
Why does Google consider a request from my Django app to send an email via SMTP (smtp.gmail.com) to be insecure? Reading their security standards is not very helpful:

How more secure apps help protect your account

When a third-party app meets our security standards, you can:

  • See what level of account access you’re giving the app before you connect your Google Account
  • Let the app access only a relevant part of your Google Account, like your email or calendar
  • Connect your Google Account to the app without exposing your password
  • Disconnect your Google Account from the app at any time

This is a very common issue when emailing from Django. There are tutorials and stackoverflow question/answers (second answer) that 'solve' this by changing settings in your google account to allow less secure apps. I had this working and was OK with it until I read this from Control Access to Less Secure Sites:

Because Google is beginning to shut off Google Account access to less secure apps, the enforcement option is no longer available. We recommend turning off less secure apps access now. You should start using alternatives to less secure apps.

As Google gradually moves away from allowing less secure apps to access Google Accounts, you’ll receive email notifications about changes that affect you.

When I try searching 'How to make Django secure with Google' or 'Why does Django appear as an insecure app to Google' I see results that reflect more of the same guidance: just flip the switch to allow insecure apps on your Google account. I want to know why Django is considered insecure so that maybe I can configure it to be secure.

EDIT: I still haven't verified these steps make Django a 'more secure app'. Until then using an app password allowed me to keep 'Allow less secure apps' off. It was very simple to implement.

Liam Hanninen
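As an added example (not code from the question, the answer or Django itself), this is how the settings behind the edit above look when the app password is read from the environment instead of being written into the source tree, with a small audit function that flags the combinations that send the login in cleartext or cannot connect at all. The environment variable name GMAIL_APP_PASSWORD and the audit rules are this example's own choices; the transport details (587 with STARTTLS, 465 with implicit TLS, the two flags being mutually exclusive in Django) are standard.

```python
"""Django SMTP settings for smtp.gmail.com with STARTTLS and an app password.

Added example; not code from the question, the answer or Django itself.
Assumptions: the app password comes from the environment variable
GMAIL_APP_PASSWORD (a name chosen for this example), and the audit rules
below are this example's own checks, not a Google or Django specification.
"""
import os
import smtplib
import ssl
from email.message import EmailMessage


def gmail_email_settings(user: str, app_password: str) -> dict:
    """Return the EMAIL_* values a Django settings.py needs for Gmail SMTP.

    Port 587 with EMAIL_USE_TLS=True means STARTTLS; the alternative is
    port 465 with EMAIL_USE_SSL=True (implicit TLS). Django's SMTP backend
    raises ValueError if both flags are set.
    """
    return {
        "EMAIL_BACKEND": "django.core.mail.backends.smtp.EmailBackend",
        "EMAIL_HOST": "smtp.gmail.com",
        "EMAIL_PORT": 587,
        "EMAIL_USE_TLS": True,
        "EMAIL_USE_SSL": False,
        "EMAIL_HOST_USER": user,
        "EMAIL_HOST_PASSWORD": app_password,  # an app password, never the account password
        "DEFAULT_FROM_EMAIL": user,
    }


def audit_email_settings(settings: dict) -> list:
    """Flag SMTP settings that send credentials in the clear or cannot connect."""
    findings = []
    use_tls = bool(settings.get("EMAIL_USE_TLS", False))
    use_ssl = bool(settings.get("EMAIL_USE_SSL", False))
    port = settings.get("EMAIL_PORT")
    if use_tls and use_ssl:
        findings.append("EMAIL_USE_TLS and EMAIL_USE_SSL are mutually exclusive")
    elif not use_tls and not use_ssl:
        findings.append("no TLS: the login and the mail body travel in cleartext")
    elif use_tls and port == 465:
        findings.append("port 465 is implicit TLS; use EMAIL_USE_SSL or switch to 587")
    elif use_ssl and port == 587:
        findings.append("port 587 is STARTTLS; use EMAIL_USE_TLS or switch to 465")
    if not settings.get("EMAIL_HOST_PASSWORD"):
        findings.append("EMAIL_HOST_PASSWORD is empty; set GMAIL_APP_PASSWORD in the environment")
    return findings


def send_via_starttls(settings: dict, to_addr: str, subject: str, body: str) -> None:
    """What Django's SMTP backend does with EMAIL_USE_TLS=True, spelled out.

    Needs network access; the offline checks above do not call it.
    """
    msg = EmailMessage()
    msg["From"] = settings["DEFAULT_FROM_EMAIL"]
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content(body)
    context = ssl.create_default_context()  # verifies the server certificate
    with smtplib.SMTP(settings["EMAIL_HOST"], settings["EMAIL_PORT"]) as smtp:
        smtp.starttls(context=context)      # upgrade the plaintext session before logging in
        smtp.login(settings["EMAIL_HOST_USER"], settings["EMAIL_HOST_PASSWORD"])
        smtp.send_message(msg)


if __name__ == "__main__":
    cfg = gmail_email_settings("you@gmail.com", os.environ.get("GMAIL_APP_PASSWORD", ""))
    for finding in audit_email_settings(cfg):
        print("WARNING:", finding)
```

In a real project the dictionary returned by `gmail_email_settings` becomes module-level assignments in settings.py, and `audit_email_settings` is the kind of check worth running at startup so a deployment that lost its environment variable fails loudly instead of silently sending nothing.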



It's not that Django is insecure, it's probably the way you're sending email, using SMTP. Enabling TLS is the first thing to do, and also a requirement to even use Google's SMTP service:

EMAIL_USE_TLS = True
EMAIL_PORT = 587

The port number depends on the SMTP service you're using. 587 is the standard, but it may be something else.

Next is setting up SPF and DKIM.

Amazon's SES (Simple Email Service, not free) makes this almost transparent.

Additionally you could set up DMARC which provides feedback on the effectiveness of your setup.

There is a DKIM package for Django: https://pypi.org/project/django-dkim/ to help you set this up manually.

Additionally, there is a DMARC package for Django 2 and Python 3: https://pypi.org/project/django-dmarc2/ (I made some fixes to the original package to make it compatible with Django 2+)

SPF should be set up on your DNS.

Having this in place should make your emails secure.

webtweakers
  • Thanks! I'm going to try these out to see if they make things 'secure' as far as google is concerned. So it might be a while before I mark this 'correct'. I'm getting started, TLS with Django - is it just updating these settings: https://www.codingforentrepreneurs.com/blog/ssltls-settings-for-django/ - if so maybe include in your answer. – Liam Hanninen Apr 28 '20 at 02:59
  • No, those are for running your website under HTTPS. The [article](https://medium.com/@_christopher/how-to-send-emails-with-python-django-through-google-smtp-server-for-free-22ea6ea0fb8e) you referred to already explains how to use TLS in your email: `EMAIL_USE_TLS = True`. I only mentioned it, because I sometimes still receive email from reputable organizations that don't use TLS. – webtweakers Apr 28 '20 at 13:04
  • The SPF record is intended to authenticate the origin of email to your domain, which is not _quite_ what the OP was asking about. Sending mail in a "less secure" way just means authenticating with a password instead of an OAuth token, which is the modern way of app to app authentication where you can withdraw access via the token at will. Google should really provide token generation for gmail service as it does with its cloud platform and Django should support this. – David Nugent Aug 30 '20 at 07:08
  • Just for reference https://developers.google.com/gmail/imap/xoauth2-protocol. So google already support oAuth on gmail SMTP (as does Microsoft, btw). – David Nugent Aug 30 '20 at 07:21
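As an added example (not part of the answer, and not code from the django-dkim or django-dmarc2 packages), here is an offline checker for the three DNS records the answer lists. It takes record strings you have already looked up (for instance with `dig TXT _dmarc.example.com`) and flags the weak settings a reviewer would look for; it goes slightly beyond the answer by also counting SPF's DNS-lookup terms against the RFC 7208 limit of ten. The sample records are constructed for this example.

```python
"""Sanity checks for SPF, DKIM and DMARC TXT records.

Added example; not code from the answer or from the django-dkim /
django-dmarc2 packages. Works on record strings you have already fetched
from DNS; the SAMPLE_RECORDS below are constructed for this example.
"""
import re

# DNS-lookup mechanisms/modifiers counted against the RFC 7208 limit of 10.
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr|exists:|redirect=)")

SAMPLE_RECORDS = {  # constructed sample data, not real DNS answers
    "spf": "v=spf1 include:_spf.google.com ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "dkim": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
}


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' record (DKIM, DMARC) into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record: str) -> list:
    """Return findings for an SPF record; an empty list means it looks sane."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("+all lets any host send as your domain; use ~all or -all")
    elif last not in ("-all", "~all", "?all") and not last.startswith("redirect="):
        findings.append("missing terminal all mechanism")
    lookups = sum(1 for t in terms[1:] if _LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceeds the limit of 10 (permerror)")
    return findings


def check_dmarc(record: str) -> list:
    """Return findings for a DMARC record at _dmarc.<domain>."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p= must be none, quarantine or reject")
    elif policy == "none":
        findings.append("p=none only monitors; move to quarantine/reject once reports look clean")
    if "rua" not in tags:
        findings.append("no rua= address, so you will receive no aggregate reports")
    return findings


def check_dkim(record: str) -> list:
    """Return findings for a DKIM key record at <selector>._domainkey.<domain>."""
    tags = parse_tags(record)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional but must be DKIM1 if present
        findings.append("v= must be DKIM1 when present")
    if not tags.get("p"):
        findings.append("empty p= (revoked key) or missing public key")
    return findings


def check_all(records: dict) -> dict:
    """Run every check on a {'spf': ..., 'dmarc': ..., 'dkim': ...} dict."""
    return {
        "spf": check_spf(records.get("spf", "")),
        "dmarc": check_dmarc(records.get("dmarc", "")),
        "dkim": check_dkim(records.get("dkim", "")),
    }


if __name__ == "__main__":
    for name, findings in check_all(SAMPLE_RECORDS).items():
        print(name, "OK" if not findings else findings)
```

The checks are deliberately syntactic: they tell you whether a record is malformed or permissive, not whether the mail you send actually passes, which is what the DMARC aggregate reports (the `rua=` address) are for.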