Basic Mail Server

Richard Gaskin ambassador at fourthworld.com
Mon Oct 12 16:08:28 EDT 2015 

Here I took the laziest route available, since I just needed a quick 
solution for monitoring notifications:  I used the email options 
provided by one of my shared hosting providers.  I have neither the 
patience or time to setup and manage SMTP myself (been there, and as 
much as I enjoy poking around in Apache I find SMTP uninteresting), so 
I'm always happy to let dedicated staff handle that for me, esp. with 
today's low prices for hosting.

LC Server runs on just about any shared host, and any CGI that can send 
mail is fine.

Since it uses the email account set up with the host for the 
domain/subdomain, this does mean that all email is sent from one 
apparent sender.  But if you set the account up with a meaningful name 
that's not necessarily a bad thing (could reflect something related to 
sales or whatever department your recipient might expect).

In my case encryption isn't an issue since I'm only sending monitoring 
data to the CGI.  But if I needed it HTTPS could be used to call the CGI 
- free certs become available later this year, cheap certs are available 
now, and one could easily encrypt the data client-side before sending 
and decrypt on the server with LC's encrypt/decrypt functions.

As for the hash, just use anything that works for you. I use sha1digest 
with input being the message concatenated with the date and the IP 
address along with a "shared secret" salt, a file containing a long 
string on both the client and server.  Could be just about anything you 
like, but with this simple setup anyone attempting to send spam with it 
needs to do the following:

- Build a hash that satisfies what the server will expect, and while
   most of it is simple the "shared secret" file is unlikely to be
   guessed successfully.

- Know the name of the CGI to call

- Know the name of the subdomain I set up for it (as inconveniently
   named as the CGI file)

And in my case I'm the only recipient so it's not like anyone can spam 
the world with my setup anyway.

If you wanted to use something like that for sending email to others, 
encryption is likely useful (so that if decrypt fails you know it's spam 
junk and can just discard it), and even restrict by IP address if that's 
a practical option (it is for me since the CGI is only called from a 
known number of other systems, all of which have fixed IP addresses).

-- 
  Richard Gaskin
  Fourth World Systems
  Software Design and Development for the Desktop, Mobile, and the Web
  ____________________________________________________________________
  Ambassador at FourthWorld.com                http://www.FourthWorld.com



Bob Sneidar wrote:
> I'm curious about this. Are you saying you have an SMTP service running?
> If so, who do you relay through? I have an issue with customers
> frequently, where the contact does not know what their email server is,
> who provides it, or even who the IT company is that maintains it.
> (Frankly it shocks me to see how many people run businesses with a
> complete lack of any technical expertise whatsoever).
>
> What I would like to offer the customer is an easy to set up SMTP server
> to act as a relay. The problem then becomes encryption. Sarah's library
> does not do any encryption, and all attempts by anyone (including
> myself) have failed to get this to work even with the shell.
>
> If you have something that has gotten around this (you mentioned a hash)
> I'd be interested in it and would be glad to pay a fair price for it to
> use in these situations.
>
> *Bob Sneidar* | IT Technician
> Integrated Office Technology | 12150 Mora Drive, Unit 2, Santa Fe
> Springs, CA  90670
> /
> /
>
> I don't know if this will help the OP's situation, but here I have a
> number of apps that need to send email notifications, and some of them
> are running on systems that have no email server installed. Most of
> these are for server monitoring so I'm the only recipient, but maybe
> the general idea may be useful:
>
> I set up a CGI on one system that I want the emails to be sent from
> (which happens to also be written in LC, but it could be Perl, PHP,
> Python, bash, etc.) which accepts a recipient address, subject, and
> body, along with an obscure hash used for authentication, and puts
> those together to send the email from there.
>
> The CGI itself is named very obscurely (e.g. something like
> "gfdRRth88ewLYKss.cgi"), so it's unlikely to be guessed by any
> spiders.  And even if it were, anyone attempting to use the CGI for
> spamming would also need to figure out the hash inputs, and there are
> enough zombied Win installs that there are easier ways to hijack
> machines; this one just isn't worth the effort :)
>
> Not bullet-proof (nothing is), but reasonably secure and super-easy to
> use.  Now I have a single location for notifications that I can use
> from any client or server process that needs to send email, without
> even needing to have an email server installed.  Sending notifications
> is a one-liner anywhere I need 'em.

More information about the use-livecode mailing list