Achieving emailing between website users without "Mailing Server" configuring? - django

I have requirement like, each user of the site
will be mailing any other user and I have rules for that communication
(let them aside for now). So user1 will be picking an email id like:
mypickeduser1n...#sitedomain.com and will be sending an email to
user2, whose email id will be like:
mypickeduser2n...#sitedomain.com. Like that any number of users will
be sending emails to any numbers of users. And any outsider should be
able to send an email to mypickeduser2n...#sitedomain.com. My question
is,So in this context, do I need to build my own smtp(setup mailing)
servers. I am totally a newbie in the smtp arena. Can I achieve the
email communication between the users without "mailing server"
configurations?
Can this be achievable?

You need a mail server. Even if local email is just directly deposited into a mail directory or database somewhere, something has to be responsible for accepting email from the outside world. I recommend postfix - it's powerful but easy to set up, and the config files don't look like Klingon.

If you want users to be able to create e-mail accounts in Django, you need Django, your MTA and your IMAP/POP server to use the same user account database.
I've successfully used the following setup:
PostgreSQL as the user database
Postfix as the MTA
Dovecot as the IMAP server
a custom Django app as the user account management front-end
virtual mail user accounts (not using Unix accounts)
I've only used the Django admin interface to let administrators manage the mail accounts, but a management UI for users is trivial to implement as well.
Some tips and sources of information for such a setup:
Design your database schema carefully. I based mine on howtos mentioned below with modifications for easier Django integration.
Take care that all components use the same encryption for user passwords.
two howtos (first, second) describing how Dovecot and Postfix can authenticate users using PAM and PostgreSQL as backend
a howto in German for Dovecot/Postfix/PostgreSQL
a howto for gluing together virtual user/domain support for Debian, Postfix 2 with SMTP AUTH, SASL2 with libpam-pgsql for Postfix, PostgreSQL and Dovecot
the Postfix PostgreSQL howto
You might also want to check out the Virtual Mail Manager command line tool for managing domains, accounts and aliases with a Dovecot/Postfix/PostgreSQL setup.

There are a few django apps out there to handle messaging between users, but the only one that seems to be active is:
django-messages
This gives you all the functionality you asked for, except for outsiders being able to send mail in to users.
This is a much harder problem and will certainly require a mail server and much custom code on your part.

Related

Multi-tenant Centralized Authentication Server

I am trying to create a centralized authentication server for multiple Django apps (APIs). I've seen posts/recommendations but none fit exactly what I am looking for.
Overview:
Users can be associated to one or multiple projects
Users have same credentials to all projects they are associated to
Use JSON Web Tokens - use payload to add user data, sub-domain (project) to route to, role, etc
Sub-domain will not be used for login. All users will login to same site and will be routed to project they are associated to (or given list if there are multiple). SSO is optional.
Questions/uncertainties:
Q: Should the authentication tokens be created on the authentication server or on each project? ie) Each user having one auth token for all projects or have one auth token for each project?
Q: Roles will be stored in each app. I would like to send the roles along with the authentication token in the JWT. Should this data be redundantly stored on the authentication server? Another other way would be for the authentication server to access the project databases. What is the best way to handle this? Users will have different roles for each project.
Q: Auth server will have basic user information (email/username, password, first/last name, etc). Since foreign keys can't be used between databases I can use a user proxy based on usernames to create the user on each project. Do the app servers need to have access to which authentication tokens are valid?
Taking advantage of pre-existing software:
Another approach I had in mind was to use django-tenant-schemas which takes advantage of Postgres schemas where each one of my projects would be a schema (currently using MYSQL databases). Does it make sense to take advantage of this?
Can I take advantage of an IdP service to offload some of the authentication? Does this easily tie into the Django auth layer?
Your question seems to be multiple so I would split the answer too:
ABOUT THE USERS
Since your users are not part of your "mutitencancy model" you have two options here:
Replicate your user data among the different tenant databases (via triggers and what not).
Write your own authentication middleware that verifies users in the right database (lets call it root database since now on). You can use user ids to from the root database and verify manually that they match, which is a bad idea.
That means your database schema will be something like this:
root database (all common data here)
project 1 database (with it's own user data or referencing root)
project 2 database (with it's own user data or referencing root)
Now for authentication tokens
You have the same options as above:
Keep them in the root database and write your own middleware.
Replicate them.
How to implement the whole thing
Since your use case is pretty particular, you may encounter some resistance from existing software. But creating your own multitenant solution is not that hard

