will take domain part of email address and make request to it. We can create fake SMTP server that will receive request but will make great delay to response. Maybe if we force webserver to make dozens of such checks it will not be able to answer other clients.
Not all SMTP servers provide this capability.
Please be constructive.

"SMTP Validation" I assume refers to the SMTP VRFY command, and in this day and age you would be a fool to trust in it. It's a great feature if you're a spammer because it allows you to enumerate email addresses for a given server.
No one in their right mind will expose this command to the internet and have it respond with anything other than 252 send some mail, i'll try my best, aka "I'm only going to validate email addresses during an actual mail transaction".
The only sane use of VRFY these days is as an internal interface between a spam filtering appliance and the mail server hiding behind it.
TL;DR Don't use "SMTP Validation", it will be horribly unreliable at best.
If you want to validate that a user has entered a valid email address, then send it an email with an activation link/code.

In addition to Sammitch's answer, there are email validation services available via API that can provide SMTP validation - sometimes down to the mailbox level - for reasonable prices.
You can find these with a simple Google search, but I'm told LeadSpend and QAS (an Experian subsidiary) are among the best of the bunch.

Related

can you use a custom smtp server with docusignapi in development mode

In developing our docusign application, we need to use real emails addresses (to test the addressing logic, etc.) but we do not want those users to get all the development envelopes. In our own code, we handle this using mailtrap.io, a custom SMTP service that traps emails and sends them all to a common inbox that developers can review. Is there a way to do something similar in your docusign developer account, where you would be using real email addresses, but they would not actually go the intended user.
thanks,
~Bill
Thanks for any help
No, you cannot. The emails are sent from DocuSign.
If you want to test the real thing, completely real, then it also includes emails being sent.
If you are ok making any change, so it's not 100% like the real thing, I would suggest to take your email address and change the domain (mailinator.com or your own internal domain) this is a change, yes, but also changing the SMTP server is a change, so in either case - you are not doing 100% what the real app will do.
The emails can also be suppressed (by changing account settings in DocuSign), but again, that won't test the real thing if that's what you need.

They have won. I cannot use a custom SMTP server for my user registration

I have tried to have my SMTP server with exim4 for a while to send ecommerce registration and transaction confirms.
I followed all the good rules, like SPF, DKIM, DMARC, SMTP encryption. The postmaster tool by google said the IP has a good reputation and there are not spam traffic.
I reached a antispam test result of 10/10 using https://www.mail-tester.com/ or some similar tools.
But everything was not enough, my ecommerce registration messages are sent to spam by Gmail and it is the same with some other famous providers. I have understood I can't do nothing against.
Then, what is a good solution for user registration for an ecommerce? How can I reduce the messages delivered to spam folder?
I'm afraid you haven't provided enough information to identify the problem.
Hundreds of factors can contribute to deliverability outcomes; it's not as simple as setting up authentication, reverse DNS, etc. In addition, no free mail tester can accurately tell you how your deliverability will be at Gmail, Outlook, Yahoo, etc., because mail testers don't have the same data those ISPs use to make spam filtering decisions.
If you want more reliable deliverability, it's generally easiest to use a transactional email service to send email, rather than trying to run an SMTP server yourself. There are occasional exceptions to this, but because most senders will have an easier time using one of these services, it's almost always the first thing to try.
(How do email services provide better deliverability? A number of ways, but I think the biggest difference is that they can more closely manage the email sending reputation of their IP ranges. Having anti-spam systems built into the service enables them to resolve problems that much faster, compared to hosting providers which tend to have fewer tools and less data available to stop spammers, so their IP ranges' sending reputation is usually worse.)
Here is something you can try that may help.
Use a 3rd-party delivery provider (AWS SES, SendGrid, Mailgun) with a Good IP reputation. Here's a list of places you can check their IP reputation https://www.helloinbox.email/#reputation (Talos and Barracuda).
Use a subdomain to send transactional emails (email.example.com).
Let me know if that doesn't work.

