I have tried using LuaSec to connect to my Gmail account and send email via SMTP, and though after a while I was able to allow insecure apps to connect, I'd like to find out how to implement a secure connection via Gmail.

I've used the following code, which I found here, where the socket connection is wrapped by SSL before connecting to Gmail, but Google still says the connection is insecure.

local socket = require 'socket'
local smtp = require 'socket.smtp'
local ssl = require 'ssl'
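-- Returns a socket-like object for smtp.send's `create` hook: it opens a
-- plain TCP connection, then wraps it in TLS before the SMTP dialogue starts.
function sslCreate()
    local sock = socket.tcp()
    return setmetatable({
        connect = function(_, host, port)
            local r, e = sock:connect(host, port)
            if not r then return r, e end
            -- 'tlsv1' requests TLS 1.0 only; no verify/cafile is set, so the
            -- server certificate is not checked.
            local wrapped, werr = ssl.wrap(sock, {mode='client', protocol='tlsv1'})
            if not wrapped then return nil, werr end
            sock = wrapped
            return sock:dohandshake()
        end
    }, {
        -- Forward every other method call to the underlying socket.
        __index = function(t,n)
            return function(_, ...)
                return sock[n](sock, ...)
            end
        end
    })
end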

function sendMessage(subject, body)
    local msg = {
        headers = {
            to = 'Your Target <target email>',
            subject = subject
        },
        body = body
    }

    local ok, err = smtp.send {
        from = '<your email>',
        rcpt = '<target email>',
        source = smtp.message(msg),
        user = 'username',
        password = 'password',
        server = 'smtp.gmail.com',
        port = 465,
        create = sslCreate
    }
    if not ok then
        print("Mail send failed", err) -- better error handling required
    end
end

I even went as far as creating a self-signed certificate and using it as a variable in the SSL wrap, but Gmail still identifies the connection as being insecure. Do we need to change the protocol, or does the LuaSec library need updating?

On that note, neither have I been able to send email via Hotmail / Outlook.com.

Nepaluz

1 Answer

Regarding Gmail:

Take a look here. Essentially, Google took it upon themselves to say, "Hey, we want to make every account safe, so we refuse to let less secure applications access our users' Gmail accounts!" Thankfully, you can turn it off, or I would have never been able to use Fossamail as my e-mail client.

It may be the same situation for Hotmail/Outlook, though I don't use them myself.

Josh
  • Thanks for the comment. I actually saw that link, but the notion that, for example, the code above is less secure is the premise of my question, i.e., what protocol does a secure app use? (The above has TLS and SSL and is still deemed insecure!) And yes, turning on less secure app access is an option (though not an ideal one). On a side note (but still relevant to the question) I came across this https://support.google.com/a/answer/176600?hl=en . Question is, what protocol is deemed secure for an app to use? – Nepaluz Oct 18 '15 at 09:16
  • In that case, Google wants users to use OAuth 2.0. Those not using OAuth 2.0 will be deemed "Less secure". – Josh Oct 18 '15 at 22:48
  • Hi @Nepaluz, did you get this sorted in the end? With support now removed for TLS 1.0 and 1.1, I need to update my Lua email script (like yours) to use 1.2 but am struggling to get that to work. – nodecentral Feb 15 '23 at 10:13
  • That was a while ago and I do not recall how or whether I ever got it done, but looking at the code sample above, I wrapped the port with an ssl protocol of tlsv1 - try setting it to the 1.2 – Nepaluz Feb 15 '23 at 17:01
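
The last comment's suggestion applied to the question's sslCreate, as an added example that is not part of the original thread: it requests TLS 1.2, verifies the server's certificate chain and host name, and returns an error instead of continuing when either check fails. The CA bundle path and the names tlsCreate, nameMatches and certCoversHost are assumptions; as the answer's comment says, Gmail's "less secure" label depends on OAuth 2.0, so this hardens only the transport.

```lua
local socket = require 'socket'
local ssl = require 'ssl'

-- Assumption: Debian/Ubuntu CA bundle location; adjust for your system.
local CA_FILE = '/etc/ssl/certs/ca-certificates.crt'
local SAN_OID = '2.5.29.17' -- subjectAltName extension

-- Compare one certificate dNSName with the host, allowing a single
-- leftmost wildcard label such as "*.example.com".
local function nameMatches(pattern, host)
    pattern, host = pattern:lower(), host:lower()
    if pattern == host then return true end
    local suffix = pattern:match('^%*(%..+)$')
    if not suffix then return false end
    local first, rest = host:match('^([^.]+)(%..+)$')
    return first ~= nil and rest == suffix
end

-- True when any dNSName in the peer certificate covers the host.
local function certCoversHost(cert, host)
    local san = cert and cert:extensions()[SAN_OID]
    for _, name in ipairs(san and san.dNSName or {}) do
        if nameMatches(name, host) then return true end
    end
    return false
end

-- Hypothetical drop-in replacement for sslCreate in the question.
local function tlsCreate()
    local sock = socket.tcp()
    return setmetatable({
        connect = function(_, host, port)
            local ok, err = sock:connect(host, port)
            if not ok then return nil, err end
            local conn, werr = ssl.wrap(sock, {mode = 'client',
                protocol = 'tlsv1_2', verify = 'peer', cafile = CA_FILE})
            if not conn then return nil, werr end
            conn:sni(host) -- send the host name during the handshake
            local hs, herr = conn:dohandshake() -- chain is verified here
            if not hs then return nil, herr end
            if not certCoversHost(conn:getpeercertificate(), host) then
                conn:close()
                return nil, 'certificate does not match ' .. host
            end
            sock = conn
            return 1
        end
    }, {__index = function(_, n)
        return function(_, ...) return sock[n](sock, ...) end
    end})
end
```

Pass `create = tlsCreate` to smtp.send in place of sslCreate; a client-side self-signed certificate is not needed for the client to verify the server.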