Need concept clarification for wso2is

I am a 30+ year programmer, but almost all of it was in the semi-conductor world and none of that was with web sites. I have been given the task of getting wso2is to work with 1 new app and eventually add the already existing apps. Most of the terminology is foreign to me. I have read much of the documentation, it is beginning to make sense. I can get it to run and create some of the items needed, user, role, permissions and claims. But there are some concepts that I don't get from the manual.
Ok I know that what I need to get out of it is simple authorization.
Person->web_app->wso2is->authorization->web_app
We will eventually have several apps that our internal users wish to forgo multiple logins.
So if I have AppA and AppB and I want to use both Apps. I login to AppA, it sends authorization request to IS and it sends back true/false that all is good for AppA, but now I need to get into AppB from the same browser, new tab. It is my understanding that wso2is is single sign-on (SSO). So it looks like I would have to sign also to AppB completely independent to AppA. Our developers are looking to use curl to communicate with IS. So how does IS tie all this together?
I'm very confused.
I understand users, roles, permissions and claims, at least I think I do.
I've managed to add users with REST and SCIM. I've had no luck in getting ANY of the samples to work.
Hope it is not too late to answer this question. I will try to expalin the steps as simple as possible.
Add App A, as service provider in WSO2 IS.
Add App B as service provider in WSO2 IS.
Note: Both apps can be ( and should be) fully independent to each other. By that I mean, App A can be java, App B can be a .net application. They can have different certificates for encryption etc.
When you try to log in to App A in new browser session, it will redirect you to WSO2 login page and there you can authenticate yourself with user id and password.
Now when you try to open App B in same browser in new tab, WSO2 will not ask you again for user id and password, rather it will allow you to access App B. All this happens because of SSO.
This is SSO in the simplest way.

Track emails to clients within web application

I am developing a Django-based system. It is kind of client-tracking tool.
Some users can work with different client accounts.
I would like to track the emails among users and clients within the application.
The company uses MS Outlook Server as a mail server and users are sending emails from their workstations.
The goal is to have the list of emails to/from users/client on the web page.
I see some possible ways how to do this.
Make the email form on the web page and send all emails from this page. Thus we can store the email sent.
While sending the email - manually add a CC field with the address of robot who will have access to this mail thread and can fetch messages from the inbox sorting them by the sender/recipients.
Automatically fetch messages from user mailboxes (don't want to store their passwords though)
Probably use some mail filter on the mail server to forward messages from/to specified address (don't know how to do this)
But maybe someone can give some advices? Any ideas, guys?
I had done something similar a couple years ago (with Postfix, however, not with MS Exchange).
The best approach IMO is to setup a mailserver to blind-copy each email to your script. In Postfix this called a "custom transport". This way your clients will be able to send emails using any program, not necessary through a web form. AFAIK, nearly all production email archiving solutions work that way.
Sounds like you are looking for something like the journaling feature in microsoft exchange-server. It allows you to define a special mailbox that will recieve a copy of all mails. You can find more information about this here, here and here
Once all the messages are in one mailbox you can access it from your application.

Django Open ID - Assign permissions to users who have never logged in by email

I'm using django-auth with the django-auth-openid extension to use OpenID (specifically, Google) to log users into my site. I have a user base of about 90 who will be using the site. All of them have Google accounts, and will be using them to access the site. Since the user base is set (there is no registration allowed, only admins can add users), I already have an exhaustive list of all of my users, including their email addresses and other information. How can I allow these users to login with their Gmail addresses without making them register first? Essentially, I'd like to make django-auth-openid match OpenID Gmail addresses to rows in the existing django-auth Users table. Is this possible?
Thanks!
I ended up using the python-social-auth library (which has Django support built in). The documentation for use with Django isn't great, but between the docs and the provided example it was relatively easy to integrate it with my existing django-auth setup. After that, I just deleted the 'create_user' pipeline from the SOCIAL_AUTH_PIPELINE tuple in my settings, and, that way, only users with existing OpenID connections were allowed in (no new registrations occurred from OpenID logins). This meant, though, that I had to create those connections (between OpenID identifiers and Users) manually, but that was pretty easy to do just using the Django Python shell.

How to improve authentication in a Perl Dancer app

I am working on a Perl Dancer web application that needs to accomplish two things in terms of authentication:
authenticate users based on Active Directory for access to the application
authenticate as the user to access a couple of .NET web services.
The application is being hosted as a CGI application by Apache on a Linux box, and I do not have much control over Apache's configuration.
Below is the workflow of the currently working application:
Display a login page to the user
When the user submits the form, use Authen::Simple::ActiveDirectory to verify the account is valid
Store the user's credentials using Dancer::Session::Cookie (encrypted cookies)
Display a search form to the user
When the user submits this form, use Authen::NTLM and SOAP::Lite to access the .NET services (similar to the example here) to perform a search
Display the results to the user
The handling of user credentials here concerns me, but I am generally new to web applications and authentication. For a small internal application, is this okay? If not, how do you suggest I improve this process? Like I said, the application as outlined above works, but I feel like it could/should be improved.
One (part of a) solution could be that you let your apache webserver handle the
authentication. You could use Kerberos for this.
So only permitted users can access your application. In that
case $ENV{REMOTE_USER} contains the username (e.g. foo.bar#MY.DOMAIN.COM).
If you need more information about the current user you can query your LDAP (containd in your Domain). I use a common (LDAP) user to get more information about the current user foo.bar#MY.DOMAIN.COM.
I know that this is only the fist part. I do not have experience useing/passing Kerberos tickets by SOAP. But if you mange to handle this, you have a clean SSO solution.
HTH
We do this in the Apache config. It requires something like the below. You'll need a read only password-less user to bind to Active Directory.
AuthName "Active Directory"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPUrl ldap://server:389/OU=COMPANY,DC=COMPANY,DC=com?sAMAccountName,mail,name,extensionAttribute2,memberOf?base?(objectClass=user)
AuthzLDAPAuthoritative on
AuthLDAPBindDN "CN=ReadOnlyUser,OU=ServiceAccounts,OU=Users,OU=XXX,OU=COMPANY,DC=COMPANY,DC=com"
AuthLDAPGroupAttributeIsDN on
require valid-user