XMPP Google-like solution for sync server notifications

I'm looking for an easy way to implement the XMPP server running with the following protocol:
https://developers.google.com/cloud-print/docs/rawxmpp
The only difference is that I must use X-GOOGLE-TOKEN authentication mechanism: https://stackoverflow.com/a/6211324/227244
The procedure is simple: I get the token from the data sent by a client, request user data based on this token and set the JID accordingly, appending some random chars to the resulting JID.
After that other clients with possibly different tokens, but same user account, connect to the XMPP resource and for clients who are subscribed the broadcast of push notifications is enabled.
What amount of the server code can be borrowed from the currently available implementations? I would avoid writing all of the server code myself, though the logic is pretty simple. I know there're ejabberd and prosody xmpp servers which implement lots of XEP. Which one is easier to add the custom handling mechanism to? Can you suggest other stable alternatives for the core xmpp server?
The way google has designed X-OAUTH2 is dead simple and straightforward to implement. Infact, there is no difference between how PLAIN and X-OAUTH2 mechanisms work. You can simply pick a standard PLAIN implementation and make it work for google X-OAUTH2 authentication mechanism with no extra effort.
I am author of Jaxl PHP library and I recently announced support for X-OAUTH2 inside the library. Here you can see exact lines of code I had to write to support this. The only relevant piece of code is:
switch($mechanism) {
case 'PLAIN':
case 'X-OAUTH2':
$stanza->t(base64_encode("\x00".$user."\x00".$pass));
break;
For X-OAUTH2 implementation $pass is nothing but your oauth token. In short, password field from PLAIN auth mechanism becomes oauth token for X-OAUTH2 mechanism. Rest all remains the same.

Webapp sending email via gmail SMTP a bad idea?

TL;DR - Any webapp devs out there able to squeeze performance out of using gmail as SMTP server without a 3-10 minute delay to delivery?
I'm looking for some feedback from developers who are using gmail as a secure SMTP server for use with Webapps.
Within the past 2 weeks, my company has switched to gmail to host email for our domains.
I have a few webapps that send from our ISP server, but I'd like to refactor the code to use gmail with our domain name. I know the ISP can rig things up, but I don't want relay issues.
I have gmail sending for the Webapps and it's more or less working. On ASP/IIS, I'm using SSL and on PHP Linux, I'm using TLS.
It seems that TLS (port 587) works better than plain old SSL (port 465), but the overall performance difference seems minimal.
What concerns me is that there is often a significant delay (10-20 minutes at times) to get email to a recipient no matter which method I use to send via gmail.
While I understand this can happen in any environment, I am used to fast delivery. Use case is salespeople talking to customers and needing to get email to them very quickly using the Webapp. Before the gmail switch, usually less than a minute to deliver. Now, it is 3-4 minutes minimum.
Am I crazy to try to use gmail for this purpose? There seem to be a lot of devs using it, so just wanting to know how it works out for them/you.
Thanks for any feedback!
Ive found gmail problematic for another reason... Grey listing. My application happy works away using gmail smtp and then every now and then just stops working. Manually logging into the gmail web interface and entering a captcha "unlocks" the account and my application can send mail again. Seems at some point google determines that I may be sending spam and locks my account...? Feels like sending automated mail through gmail is a risky idea IMHO
Just a shot in the dark, but may it have to do with additional outgoing mail spam checking and therefore long output queues on GMail's side and (at least in some cases) greylisting?
To elaborate on that:
Google is known to take things seriously. Hosting a mail service that may be used by everyone nowadays is a bit of a hassle. One user posting spam/viruses through your service and bam! your servers are on someones blacklist. Therefore, additional checking on outgoing mail would be a good idea, but the mail may take longer (especially in a distributed server environment where the mail has to pass several message queues ... from the incoming ESMTP server to the spam checker to the virus checker to the message storage to the outgoing mail queue to the outgoing mail SMTP service).
If a recipient uses greylisting, his mail server first rejects a mail by stating a temporary problem, remembering the sender address and/or the message id and telling the sending server to try again later. Most spammers do not try again. But GMail's servers will try again, but due to long message queues and/or long retry intervals it will be delayed further.
And, as Ryan already stated, try to get one of the most delayed mails into your hands, including all mail headers. Check the timestamps on the Received: headers and find out which server is the bottleneck. Then you'll have at least an idea where it goes wrong.
Gmail has a pretty nice step-by-step resolution process on their support site.
Here is a direct link
You will want to do some more digging to try and isolate the issue. I'm rather surprised you are seeing 10 - 20 minute delays. One thing to look at is the email message header. This will give you a good idea how long each hop is taking. There could be an issue somewhere else that you don't know about.
I doubt you are going to be able to get your email sending as fast as it was in-house. It just comes with the territory.
On my server, debian with plesk and postfix mailserver, i seen that using gmail took a bit of time to sent the mail (~2-3 seconds to send the mail via php using phpmailer), but the mails usually arrive in 1~2 minutes.
Seldom happens that the deliver took about 10 minutes.
Using posix, instead, php send email faster, but they take more times to be delivered (in true, php is faster delivering the mail at the mail server, but then the mail server is slower to deliver the mail to the recipient).. and is a nightmare with spam.
This is my experience, my 2 cents ;)

