I'm developing a cross-platform C++11 application and I need to send a validation email to a user-entered address to make sure his email account exists and is valid.
I know there are temporary mail services like mailinator, but honestly I feel like a validation email is a good approach in my case since it gives people malicious intention more work to do to circumvent the system and also goes well with the rest of the application (example: having the email address allow me to automatically send status updates to users).
I have searched on the internet but I haven't been able to find a portable, cross-platform way to achieve this, at least without introducing big dependencies.
How can this issue be solved?
This email better not send from the client side. Write a server side http api and accept request from the client side application, then send the email on server.
Given that we don't even have networking(!) in the C++11 standard (not to mention the POP3, SMTP or the IMAP protocols on the top of it), I am afraid you cannot do it without "introducing big dependencies."
If you are willing to use third party libraries
VMime
libcurl
SmtpClient for Qt
implementint the protocols yourself on the top of boost::asio
are viable options depending on your needs and licensing requirements.
Related
Using WinHTTP right now, and looking to switch over to cpprestsdk. I'm looking through the documentation, and I don't see anything about support for NTLM/Negotiate/Kerberos support. Am I missing something? I find it hard to believe that MS wouldn't have supported it, but I don't see any sample code on how you would use it.
The reason we need NTLM/Negotiate/Kerberos support is that we are running our client via RemoteApp, and want our users to only have to login once with their Domain Credentials when starting the app, and not have users prompted to enter passwords a second time.
It seems that Windows authentication is readily build into Casablanca (when used on a Windows machine). Take a look at src/http/client/http_client_winhttp.cpp. There you'll find a function "ChooseAuthScheme". To my understanding this will select the "most secure" authentication scheme that a server supplies. If the server e. g. claims to support both, "BASIC" and "NEGOTIATE", it will prefer and select the latter as the more secure scheme. Thus using Widows authentication should a very easy to use, just don't set any credentials (username/pwd) and try to connect to a server that supports Windows authentication and also announces this in the http "Authenticate" header (otherwise Casablanca will of course not attempt to use Windows authentication).
BUT
I'm also trying to use Windows authentication in Casablanca and I'm currently facing two problems:
Windows authentication sort of works as explained above in my scenario. Bewilderingly however sometimes it does not. This goes as far as that I can connect to a server from machine A with user Foo logged in and I cannot connect from machine B with user Bar logged in at the the very same time and with all machines being in the very same network segment without any router or proxy in between. From a Fiddler log I can see that in case of a failure Casablanca attempts a connect without any authentication and then receives a http 403 unauthorized from the server (which is to be expected and perfectly fine) but afterwards fails to resend the request with the NEGOTIATE in the headers, it simply aborts. On the contrary in the successful case there is a resent with the credentials being a base64 encoded blob (that in fact has binary content and presumably only MS knows what it means). I'm currently unclear about what triggers this, why this happens and how to resolve this. It could well be a bug in Casablanca.
I have a special scenario with a server that has a mixed operation mode where users should be able to connect via BASIC or Windows authentication. Let's not reason about the rationale of the following scenario and best practices, I'm dealing with a TM1 database by IBM and it's just what they implemented. So the users admissible for basic and Windows authentication don't necessarily overlap, one group must authenticate via Windows integrated (let's say domain users) and the other one must use basic authentication (let's say external users). So far I found no way (without patching Casablanca) to clamp the SDK to some mode. If the server announces BASIC and NEGOTIATE it will always switch NEGOTIATE as the more secure mode, making basic authentication inaccessible and effectively locking out the BASIC group. So if you have a similar scenario, this could equally be a problem for you, ChooseAuthScheme() tests several different authentication methods, NEGOTIATE, NTLM, PASSPORT, DIGEST and finally BASIC, in this sequence and will stubbornly select the first one that's supported on both, client and server, discarding all other options.
Casablanca (CpprestSDK) fully supports NTLM authentication. If server rejects request with status code 401/403 and header WWW-Authenticate, library will handle it internally using most secure authentication method. In case of NTLM you could either specify login/password pair, or use automatic logon (Windows), based on calling thread current user token.
However, when I tried using auto-logon feature, it unexpectedly failed on some workstations (case 1 in Don Pedro answer).
Windows version of Cpprest uses WinHTTP internally. When you try to automatically authenticate on the remote server, automatic logon policy takes effect.
The automatic logon (auto-logon) policy determines when it is
acceptable for WinHTTP to include the default credentials in a
request. The default credentials are either the current thread token
or the session token depending on whether WinHTTP is used in
synchronous or asynchronous mode. The thread token is used in
synchronous mode, and the session token is used in asynchronous mode.
These default credentials are often the username and password used to
log on to Microsoft Windows.
Default security level is set to WINHTTP_AUTOLOGON_SECURITY_LEVEL_MEDIUM, which allows auto-logon only for intranet servers. Rules governing intranet/internet server classification are defined in the Windows internet options dialog and somewhat murky (at least in our case).
