5

By seeing this answer I learned that Google blocks certain apps from connecting, due to "lack of application of modern security standards" in those apps, and I can make Google allow my account to connect from such apps - I must do that explicitly.

This was due to an issue in Django mailing:

from django.conf import settings
from django.core.mail import send_mail
from django.template.loader import render_to_string

# plain-text body from template.txt, HTML alternative from template.html;
# sender and recipients come from the EMAIL_*/FORM_DESTINATIONS settings
send_mail(
    u"Message",
    render_to_string('template.txt', {'data': data}),
    settings.EMAIL_HOST_USER,
    [dest['address'] for dest in settings.FORM_DESTINATIONS],
    html_message=render_to_string('template.html', {'data': data}),
)

And my EMAIL_ settings involving a @gmail.com account (neither SSL/465 nor TLS/587 worked).

Does this mean Django 1.7 has an insecure mailing mechanism? What does "secure" mean in this context and what mailing standards is Django not applying?

Edit: Even though I provided context for this question (a pointed answer and related links/docs), some readers may not find where Google talks about "secure"/"insecure" applications. By entering here using your Google account credentials there's an option about "less secure apps" which leads to this page, which has a "More Info" link pointing Here (this link does not need authentication).

Luis Masuelli
    It's more than likely that the problem isn't with Django. Google is a security mega-monster that feeds on overly-complex APIs and puppies (probably). Almost every app or extension I've used needed my explicit allowing for it to connect to gmail. I don't think there's any way around that, it seems like a standard security on Google's part that isn't related to Django – yuvi Oct 02 '14 at 20:48
  • What issue did *you* encounter with using Django mailing? What specific error did *you* get? What specific settings are *you* using? Where does the quote "lack of application of modern security standards" come from exactly? I don't think Google is calling Django insecure. Most likely it is what you are trying to *do* which is insecure. – Louis Oct 02 '14 at 22:12
  • The quote comes from Google. Please read the pointed answer and the pointed docs (by the pointed answer) to understand that. Without reading the answer, this question cannot be understood at all. – Luis Masuelli Oct 03 '14 at 14:50

1 Answer

2

Sending email via SMTP with Django requires you to store your password in plain text on your server. Apparently, Google considers storing the password in plain text a security risk and wants you to use either OAuth 2.0 or two factor authentication with application specific passwords. See http://googleonlinesecurity.blogspot.de/2014/04/new-security-measures-will-affect-older.html

It is up to you to decide whether you consider storing the email password in plain text on a server a security risk. Keep in mind that you usually store your database password in plain text too, so when an attacker is able to read your application settings, it is pretty much game over anyway.

I would suggest enabling two factor authentication and using an application specific password, especially if you use that Google account for more than just sending mail from your server.

Daniel Hepper
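One way to follow the answer's advice in practice, as an added example that is not code from the question, the answer or Django itself: keep the Gmail app-specific password out of settings.py, read it from a credentials file that only the service account can read (the file format and the permission check are assumptions of this example), and build Django's EMAIL_* settings for SMTP over STARTTLS on port 587 from it.

```python
import os
import stat

# Constructed example: Django's SMTP backend still needs the password in
# memory, but it does not have to live in settings.py or in version control.
GMAIL_SMTP_HOST = "smtp.gmail.com"
GMAIL_SMTP_PORT = 587


def load_smtp_credentials(path):
    """Read KEY=VALUE lines (EMAIL_HOST_USER, EMAIL_HOST_PASSWORD) from
    `path`, refusing a file that group or other users can read."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("%s is readable by group/other (mode %o); "
                              "chmod 600 it" % (path, stat.S_IMODE(mode)))
    creds = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, sep, value = line.partition("=")
            if sep:
                creds[key.strip()] = value.strip()
    missing = {"EMAIL_HOST_USER", "EMAIL_HOST_PASSWORD"} - creds.keys()
    if missing:
        raise ValueError("credentials file lacks: " + ", ".join(sorted(missing)))
    return creds


def gmail_email_settings(creds):
    """Django EMAIL_* settings for Gmail. The password is expected to be an
    app-specific password generated after enabling 2-step verification, as the
    answer recommends, never the account's main password."""
    return {
        "EMAIL_BACKEND": "django.core.mail.backends.smtp.EmailBackend",
        "EMAIL_HOST": GMAIL_SMTP_HOST,
        "EMAIL_PORT": GMAIL_SMTP_PORT,
        "EMAIL_USE_TLS": True,  # STARTTLS on 587 (EMAIL_USE_SSL + 465 is the alternative)
        "EMAIL_HOST_USER": creds["EMAIL_HOST_USER"],
        "EMAIL_HOST_PASSWORD": creds["EMAIL_HOST_PASSWORD"],
    }
```

In settings.py this becomes `globals().update(gmail_email_settings(load_smtp_credentials("/etc/myapp/smtp.env")))`, so a leaked repository or settings file no longer carries the credential.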