How to implement a single sign-on authentication server?

I want to implement a discrete remote authentication server that handles login for many sites. Somewhat similar to OpenID.
Basically, I have site-1 and site-2 and they're both reliant on the same user database, which is on a separate auth-site. So, auth-site handles user authentication for them, and during this process, makes information on the authenticating user available to the requesting system.
Each site can be on a completely separate domain name, on completely separate machines.
This is all via HTTP(S), there can be no direct database access.
There's one last quirk: once an user has logged in to site-1, when accessing any other site reliant on auth-site, the site must treat the user as already authenticated.
This whole business must be entirely fuss-free to the end-user. It should work like a simple everyday login form.
As a concrete example, say we're talking about stackoverflow.com and serverfault.com, and they both authenticate via authentic-overflow-server-stack.com. Again, once logged in to either site, I can go to the other and do my business without logging in again.
What I'd like to know are the general interaction mechanism between the sites behind this scenario.
In my particular setup, I'm using Rails, but I'm not looking for code[1], just general best practice and guidance, so feel free to answer in pseudo-code or any generally readable language. OTOH, bear in mind that I'll have decent MVC, REST, and meta-programming in my toolkit.
[1]: unless you happen to know an existing tiny neat free MIT/BSD-licensed app/plugin/generator that handles this.
It sounds like (especially with the emphasis on fuss-free), you want something like what the Wikimedia Foundation is doing. Basically, you log on to en.wikipedia.org, then that server communicates with other servers (e.g. en.wikinews.org) and gets authentication tokens. Finally, those tokens are embedded into images, e.g. http://en.wikinews.org/wiki/Special:AutoLogin?token=xxxxxxxxxxxxxxx , and when your browser visits that url (img src) it gets a authentication cookie for Wikinews. Of course, the source code is available for your reivew at http://www.mediawiki.org/wiki/Extension:CentralAuth .
OpenID is also a good choice, but it does require that the user "consciously" visit two domains. An example of one entity with two domains doing this is Canonical. E.g., if you go to https://help.ubuntu.com/community/UserPreferences they will redirect you to Launchpad (https://login.launchpad.net/+openid) for authentication.
Note that Wikipedia is doing this over http, but you can do it all https to ensure the img src tokens aren't intercepted.
Looks like CAS is good enough for me, and has ruby implementations, along with dozens of other lesser languages, e.g. one that rhymes with femoral bone rage.
http://code.google.com/p/rubycas-server/
http://code.google.com/p/rubycas-client/
It sounds like you want to actually use the OpenID protocol itself. There's no reason you can't restrict the authentication provider to only your own server, and do some shortcuts that make the authentication process transparent. Also, the OpenID protocol supports what you describe about logging into one implies logging in to all services.