To insure correct auto-login I have lowered security level to WINHTTP_AUTOLOGON_SECURITY_LEVEL_LOW using request native handler config:
web::http::client::http_client_config make_config()
{
web::http::client::http_client_config config;
config.set_proxy(web::web_proxy::use_auto_discovery);
if (!m_wsUser.empty()) {
web::credentials cred(m_wsUser, m_wsPass);
config.set_credentials(cred);
}
config.set_nativehandle_options([](web::http::client::native_handle handle) {
DWORD dwOpt = WINHTTP_AUTOLOGON_SECURITY_LEVEL_LOW;
WinHttpSetOption(handle, WINHTTP_OPTION_AUTOLOGON_POLICY, &dwOpt, sizeof(dwOpt));
});
return config;
}
In my case this approach was acceptable, because server and clients are always inside organization network boundary. Otherwise this solution is insecure and should not be used.
I have seen many tutorials (http://curl.haxx.se/libcurl/c/smtp-multi.html, VMIME website, etc) that explain how to send mail through some server like GMail or whatever. That is, they require a username/password to log in to some server, and then they forward the email through the server to the destination.
What I am looking for and cannot find is an explanation of how to send email that is not routed through a server though. How do you send email without a mail server? I am looking for a [Linux] library that can let my program be the mail server itself, both to send mail and receive it. If this is not possible with curl or vmime then I will be glad to switch to another library. I really do not want to have to roll my own SMTP server, but I've spent a day on google to no avail, and read the VMIME book but I can't find anything helpful and it's a little abstruse to my mind.
Edit:
So basically I'm looking for a SMTP server library (that can also send emails to other servers) for C or C++. Does such a thing exist? I see them for .NET and Java and Python but no C or C++ yet. Still googling...
Sadly, I don't know of any that are still active. VMIME has some support but the API for SMTP/SMTPS is kinda awkward looking. I have looked at libcurl for the sending portion too. It looks a bit easier to manage than VMIME's SMTP/SMTPS API. I am currently using VMIME to generate the messages and am sending using the MSMTP utility. The combination of VMIME and MSMTP works great but would prefer to keep it all in one utility program...
I don't have too much experience programming in C++, but I need to build a basic application for sending state emails from a computer using windows or linux, and I've found that POCO C++ suppoorts both platforms, but I have a proxy http provider behind to filter unauthorized connections, so, how could I do it?.
You can't send SMTP e-mail through a HTTP proxy.
But you can make a HTTP connection to a website you control. And you can write a web-to-email script and put that on your website. E.g. your script can take a status message as a POST parameter and then send it out as e-mail.
Spammers often try to hack web-to-email scripts to send spam, so please make sure your script has a hard-coded destination e-mail address. That way the spammer can only send mail to you, not everyone else on the Internet. Whatever you do, don't pass the destination e-mail address as a parameter.
regarding web to email scripts - make sure you strip newlines from anything that ends up in email headers! (to prevent spammers from injecting headers)
I would like to create a mail sender on C++ (not Mail Client for eg. GMail). In this mailer I want to be able to change the headers also.
I have already downloaded and installed the POCO libraries, that might help (I found it on a similar anwser).
For example, what I would like is a command like below:
e-mailsend(to,headers,subject,message);
// Or something like:
email.send(to,headers,subject,message);
However, If possible, I would like to use a C++ Mail function not a system function (like mail-utils in unix).
If you need any more explanation please comment...
In your comments you asked for an option without an SMTP server.
SMTP requires an SMTP Server. The choice is that could send emails directly (e.g. to joe at yahoo.com on port 25) or to a SMTP server that will relay the message.
Ideally, you will want your own SMTP server locally (so your application is simpler and your SMTP server sends the messages in the background, handles retries, bounces and connection errors) and use a reputable SMTP service or an existing email account.
If you want to send spam, I'd strongly advise against it.
If you want to send a small number of messages that will be opened by people expecting those messages, use a normal account (Yahoo, GMail, Google Apps, etc) and if you find your application not responsive enough, install Postfix, Sendmail or whatever local SMTP server you like.
If you want to send a large volume of emails and you are sure those message won't get you targeted as a spammer, use an SMTP service, like SendGrid (note: they also have a web API that you might find easier to use than SMTP).
Depending on which of the above you need, I'm sure answering your original question with a recommendation for SMTP C++ clients (like POCO) with become simpler.
I want to connect from webserver via dedicated proxy to the intranet. I am not sure if it matters I want to send and receive XML. It would be great if I could use HTTP.
I know of one open port 78xx which I successfully used with a TCP socket as described in this excellent tutorial
Is it possible? Or does the answer depend on the actual proxy configuration - if it scans for the protocol, and dislikes it it's gonna be blocked!?
And what library would you recommend? I just found pion - Can i link it statically? It's almost not possible to install sth on the web server for me.
EDIT My question is probably two-fold:
First, I have to add, there is an existing communication client+server, but the server is a mixup of the concrete socket and networking implementation and the API to the database, consisting of about 10 commands I find hard to extend. So I ask for a generic lib so I can rewrite that API from scratch.
Second, I need session handling, the webapplication passes the user login data to that client and there is a session-id returned which is used for all further communication - until it expires. That was the reason I asked for HTTP, but meanwhile i realized http itself is stateless.
The answer is.... in progress.- I need to practice more with c++ tcp libs etc.
My post was unfortunately hard too understand, Had some confusion about that all.